SUSE-IU-2022:50-1 SUSE Image security@suse.de SUSE Security Team SUSE Image SUSE-IU-2022:50-1 Interim 1 1 2023-01-17T08:48:17Z current 2022-01-26T01:00:00Z 2022-01-26T01:00:00Z cve-database/bin/generate-cvrf-publiccloud.pl 2021-02-18T01:00:00Z Image update for SUSE-IU-2022:50-1 / google/sles-15-sp1-sap-byos-v20220126 This image update for google/sles-15-sp1-sap-byos-v20220126 contains the following changes: Package SUSEConnect was updated: - Update to 0.3.32- Allow --regcode and --instance-data attributes at the same time (jsc#PCT-164) - Document that 'debug' can also get set in the config file - --status will also print the subscription name - Update to 0.3.31 - Disallow registering via SUSEConnect if the system is managed by SUSE Manager. - Add subscription name to output of 'SUSEConnect --status' - Update to 0.3.30 - send payload of GET requests as part of the url, not in the body (see bsc#1185611) Package aaa_base was updated: - use autopatch - update first two patches from git originals to have the same apply depth as the rest: - git-01-61c106aac03930e03935172eaf94d92c02a343bd.patch - git-02-4e5fe2a6ec5690b51a369d2134a1119962438fd1.patch - fix get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563) - git-37-dfc5b8af96bec249e44a83d573af1f95a661a85c.patch - support xz compressed kernel (bsc#1162581) - git-38-4c0060639f6fa854830a708a823976772afe7764.patch - Fixing possible resource leak - git-39-df622b89bc92fd882a6715c5743095528a643546.patch - excluding new kernel string in version search - Add git-36-16d1cb895c2742e96a56af98111f8281bedd3188.patch: * Add $HOME/.local/bin to PATH, if it exists (bsc#1192248) - Add patch git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch * sysctl.d/50-default.conf: allow everybody to create IPPROTO_ICMP sockets (bsc#1174504) - Add patch git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch * sysctl.d/50-default.conf: fix ping_group_range syntax error Package apparmor was updated: - fixed requires of python3 module (bsc#1191690)- Don't provide python2 symbol for python3 package (bsc#1191690). - Be explicit about using python2 macros, when needed. Package augeas was updated: - Allow all printable ASCII characters in WPA-PSK definition * augeas-allow_printable_ASCII.patch * bsc#1187512 * Sourced from https://github.com/hercules-team/augeas/pull/723/commits * Credit to Michal Filka <mfilka@suse.com Package autofs was updated: Package autogen was updated: - Add reproducible.patch to normalize tar- Normalize date in man-pages (boo#1047218) Package avahi was updated: - Add avahi-CVE-2021-3468.patch: avoid infinite loop by handling HUP event in client_work (boo#1184521 CVE-2021-3468). https://github.com/lathiat/avahi/pull/330 Package bash was updated: - Add patch bsc1183064.patch * Fix bug bsc#1183064: Segfault from reading a history file not starting with # with HISTTIMEFORMAT set and history_multiline_entries nonzero and with the history cleared and read on the same input line. Package bind was updated: - Fixed CVE-2021-25219: The lame-ttl option controls how long named caches certain types of broken responses from authoritative servers (see the security advisory for details). This caching mechanism could be abused by an attacker to significantly degrade resolver performance. The vulnerability has been mitigated by changing the default value of lame-ttl to 0 and overriding any explicitly set value with 0, effectively disabling this mechanism altogether. ISC's testing has determined that doing that has a negligible impact on resolver performance while also preventing abuse. Administrators may observe more traffic towards servers issuing certain types of broken responses than in previous BIND 9 releases. [bsc#1192146, CVE-2021-25219, bind-CVE-2021-25219.patch] - Fix off-by-one error when calculating new hashtable size When calculating the new hashtable bitsize, there was an off-by-one error that would allow the new bitsize to be larger than maximum allowed causing assertion failure in the rehash() function. [bsc#1188763, 0001-Fix-off-by-one-error-when-calculating-new-hashtable.patch] - Since BIND 9.9, it has been easier to use tsig-keygen and ddns-confgen to generare TSIG keys. In 9.13, TSIG support was removed from dnssec-keygen, so now it is just for DNSKEY (and KEY for obscure cases). tsig-keygen is now used to generate DDNS keys. [bsc#1187921, vendor-files.tar.bz2] - * A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly [CVE-2021-25214, bind-CVE-2021-25214.patch] * An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself [CVE-2021-25215, bind-CVE-2021-25215.patch] * A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack This does not affect this package as the affected code is disabled. [CVE-2021-25216] [bsc#1185345] - pass PIE compiler and linker flags via environment variables to make /usr/bin/delv in bind-tools also position independent (bsc#1183453). - drop pie_compile.diff: no longer needed, this patch is difficult to maintain, the environment variable approach is less error prone. [bsc#1183453, bind.spec, pie_compile.diff] Package binutils was updated: - Add binutils-revert-hlasm-insns.diff for compatibility on old code stream that expect 'brcl 0,label' to not be disassembled as 'jgnop label' on s390x. [bsc#1192267] - Rebase binutils-2.37-branch.diff: fixes PR28523 aka boo#1188941. - Fix empty man-pages from broken release tarball [PR28144]. - Update binutils-skip-rpaths.patch with contained a memory corruption (boo#1191473). - Configure with --disable-x86-used-note on old code streams. - Disable libalternatives temporarily for build cycle reasons. - make TARGET-bfd=headers again, we patch bfd-in.h - This state submitted to SLE12 and SLE15 code streams for annual toolchain update. [jsc#PM-2767, jsc#SLE-21561, jsc#SLE-19618] - Bump binutils-2.37-branch.diff to 66d5c7003, to include fixes for PR28422, PR28192, PR28391. Also adds some s390x arch14 instructions [jsc#SLE-18637]. - Using libalternatives instead of update-alternatives. - Adjust for testsuite fails on older products that configure binutils in different ways, adds binutils-compat-old-behaviour.diff and adjusts binutils-revert-nm-symversion.diff and binutils-revert-plt32-in-branches.diff. - Bump binutils-2.37-branch.diff: fixes PR28138. - Use LTO & PGO build. - Update to binutils 2.37: * The GNU Binutils sources now requires a C99 compiler and library to build. * Support for the arm-symbianelf format has been removed. * Support for Realm Management Extension (RME) for AArch64 has been added. * A new linker option '-z report-relative-reloc' for x86 ELF targets has been added to report dynamic relative relocations. * A new linker option '-z start-stop-gc' has been added to disable special treatment of __start_*/__stop_* references when - -gc-sections. * A new linker options '-Bno-symbolic' has been added which will cancel the '-Bsymbolic' and '-Bsymbolic-functions' options. * The readelf tool has a new command line option which can be used to specify how the numeric values of symbols are reported. - -sym-base=0|8|10|16 tells readelf to display the values in base 8, base 10 or base 16. A sym base of 0 represents the default action of displaying values under 10000 in base 10 and values above that in base 16. * A new format has been added to the nm program. Specifying '--format=just-symbols' (or just using -j) will tell the program to only display symbol names and nothing else. * A new command line option '--keep-section-symbols' has been added to objcopy and strip. This stops the removal of unused section symbols when the file is copied. Removing these symbols saves space, but sometimes they are needed by other tools. * The '--weaken', '--weaken-symbol' and '--weaken-symbols' options supported by objcopy now make undefined symbols weak on targets that support weak symbols. * Readelf and objdump can now display and use the contents of .debug_sup sections. * Readelf and objdump will now follow links to separate debug info files by default. This behaviour can be stopped via the use of the new '-wN' or '--debug-dump=no-follow-links' options for readelf and the '-WN' or '--dwarf=no-follow-links' options for objdump. Also the old behaviour can be restored by the use of the '--enable-follow-debug-links=no' configure time option. The semantics of the =follow-links option have also been slightly changed. When enabled, the option allows for the loading of symbol tables and string tables from the separate files which can be used to enhance the information displayed when dumping other sections, but it does not automatically imply that information from the separate files should be displayed. If other debug section display options are also enabled (eg '--debug-dump=info') then the contents of matching sections in both the main file and the separate debuginfo file *will* be displayed. This is because in most cases the debug section will only be present in one of the files. If however non-debug section display options are enabled (eg '--sections') then the contents of matching parts of the separate debuginfo file will *not* be displayed. This is because in most cases the user probably only wanted to load the symbol information from the separate debuginfo file. In order to change this behaviour a new command line option --process-links can be used. This will allow di0pslay options to applied to both the main file and any separate debuginfo files. * Nm has a new command line option: '--quiet'. This suppresses "/no symbols"/ diagnostic. - Includes fixes for these CVEs: bnc#1181452 aka CVE-2021-20197 aka PR26945 bnc#1183511 aka CVE-2021-20284 aka PR26931 bnc#1184519 aka CVE-2021-20294 aka PR26929 bnc#1184620 aka CVE-2021-3487 aka PR26946 bnc#1184794 aka CVE-2020-35448 aka PR26574 - Also fixes: bsc#1183909 - slow performance of stripping some binaries - Rebased patches: binutils-build-as-needed.diff, binutils-fix-abierrormsg.diff, binutils-fix-invalid-op-errata.diff, binutils-fix-relax.diff, binutils-revert-nm-symversion.diff, binutils-revert-plt32-in-branches.diff - Removed patches (are in upstream): ppc-ensure-undef-dynamic-weak-undefined.patch and ppc-use-local-plt.patch. - Add binutils-2.37-branch.diff.gz. - ppc-ensure-undef-dynamic-weak-undefined.patch: PPC: ensure_undef_dynamic on weak undef only in plt - ppc-use-local-plt.patch: PowerPC use_local_plt (prerequisite for above patch) - Update 2.36 branch diff which fixes PR27587. - Do not run make TARGET-bfd=headers separately. - Bump 2.36 branch diff (includes fix for PR27441 aka bsc#1182252). - Bump 2.36 branch diff. - Update 2.36 branch diff which should fix PR27311 completely. It fixes also PR27284. - Remove temporary fix 0001-PR27311-ld.bfd-symbol-from-plugin-undefined-referenc.patch. - Add temporary upstream fix for PR27311 0001-PR27311-ld.bfd-symbol-from-plugin-undefined-referenc.patch. - Update to binutils 2.36: New features in the Assembler: General: * When setting the link order attribute of ELF sections, it is now possible to use a numeric section index instead of symbol name. * Added a .nop directive to generate a single no-op instruction in a target neutral manner. This instruction does have an effect on DWARF line number generation, if that is active. * Removed --reduce-memory-overheads and --hash-size as gas now uses hash tables that can be expand and shrink automatically. X86/x86_64: * Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key Locker instructions. * Support non-absolute segment values for lcall and ljmp. * Add {disp16} pseudo prefix to x86 assembler. * Configure with --enable-x86-used-note by default for Linux/x86. ARM/AArch64: * Add support for Cortex-A78, Cortex-A78AE and Cortex-X1, Cortex-R82, Neoverse V1, and Neoverse N2 cores. * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call Stack Recorder Extension) and BRBE (Branch Record Buffer Extension) system registers. * Add support for Armv8-R and Armv8.7-A ISA extensions. * Add support for DSB memory nXS barrier, WFET and WFIT instruction for Armv8.7. * Add support for +csre feature for -march. Add CSR PDEC instruction for CSRE feature in AArch64. * Add support for +flagm feature for -march in Armv8.4 AArch64. * Add support for +ls64 feature for -march in Armv8.7 AArch64. Add atomic 64-byte load/store instructions for this feature. * Add support for +pauth (Pointer Authentication) feature for - march in AArch64. New features in the Linker: * Add --error-handling-script=<NAME> command line option to allow a helper script to be invoked when an undefined symbol or a missing library is encountered. This option can be suppressed via the configure time switch: --enable-error-handling-script=no. * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark x86-64-{baseline|v[234]} ISA level as needed. * Add -z unique-symbol to avoid duplicated local symbol names. * The creation of PE format DLLs now defaults to using a more secure set of DLL characteristics. * The linker now deduplicates the types in .ctf sections. The new command-line option --ctf-share-types describes how to do this: its default value, share-unconflicted, produces the most compact output. * The linker now omits the "/variable section"/ from .ctf sections by default, saving space. This is almost certainly what you want unless you are working on a project that has its own analogue of symbol tables that are not reflected in the ELF symtabs. New features in other binary tools: * The ar tool's previously unused l modifier is now used for specifying dependencies of a static library. The arguments of this option (or --record-libdeps long form option) will be stored verbatim in the __.LIBDEP member of the archive, which the linker may read at link time. * Readelf can now display the contents of LTO symbol table sections when asked to do so via the --lto-syms command line option. * Readelf now accepts the -C command line option to enable the demangling of symbol names. In addition the --demangle=<style>, - -no-demangle, --recurse-limit and --no-recurse-limit options are also now availale. - Includes fixes for these CVEs: bnc#1179898 aka CVE-2020-16590 aka PR25821 bnc#1179899 aka CVE-2020-16591 aka PR25822 bnc#1179900 aka CVE-2020-16592 aka PR25823 bnc#1179901 aka CVE-2020-16593 aka PR25827 bnc#1179902 aka CVE-2020-16598 aka PR25840 bnc#1179903 aka CVE-2020-16599 aka PR25842 bnc#1180451 aka CVE-2020-35493 aka PR25307 bnc#1180454 aka CVE-2020-35496 aka PR25308 bnc#1180461 aka CVE-2020-35507 aka PR25308 - Rebase the following patches: * binutils-fix-relax.diff * binutils-revert-nm-symversion.diff * binutils-revert-plt32-in-branches.diff - Add missing dependency on bc (ld.gold testsuite uses it). - Use --enable-obsolete for cross builds as ia64 is deprecated now. - Add binutils-2.36-branch.diff.gz. Package blktrace was updated: - Fix crash due to dropped first event while using pipe input (bsc#1191788). * blkparse: skip check_cpu_map with pipe input * blkparse: fix incorrectly sized memset in check_cpu_map * Added: - blkparse-skip-check_cpu_map-with-pipe-input.patch - blkparse-fix-incorrectly-sized-memset-in-check_cpu_m.patch Package c-ares was updated: - 5c995d5.patch: augment input validation on hostnames to allow _ as part of DNS response (bsc#1190225) - Version update to git snapshot 1.17.1+20200724: * fixes missing input validation on hostnames returned by DNS servers (bsc#1188881, CVE-2021-3672) * If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash * Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response * Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing * Use unbuffered /dev/urandom for random data to prevent early startup performance issues - missing_header.patch: upstreamed Package ca-certificates-mozilla was updated: - remove the DST_Root_CA_X3.pem trust, as it expires september 30th 2021. (bsc#1190858) Package chrony was updated: - bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode, but needed for calculating refids from IPv6 addresses as part of the NTP protocol (rfc5905). As this is a non-cryptographic use of MD5 we can use our own implementation without violating FIPS rules: chrony-refid-internal-md5.patch . - boo#1162964, bsc#1183783, clknetsim-glibc-2.31.patch: Fix build with glibc-2.31 - bsc#1184400, chrony-pidfile.patch: Use /run instead of /var/run for PIDFile in chronyd.service. Package cifs-utils was updated: - cifs.upcall: fix regression in kerberos mount; (bsc#1184815). * add 0015-cifs.upcall-fix-regression-in-kerberos-mount.patch - CVE-2021-20208: cifs-utils: cifs.upcall kerberos auth leak in container; (bsc#1183239); CVE-2021-20208. Package cloud-netconfig was updated: - Update to version 1.6: + Ignore proxy when accessing metadata (bsc#1187939) + Print warning in case metadata is not accessible + Documentation update Package containerd was updated: - Update to containerd v1.4.11, to fix CVE-2021-41103 bsc#1191121. bsc#1191355- Switch to Go 1.16.x compiler, in line with upstream. - Install systemd service file as well (fixes bsc#1190826) - Update to containerd v1.4.8, to fix CVE-2021-32760. bsc#1188282 - Remove upstreamed patches: - bsc1188282-use-chmod-path-for-checking-symlink.patch [ This patch was only released in SLES and Leap. ] - Add patch for GHSA-c72p-9xmj-rx3w. CVE-2021-32760 bsc#1188282 + bsc1188282-use-chmod-path-for-checking-symlink.patch - Build with go1.15 for reproducible build results (boo#1102408) - Drop long-since upstreamed patch, originally needed to fix i386 builds on SLES: - 0001-makefile-remove-emoji.patch - Update to containerd v1.4.4, to fix CVE-2021-21334. - Update to handle the docker-runc removal, and drop the -kubic flavour. bsc#1181677 bsc#1181749 - Update to containerd v1.4.3, which is needed for Docker v20.10.2-ce. bsc#1181594 - Install the containerd-shim* binaries and stop creating docker-containerd-shim because that isn't used by Docker anymore. bsc#1183024 Package corosync was updated: - corosync totemudpu: bsc#1192467, Fix don't block local socketpair when interface is down Added: bsc#1192467_dont-block-local-socket-pair.patch - corosync totem: bsc#1189680, Add cancel_token_hold_on_retransmit config option Added: bug-1189680_cancel_token_hold_on_retransmit-option.patch Package cpio was updated: - Add another patch to fix regression (bsc#1189465) * fix-CVE-2021-38185_3.patch - Fix regression in last update (bsc#1189465) * fix-CVE-2021-38185_2.patch - Fix CVE-2021-38185 Remote code execution caused by an integer overflow in ds_fgetstr (CVE-2021-38185, bsc#1189206) * fix-CVE-2021-38185.patch Package crash was updated: - Fix crash utility is taking forever to initialize a vmcore from large config system (bsc#1178827 ltc#189279). crash-task.c-avoid-unnecessary-cpu-cycles-in-stkptr_to_tas.patch - Fix support for opening VMware snapshots (bsc#1173975). crash-VMware-VMSS-dumpfiles-contain-the-state-of-each-vCPU.patch crash-Commit-45b74b89530d611b3fa95a1041e158fbb865fa84-adde.patch Package crmsh was updated: - Update to version 4.3.1+20211119.97feb471: * Fix: ui_resource: Parse node and lifetime correctly (bsc#1192618) - Update to version 4.3.1+20211012.52d4086a: * Fix: ui_resource: Parse lifetime option correctly (bsc#1191508) * Fix: utils: Improve detect_cloud function and support non-Hyper-V in Azure - Update to version 4.3.1+20210827.4fb174c4: * Fix: hb_report: Using python way to collect ra trace files (bsc#1189641) * Fix: bootstrap: adjust host list for parallax to get and copy known_hosts file(bsc#1188971) - Update to version 4.3.1+20210811.2a30e37e: * Dev: ui_resource: Enhancement trace output * Fix: doc: Note that resource tracing is only supported by OCF RAs(bsc#1188966) * Medium: ra: performance/usability improvement (avoid systemd) * Dev: ui_context: Add info when spell-corrections happen * Fix: parse: Should still be able to show the empty property if it already exists(bsc#1188290) - Update to version 4.3.1+20210702.4e0ee8fb: * Fix: bootstrap: check for missing fields in 'crm_node -l' output (bsc#1182131) * Fix: resource: make untrace consistent with trace (bsc#1187396) * Dev: sbd: enable SBD_DELAY_START in virtualization environment - Update to version 4.3.1+20210624.67223df2: * Fix: ocfs2: Skip verifying UUID for ocfs2 device on top of raid or lvm on the join node (bsc#1187553) - Update to version 4.3.0+20210616.cdcfe52e: * Fix: history: use Path.mkdir instead of mkdir command(bsc#1179999, CVE-2020-35459) * Dev: crash_test: Add big warnings to have users' attention to potential failover(jsc#SLE-17979) * Dev: crash_test: rename preflight_check as crash_test(jsc#SLE-17979) * Fix: bootstrap: update sbd watchdog timeout when using diskless SBD with qdevice(bsc#1184465) * Dev: utils: allow configure link-local ipv6 address(bsc#1163460) * Fix: parse: shouldn't allow property setting with an empty value(bsc#1185423) * Fix: help: show help message from argparse(bsc#1175982) - Remove patches: 0001-Fix-history-use-Path.mkdir-instead-of-mkdir-command-.patch - Update to version 4.3.0+20210507.bf02d791: * Fix: bootstrap: add sbd via bootstrap stage on an existing cluster (bsc#1181906) * Fix: bootstrap: change StrictHostKeyChecking=no as a constants(bsc#1185437) * Dev: bootstrap: disable unnecessary warnings (bsc#1178118) * Fix: bootstrap: sync corosync.conf before finished joining(bsc#1183359) * Dev: add "/crm corosync status qdevice"/ sub-command * Dev: ui_cluster: add qdevice help info - Update to version 4.3.0+20210330.06bf9cad: * Dev: ui_cluster: enable/disable corosync-qdevice.service * Fix: bootstrap: parse space in sbd device correctly(bsc#1183883) * Dev: preflight_check: move preflight_check directory into crmsh * Fix: bootstrap: get the peer node name correctly (bsc#1183654) * Fix: update verion and author (bsc#1183689) * Dev: bootstrap: enable configuring qdevice on interactive mode (jsc#ECO-3567) * Fix: ui_resource: change return code and error to warning for some unharmful actions(bsc#1180332) * Dev: lock: change lock directory under /run * Fix: bootstrap: raise warning when configuring diskless SBD with node's count less than 3(bsc#1181907) * Fix: bootstrap: Adjust qdevice configure/remove process to avoid race condition due to quorum lost(bsc#1181415) * Fix: ui_configure: raise error when params not exist(bsc#1180126) * Dev: ui_node: remove status subcommand - Update to version 4.3.0+20210219.5d1bf034: * Fix: hb_report: walk through hb_report process under hacluster(CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571) * Fix: bootstrap: setup authorized ssh access for hacluster(CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571) * Dev: analyze: Add analyze sublevel and put preflight_check in it(jsc#ECO-1658) * Dev: utils: change default file mod as 644 for str2file function * Dev: hb_report: Detect if any ocfs2 partitions exist * Dev: lock: give more specific error message when raise ClaimLockError * Fix: Replace mktemp() to mkstemp() for security * Fix: Remove the duplicate --cov-report html in tox. * Fix: fix some lint issues. * Fix: Replace utils.msg_info to task.info * Fix: Solve a circular import error of utils.py * Fix: hb_report: run lsof with specific ocfs2 device(bsc#1180688) * Dev: corosync: change the permission of corosync.conf to 644 * Fix: preflight_check: task: raise error when report_path isn't a directory * Fix: bootstrap: Use class Watchdog to simplify watchdog config(bsc#1154927, bsc#1178869) * Dev: Polish the sbd feature. * Dev: Replace -f with -c and run check when no parameter provide. * Fix: Fix the yes option not working * Fix: Remove useless import and show help when no input. * Dev: Correct SBD device id inconsistenc during ASR * Fix: completers: return complete start/stop resource id list correctly(bsc#1180137) * Dev: Makefile.am: change makefile to integrate preflight_check * Medium: integrate preflight_check into crmsh(jsc#ECO-1658) * Fix: bootstrap: make sure sbd device UUID was the same between nodes(bsc#1178454) Package cronie was updated: - Increase limit of allowed entries in crontab files to fix bsc#1187508 * cronie-1.5.1-increase_crontab_limit.patch Package csync2 was updated: - (bsc#1187080) Upgrade and removal of csync2 package throws error for non-existent service template: Removeinstance templates from %service_* macros. - VUL-1: CVE-2019-15522: csync2: daemon fails to enforce TLS (bsc#1147137) - VUL-1: CVE-2019-15523: csync2: incorrect TLS handshake error handling (bsc#1147139) Apply upstream patch: 0001-fail-HELLO-command-when-SSL-is-required.patch 0002-repeat-gnutls_handshake-call-in-case-of-warnings.patch Package cups was updated: - When cupsd creates directories with specific owner group and permissions (usually owner is 'root' and group matches "/configure --with-cups-group=lp"/) specify same owner group and permissions in the RPM spec file to ensure those directories are installed by RPM with the right settings because if those directories were installed by RPM with different settings then cupsd would use them as is and not adjust its specific owner group and permissions which could lead to privilege escalation from 'lp' user to 'root' via symlink attacks e.g. if owner is falsely 'lp' instead of 'root' CVE-2021-25317 (bsc#1184161) - cups-2.2.7-web-ui-kerberos-authentication.patch (bsc#1175960) Fix web UI kerberos authentication Package curl was updated: - libssh: do not let libssh create socket [bsc#1192790] * Fixes sftp over a proxy failure in curl with error: Failure establishing ssh session * Add curl-libssh-socket.patch - MIME: Properly check Content-Type even if it has parameters * Add curl-check-content-type.patch [bsc#1190153] - Security fix: [bsc#1190374, CVE-2021-22947] * STARTTLS protocol injection via MITM * Add curl-CVE-2021-22947.patch - Security fix: [bsc#1190373, CVE-2021-22946] * Protocol downgrade required TLS bypassed * Add curl-CVE-2021-22946.patch - Security fix: [bsc#1188220, CVE-2021-22925] * TELNET stack contents disclosure again * Add curl-CVE-2021-22925.patch - Security fix: [bsc#1188219, CVE-2021-22924] * Bad connection reuse due to flawed path name checks * Add curl-CVE-2021-22924.patch - Security fix: Disable the metalink feature: * Insufficiently Protected Credentials [bsc#1188218, CVE-2021-22923] * Wrong content via metalink not discarded [bsc#1188217, CVE-2021-22922] - Security fix: [bsc#1186114, CVE-2021-22898] * TELNET stack contents disclosure - Add curl-CVE-2021-22898.patch - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. - Add curl-X509_V_FLAG_PARTIAL_CHAIN.patch - Security fix: [bsc#1183933, CVE-2021-22876] * The automatic referer leaks credentials - Add curl-CVE-2021-22876-URL-API.patch curl-CVE-2021-22876.patch - Fix: SFTP uploads result in empty uploaded files [bsc#1177976] - Add curl-fix-O_APPEND.patch Package dbus-1 was updated: - Add missing patch for CVE-2020-12049 * fix-upstream-CVE-2020-12049_2.patch - Fix CVE-2020-12049 truncated messages lead to resource exhaustion (CVE-2020-12049, bsc#1172505) * fix-upstream-CVE-2020-12049.patch - Rebased fix-CVE-2019-12749.patch - Fix CVE-2020-35512 - shared UID's caused issues (CVE-2020-35512 bsc#1187105) * fix-upstream-userdb-constpointer.patch * fix-upstream-CVE-2020-35512.patch Package dhcp was updated: - Oops, when upgrading to 4.3.6-P1 in 2018 only isc_version was bumped, but not the RPM package version. - CVE-2021-25217, bsc#1186382, dhcp-CVE-2021-25217.patch: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient. - bsc#1185157: Use /run instead of /var/run for PIDFile in dhcrelay.service. Package docker was updated: - Update to Docker 20.10.9-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355 CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch - Switch to Go 1.16.x compiler, in line with upstream. - Add patch to return ENOSYS for clone3 to avoid breaking glibc again. bsc#1190670 + 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch - Add shell requires for the *-completion subpackages. - Update to Docker 20.10.6-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1184768 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Backport upstream fix <https://github.com/moby/moby/pull/42273> for btrfs quotas being removed by Docker regularly. bsc#1183855 bsc#1175081 + 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - Update to Docker 20.10.5-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1182947 - Update runc dependency to 1.0.0~rc93. - Remove upstreamed patches: - cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Switch version to use -ce suffix rather than _ce to avoid confusing other tools. boo#1182476 - Fix incorrect cast in SUSE secrets patches causing warnings on SLES. * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch - Update to Docker 20.10.3-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. Fixes bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Rebase patches on top of 20.10.3-ce. - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Drop docker-runc, docker-test and docker-libnetwork packages. We now just use the upstream runc package (it's stable enough and Docker no longer pins git versions). docker-libnetwork is so unstable that it doesn't have any versioning scheme and so it really doesn't make sense to maintain the project as a separate package. bsc#1181641 bsc#1181677 - Remove no-longer-needed patch for packaging now that we've dropped docker-runc and docker-libnetwork. - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch - Update to Docker 20.10.2-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594 - Remove upstreamed patches: - bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch - Add patches to fix build: + cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch - Since upstream has changed their source repo (again) we have to rebase all of our patches. While doing this, I've collapsed all patches into one branch per-release and thus all the patches are now just one series: - packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch + 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch - secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - secrets-0002-SUSE-implement-SUSE-container-secrets.patch + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - private-registry-0001-Add-private-registry-mirror-support.patch + 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch - bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch Package dosfstools was updated: - To be able to create filesystems compatible with previous version, add -g command line option to mkfs (boo#1188401, dosfstools-add-g.patch). - BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use "/-a"/ command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use "/file -s $IMAGE"/, check its "/sectors/track"/ and "/heads"/, and use them in the newly introduced "/-g"/ command line argument. - Add fix-calculation.patch (gh#dosfstools/dosfstools#153, bsc#1172863) to work with different size of clusters. Package drbd was updated: - bsc#1189995, backport to fix the stuck in resync. Add patch fix-stuck-resync-when-cancelled.patch - bsc#1183970, disconnect when invalid dual primaries Add patch disconnect-invalid-two-primaries.patch Package drbd-utils was updated: - bsc#1185132, all binaries in SLE-15 are position independent Add patch pie-fix.patch - bsc#1182361, pacemaker2 compat issue for crm-fence-peer.9 use --xml format of crm_mon Add patch crm-fence-peer-pacemaker2-format.patch Add patch crm-fence-peer-pacemaker2-use-xml.patch Package e2fsprogs was updated: Package efibootmgr was updated: Package efivar was updated: - Add efivar-bsc1187386-fix-emmc-parsing.patch to fix the eMMC sysfs parsing (bsc#1187386) - Add efivar-bsc1181967-fix-nvme-parsing.patch to fix the NVME path parsing (bsc#1181967) Package expat was updated: - Security fix (CVE-2021-45960, bsc#1194251) * A left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior. * Added expat-CVE-2021-45960.patch - Security fix (CVE-2021-46143, bsc#1194362) * Integer overflow exists for m_groupSize in doProlog * Added expat-CVE-2021-46143.patch - Security fix (CVE-2022-22822, bsc#1194474) * Integer overflow in addBinding in xmlparse.c * Added expat-CVE-2022-22822.patch - Security fix (CVE-2022-22823, bsc#1194476) * Integer overflow in build_model in xmlparse.c * Added expat-CVE-2022-22823.patch - Security fix (CVE-2022-22824, bsc#1194477) * Integer overflow in defineAttribute in xmlparse.c * Added expat-CVE-2022-22824.patch - Security fix (CVE-2022-22825, bsc#1194478) * Integer overflow in lookup in xmlparse.c * Added expat-CVE-2022-22825.patch - Security fix (CVE-2022-22826, bsc#1194479) * Integer overflow in nextScaffoldPart in xmlparse.c * Added expat-CVE-2022-22826.patch - Security fix (CVE-2022-22827, bsc#1194480) * Integer overflow in storeAtts in xmlparse.c * Added expat-CVE-2022-22826.patch - Refresh expat-CVE-2018-20843.patch as a p1 patch. - Use %autosetup macro Package expect was updated: - bsc#1183904, expect-errorfd.patch: errorfd file descriptors should be closed when forking - fix previous change regarding PIE linking. Passing SHLIB_CFLAGS="/-shared"/ causes /usr/bin/expect to become a shared library that SEGFAULTs upon execution. Instead use SHLIB_LD to pass -shared only to shared library linking. - pass explicit -pie flag to CFLAGS and hack `make` invocation so that /usr/bin/expect actually becomes a PIE binary. This is especially awkard since the expect build system implicitly passes -fPIC which breaks our gcc-PIE package, but does not pass -pie while linking the executable. Shared libraries are also not linked with -shared so we need to explicitly pass this, too, to avoid build breakage (bsc#1184122). - Add an unversioned symlink to make linking easier for applications that use libexpect without Tcl (boo#1172681). - New version 5.45.4: * Fix two bugs in EOF handling. Package fence-agents was updated: - Update to version 4.9.0+git.1624456340.8d746be9: * fence_azure_arm: corrections to support Azure SDK >= 15 - including backward compatibility (#415) (bsc#1185058) * fence_gce: make serviceaccount work with new libraries * fence_kubevirt: new fence agent * fence_virt*: simple_auth: use %zu for sizeof to avoid failing verbose builds on some archs * configure: dont fail when --with-agents contains virt * fence_mpath: watchdog retries support * fencing: add multi plug support for reboot-action * fence_redfish: add missing diag logic * fencing: fix issue with hardcoded help text length for metadata * fence_lindypdu: update metadata * fence_lindypdu: new fence agent * fencing: add stonith_status_sleep parameter for sleep between status calls during a STONITH action * fence_openstack: code formatting fixes per: https://github.com/ClusterLabs/fence-agents/pull/397#pullrequestreview-634281798 * Proper try-except for connection exception. * Fix CI. * Do not wrap as many values. * Restore port metadata. * Update xml metadata. * Use standard logging. * Revert change to __all__ * fence_virt: fix required=1 parameters that used to not be required and add deprecated=1 for old deprecated params * Major rework of the original agent: * fence_gce: default method moved back to powercycle (#389) * fence_aws: add filter parameter to be able to limit which nodes are listed * virt: fix a bunch of coverity scan errors in ip_lookup * virt: make sure to provide an empty default to strncpy * virt: make sure buffers are big enough for 0 byte end string * virt: increase buffer size to avoid overruns * virt: check return code in virt-sockets * virt: fix error code checking * virt: fix plugin (minor) memory leak and plug in load race * virt: attempt to open file directly and avoid race condition * virt: fix different coverity scan errors in common/tcp * virt: cleanup deadcode in client/vsock * virt: cleanup deadcode in client/tcp * virt: fix potential buffer overrun * virt: fix mcast coverity scan errors * virt: drop pm-fence plugin * build: tidy up module sources * virt: drop libvirt-qmf plugin * virt: drop null plugin * build: enable fence_virtd cpg plugin by default * virt: drop fence_virtd non-modular build * virt: fix plugin installation regression on upgrades * build: temporary disable -Wcast-align for some agents * build: fix CFLAGS overrides when using clang * fence_virt: metadata fixes, implement manpage generation and metadata/delay/rng checks * virt: make sure variable is initialized * Drop travis CI * Revert "/virt: drop -Werror to avoid unnecessary failures"/ * zvm: reformat fence_zvm to avoid gcc warnings * build: fix make maintainerclean * build: remove unnecessary build snippets * virt: drop -Werror to avoid unnecessary failures * virt: disable -Wunused for yy generated files * virt: disable fence-virt on bsd variants * virt: merge spec files * build: fix more gcc warnings * build: remove unused / obsoleted options * build: fix some annoying warnings at ./autogen.sh time * virt: move all virt CFLAGS/LDFLAGS in the right location * virt: fix unused gcc warnings and re-enable all build warnings * virt: fix write-strings gcc warnings * virt: fix pointer-arith gcc warnings * virt: fix declaration-after-statement gcc warnings * virt: fix build with -Wmissing-prototypes * build: donÂ´t override clean target * virt: plug fence_virt into the build * virt: allow fence_virt build to be optional * virt: drop support for LSB init script * virt: collect docs in one location * virt: remove unnecessary files and move build macros in place * Ignore fence-virt man pages * Merge done * Move fence_virt to the correct location * Start merge * spec: use python3 path for newer releases * spec: undo autosetup change that breaks builds w/git commit hashes * Ignore unknown options on stdin * fence_gce: support google-auth and oauthlib and fallback to deprecated libs when not available * spec: add aliyun subpackage and fence_mpath_check* to mpath subpackage * fence_gce: Adds cloud-platform scope for bare metal API and optional proxy flags (#382) * fence_virt: Fix minor typo in metadata * fence_gce: update module reqs for SLES 15 (#383) * Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus * fence_redfish: Add diag action * fence_vbox: updated metadata file * fence_vbox: do not flood host account with vboxmanage calls * fence_aws/fence_gce: allow building without cloud libs * fence_gce: default to onoff * fence_lpar: Make --managed a required option * fence_zvmip: fix shell-timeout when using new disable-timeout parameter * Adds service account authentication to GCE fence agent * spec: dont build -all subpackage as noarch * fence_virt: add plug parameter that obsoletes old port parameter * Try to detect directory for initscripts configuration * Accept SIGTERM while waiting for initialization. * Add man pages to fence_virtd service file. * Fix spelling error in fence_virt.conf.5 * build: fix BRs for suse distros * build: remove ExclusiveArch * build: removed gcc-c++ BR * build: add spec-file and rpm build targets * build: cleanup/improvements to reworked build system * [build] rework build system to use automake/libtool * fence_virtd: Fix segfault in vl_get when no domains are found * fence_virt: fix core dump * build: harden and make it possible to build with -fPIE * fence_virt: dont report success for incorrect parameters * fence_virt: mcast: config: Warn when provided mcast addr is not used * fence_virtd: Return control to main loop on select interruption * fence-virtd: Add missing vsock makefile bits * fence-virt: Add vsock support * fence_virtd: Fix transposed arguments in startup message * fence_virt: Rename challenge functions * fence_virtd: Cleanup: remove unused configuration options * fence_virt: Remove remaining references to checkpoints * fence_virt: Remove remaining references to checkpoints * fence-virt: Format string cleanup * fence_virtd: Implment hostlist for the cpg backend * fence_virt: Fix logic error in fence_xvm * fence_virtd: Cleanup config module * fence_virtd: cpg: Fail initialization if no hypervisor connections * fence_virtd: Make the libvirt backend survive libvirtd restarts * fence_virtd: Allow the cpg backend to survive libvirt failures * fence_virtd: cpg: Fix typo * fence-virtd: Add cpg-virt backend plugin * fence_virtd: Remove checkpoint, replace it with a CPG only plugin * fence-virt: Bump version * fence_virtd: Add better debugging messages for the TCP listner * fence_virtd: Fix potential unlocked pthread_cond_timedwait() * fence-virtd: Cleanup small memory leak * fence_virtd: Fix select logic in listener plugins * Factor out common libvirt code so that it can be reused by multiple backends * Document the fence_virtd -p command line flag * fence_virtd: Log an error when startup fails * Retry writes in the TCP, mcast, and serial listener plugins while sending a response to clients, if the write fails or is incomplete. * Make the packet authentication code more resilient in the face of transient failures. * Remove erroneous 'inline' * Disable the libvirt-qmf backend by default * Bump the versions of the libvirt and checkpoint plugins * fence-virtd: Enable TCP listener plugin by default * fence-virtd: Cleanup documentation of the TCP listener * fence_xvm/fence_virt: Add support for the validate-all status op * fence-virt: Add list-status command to man page and metadata * fence-virt: Cleanup numeric argument parsing * fence-virt: Log message to syslog in addition to stdout/stderr * fence-virt: Permit explicitly setting delay to 0 * fence-virt: Add 'list-status' operation for compat with other agents * Fix use of undefined #define * Allow fence_virtd to run as non-root * Remove delay from the status, monitor and list functions * Resolves serveral problems in checkpoint plugin, making it functional. * Current implementation of event listener in virt-serial does not support keepalive, it does not generate nor capable to answer to keepalive requests, which causes libvirt connection to disconnect every 30 seconds (interval*timeout in libvirtd.conf). Furthermore, it does not clean up filehandlers and leaves hanging sockets. Also, if other thread opens its own connection to libvirt (i.e. checkpoint.c), event function in virt-serial.c just updates event listener file handler with a wrong one, what causes checkpoint.c malfunctions, fence_virtd hangs and so on. This patch uses default event listener implementation from libvirt and resolves theese problems. * daemon_init: Removed PID check and update * fence_virtd: drop legacy SysVStartPriority from service unit * fence-virt: client: Do not truncate VM domains in list output * client: fix "/delay"/ parameter checking (copy-paste) * fence-virt: Fix broken restrictions on the port ranges * Clarify debug message * fence-virtd: Use perror only if the last system call returns an error. * fence-virtd: Fix printing wrong system call in perror * fence-virtd: Allow multiple hypervisors for the libvirt backend * fence-virt: Don't overrwrite saved errno * fence-virt: Fix small memory leak in the config module * fence-virt: Fix mismatched sizeof in memset call * fence-virt: Send complete hostlist info * fence-virt: Clarify the path option in serial mode * Bump version * fence-virt: Bump version * fence_virtd: Fix broken systemd service file * fence_virt/fence_xvm: Print status when invoked with -o status * fence-virt: Fix for missed libvirtd events * fence-virt: Fail properly if unable to bind the listener socket * client: dump all arguments structure in debug mode * Drop executable flag for man pages (finally) * Honor implicit "/ip_family=auto"/ in fence_xvm w/IPv6 mult.addr. * Fix using bad struct item for auth algorithm * Drop executable flag for man pages * use bswap_X() instead of b_swapX() * fence_virtd: Fix memcpy size params in the TCP plugin * Revert "/fence-virt: Fix possible descriptor leak"/ * fence_virtd: Return success if a domain exists but is already off. * fence-virt: Add back missing tcp_listener.h file * fence-virt: Fix a few fd leaks * fence-virt: Fix free of uninitialized variable * fence-virt: Fix possible null pointer dereference * fence-virt: Fix memory leak * fence-virt: Fix fd leak when finding local addresses * fence-virt: Fix possible descriptor leak * fence-virt: Fix possible fd leak * fence-virt: Fix null pointer deref * fence-virt: Explicitly set delay to 0 * fence-virt: Fix return with lock held * fence_virt: Fix typo in fence_virt(8) man page * fence_virt: Return failure for nonexistent domains * Initial commit * Improve fence_virt.conf man page description of 'hash' * Add a delay (-w) option. * Remove duplicated port struct entry * Add a TCP listener plugin for use with viosproxy * In serial mode, return failure if the other end closes the connection before we see SERIAL_MAGIC in the reply or timeout. * Stop linking against unnecessary QPid libs. * Update libvirt-qmf plugin and docs * Fix crash when we fail to read key file. * Fix erroneous man page XML * Add 'interface' directive to example.conf * Fix build * Add old wait_for_backend directive handling & docs * Return proper error if we can't set up our socket. * Fix startup in systemd environments * Add systemd unit file and generation * Don't override user's pick for backend server module * Use libvirt as default in shipped config * Clean up compiler warnings * Fix serial domain handling * Fix monolithic build * Clean up build and comments. * Add missing pm_fence source code * Disable CMAN / checkpoint build by default * Rename libvirt-qpid -> libvirt-qmf * Fix static analysis errors * Reword assignment to appease static analyzers * Handle return value from virDomainGetInfo * Fix bad sizeof() * Make listen() retry * Add map_check on 'status' action * Update README * Don't reference out-of-scope temporary * Ensure we don't try to strdup() or atoi() on NULL * Add libvirt-qmf support to the libvirt-qpid plugin * Convert libvirt-qpid plugin to QMFv2 * Fix incorrect return value on hash mismatch * Fix error getting status from libvirt-qpid plugin * Fix typo that broke multicast plugin * Make fence-virt requests endian clean * Update TODO * Fix input parsing to allow domain again * Provide 'domain' in metadata output for compatibility * High: Fix UUID lookups in checkpoint backend * Curtail 'list' operation requests * Fix man page references: fence_virtd.conf -> fence_virt.conf * Add 'list' operation for plugins; fix missing getopt line * Fix build with newer versions of qpid * Make configure.in actually disable plugins * Fix metadata output * Rename parameters to match other fencing agents * Fix fence_xvm man page to point to the right location * client: Clarify license in serial.c * Return 2 for 'off' like other fencing agents * Reset flags before returning from connect_nb * Use nonblocking connect to vmchannel sockets * More parity with other fencing agents' parameters * Fix memory leaks found with valgrind * Add basic daemon functions * Fix bug in path pruning support for serial plugin * Fix libvirt-qpid bugs found while testing * Fix segfault caused by invalid map pointer assignment * Fix another compiler warning * Fix build warnings in client/serial.c * Add 'monitor' as an alias for 'status' * Add serial listener to configuration utility * Make serial/vmchannel module enabled by default * Add missing 'metadata' option to help text * Add missing static_map.h * Add metadata support to fence_xvm/fence_virt * Allow IPs to be members of groups * Allow use of static mappings w/ mcast listener * Make 'path' be a directory * Update TODO * Remove useless debug printfs * Enable VM Channel support in serial plugin * Update TODO based on progress * Pass source VM UUID (if known) to backend * Mirror libvirt-qpid's settings in libvirt-qpid plugin * libvirt-qpid: clean up global variable * Enable a configurable host/port on libvirt-qpid plugin * Minor config utility cleanups * Man page cleanups * Remove unnecessary name_mode from multicast plugin * Add prototypes and clean up build warnings * Use seqno in serial requests * Minor debugging message cleanup * Fix build error due to improper value * Static map support and permissions reporting * Sync up on SERIAL_MAGIC while waiting for a response * Don't build serial vmchannel module by default * Update TODO * Initial checkin of serial server-side support * Fix fence_virt.conf man page name * Add Fedora init script * Compiler warning cleanups in virt-serial.c * Add wait-for-backend mode * Fix up help text for clients * Minor XML cleanups, add missing free() call * add missing module_path to fence_virtd.conf.5 * Add capabilities to virt-serial * Note that serial support is experimental * Add a serial.so build target * Add vmchannel serial event interface * Split fence_virt vs. fence_xvm args * Add static map functions. * Fix build warning due to missing #include * Fix multiple query code * Better config query & multiple value/tag support * Add simple configuration mode * Add missing man pages * More minor config cleanups * Allow setting config values to NULL to clear them * Clean up example config file * Sort plugins by type when printing them * Revert "/Sort plugins by type when printing them"/ * Sort plugins by type when printing them * Clean up some configuration plugin information * add empty line between names * Make libvirt to automatically use uuid or names * Improve error reporting * Fix build for hostlist functionality * Hostlist functionality for libvirt, libvirt-qpid * Update TODO * Work around broken nspr headers * Fix installation target for man pages * Fix default build script * Add man page build infrastructure * Initial commit of fence_virt & fence_xvm man pages * Make fence_xvm compatibility mode enabled by default * Fix libvirt / mcast support for name_mode * Fix agent option parsing * Fix dlsym mapping of C++ module * Make uuids work with libvirt-qpid * Fix uninitialized variable causing false returns * Update monolithic build * Fix linking problem * Add 'help' to fence_virtd * Fix libvirt-qpid build * Make 'reboot' work * Fix libvirt-qpid build * Add libvirt-qpid build target * Initial checking of libvirt-qpid plugin * Fix build on i686 * Make symlink/compatibilty mode disabled by default * Add simple tarball / release script * Update TODO and requirements file * Update TODO * Use immediate resolution of symbols * Example config tweaks * Use sysconfdir for /etc/fence_virt.conf * Fix package name and install locations * Fix daemon return code * Add 'maintainer-clean' target * Fix build errors on Fedora * Add missing header file * Ignore automake error * Add missing COPYING file; update TODO * Make the build script actually build * Make cluster mode plugin work * Add basic cpg stuff for later * Enable 'on' operation for libvirt backend * Clean up modular build * Minor build cleanups * Yet more build fixes * More build cleanups * Build cleanups * Initial port to autoconf * Add checkpoint.c stub functions * Add sequence numbers to requests for tracking * Include missing include * Call generic history functions * Make history functions generic * Make debugging work from modules again * Revert "/Fix build issue breaking debug printing from modules"/ * Fix build issue breaking debug printing from modules * Fix libvirt backend; VALIDATE was wrong * Cleanups, add daemon support * Add simple 'null' skeleton backend plugin * Make all plugins dynamically loaded. * Fix error message * Remove dummy serial prototypes * Remove modules in 'make clean' * Make listeners plugins. * Fix whitespace * Move name_mode to fence_virtd block * Add name_mode to example.conf * Move VM naming scheme to top level of config * Fix bad assignment due to wrong variable * Fix use of wrong variable * Revert "/Fix use of wrong variable"/ * Fix use of wrong variable * Enable UUID use in libvirt.c * Add missing log.c. Enable syslog wrapping * Move options.c to client directory * Fix context type names * Minor cleanup * Drop duplicate fencing requests * Don't require specifying an interface in fence_virt.conf * Fix empty node parsing * Fix segfault * Fix install targets * Actually use the default port by default * Don't overwrite config files * Install modules, too. * Fix config file name * Add temporary 'make install' target * Make a default configuration file * Make mcast work with UUIDs * Update TODO * Remove useless prototype * Update todo * Add checkpoint.so to the build * Fix missing carriage returns on debug prints * Add architecture overview description * Make serial_init match mcast_init. * Make multicast use config file * Integrate config file processing * Create server-side plugin architecture * Remove bad list_do/list_done macros * Make libvirt a built-in plugin * Update description text. * Fix header in serial.c. * serial: Make client work. - remove patch contained by the update: - 0001-Adds-service-account-authentication-to-GCE-fence-age.patch (jsc#SLE-18182) ECO: Update fence-agents (jsc#SLE-18027) Add upstream PR to aws-vpc-move-ip and apply required resource & fence agent patches - bsc#1180518 [15sp3 FEAT] Product-HA / High Availability Extension: Add IBM Z LPAR fence agent fence_ibmz to Pacemaker (kvm) (fence-agents) Package file was updated: Package filesystem was updated: - Remove duplicate line due to merge error- add /etc/skel/.cache with perm 0700 (bsc#1181011) - Set correct permissions when creating /proc and /sys - Ignore postfix user (pulled in from buildsystem) - /proc and /sys should be %ghost to allow filesystem package updates in rootless container environments (rh#1548403) (bsc#1146705) - Split /var/tmp out of fs-var.conf, new file is fs-var-tmp.conf. Allows to override config to add cleanup options of /var/tmp [bsc#1078466] - Create fs-tmp.conf to cleanup /tmp regular (required with tmpfs) [bsc#1175519] - Fix bug about missing group in tmpfiles.d files - Generic cleanup: - Remove /usr/local/games Package gcc was updated: - With gcc-PIE add -pie even when -fPIC is specified but we are not linking a shared library. [boo#1185348] - Fix postun of gcc-go alternative. - Add gccgo symlink, add go and gofmt as alternatives to support parallel install of golang. [bnc#1096677] Package gcc7 was updated: - Adjust some ambiguous SPDX license specifications to prevent spec-cleaner from messing up. - Add gcc7-pr55917.patch to do not handle exceptions in std::thread (jsc#CAR-1182) - - Add gcc7-pfe-0001-Backport-Add-entry-for-patchable_function_entry.patch gcc7-pfe-0002-Backport-Skip-fpatchable-function-entry-tests-for-nv.patch gcc7-pfe-0003-Backport-Error-out-on-nvptx-for-fpatchable-function-.patch gcc7-pfe-0004-Backport-Adapt-scan-assembler-times-for-alpha.patch gcc7-pfe-0005-Backport-patchable_function_entry-decl.c-Use-3-NOPs-.patch gcc7-pfe-0006-Backport-IBM-Z-Use-the-dedicated-NOP-instructions-fo.patch gcc7-pfe-0007-Backport-Add-regex-to-search-for-uppercase-NOP-instr.patch gcc7-pfe-0008-Backport-ICE-segmentation-fault-with-patchable_funct.patch gcc7-pfe-0009-Backport-patchable_function_entry-decl.c-Pass-mcpu-g.patch gcc7-pfe-0010-Backport-patchable_function_entry-decl.c-Do-not-run-.patch gcc7-pfe-0011-Backport-patchable_function_entry-decl.c-Add-fno-pie.patch gcc7-pfe-0012-Backport-PR-c-89946-ICE-in-assemble_start_function-a.patch gcc7-pfe-0013-Backport-targhooks.c-default_print_patchable_functio.patch gcc7-pfe-0014-Backport-Align-__patchable_function_entries-to-POINT.patch gcc7-pfe-0015-Backport-Fix-PR-93242-patchable-function-entry-broke.patch gcc7-pfe-0016-Backport-AArch64-PR92424-Fix-fpatchable-function-ent.patch gcc7-pfe-0017-Backport-Fix-patchable-function-entry-on-arc.patch gcc7-pfe-0018-Backport-Add-patch_area_size-and-patch_area_entry-to.patch gcc7-pfe-0019-Backport-testsuite-Adjust-patchable_function-tests-f.patch gcc7-pfe-0020-Backport-Use-the-section-flag-o-for-__patchable_func.patch gcc7-pfe-0021-Backport-varasm-Fix-up-__patchable_function_entries-.patch gcc7-pfe-0022-Backport-rs6000-Avoid-fpatchable-function-entry-regr.patch gcc7-pfe-0023-Fix-unwinding-issues-when-pfe-is-enabled.patch to add -fpatchable-function-entry feature to gcc-7. - Add gcc7-ada-MINSTKSZ.patch to fix build with glibc 2.34. - Add bits/unistd_ext.h to the list of removed fixed includes. - Add gcc7-sanitizer-cyclades.patch to remove cyclades.h use from libsanitizer fixing builds with recent kernels. Package glib2 was updated: - Add glib2-CVE-2021-27218.patch: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328, glgo#GNOME/glib!1944) - Add glib2-CVE-2021-27219-add-g_memdup2.patch: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362, glgo#GNOME/glib!1927, glgo#GNOME/glib!1933, glgo#GNOME/glib!1943) Package glibc was updated: - always-do-locking-when-iterating-over-list-of-streams.patch: Upstream part of fix-locking-in-_IO_cleanup.patch - libio-do-not-attempt-to-free-wide-buffers-of-legacy-streams.patch: libio: do not attempt to free wide buffers of legacy streams (bsc#1183085, BZ #24228) - fix-locking-in-_IO_cleanup.patch: rediff - iconv-option-parsing.patch: Rewrite iconv option parsing (CVE-2016-10228, bsc#1027496, BZ #19519) - wordexp-param-overflow.patch: wordexp: handle overflow in positional parameter number (CVE-2021-35942, bsc#1187911, BZ #28011) - mq-notify-use-after-free.patch: Use __pthread_attr_copy in mq_notify (CVE-2021-33574, bsc#1186489, BZ #27896) Package gmp was updated: - Add gmp-6.2.1-CVE-2021-43618.patch to fix buffer overflow on malformed input to mpz_inp_raw. [bsc#1192717, CVE-2021-43618] Package gnutls was updated: - Security fix: [bsc#1183456, CVE-2021-20232] * A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. - Add gnutls-CVE-2021-20232.patch - Security fix: [bsc#1183457, CVE-2021-20231] * A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. - Add gnutls-CVE-2021-20231.patch Package google-guest-agent was updated: - Update to version 20210414.00 (bsc#1185848, bsc#1185849) * start sshd (#106) * Add systemd-networkd.service restart dependency. (#104) * Update error message for handleHealthCheckRequest. (#105) - Update to version 20210223.01 (bsc#1183414, bsc#1183415) * add a match block to sshd_config for SAs (#99) * add ipv6 forwarded ip support (#101) * call restorecon on ssh host keys (#98) * Include startup and shutdown in preset (#96) * set metadata URL earlier (#94) - Fix activation logic of systemd services (bsc#1182793) - Update to version 20201211.00 * Require snapshot scripts to live under /etc/google/snapshots (#90) * Adding support for Windows user account password lengths between 15 and 255 characters. (#91) * Adding bkatyl to OWNERS (#92) Package google-guest-configs was updated: - Update to version 20210317.00 (bsc#1183414, bsc#1183415) * dracut.conf wants spaces around values (#19) * make the same change for debian (#18) * change path back for google_nvme_id (#17) * move google_nvme_id to /usr/bin (#16) * correct udev rule syntax (#15) * prune el6 spec (#13) * Updated udev rules (#11) - Remove empty %{_sbindir} from %install and %files section - Remove service files (bsc#1180304) + google-optimize-local-ssd.service, google-set-multiqueue.service scripts are called from within the guest agent Package google-guest-oslogin was updated: - Update to version 20210728.00 (bsc#1188992, bsc#1189041) * JSON object cleanup (#65) - Update to version 20210707.00 * throw exceptions in cache_refresh (#64) - from version 20210702.00 * Use IP address for calling the metadata server. (#63) - Update to version 20210618.00 * flush each group member write (#62) - Update to version 20210429.00 (bsc#1185848, bsc#1185849) * correct pagetoken in groupsforuser (#59) * resolve self groups last (#58) * support empty groups (#57) * no paginating to find groups (#56) * clear users vector (#55) * correct usage of pagetoken (#54) - Update to version 20210316.00 (bsc#1183414, bsc#1183415) * call correct function in pwenthelper (#53) - Update to version 20210108.00 * Update logic in the cache_refresh binary (#52) * remove old unused workflow files (#49) Package google-osconfig-agent was updated: - Update to version 20210506.00 (bsc#1185848, bsc#1185849) * Add more os policy assignment examples (#348) * e2e_tests: enable stable tests for OSPolicies (#347) * Align start and end task logs (#346) * ConfigTask: add additional info logs (#345) * e2e_tests: add validation tests (#344) * Config Task: make sure agent respects policy mode (#343) * update * e2e_tests: readd retries to OSPolicies * Set minWaitDuration as a string instead of object (#341) * e2e_tests: Fix a few SUSE tests (#339) * Remove pre-release flag from config (#340) * e2e_tests: fixup OSPolicy tests (#338) * e2e_tests: unlock mutex for CreatePolicies as soon as create finishes (#337) * e2e_tests: Don't retry failed OSPolicy tests, fix msi test (#336) * Examples for os policy assignments (#334) * e2e_tests: increase the deadline for OSPolicy tests and only start after a zone has been secured (#335) * Fix panic when installing MSI (#332) * e2e_tests: Add test cases of installing dbe, rpm and msi packages (#333) * e2e_tests: add more logging * e2e_tests: (#330) * e2e_test: Add timouts to OSPolicy tests so we don't wait forever (#329) * Create top level directories for gcloud and console for os policy assignment examples (#328) * e2e_tests: Move api from an internal directory (#327) * Make sure we use the same test name for reruns (#326) * Add CONFIG_V1 capability (#325) * e2e_tests: reduce size of instances, use pd-balanced, rerun failed tests once (#324) * Only report installed packages for dpkg (#322) * e2e_tests: fix windows package and repository tests (#323) * Add top level directories for os policy examples (#321) * e2e_tests: move to using inventory api for inventory reporting (#320) * e2e_tests: add ExecResource tests (#319) * ExecResource: make sure we set permissions correctly for downloaded files (#318) * Config task: only run post check on resources that have already been evaluated (#317) * e2e_test: reorganize OSPolicy tests to be per Resource type (#316) * Set custom user agent (#299) * e2e_tests: check InstanceOSPoliciesCompliance for each test case, add LocalPath FileResource test (#314) * PackageResource: make sure to run AptUpdate prior to package install (#315) * Fix bugs/add more logging for OSPolicies (#313) * Change metadata http client to ignore http proxies (#312) * e2e_test: add tests for FileResource (#311) * Add task_type context logging (#310) * Fix e2e_test typo (#309) * Fix e2e_tests (#308) * Disable OSPolicies by default since it is an unreleased feature (#307) * e2e_tests: Add more OSPolicies package and repo tests (#306) * Do not enforce repo_gpgcheck in guestpolicies (#305) * Gather inventory 3-5min after agent start (#303) * e2e_tests: add OSPolicies tests for package install (#302) * Add helpful error log if a service account is missing (#304) * OSPolicies: correct apt repo extension, remove yum/zypper gpgcheck override (#301) * Update cos library to parse new version of packages file (#300) * config_task: Rework config step logic (#296) * e2e_test: enable serial logs in cos to support ReportInventory test (#297) - Update to version 20210316.00 (bsc#1183414, bsc#1183415) * ExecResource: fix bug in return code handling (#295) * Fix ExecResource permissions, add logs to fetcher (#294) * e2e_tests: Fix ubuntu proposed family (#293) * e2e_tests: add proposed debian images to head tests (#292) * Fix exec_resource for config task, add minimal unit test (#291) * Change util.WriteFile to AtomicWriteFileStream (#289) * Merge development branch into master (#288) * Create util.TempFile to work nicely with Windows (#287) * Fix copy step write (#286) * Fix error on linux lock (#285) * Ensure we cleanup on error in AtomicWrite (#284) * Make writes atomic, add unused "/allowDowngrades"/ option to apt, fix a few recipe issues (#283) * update reviewers (#282) * update apt package lists before running installs (#281) * Simplify build tags for COS package (#280) - Update to version 20210112.00 * Fix builds for ppc and s390x (#274) * Minor updates to tests and additional debug logging (#272) * Add Ubuntu 2004 to tests (#271) * Make sure we stop tickers (#270) * Drop Windows 1903 and CentOS 6 from tests (#269) * Pin el6 tests to last published image as it is EOL (#267) * support cos (#266) - Update to version 20201117.00 (bsc#1179031, bsc#1179032) * Ignore Unavailable erros on stream receive (#260) * Update test Windows images (#259) * update ReportInventory e2e test regexes (#255) * Don't return on a windows update error (#254) * use retryutil for ReportInventory calls (#253) * add additional debug logging for ReportInventory request payload for e2e tests (#252) * stop logging instance identity token as part of ReportInventory request and remove feature-flag setting in OSInventoryReporting e2e tests (#251) * complete ExecTask as no-op when the ExecStepConfig doesn't match the OS (#250) * Add software recipe tests for COS (#249) * remove feature flag for inventory reporting (#243) * Force yum to never colorize output (#247) * Add sleep after Unavailable errors for agentendpoint (#241) * Ensure we record epoch for rpm packages (#242) * Make inventory WUAUpdates call spawn a new process, retry on metadata unmarshal error (#239) * add debug logging for report inventory response (#240) * add initial e2e tests for inventory reporting (#237) * Report installed packages on COS (#236) Package gpg2 was updated: - Fix warning: agent returned different signature type ssh-rsa * The gpg-agent's ssh-agent does not handle flags in signing requests properly [bsc#1161268, bsc#1172308] * Add gnupg-gpg-agent-ssh-agent.patch Package graphviz was updated: - Added graphviz-2.40.1-fix-dot-segfault.patch to fix a segfault in dot bsc#1151207 - Added graphviz-out-of-bounds-write.patch to fix CVE-2020-18032 (bsc#1185833) Package growpart-rootgrow was updated: - Fix root partition ID lookup. Only consider trailing digits to be part of the paritition ID. (bsc#1188868) (bsc#1188904) - Change the logic to determine the partition ID of the root filesystem (bsc#1188179) + Previously the algorithm depended on the order of the output from lsblk using an index to keep track of the known partitions. The new implementation is order independent, it depends on the partition ID being numerical in nature and at the end of the device string. - Add coverage config. Omit version module from coverage check. - Fix string formatting for flake8 formatting. - Replace travis testing with GitHub actions. Add ci testing workflow action. - Switch implementation to use Popen for Python 3.4 compatibility (bsc#1165198) - Bump version: 1.0.2 â 1.0.3 - Fixed unit tests and style This clobbers several fixes into one. Sorry about it but I started on already made changes done by other people. This commit includes several pep8 style fixes mostly on the indentation level. In addition it fixes the unit tests to really cover all code and to make the exception tests really effective. - Switch to use Popen instead of run The run() fuction in the subprocess module was implemented after Python 3.4. However, we need to support Python 3.4 for SLES 12 - Bump version: 1.0.1 â 1.0.2 - Package LICENSE file The LICENSE file is part of the source repo but was not packaged with the rpm package Package grub2 was updated: - Fix boot failure as journaled data not get drained due to abrupt power off after grub-install (bsc#1167756) - Fix boot failure after kdump due to the content of grub.cfg is not completed with pending modificaton in xfs journal (bsc#1186975) * grub-install-force-journal-draining-to-ensure-data-i.patch - Fix error grub_file_filters not found in Azure virtual machine (bsc#1182012) * 0001-Workaround-volatile-efi-boot-variable.patch - Fix executable stack in grub-emu (bsc#1181696) * 0001-emu-fix-executable-stack-marking.patch Package hawk2 was updated: - Update to version 2.6.4: * Fix wizards ui (bsc#1184274) - Update to version 2.6.3: * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459) * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314) * Sanitize filename to contains whitelist of alphanumeric (bsc#1182165) Package insserv-compat was updated: Package ipvsadm was updated: - Hardening: link as position independent executable (bsc#1184988). * Added ipvsadm-PIE.patch Package irqbalance was updated: - not balancing interrupts in Xen guests (bsc#1178477, bsc#1183405) A procinterrupts-check-xen-dyn-event-more-flexible.patch Package java-1_8_0-ibm was updated: - Update to Java 8.0 Service Refresh 7 Fix Pack 0 [bsc#1194232] [bsc#1194198, bsc#1192052, CVE-2021-41035] [bsc#1191902, CVE-2021-35560] [bsc#1191904, CVE-2021-35578] [bsc#1191914, CVE-2021-35586] [bsc#1191913, CVE-2021-35564] [bsc#1191911, CVE-2021-35559] [bsc#1191910, CVE-2021-35556] [bsc#1191909, CVE-2021-35565] [bsc#1191905, CVE-2021-35588] - Update to Java 8.0 Service Refresh 6 Fix Pack 35 [bsc#1188565, CVE-2021-2369] [bsc#1188564, CVE-2021-2341] - Update to Java 8.0 Service Refresh 6 Fix Pack 30 [bsc#1185056, CVE-2021-2161][bsc#1185055, CVE-2021-2163] * Service, Build, Packaging and Deliver: - Symlink issue reported for javaws in jre packages - ibmjceplus security provider depends on msvcr120.dll on windows * Class Libraries: - Exception in pure ipv6 environment in IBM sdk - Fix security vulnerability CVE-2021-2161 - Update cacerts to include certificates from entrust and globalsign - Update timezone information to the latest tzdata2021a * Java Virtual Machine: - Sssertion failed at copyforwardscheme.cpp because a tag slot (0x3) was treated as an object - GPF event from method unlinkclassloadingconstraints - JVM takes more time to start up - xgc:classunloadingkickoffthreshold not working as expected * JIT Compiler: - The JIT incorrectly compiles a method consisting of non-javac generated bytecodes from java 8.0.6.20 and up to 8.0.6.30 * Security: - httpsurlconnection drops the timeout and hangs forever in read - sslsocket that is never bound or connected leaks socket resources - TLS connection always receives close_notify exception - JSSE fails to open racf keystores - Kerberos ticket renewal fails with debug enabled following java.lang.illegalstateexception - Update JSSE to oracle jdk8u281 fix level - Update to Java 8.0 Service Refresh 6 Fix Pack 26 * Java Virtual Machine: - Behaviour change in getmethod for java8_sr6_fp20 - Crash when outputting to verbose GC log using the specifier characters - Outofmemoryerror happens due to nursery heap space shortage * JIT Compiler: - Occasional assertion being triggered in code generation - SEGV when using hashmap$hashiterator.nextnode() in multiple threads concurrently Package json-c was updated: - Add patch bsc1171479.patch + fix integer overflow and out-of-bounds write (CVE-2020-12762, bsc#1171479) Package kdump was updated: - kdump-do-not-iterate-past-end-of-string.patch: URLParser::extractAuthority(): Do not iterate past end of string (bsc#1186037). - kdump-fix-incorrect-exit-code-checking.patch: Fix incorrect exit code checking after "/local"/ with assignment (bsc#1184616 LTC#192282). - kdump-Add-bootdev-to-dracut-command-line.patch: Add 'bootdev=' to dracut command line (bsc#1182309). - kdump-install-etc-resolv.conf-using-resolved-path.patch: Install /etc/resolv.conf using its resolved path (bsc#1183070). - kdump-avoid-endless-loop-EAI_AGAIN.patch: Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070). - kdump-query-systemd-network.service.patch: Query systemd network.service to find out if wicked is used (bsc#1182309). - kdump-check-explicit-ip-options.patch: Do not add network-related dracut options if ip= is set explicitly (bsc#1182309 bsc#1188090 LTC#193461). - kdump-activate-udev-rules-late-during-boot.patch: kdump: activate udev rules late during boot (bsc#1154837). - kdump-ensure-initrd.target.wants-directory.patch: Make sure that initrd.target.wants directory exists (bsc#1172670). - kdump-make-sure-that-the-udev-runtime-directory-exists.patch: Make sure that the udev runtime directory exists (bsc#1164713). Package kernel-default was updated: - Revert "/header.py: Reject Patch-mainline: No"/ Allow Patch-mainline: No on historical branch. - commit 93a453e - config: disable unprivileged BPF by default (jsc#SLE-22913) Backport of mainline commit 8a03e56b253e ("/bpf: Disallow unprivileged bpf by default"/) only changes kconfig default, used e.g. for "/make oldconfig"/ when the config option is missing, but does not update our kernel configs used for build. Update also these to make sure unprivileged BPF is really disabled by default. - commit 5f769a4 - infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802). - commit 8a8ebed - Refresh patches.suse/hisax-fix-spectre-issues.patch. - commit 8ad1382 - bpf: Remove MTU check in __bpf_skb_max_len (bsc#1192045 CVE-2021-0941). - commit 9de0315 - osst: fix spectre issue in osst_verify_frame (bsc#1192802). - mpt3sas: fix spectre issues (bsc#1192802). - infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802). - hysdn: fix spectre issue in hycapi_send_message (bsc#1192802). - hisax: fix spectre issues (bsc#1192802). - gigaset: fix spectre issue in do_data_b3_req (bsc#1192802). - iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802). - drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802). - media: wl128x: get rid of a potential spectre issue (bsc#1192802). - net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802). - sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802). - media: dvb_ca_en50221: prevent using slot_info for Spectre attacs (bsc#1192802). - media: dvb_ca_en50221: sanity check slot number from userspace (bsc#1192802). - commit f2e7f94 - bpf: Disallow unprivileged bpf by default (jsc#SLE-22913). - bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913) - Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set - commit 065d420 - dm ioctl: fix out of bounds array access when no devices (CVE-2021-31916 bsc#1192781). - commit 0ab7d09 - ipv4: make exception cache less predictible (bsc#1191790, CVE-2021-20322). - ipv4: use siphash instead of Jenkins in fnhe_hashfun() (bsc#1191790, CVE-2021-20322). - commit 74af5bd - config.sh: Merge fixup. - commit 6ed8fb4 - Revert "/config.sh: Build cve/linux-4.12 against SLE15-SP1."/ This reverts commit ec3bd8c5b541a336b6608cd92493d50ba56230dc. See https://github.com/openSUSE/suse-module-tools/pull/44 - commit bede44a - Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails (bsc#1191961 CVE-2021-34981). - commit 0392318 - Fix backport error - dir_cookie is a pointer to a u64, not a u64 Refresh patches.suse/0001-NFS-Do-uncached-readdir-when-we-re-seeking-a-cookie-.patch - commit 012f3db - config.sh: Build cve/linux-4.12 against SLE15-SP1. SLE15 is no longer updated and we will need recent update to suse-module-tools to continue building the kernel. - commit ec3bd8c - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400). - commit 047c233 - x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400). - commit 1ad6337 - ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267). - commit adeb3ce - usb: hso: fix error handling code of hso_create_net_device (bsc#1188601 CVE-2021-37159). - commit 3ae1a19 - blacklist.conf: blacklist pair of obsoleted patches (bsc#1188601 CVE-2021-37159) - commit 2c55ec1 - sctp: add vtag check in sctp_sf_ootb (CVE-2021-3772 bsc#1190351). - sctp: add vtag check in sctp_sf_do_8_5_1_E_sa (CVE-2021-3772 bsc#1190351). - sctp: add vtag check in sctp_sf_violation (CVE-2021-3772 bsc#1190351). - sctp: fix the processing for COOKIE_ECHO chunk (CVE-2021-3772 bsc#1190351). - sctp: fix the processing for INIT_ACK chunk (CVE-2021-3772 bsc#1190351). - sctp: fix the processing for INIT chunk (CVE-2021-3772 bsc#1190351). - sctp: use init_tag from inithdr for ABORT chunk (CVE-2021-3772 bsc#1190351). - sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351). - commit 81f6dbd - sctp: add param size validation for SCTP_PARAM_SET_PRIMARY (CVE-2021-3655 bsc#1188563). - sctp: validate chunk size in __rcv_asconf_lookup (CVE-2021-3655 bsc#1188563). - sctp: add size validation when walking chunks (CVE-2021-3655 bsc#1188563). - commit b0a2686 - cipso,calipso: resolve a number of problems with the DOI refcounts (CVE-2021-33033 bsc#1186109). - commit 017dde5 - nfc: nci: fix the UAF of rf_conn_info object (CVE-2021-3760 bsc#1190067). - commit 6401849 - Update patch reference for a firewire fix (CVE-2021-42739 CVE-2021-3542 bsc#1184673) - commit 7614f38 - xfs: fix up non-directory creation in SGID directories (bsc#1190006 CVE-2018-13405). - commit 888b5ee - xfs: remove the icdinode di_uid/di_gid members (bsc#1190006 CVE-2018-13405). - commit d7d9af2 - xfs: ensure that the inode uid/gid match values match the icdinode ones (bsc#1190006 CVE-2018-13405). - commit f969983 - kabi: hide return value type change of sctp_af::from_addr_param (CVE-2021-3655 bsc#1188563). - sctp: fix return value check in __sctp_rcv_asconf_lookup (CVE-2021-3655 bsc#1188563). - sctp: validate from_addr_param return (CVE-2021-3655 bsc#1188563). - sctp: fully initialize v4 addr in some functions (bsc#1188563). - commit 535a60e - Update patches.suse/net_sched-cls_route-remove-the-right-filter-from-has.patch references (add CVE-2021-3715 bsc#1190349). - commit 2e6d83a - ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1191888). - commit 1377d31 - media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() (CVE-2021-3542 bsc#1184673). - commit d196d58 - net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800). - commit 88ae105 - scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1191349). - commit 3f943d1 - scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling (bsc#1191349 bsc#1191457). - scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1191349 bsc#1191457). - commit c13ac76 - NFS: Do uncached readdir when we're seeking a cookie in an empty page cache (bsc#1191628). - commit 5b6b8b4 - powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC (bsc#1188983 CVE-2021-34556 bsc#1188985 CVE-2021-35477). - powerpc/security: Add a helper to query stf_barrier type (bsc#1188983 CVE-2021-34556 bsc#1188985 CVE-2021-35477). - powerpc/bpf: Validate branch ranges (bsc#1188983 CVE-2021-34556 bsc#1188985 CVE-2021-35477). - powerpc/lib: Add helper to check if offset is within conditional branch range (bsc#1188983 CVE-2021-34556 bsc#1188985 CVE-2021-35477). - commit d4beb54 - Move upstreamed bpf patch into sorted section - commit 848cbf8 - soc: aspeed: lpc-ctrl: Fix boundary check for mmap (CVE-2021-42252 bsc#1190479). - commit 5b9f8af - target: core: Fix sense key for invalid XCOPY request (bsc#1186078). - scsi: target: avoid using lun_tg_pt_gp after unlock (bsc#1186078). - commit fe0b62b - bpf: Fix integer overflow in prealloc_elems_and_freelist() (bsc#1191317, CVE-2021-41864). - commit d0cde41 - net: 6pack: fix slab-out-of-bounds in decode_data (CVE-2021-42008 bsc#1191315). - commit 7ea0770 - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115 CVE-2021-3759). - Delete patches.suse/ipc-remove-memcg-accounting-for-sops-objects.patch. This commit is effectively patch refresh but filename changed too. This only adds metadata to the patch after it was accepted upstream. - commit d2aacd0 - kABI compatibility for ath_key_delete() changes (CVE-2020-3702 bsc#1191193). - commit f8ebcef - ath9k: Postpone key cache entry deletion for TXQ frames reference it (CVE-2020-3702 bsc#1191193). - ath: Modify ath_key_delete() to not need full key entry (CVE-2020-3702 bsc#1191193). - ath: Export ath_hw_keysetmac() (CVE-2020-3702 bsc#1191193). - ath9k: Clear key cache explicitly on disabling hardware (CVE-2020-3702 bsc#1191193). - ath: Use safer key clearing with key cache entries (CVE-2020-3702 bsc#1191193). - commit 9bf1f45 - kabi/severities: skip kABI check for ath9k-local symbols (CVE-2020-3702 bsc#1191193) ath9k modules have some exported symbols for the common helpers and the recent fixes broke kABI of those. They are specific to ath9k's own usages, so safe to ignore. - commit b554871 - net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726). - net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726). - net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726). - net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726). - net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726). - net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726). - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726). - net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726). - net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726). - net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726). - hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726). - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726). - net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726). - commit a964401 - Bluetooth: check for zapped sk before connecting (CVE-2021-3752 bsc#1190023). - commit 7504476 - net: sched: sch_teql: fix null-pointer dereference (bsc#1190717). - commit 7ff24ce - s390/bpf: Fix optimizing out zero-extensions (bsc#1190601). - s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601). - s390/bpf: Fix branch shortening during codegen pass (bsc#1190601). - s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601). - s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601). - commit 79e76b1 - ext4: fix race writing to an inline_data file while its xattrs are changing (bsc#1190159 CVE-2021-40490). - commit 3973759 - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() (bsc#1189884 CVE-2021-3744 bsc#1190534 CVE-2021-3764). - commit 5fef1e1 - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - commit 2e73db0 - mm/memory.c: do_fault: avoid usage of stale vm_area_struct (bsc#1136513). - commit c081da7 - bpf: Fix leakage due to insufficient speculative store bypass mitigation (bsc#1188983, bsc#1188985, CVE-2021-34556, CVE-2021-35477). - Refresh patches.kabi/bpf-prevent-memory-disambiguation-attack.patch. - Refresh patches.kabi/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch. - commit 15cd454 - scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE-2020-12770). - commit c1e2c47 - Bluetooth: schedule SCO timeouts with delayed_work (CVE-2021-3640 bsc#1188172). - Refresh patches.kabi/bt_accept_enqueue-kabi-workaround.patch. - Refresh patches.suse/Bluetooth-switch-to-lock_sock-in-SCO.patch. - commit adfd842 - Revert "/memcg: enable accounting for file lock caches (bsc#1190115)."/ This reverts commit 912b4421a3e9bb9f0ef1aadc64a436666259bd4d. It's effectively upstream commit 3754707bcc3e190e5dadc978d172b61e809cb3bd applied to kernel-source (to avoid proliferation of patches). Make a note in blacklist.conf too. - commit 84da196 - vhost: scsi: add weight support (CVE-2019-3900 bsc#1133374). - vhost: vsock: add weight support (CVE-2019-3900 bsc#1133374). - vhost_net: fix possible infinite loop (CVE-2019-3900 bsc#1133374). - refresh patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch - kabi: mask changes to vhost_dev_init() and struct vhost_dev (CVE-2019-3900 bsc#1133374). - vhost: introduce vhost_exceeds_weight() (CVE-2019-3900 bsc#1133374). - vhost_net: introduce vhost_exceeds_weight() (CVE-2019-3900 bsc#1133374). - refresh patches.suse/vhost-log-dirty-page-correctly.patch - vhost_net: use packet weight for rx handler, too (CVE-2019-3900 bsc#1133374). - refresh patches.suse/vhost-log-dirty-page-correctly.patch - vhost-net: set packet weight of tx polling to 2 * vq size (CVE-2019-3900 bsc#1133374). - commit fac5272 - sctp: implement memory accounting on rx path (CVE-2019-3874 bsc#1129898). - sctp: implement memory accounting on tx path (CVE-2019-3874 bsc#1129898). - commit d1cd2ad - Update patches.suse/l2tp-pass-tunnel-pointer-to-session_create.patch references (add CVE-2018-9517 bsc#1108488). - commit 902e6bb - memcg: enable accounting of ipc resources (bsc#1190115 CVE-2021-3759). - memcg: enable accounting for file lock caches (bsc#1190115). - commit e2a14e4 - virtio_console: Assure used length from device is limited (CVE-2021-38160 bsc#1190117). - commit 495fc27 - scsi: libfc: Fix array index out of bound exception (bsc#1188616). - commit e62158e - Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() (CVE-2021-3640 bsc#1188172). - commit d78ba89 - Move upstreamed BT fixes into sorted section - commit 52a00c3 - vt_kdsetmode: extend console locking (bsc#1190025 CVE-2021-3753). - commit 9420ba7 - ovl: prevent private clone if bind mount is not allowed (bsc#1189706, CVE-2021-3732). - ovl: fix dentry leak in ovl_get_redirect (bsc#1189846). - ovl: initialize error in ovl_copy_xattr (bsc#1189846). - ovl: relax WARN_ON() on rename to self (bsc#1189846). - ovl: filter of trusted xattr results in audit (bsc#1189846). - ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846). - commit 1f3eb84 - PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973). - commit 7c750ac - bpf: Introduce BPF nospec instruction for mitigating Spectre v4 (bsc#1188983, bsc#1188985, CVE-2021-34556, CVE-2021-35477). - commit 84b20f7 - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (bsc#1189399, CVE-2021-3653). - KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (bsc#1189400, CVE-2021-3656). - KVM: X86: MMU: Use the correct inherited permissions to get shadow page (CVE-2021-38198 bsc#1189262). - commit 9c35f8d - Bluetooth: switch to lock_sock in SCO (CVE-2021-3640 bsc#1188172). - Bluetooth: avoid circular locks in sco_sock_connect (CVE-2021-3640 bsc#1188172). - commit 73d3a49 - Bluetooth: defer cleanup of resources in hci_unregister_dev() (CVE-2021-3640 bsc#1188172). - commit c8012e0 - usb: max-3421: Prevent corruption of freed memory (CVE-2021-38204 bsc#1189291). - commit cfb9fc6 - tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop (CVE-2021-3679 bsc#1189057). - commit dfd73b3 - powerpc/pesries: Get STF barrier requirement from H_GET_CPU_CHARACTERISTICS (CVE-2018-3639 bsc#1087082 git-fixes bsc#1188885 ltc#193722). - powerpc/security: Add a security feature for STF barrier (CVE-2018-3639 bsc#1087082 git-fixes bsc#1188885 ltc#193722). - powerpc/pseries: Get entry and uaccess flush required bits from H_GET_CPU_CHARACTERISTICS (CVE-2020-4788 bsc#1177666 git-fixes bsc#1188885 ltc#193722). - powerpc/64s: rename pnv|pseries_setup_rfi_flush to _setup_security_mitigations (CVE-2018-3639, bsc#1087082, bsc#1188885 ltc#193722). - commit bd9e95f - Update patch-mainline and git-commit tags Refresh: - patches.suse/0001-netfilter-conntrack-add-new-sysctl-to-disable-RST-ch.patch - patches.suse/0001-netfilter-conntrack-improve-RST-handling-when-tuple-.patch - commit b202481 - net: mac802154: Fix general protection fault (CVE-2021-3659 bsc#1188876). - commit c0396b9 - xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377). - commit 6f8f910 - Update patches.suse/l2tp-ensure-sessions-are-freed-after-their-PPPOL2TP-.patch references (add CVE-2020-0429 bsc#1176724). - Update patches.suse/l2tp-fix-race-between-l2tp_session_delete-and-l2tp_t.patch references (add CVE-2020-0429 bsc#1176724). - commit b29ebd9 - use 3.0 SPDX identifier in rpm License tags As requested by Maintenance, change rpm License tags from "/GPL-2.0"/ (SPDX 2.0) to "/GPL-2.0-only"/ (SPDX 3.0) so that their scripts do not have to adjust the tags with each maintenance update submission. - commit f888e0b - KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow (bsc#1188838 CVE-2021-37576). - commit 50c1fab - KVM: do not allow mapping valid but non-reference-counted pages (bsc#1186482, CVE-2021-22543). - KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped() (bsc#1186482, CVE-2021-22543). - KVM: do not assume PTE is writable after follow_pfn (bsc#1186482, CVE-2021-22543). - kvm: Map PFN-type memory regions as writable (if possible) (bsc#1186482, CVE-2021-22543). - commit 9c4f9b4 - Update seq_file fix to the upstreamed one and moved into sorted section (bsc#1188062, CVE-2021-33909). - commit 175d85f - rpm/kernel-binary.spec.in: Do not install usrmerged kernel on Leap (boo#1184804). - commit 5b51131 - netfilter: x_tables: fix compat match/target pad out-of-bound write (CVE-2021-22555 bsc#1188116). - commit 62f1359 - kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081). - af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081). - net/mlx5e: Trust kernel regarding transport offset (bsc#1176081). - net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081). - net/packet: Remove redundant skb->protocol set (bsc#1176081). - net/packet: Ask driver for protocol if not provided by user (bsc#1176081). - net/ethernet: Add parse_protocol header_ops support (bsc#1176081). - net: Introduce parse_protocol header_ops callback (bsc#1176081). - net: Don't set transport offset to invalid value (bsc#1176081). Refresh patches.suse/net-stricter-validation-of-untrusted-gso-packets.patch - commit 64b2283 - rpm/kernel-binary.spec.in: Remove zdebug define used only once. - commit 85a9fc2 - kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042). - commit 7f97df2 - seq_file: Disallow extremely large seq buffer allocations (bsc#1188062, CVE-2021-33909). - commit c848c42 - kernel-binary.spec: Fix up usrmerge for non-modular kernels. - commit d718cd9 - can: bcm: delay release of struct bcm_op after synchronize_rcu() (CVE-2021-3609 bsc#1187215). - commit 36fe7da - kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is repleced by echo on newer kernel - commit d9209e7 - SUNRPC: More fixes for backlog congestion (bsc#1185428). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - commit ae05351 - bpf: Fix leakage under speculation on mispredicted branches (bsc#1187554,CVE-2021-33624). - commit daa92a2 - af_key: pfkey_dump needs parameter validation (CVE-2021-0605 bsc#1187601). - commit 685407a - resource: Fix find_next_iomem_res() iteration issue (bsc#1181193). - Refresh patches.suse/resource-fix-locking-in-find_next_iomem_res.patch. - commit 021a265 - HID: make arrays usage and value to be the same (CVE-2021-0512 bsc#1187595). - commit 3d7a48c - Update patch reference for a BT fix (CVE-2020-26558) - commit ee30101 - bpf: Fix leakage under speculation on mispredicted branches (bsc#1187554,CVE-2021-33624). - commit df48014 - can: bcm: fix infoleak in struct bcm_msg_head (CVE-2021-34693 bsc#1187452). - commit 8f80d3a - x86/debug: Extend the lower bound of crash kernel low reservations (bsc#1153720). - commit 1477041 - UsrMerge the kernel (boo#1184804) - Move files in /boot to modules dir The file names in /boot are included as %ghost links. The %post script creates symlinks for the kernel, sysctl.conf and System.map in /boot for compatibility. Some tools require adjustments before we can drop those links. If boot is a separate partition, a copy is used instead of a link. The logic for /boot/vmlinuz and /boot/initrd doesn't change with this patch. - Use /usr/lib/modules as module dir when usermerge is active in the target distro. - commit 6f5ed04 - kernel-binary.spec.in: Regenerate makefile when not using mkmakefile. - commit 6b30fe5 - x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193). - x86/mm: Rework ioremap resource mapping determination (bsc#1181193). - x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193). - commit 40951e1 - rpm/kernel-binary.spec.in: Fix handling of +arch marker (bsc#1186672) The previous commit made a module wrongly into Module.optional. Although it didn't influence on the end result, better to fix it. Also, add a comment to explain the markers briefly. - commit 8f79742 - Add arch-dependent support markers in supported.conf (bsc#1186672) We may need to put some modules as supported only on specific archs. This extends the supported.conf syntax to allow to put +arch additionally after the unsupported marker, then it'll be conditionally supported on that arch. - commit 8cbdb41 - Create Symbols.list and ipa-clones.list determistically without this patch, filesystem readdir order would influence order of entries in these files. This patch was done while working on reproducible builds for SLE. - commit a898b6d - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy (bsc#1187050, CVE-2020-36385) - commit ee0f2cc - Bluetooth: SMP: Fail if remote and local public keys are identical (bsc#1186463 CVE-2021-0129). - commit effcfea - scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701). - commit c68883a - kernel-binary.spec.in: Add Supplements: for -extra package on Leap kernel-$flavor-extra should supplement kernel-$flavor on Leap, like it does on SLED, and like the kernel-$flavor-optional package does. - commit c60d87f - Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() (CVE-2020-36386 bsc#1187038). - commit e0be120 - cfg80211: mitigate A-MSDU aggregation attacks (CVE-2020-24588 bsc#1185861). - commit 821e5ae - Refresh patches.suse/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch. Adjust the diff for fixup_bpf_calls() to apply to the correct code block - commit dd58306 - kernel-binary.spec.in: build-id check requires elfutils. - commit 01569b3 - kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no longer has a mkmakefile script - commit b453c7b - bpf: No need to simulate speculative domain for immediates (bsc#1186484,CVE-2021-33200). - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1186484,CVE-2021-33200). Refresh patches.suse/bpf-Wrap-aux-data-inside-bpf_sanitize_info-container.patch - bpf: Fix masking negation logic upon negative dst register (bsc#1186484,CVE-2021-33200). - commit b1c6278 - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - commit 34df908 - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - commit f464560 - netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950). - commit 95f7e6e - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - commit 1c49817 - bpf: Fix mask direction swap upon off reg sign change (bsc#1186484,CVE-2021-33200). - bpf: Wrap aux data inside bpf_sanitize_info container (bsc#1186484,CVE-2021-33200). - commit 3ce8728 - Refresh ibmvfc patch metadata, move to sorted section. - commit effe5ef - Refresh ibmvfc patches to upstream version. - commit f0f2d59 - powerpc/64s: Fix crashes when toggling entry flush barrier (CVE-2020-4788 bsc#1177666 git-fixes). - commit 3917f8f - powerpc/64s: Fix crashes when toggling stf barrier (CVE-2018-3639 bsc#1087082 git-fixes). - commit 2a6a70d - kABI workaround for hci_chan amp field addition (CVE-2021-33034 bsc#1186111). - commit 53b1091 - Bluetooth: verify AMP hci_chan before amp_destroy (CVE-2021-33034 bsc#1186111). - commit daddd4e - video: hyperv_fb: Add ratelimit on error message (bsc#1185725). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725). - commit 3a35d96 - Correct CVE number for a mac80211 fix (CVE-2020-26139 bsc#1186062) - commit 9e5446b - net/nfc: fix use-after-free llcp_sock_bind/connect (CVE-2021-23134 bsc#1186060). - commit 577df82 - kABI workaround for cfg80211 changes (CVE-2020-24586 bsc#1185859). - ath10k: Validate first subframe of A-MSDU before processing the list (CVE-2020-26141 bsc#1185863 bsc#1185987). - ath10k: Fix TKIP Michael MIC verification for PCIe (CVE-2020-26141 bsc#1185863 bsc#1185987). - ath10k: drop fragments with multicast DA for PCIe (CVE-2020-26145 bsc#1185860). - mac80211: extend protection against mixed key and fragment cache attacks (CVE-2020-24586 bsc#1185859). - mac80211: do not accept/forward invalid EAPOL frames (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859). - mac80211: prevent attacks on TKIP/WEP as well (CVE-2020-24586 bsc#1185859). - mac80211: check defrag PN against current frame (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859). - mac80211: add fragment cache to sta_info (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185859). - mac80211: drop A-MSDUs on old ciphers (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859). - mac80211: properly handle A-MSDUs that start with an RFC 1042 header (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859). - mac80211: prevent mixed key and fragment cache attacks (CVE-2020-24587 CVE-2020-24586 bsc#1185863 bsc#1185862 bsc#1185859). - mac80211: assure all fragments are encrypted (CVE-2020-26147 bsc#1185863 bsc#1185859). - commit f9c088d - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - commit c4c07db - scripts/git_sort/git_sort.py: add bpf git repo - commit 65979e3 - proc: Avoid mixing integer types in mem_rw() (CVE-2021-3491 bsc#1185642). - commit fb84449 - blacklist: add commit b166a20b0738 Mainline commit b166a20b0738 ("/net/sctp: fix race condition in sctp_destroy_sock"/) was found buggy so that it was reverted by commit 01bfe5e8e428 ("/Revert "/net/sctp: fix race condition in sctp_destroy_sock"/"/) and replaced by a new fix, commit 34e5b0118685 ("/sctp: delay auto_asconf init until binding the first addr"/). - commit 23ad848 - sctp: delay auto_asconf init until binding the first addr (CVE-2021-23133 bsc#1184675). - commit c06b5aa - bluetooth: eliminate the potential race condition when removing the HCI controller (CVE-2021-32399 bsc#1185898). - commit 4b51cab - dm: fix redundant IO accounting for bios that need splitting (bsc#1183738). - commit 57165ff - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale. - commit 0db6da1 - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - commit eb7a0e7 - rpm: drop /usr/bin/env in interpreter specification OBS checks don't like /usr/bin/env in script interpreter lines but upstream developers tend to use it. A proper solution would be fixing the depedency extraction and drop the OBS check error but that's unlikely to happen so that we have to work around the problem on our side and rewrite the interpreter lines in scripts before collecting files for packages instead. - commit 45c5c1a - scripts/git_sort/git_sort.py: Update nvme repositories - commit e849c44 - Update patches.suse/net-fix-race-condition-in-__inet_lookup_established.patch (bsc#1151794 bsc#1180624). - handle also the opposite type of race condition - commit 783d87d - KVM: Add proper lockdep assertion in I/O bus unregister (CVE-2020-36312 bsc#1184509). - KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (CVE-2020-36312 bsc#1184509). - KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU (CVE-2020-36312 bsc#1184509). - commit bc1f707 - rpm/constraints.in: bump disk space to 45GB on riscv64 - commit f8b883f - rpm/constraints.in: remove aarch64 disk size exception obs://Kernel:stable/kernel-default/ARM/aarch64 currrently fails: installing package kernel-default-livepatch-devel-5.12.0-3.1.g6208a83.aarch64 needs 3MB more space on the / filesystem The stats say: Maximal used disk space: 31799 Mbyte By default, we require 35G. For aarch64 we had an exception to lower this limit to 30G there. Drop this exception as it is obviously no longer valid. - commit ee00b50 - netfilter: x_tables: Use correct memory barriers (bsc#1184208 CVE-2021-29650). - commit 719c6a8 - rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244) - commit 52805ed - kabi: nvme: fix fast_io_fail_tmo (bsc#1181161). - commit 8f8dc4a - nvme-fabrics: reject I/O to offline device (bsc#1181161). - commit 9f5a8f9 - nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161). - commit f48dbc6 - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161). - commit b19606e - nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161). - commit a2912f9 - nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161). - commit 44d9e40 - nvme-tcp: avoid repeated request completion (bsc#1181161). - commit 43a6479 - nvme-rdma: avoid repeated request completion (bsc#1181161). - commit 364febe - nvme-tcp: avoid race between time out and tear down (bsc#1181161). - commit 7c77c21 - nvme-rdma: avoid race between time out and tear down (bsc#1181161). - commit 2b90938 - nvme: introduce nvme_sync_io_queues (bsc#1181161). - commit 513d68a - nvme-fabrics: allow to queue requests for live queues (bsc#1181161). - commit 6e870fd - nvme-rdma: fix timeout handler (bsc#1181161). - commit e05f968 - nvme-rdma: serialize controller teardown sequences (bsc#1181161). - commit 871c29c - nvme-tcp: fix timeout handler (bsc#1181161). - commit 904ed9c - nvme-tcp: serialize controller teardown sequences (bsc#1181161). - commit 2634c7c - nvme-fabrics: don't check state NVME_CTRL_NEW for request acceptance (bsc#1181161). - commit 2a84cd5 - nvme-rdma: fix controller reset hang during traffic (bsc#1181161). - commit 18206ad - nvme-tcp: fix controller reset hang during traffic (bsc#1181161). - commit 4fdf590 - nvme: unlink head after removing last namespace (bsc#1181161). - commit 30b587a - nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161). - commit 847d812 - nvme: introduce "/Command Aborted By host"/ status code (bsc#1181161). - commit c6ffd2d - nvme: include admin_q sync with nvme_sync_queues (bsc#1181161). - commit 62c9354 - kabi: Fix nvmet error log definitions (bsc#1181161). - commit fd8ba73 - kabi: Fix breakage in NVMe driver (bsc#1181161). Fix to the changes introduced by patch patches.suse/nvme-make-fabrics-command-run-on-a-separate-request-.patch - commit b9af701 - nvme: make fabrics command run on a separate request queue (bsc#1181161). - Refresh patches.suse/nvme-fc-set-max_segments-to-lldd-max-value.patch. Context adjustment in refreshed patch. - commit 33615b9 - nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161). - commit 8a22637 - nvme-pci: Sync queues on reset (bsc#1181161). - commit 4acae24 - nvmet: add error log support for fabrics-cmd (bsc#1181161). - commit d8c2f0d - nvmet: add error-log definitions (bsc#1181161). - commit 8327be0 - nvme: add error log page slot definition (bsc#1181161). - commit 56e4bcb - nvme: Restart request timers in resetting state (bsc#1181161). - commit e8075c3 - rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063). Previously essiv was part of dm-crypt but now it is separate. Include the module in kernel-obs-build when available. Fixes: 7cf5b9e26d87 ("/rpm/kernel-obs-build.spec.in: add dm-crypt for building with cryptsetup"/) - commit fe15b78 - Revert "/rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)"/ This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113). - commit d771304 - rpm/check-for-config-changes: add AS_HAS_* to ignores arch/arm64/Kconfig defines a lot of these. So far our current compilers seem to support them all. But it can quickly change with SLE later. - commit a4d8194 - bpf: Tighten speculative pointer arithmetic mask (bsc#1184942 CVE-2021-29155). - bpf: Move sanitize_val_alu out of op switch (bsc#1184942 CVE-2021-29155). - bpf: Refactor and streamline bounds check into helper (bsc#1184942 CVE-2021-29155). - bpf: Improve verifier error messages for users (bsc#1184942 CVE-2021-29155). - bpf: Rework ptr_limit into alu_limit and add common error path (bsc#1184942 CVE-2021-29155). - bpf: Ensure off_reg has no mixed signed bounds for all types (bsc#1184942 CVE-2021-29155). - bpf: Move off_reg into sanitize_ptr_alu (bsc#1184942 CVE-2021-29155). - commit c3fe286 - blacklist.conf: Add b6b79dd53082 powerpc/64s: Fix allnoconfig build since uaccess flush - commit e9d5937 - Refresh ppc L1D flush patch metadata. - commit 9db13af - rpm/check-for-config-changes: remove stale comment It is stale since 8ab393bf905a committed in 2005 :). - commit c9f9f5a - rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650) - commit f37613f - Update bsc#1184170 fixes to fix a mistakenly modified BPF instruction - Refresh patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch. - Refresh patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch - commit e62aa97 - KVM: SVM: avoid infinite loop on NPF from bad address (CVE-2020-36310 bsc#1184512). - commit a90e23c - rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514) The devel package requires the kernel binary package itself for building modules externally. - commit 794be7b - KVM: fix memory leak in kvm_io_bus_unregister_dev() (CVE-2020-36312 bsc#1184509). - commit 8663791 - xen/events: fix setting irq affinity (bsc#1184583 XSA-332 CVE-2020-27673). - commit de73046 - bpf, x86: Validate computation of branch displacements for x86-64 (bsc#1184391 CVE-2021-29154). - commit 1d1eb4d - nfc: Avoid endless loops caused by repeated llcp_sock_connect() (CVE-2020-25673 bsc#1178181). - nfc: fix memory leak in llcp_sock_connect() (CVE-2020-25672 bsc#1178181). - nfc: fix refcount leak in llcp_sock_connect() (CVE-2020-25671 bsc#1178181). - nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670 bsc#1178181). - commit 71faffc - KVM: SVM: Periodically schedule when unregistering regions on destroy (bsc#1184511 CVE-2020-36311). - commit e140650 - rpm/check-for-config-changes: Also ignore AS_VERSION added in 5.12. - commit bd64cb2 - post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388). - commit 18f65df - Update bsc#1184170 fixes to do 32bit jump correctly - Refresh patches.suse/bpf-Fix-32-bit-src-register-truncation-on-div-mod.patch. - Refresh patches.suse/bpf-Fix-truncation-handling-for-mod32-dst-reg-wrt-ze.patch. - commit c609295 - ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997). - commit adfe469 - fuse: fix live lock in fuse_iget() (bsc#1184211 CVE-2021-28950). - fuse: fix bad inode (bsc#1184211 CVE-2020-36322). - commit 920863f - media: v4l: ioctl: Fix memory leak in video_usercopy (bsc#1184120 CVE-2021-30002). - commit f75d1ab - media: v4l: ioctl: Fix memory leak in video_usercopy (bsc#1184120 CVE-2021-30002). - commit 08b20fe - firewire: nosy: Fix a use-after-free bug in nosy_ioctl() (CVE-2021-3483 bsc#1184393). - commit 9292696 - Update patch reference of tty fix (CVE-2021-20219 bsc#1184397) - commit b4b1b38 - net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - commit 72e236c - btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193 CVE-2021-28964). - commit 8039ed4 - bpf: Fix truncation handling for mod32 dst reg wrt zero (bsc#1184170 CVE-2021-3444). - bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170). - commit 0962666 - bpf: fix subprog verifier bypass by div/mod by 0 exception (bsc#1184170). - Refresh patches.suse/bpf-move-tmp-variable-into-ax-register-in-interprete.patch. - commit 4d5a2c3 - perf/x86/intel: Fix a crash caused by zero PEBS status (CVE-2021-28971 bsc#1184196). - commit 40c1d32 - xen-blkback: don't leak persistent grants from xen_blkbk_map() (bsc#1183646, CVE-2021-28688, XSA-371). - commit 55909b8 - usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (CVE-2021-29265 bsc#1184167). - commit 6095add - gianfar: fix jumbo packets+napi+rx overrun crash (CVE-2021-29264 bsc#1184168). - commit 9dcbb37 - PCI: rpadlpar: Fix potential drc_name corruption in store functions (CVE-2021-28972 bsc#1184198). - commit 6348e09 - net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() (CVE-2021-29647 bsc#1184192). - commit 3ab36f2 - bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775). - bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775). - bpf: Fix off-by-one for area size in creating mask to left (bsc#1183775 CVE-2020-27171). - bpf: Prohibit alu ops for pointer types not defining ptr_limit (bsc#1183686 CVE-2020-27170). - commit dbf16ca - nvme: return an error if nvme_set_queue_count() fails (bsc#1180197). - commit 62966a2 - Fix a typo in r8188eu fix patch that caused a build error (CVE-2021-28660 bsc#1183593) - commit b574698 - Update patch reference for x25 fix (CVE-2020-35519 bsc#1183696) - commit c241986 - staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() (CVE-2021-28660 bsc#1183593). - commit 5b4b262 - Update tags patches.suse/ext4-check-journal-inode-extents-more-carefully.patch (bsc#1173485 bsc#1183509 CVE-2021-3428). - commit f1fc1ff - blk-mq: move _blk_mq_update_nr_hw_queues synchronize_rcu call (CVE-2020-0433 bsc#1176720). - blk-mq: Allow blocking queue tag iter callbacks (CVE-2020-0433 bsc#1176720 bsc#1167316). - commit 7fb1c08 - Update patches.suse/Xen-gnttab-handle-p2m-update-errors-on-a-per-slot-ba.patch (bsc#1183022 XSA-367 CVE-2021-28038): added CVE number - Update patches.suse/xen-netback-respect-gnttab_map_refs-s-return-value.patch (bsc#1183022 XSA-367 CVE-2021-28038): added CVE number - commit cfcdec5 - xen/events: avoid handling the same event on two cpus at the same time (bsc#1183638 XSA-332 CVE-2020-27673). - commit 89c8a49 - xen/events: don't unmask an event channel when an eoi is pending (bsc#1183638 XSA-332 CVE-2020-27673). - commit e4088d0 - xen/events: reset affinity of 2-level event when tearing it down (bsc#1183638 XSA-332 CVE-2020-27673). - commit 6e06fe9 - jfs: Fix array index bounds check in dbAdjTree (bsc#1179454 CVE-2020-27815). - commit 981c2ff - Refresh patches.suse/ibmvnic-fix-a-race-between-open-and-reset.patch. - commit 14b37a2 - rpm/check-for-config-changes: comment on the list To explain what it actually is. - commit e94bacf - rpm/check-for-config-changes: define ignores more strictly * search for whole words, so make wildcards explicit * use ' for quoting * prepend CONFIG_ dynamically, so it need not be in the list - commit f61e954 - rpm/check-for-config-changes: sort the ignores They are growing so to make them searchable by humans. - commit 67c6b55 - rpm/check-for-config-changes: add -mrecord-mcount ignore Added by 3b15cdc15956 (tracing: move function tracer options to Kconfig) upstream. - commit 018b013 - Correct bugzilla reference (CVE-2021-27365 CVE-2021-27363 CVE-2021-27364 bsc#1182716 bsc#1182717 bsc#1182715) - commit c6090b9 - scsi: iscsi: Verify lengths on passthrough PDUs (CVE-2021-27365 bsc#182715). - scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE (CVE-2021-27365 bsc#182715). - scsi: iscsi: Restrict sessions and handles to admin capabilities (CVE-2021-27363 CVE-2021-27364 bsc#182716 bsc#182717). - scsi: iscsi: Verify lengths on passthrough PDUs (CVE-2021-27365 bsc#182715). - scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE (CVE-2021-27365 bsc#182715). - scsi: iscsi: Restrict sessions and handles to admin capabilities (CVE-2021-27363 CVE-2021-27364 bsc#182716 bsc#182717). - commit 6898b4f - bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455). - bfq: update internal depth state when queue depth changes (bsc#1172455). - commit a6276eb - ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844). - commit 746c605 - rpm/check-for-config-changes: declare sed args as an array So that we can reuse it in both seds. This also introduces IGNORED_CONFIGS_RE array which can be easily extended. - commit a1976d2 - xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022 XSA-367). - commit 6e61f26 - Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367). - commit 1ab6d01 - rpm/check-for-config-changes: ignore more configs Specifially, these: * CONFIG_CC_HAS_* * CONFIG_CC_HAVE_* * CONFIG_CC_CAN_* * CONFIG_HAVE_[A-Z]*_COMPILER * CONFIG_TOOLS_SUPPORT_* are compiler specific too. This will allow us to use super configs using kernel's dummy-tools. - commit d12dcbd - ibmvnic: store valid MAC address (bsc#1182011). - commit 54870aa - usb: dwc2: Make "/trimming xfer length"/ a debug message (bsc#1180262). - usb: dwc2: Abort transaction after errors with unknown reason (bsc#1180262). - usb: dwc2: Do not update data length if it is 0 on inbound transfers (bsc#1180262). - commit 8a278e5 - Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes). - commit 1e4ac7f - mm, THP, swap: make reuse_swap_page() works for THP swapped out (partial) (CVE-2020-29368, bsc#1179660.). - commit 556db3f - mm: thp: fix MADV_REMOVE deadlock on shmem THP (CVE-2020-29368, bsc#1179660.). - commit 4eb863b - mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() (CVE-2020-29368, bsc#1179660.). - commit 2881aaa - nvme-multipath: Early exit if no path is available (bsc#1180964). - commit 0789e5e - ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293). - commit b44b587 - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671). - commit de8dc4f - btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047). - commit 4522878 - btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - commit b1bf992 - btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - commit b9625d8 - btrfs: Cleanup try_flush_qgroup (bsc#1182047). - commit a3f071f - btrfs: Don't flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - commit 1c8c274 - btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - commit 5da7303 - macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost. - commit d0b887e - scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617). - commit 3fa1a11 - libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442). - Use the above upstream patch to replace the following in-house patch, patches.suse/nvdimm-Avoid-race-between-probe-and-reading-device-a.patch. - commit 8e49f2a - rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439) - commit b74d860 - xen-blkback: fix error handling in xen_blkbk_map() (XSA-365 CVE-2021-26930 bsc#1181843). - commit 0ed98dc - xen-scsiback: don't "/handle"/ error by BUG() (XSA-362 CVE-2021-26931 bsc#1181753). - commit b067c04 - xen-netback: don't "/handle"/ error by BUG() (XSA-362 CVE-2021-26931 bsc#1181753). - commit 4c9cf8b - xen-blkback: don't "/handle"/ error by BUG() (XSA-362 CVE-2021-26931 bsc#1181753). - commit 603464d - xen/arm: don't ignore return errors from set_phys_to_machine (XSA-361 CVE-2021-26932 bsc#1181747). - commit 9ff68db - Xen/gntdev: correct error checking in gntdev_map_grant_pages() (XSA-361 CVE-2021-26932 bsc#1181747). - commit 7fd73db - Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() (XSA-361 CVE-2021-26932 bsc#1181747). - commit 131ffb6 - Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() (XSA-361 CVE-2021-26932 bsc#1181747). - commit 4b44d15 - Xen/x86: don't bail early from clear_foreign_p2m_mapping() (XSA-361 CVE-2021-26932 bsc#1181747). - commit 92a5a6c - xen/netback: fix spurious event detection for common event case (bsc#1182175). - commit 1f35f61 - net/mlx4_en: Handle TX error CQE (bsc#1181854). - commit 0ba2395 - kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("/rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082)."/) - commit 606c9d1 - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058) - commit c29e77d - Btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130) - commit 98c1690 - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600). - commit 8f2c4d9 - objtool: Don't fail on missing symbol table (bsc#1192379). - commit e7ec5af - rpm/kernel-binary.spec.in: Correct Supplements in optional subpkg (jsc#SLE-11796) The product string was changed from openSUSE to Leap. - commit 3cb7943 - blacklist.conf: update blacklist - commit 2dbfda5 - net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes). - commit 9f11f7d - net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes). - commit a5c7f8a - bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes). - commit ebefb0a - net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes). - commit 46fda79 - net: bcmgenet: add support for ethtool rxnfc flows (git-fixes). - commit 26fc3e4 - net: bcmgenet: code movement (git-fixes). - commit 9299a9b - net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes). - commit 6d2577b - Revert "/net: bcmgenet: remove unused function in bcmgenet.c"/ (git-fixes). - commit 29b8135 - net: bcmgenet: Fix WoL with password after deep sleep (git-fixes). - commit 434ba32 - net: bcmgenet: set Rx mode before starting netif (git-fixes). - commit a274812 - net: bcmgenet: Use correct I/O accessors (git-fixes). - commit 4b04da3 - bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes). - commit 0dfed9e - net: sun: fix missing release regions in cas_init_one() (git-fixes). - commit 1566edd - net: moxa: Fix a potential double 'free_irq()' (git-fixes). - commit 7e78b2e - blacklist.conf: Add 08685be7761d powerpc/64s: fix scv entry fallback flush vs interrupt No scv support. - commit f4c561c - Exclude Symbols.list again. Removing the exclude builds vanilla/linux-next builds. Fixes: 55877625c800 ("/kernel-binary.spec.in: Package the obj_install_dir as explicit filelist."/) - commit a1728f2 - rpm/split-modules: Avoid errors even if Module.* are not present - commit 752fbc6 - Add the support for kernel-FLAVOR-optional subpackage (jsc#SLE-11796) This change allows to create kernel-*-optional subpackage containing the modules that are not shipped on SLE but only on Leap. Those modules are marked in the new "/-!optional"/ marker in supported.conf. Flip split_optional definition in kernel-binaries.spec.in for the branch that needs the splitting. - commit 1fa25f8 - commit 794d98a - commit 9b895a5 - commit 7164881 - net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28). - commit a96d7a8 Package keyutils was updated: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)- update to 1.6.3: * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow "/keyctl supports"/ to retrieve raw capability data. * Allow "/keyctl id"/ to turn a symbolic key ID into a numeric ID. * Allow "/keyctl new_session"/ to name the keyring. * Allow "/keyctl add/padd/etc."/ to take hex-encoded data. * Add "/keyctl watch*"/ to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. - spec-cleaner run (fixup failing homepage url) - prepare usrmerge (boo#1029961) - updated to 1.6 - Apply various specfile cleanups from Fedora. - request-key: Provide a command line option to suppress helper execution. - request-key: Find least-wildcard match rather than first match. - Remove the dependency on MIT Kerberos. - Fix some error messages - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. - Fix doc and comment typos. - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). - Add pkg-config support for finding libkeyutils. - upstream isn't offering PGP signatures for the source tarballs anymore - Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS to shortcut the ring0 bootstrap cycle by also using krb5-mini. - add upstream signing key and verify source signature - updated to 1.5.11 (bsc#1113013) - Add keyring restriction support. - Add KDF support to the Diffie-Helman function. - DNS: Add support for AFS config files and SRV records Package kmod was updated: Package krb5 was updated: - Fix KDC null pointer dereference via a FAST inner body that lacks a server field; (CVE-2021-37750); (bsc#1189929); - Added patches: * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch - Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222); (bsc#1188571); - Added patches: * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch - Use /run instead of /var/run for daemon PID files; (bsc#1185163); Package ldb was updated: - CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). - CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Add CVE-2020-27840-1.4.6.patch - Add CVE-2021-20277-1.4.6.patch Package less was updated: - Add missing runtime dependency on which, which is used by lessopen.sh. Fix bsc#1190552. Package libX11 was updated: - redone U_CVE-2021-31535.patch due to regressions (boo#1186643) * fixes segfaults for xforms applications like fdesign - U_CVE-2021-31535.patch * adds missing request length checks in libX11 (CVE-2021-31535, bsc#1182506) - U_0001-_XIOError-dpy-will-never-return-so-remore-dead.patch U_0002-remove-empty-line.patch U_0003-poll_for_response-Call-poll_for_event-again-if-xcb_p.patch U_0004-poll_for_event-Allow-using-xcb_poll_for_queued_event.patch U_0005-Prepare-for-_XIOError-possibly-returning.patch U_0006-Fix-poll_for_response-race-condition.patch * fixes a race condition in libX11 that causes various applications to crash randomly (boo#1181963) - refreshed U_0001-Fix-an-integer-overflow-in-init_om.patch Package libcap was updated: - Add explicit dependency on libcap2 with version to libcap-progs and pam_cap (bsc#1184690) - Update to libcap 2.26 for supporting the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Use "/or"/ in the license tag to avoid confusion (bsc#1180073) Package libesmtp was updated: - Add libesmtp-fix-cve-2019-19977.patch: Fix stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462 bsc#1189097). Package libgcrypt was updated: - FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480] * gcry_mpi_sub_ui: fix subtracting from negative value * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch - Security fix: [bsc#1187212, CVE-2021-33560] * Libgcrypt mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm - Add patches: * libgcrypt-CVE-2021-33560-ElGamal-exponent-blinding.patch * libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch Package libjpeg-turbo was updated: fix CVE-2020-17541 [bsc#1186764], stack-based buffer overflow in the "/transform"/ component + libjpeg-turbo-CVE-2020-17541.patch - security update - added patches Package libjpeg62-turbo was updated: fix CVE-2020-17541 [bsc#1186764], stack-based buffer overflow in the "/transform"/ component + libjpeg-turbo-CVE-2020-17541.patch - security update - added patches Package libnettle was updated: - Security fix: [CVE-2021-3580, bsc#1187060] * Remote crash in RSA decryption via manipulated ciphertext - Add patches: * libnettle-CVE-2021-3580-rsa_sec.patch * libnettle-CVE-2021-3580-rsa_decrypt.patch - Security fix: [bsc#1184401, CVE-2021-20305] * multiply function being called with out-of-range scalars * Affects ecc-ecdsa-sign(), ecc_ecdsa_verify() and _eddsa_hash(). - Add libnettle-CVE-2021-20305.patch Package libsolv was updated: - fix misparsing of '&' in attributes with libxml2- choice rules: treat orphaned packages as newest [bsc#1190465] - fix compatibility with Python 3.10 - new SOLVER_EXCLUDEFROMWEAK job type - support for environments in comps parser - bump version to 0.7.20 - Disable python2 usage on suse_version >= 1550 by default (still possible to use osc build --with=python). - fix rare segfault in resolve_jobrules() that could happen if new rules are learnt - fix a couple of memory leaks in error cases - fix error handling in solv_xfopen_fd() - bump version to 0.7.19 - fixed regex code on win32 - fixed memory leak in choice rule generation - repo_add_conda: add flag to skip v2 packages - bump version to 0.7.18 - repo_write: fix handling of nested flexarray - improve choicerule generation a bit more to cover more cases - harden testcase parser against repos being added too late - support python-3.10 - check %_dbpath macro in rpmdb code - handle default/visible/langonly attributes in comps parser - support multiple collections in updateinfo parser - add '-D' option in rpmdb2solv to set the dbpath - bump version to 0.7.17 Package libunwind was updated: - update to 1.5.0: * dwarf: clang doesn't respect the static alias * Fixed a missing dependency in dwarf-eh.h * x86_64: Fix tdep_init_done when built with libatomic_ops * mips: make _step_n64 as a static function * Added braces to suppress empty if/else warnings * Delete hardcode of address size to support MIPS64. * Fix format specifier for int64_t:29 * Add initial support for Solaris x86-64 * x86_64: Add fixup code if previous RIP was invalid * x86-64: make `is_cached_valid_mem` functional * arm: clear ip thumb/arm mode bit before move to previous instruction * Fix compilation with -fno-common. * Fix off-by-one error in x86_64 stack frames * aarch64: Fix __sigset build issue on muslC * Make SHF_COMPRESSED use contingent on its existence - remove libunwind_U_dyn_info_list.patch (upstream) - Enable s390x for building - Fix compilation with -fno-common [bsc#1171549] - Add patch libunwind_U_dyn_info_list.patch - Update to 1.4.0 - Fix compilation with -fno-common. - arm: clear ip thumb/arm mode bit before move to previous instruction (#131) - tests: fix test-coredump-unwind without HAVE_EXECINFO_H (#165) - There are 20 not 9 failing tests on Solaris (#162) - change asm to __asm__ to support -std=c11 or similar (#149) - x86-64: make `is_cached_valid_mem` functional (#146) - Allow to build without weak `backtrace` symbol. (#142) - fix compile issue on SH platform (#137) - Add support for zlib compressed elf .debug_frame sections - README: add libc requirement description (#121) - Older systems (e.g. RHEL5) do not have pipe2(). (#122) - x86_64: Add fixup code if previous RIP was invalid (#120) - Fix format specifier for int64_t:29 (#117) - Delete hardcode of address size to support MIPS64. (#114) - Added braces to suppress empty if/else warnings (#112) - mips: make _step_n64 as a static function - x86_64: Fix tdep_init_done when built with libatomic_ops - x86_64: tsan clean (#109) - Fixed a missing dependency in dwarf-eh.h - dwarf: clang doesn't respect the static alias (#102) - Update libunwind.keyring - Remove libunwind-gcc10-build-fno-common.patch fixed upstream - Fix build with GCC-10: [bsc#1160876] * In GCC-10, the default option -fcommon will change to -fno-common - Add libunwind-gcc10-build-fno-common.patch - Ensure neutrality of description. Avoid name repetition in summaries. - Update to 1.3.1 * Iteration of unwind register states support * Freebsd/Armv6 support * Many, many dwarf bugfixes * Mips remote unwind support * aarch64 ptrace support - fix_versioning_libunwind_1.2.1.patch: removed Package libvirt was updated: - CVE-2021-4147: libxl: Fix libvirtd deadlocks and segfaults 23b51d7b-libxl-disable-death-event.patch, a4e6fba0-libxl-rename-threadinfo-struct.patch, b9a5faea-libxl-handle-death-thread.patch, 5c5df531-libxl-search-domid-in-thread.patch, a7a03324-libxl-protect-logger-access.patch bsc#1191668, bsc#1192017, bsc#1193981, bsc#1194041 - CVE-2021-3975: Add missing lock in qemuProcessHandleMonitorEOF 1ac703a7-CVE-2021-3975.patch bsc#1192876 - Add upstream debug patch to the libxl driver to aid in future debugging 27e1779f-libxl-debug.patch - Include collection of active VM config files in the supportconfig plugin - libxl: Fix driver reload 65fab900-libxl-fix-driver-reload.patch, 51eb680b-libxl-dont-autostart-on-reload.patch bsc#1190420 - storage_driver: Unlock object on ACL fail in storagePoolLookupByTargetPath CVE-2021-3667 447f69de-CVE-2021-3667.patch bsc#1188843 - resolve hangs/crashes on libvirtd shutdown c5bf40bf-add-driver-shutdown-helpers.patch, 018e213f-always-init-prio-cond.patch, 255437ee-add-threadpool-funcs.patch, 1eae52b9-rpc-fix-double-unref.patch, 0f38dedd-add-virNetDaemonSetShutdownCallbacks.patch, b776dfa8-add-shutdown-facility-netserver.patch, 94e45d10-rpc-finish-threads.patch bsc#1182783 - libxl: Add support for 'e820_host' settings b7d6648d-conf-add-e820-host.patch, 5749395b-libxl-e820-host.patch, f3ef7daf-xenconfig-e820-host.patch, 34077c1b-tests-check-e820-host.patch bsc#1185081 - qemu: Normalize MAC address in device conf on netdev hotplug 6c17606b-qemu-normalize-mac-addr.patch bsc#1184772 - libxl: Fix domain shutdown 87a9d3a6-libxl-fix-domain-shutdown.patch bsc#1184152 Package libwebp was updated: - Add libwebp-CVE-2018-25011.patch: fail on multiple image chunks (bsc#1186247 CVE-2018-25011). - Add libwebp-CVE-2020-36328.patch: fix invalid check for buffer size (bsc#1185688 CVE-2020-36328). - Add libwebp-CVE-2020-36329.patch: fix for thread race heap use after free (bsc#1185652 CVE-2020-36329). - Add libwebp-CVE-2020-36330.patch: fix riff size checks (bsc#1185691 CVE-2020-36330). - Add libwebp-CVE-2018-25013.patch: wait for all threads to be done in DecodeRemaining (bsc#1185654 bsc#1186250 CVE-2018-25013 CVE-2018-25014). - Add libwebp-CVE-2020-36331.patch: fix possible overflow when validating chunk size (bsc#1185686 CVE-2020-36331). - Add libwebp-CVE-2018-25010.patch: fix alpha-filtering crash when image is larger than radius (bsc#1185685 CVE-2018-25010). - Add libwebp-CVE-2018-25009.patch: fix overflow while reading VP8X chunk (bsc#1185673 bsc#1185690 CVE-2018-25009 CVE-2018-25012). - Add libwebp-CVE-2020-36332.patch: better handling of bogus Huffman code (bsc#1185674 CVE-2020-36332). Package libxml2 was updated: - Security fix: [bsc#1186015, CVE-2021-3541] * Exponential entity expansion attack bypasses all existing protection mechanisms. - Add libxml2-CVE-2021-3541.patch - Security fix: [bsc#1185698, bsc#1185879, CVE-2021-3537] * NULL pointer dereference in valid.c:xmlValidBuildAContentModel * Add libxml2-CVE-2021-3537.patch - Security fix: [bsc#1185408, CVE-2021-3518] * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess() * Add libxml2-CVE-2021-3518.patch - Security fix: [bsc#1185410, CVE-2021-3517] * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal() * Add libxml2-CVE-2021-3517.patch - Security fix: [bsc#1185409, CVE-2021-3516] * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal() * Add libxml2-CVE-2021-3516.patch Package libzypp was updated: - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of iso: URL components (bsc#954813) - Handle armv8l as armv7hl compatible userland. - Introduce zypp-curl a sublibrary for CURL related code. - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set. - Save all signatures associated with a public key in its PublicKeyData. - version 17.29.0 (22) - Disable logger in the child after fork (bsc#1192436) - version 17.28.8 (22) - Check log writer before accessing it (fixes #355, bsc#1192337) - Save locks: Update an existing locks changed comment string. - Allow uname-r format in purge kernels keepspec (fixes openSUSE/zypper#418) - version 17.28.7 (22) - Zypper should keep cached files if transaction is aborted (bsc#1190356) Singletrans mode currently does not keep files around if the transaction is aborted. This patch fixes the problem. - Require a minimum number of mirrors for multicurl (bsc#1191609) - Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324) Especially in a VM iterating over all possible fd's to close open ones right before a exec() slows down zypper unnecessarily. This patch uses /proc/self/fd to iterate over open fd's in case rlimit is above 1024. - po: Fix some lost '%' signs in positional args (bsc#1191370) - RepoManager: Don't probe for plaindir repo if URL schema is plugin: (bsc#1191286) - version 17.28.6 (22) - Downloader does not respect checkExistsOnly flag (bsc#1190712) A missing check causes zyppng::Downloader to always download full files even if the checkExistsOnly flag is set. This patch adds the missing logic. - Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815) The kernel-*-livepatch packages are supposed to serve as a stable handle for the ephemeral kernel livepatch packages. See FATE#320268 for details. As part of the kernel live patching ecosystem, kernel-*-livepatch packages should not block the purge-kernels step. - version 17.28.5 (22) - Make sure to keep states alives while transitioning (bsc#1190199) - May set techpreview variables for testing in /etc/zypp/zypp.conf. If environment variables are unhandy one may enable the desired techpreview in zypp.conf as well: [main] techpreview.ZYPP_SINGLE_RPMTRANS=1 techpreview.ZYPP_MEDIANETWORK=1 - version 17.28.4 (22) - CMake/spec: Add option to force SINGLE_RPMTRANS as default for zypper (fixes #340) - Make sure singleTrans is zypper-only for now. - Do not double check signatures and keys (bsc#1190059) - version 17.28.3 (22) - Workaround Bug 1189788: Don't allow ZYPP_SINGLE_RPMTRANS=1 on a not UsrMerged Tumbleweed system. - version 17.28.2 (22) - Fix crashes in logging code when shutting down (bsc#1189031) - version 17.28.1 (22) - Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760) This covers the case where not the packages itself would change its vendor, but replaces a package from a different vendor. - Fix solver jobs for PTFs (bsc#1186503) - spec: switch to pkgconfig(openssl) - Show key fpr from signature when signature check fails (bsc#1187224) Rpm by default only shows the short key ID when checking the signature of a package fails. This patch reads the signatures from the RPM headers and replaces she short IDs with the key fingerprints fetched from the signatures. - Implement alternative single transaction commit strategy. This patch adds a experimental commit strategy that runs all operations in a single rpm transaction, speeding up the execution a lot. - Use ZYPP_MEDIANETWORK=1 to enable the experimental new media backend. - Implement zchunk download, refactor Downloader backend. - Fix purge-kernels fails with kernels from Kernel:HEAD (bsc#1187738) There recently was a change in the kernel package naming scheme in regards to rc kernels. Since kernel upstream uses characters in the version that are not allowed in rpm versions a "/-rc"/ was previously replaced with "/.rc"/ which broke sorting by version, to fix this issue it was replaced with "/~rc"/, which unfortunately broke the purge-kernels logic. This patch makes sure purge-kernel does apply the same conversion. - version 17.28.0 (22) - Enhance XML output of repo GPG options (fixes openSUSE/zypper#390) In addition to the effective values, add optional attributes showing the raw values actually present in the .repo file. (raw_gpgcheck, raw_repo_gpgcheck, raw_pkg_gpgcheck) - Link all executables with -pie (bsc#1186447) - Ship an empty /etc/zypp/needreboot per default (fixes #311, jsc#PM-2645) If packages want to trigger the reboot-needed hiint upon installation they may provide 'installhint(reboot-needed)'. Builtin packages triggering the hint without the provides are only kernel and kernel-firmware related. - Add Solvable::isBlacklisted as superset of retracted and ptf packages (bsc#1186503) - Fix segv if ZYPP_FULLOG is set (fixes #317) - version 17.27.0 (22) - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name "/.*-kmp(-.*)?"/ but this does not work which those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. - version 17.26.0 (22) - Properly handle permission denied when providing optional files (bsc#1185239) - Fix service detection with cgroupv2 (bsc#1184997) - version 17.25.10 (22) - Add missing includes for GCC 11 (bsc#1181874) - Fix unsafe usage of static in media verifier. - Solver: Avoid segfault if no system is loaded (bsc#1183628) - MediaVerifier: Relax media set verification in case of a single not-volatile medium (bsc#1180851) - Do no cleanup in custom cache dirs (bsc#1182936) - ZConfig: let pubkeyCachePath follow repoCachePath. - version 17.25.9 (22) - Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there. - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - version 17.25.8 (22) - Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommendedi = bugfix) and (optional = feature = enhancement). - Add missing includes for GCC 11 compatibility. (bsc#1181874) - Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'. - Commit: Fix rpmdb compat symlink in case rpm got removed. - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use. - BuildRequires: libsolv-devel >= 0.7.17. - version 17.25.7 (22) - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with with unknown filesize (fixes #277) - version 17.25.6 (22) - Fix lsof monitoring (bsc#1179909) - version 17.25.5 (22) - Prevent librpmDb iterator from accidentally creating an empty rpmdb in / (repoened bsc#1178910) - Fix update of gpg keys with elongated expire date (bsc#1179222) - needreboot: remove udev from the list (bsc#1179083) - Prefer /run over /var/run. - version 17.25.4 (22) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Url: Hide known password entries when writing the query part (bsc#1050625 bsc#1177583, CVE-2017-9271) - adapt testcase to change introduced by libsolv#402. - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427, Fixes openSUSE/zypper#357). - version 17.25.3 (22) - Bump version to force rebuild against a fixed libsolv. (bsc#1177238, bsc#1177275) - version 17.25.2 (22) Package lua53 was updated: - Sync with Factory (5.3.6), includes fixes for - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. - bsc#1123043 CVE-2019-6706 Fix free-after-use bug in lua_upvaluejoin function of lapi.c - Remove upstreamed patches: - CVE-2019-6706-use-after-free-lua_upvaluejoin.patch - Update to version 5.3.6: * Fixes bugs found in Lua 5.3.5 and Lua 5.4.0 * Lua 5.3 is now EOL - Removed upstream-bugs.patch: new release (no bugs found yet) - Removed upstream-bugs-backport-lua54.patch: new release (no bugs found yet) - Added upstream-bugs.patch: upstream bug patches * Patches 2,3,4 - Added upstream-bugs-backport-lua54.patch: bugs discovered in lua54 * Patch 10: CVE-2020-24371, boo#1175449 * Patch 11: CVE-2020-24370, boo#1175448 * Patch 13 - Add RISC-V to list of 64-bit architectures - Use FAT LTO objects in order to provide proper static library. - Update to 5.3.5: (it is really problematic to find ANY documentation of changes between minor versions; the best we have is https://www.lua.org/bugs.html) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. - Small build tweaks. Package lz4 was updated: - security update- added patches fix CVE-2021-3520 [bsc#1185438], memory corruption due to an integer overflow bug caused by memmove argument + lz4-CVE-2021-3520.patch Package mailx was updated: - Add patch mailx-12.5-systemd.patch to add description how to avoid bugs like bsc#1192916 -- mailx does not send mails unless run via strace or in verbose mode - fix-sendmail-name.patch: fix name argument when calling /usr/sbin/sendmail [bsc#1180355]. - Updates to mailx-12.5-openssl-1.1.0f.patch * If the openssl RNG is already seeded (on linux it always is) skip snake-oil reeseeding from file. Update man page accordingly. * Update man page with information that ssl2 and ssl3 are not only deprecated but currently unavailable and that tls1 forces TLS 1.0 but not later versions. * RAND_EGD is also unavailable, not just unused. * set SSL_OP_NO_TICKET, many servers accept session tickets, but almost never rotate them properly, TLS 1.3 session tickets are not affected by this flag. * When using client certificates, check if the cert and key match each other. - Remove redundant %clean section. - Replace old $RPM_* shell vars by macros. Package man-pages was updated: - install kernel_lockdown.7 man page [bsc#1185534]- added sources + kernel_lockdown.7 Package mozilla-nspr was updated: - update to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries - update to version 4.31: * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 - update to version 4.30 * support longer thread names on macOS * fix a build failure on OpenBSD - update to version 4.29 * Remove macOS Code Fragment Manager support code * Remove XP_MACOSX and OS_TARGET=MacOSX * Refresh config.guess and config.sub * Remove NSPR's patch to config.sub * Add support for e2k target (64-bit Elbrus 2000) - update to version 4.28 * Fix a compiler warning * Add rule for cross-compiling with cygwin - update to version 4.27 * the macOS platform code for shared library loading was * An include statement for a Windows system library header was added - update to version 4.26 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. * Better support parallel building on Windows. * The internal release automatic script requires python 3. Package mozilla-nss was updated: - Mozilla NSS 3.68.2 (bsc#1193845) * mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses (bmo#966856) - Mozilla NSS 3.68.1 MFSA 2021-51 (bsc#1193170) * CVE-2021-43527 (bmo#1737470) Memory corruption via DER-encoded DSA and RSA-PSS signatures - Remove now obsolete patch nss-bsc1193170.patch - Add patch to fix CVE-2021-43527 (bsc#1193170): nss-bsc1193170.patch - Removed nss-fips-kdf-self-tests.patch. This was made obsolete by upstream changes. (bmo#1660304) - Rebase nss-fips-stricter-dh.patch needed due to upstream changes. - Update nss-fips-constructor-self-tests.patch to fix crashes reported by upstream. This was likely affecting WebRTC calls. - update to NSS 3.68 * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. - update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. - update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. * Use GNU tar for the release helper script. - update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. - refreshed patches - Firefox 90.0 requires NSS 3.66 - update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports("/vsx"/) with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. - update to NSS 3.63.1 * no upstream release notes for 3.63.1 (yet) Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the âStaat der Nederlanden Root CA - G3â root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008â. * bmo#1694291 - Tracing fixes for ECH. - required for Firefox 88 - update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "/cachedCertTable"/ * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 - required for Firefox 87 - Add nss-btrfs-sqlite.patch to address bmo#1690232 - update to NSS 3.61 * required for Firefox 86 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. - update to NSS 3.60.1 Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. - removed obsolete ppc-old-abi-v3.patch - update to NSS 3.59.1 * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules - update to NSS 3.59 Notable changes * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. - update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. - install libraries in %{_libdir} (boo#1029961) - Fix build with RPM 4.16: error: bare words are no longer supported, please use "/..."/: lib64 == lib64. - update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes - requires NSPR 4.29 - removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256) - introduced _constraints due to high memory requirements especially for LTO on Tumbleweed - Add patch to fix build on aarch64 - boo#1176934: * nss-freebl-fix-aarch64.patch - Update nss-fips-approved-crypto-non-ec.patch to match RC2 code being moved to deprecated/. - Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made obsolete by upstream changes. - update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting "/all"/ as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 - do not hard require mozilla-nss-certs-32bit via baselibs (boo#1176206) - update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. - update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add "/certSIGN Root CA G2"/ root certificate. * bmo#1645174 - Add Microsec's "/e-Szigno Root CA 2017"/ root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for "/O=Government Root Certification Authority; C=TW"/ root. * bmo#1645199 - Remove AddTrust root certificates. * bmo#1641718 - Remove "/LuxTrust Global Root 2"/ root certificate. * bmo#1639987 - Remove "/Staat der Nederlanden Root CA - G2"/ root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. Package mpfr was updated: - Add cummulative patch mpfr-4.0.2-p6.patch fixing various bugs.- Add floating-point-format-no-lto.patch in order to fix assembler scanning (boo#1141190). - Update to mpfr 4.0.2 * Cummulative bugfix release, includes mpfr-4.0.1-cummulative-patch.patch. - Fix %install_info_delete usage: * It has to be performed in %preun not in %postun. * See https://en.opensuse.org/openSUSE:Packaging_Conventions_RPM_Macros#.25install_info_delete. - Add mpfr-4.0.1-cummulative-patch.patch. Fixes * A subtraction of two numbers of the same sign or addition of two numbers of different signs can be rounded incorrectly (and the ternary value can be incorrect) when one of the two inputs is reused as the output (destination) and all these MPFR numbers have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines). * The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or underflow. * The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits of precision. * The behavior and documentation of the mpfr_get_str function are inconsistent concerning the minimum precision (this is related to the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits in the output string can now be 1, as already implied by the documentation (but the code was increasing it to 2). * The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null denominator. * The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is useless, not documented (thus incorrect in case a null pointer would have a special meaning), and not consistent with other input/output functions. Package ncurses was updated: - Add patch bsc1190793-63ca9e06.patch to fix bsc#1190793 for CVE-2021-39537: ncurses: heap-based buffer overflow in _nc_captoinfo in captoinfo.c Package net-snmp was updated: - Fix LFH violation during v3 user creation (bsc#1181591). Add net-snmp-5.7.3-fix-create-v3-user-outfile.patch - Fix hrStorage autofs objects timeout problems (bsc#1179699, bsc#1145864). Add net-snmp-5.7.3-host-mib-skip-autofs-entries.patch Add net-snmp-5.7.3-fix-missing-mib-hrStorage-indexes.patch - Fix NSS mounted volumes in hrStorageDescr (bsc#1100146). Add net-snmp-5.7.3-recognize-nss-pools-and-nss-volumes-oes.patch - Fix subagent crash at save_set_var() (bsc#1178021). Add net-snmp-5.7.3-subagent-set-response.patch - Fix subagent data corruption (bsc#1178351, bsc#1179009). Add net-snmp-5.7.3-fix-subagent-data-corruption.patch - Fix output for high memTotalReal RAM values (bsc#1152968). Add net-snmp-5.7.3-ucd-snmp-mib-add-64-bit-mem-obj.patch - Make extended MIB read-only (bsc#1174961, CVE-2020-15862). Add net-snmp-5.7.3-make-extended-mib-read-only.patch - Add Lustre filesystem support (bsc#1140341, jsc#SLE-6120). Add net-snmp-5.7.3-add-lustre-fs-support.patch - Add info about the original agent which triggered the trap. When the trap is forwarded there was no info about the original agent (bsc#1116807). Add net-snmp-5.7.3-snmptrapd-add-forwarder-info.patch - Fix missing sysconfig files creation (bsc#1108471). - Fix remote DoS in agent/helpers/table.c (bsc#1111122, CVE-2018-18065) Add net-snmp-5.7.3-helpers-table-skip-if-next-handler-called.patch - swintst_rpm: Protect against unspecified Group name (bsc#1102775) Add net-snmp-5.7.3-swintst_rpm-Protect-against-unspecified-Group-name.patch - Add tsm and tlstm MIBs and the USM security module. (bsc#1081164) - Fix agentx freezing on timeout (bsc#1027353) Add net-snmp-fix-agentx-freezing-on-timeout.patch Package netcfg was updated: - add submissions port number [bsc#1189683]- modified patches % services-suse.diff Package nfs-utils was updated: - Add 0019-gssd-use-mutex-to-protect-decrement-of-refcount.patch A field was modified by multiple threads without locking. This can lead to use-after-free. (bsc#1183194) - Add 0018-Replace-all-var-run-with-run.patch /var/run is long deprecated - switch all relevant paths to /run (bsc#1185170) - 0012-mountd-reject-unknown-client-IP-when-use_ipaddr.patch 0013-mountd-Don-t-proactively-add-export-info-when-fh-inf.patch 0014-mountd-add-logging-for-authentication-results-for-ac.patch 0015-mountd-add-cache-use-ipaddr-option-to-force-use_ipad.patch 0116-mountd-make-default-ttl-settable-by-option.patch Improve logging of authentication (bsc#1181540) - Add 0011-manpage-Add-a-description-of-the-nconnect-mount-opti.patch (bsc#1181651) - Add 0010-gssd-Fix-locking-for-machine-principal-list.patch (bsc#1183194) Package nghttp2 was updated: - security update- added patches fix CVE-2020-11080 [bsc#1181358], HTTP/2 Large Settings Frame DoS + nghttp2-CVE-2020-11080.patch Package numactl was updated: - include bugfixes in SLE, to enable 32 bit systems (SLE-17217)- Enable LTO (boo#1133098) as it works now. - update to 2.0.14: * manpage update * numademo: fix issue on 32 bit systems * drop custom cflags for libnuma * use symvers attribute for symbol versioning - Update to version 2.0.13: * Release numactl 2.0.13 * Skip `test/move_pages` if we don't have at least two nodes available * Add license files: GPLv2 + LGPLv2.1 * Handle cpu-less node for bind_range test * Convert numastat.c to standard numactl coding style * Disable clang travis targets for now * numastat.8: clarify that information relates to resident pages * Fix all declarations to be C prototypes * numatopology: Add check for cpu-less nodes * Update INSTALL.md * numastat: when reading no-exist pid, return EXIT_FAILURE * numastat: Add KReclaimable to list of known fields in meminfo * numastat: Better diagnostic when find unknown string in meminfo * Enable building on s390x * Correct sysconf constants * Removed unnecessary exit from memhog.c Solves issue #50 * Synchronized usage function with man page * Added memhog.8 to Makefile.am * memhog: add man page * Allow linking with lld by deduplicating symbols * numademo: free the node_to_use on the way out * numademo: free test nodemask * libnuma: cleanup node cpu mask in destructor * numactl: add va_end to usage function * travis: add build matrix * remove kernel version check * add missing linux version header * make MPOL_ macros match linux kernel * add missing policy * Fix: Add ShmemHugePages and ShmemPmdMapped to system_meminfo[] * Fix: move_pages test for non-contiguous nodes * Correct calculation of nr_nodes and re-enable move_pages test * Fix: regress test numastat function and few test fixes * Fix: distance test to include all existing nodes * numademo: fix wrong node input * Fix: node_list with memory-less nodes - Drop autoconf/libtool BuildRequires and autoreconf invocation, bundled configure is up-to-date. - Drop obsolete revert_date_in_numastat.patch, gcc sets __DATE__ based on SOURCE_DATE_EPOCH now. - Correct License for devel subpackage, same as for the library (LGPL-2.1-or-later). - numastat doesn't need perl anymore since 2012 - For obs regression checker, this version includes following SLE fixes: - enable build for aarch64 (fate#319973) (bsc#976199) factory has an extra patch to disable ARM 32 bit archs which looks a bit misleading as %arm macro only covers 32 bit ARM. - Bug 955334 - numactl/libnuma: add patch for Dynamic Reconfiguration bsc#955334 - Disable LTO (boo#1133098). - Update to version 2.0.12: * Release numactl 2.0.12 * Cleanup whitespace from *.c and *.h files * Add Travis build status to numactl README * Convert README and INSTALL to Markdown * Remove `threadtest.c` * Remove `mkolddemo` script * Remove file TODO, which has outdated contents * Remove file DESIGN, which has no contents * Remove changelogs from the repository * Revert "/make clearcache work on x86/PIC"/ * Add "/NAME"/ section to numastat manpage * Allow building on ARM systems * Add pkg-config file for NUMA library * readdir_r(3) is deprecated, use readdir(3) instead * Avoid filename truncation in numastat * fix coding style in last change * Fix: numademo test between sparse nodes * Fix: allocation of dynamic array * Fix: numactl distance between sparse nodes * include sys/sysmacros.h for major/minor * make clearcache work on x86/PIC * Fix regress test for invalid hard code of nodenames * Fix end of line check in distance parsing * Optimize numa_distance check * affinity: Include sys/sysmacros.h to fix warning * numademo: Increase buffer to avoid theoretical buffer overflow * Check for invalid nodes in numa_distance - sysmacros.patch: Include <sys/sysmacros.h> for major/minor (bsc#1181571) (bsc#1183796) Package ocfs2-tools was updated: - Rollback when dir_index creation fails (bsc#1192103) + libocfs2-roll-back-when-dir_index-creation-fails.patch - Fix mounted.ocfs2 output when some devices are not ready (bsc#1191810) + fixed-mounted.ocfs2-output-when-some-devices-are-Not.patch + update-mounted.ocfs2-mounted.c.patch Package open-iscsi was updated: - Cherry-picked 3 Factory/upstream commits, for bsc#1179908 (which addresses CVE-2020-17437, CVE-2020-17438, CVE-2020-13987, and CVE-2020-13988): * check for TCP urgent pointer past end of frame * check for u8 overflow when processing TCP options * check for header length underflow during checksum calculation - Enabled no-wait ("/-W"/) iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421) - Added two upstream commits: * 40a39d7b93a1 Implement login "/no_wait"/ for iscsiadm NODE mode * e27ac1318510 Add ability to attempt target logins asynchronously for bsc#1173886. This adds the ability to perform async logins. Package openldap2 was updated: - bsc#1187210 - Resolve bug in the idle / connection TTL timeout implementation in OpenLDAP. * 0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch * 0232-ITS-9468-back-ldap-Return-disconect-if-rebind-cannot.patch * 0233-ITS-9468-removed-accidental-unicode-characters.patch * 0234-ITS-9468-documented-that-re-connecting-does-not-happ.patch * 0235-ITS-9468-summarize-discussion-about-rebind-as-user.patch * 0236-ITS-9468-fixed-typos.patch * 0237-ITS-9468-always-init-lc_time-and-lc_create_time.patch * 0238-ITS-9468-do-not-arm-expire-timer-for-connections-tha.patch - bsc#1182791 - improve proxy connection timout options to correctly prune connections. * 0225-ITS-8625-Separate-Avlnode-and-TAvlnode-types.patch * 0226-ITS-9197-back-ldap-added-task-that-prunes-expired-co.patch * 0227-ITS-9197-Increase-timeouts-in-test-case-due-to-spora.patch * 0228-ITS-9197-fix-typo-in-prev-commit.patch * 0229-ITS-9197-Fix-test-script.patch * 0230-ITS-9197-fix-info-msg-for-slapd-check.patch - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. * 0220-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. * 0222-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. * 0223-ITS-9427-fix-issuerAndThisUpdateCheck.patch - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. * 0224-ITS-9428-fix-cancel-exop.patch - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. * 0218-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. * 0217-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch * 0216-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. * 0219-ITS-9413-fix-slap_parse_user.patch - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. * 0213-ITS-9406-9407-remove-saslauthz-asserts.patch * 0214-ITS-9406-fix-debug-msg.patch - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). * 0212-ITS-9404-fix-serialNumberAndIssuerCheck.patch * 0221-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). * 0215-ITS-9408-fix-vrfilter-double-free.patch - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. * patch: 0211-ITS-9454-fix-issuerAndThisUpdateCheck.patch Package openslp was updated: - Implement automatic active discovery retries so that DAs do not get dropped if they are not reachable for some time [bnc#1166637] [bnc#1184008] new patch: openslp.unicastactivediscovery.diff Package openssh was updated: - Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch (bsc#1190975, CVE-2021-41617), backported from upstream by Ali Abdallah. Package openssl-1_1 was updated: - Other OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "/data"/ field, then a read buffer overrun can occur. * CVE-2021-3712 continued * bsc#1189521 * Add CVE-2021-3712-other-ASN1_STRING-issues.patch * Sourced from openssl-CVE-2021-3712.tar.bz2 posted on bsc-1189521 2021-08-24 00:47 PDT by Marcus Meissner - The function X509_aux_print() has a bug which may cause a read buffer overrun when printing certificate details. A malicious actor could construct a certificate to deliberately hit this bug, which may result in a crash of the application (causing a Denial of Service attack). * CVE-2021-3712 * bsc#1189521 * Add CVE-2021-3712-Fix-read-buffer-overrun-in-X509_aux_print.patch - Add safe primes to DH parameter generation * RFC7919 and RFC3526 * bsc#1180995 * Added openssl-add_rfc3526_rfc7919.patch * Genpkey: "/-pkeyopt dh_param:"/ can now choose modp_* (rfc3526) and ffdhe* (rfc7919) groups. Example: $ openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 - Security fixes: * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback protection [bsc#1182333, CVE-2021-23840] * Null pointer deref in X509_issuer_and_serial_hash() [bsc#1182331, CVE-2021-23841] - Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch Package p11-kit was updated: - 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch 0001-Check-for-arithmetic-overflows-before-allocating.patch 0001-Follow-up-to-arithmetic-overflow-fix.patch: Fixed multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361) - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993, 0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch) - add bcond to spec file to enable debug easily Package pacemaker was updated: - controller: ensure newly joining node learns the node names of non-DCs (bsc#1180618) * bsc#1180618-0002-Fix-controller-ensure-newly-joining-node-learns-the-.patch - scheduler: add test for probe of unmanaged resource on pending node (bsc#1188653) * bsc#1188653-0003-Test-scheduler-add-test-for-probe-of-unmanaged-resou.patch - scheduler: update existing tests for probe scheduling change (bsc#1188653) * bsc#1188653-0002-Test-scheduler-update-existing-tests-for-probe-sched.patch - scheduler: don't schedule probes of unmanaged resources on pending nodes (bsc#1188653) * bsc#1188653-0001-Fix-scheduler-don-t-schedule-probes-of-unmanaged-res.patch - libcrmcommon: Correctly handle case-sensitive ids of xml objects when changing a value. (bsc#1187414) * bsc#1187414-0001-Fix-libcrmcommon-Correctly-handle-case-sensitive-ids.patch - controld: purge attrd attributes when the remote node is up to ensure sync with CIB (bsc#1186693) * bsc#1186693-clean-attrd-attributes-when-remote-node-is-up.patch - controller: re-joined node gets the host names of non-DC nodes (bsc#1180618) * bsc#1180618-0001-Fix-crmd-update-crm_peer_cache.patch - iso8601: prevent sec overrun before adding up as long long * 0001-Fix-iso8601-prevent-sec-overrun-before-adding-up-as-.patch - fencer: optimize merging of fencing history by removing unneeded entries on creation of history diff (bsc#1181744) * bsc#1181744-0004-Refactor-fencer-optimize-merging-of-fencing-history-.patch - fencing: new function stonith_op_state_pending() for checking if a fencing operation is in pending state (bsc#1181744) * bsc#1181744-0003-Refactor-fencing-new-function-stonith_op_state_pendi.patch - fencer: update outdated pending operations according to returned ones from remote peer history (bsc#1181744) * bsc#1181744-0002-Fix-fencer-update-outdated-pending-operations-accord.patch - fencer: broadcast returned fencing operations to update outdated pending ones in remote peer history (bsc#1181744) * bsc#1181744-0001-Fix-fencer-broadcast-returned-fencing-operations-to-.patch - execd: Skips merging of canceled fencing monitors.(Fix:#CLBZ5393) * 0001-Mid-execd-Skips-merging-of-canceled-fencing-monitors.patch - fencing: remove any devices that are not installed * 0001-Fix-fencing-remove-any-devices-that-are-not-installe.patch - liblrmd: Limit node name addition to proxied attrd update commands (rh#1907726) * rh#1907726-0001-Fix-liblrmd-Limit-node-name-addition-to-proxied-attr.patch - attrd: prevent leftover attributes of shutdown node in cib (bsc#1173668) * bsc#1173668-0001-Fix-attrd-prevent-leftover-attributes-of-shutdown-no.patch - crmadmin: printing DC quietly if needed (bsc#1178865) * bsc#1178865-0001-Fix-crmadmin-printing-DC-quietly-if-needed.patch - controller, Pacemaker Explained: improve the documentation of `stonith-watchdog-timeout` cluster option (bsc#1174696, bsc#1184557) * bsc#1174696-0004-Doc-controller-Pacemaker-Explained-improve-the-docum.patch - scheduler: improve the documentation of `have-watchdog` cluster option (bsc#1174696, bsc#1184557) * bsc#1174696-0003-Doc-scheduler-improve-the-documentation-of-have-watc.patch - libpe_status: downgrade the message about the meaning of `have-watchdog=true` to info (bsc#1174696, bsc#1184557) * bsc#1174696-0002-Log-libpe_status-downgrade-the-message-about-the-mea.patch - scheduler: clarify message about when watchdog will be used (bsc#1174696, bsc#1184557) * bsc#1174696-0001-Log-scheduler-clarify-message-about-when-watchdog-wi.patch - scheduler: update migrate-fail-9 test for migration code change (bsc#1177212, bsc#1182607) * bsc#1177212-0010-Test-scheduler-update-migrate-fail-9-test-for-migrat.patch - scheduler: don't schedule a dangling migration stop if one already occurred (bsc#1177212, bsc#1182607) * bsc#1177212-0009-Fix-scheduler-don-t-schedule-a-dangling-migration-st.patch - fenced: Remove relayed stonith operation.(Fix:CLBZ#5401) (bsc#1181744) * bsc#1181744-0001-Low-fenced-Remove-relayed-stonith-operation.-Fix-CLB.patch - scheduler: properly detect dangling migrations (bsc#1177212) * bsc#1177212-0008-Test-scheduler-test-failed-migration-followed-by-suc.patch * bsc#1177212-0007-Fix-scheduler-properly-detect-dangling-migrations.patch * bsc#1177212-0006-Refactor-scheduler-functionize-getting-call-ID-from-.patch - scheduler: only successful ops count for migration comparisons (bsc#1177212) * bsc#1177212-0005-Low-scheduler-only-successful-ops-count-for-migratio.patch * bsc#1177212-0004-Test-scheduler-fix-invalid-test-XML.patch - libpe_status: add sanity check when unpacking migration history (bsc#1177212) * bsc#1177212-0003-Low-libpe_status-add-sanity-check-when-unpacking-mig.patch * bsc#1177212-0002-Refactor-libpe_status-reorganize-unpacking-migration.patch - libpe_status: check for stops correctly when unpacking migration (bsc#1177212) * bsc#1177212-0001-Low-libpe_status-check-for-stops-correctly-when-unpa.patch - fencer: don't require API registration for list and status commands (bsc#1148236) * bsc#1148236-0002-Low-fencer-don-t-require-API-registration-for-list-a.patch - fencer: improve error checking and log messages for API action requests (bsc#1148236) * bsc#1148236-0001-Low-fencer-improve-error-checking-and-log-messages-f.patch - st_client: cleanup token whenever setting api to disconnected (bsc#1181744) * bsc#1181744-0008-Fix-st_client-cleanup-token-whenever-setting-api-to-.patch - controld-fencing: add notice-log for successful fencer-connect (bsc#1181744) * bsc#1181744-0007-Fix-controld-fencing-add-notice-log-for-successful-f.patch * bsc#1181744-0006-Test-CTS-new-pattern-to-identify-fenced-reconnected.patch - st_client: make safe to remove notifications from notifications (bsc#1181744) * bsc#1181744-0005-Fix-st_client-make-safe-to-remove-notifications-from.patch - fence-history: resync fence-history after fenced crash (bsc#1181744) * bsc#1181744-0004-Fix-fence-history-resync-fence-history-after-fenced-.patch - fence-history: add notification upon history-synced (bsc#1181744) * bsc#1181744-0003-Feature-fence-history-add-notification-upon-history-.patch - controld-fencing: remove-notifications upon connection-destroy (bsc#1181744) * bsc#1181744-0002-Fix-controld-fencing-remove-notifications-upon-conne.patch - fence-history: fail leftover pending-actions after fenced-restart (bsc#1181744) * bsc#1181744-0001-Fix-fence-history-fail-leftover-pending-actions-afte.patch - libpe_status: handle pending migrations correctly (bsc#1177212) Package pam was updated: - Corrected a bad directive file which resulted in the "/securetty"/ file to be installed as "/macros.pam"/. [pam.spec] - Added tmpfiles for pam to set up directory for pam_faillock. [pam.conf] - Corrected macros.pam entry for %_pam_moduledir Cleanup in pam.spec: * Replaced all references to ${_lib}/security in pam.spec by %{_pam_moduledir} * Removed definition of (unused) "/amdir"/. - Added new file macros.pam on request of systemd. [bsc#1190052, macros.pam] - Added pam_faillock to the set of modules. [jsc#sle-20638, pam-sle20638-add-pam_faillock.patch] - In the 32-bit compatibility package for 64-bit architectures, require "/systemd-32bit"/ to be also installed as it contains pam_systemd.so for 32 bit applications. [bsc#1185562, baselibs.conf] - If "/LOCAL"/ is configured in access.conf, and a login attempt from a remote host is made, pam_access tries to resolve "/LOCAL"/ as a hostname and logs a failure. Checking explicitly for "/LOCAL"/ and rejecting access in this case resolves this issue. [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch] - pam_limits: "/unlimited"/ is not a legitimate value for "/nofile"/ (see setrlimit(2)). So, when "/nofile"/ is set to one of the "/unlimited"/ values, it is set to the contents of "//proc/sys/fs/nr_open"/ instead. Also changed the manpage of pam_limits to express this. [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch] - Add a definition for pamdir to pam.spec So that a proper contents of macros.pam can be constructed. [pam.spec] Package patterns-server-enterprise was updated: - Move the FIPS pattern to patterns-base-fips (bsc#1183154)- Run pre_checkin.sh, was overdue Package pcre was updated: - pcre 8.45 (the final release) * Fixed a small (*MARK) bug in the interpreter (Bugzilla #2771). - pcre 8.44 * Small patch to pcreposix.c to set the erroroffset field to -1 immediately after a successful compile, instead of at the start of matching to avoid a sanitizer complaint (regexec is supposed to be thread safe). * Check the size of the number after (?C as it is read, in order to avoid integer overflow. (bsc#1172974, CVE-2020-14155) * Tidy up left shifts to avoid sanitize warnings; also fix one NULL deference in pcretest. - pcre 8.43 * In a pattern such as /[^x{100}-x{ffff}]*[x80-xff]/ which has a repeated negative class with no characters less than 0x100 followed by a positive class with only characters less than 0x100, the first class was incorrectly being auto-possessified, causing incorrect match failures. * If the only branch in a conditional subpattern was anchored, the whole subpattern was treated as anchored, when it should not have been, since the assumed empty second branch cannot be anchored. Demonstrated by test patterns such as /(?(1)^())b/ or /(?(?=^))b/. * Fix subject buffer overread in JIT when UTF is disabled and X or R has a greater than 1 fixed quantifier. This issue was found by Yunho Kim. (bsc#1172973 CVE-2019-20838) * If a pattern started with a subroutine call that had a quantifier with a minimum of zero, an incorrect "/match must start with this character"/ could be recorded. Example: /(?&xxx)*ABC(?<xxx>XYZ)/ would (incorrectly) expect 'A' to be the first character of a match. - pcre 8.42 * If a backreference with a minimum repeat count of zero was first in a pattern, apart from assertions, an incorrect first matching character could be recorded. For example, for the pattern /(?=(a))1?b/, "/b"/ was incorrectly set as the first character of a match. * Fix out-of-bounds read for partial matching of /./ against an empty string when the newline type is CRLF. * When matching using the the REG_STARTEND feature of the POSIX API with a non-zero starting offset, unset capturing groups with lower numbers than a group that did capture something were not being correctly returned as "/unset"/ (that is, with offset values of -1). * Matching the pattern /(*UTF)C[^v]+x80/ against an 8-bit string containing multi-code-unit characters caused bad behaviour and possibly a crash. This issue was fixed for other kinds of repeat in release 8.37 by change 38, but repeating character classes were overlooked. - Do not run profiling 'check' in parallel to make package build reproducible (boo#1040589) Package pcre2 was updated: - Added 0001-Fixed-atomic-group-backtracking-bug.patch * bsc#1187937 * PHP 7.6.4 on s390x returns different results for preg_match function as compared to older PHP versions and x86 * Sourced from upstream subversion commit: $ svn log -r965 svn://vcs.pcre.org/pcre2/code/trunk Package pixman was updated: Package polkit was updated: - CVE-2021-4034: fixed a local privilege escalation in pkexec (bsc#1194568) added CVE-2021-4034-pkexec-fix.patch - CVE-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497) CVE-2021-3560.patch Package procps was updated: - Add upstream patch procps-vmstat-1b9ea611.patch for bsc#1185417 * Support up to 2048 CPU as well - Add upstream patch procps-3.3.17-bsc1181976.patch based on commit 3dd1661a to fix bsc#1181976 that is change descripton of psr, which is for 39th field of /proc/[pid]/stat Package psmisc was updated: - Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch * Fix bsc#1185208 to make private mount namespaces work as well as to distinguish NFS mounts from same remote device share. - Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch * Fix bsc#1178407: fuser does not show open kvm storage image files such as qcow2 files. Patch from Ali Abdallah <ali.abdallah@suse.com> Package python-PyYAML was updated: - Add pyyaml.CVE-2020-14343.patch (bsc#1174514 CVE-2020-14343) Prevents arbitrary code execution during python/object/* constructors This patch contains the upstream git commit a001f27 from the 5.4 release. - Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352) - update to 5.3.1 * fixes boo#1165439 (cve-2020-1747) Prevents arbitrary code execution during python/object/new constructor - update to 5.3 * Use `is` instead of equality for comparing with `None` * fix typos and stylistic nit * Fix up small typo * Fix handling of __slots__ * Allow calling add_multi_constructor with None * Add use of safe_load() function in README * Fix reader for Unicode code points over 0xFFFF * Enable certain unicode tests when maxunicode not > 0xffff * Use full_load in yaml-highlight example * Document that PyYAML is implemented with Cython * Fix for Python 3.10 * increase size of index, line, and column fields * remove some unused imports * Create timezone-aware datetimes when parsed as such * Add tests for timezone - update to 5.2 * A more flexible fix for custom tag constructors * Change default loader for yaml.add_constructor * Change default loader for add_implicit_resolver, add_path_resolver * Move constructor for object/apply to UnsafeConstructor * Fix logic for quoting special characters Package python-dbus-python was updated: - Update to latest version from tumbleweed jira#OPENSUSE-22 boo#1183818 - Enable testsuite - update to 1.2.16: * All tests are run even if the tap.py module is not available, although diagnostics for failing tests will be better if it is present. * Forbid unexpanded AX-prefixed macros more selectively - Support builds with more than one python3 flavor gh#openSUSE/python-rpm-macros#66 - Remove shebang from examples (rpmlint warning, is in common doc) - Clean duplicate python flavor variables for configure - Update the provides/obsoletes tags for old-style dbus-1-$python - Version update to version 1.2.14: * Ensure that the numeric types from dbus.types get the same str() under Python 3.8 that they did under previous versions. * Disable -Winline. * Add Python 3.8 to CI. - Changes in version 1.2.12: * Don't save and restore the exception indicator when called from C code. - Changes in version 1.2.10: * Rewrite CONTRIBUTING.md document, based on Wayland's equivalent * Add clearer license information using SPDX-License-Identifier. * Improve test coverage. * Don't set deprecated tp_print to NULL under Python 3. * Include inherited methods and properties when documenting objects, which regressed when migrating from epydoc to sphinx. * Add missing variant_level member to UnixFd type, for parity with the other dbus.types types (dbus-python!3. - Note that this is a potentially incompatible change: unknown keyword arguments were previously ignored (!) and are now an error. * Don't reply to method calls if they have the NO_REPLY_EXPECTED flag (fd.o#32529, dbus-python#26. * Silence -Wcast-function-type with gcc 8. * Fix distcheck with python3.7 by deleting __pycache__ during uninstall. * Consistently save and restore the exception indicator when called from C code. * Avoid a long-standing race condition in the automated tests. * Fix Qt website URL. - Up dbus dependency; 1.8 is now required. - Add missing dependency for pkg-config files - Version update to version 1.2.8: * Python 2.7 required or 3.4 respectively * Tests use tap.py functionality * Upstream dropped epydoc completely * See NEWS for more - Use requires_ge instead of the rpm calls Package python-py was updated: - CVE-2020-29651.patch (bsc#1179805, CVE-2020-29651, bsc#1184505) * python-py: regular expression denial of service in svnwc.py Package python-pytz was updated: - Add %pyunittest shim for platforms where it is missing.- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink (bsc#1185748). - %check: use %pyunittest rpm macro - Bump tzdata_version - update to 2021.1: * update to IANA 2021a timezone release - update to 2020.5: * update to IANA 2020e timezone release - Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352) - update to 2020.4: * update to IANA 2020d timezone release - specfile: * be more specific in %files section * README.txt -> README.rst - update to version 2020.1: * Test against Python 3.8 and Python 3.9 * Bump version numbers to 2020.1/2020a * Base class for all errors * Add flake8 settings * IANA 2020a * Fix remaining references to README.txt * Update README.md * Use .rst extension for reStructuredText * typo * highlight codes * use .rst extension name * Tidelift links * Add links for security reports * Update LICENSE.txt * Create FUNDING.yml * Make FixedOffset part of public API - Update to 2019.3 * IANA 2019c - Add versioned dependency on timezone database to ensure the correct data is installed - Remove system_zoneinfo.patch, and instead add a symlink to the system timezone database - Replace unnecessary pytest, adding a missing __init__.py in the tests to allow the test suite to work on Python 2.7 without pytest - update to 2019.2 * IANA 2019b * Defer generating case-insensitive lookups - update to 2019.1 * Raise UnknownTimeZoneError if provided timezone name is None * Use early python2 compatible str formatting * timezone constructor arg is case-insensitive * Add _all_timezones_lower_to_standard to gen_tzinfo - Use more useful and clean https://pythonhosted.org/pytz/ as URL - Use fdupes - Add missing dependency on Python runtime, and install using setuptools. - update to 2018.9 * IANA 2018i * Replace all references to deprecated easy_install with pip * Add _all_timezones_lower_to_standard to gen_tzinfo * timezone constructor arg is case-insensitive * Use early python2 compatible str formatting * Raise UnknownTimeZoneError if provided timezone name is None * Make timezone lookup case insensitive - from 2018.7 * IANA 2018g - from 2018.6 * IANA 2018f * Promote BaseTzInfo to public API for type checking * Update dev notes for Ubuntu 18.04 containers * Add warnings to examples showing what not to do - Replace nose test runner with pytest (py2k stdlib unittest runner is not sufficient to run the test suite here). - Refresh patches fix-tests.patch, system_zoneinfo.patch, 0001-Fix-tests-for-older-timezone-versions.patch - Remove superfluous devel dependency for noarch package Package python-pyzmq was updated: - update to version 17.1.2 (fixes boo#1186945) * Fix possible hang when working with asyncio * Remove some outdated workarounds for old Cython versions * Fix some compilation with custom compilers * Remove unneeded link of libstdc++ on PyPy Package python-requests was updated: - Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)- remove patch pr_5251-pytest5.patch, not needed anymore. - update to version 2.24.0: - pyOpenSSL TLS implementation is now only used if Python either doesn't have an `ssl` module or doesn't support SNI. Previously pyOpenSSL was unconditionally used if available. This applies even if pyOpenSSL is installed via the `requests[security]` extra (#5443) - Redirect resolution should now only occur when `allow_redirects` is True. (#5492) - No longer perform unnecessary Content-Length calculation for requests that won't use it. (#5496) - update to 2.23.0 - dropped merged_pr_5049.patch - refreshed requests-no-hardcoded-version.patch * Remove defunct reference to prefetch in Session __attrs__ * Requests no longer outputs password in basic auth usage warning - Remove python-urllib3, python-certifi and ca-certificates from main package BuildRequires, not required for building. - Do not require full python, (implicit) python-base is sufficient. - Add two patches only updating test logic to remove pytest 3 pin - merged_pr_5049.patch - pr_5251-pytest5.patch - Hardcode pytest 3.x series as upstream even in git does not work with newer versions (they pinned the release) - Update to 2.22.0: * Requests now supports urllib3 v1.25.2. (note: 1.25.0 and 1.25.1 are incompatible) - Rebase requests-no-hardcoded-version.patch - Do not hardcode version requirements in setup.py allowing us to update and verify functionality on our own: * requests-no-hardcoded-version.patch - Skip one more test that is flaky - Do not depend on python-py - Update few of the requirements - update to version 2.21.0: * Requests now supports idna v2.8. - Support older Red Hat platforms that don't offer "/Recommends:"/ - Move name ahead of version in spec file to resolve build issues on older distributions - fdupe more thoroughly. - update to version 2.20.1: * Bugfixes + Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443). Package python-urllib3 was updated: - Add %dir declaration for %{_licensedir}- Add CVE-2021-33503.patch (bsc#1187045, CVE-2021-33503) * Improve performance of sub-authority splitting in URL - Update in SLE-15 (bsc#1182422, jsc#ECO-3352, jsc#PM-2485) - Enable python2 builds - Re-add file permissions in %file section - Undo python2/3 split in %install section - Skip test for RECENT_DATE. It is a test purely for developers. To maintain reproducibility, keep upstreams possibly outdated RECENT_DATE in the source code. - Add CI variable, which makes timeouts in the test suite longer (gh#urllib3/urllib3#2109, bsc#1176389) and test_timeout_errors_cause_retries should not fail. - Generate pyc for ssl_match_hostname too - update to 1.25.10: * Added support for ``SSLKEYLOGFILE`` environment variable for logging TLS session keys with use with programs like Wireshark for decrypting captured web traffic (Pull #1867) * Fixed loading of SecureTransport libraries on macOS Big Sur due to the new dynamic linker cache (Pull #1905) * Collapse chunked request bodies data and framing into one call to ``send()`` to reduce the number of TCP packets by 2-4x (Pull #1906) * Don't insert ``None`` into ``ConnectionPool`` if the pool was empty when requesting a connection (Pull #1866) * Avoid ``hasattr`` call in ``BrotliDecoder.decompress()`` (Pull #1858) - update to 1.25.9 (bsc#1177120, CVE-2020-26137): * Added ``InvalidProxyConfigurationWarning`` which is raised when erroneously specifying an HTTPS proxy URL. urllib3 doesn't currently support connecting to HTTPS proxies but will soon be able to and we would like users to migrate properly without much breakage. * Drain connection after ``PoolManager`` redirect (Pull #1817) * Ensure ``load_verify_locations`` raises ``SSLError`` for all backends (Pull #1812) * Rename ``VerifiedHTTPSConnection`` to ``HTTPSConnection`` (Pull #1805) * Allow the CA certificate data to be passed as a string (Pull #1804) * Raise ``ValueError`` if method contains control characters (Pull #1800) * Add ``__repr__`` to ``Timeout`` (Pull #1795) - Explicitly switch off building python 2 version. - update to 1.25.8 * Drop support for EOL Python 3.4 * Optimize _encode_invalid_chars * Preserve chunked parameter on retries * Allow unset SERVER_SOFTWARE in App Engine * Fix issue where URL fragment was sent within the request target. * Fix issue where an empty query section in a URL would fail to parse. * Remove TLS 1.3 support in SecureTransport due to Apple removing support. - Require a new enough release of python-six. 1.25.6 needs at least 1.12.0 for ensure_text() and friends. - Updae to 1.25.6: * Fix issue where tilde (~) characters were incorrectly percent-encoded in the path. (Pull #1692) - Restrict the tornado dep from tom to 5 or older release as the 6.x changed the API - Update to 1.25.5: * Add mitigation for BPO-37428 affecting Python <3.7.4 and OpenSSL 1.1.1+ which caused certificate verification to be enabled when using cert_reqs=CERT_NONE. (Issue #1682) * Propagate Retry-After header settings to subsequent retries. (Pull #1607) * Fix edge case where Retry-After header was still respected even when explicitly opted out of. (Pull #1607) * Remove dependency on rfc3986 for URL parsing. * Fix issue where URLs containing invalid characters within Url.auth would raise an exception instead of percent-encoding those characters. * Add support for HTTPResponse.auto_close = False which makes HTTP responses work well with BufferedReaders and other io module features. (Pull #1652) * Percent-encode invalid characters in URL for HTTPConnectionPool.request() (Pull #1673) - Drop patch urllib3-ssl-default-context.patch - Drop patch python-urllib3-recent-date.patch the date is recent enough on its own - Use have/skip_python2/3 macros to allow building only one flavour - Use old pytest 3.x as newer do not work with this release * this will be fixed with next release, just spread among numerous fixes in the git for quick backporting - Fixup pre script: the migration issue happens when changing from python-urllib3 to python2-urllib3: the number of installed instances of python2-urlliib3 is at this moment 1, unlike in regular updates. This is due to a name change, which consists not of a pure package update. - Provides/Obsoletes does not fix the issue: we have a directory-to-symlink switch, which cannot be handled by RPM internally. Assist using pre script (boo#1138715). - Fix Upgrade from Leap 42.1/42.2 by adding Obsoletes/Provides: python-urllib3, fixes boo#1138746 - Add more test to skip as with new openssl some behaviour changed and we can't rely on them anymore - Unbundle the six, rfc3986, and backports.ssl_match_hostname - Add missing dependency on python-six (bsc#1150895) - Update to 1.25.3: * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603) * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605) - Update to 1.25.2: * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583) * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586) * Add support for Google's Brotli package. (Pull #1572, Pull #1579) * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578) - Require all the deps from the secure list rather than Recommend. This makes the check to be run always and ensure the urls are "/secure"/. - Remove ndg-httpsclient as it is not needed since 2015 - Add missing dependency on brotlipy - Fix the tests to pass again - update to 1.25 (bsc#1132663, bsc#1129071, CVE-2019-9740, CVE-2019-11236): * Require and validate certificates by default when using HTTPS * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use encrypted ``key_file`` without creating your own ``SSLContext`` object. * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext`` implementations. (Pull #1496) * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. * Fixed issue where OpenSSL would block if an encrypted client private key was given and no password was given. Instead an ``SSLError`` is raised. * Added support for Brotli content encoding. It is enabled automatically if ``brotlipy`` package is installed which can be requested with ``urllib3[brotli]`` extra. * Drop ciphers using DSS key exchange from default TLS cipher suites. Improve default ciphers when using SecureTransport. * Implemented a more efficient ``HTTPResponse.__iter__()`` method. - Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed - Update to 1.24.2 (bsc#1132900, CVE-2019-11324): - Implemented a more efficient HTTPResponse.__iter__() method. (Issue #1483) - Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant. (Pull #1487) - Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510) - Added support for key_password for HTTPSConnectionPool to use encrypted key_file without creating your own SSLContext object. (Pull #1489) - Fixed issue where OpenSSL would block if an encrypted client private key was given and no password was given. Instead an SSLError is raised. (Pull #1489) - Require and validate certificates by default when using HTTPS (Pull #1507) - Added support for Brotli content encoding. It is enabled automatically if brotlipy package is installed which can be requested with urllib3[brotli] extra. (Pull #1532) - Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport SSLContext implementations. (Pull #1496) - Drop ciphers using DSS key exchange from default TLS cipher suites. Improve default ciphers when using SecureTransport. (Pull #1496) - Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269) - Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. (Issue #303, PR #1492) - Update to 1.24.1: * Remove quadratic behavior within GzipDecoder.decompress() (Issue #1467) * Restored functionality of ciphers parameter for create_urllib3_context(). (Issue #1462) Package python3 was updated: - The previous construct works only on the current Factory, not in SLE. - BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation. - Due to conflicting demands of bsc#1183858 and platforms where Python 3.6 is only in interpreter+pip set we have to make complicated ugly construct about Sphinx BR. - Make python36 primary interpreter on SLE-15 - Make build working even on older SLEs. - Update to 3.6.15: - bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of r and n characters to avoid (unlikely) command injection. Library - bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee. Tests - bpo-38965: Fix test_faulthandler on GCC 10. Use the âvolatileâ keyword in faulthandler._stack_overflow() to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma. - Remove upstreamed patches: - faulthandler_stack_overflow_on_GCC10.patch - test_faulthandler is still problematic under qemu linux-user emulation, disable it there - Update to 3.6.14: * Security - bpo-44022 (bsc#1189241, CVE-2021-3737): mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server. - bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks. - bpo-42988 (CVE-2021-3426, bsc#1183374): Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David SchwÃ¶rer. - bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it. - bpo-43075 (CVE-2021-3733, bsc#1189287): Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. - Upstreamed patches were removed: - CVE-2021-3426-inf-disclosure-pydoc-getfile.patch - Refreshed patches: - python3-sorted_tar.patch - riscv64-ctypes.patch - Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338). - Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858). - Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668). - add 22198.patch to build with Sphinx 4 - Stop providing "/python"/ symbol (bsc#1185588), which means python2 currently. - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. - Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove getfile feature from pydoc, which is a security nightmare (among other things, CVE-2021-3426, allows disclosure of any file on the system; bsc#1183374, bpo#42988). Update to 3.6.13, final release of 3.6 branch: * Security - bpo#42967 (bsc#1182379, CVE-2021-23336): Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. - bpo#42938 (bsc#1181126, CVE-2021-3177): Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. - bpo#42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. - bpo#42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files. - bpo#40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely. * Core and Builtins - bpo#35560: Fix an assertion error in format() in debug build for floating point formatting with ânâ format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan. * Library - bpo#42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases). * Tests - bpo#42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na. - bpo#41944: Tests for CJK codecs no longer call eval() on content received via HTTP. - Patches removed, because they were included in the upstream tarball: - CVE-2020-27619-no-eval-http-content.patch - CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch - (bsc#1180125) We really don't Require python-rpm-macros package. Unnecessary dependency. Package release-notes-sles-for-sap was updated: - 15.1.20211213 (tracked in bsc#933411)- Added disclaimer for Trento in tech preview section (jsc#PM-3168) Package resource-agents was updated: - VirtualDomain RA using migration_network_suffix does create xenmigr URI causing live migration to fail (bsc#1180668) - Failover issue due to a Google API being unreachable - request upstream patches which include a retry (bsc#1186830) - nfs ganehsa failover takes 5 minutes for the client to regain access to nfs share (bsc#1184382) Add patches: 0001-VirtualDomain-drop-prefix-xenmigr-from-migrate-uri.patch 0001-gcp-vpc-move-vip.in-Adds-retries.patch nfsnotify.patch portblock.patch - ECO (jsc#SLE-18232) * Backport aws-vpc-move-ip patches to SLE15 codestreams. * (bsc#1186652) New GCP Load Balancer Resource Agent Add upstream patches: ECO-SLE-18232.diff 0001-gcp-ilb-resource-wrapping-nc-or-socat-to-respond-to-.patch - SAPInstance fails to detect SAP unit files for systemd (bsc#1189535) Add upstream patches: 0001-Clear-out-the-DIR_EXECUTABLE-variable-so-we-catch-th.patch 0001-SAPInstance_fails_to_detect_SAP_unit_files_for_systemd.patch 0002-SAPInstance_fails_to_detect_SAP_unit_files_for_systemd.patch - (bsc#1188975) azure-lb RA is using /usr/bin/nc instead of /usr/bin/socat Add upstream patch: 0001-ocf-distro-Improve-robustness-and-specificity-1558.patch - (bsc#1183971) L3: azure-events puts both nodes in standby Add upostream patch: 0001-azure-events-only-decode-when-exec-output-not-of-typ.patch - (bsc#1177796) ethmonitor bloats journal with warnings for VLAN devices [ref:_00D1igLOd._5001iTe6jj:ref] Add upstream patch: 0001-ethmonitor-is_interface-RE-matches-vlan-names.patch - (bsc#1180590) azure-events URLError fixed upstream Add upstream patch: 0001-azure-events-import-URLError-and-encode-postData-whe.patch - (bsc#1179977) L3: anything RA stop operation fails if /root/.profile has unexpected content Add upstream patch: 0001-The-anything-RA-getpid-function-can-fail-to-return-t.patch Package rsync was updated: - Fixed an error when using the external compression library where files larger that 1GB would not be transferred completely and failing with error: - deflate on token returned 0 (XXX bytes left) - rsync error: error in rsync protocol data stream (code 12) * Add rsync-fix-external-compression.patch [bsc#1190828] - Fix a segmentation fault in iconv [bsc#1188258] * Add rsync-iconv-segfault.patch Package rsyslog was updated: - fix groupname retrieval for large groups (bsc#1178490) * add 0001-rainerscript-call-getgrnam_r-repeatedly-to-get-all-g.patch Package ruby2 was updated: Add patches to fix the following CVE's: - CVE-2021-32066.patch (CVE-2021-32066): Fix StartTLS stripping vulnerability in Net:IMAP (bsc#1188160) - CVE-2021-31810.patch (CVE-2021-31810): Fix trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161) - CVE-2021-31799.patch (CVE-2021-31799): Fix Command injection vulnerability in RDoc (bsc#1190375) - Update to 2.5.9 (boo#1184644) https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/ - CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick - CVE-2021-28965: XML round-trip vulnerability in REXML Complete list of changes at https://github.com/ruby/ruby/compare/v2_5_8...v2_5_9 - Update suse.patch: Remove fix for CVE-2020-25613 as it is included in the update - Update suse.patch: (boo#1177125) Backport fix CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick - replace all patches with suse.patch (v2_5_8..2.5-suse) (we keep remove-unneeded-files.patch as it can not be done in our backports branch) - backport patch to enable optimizations also on ARM64 (boo#1177222) - make sure that update-alternative weight for the default distribution is always greater than our normal weight - make the update-alternative weight based on the ruby version Package rubygem-actionpack-5_1 was updated: Package rubygem-activerecord-5_1 was updated: - bsc#1182169, CVE-2021-22880: Fix possible DoS vector in PostgreSQL money type added: CVE-2021-22880-postgresql-money-dos.patch Package salt was updated: - Use dnfnotify instead yumnotify for relevant distros- Remove wrong _parse_cpe_name from grains.core - dnfnotify pkgset plugin implementation - Add rpm_vercmp python library support for version comparison - Prevent pkg plugins errors on missing cookie path (bsc#1186738) - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412) - Make "/salt-api"/ package to require python3-cherrypy on RHEL systems - tar is required by minion on transactional-update system - Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446) - Fix traceback.*_exc() calls - Added: * add-rpm_vercmp-python-library-for-version-comparison.patch * remove-wrong-_parse_cpe_name-from-grains.core-452.patch * dnfnotify-pkgset-plugin-implementation-3002.2-450.patch * 3002.2-do-not-consider-skipped-targets-as-failed-for.patch * mock-ip_addrs-in-utils-minions.py-unit-test-444.patch * fix-traceback.-_exc-calls-429.patch * prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch * fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch * fix-the-regression-for-yumnotify-plugin-456.patch - Support querying for JSON data in external sql pillar - Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265) (CVE-2021-21996) - Added: * 3002.2-postgresql-json-support-in-pillar-424.patch * exclude-the-full-path-of-a-download-url-to-prevent-i.patch - Fix wrong relative paths resolution with Jinja renderer when importing subdirectories - Don't pass shell="//sbin/nologin"/ to onlyif/unless checks (bsc#1188259) - Add missing aarch64 to rpm package architectures - Backport of upstream PR#59492 - Fix failing unit test for systemd - Fix error handling in openscap module (bsc#1188647) - Better handling of bad public keys from minions (bsc#1189040) - Define license macro as doc in spec file if not existing - Add standalone formulas configuration for salt minion and remove salt-master requirement (bsc#1168327) - Added: * backport-of-upstream-pr59492-to-3002.2-404.patch * don-t-use-shell-sbin-nologin-in-requisites.patch * fix-error-handling-in-openscap-module-bsc-1188647-40.patch * better-handling-of-bad-public-keys-from-minions-bsc-.patch * add-missing-aarch64-to-rpm-package-architectures-405.patch * templates-move-the-globals-up-to-the-environment-jin.patch * fix-failing-unit-tests-for-systemd.patch - Do noop for services states when running systemd in offline mode (bsc#1187787) - transactional_updates: do not execute states in parallel but use a queue (bsc#1188170) - Handle "/master tops"/ data when states are applied by "/transactional_update"/ (bsc#1187787) - Enhance openscap module: add "/xccdf_eval"/ call - virt: pass emulator when getting domain capabilities from libvirt - Adding preliminary support for Rocky Linux - Implementation of held/unheld functions for state pkg (bsc#1187813) - Replace deprecated Thread.isAlive() with Thread.is_alive() - Fix exception in yumpkg.remove for not installed package - Fix save for iptables state module (bsc#1185131) - virt: use /dev/kvm to detect KVM - zypperpkg: improve logic for handling vendorchange flags - Add bundled provides for tornado to the spec file - Enhance logging when inotify beacon is missing pyinotify (bsc#1186310) - Add "/python3-pyinotify"/ as a recommended package for Salt in SUSE/OpenSUSE distros - Fix tmpfiles.d configuration for salt to not use legacy paths (bsc#1173103) - Detect Python version to use inside container (bsc#1167586) (bsc#1164192) - Handle volumes on stopped pools in virt.vm_info (bsc#1186287) - grains.extra: support old non-intel kernels (bsc#1180650) - Fix missing minion returns in batch mode (bsc#1184659) - Parsing Epoch out of version provided during pkg remove (bsc#1173692) - Added: * grains.extra-support-old-non-intel-kernels-bsc-11806.patch * do-noop-for-services-states-when-running-systemd-in-.patch * move-vendor-change-logic-to-zypper-class-355.patch * adding-preliminary-support-for-rocky.-59682-391.patch * parsing-epoch-out-of-version-provided-during-pkg-rem.patch * figure-out-python-interpreter-to-use-inside-containe.patch * backport-thread.is_alive-fix-390.patch * virt-use-dev-kvm-to-detect-kvm-383.patch * virt-pass-emulator-when-getting-domain-capabilities-.patch * fix-exception-in-yumpkg.remove-for-not-installed-pac.patch * enhance-logging-when-inotify-beacon-is-missing-pyino.patch * implementation-of-held-unheld-functions-for-state-pk.patch * fix-missing-minion-returns-in-batch-mode-360.patch * handle-master-tops-data-when-states-are-applied-by-t.patch * fix-save-for-iptables-state-module-bsc-1185131-372.patch * handle-volumes-on-stopped-pools-in-virt.vm_info-373.patch * enhance-openscap-module-add-xccdf_eval-call-386.patch - Check if dpkgnotify is executable (bsc#1186674) - Added: * check-if-dpkgnotify-is-executable-bsc-1186674-376.patch - Update to Salt release version 3002.2 (jsc#ECO-3212) (jsc#SLE-18033) - See release notes: https://docs.saltstack.com/en/latest/topics/releases/3002.2.html - Drop support for Python2. Obsoletes "/python2-salt"/ package - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support * drop wrong capabilities code after rebasing patches - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "/server_id_use_crc"/ opts is missing - Fix pkg states when DEB package has "/all"/ arch - Do not force beacons configuration to be a list. (Revert https://github.com/saltstack/salt/pull/58655) - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Added: * 3002-set-distro-requirement-to-oldest-supported-vers.patch * add-alibaba-cloud-linux-2-by-backporting-upstream-s-.patch * add-almalinux-and-alibaba-cloud-linux-to-the-os-fami.patch * add-sleep-on-exception-handling-on-minion-connection.patch * async-batch-implementation-fix-320.patch * drop-wrong-virt-capabilities-code-after-rebasing-pat.patch * fix-aptpkg.normalize_name-when-package-arch-is-all.patch * fix-grains.test_core-unit-test-277.patch * fix-__mount_device-wrapper-254.patch * opensuse-3000.2-virt-backports-236-257.patch * opensuse-3000.3-spacewalk-runner-parse-command-250.patch * opensuse-3000-libvirt-engine-fixes-251.patc * open-suse-3002.2-bigvm-310.patch * open-suse-3002.2-virt-network-311.patch * pkgrepo-support-python-2.7-function-call-295.patch * remove-deprecated-warning-that-breaks-miniion-execut.patch * remove-msgpack-1.0.0-requirement-in-the-installed-me.patch * revert-fixing-a-use-case-when-multiple-inotify-beaco.patch * support-transactional-systems-microos-271.patch * update-target-fix-for-salt-ssh-to-process-targets-li.patch * virt.network_update-handle-missing-ipv4-netmask-attr.patch * zypperpkg-filter-patterns-that-start-with-dot-244.patch - Modified: * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch * accumulated-changes-from-yomi-167.patch * accumulated-changes-required-for-yomi-165.patch * activate-all-beacons-sources-config-pillar-grains.patch * add-all_versions-parameter-to-include-all-installed-.patch * add-astra-linux-common-edition-to-the-os-family-list.patch * add-batch_presence_ping_timeout-and-batch_presence_p.patch * add-cpe_name-for-osversion-grain-parsing-u-49946.patch * add-custom-suse-capabilities-as-grains.patch * add-docker-logout-237.patch * add-environment-variable-to-know-if-yum-is-invoked-f.patch * add-hold-unhold-functions.patch * add-migrated-state-and-gpg-key-management-functions-.patch * add-multi-file-support-and-globbing-to-the-filetree-.patch * add-new-custom-suse-capability-for-saltutil-state-mo.patch * add-patch-support-for-allow-vendor-change-option-wit.patch * add-pkg.services_need_restart-302.patch * add-publish_batch-to-clearfuncs-exposed-methods.patch * add-saltssh-multi-version-support-across-python-inte.patch * adds-explicit-type-cast-for-port.patch * add-standalone-configuration-file-for-enabling-packa.patch * add-supportconfig-module-for-remote-calls-and-saltss.patch * add-virt.all_capabilities.patch * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch * allow-passing-kwargs-to-pkg.list_downloaded-bsc-1140.patch * allow-vendor-change-option-with-zypper-313.patch * ansiblegate-take-care-of-failed-skipped-and-unreacha.patch * apply-patch-from-upstream-to-support-python-3.8.patch * async-batch-implementation.patch * avoid-excessive-syslogging-by-watchdog-cronjob-58.patch * avoid-traceback-when-http.query-request-cannot-be-pe.patch * backport-a-few-virt-prs-272.patch * backport-virt-patches-from-3001-256.patch * batch_async-avoid-using-fnmatch-to-match-event-217.patch * batch-async-catch-exceptions-and-safety-unregister-a.patch * batch.py-avoid-exception-when-minion-does-not-respon.patch * bsc-1176024-fix-file-directory-user-and-group-owners.patch * calculate-fqdns-in-parallel-to-avoid-blockings-bsc-1.patch * changed-imports-to-vendored-tornado.patch * debian-info_installed-compatibility-50453.patch * do-not-break-repo-files-with-multiple-line-values-on.patch * do-not-crash-when-there-are-ipv6-established-connect.patch * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch * do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch * do-not-make-ansiblegate-to-crash-on-python3-minions.patch * do-not-monkey-patch-yaml-bsc-1177474.patch * do-not-raise-streamclosederror-traceback-but-only-lo.patch * don-t-call-zypper-with-more-than-one-no-refresh.patch * drop-wrong-mock-from-chroot-unit-test.patch * early-feature-support-config.patch * enable-passing-a-unix_socket-for-mysql-returners-bsc.patch * ensure-virt.update-stop_on_reboot-is-updated-with-it.patch * fall-back-to-pymysql.patch * fix-aptpkg-systemd-call-bsc-1143301.patch * fix-async-batch-multiple-done-events.patch * fix-async-batch-race-conditions.patch * fix-a-test-and-some-variable-names-229.patch * fix-a-wrong-rebase-in-test_core.py-180.patch * fix-batch_async-obsolete-test.patch * fix-bsc-1065792.patch * fix-cve-2020-25592-and-add-tests-bsc-1178319.patch * fixed-bug-lvm-has-no-parttion-type.-the-scipt-later-.patch * fixes-56144-to-enable-hotadd-profile-support.patch * fixes-cve-2018-15750-cve-2018-15751.patch * fix-failing-unit-tests-for-batch-async.patch * fix-for-log-checking-in-x509-test.patch * fix-for-some-cves-bsc1181550.patch * fix-for-suse-expanded-support-detection.patch * fix-for-temp-folder-definition-in-loader-unit-test.patch * fix-git_pillar-merging-across-multiple-__env__-repos.patch * fixing-streamclosed-issue.patch * fix-ipv6-scope-bsc-1108557.patch * fix-issue-2068-test.patch * fix-issue-parsing-errors-in-ansiblegate-state-module.patch * fix-memory-leak-produced-by-batch-async-find_jobs-me.patch * fix-novendorchange-option-284.patch * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch * fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch * fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch * fix-the-removed-six.itermitems-and-six.-_type-262.patch * fix-unit-test-for-grains-core.patch * fix-unit-tests-for-batch-async-after-refactor.patch * fix-virt.update-with-cpu-defined-263.patch * fix-wrong-test_mod_del_repo_multiline_values-test-af.patch * fix-zypper.list_pkgs-to-be-aligned-with-pkg-state.patch * fix-zypper-pkg.list_pkgs-expectation-and-dpkg-mockin.patch * force-zyppnotify-to-prefer-packages.db-than-packages.patch * get-os_arch-also-without-rpm-package-installed.patch * grains-master-can-read-grains.patch * implementation-of-suse_ip-execution-module-bsc-10999.patch * implement-network.fqdns-module-function-bsc-1134860-.patch * improve-batch_async-to-release-consumed-memory-bsc-1.patch * improvements-on-ansiblegate-module-354.patch * include-aliases-in-the-fqdns-grains.patch * info_installed-works-without-status-attr-now.patch * integration-of-msi-authentication-with-azurearm-clou.patch * invalidate-file-list-cache-when-cache-file-modified-.patch * let-salt-ssh-use-platform-python-binary-in-rhel8-191.patch * loop-fix-variable-names-for-until_no_eval.patch * loosen-azure-sdk-dependencies-in-azurearm-cloud-driv.patch * make-aptpkg.list_repos-compatible-on-enabled-disable.patch * make-profiles-a-package.patch * make-setup.py-script-to-not-require-setuptools-9.1.patch * move-server_id-deprecation-warning-to-reduce-log-spa.patch * notify-beacon-for-debian-ubuntu-systems-347.patch * opensuse-3000-virt-defined-states-222.patch * open-suse-3002.2-xen-grub-316.patch * option-to-en-disable-force-refresh-in-zypper-215.patch * path-replace-functools.wraps-with-six.wraps-bsc-1177.patch * prevent-ansiblegate-unit-tests-to-fail-on-ubuntu.patch * prevent-command-injection-in-the-snapper-module-bsc-.patch * prevent-import-errors-when-running-test_btrfs-unit-t.patch * prevent-logging-deadlock-on-salt-api-subprocesses-bs.patch * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch * prevent-systemd-run-description-issue-when-running-a.patch * prevent-test_mod_del_repo_multiline_values-to-fail.patch * provide-the-missing-features-required-for-yomi-yet-o.patch * python3.8-compatibility-pr-s-235.patch * re-adding-function-to-test-for-root.patch * read-repo-info-without-using-interpolation-bsc-11356.patch * regression-fix-of-salt-ssh-on-processing-targets-353.patch * reintroducing-reverted-changes.patch * remove-arch-from-name-when-pkg.list_pkgs-is-called-w.patch * remove-deprecated-usage-of-no_mock-and-no_mock_reaso.patch * remove-unnecessary-yield-causing-badyielderror-bsc-1.patch * remove-vendored-backports-abc-from-requirements.patch * restore-default-behaviour-of-pkg-list-return.patch * return-the-expected-powerpc-os-arch-bsc-1117995.patch * revert-add-patch-support-for-allow-vendor-change-opt.patch * run-salt-api-as-user-salt-bsc-1064520.patch * run-salt-master-as-dedicated-salt-user.patch * sanitize-grains-loaded-from-roster_grains.json.patch * strip-trailing-from-repo.uri-when-comparing-repos-in.patch * support-config-non-root-permission-issues-fixes-u-50.patch * support-for-btrfs-and-xfs-in-parted-and-mkfs.patch * switch-firewalld-state-to-use-change_interface.patch * temporary-fix-extend-the-whitelist-of-allowed-comman.patch * transactional_update-detect-recursion-in-the-executo.patch * transactional_update-unify-with-chroot.call.patch * use-adler32-algorithm-to-compute-string-checksums.patch * use-current-ioloop-for-the-localclient-instance-of-b.patch * use-threadpool-from-multiprocessing.pool-to-avoid-le.patch * virt-adding-kernel-boot-parameters-to-libvirt-xml-55.patch * virt._get_domain-don-t-raise-an-exception-if-there-i.patch * virt-uefi-fix-backport-312.patch * x509-fixes-111.patch * xen-disk-fixes-264.patch * xfs-do-not-fails-if-type-is-not-present.patch * zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch - Removed: * add-alibaba-cloud-linux-2-to-salt-3000-branch-351.patch * add-almalinux-to-the-os-family-list-340.patch * add-ip-filtering-by-network.patch * add-missing-fun-for-returns-from-wfunc-executions.patch * add-missing-_utils-at-loader-grains_func.patch * add-sleep-on-exception-handling-minion-connecting-to.patch * avoid-has_docker-true-if-import-messes-with-salt.uti.patch * backport-commit-1b16478c51fb75c25cd8d217c80955feefb6.patch * decide-if-the-source-should-be-actually-skipped.patch * do-not-report-patches-as-installed-when-not-all-the-.patch * fix-cve-2020-11651-and-fix-cve-2020-11652.patch * fix-for-bsc-1102248-psutil-is-broken-and-so-process-.patch * fix-for-return-value-ret-vs-return-in-batch-mode.patch * fix-for-unless-requisite-when-pip-is-not-installed.patch * fix-grains.test_core-unit-test-276.patch * fix-__mount_device-wrapper-253.patch * fix-recursion-false-detectioni-in-payload-305.patch * fix-regression-in-service-states-with-reload-argumen.patch * fix-type-error-in-tornadoimporter.patch patch * fix-typo-on-msgpack-version-when-sanitizing-msgpack-.patch * fix-zmq-hang-backport-of-saltstack-salt-58364.patch * loader-invalidate-the-import-cachefor-extra-modules.patch * make-lazyloader.__init__-call-to-_refresh_file_mappi.patch * make-salt.ext.tornado.gen-to-use-salt.ext.backports_.patch * opensuse-3000.2-virt-backports-236.patch * opensuse-3000-bigvm-backports-300.patch * opensuse-3000-libvirt-engine-fixes-248.patch * opensuse-3000-spacewalk-runner-parse-command-247.patch * opensuse-3000-virtual-network-backports-329.patch * pkgrepo-support-python-2.7-function-call-294.patch * removes-unresolved-merge-conflict-in-yumpkg-module.patch * revert-changes-to-slspath-saltstack-salt-56341.patch * set-passphrase-for-salt-ssh-keys-to-empty-string-293.patch * support-transactional-systems-microos-268.patch * update-target-fix-for-salt-ssh-and-avoiding-race-con.patch * use-full-option-name-instead-of-undocumented-abbrevi.patch * various-fixes-to-the-mysql-module-to-break-out-the-h.patch * zypperpkg-filter-patterns-that-start-with-dot-243.patch - Fix issue parsing errors in ansiblegate state module - Added: * fix-issue-parsing-errors-in-ansiblegate-state-module.patch - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18028) - Remove duplicate directories from specfile - Added: * transactional_update-detect-recursion-in-the-executo.patch * prevent-command-injection-in-the-snapper-module-bsc-.patch - Improvements on "/ansiblegate"/ module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks * General bugfixes - Added: * improvements-on-ansiblegate-module-354.patch - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Added: * add-alibaba-cloud-linux-2-to-salt-3000-branch-351.patch * regression-fix-of-salt-ssh-on-processing-targets-353.patch - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Added: * update-target-fix-for-salt-ssh-and-avoiding-race-con.patch - Add notify beacon for Debian/Ubuntu systems - Added: * notify-beacon-for-debian-ubuntu-systems-347.patch - Fix zmq bug that causes salt-call to freeze (bsc#1181368) - Added: * fix-zmq-hang-backport-of-saltstack-salt-58364.patch - Add core grains support for AlmaLinux - Allow vendor change option with zypper - virt: virtual network backports to Salt 3000 - Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules (bsc#1177474) - Added: * add-almalinux-to-the-os-family-list-340.patch * do-not-monkey-patch-yaml-bsc-1177474.patch * allow-vendor-change-option-with-zypper-313.patch * opensuse-3000-virtual-network-backports-329.patch - Only require python-certifi for CentOS7 - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110) - Adjust and rename patch files - Exclude SLE 12 from requiring python-certifi - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976) - Fix recursion false detection in payload (bsc#1180101) - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855) - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347) - Always require python-certifi (used by salt.ext.tornado) - Do not crash when unexpected cmd output at listing patches (bsc#1181290) - Fix behavior for "/onlyif/unless"/ when multiple conditions (bsc#1180818) - Added: * add-sleep-on-exception-handling-minion-connecting-to.patch * implementation-of-suse_ip-execution-module-bsc-10999.patch * fix-onlyif-unless-when-multiple-conditions-bsc-11808.patch * fix-recursion-false-detectioni-in-payload-305.patch * do-not-crash-when-unexpected-cmd-output-at-listing-p.patch * fixes-56144-to-enable-hotadd-profile-support.patch * prevent-race-condition-on-sigterm-for-the-minion-bsc.patch - Renamed: * fix_regression_in_cmd_run_after_cve.patch -> fix-regression-on-cmd.run-when-passing-tuples-as-cmd.patch - Modified: * 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch * allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch * fix-for-some-cves-bsc1181550.patch * open-suse-3002.2-xen-grub-316.patch * virt-uefi-fix-backport-312.patch Package samba was updated: - The username map [script] advice from CVE-2020-25717 advisory note has undesired side effects for the local nt token. Fallback to a SID/UID based mapping if the name based lookup fails; (bsc#1192849); (bso#14901). - CVE-2016-2124: Don't fallback to non spnego authentication if kerberos is required; (bsc#1014440); (bso#12444); - CVE-2020-25717: A user in an AD Domain could become root on domain members; (bsc#1192284); (bso#14556); - s3-libads: Do not turn on canonicalization flag. Fixes a regression changing the computer account password; (bsc#1185089); (bso#14155); - CVE-2021-20254 Buffer overrun in sids_to_unixids(); (bso#14571); (bsc#1184677). - s3-libads: use dns name to open a ldap session; (bso#13124); (bsc#1184310). - CVE-2020-27840: samba: Unauthenticated remote heap corruption via bad DNs; (bso#14595); (bsc#1183572). - CVE-2021-20277: samba: out of bounds read in ldb_handler_fold; (bso#14655); (bsc#1183574). - Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size; (bso#14625); (bnc#1179156). - Adjust smbcacls '--propagate-inheritance' feature to align with upstream; (bsc#1178469). Package sapconf was updated: - version update from 5.0.2 to 5.0.3- adapt the activity detection of saptune to the upcoming saptune version 3 (bsc#1189496) - version update from 5.0.0 to 5.0.2 - added sapconf_check and supportconfig plugin for sapconf - change log message for 'MIN_PERF_PCT' parameter to reduce the spot light (bsc#1179524) - add additional check to detect an active saptune service (started but disabled and without any notes applied). Improve the logging message. (bsc#1182314) - enable and start sapconf.service during package update, if tuned is running with sapconf as profile (bsc#1176061) - preserve the state of the sapconf.service during the package update. Only disable the sapconf service, if saptune is active. In any other cases don't touch the state of the sapconf service. If tuned has problems and the command 'tune-adm off' does not work properly in the preinstall script of the package, try to stop the tuned service to avoid weird error messages in the log of tuned during and after the package update (bsc#1182906) Package sbd was updated: - Update to version 1.5.0+20210720.f4ca41f:- sbd-inquisitor: Implement default delay start for diskless sbd (bsc#1189398) - sbd-inquisitor: Sanitize numeric arguments - Update to version 1.5.0+20210629.1c72cf2: - sbd-inquisitor: tolerate and strip any leading spaces of command line option values (bsc#1187547) - sbd-inquisitor: tell the actual watchdog device specified with `-w` (bsc#1187547) - Revert "/Doc: adapt description of startup/shutdown sync with pacemaker"/ * 0001-Revert-Doc-adapt-description-of-startup-shutdown-syn.patch - Update to version 1.5.0+20210614.d7f447d (v1.5.0): - Deprecated path "//var/run/"/ used in systemd-services (bsc#1185182) - Update to version 1.4.2+20210305.926b554: - sbd-inquisitor: take the defaults for the options set in sysconfig with empty strings (bsc#1183259) - Update to version 1.4.2+20210305.57b84b5: - sbd-inquisitor: prevent segfault if no command is supplied (bsc#1183237) - Update to version 1.4.2+20210304.488a5b9: - sbd-inquisitor,sbd-md: make watchdog warning messages more understandable (bsc#1182648) - sbd-inquisitor: calculate the default timeout for watchdog warning based on the watchdog timeout consistently (bsc#1182648) - sbd-inquisitor: ensure the timeout for watchdog warning specified with `-5` option is respected (bsc#1182648) - sbd-common: ensure the default timeout for watchdog warning is about 3/5 of the default watchdog timeout (bsc#1182648) - sbd-inquisitor: downgrade the warning about SBD_SYNC_RESOURCE_STARTUP to notice (bsc#1180966) * bsc#1180966-0001-Log-sbd-inquisitor-downgrade-the-warning-about-SBD_S.patch - Update to version 1.4.2+20210129.5e2100f: - Doc: adapt description of startup/shutdown sync with pacemaker - Update to version 1.4.2+20201214.01c18c7: - sbd-inquisitor: check SBD_SYNC_RESOURCE_STARTUP only in watch mode (bsc#1180966) - Update to version 1.4.2+20201202.0446439 (v1.4.2): - ship sbd.pc with basic sbd build information for downstream packages to use - Update to version 1.4.1+20201105.507bd5f: - sbd: inform the user to restart the sbd service (bsc#1179655) - Update the uses of the systemd rpm macros * use '%service_del_postun_without_restart' instead of '%service_del_postun -n' * drop use of '%service_del_preun -n' as '-n' is unsafe and is deprecated This part still needs to be reworked as leaving services running why their package has been removed is unsafe. - Update to version 1.4.1+20200819.4a02ef2: - sbd-pacemaker: stay with basic string handling - build: use configure for watchdog-default-timeout & others - Update to version 1.4.1+20200807.7c21899: - Update to version 1.4.1+20200727.1117c6b: - make syncing of pacemaker resource startup configurable - sbd-pacemaker: sync with pacemakerd for robustness - Update to version 1.4.1+20200727.971affb: - sbd-cluster: match qdevice-sync_timeout against wd-timeout - Rebase: * bsc#1140065-Fix-sbd-cluster-exit-if-cmap-is-disconnected.patch - Update to version 1.4.1+20200624.cee826a: - sbd-pacemaker: handle new no_quorum_demote (rh#1850078) Package sed was updated: - Build fix for the new glibc-2.31 (bsc#1183797, sed-tests-build-fix.patch). Package sensors was updated: - change-pidfile-path-from-var-run-to-run.patch: Change PIDFile path from /var/run to /run (bsc#1185183). - var-run-deprecated.patch: /var/run is deprecated (bsc#1185183). Package shim was updated: - restore the shim-susesigned installation via buildrequires here.- Update to shim to 15.4-4.7.1 from SLE15-SP3 + Version: 15.4, "/Thu Jul 15 2021"/ + Update the SLE signatures + Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441, bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261, bsc#1187260, bsc#1185232. - Remove shim-install because the shim-install is updated in SLE 15.4 RPM. - shim-install: remove the unexpected residual "/removable"/ label for Azure (bsc#1185464, bsc#1185961) - shim-install: instead of assuming "/removable"/ for Azure, remove fallback.efi from EFIBoot and copy grub.efi/cfg to EFIBoot to make EFIBoot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961) - shim-install: always assume "/removable"/ for Azure to avoid the endless reset loop (bsc#1185464) - Also package the debuginfo and debugsource - Drop COPYRIGHT file since it's already in the shim rpm package - Update to the unified shim binary from SLE15-SP3 for SBAT support (bsc#1182057) + Version: 15.4, "/Thu Apr 22 03:26:48 UTC 2021"/ + Merged EKU codesign check (bsc#1177315) - Drop merged patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1092000-fallback-menu.patch + shim-always-mirror-mok-variables.patch + shim-correct-license-in-headers.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch - Drop shim-opensuse-cert-prompt.patch since the openSUSE kernel enabled lockdown. Package snappy was updated: - update to 1.1.8: * Small performance improvements. * Removed snappy::string alias for std::string. * Improved CMake configuration. - remove snappy-pcfile.patch (never went upstream) - Better neutrality of from description. Quantify "/Core i7"/. Trim description of SRPM and -devel as the user already has an idea what to look for. - Fix RPM groups. - Version update to 1.1.7: * Aarch64 fixes * ppc speedups * PIE improvements * Switch to cmake build system - Add patch snappy-pcfile.patch: * Pull 55 on upstream github, was dropped when moving to cmake of course we still need it - Fix license install wrt bsc#1080040 - Version bump to 1.1.4 * Fix a 1% performance regression when snappy is used in PIE executables. * Improve compression performance by 5%. * Improve decompression performance by 20%. - Use better download url. Package sqlite3 was updated: - Sync version 3.36.0 from Factory to implement jsc#SLE-16032.- Obsoletes sqlite3-CVE-2019-16168.patch. - The following CVEs have been fixed in upstream releases up to this point, but were not mentioned in the change log so far: * bsc#1173641, CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization * bsc#1164719, CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator * bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error * bsc#1160438, CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '0' input * bsc#1160309, CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference * bsc#1159850, CVE-2019-19924: improper error handling in sqlite3WindowRewrite() * bsc#1159847, CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive * bsc#1159715, CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c * bsc#1159491, CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference * bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name * bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns * bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements * bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service * bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage * bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability * bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names * CVE-2020-13434 boo#1172115: integer overflow in sqlite3_str_vappendf * CVE-2020-13630 boo#1172234: use-after-free in fts3EvalNextRow * CVE-2020-13631 boo#1172236: virtual table allowed to be renamed to one of its shadow tables * CVE-2020-13632 boo#1172240: NULL pointer dereference via crafted matchinfo() query * CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (boo#1172091) Package sudo was updated: - Update to 1.8.27 - jsc#SLE-17083 - Rebased the following patches: sudo-1.8.22-CVE-2019-18634.patch sudo-1.8.22-fix_listpw.patch sudo-1.8.22-pam_xauth.patch sudo-CVE-2019-14287.patch sudo-CVE-2021-23239.patch sudo-CVE-2021-23240.patch sudo-CVE-2021-3156.patch sudo-fix-bsc-1180687.patch sudo-sudoers.patch - Deleted sudoers2ldif-env.patch - Added from SLE-12-SP5: * sudo-1.8.27-ipa_hostname.patch * sudo-1.8.27-ldap-respect-SUDOERS_TIMED.patch - Major changes between version 1.8.27 and 1.8.26: * Fixes and clarifications to the sudo plugin documentation. * The sudo manuals no longer require extensive post-processing to hide system-specific features. Conditionals in the roff source are now used instead. This fixes corruption of the sudo manual on systems without BSD login classes. Bug #861. * If an I/O logging plugin is configured but the plugin does not actually log any I/O, sudo will no longer force the command to be run in a pseudo-tty. * In visudo, it is now possible to specify the path to sudoers without using the -f option. Bug #864. * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx) file would not be updated when a command was run in a pseudo-tty. Bug #865. * Sudo now sets the silent flag when opening the PAM session except when running a shell via sudo -s or sudo -i. This prevents the pam_lastlog module from printing the last login information for each sudo command. Bug #867. - Major changes between version 1.8.26 and 1.8.25p1: * Fixed a bug in cvtsudoers when converting to JSON format when alias expansion is enabled. Bug #853. * Sudo no long sets the USERNAME environment variable when running commands. This is a non-standard environment variable that was set on some older Linux systems. * Sudo now treats the LOGNAME and USER environment variables (as well as the LOGIN variable on AIX) as a single unit. If one is preserved or removed from the environment using env_keep, env_check or env_delete, so is the other. * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf. * Sudo now logs when the command was suspended and resumed in the I/O logs. This information is used by sudoreplay to skip the time suspended when replaying the session unless the new -S flag is used. * Fixed documentation problems found by the igor utility. Bug #854. * Sudo now prints a warning message when there is an error or end of file while reading the password instead of exiting silently. * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout, role, type, privs and limitprivs sudoOptions. This also affected cvtsudoers conversion from LDIF to sudoers or JSON. * Fixed a bug that prevented timeout settings in sudoers from functioning unless a timeout was also specified on the command line. * Asturian translation for sudo from translationproject.org. * When generating LDIF output, cvtsudoers can now be configured to pad the sudoOrder increment such that the start order is used as a prefix. Bug #856. * If the user specifies a group via sudo's -g option that matches any of the target user's groups, it is now allowed even if no groups are present in the Runas_Spec. Previously, it was only allowed if it matched the target user's primary group. * The sudoers LDAP back-end now supports negated sudoRunAsUser and sudoRunAsGroup entries. * Sudo now provides a proper error message when the "/fqdn"/ sudoers option is set and it is unable to resolve the local host name. Bug #859. * Portuguese translation for sudo and sudoers from translationproject.org. * Sudo now includes sudoers LDAP schema for the on-line configuration supported by OpenLDAP. - Major changes between version 1.8.25p1 and 1.8.25: * Fixed a bug introduced in sudo 1.8.25 that caused a crash on systems that have the poll() function but not the ppoll() function. Bug #851. - Major changes between version 1.8.25 and 1.8.24: * Fixed a bug introduced in sudo 1.8.20 that broke formatting of I/O log timing file entries on systems without a C99-compatible snprintf() function. Our replacement snprintf() doesn't support floating point so we can't use the %f format directive. * I/O log timing file entries now use a monotonic timer and include nanosecond precision. A monotonic timer that does not increment while the system is sleeping is used where available. * When sudo runs a command in a pseudo-tty, the slave device is now closed in the main process immediately after starting the monitor process. This removes the need for an AIX-specific workaround that was added in sudo 1.8.24. * Fixed a bug displaying timeout values the "/sudo -V"/ output. The value displayed was 3600 times the actual value. Bug #846. * The testsudoers utility now supports querying an LDIF-format policy. * Fixed a regression introduced in sudo 1.8.24 where the LDAP and SSSD backends evaluated the rules in reverse sudoOrder. Bug #849. - Major changes between version 1.8.24 and 1.8.23: * The LDAP and SSS back-ends now use the same rule evaluation code as the sudoers file backend. This builds on the work in sudo 1.8.23 where the formatting functions for sudo -l output were shared. The handling of negated commands in SSS and LDAP is unchanged. * Fixed a regression introduced in 1.8.23 where sudo -i could not be used in conjunction with --preserve-env=VARIABLE. Bug #835. * cvtsudoers can now parse base64-encoded attributes in LDIF files. * Random insults are now more random. * Added SUDO_CONV_PREFER_TTY flag for conversation function to tell sudo to try writing to /dev/tty first. Can be used in conjunction with SUDO_CONV_ INFO_MSG and SUDO_CONV_ERROR_MSG. * Fixed typos in the OpenLDAP sudo schema. Bugs #839 and #840. Bug #839 and bug #840. * Fixed a race condition when building with parallel make. Bug #842. * Fixed a duplicate free when netgroup_base in ldap.conf is set to an invalid value. * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors from PAM account management if authentication is disabled for the user. This fixes a regression introduced in sudo 1.8.23. Bug #843. * Fixed an ambiguity in the sudoers manual in the description and definition of User, Runas, Host, and Cmnd Aliases. Bug #834. * Fixed a bug that resulted in only the first window size change event being logged. * Fixed a compilation problem on systems that define O_PATH or O_SEARCH in fnctl.h but do not define O_DIRECTORY. Bug #844. - Major changes between version 1.8.23 and 1.8.22: * PAM account management modules and BSD auth approval modules are now run even when no password is required. * For kernel-based time stamps, if no terminal is present, fall back to parent-pid style time stamps. * The new cvtsudoers utility replaces both the sudoers2ldif script and the visudo -x functionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF or sudoers output. It is also possible to filter the generated output file by user, group or host name. * The file, ldap and sss sudoers backends now share a common set of formatting functions for "/sudo -l"/ output, which is also used by the cvtsudoers utility. * The /run directory is now used in preference to /var/run if it exists. Bug #822. * More accurate descriptions of the --with-rundir and --with-vardir configure options. Bug #823. * The setpassent() and setgroupent() functions are now used on systems that support them to keep the passwd and group database open. Sudo performs a lot of passwd and group lookups so it can be beneficial to avoid opening and closing the files each time. * The new case_insensitive_user and case_insensitive_group sudoers options can be used to control whether sudo does case-sensitive matching of users and groups in sudoers. Case insensitive matching is now the default. * Fixed a bug on some systems where sudo could hang on command exit when I/O logging was enabled. Bug #826. * Fixed a problem with the process start time test in make check when run in a Linux container. The test now uses the "/btime"/ field in /proc/stat to get the system start time instead of using /proc/uptime, which is the container uptime. Bug #829. * When determining which temporary directory to use, sudoedit now checks the directory for writability before using it. Previously, sudoedit only performed an existence check. Bug #827. * Sudo now includes an optional set of Monty Python-inspired insults. * Chinese (Taiwan) translation for sudo from translationproject.org. - Tenable Scan reports sudo is still vulnerable to CVE-2021-3156 [bsc#1183936] - Add sudo-1.8.27-ipa_hostname.patch to fix special handling of ipa_hostname that was lost in sudo 1.8.24. We now include the long and short hostname in sudo parser container [bsc#1181371] - Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf * [bsc#1176473] * Added sudo-1.8.27-ldap-respect-SUDOERS_TIMED.patch From: https://www.sudo.ws/repos/sudo/rev/d1e1bb5a6cc1 Package supportutils was updated: - Changes to version 3.1.17 + Adding ethtool options g l m to network.txt (jsc#SLE-18240) - Changes to version 3.1.16 + lsof options to improve performance (bsc#1186687) - Fixes to supportconfig + Exclude rhn.conf from etc.txt (bsc#1186347) - analyzevmcore supports local directories (bsc#1186397) - getappcore checks for valid compression binary (bsc#1185991) - getappcore does not trigger errors with help message (bsc#1185993) - Additions to version 3.1.15 + Checks package signatures in rpm.txt (bsc#1021918) + Optimize find (bsc#1184912) - Using zypper --xmlout (bsc#1181351) - Error fix for sysfs.txt (bsc#1089870) - Additions to version 3.1.15 + Added drbd-overview to drbd.txt + Added list-timers to systemd.txt (bsc#1169348) + Including nfs4 in search (bsc#1184829) - Minor: Fix a typo (executible -> executable) #99 - Changed minor wording to loaded module - [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826) - Fixed mismatched taint flags (bsc#1178491) - Removed redundant fdisk code that can cause timeout issues (bsc#1181679) - Supportconfig processes -f without hanging (bsc#1182904) - Remove net-tools from requires, it does not contain any tool anymore used by supportutils pr#96 - Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950) + Additional nvme information + Additional kdump configuration and logs - Additions to version 3.1.14 + [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911) + Updated pam.txt documentation explaining GDPR + ha.txt: Fix pacemaker.log location for SLE15 pr#90 + supportconfig: use readlink /proc/<pid>/cwd to get cwd list instead of lsof pr#91 + supportconfig: sssd_info consistency pr#93 + Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932) - No longer truncates boot log (bsc#1181610) - Require the awk, which and sed commands instead of packages to allow alternate implementations on embedded/Edge systems - Additions to version 3.1.13 + Added update-alternatives to etc.txt #82 + Collects rotated logs with different compression types (bsc#1180478) + Added GPL-2.0-only license tag to spec file - Additions to version 3.1.12 + btrfs_info: add -pce argument to qgroup show #80 + docker: add /etc/docker/daemon.json contents #81 - Additions to version 3.1.12 + Capture IBM Power bootlist (SLE-15557) + Fix spelling typos in man pages #78 + Collect multipath wwids file #77 + Removed unnecessary appname parameter from HTTP upload URL + added aa-status #74 - Additions to version 3.1.12 + [powerpc] Collect logs for power specific components #72 (bscn#1176895) + supportconfig: fs-btrfs: Add "/btrfs device stats"/ output #73 - Additions to version 3.1.11 + Changes affecting supportconfig - disk_info: Show discard information in lsblk #70 - memory_info: Show VMware memory balloon infomation #71 - Addition to version 3.1.10 + Changes affecting analyzevmcore - Fixed typo in error message #67 + Changes affecting supportconfig - Fixed btrfs errors (bsc#1168894) - Large ntp.txt with binary data (bsc#1169122) - Check btrfs balance status #69 Package supportutils-plugin-ha-sap was updated: - Update to version 0.0.2+git.1623772960.fed5aa7: to fix bsc#1187373 * Added process list for sid<adm> user * Added ENSA1 and ENSA2 informational messages * Added filter to gather logs for "/sap_suse_cluster_connector"/ * Fixed documentation links * Updated Documentation Links * Added Authentication Section and capture information about sid<adm> user * Added some additional logic. * Obscure clear text password from cluster resources using "/crm configure show"/ output Package suse-module-tools was updated: - Update to version 15.1.24: * blacklist isst_if_mbox_msr (bsc#1187196) - Update to version 15.1.23: * rpm-script: fix bad exit status in OpenQA (bsc#1191922) * cert-script: Deal with existing $cert.delete file (bsc#1191804). * cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480). * cert-script: Only print mokutil output in verbose mode. * inkmp-script(postun): don't pass existing files to weak-modules2 (boo#1191200) * kernel-scriptlets: skip cert scriptlet on non-UEFI systems (boo#1191260) * rpm-script: link config also into /boot (boo#1189879) * Import kernel scriptlets from kernel-source. (bsc#1189841, bsc#1190598) * Provide "/suse-kernel-rpm-scriptlets"/ * spec file: avoid %{_libexecdir} Package sysstat was updated: Package systemd was updated: - Import commit d38785e9adcf79c9729b94ef9f21185dd5a6d35f e1e30f53f2 Revert "/core: rework how we connect to the bus"/ (bsc#1193521 bsc#1193481) 3463e3178c sleep-config: partitions can't be deleted, only files can e9e021b3b9 shared/sleep-config: exclude zram devices from hibernation candidates - Drop 0001-core-prevent-bus_init_api-from-being-called-recursiv.patch This patch is no more needed since it was a follow-up for "/core: rework how we connect to the bus"/, which has been reverted. - Add 0001-core-prevent-bus_init_api-from-being-called-recursiv.patch - Import commit 43e57122ef9856db4ec4a8a2758bc8f73d2d1835 1a6747aa01 umount: show correct error message e4b8a01ca5 core/umount: fix unitialized fields in MountPoint in dm_list_get() - Fix IO scheduler udev rules * 60-io-scheduler.rules: don't use BFQ for real multiqueue devices (jsc#SLE-21032, bsc#1192161) * 60-io-scheduler.rules: use "/none"/ for multipath components (bsc#1192161) - Import commit d126915ede24b052216ca940155ea5531970aa95 f2cf0ac034 busctl: use usec granularity for the timestamp printed by the busctl monitor command (jsc#SLE-21862 jsc#SLE-18102 jsc#SLE-18103) - Import commit 5acd9826521306d7b312826135afe491bd889a29 df05d5b906 shutdown: Reduce log level of unmounts (bsc#1191252) 31f2b51c18 umount: Don't bother remounting api and ro filesystems read-only 4914963481 umount: Provide the same mount flags too when remounting read-only 04463997a7 umount: Decide whether to remount read-only earlier 143aed644f umount: Add more asserts and remove some unused arguments 09c7ad555d umount: Fix memory leak 1899743f50 shutdown: explicitly set a log target in shutdown.c a66287c2fe test: add tests for mount_option_mangle() 036077c2a0 mount-util: add mount_option_mangle() e90a30bc86 dissect: automatically mark partitions read-only that have a read-only file system b09a5f1835 build-sys: require libmount >= 2.30 (#6795) 2679668b86 systemd-shutdown: use log_set_prohibit_ipc(true) 32625253bc rationalize interface for opening/closing logging 46774b1d21 pid1: when we can't log to journal, remember our fallback log target cd994c1e81 log: remove LOG_TARGET_SAFE pseudo log target 8d4ec9ec2e log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console() a914dd2003 pid1: make use of new "/prohibit_ipc"/ logging flag in PID 1 (bsc#1189803) 496668c670 log: add new "/prohibit_ipc"/ flag to logging system 9df8261e38 log: make log_set_upgrade_syslog_to_journal() take effect immediately 15b3fcf953 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) 1898f668dd core: rework how we connect to the bus (bsc#1190325) 22a4287477 dbus: split up bus_done() into seperate functions 42ce096d80 machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 39ea02b718 virt: detect Amazon EC2 Nitro instance (bsc#1190440) ef0253c6e5 virt: if we detect Xen by DMI, trust that over CPUID - Import commit dc982a577e6d3eea8832083f470e48f6fbf227cc ddc6c90310 basic/unit-name: adjust comments 390bc4e04f basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910) b83b235cac unit-name: generate a clear error code when converting an overly long fs path to a unit name 4fd60931a5 unit-name: tighten checks for building valid unit names 513c103faf manager: reexecute on SIGRTMIN+25, user instances only ff761f71a9 logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018) b236f23d9d units: make fsck/grows/makefs/makeswap units conflict against shutdown.target - Dropped 1001-unit-name-tighten-checks-for-building-valid-unit-nam.patch Dropped 1002-unit-name-generate-a-clear-error-code-when-convertin.patch Dropped 1003-basic-unit-name-do-not-use-strdupa-on-a-path.patch Dropped 1004-basic-unit-name-adjust-comments.patch These patches have been merged in branch SUSE/v234. - Update 60-io-scheduler.rules (jsc#SLE-21032, bsc#1134353) * rules weren't applied to dm devices (multipath), fix it (bsc#1188713) * ignore obsolete "/elevator"/ kernel parameter (bsc#1184994, bsc#1190234) ("/elevator"/ did falsely overide settings even for blk-mq, fixed). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480) - Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291) - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). - While at it, add a comment to explain why we don't use %sysusers_create in %pre and why it should be safe in %post. - Added patches to fix CVE-2021-33910 (bsc#1188063) Added 1001-unit-name-tighten-checks-for-building-valid-unit-nam.patch Added 1002-unit-name-generate-a-clear-error-code-when-convertin.patch Added 1003-basic-unit-name-do-not-use-strdupa-on-a-path.patch Added 1004-basic-unit-name-adjust-comments.patch These patches will be moved to the git repo once the bug will become public. - Added fix for bsc#1184994 to skip udev rules if 'elevator=' is used - Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Paths under /run/lock are still managed by systemd for lack of better place. - Import commit f6f87c1cb4119c41f6fb93702e03cec794829b7c d7ed4af259 mount-util: shorten the loop a bit (#7545) cdf9cbb509 mount-util: do not use the official MAX_HANDLE_SZ (#7523) bbcc63a032 mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) d44adc63ab test: fix test-mount-util when handling duplicate mounts on the same location 7c74260899 mount-util: fix bad indenting c4ef3248e2 mount-util: EOVERFLOW might have other causes than buffer size issues 3f3eb23ccb mount-util: fix error propagation in fd_fdinfo_mnt_id() 9f170ee221 mount-util: drop exponential buffer growing in name_to_handle_at_loop() 5c709e7b31 udev: port udev_has_devtmpfs() to use path_get_mnt_id() ac57cefcb9 mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path e49d88b898 mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at() 060b1db043 core: fix output (logging) for mount units (#7603) (bsc#1187400) - Import commit 93910b81b809729afa7ff9529b45b1e67f229232 c289e1e5ae sysusers: use the usual comment style f11535886f test/TEST-21-SYSUSERS: add tests for new functionality 2f2bfa731c sysusers: allow admin/runtime overrides to command-line config dbd190cd3b basic/strv: add function to insert items at position 3c7b4c67fa sysusers: allow the shell to be specified f316974ebe man: reformat table in sysusers.d(5) 24113b7f00 sysusers: take configuration as positional arguments 8232e059d8 sysusers: emit a bit more info at debug level when locking fails 461356cfe9 sysusers: allow force reusing existing user/group IDs (#8037) dd9349e71a sysusers: ensure GID in uid:gid syntax exists 5e0ab33e59 sysusers: make ADD_GROUP always create a group 0dd4a69687 test: add TEST-21-SYSUSERS test 4dea8a2774 sysuser: use OrderedHashmap de09744500 sysusers: allow uid:gid in sysusers.conf files 9271c17657 meson: "/conf.get(condition)"/ fails if condition was not defined These commits implement the option '--replace' for systemd-sysusers so %sysusers_create_package can be introduced in SLE and packages can rely on this rpm macro without wondering whether the macro is available on the different target the package is submitted to. - udev requires systemd in its %post (bsc#1185958) udevadm, called in udev's %post, requires libsystemd-shared-xxx.so. - Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) - Import commit ca070cf0125f3b83fb3d7300ef4f524af47c49a3 3daea193a1 cgroup: Parse infinity properly for memory protections (bsc#1167471) a3f4d2980e cgroup: Make empty assignments reset to default (bsc#1167471) 72bbd3928c cgroup: Support 0-value for memory protection directives (bsc#1167471) 9c192a00a4 core/cgroup: accepts MemorySwapMax=0 (#8366) (bsc#1154935) d64f691eb7 bus-unit-util: add proper MemorySwapMax= serialization 98af04a71c core: accept MemorySwapMax= properties that are scaled, too d4528bcaa3 execute: make sure to call into PAM after initializing resource limits (bsc#1184967) 7fb1ab4f38 rlimit-util: introduce setrlimit_closest_all() c0d1ae3086 system-conf: drop reference to ShutdownWatchdogUsec= 9f66f43082 core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331) 82a5f215a3 Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046) - Drop 0010-core-accept-MemorySwapMax-properties-that-are-scaled.patch Drop 0011-bus-unit-util-add-proper-MemorySwapMax-serialization.patch Drop 0012-core-cgroup-accepts-MemorySwapMax-0-8366.patch Drop 0013-cgroup-Support-0-value-for-memory-protection-directi.patch Drop 0014-cgroup-Make-empty-assignments-reset-to-default.patch Drop 0015-cgroup-Parse-infinity-properly-for-memory-protection.patch These patches have been merged in SUSE/v234 branch. - Import commit bb23f007799c0ad2b14a6da7f74ee242e10b00b9 611376f830 rules: don't ignore Xen virtual interfaces anymore (bsc#1178561) 65f4fa852e write_net_rules: set execute bits (bsc#1178561) f60153e565 udev: rework network device renaming df31eb968a Revert "/Revert "/udev: network device renaming - immediately give up if the target name isn't available"/"/ - Import commit a9d8f7b4aa917ad28bc8c2622e77cb10c78b6b64 1130a2a712 shutdown: bump kmsg log level to LOG_WARNING only 188fb8b6ed shutdown: rework bump_sysctl_printk_log_level() to use sysctl_writef() 8f718ea1ea sysctl: add sysctl_writef() helper cfaa3afb20 shutdown: use "/int"/ for log level type 112b8553dc killall: bump log message about unkilled processes to LOG_WARNING 5a9628e4d9 core/killall: Log the process names not killed after 10s 26a073c9cf shutdown: Bump sysctl kernel.printk log level in order to see info msg a72f23faaa core/killall: Propagate errors and return the number of process left 13092aa300 shutdown: always pass errno to logging functions 62f0cbad46 umount: beef up logging when umount/remount child processes fail c04232cd6c umount: Try unmounting even if remounting read-only failed 9cf5376ff5 core: Implement sync_with_progress() (bsc#1178219) 160ef4200a core: Implement timeout based umount/remount limit (bsc#1178219) 4a38837448 core: remove "/misuse"/ of getpgid() in systemd-shutdown 6427ab4adf core: systemd-shutdown: avoid confusingly redundant messages c069ee55de core: systemd-shutdown: add missing check for umount_changed d28bde105a umount: always use MNT_FORCE in umount_all() (#7213) 2c592670f0 signal-util: use a slightly less likely to conflict variable name instead of 't' b7e22d4712 meson: rename -Ddebug to -Ddebug-extra 063f26c13b meson: drop misplaced -Wl,--undefined argument A bunch of commits which should improve the logs emitted by systemd-shutdown during the shutdown process when some badly written applications cannot be stopped properly and prevents some mount points to be unmounted properly. See bsc#1178219 for an example of such case. - fix-machines-btrfs-subvol.sh is only shipped when machined is built - Don't use shell redirections when calling a rpm macro (bsc#1183094) It's broken since the redirection is expanded where the parameters of the macro are, which can be anywhere in the body of macro. - systemd requires aaa_base >= 13.2 This dependency is required because 'systemctl {is-enabled,enable,disable} [initscript]"/ ends up calling systemd-sysv-install which in its turn calls "/chkconfig - -no-systemctl"/. aaa_base package has a weird versioning but the '--no-systemctl' option has been introduced starting from SLE12-SP2-GA, which shipped version "/13.2+git20140911.61c1681"/. Spotted in bsc#1180083. - Import commit 05690b706a7c93e595280789f7b066afc1e3dcc4 963377e674 PATCH] Always free deserialized_subscribed on reload (bsc#1180020) c77d75305a core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 07a5ede612 cgroup: actually reset the cgroup invalidation mask after we made our changes (bsc#1178775) - Drop 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch This patch have been imported in SUSE/v234 branch - Drop most of the tmpfiles that deal with generic paths (bsc#1078466 bsc#1181831) They are problematic because some of them conflict with SUSE defaults. Therefore it seems better to let the revelant packages owning these paths to provide their own definitions instead. - Create and own /usr/lib/systemd/system-environment-generators just like /usr/lib/systemd/user-environment-generators. Package systemd-presets-branding-SLE was updated: - Don't enable btrfsmaintenance-refresh.service, btrfsmaintenance is managed by systemd-presets-common-SUSE instead (boo#1165780) Package systemd-presets-common-SUSE was updated: - When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, just system services. Now it enables also the user services installed before this package, thus fixing boo#1186561 - Enable hcn-init.service for HNV on POWER (bsc#1184136 ltc#192155). - Enable user service pipewire-media-session.service (used with pipewire >= 0.3.23). - Enable user services pipewire.socket and pipewire-pulse.socket (boo#1183012). - Enable btrfsmaintenance-refresh.path and disable btrfsmaintenance-refresh.service to avoid needless refresh on boot (boo#1165780) - Enable dnf-makecache.timer - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini - Enable ignition-firstboot-complete.service - Enable logwatch.timer (bsc#1112500). - Recent versions of mlocate don't use updatedb.timer any more. Instead, the unit is called mlocate.timer. [boo#1115408] - Add default user preset: currently containing only the new pulseaudio.socket (bsc#1083473) Package tar was updated: - Link /var/lib/tests/tar/bin/genfile as Position-Independent Executable (bsc#1184124). + tar-PIE.patch - security update - added patches fix CVE-2021-20193 [bsc#1181131], Memory leak in read_header() in list.c + tar-CVE-2021-20193.patch Package tcpdump was updated: - Disable 5 regression tests that fail with libpcap > 1.8.1 * These test pcap files have been updated in later versions: arp-too-long-tha, juniper_header-heapoverflow, tftp-heapoverflow, relts-0x80000000, stp-v4-length-sigsegv. - Add tcpdump-disable-failing-tests.patch [bsc#1183800] Package tcsh was updated: - Add patch tcsh-6.20.00-toolong.patch which is an upstream commit ported back to 6.20.00 to fix bsc#1179316 about history file growing Package telnet was updated: Package thin-provisioning-tools was updated: Package tigervnc was updated: - tigervnc-FIPS-use-RFC7919.patch * Enable GnuTLS 3.6.0 and later to use Diffie-Hellman parameters from RFC7919 instead of generating our own, for FIPS compliance. * Specify RFC7919 parameters for GnuTLS older than 3.6.0. * bsc#1179809 Package timezone was updated: - timezone update 2021e (bsc#1177460): * Palestine will fall back 10-29 (not 10-30) at 01:00 - timezone update 2021d: * Fiji suspends DST for the 2021/2022 season * 'zic -r' marks unspecified timestamps with "/-00"/ - timezone update 2021c: * Revert almost all of 2021b's changes to the 'backward' file * Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers - timezone update 2021b: * Jordan now starts DST on February's last Thursday. * Samoa no longer observes DST. * Move some backward-compatibility links to 'backward'. * Rename Pacific/Enderbury to Pacific/Kanton. * Correct many pre-1993 transitions in Malawi, Portugal, etc. * zic now creates each output file or link atomically. * zic -L no longer omits the POSIX TZ string in its output. * zic fixes for truncation and leap second table expiration. * zic now follows POSIX for TZ strings using all-year DST. * Fix some localtime crashes and bugs in obscure cases. * zdump -v now outputs more-useful boundary cases. * tzfile.5 better matches a draft successor to RFC 8536. - Refresh tzdata-china.patch - Install tzdata.zi (bsc#1188127) Package tuned was updated: - bsc#1191341 Tuned: latency-performance profile configures cpu max-cstates to POLL instead of C1 Fixed by mainline commit: latency-peformance: backup latency requirement increased to 3 us A set_force_latency_C1.patch Package util-linux was updated: - Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: * agetty: Fix 8-bit processing in get_logname() (bsc#1125886). * mount: Fix "/mount"/ output for net file systems (bsc#1122417). * Many Other fixes, see https://www.kernel.org/pub/linux/utils/util-linux/v2.33/v2.33.2-ReleaseNotes * obsoletes util-linux-agetty-smart-reload-13.patch, util-linux-agetty-smart-reload-14.patch. * ported util-linux-libmount-pseudofs.patch - ipcutils: Avoid potential memory allocation overflow (bsc#1188921, CVE-2021-37600, util-linux-ipcutils-overflow-CVE-2021-37600.patch). - Fix ipcs testsuite (bsc#1178236#c19, util-linux-ipcs-shmall-overflow-ts.patch). - ipcs: Avoid overflows (bsc#1178236, util-linux-ipcs-shmall-overflow-1.patch, util-linux-ipcs-shmall-overflow-2.patch). Package util-linux-systemd was updated: - Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: * agetty: Fix 8-bit processing in get_logname() (bsc#1125886). * mount: Fix "/mount"/ output for net file systems (bsc#1122417). * Many Other fixes, see https://www.kernel.org/pub/linux/utils/util-linux/v2.33/v2.33.2-ReleaseNotes * obsoletes util-linux-agetty-smart-reload-13.patch, util-linux-agetty-smart-reload-14.patch. * ported util-linux-libmount-pseudofs.patch - ipcutils: Avoid potential memory allocation overflow (bsc#1188921, CVE-2021-37600, util-linux-ipcutils-overflow-CVE-2021-37600.patch). - Fix ipcs testsuite (bsc#1178236#c19, util-linux-ipcs-shmall-overflow-ts.patch). - ipcs: Avoid overflows (bsc#1178236, util-linux-ipcs-shmall-overflow-1.patch, util-linux-ipcs-shmall-overflow-2.patch). Package vim was updated: - install suse vimrc in /usr (boo#1182324, vim-8.0.1568-globalvimrc.patch)- source correct suse.vimrc file (boo#1182324) doesn't leave not owned directories (boo#1173256). build against Tumbleweed repo. Package virt-what was updated: - update to 1.21: * Nutanix Acropolis Hypervisor detection * podman detection - Add "/which"/ to Requires * Fixes boo#1161850, bsc#1176132 - Version bump 1.20. No upstream changelog, see http://git.annexia.org/?p=virt-what.git;a=shortlog;h=refs/tags/v1.20 Package wget was updated: - When running recursively, wget will verify the length of the whole URL when saving the files. This will make it overwrite files with truncated names, throwing the "/The name is too long, ... trying to shorten"/ messages. The patch moves the length check code to a separate function and call it from the append_dir_structure() for each path element. [ bsc#1181173, 0001-possibly-truncate-pathname-components.patch] Package xfsprogs was updated: - xfsprogs-devel: add libhandle1 dependency following split (bsc#1191566) - xfs_admin: support external log devices (bsc#1189984) * Add xfsprogs-xfs_admin-support-external-log-devices.patch - xfs_quota: state command should report ugp grace times (bsc#1189983) * Add xfsprogs-xfs_quota-display-warning-limits-when-printing-quota.patch * Add xfsprogs-xfs_quota-state-command-should-report-ugp-grace-time.patch - xfsprogs: Remove barrier/nobarrier mount options from xfs.5 (bsc#1191675) * Add xfsprogs-man-Remove-barrier-nobarrier-mount-options-from.patch - xfs_io: add label command (bsc#1191500) * Add xfsprogs-xfs_io-add-label-command.patch - xfs_bmap: remove -c from manpage (bsc#1189552) - xfs_bmap: don't reject -e (bsc#1189552) * Add xfsprogs-xfs_bmap-remove-c-from-manpage.patch * Add xfsprogs-xfs_bmap-don-t-reject-e.patch - xfs_repair: check plausibility of root dir pointer before trashing it (bsc#1188651) * Add xfsprogs-xfs_repair-refactor-fixed-inode-location-checks.patch * Add xfsprogs-xfs_repair-check-plausibility-of-root-dir-pointer-be.patch - xfsprogs: split libhandle1 into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency. - mkfs.xfs: fix ASSERT on too-small device with stripe geometry (bsc#1181536) * Add xfsprogs-mkfs.xfs-fix-ASSERT-on-too-small-device-with-stripe-.patch - mkfs.xfs: if either sunit or swidth is nonzero, the other must be as well (bsc#1085917, bsc#1181535) * Add xfsprogs-mkfs.xfs-if-either-sunit-or-swidth-is-nonzero-the-ot.patch - xfs_growfs: refactor geometry reporting (bsc#1181306) * Add xfsprogs-xfs_growfs-refactor-geometry-reporting.patch - xfs_growfs: allow mounted device node as argument (bsc#1181299) * Add xfsprogs-libfrog-fs_table_lookup_mount-should-realpath-the-ar.patch * Add xfsprogs-xfs_fsr-refactor-mountpoint-finding-to-use-libfrog-p.patch * Add xfsprogs-xfs_growfs-allow-mounted-device-node-as-argument.patch - xfs_repair: rebuild directory when non-root leafn blocks claim block 0 (bsc#1181309) * Add xfsprogs-xfs_repair-rebuild-directory-when-non-root-leafn-blo.patch Package xkeyboard-config was updated: - U_Fix-media-keys-lag-on-ABNT2-keyboard.patch * fixes wrong keyboard mapping causing input delays with ABNT2 keyboards (bsc#1191242) Package xterm was updated: - xterm-CVE-2021-27135.patch: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091 CVE-2021-27135) - Add Recommends: xorg-x11-fonts-legacy, since the default font is now available in that package. If the font is not available it will fall back to use a font installed in xorg-x11-fonts and it can also use truetype fonts, thus the Recommends instead of a Requires (related to boo#1169444) Package yast2 was updated: - Add linuxrc option "/reboot_timeout"/ to configure the timeout before reboot (bsc#1122493 poo#89716) - Linuxrc: Ensure the new opened SCR instace is closed when reading the /etc/install.inf file (bsc#1122493, bsc#1157476) - Ensure /etc/install.inf is not read from the target system but from the local one. (bsc#1122493, bsc#1157476) - 4.1.81 - Do not use the 'installation-helper' binary to create snapshots during installation or offline upgrade (bsc#1180142). - Add a new exception to properly handle exceptions when reading/writing snapshots numbers (related to bsc#1180142). - 4.1.80 Package yast2-add-on was updated: - Auto client does not crash when trying to import from an empty add-on section (bsc#1189154). - 4.1.15 Package yast2-installation was updated: - Filter the installation proposals (in the Installation Settings screen) according to the AutoYaST profile even before tab switching (related to bsc#1190294) - 4.1.55 - Use linuxrc option "/reboot_timeout"/ to configure the timeout before reboot (bsc#1122493 poo#89716) - Do not remove /etc/install.inf from inst-sys (bsc#1122493, bsc#1157476). - 4.1.54 - Clean-up the unneeded installer updates (bsc#1182928). - 4.1.53 - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) - 4.1.52 - Do not crash when it is not possible to create a snapshot after installing or upgrading the system (bsc#1180142). - 4.1.51 Package yast2-saptune was updated: - version update from 1.3 to 1.4 to include the following fixes:- Fixes for bsc#1188321 Exchange the tuned daemon handling with the new saptune service handling for saptune version 3, but stay with the old behaviour for systems running saptune version 2. Add information, if the service is enabled or disabled. Package yast2-storage-ng was updated: - Set the volume group extent size according to the AutoYaST profile (bsc#1192124). - 4.1.98 Package yast2-update was updated: - Do not rely on the 'installation-helper' binary to create snapshots after installation or offline upgrade (bsc#1180142). - Do not crash when it is not possible to create a snapshot before upgrading the system (related to bsc#1180142). - 4.1.13 Package zlib was updated: - Update 410.patch to include new fixes from upstream, fixes bsc#1192688 - Refresh bsc1174736-DFLTCC_LEVEL_MASK-set-to-0x1ff.patch to match upstream commit - Drop patches which changes have been merged in 410.patch: * zlib-compression-switching.patch * zlib-390x-z15-fix-hw-compression.patch * bsc1174551-fxi-imcomplete-raw-streams.patch - Fix hw compression on z15 bsc#1176201 - Add zlib-s390x-z15-fix-hw-compression.patch Package zstd was updated: - Add 0001-PATCH-Use-umask-to-Constrain-Created-File-Permission.patch fixing (CVE-2021-24031, bsc#1183371) and (CVE-2021-24032, bsc#1183370). Use umask() to constrain created file permission. Package zypper was updated: - Fix compiler warning.- zypper.conf: New option whether to collect subcommands found in $PATH (fixes #379) +[subcommand] i + +## Whether to look for subcommands in $PATH +## +## If a subcommand is not found in the zypper_execdir, the wrapper +## will look in the rest of your $PATH for it. Thus, it's possible +## to write local zypper extensions that don't live in system space. +## See section SUBCOMMANDS in the zypper manpage. +## +## Valid values: boolean +## Default value: yes +## +# seachSubcommandInPath = yes. - help subcommand: show path of command found in $PATH. - version 1.14.50 - Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602) - Fix typo in German translation (fixes #395) - BuildRequires: libzypp-devel >= 17.28.3. - version 1.14.49 - Support new reports for singletrans rpm commit. - BuildRequires: libzypp-devel >= 17.27.1. For lock/query comments. - Prompt: choose exact match if prompt options are not prefix free (bsc#1188156) - Install summary: Show new and removed packages closer to the prompt (fixes #403) These packages are usually more interesting than the updated ones. In case of doubt less scrolling is needed to see them. - Add need reboot/restart hint to XML install summary (bsc#1188435) - Add comment option for lock command (fixes #388). - version 1.14.48 - Quick fix obs:// platform guessing for Leap (bsc#1187425) - man: point out more clearly that patches update affected packages to the latest version (bsc#1187466) - version 1.14.47 - Link all executables with -pie (bsc#1186447) - Tag PTF packages in the status column (bsc#1186503) Like retracted packages, a program temporary fix must be explicitly selected and will otherwise not be considered in dependency resolution. - BuildRequires: libzypp-devel >= 17.26.1. - version 1.14.46 - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) - version 1.14.45 - Rephrase needs-rebooting help and messages. Try to point out that the need to reboot was not necessarily triggered by the current transaction. - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages (bsc#1183268) - Quickfix setting "/openSUSE_Tumbleweed"/ as default platform for "/MicroOS"/ (bsc#1153687) This fixes the guessed platform for "/obs://<project>/"/ URLs. - Protect against strict/relaxed user umask via sudo (bsc#1183589) - zypper-log: protect against thread name indicators in a log. - xml summary: add solvables repository alias (bsc#1182372) - version 1.14.44 - doc: give more details about creating versioned package locks (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) - version 1.14.43 - Fix source-download commnds help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quitet: Fix install summary to write nothing if there's nothing todo (bsc#1180077) - Prefer /run over /var/run. - version 1.14.42 - Avoid translated text in xml attributes ( fixes #361 ) - BuildRequires: libzypp-devel >= 17.25.3. Adapt to new LoadTestcase API. - version 1.14.41 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://publiccloudimagechangeinfo.suse.com/google/sles-15-sp1-sap-byos-v20220126/ Public Cloud Image Info https://www.suse.com/support/security/rating/ SUSE Security Ratings Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 SAPHanaSR-0.154.1-4.14.1 SAPHanaSR-doc-0.154.1-4.14.1 SLES_SAP-release-15.1-66.1 SUSEConnect-0.3.32-7.25.1 aaa_base-84.87+git20180409.04c9dae-3.52.1 aaa_base-extras-84.87+git20180409.04c9dae-3.52.1 alsa-1.1.5-6.9.2 alsa-utils-1.1.5-4.6.1 apparmor-parser-2.12.3-7.25.3 at-3.1.20-2.38 at-spi2-core-2.26.3-5.3.5 attr-2.4.47-2.19 audit-2.8.1-5.5.2 augeas-1.10.1-3.3.1 augeas-lenses-1.10.1-3.3.1 autofs-5.1.3-7.6.1 autoyast2-installation-4.1.21-3.24.1 bash-4.4-9.14.1 bc-1.07.1-3.3.1 bind-utils-9.16.6-12.57.1 bing-1.0.5-3.3 binutils-2.37-7.26.1 blktrace-1.1.0+git.20170126-3.6.1 blog-2.18-4.11 bonnie-1.5-1.18 boost-license1_66_0-1.66.0-5.3.1 ca-certificates-2+git20170807.10b2785-7.3.3 ca-certificates-mozilla-2.44-4.32.1 catatonit-0.1.5-3.3.2 chrony-3.2-9.24.2 chrony-pool-suse-3.2-9.24.2 cifs-utils-6.9-5.12.1 cloud-netconfig-gce-1.6-25.5.1 cluster-glue-1.0.12+v1.git.1587474580.a5fda2bc-3.9.1 cluster-md-kmp-default-4.12.14-197.102.2 command-not-found-0.2.2+20190613.e6c2668-6.3.2 conntrack-tools-1.4.4-1.29 containerd-1.4.11-56.1 coreutils-8.29-2.12 corosync-2.4.5-9.19.1 cpio-2.12-3.9.1 cpp-7-3.9.1 cpp7-7.5.0+r278197-4.30.1 cpupower-4.19-6.8.1 cracklib-2.9.6-2.21 cracklib-dict-small-2.9.6-2.21 crash-7.2.1-9.13.1 crmsh-4.3.1+20211119.97feb471-3.84.1 crmsh-scripts-4.3.1+20211119.97feb471-3.84.1 cron-4.2-70.14.4.1 cronie-1.5.1-70.14.4.1 csync2-2.0+git.1461714863.10636a4-4.9.1 ctdb-4.9.5+git.477.8163dd03413-3.61.1 cups-config-2.2.7-3.26.1 curl-7.60.0-28.1 cyrus-sasl-2.1.26-5.7.1 cyrus-sasl-digestmd5-2.1.26-5.7.1 cyrus-sasl-gssapi-2.1.26-5.7.1 cyrus-sasl-plain-2.1.26-5.7.1 cyrus-sasl-saslauthd-2.1.26-5.7.1 dbus-1-1.12.2-8.11.2 dejavu-fonts-2.37-1.21 deltarpm-3.6.1-3.19 desktop-data-SLE-15-2.22 device-mapper-1.02.149-12.40.1 dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dialog-1.3-3.3.7 diffutils-3.6-4.3.1 dlm-kmp-default-4.12.14-197.102.2 dmidecode-3.2-9.11.1 dmz-icon-theme-cursors-11.3.0-1.22 docker-20.10.9_ce-156.1 dos2unix-7.4.0-1.19 dosfstools-4.1-3.6.1 dracut-44.2-18.70.1 drbd-9.0.16+git.ab9777df-8.25.1 drbd-kmp-default-9.0.16+git.ab9777df_k4.12.14_197.102-8.25.1 drbd-utils-9.6.0-6.15.1 e2fsprogs-1.43.8-4.26.1 ebtables-2.0.10.4-5.6.4 efibootmgr-14-4.3.2 elfutils-0.168-4.5.3 ethtool-4.13-5.17 expat-2.2.5-3.9.1 expect-5.45.4-3.3.1 fdupes-1.61-1.452 fence-agents-4.9.0+git.1624456340.8d746be9-7.29.1 file-5.32-7.14.1 file-magic-5.32-7.14.1 filesystem-15.0-11.3.2 fillup-1.42-2.18 findutils-4.6.0-4.3.1 firewall-macros-0.5.5-4.24.9 firewalld-0.5.5-4.24.9 fontconfig-2.12.6-4.3.1 fonts-config-20200609+git0.42e2b1b-4.7.1 fping-4.0-4.3.2 gamin-server-0.1.10-1.41 gawk-4.2.1-1.41 gdk-pixbuf-query-loaders-2.36.11-3.19 gettext-runtime-0.19.8.1-4.11.1 gfs2-kmp-default-4.12.14-197.102.2 gio-branding-SLE-15-4.3.11 girepository-1_0-1.54.1-2.31 glib2-tools-2.54.3-4.24.1 glibc-2.26-13.62.1 glibc-i18ndata-2.26-13.62.1 glibc-locale-2.26-13.62.1 glibc-locale-base-2.26-13.62.1 gnutls-3.6.7-6.40.2 google-guest-agent-20210414.0-1.20.1 google-guest-configs-20210317.0-1.13.1 google-guest-oslogin-20210728.0-1.21.1 google-opensans-fonts-1.0-1.21 google-osconfig-agent-20210506.0-1.11.1 gpg2-2.2.5-4.19.8 gptfdisk-1.0.1-2.11 graphviz-2.40.1-6.12.1 graphviz-gd-2.40.1-6.12.1 graphviz-plugins-core-2.40.1-6.12.1 grep-3.1-4.3.12 groff-1.22.3-5.3.1 growpart-0.31-5.9.3 growpart-rootgrow-1.0.5-1.9.1 grub2-2.02-123.7.17 grub2-i386-pc-2.02-123.7.17 grub2-x86_64-efi-2.02-123.7.17 gtk2-tools-2.24.32-2.27 gzip-1.1-4.3.1 ha-cluster-bootstrap-0.5-5.3.1 hardlink-1.0+git.e66999f-1.25 haveged-1.9.2-6.1 hawk-apiserver-0.0.4+git.1604696958.cd5cdf1-5.6.1 hawk2-2.6.4+git.1618478653.7272e6b6-3.30.2 hdparm-9.52-1.22 hicolor-icon-theme-0.17-1.21 hostname-3.16-2.22 hwinfo-21.7-3.6.1 icewm-1.4.2-7.12.1 icewm-lite-1.4.2-7.12.1 icewm-theme-branding-1.2.4-3.12.1 info-6.5-4.17 initviocons-0.5-1.27 insserv-compat-0.1-4.6.1 ipmitool-1.8.18-7.3.1 iproute2-4.12-10.15 ipset-6.36-3.3.1 iptables-1.6.2-1.12 iputils-s20161105-8.3.1 ipvsadm-1.29-4.3.1 irqbalance-1.4.0-7.6.1 iscsiuio-0.7.8.2-13.42.1 java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 javapackages-tools-5.0.0+git20180104.9367c8f6-1.19 kbd-2.0.4-8.3.1 kbd-legacy-2.0.4-8.3.1 kdump-0.9.0-4.9.1 kernel-default-4.12.14-197.102.2 kexec-tools-2.0.16-7.2.1 keyutils-1.6.3-5.6.1 kmod-25-6.10.1 kmod-compat-25-6.10.1 krb5-1.16.3-3.24.1 krb5-client-1.16.3-3.24.1 ldirectord-4.3.0184.6ee15eb2-4.57.1 less-530-3.3.2 libHX28-3.22-1.26 libICE6-1.0.9-1.25 libQt5Core5-5.9.7-13.8.1 libQt5DBus5-5.9.7-13.8.1 libQt5Gui5-5.9.7-13.8.1 libQt5Network5-5.9.7-13.8.1 libQt5Widgets5-5.9.7-13.8.1 libQt5X11Extras5-5.9.7-4.39 libSM6-1.2.2-1.23 libX11-6-1.6.5-3.21.1 libX11-data-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libXau6-1.0.8-1.26 libXaw7-1.0.13-3.3.8 libXcomposite1-0.4.4-1.23 libXcursor1-1.1.15-1.18 libXdamage1-1.1.4-1.23 libXdmcp6-1.1.2-1.23 libXext6-1.3.3-1.3 libXfixes3-5.0.3-1.24 libXfont2-2-2.0.3-1.17 libXft2-2.3.2-1.33 libXi6-1.7.9-3.2.1 libXinerama1-1.1.3-1.22 libXmu6-1.1.2-1.3 libXmuu1-1.1.2-1.3 libXpm4-3.5.12-1.33 libXrandr2-1.5.1-2.17 libXrender1-0.9.10-1.3 libXt6-1.1.5-2.24 libXtst6-1.2.3-1.24 libXvnc1-1.9.0-19.12.1 libacl1-2.2.52-4.3.1 libaio1-0.3.109-1.25 libapparmor1-2.12.3-7.25.2 libargon2-1-0.0+git20171227.670229c-2.14 libasm1-0.168-4.5.3 libasound2-1.1.5-6.9.2 libassuan0-2.5.1-2.14 libatk-1_0-0-2.26.1-2.18 libatspi0-2.26.3-5.3.5 libattr1-2.4.47-2.19 libaudit1-2.8.1-5.5.1 libaugeas0-1.10.1-3.3.1 libauparse0-2.8.1-5.5.1 libavahi-client3-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libbind9-1600-9.16.6-12.57.1 libblkid1-2.33.2-4.16.1 libboost_regex1_66_0-1.66.0-5.3.1 libboost_system1_66_0-1.66.0-5.3.1 libboost_thread1_66_0-1.66.0-5.3.1 libbsd0-0.8.7-3.3.17 libbz2-1-1.0.6-5.11.1 libcairo2-1.16.0-4.8.1 libcap-ng0-0.7.9-4.37 libcap2-2.26-4.6.1 libcares2-1.17.1+20200724-3.17.1 libcfg6-2.4.5-9.19.1 libcmap4-2.4.5-9.19.1 libcom_err2-1.43.8-4.26.1 libcorosync_common4-2.4.5-9.19.1 libcpg4-2.4.5-9.19.1 libcpupower0-4.19-6.8.1 libcrack2-2.9.6-2.21 libcroco-0_6-3-0.6.12-4.3.51 libcryptsetup12-2.0.6-4.3.1 libctf-nobfd0-2.37-7.26.1 libctf0-2.37-7.26.1 libcups2-2.2.7-3.26.1 libcurl4-7.60.0-28.1 libdatrie1-0.2.9-1.25 libdb-4_8-4.8.30-7.3.1 libdbus-1-3-1.12.2-8.11.2 libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 libdevmapper-event1_03-1.02.149-12.40.1 libdevmapper1_03-1.02.149-12.40.1 libdialog14-1.3-3.3.7 libdlm-4.0.9-6.8.1 libdlm3-4.0.9-6.8.1 libdns1605-9.16.6-12.57.1 libdouble-conversion1-2.0.1-1.28 libdrm2-2.4.97-3.3.11 libdw1-0.168-4.5.3 libebl-plugins-0.168-4.5.3 libedit0-3.1.snap20150325-2.12 libefivar1-37-6.12.1 libelf1-0.168-4.5.3 libesmtp-1.0.6-150.4.1 libestr0-0.1.10-1.25 libevdev2-1.4.5-1.27 libevent-2_1-8-2.1.8-2.23 libexpat1-2.2.5-3.9.1 libext2fs2-1.43.8-4.26.1 libfam0-gamin-0.1.10-3.2.3 libfastjson4-0.99.8-1.16 libfdisk1-2.33.2-4.16.1 libffi7-3.2.1.git259-3.16 libfl2-2.6.4-3.157 libfontenc1-1.1.3-1.22 libfreebl3-3.68.2-3.64.2 libfreetype6-2.10.1-4.8.1 libfuse2-2.9.7-3.3.1 libgcc_s1-11.2.1+git610-1.3.9 libgcrypt20-1.8.2-8.42.1 libgd3-2.2.5-4.14.1 libgdbm4-1.12-1.418 libgdk_pixbuf-2_0-0-2.36.11-3.19 libgio-2_0-0-2.54.3-4.24.1 libgirepository-1_0-1-1.54.1-2.31 libglib-2_0-0-2.54.3-4.24.1 libglue2-1.0.12+v1.git.1587474580.a5fda2bc-3.9.1 libglvnd-1.0.0-1.8 libgmodule-2_0-0-2.54.3-4.24.1 libgmp10-6.1.2-4.9.1 libgnutls30-3.6.7-6.40.2 libgobject-2_0-0-2.54.3-4.24.1 libgpg-error0-1.29-1.8 libgpgme11-1.10.0-4.3.4 libgraphite2-3-1.3.11-2.12 libgraphviz6-2.40.1-6.12.1 libgthread-2_0-0-2.54.3-4.24.1 libgtk-2_0-0-2.24.32-2.27 libgudev-1_0-0-232-1.33 libharfbuzz0-1.7.5-1.21 libhavege1-1.9.2-6.1 libhogweed4-3.4.1-4.18.1 libicu60_2-60.2-3.9.1 libicu60_2-ledata-60.2-3.9.1 libidn11-1.34-3.2.2 libidn2-0-2.2.0-3.6.1 libinput10-1.10.5-1.21 libipset11-6.36-3.3.1 libiptc0-1.6.2-1.12 libirs1601-9.16.6-12.57.1 libisc1606-9.16.6-12.57.1 libisccc1600-9.16.6-12.57.1 libisccfg1600-9.16.6-12.57.1 libisl15-0.18-1.443 libjansson4-2.9-1.24 libjbig2-2.1-3.2.1 libjemalloc2-5.0.1-1.25 libjpeg62-62.2.0-32.0.1 libjpeg8-8.1.2-32.2.1 libjson-c3-0.13-3.3.1 libkeyutils1-1.6.3-5.6.1 libkmod2-25-6.10.1 libksba8-1.3.5-2.14 libldap-2_4-2-2.4.46-9.58.1 libldap-data-2.4.46-9.58.1 libldapcpp1-0.3.1-1.33 libldb1-1.4.6-3.8.1 liblmdb-0_9_17-0.9.17-4.6.2 liblockdev1-1.0.3_git201003141408-1.97 liblogging0-1.0.6-3.21 liblognorm5-2.0.4-1.17 libltdl7-2.4.6-3.4.1 liblua5_3-5-5.3.6-3.6.1 liblvm2app2_2-2.02.180-12.40.1 liblvm2cmd2_02-2.02.180-12.40.1 liblz4-1-1.8.0-3.8.1 liblzma5-5.2.3-4.3.1 liblzo2-2-2.1-2.22 libmagic1-5.32-7.14.1 libmetalink3-0.1.3-1.24 libmnl0-1.0.4-1.25 libmodman1-2.0.1-1.27 libmount1-2.33.2-4.16.1 libmozjs-52-52.6.0-3.3.2 libmpc3-1.1.0-1.47 libmpfr6-4.0.2-3.3.1 libmtdev1-1.1.5-1.26 libncurses6-6.1-5.9.1 libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 libndr0-4.9.5+git.477.8163dd03413-3.61.1 libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 libnetfilter_conntrack3-1.0.6-1.26 libnetfilter_cthelper0-1.0.0-1.21 libnetfilter_cttimeout1-1.0.0-1.22 libnetfilter_queue1-1.0.3-1.16 libnettle6-3.4.1-4.18.1 libnfnetlink0-1.0.1-2.11 libnghttp2-14-1.40.0-3.11.1 libnl-config-3.3.0-1.29 libnl3-200-3.3.0-1.29 libnm0-1.10.6-5.12.1 libnpth0-1.5-2.11 libns1604-9.16.6-12.57.1 libnscd1-2.0.2-3.21 libnsl2-1.2.0-2.44 libnuma1-2.0.14-4.6.1 libopeniscsiusr0_2_0-2.0.876-13.42.1 libopenssl1_1-1.1.0i-14.24.3 libopts25-5.18.12-3.3.1 libp11-kit0-0.23.2-4.13.1 libpacemaker3-2.0.1+20190417.13d370ca9-3.21.1 libpango-1_0-0-1.40.14-3.3.1 libparted0-3.2-11.14.1 libpcap1-1.8.1-4.5.1 libpci3-3.5.6-3.3.1 libpcre1-8.45-20.10.1 libpcre2-8-0-10.31-3.3.1 libpgm-5_2-0-5.2.122-5.3.1 libpipeline1-1.4.1-1.27 libpixman-1-0-0.34.0-7.2.1 libpng12-0-1.2.57-2.18 libpng16-16-1.6.34-3.9.1 libpolkit0-0.114-3.15.1 libpopt0-1.16-3.22 libprocps7-3.3.15-7.19.1 libproxy1-0.4.15-4.3.1 libpsl5-0.20.1-1.2 libpython3_6m1_0-3.6.15-3.91.3 libqb20-1.0.3+20190326.a521604-3.3.1 libqrencode4-4.0.0-1.17 libquorum5-2.4.5-9.19.1 libreadline7-7.0-9.14.1 librsync2-1.0.0-1.27 libruby2_5-2_5-2.5.9-4.20.1 libsam4-2.4.5-9.19.1 libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 libsamplerate0-0.1.9-3.22 libsasl2-3-2.1.26-5.7.1 libseccomp2-2.4.1-3.3.1 libselinux1-2.8-8.3.1 libsemanage1-2.8-4.35 libsensors4-3.5.0-4.6.1 libsepol1-2.8-4.37 libsgutils2-1_43-2-1.44~763+19.1ed0757-9.3.1 libsigc-2_0-0-2.10.0-3.7.1 libsmartcols1-2.33.2-4.16.1 libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 libsmi-0.4.8-1.29 libsmi2-0.4.8-1.29 libsnappy1-1.1.8-3.3.1 libsnmp30-5.7.3-10.9.1 libsodium23-1.0.16-4.3.18 libsoftokn3-3.68.2-3.64.2 libsolv-tools-0.7.20-4.3.1 libsqlite3-0-3.36.0-3.12.1 libssh2-1-1.9.0-4.13.1 libssh4-0.8.7-10.12.1 libstdc++6-11.2.1+git610-1.3.9 libstorage-ng-ruby-4.1.111-4.24.1 libstorage-ng1-4.1.111-4.24.1 libsystemd0-234-24.102.1 libtalloc2-2.1.14-5.22 libtasn1-4.13-4.5.1 libtasn1-6-4.13-4.5.1 libtdb1-1.3.16-4.23 libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 libtevent0-0.9.37-6.23 libthai-data-0.1.27-1.16 libthai0-0.1.27-1.16 libtiff5-4.0.9-45.2.1 libtirpc-netconfig-1.0.2-3.8.1 libtirpc3-1.0.2-3.8.1 libtotem_pg5-2.4.5-9.19.1 libts0-1.13-1.18 libudev1-234-24.102.1 libunistring2-0.9.9-1.15 libunwind-1.5.0-4.5.1 libusb-1_0-0-1.0.21-3.3.1 libutempter0-1.1.6-3.42 libuuid1-2.33.2-4.16.1 libuv1-1.18.0-1.19 libverto1-0.2.6-3.2 libvirt-client-5.1.0-17.1 libvirt-libs-5.1.0-17.1 libvotequorum8-2.4.5-9.19.1 libwacom-data-0.23-1.31 libwacom2-0.23-1.31 libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 libwebp6-0.5.0-3.5.1 libwrap0-7.6-1.433 libx86emu2-2.2-1.8 libxcb-glx0-1.13-3.7.1 libxcb-icccm4-0.4.1-1.24 libxcb-image0-0.4.0-1.23 libxcb-keysyms1-0.4.0-1.23 libxcb-randr0-1.13-3.7.1 libxcb-render-util0-0.3.9-1.23 libxcb-render0-1.13-3.7.1 libxcb-shape0-1.13-3.7.1 libxcb-shm0-1.13-3.7.1 libxcb-sync1-1.13-3.7.1 libxcb-util1-0.4.0-1.23 libxcb-xfixes0-1.13-3.7.1 libxcb-xinerama0-1.13-3.7.1 libxcb-xkb1-1.13-3.7.1 libxcb1-1.13-3.7.1 libxkbcommon-x11-0-0.8.2-3.3.1 libxkbcommon0-0.8.2-3.3.1 libxkbfile1-1.0.9-1.26 libxml2-2-2.9.7-3.37.1 libxslt1-1.1.32-3.8.24 libxtables12-1.6.2-1.12 libyajl2-2.1.0-2.12 libyaml-0-2-0.1.7-1.17 libyaml-cpp0_6-0.6.1-4.2.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses9-2.50.4-5.24 libyui-qt9-2.49.16-1.15 libyui9-3.4.2-4.24 libz1-1.2.11-3.24.1 libzio1-1.06-2.2 libzmq5-4.2.3-3.15.4 libzstd1-1.4.4-1.6.1 libzypp-17.29.0-3.64.1 lockdev-1.0.3_git201003141408-1.97 logrotate-3.13.0-4.3.9 lsb-release-3.0-1.2 lsof-4.91-1.11 lsscsi-0.28-1.24 lvm2-2.02.180-12.40.1 lvm2-lockd-2.02.180-12.40.1 mailx-12.5-3.3.1 makedumpfile-1.6.3-10.6.1 man-2.7.6-6.22 man-pages-4.16-3.12.1 mksh-56c-1.1 mlocate-0.26-5.22 mozilla-nspr-4.32-3.20.1 mozilla-nss-3.68.2-3.64.2 mozilla-nss-certs-3.68.2-3.64.2 mozilla-nss-tools-3.68.2-3.64.2 ncurses-utils-6.1-5.9.1 net-snmp-5.7.3-10.9.1 net-tools-2.0+git20170221.479bb4a-3.11 netcat-openbsd-1.178-1.24 netcfg-11.6-3.3.1 nfs-client-2.1.1-10.18.1 nfs-kernel-server-2.1.1-10.18.1 nfsidmap-0.26-3.3.1 nscd-2.26-13.62.1 ocfs2-kmp-default-4.12.14-197.102.2 ocfs2-tools-1.8.5-12.11.1 open-iscsi-2.0.876-13.42.1 openldap2-client-2.4.46-9.58.1 openslp-2.0.0-6.15.1 openssh-7.9p1-6.28.1 openssl-1.1.0i-3.3.1 openssl-1_1-1.1.0i-14.24.3 p11-kit-0.23.2-4.13.1 p11-kit-tools-0.23.2-4.13.1 pacemaker-2.0.1+20190417.13d370ca9-3.21.1 pacemaker-cli-2.0.1+20190417.13d370ca9-3.21.1 pam-1.3.0-6.50.1 pam-config-0.96-5.17 pam-modules-12.1-3.17 parted-3.2-11.14.1 patch-2.7.6-3.5 patterns-base-base-20171206-35.2 patterns-base-basesystem-20171206-35.2 patterns-base-minimal_base-20171206-35.2 patterns-ha-ha_sles-15.1.0-11.1 patterns-server-enterprise-sap_server-20171206-12.6.1 pciutils-3.5.6-3.3.1 pciutils-ids-20200324-3.6.1 perl-5.26.1-7.12.1 perl-Bootloader-0.924-8.3.1 perl-CPAN-Changes-0.400002-1.24 perl-Crypt-SmbHash-0.12-1.24 perl-Devel-Symdump-2.18-1.24 perl-Digest-MD4-1.9-1.28 perl-Digest-SHA1-2.13-1.27 perl-Encode-Locale-1.05-1.24 perl-File-Listing-6.04-1.23 perl-HTML-Parser-3.72-1.26 perl-HTML-Tagset-3.2-1.24 perl-HTTP-Cookies-6.04-1.2 perl-HTTP-Daemon-6.01-1.24 perl-HTTP-Date-6.02-1.24 perl-HTTP-Message-6.14-1.16 perl-HTTP-Negotiate-6.01-1.23 perl-IO-HTML-1.001-1.24 perl-IO-Socket-INET6-2.72-1.22 perl-LWP-MediaTypes-6.02-1.25 perl-MailTools-2.19-1.2 perl-Net-DBus-1.1.0-1.3 perl-Net-HTTP-6.17-1.2 perl-Net-SSLeay-1.81-1.26 perl-Net-Telnet-3.04-1.25 perl-Parse-RecDescent-1.967015-1.22 perl-Pod-Coverage-0.23-1.23 perl-SNMP-5.7.3-10.9.1 perl-Socket6-0.28-1.17 perl-Term-ReadKey-2.37-1.2 perl-Test-Pod-1.51-1.24 perl-Test-Pod-Coverage-1.1-1.23 perl-TimeDate-2.3-3.9.1 perl-Try-Tiny-0.3-1.17 perl-URI-1.73-1.16 perl-WWW-RobotRules-6.02-1.23 perl-X11-Protocol-0.56-1.24 perl-X500-DN-0.29-1.22 perl-XML-LibXML-2.0132-1.2 perl-XML-NamespaceSupport-1.12-1.24 perl-XML-Parser-2.44-1.443 perl-XML-SAX-0.99-1.22 perl-XML-SAX-Base-1.09-1.25 perl-XML-SAX-Expat-0.51-1.22 perl-XML-Simple-2.24-1.22 perl-XML-Twig-3.52-3.3.1 perl-base-5.26.1-7.12.1 perl-gettext-1.07-1.442 perl-libwww-perl-6.31-1.17 permissions-20181116-9.38.1 pigz-2.3.3-1.28 pinentry-1.1.0-4.3.1 pkg-config-0.29.2-1.436 polkit-0.114-3.15.1 polkit-default-privs-13.2-18.8.1 procmail-3.22-2.34 procps-3.3.15-7.19.1 psmisc-23.0-6.16.1 python3-3.6.15-3.91.4 python3-Babel-2.5.1-1.26 python3-Jinja2-2.10.1-3.10.2 python3-M2Crypto-0.35.2-3.9.1 python3-MarkupSafe-1.0-1.29 python3-PyYAML-5.3.1-6.10.1 python3-appdirs-1.4.3-1.21 python3-base-3.6.15-3.91.3 python3-bind-9.16.6-12.57.1 python3-certifi-2018.1.18-1.18 python3-chardet-3.0.4-3.23 python3-configobj-5.0.6-1.24 python3-configshell-fb-1.1.fb23-2.17 python3-cssselect-1.0.3-1.18 python3-curses-3.6.15-3.91.4 python3-dbus-python-1.2.16-6.3.1 python3-decorator-4.2.1-1.18 python3-firewall-0.5.5-4.24.9 python3-gcemetadata-1.0.4-3.9.1 python3-gobject-3.26.1-1.31 python3-idna-2.6-1.2 python3-linux-procfs-0.6-1.26 python3-lxml-4.0.0-2.26 python3-msgpack-0.5.6-1.19 python3-packaging-16.8-1.23 python3-parallax-1.0.6-3.3.14 python3-pexpect-4.8.0-5.3.5 python3-ply-3.1-1.27 python3-psutil-5.4.8-4.24 python3-ptyprocess-0.5.2-1.54 python3-py-1.8.1-5.6.1 python3-pycurl-7.43.0.2-4.3.1 python3-pyparsing-2.2.0-1.28 python3-python-dateutil-2.7.3-4.22 python3-pytz-2021.1-6.7.1 python3-pyudev-0.21.0-3.22 python3-pyzmq-17.1.2-3.3.1 python3-requests-2.24.0-6.10.2 python3-rpm-4.14.1-10.19.18 python3-rtslib-fb-2.1.69-5.24 python3-salt-3002.2-51.1 python3-setuptools-40.5.0-6.3.1 python3-six-1.14.0-7.3.1 python3-slip-0.6.5-4.21 python3-slip-dbus-0.6.5-4.21 python3-solv-0.7.20-4.3.1 python3-talloc-2.1.14-5.22 python3-targetcli-fb-2.1.49-10.9.1 python3-urllib3-1.25.10-9.14.1 python3-urwid-2.0.1-1.15 python3-zypp-plugin-0.6.3-2.18 quota-4.05-3.9.1 release-notes-ha-15.1.20200207-8.5.1 release-notes-sles-for-sap-15.1.20211213-6.3.1 resource-agents-4.3.0184.6ee15eb2-4.57.1 rpcbind-0.2.3-5.9.2 rpm-4.14.1-10.19.8 rsync-3.1.3-4.10.1 rsyslog-8.33.1-3.34.2 ruby-2.5-1.21 ruby-common-2.1-3.15 ruby2.5-2.5.9-4.20.1 ruby2.5-rubygem-abstract_method-1.2.1-1.28 ruby2.5-rubygem-actioncable-5_1-5.1.4-1.26 ruby2.5-rubygem-actionmailer-5_1-5.1.4-1.26 ruby2.5-rubygem-actionpack-5_1-5.1.4-3.9.1 ruby2.5-rubygem-actionview-5_1-5.1.4-3.3.1 ruby2.5-rubygem-activejob-5_1-5.1.4-3.3.1 ruby2.5-rubygem-activemodel-5_1-5.1.4-1.26 ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 ruby2.5-rubygem-activesupport-5_1-5.1.4-3.3.1 ruby2.5-rubygem-arel-8.0.0-1.26 ruby2.5-rubygem-axiom-types-0.1.1-1.28 ruby2.5-rubygem-builder-3.2.3-1.29 ruby2.5-rubygem-bundler-1.16.1-3.3.1 ruby2.5-rubygem-cfa-0.7.0-4.2 ruby2.5-rubygem-cfa_grub2-1.0.1-4.2 ruby2.5-rubygem-cheetah-0.5.0-1.28 ruby2.5-rubygem-coercible-1.0.0-1.28 ruby2.5-rubygem-concurrent-ruby-1.0.5-1.28 ruby2.5-rubygem-crass-1.0.3-1.19 ruby2.5-rubygem-descendants_tracker-0.0.4-1.28 ruby2.5-rubygem-equalizer-0.0.11-1.28 ruby2.5-rubygem-erubi-1.7.0-1.19 ruby2.5-rubygem-fast_gettext-1.6.0-1.18 ruby2.5-rubygem-ffi-1.9.18-1.31 ruby2.5-rubygem-gem2rpm-0.10.1-3.45 ruby2.5-rubygem-gettext-3.2.5-1.17 ruby2.5-rubygem-gettext_i18n_rails-1.8.0-1.28 ruby2.5-rubygem-gettext_i18n_rails_js-1.3.0-1.28 ruby2.5-rubygem-globalid-0.4.1-1.24 ruby2.5-rubygem-i18n-0.9.1-1.21 ruby2.5-rubygem-ice_nine-0.11.2-1.29 ruby2.5-rubygem-js-routes-1.4.1-1.26 ruby2.5-rubygem-kramdown-1.15.0-1.28 ruby2.5-rubygem-locale-2.1.2-1.28 ruby2.5-rubygem-loofah-2.2.2-4.3.1 ruby2.5-rubygem-mail-2.7.1-3.3.1 ruby2.5-rubygem-method_source-0.9.0-1.26 ruby2.5-rubygem-mini_mime-1.0.0-1.17 ruby2.5-rubygem-mini_portile2-2.3.0-1.27 ruby2.5-rubygem-nio4r-2.1.0-1.28 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 ruby2.5-rubygem-po_to_json-1.0.1-1.28 ruby2.5-rubygem-puma-4.3.5-3.3.1 ruby2.5-rubygem-rack-2.0.8-3.3.1 ruby2.5-rubygem-rack-test-0_6-0.6.3-1.28 ruby2.5-rubygem-rails-5_1-5.1.4-1.26 ruby2.5-rubygem-rails-dom-testing-2.0.3-1.28 ruby2.5-rubygem-rails-html-sanitizer-1.0.4-2.11 ruby2.5-rubygem-railties-5_1-5.1.4-3.3.1 ruby2.5-rubygem-rb-fsevent-0.10.2-1.26 ruby2.5-rubygem-rb-inotify-0.9.10-1.26 ruby2.5-rubygem-ruby-augeas-0.5.0-1.31 ruby2.5-rubygem-ruby-dbus-0.14.0-1.27 ruby2.5-rubygem-sass-3.5.3-1.19 ruby2.5-rubygem-sass-listen-4.0.0-1.26 ruby2.5-rubygem-sass-rails-5.0.7-1.21 ruby2.5-rubygem-simpleidn-0.0.9-1.17 ruby2.5-rubygem-sprockets-3.7.2-3.3.1 ruby2.5-rubygem-sprockets-rails-3.2.1-1.26 ruby2.5-rubygem-text-1.3.1-1.28 ruby2.5-rubygem-thor-0.20.0-1.27 ruby2.5-rubygem-thread_safe-0.3.6-1.28 ruby2.5-rubygem-tilt-2.0.8-1.27 ruby2.5-rubygem-tzinfo-1.2.4-1.23 ruby2.5-rubygem-virtus-1.0.5-1.28 ruby2.5-rubygem-websocket-driver-0_6-0.6.5-1.25 ruby2.5-rubygem-websocket-extensions-0.1.3-1.18 ruby2.5-stdlib-2.5.9-4.20.1 salt-3002.2-51.1 salt-minion-3002.2-51.1 samba-libs-4.9.5+git.477.8163dd03413-3.61.1 samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 sapconf-5.0.3-7.18.1 sbd-1.5.0+20210720.f4ca41f-3.18.1 scout-0.2.2+20190613.e6c2668-6.3.2 screen-4.6.2-5.3.1 sed-4.4-4.3.1 setxkbmap-1.3.1-1.24 sg3_utils-1.44~763+19.1ed0757-9.3.1 shadow-4.6-3.5.6 shared-mime-info-1.9-2.37 sharutils-4.15.2-2.21 shim-15.4-3.32.1 snmp-mibs-5.7.3-10.9.1 sqlite3-3.36.0-3.12.1 strace-4.2-2.2 sudo-1.8.27-4.21.4 supportutils-3.1.17-5.34.1 supportutils-plugin-ha-sap-0.0.2+git.1623772960.fed5aa7-1.6.1 supportutils-plugin-suse-public-cloud-1.0.5-3.6.1 suse-build-key-12.0-8.16.1 suse-module-tools-15.1.24-3.22.1 sysconfig-0.85.6-3.6.1 sysconfig-netconfig-0.85.6-3.6.1 sysfsutils-2.1.0-3.3.1 syslog-service-2.0-2.23 sysstat-12.0.2-3.30.1 system-group-hardware-20170617-4.155 system-role-sles4sap-15.1.1-5.2 system-user-lp-20170617-4.155 system-user-man-20170617-4.155 system-user-nobody-20170617-4.155 system-user-root-20190513-3.3.1 system-user-uuidd-20170617-4.155 systemd-234-24.102.1 systemd-presets-branding-SLE-15.1-20.8.1 systemd-presets-common-SUSE-15-8.9.1 systemd-sysvinit-234-24.102.1 sysuser-shadow-2.0-4.2.8 sysvinit-tools-2.88+-1.26 tar-1.3-3.9.1 targetcli-fb-common-2.1.49-10.9.1 tcl-8.6.7-7.6.1 tcpd-7.6-1.433 tcpdump-4.9.2-3.15.1 tcsh-6.20.00-4.15.1 tdb-tools-1.3.16-4.23 telnet-1.2-3.3.1 terminfo-6.1-5.9.1 terminfo-base-6.1-5.9.1 thin-provisioning-tools-0.7.5-3.3.1 timezone-2021e-75.4.1 tuned-2.10.0-11.6.1 typelib-1_0-NM-1_0-1.10.6-5.12.1 udev-234-24.102.1 unzip-6.0-4.8.13 update-alternatives-1.19.0.4-2.48 util-linux-2.33.2-4.16.1 util-linux-systemd-2.33.2-4.16.1 uuidd-2.33.2-4.16.1 vim-8.0.1568-5.14.1 vim-data-common-8.0.1568-5.14.1 virt-what-1.21-3.3.1 wallpaper-branding-SLE-15-12.48 wget-1.20.3-3.12.1 which-2.21-2.2 wicked-0.6.64-3.19.9 wicked-service-0.6.64-3.19.9 xauth-1.0.10-1.24 xbitmaps-1.1.1-1.2 xdg-menu-0.2-1.23 xdg-utils-20170508-3.2 xfsprogs-4.15.0-4.52.1 xinit-1.4.0-6.17 xkbcomp-1.4.1-1.9 xkeyboard-config-2.23.1-3.9.1 xmodmap-1.0.9-1.24 xorg-x11-Xvnc-1.9.0-19.12.1 xorg-x11-fonts-core-7.6-3.9 xrdb-1.1.0-3.4.1 xsetroot-1.1.1-1.24 xtables-plugins-1.6.2-1.12 xterm-bin-330-4.3.1 xz-5.2.3-4.3.1 yast2-4.1.81-3.28.1 yast2-add-on-4.1.15-3.13.1 yast2-audit-laf-4.1.1-4.56 yast2-bootloader-4.1.26-3.5.1 yast2-cluster-4.1.7-3.9.1 yast2-control-center-4.1.7-1.19 yast2-control-center-qt-4.1.7-1.19 yast2-core-4.1.0-5.18 yast2-country-4.1.14-3.6.1 yast2-country-data-4.1.14-3.6.1 yast2-dhcp-server-4.1.5-10.84 yast2-dns-server-4.1.4-9.3.2 yast2-drbd-4.1.0-5.56 yast2-firewall-4.1.12-1.2 yast2-ftp-server-4.1.9-9.8.1 yast2-hardware-detection-4.1.0-1.14 yast2-http-server-4.1.5-3.3.3 yast2-installation-4.1.55-3.27.1 yast2-iplb-4.1.0-5.56 yast2-iscsi-client-4.1.10-3.7.6 yast2-iscsi-lio-server-4.1.7-3.3.1 yast2-journal-4.1.5-6.56 yast2-kdump-4.1.1-6.82 yast2-ldap-4.1.0-1.28 yast2-logs-4.1.81-3.28.1 yast2-mail-4.1.2-7.3.1 yast2-network-4.1.53-3.12.7 yast2-nfs-client-4.1.8-3.7.7 yast2-nfs-common-4.1.1-3.3.1 yast2-nfs-server-4.1.1-3.3.1 yast2-nis-client-4.1.1-1.22 yast2-nis-server-4.1.1-5.84 yast2-ntp-client-4.1.12-3.10.7 yast2-online-update-4.1.0-1.44 yast2-online-update-frontend-4.1.0-1.44 yast2-packager-4.1.52-3.23.1 yast2-pam-4.1.0-1.13 yast2-perl-bindings-4.1.0-1.18 yast2-pkg-bindings-4.1.3-3.10.3 yast2-printer-4.1.1-1.12 yast2-proxy-4.1.1-7.3.1 yast2-python3-bindings-4.1.0-1.16 yast2-registration-4.1.26-3.12.1 yast2-ruby-bindings-4.1.4-1.15 yast2-samba-client-4.1.3-3.3.1 yast2-samba-server-4.1.5-10.5.3 yast2-sap-ha-1.0.8-3.6.1 yast2-sap-scp-1.0.4-1.62 yast2-sap-scp-prodlist-1.0.4-1.49 yast2-saptune-1.4-3.6.1 yast2-schema-4.1.8-3.6.1 yast2-security-4.1.4-8.5.4 yast2-services-manager-4.1.15-3.3.1 yast2-slp-4.1.0-1.28 yast2-squid-4.1.4-7.57 yast2-storage-ng-4.1.98-3.36.1 yast2-sudo-4.1.1-3.3.1 yast2-support-4.1.1-9.3.1 yast2-sysconfig-4.1.2-6.56 yast2-tftp-server-4.1.7-1.4 yast2-trans-en_US-84.87.20190418.408a34e118-1.3 yast2-trans-stats-2.19.0-1.28 yast2-transfer-4.1.0-1.28 yast2-tune-4.1.0-1.28 yast2-update-4.1.13-3.12.5 yast2-users-4.1.14-3.6.1 yast2-xml-4.1.1-3.3.1 yast2-ycp-ui-bindings-4.1.0-4.25 yp-tools-4.2.2-3.16 zip-3.0-2.22 zsh-5.6-5.17 zypper-1.14.50-3.46.1 zypper-migration-plugin-0.12.1590748670.86b0749-6.9.1 SAPHanaSR-0.154.1-4.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 SAPHanaSR-doc-0.154.1-4.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 SLES_SAP-release-15.1-66.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 SUSEConnect-0.3.32-7.25.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 aaa_base-84.87+git20180409.04c9dae-3.52.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 aaa_base-extras-84.87+git20180409.04c9dae-3.52.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 alsa-1.1.5-6.9.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 alsa-utils-1.1.5-4.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 apparmor-parser-2.12.3-7.25.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 at-3.1.20-2.38 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 at-spi2-core-2.26.3-5.3.5 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 attr-2.4.47-2.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 audit-2.8.1-5.5.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 augeas-1.10.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 augeas-lenses-1.10.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 autofs-5.1.3-7.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 autoyast2-installation-4.1.21-3.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 bash-4.4-9.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 bc-1.07.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 bind-utils-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 bing-1.0.5-3.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 binutils-2.37-7.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 blktrace-1.1.0+git.20170126-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 blog-2.18-4.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 bonnie-1.5-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 boost-license1_66_0-1.66.0-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ca-certificates-2+git20170807.10b2785-7.3.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ca-certificates-mozilla-2.44-4.32.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 catatonit-0.1.5-3.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 chrony-3.2-9.24.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 chrony-pool-suse-3.2-9.24.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cifs-utils-6.9-5.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cloud-netconfig-gce-1.6-25.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cluster-glue-1.0.12+v1.git.1587474580.a5fda2bc-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cluster-md-kmp-default-4.12.14-197.102.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 command-not-found-0.2.2+20190613.e6c2668-6.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 conntrack-tools-1.4.4-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 containerd-1.4.11-56.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 coreutils-8.29-2.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 corosync-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cpio-2.12-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cpp-7-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cpp7-7.5.0+r278197-4.30.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cpupower-4.19-6.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cracklib-2.9.6-2.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cracklib-dict-small-2.9.6-2.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 crash-7.2.1-9.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 crmsh-4.3.1+20211119.97feb471-3.84.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 crmsh-scripts-4.3.1+20211119.97feb471-3.84.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cron-4.2-70.14.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cronie-1.5.1-70.14.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 csync2-2.0+git.1461714863.10636a4-4.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ctdb-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cups-config-2.2.7-3.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 curl-7.60.0-28.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cyrus-sasl-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cyrus-sasl-digestmd5-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cyrus-sasl-gssapi-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cyrus-sasl-plain-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 cyrus-sasl-saslauthd-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dbus-1-1.12.2-8.11.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dejavu-fonts-2.37-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 deltarpm-3.6.1-3.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 desktop-data-SLE-15-2.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 device-mapper-1.02.149-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dhcp-4.3.6.P1-6.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dhcp-client-4.3.6.P1-6.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dialog-1.3-3.3.7 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 diffutils-3.6-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dlm-kmp-default-4.12.14-197.102.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dmidecode-3.2-9.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dmz-icon-theme-cursors-11.3.0-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 docker-20.10.9_ce-156.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dos2unix-7.4.0-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dosfstools-4.1-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 dracut-44.2-18.70.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 drbd-9.0.16+git.ab9777df-8.25.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 drbd-kmp-default-9.0.16+git.ab9777df_k4.12.14_197.102-8.25.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 drbd-utils-9.6.0-6.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 e2fsprogs-1.43.8-4.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ebtables-2.0.10.4-5.6.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 efibootmgr-14-4.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 elfutils-0.168-4.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ethtool-4.13-5.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 expat-2.2.5-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 expect-5.45.4-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fdupes-1.61-1.452 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fence-agents-4.9.0+git.1624456340.8d746be9-7.29.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 file-5.32-7.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 file-magic-5.32-7.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 filesystem-15.0-11.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fillup-1.42-2.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 findutils-4.6.0-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 firewall-macros-0.5.5-4.24.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 firewalld-0.5.5-4.24.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fontconfig-2.12.6-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fonts-config-20200609+git0.42e2b1b-4.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 fping-4.0-4.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gamin-server-0.1.10-1.41 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gawk-4.2.1-1.41 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gdk-pixbuf-query-loaders-2.36.11-3.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gettext-runtime-0.19.8.1-4.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gfs2-kmp-default-4.12.14-197.102.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gio-branding-SLE-15-4.3.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 girepository-1_0-1.54.1-2.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 glib2-tools-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 glibc-2.26-13.62.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 glibc-i18ndata-2.26-13.62.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 glibc-locale-2.26-13.62.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 glibc-locale-base-2.26-13.62.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gnutls-3.6.7-6.40.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 google-guest-agent-20210414.0-1.20.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 google-guest-configs-20210317.0-1.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 google-guest-oslogin-20210728.0-1.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 google-opensans-fonts-1.0-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 google-osconfig-agent-20210506.0-1.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gpg2-2.2.5-4.19.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gptfdisk-1.0.1-2.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 graphviz-2.40.1-6.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 graphviz-gd-2.40.1-6.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 graphviz-plugins-core-2.40.1-6.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 grep-3.1-4.3.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 groff-1.22.3-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 growpart-0.31-5.9.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 growpart-rootgrow-1.0.5-1.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 grub2-2.02-123.7.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 grub2-i386-pc-2.02-123.7.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 grub2-x86_64-efi-2.02-123.7.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gtk2-tools-2.24.32-2.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 gzip-1.1-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ha-cluster-bootstrap-0.5-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hardlink-1.0+git.e66999f-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 haveged-1.9.2-6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hawk-apiserver-0.0.4+git.1604696958.cd5cdf1-5.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hawk2-2.6.4+git.1618478653.7272e6b6-3.30.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hdparm-9.52-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hicolor-icon-theme-0.17-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hostname-3.16-2.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 hwinfo-21.7-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 icewm-1.4.2-7.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 icewm-lite-1.4.2-7.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 icewm-theme-branding-1.2.4-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 info-6.5-4.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 initviocons-0.5-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 insserv-compat-0.1-4.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ipmitool-1.8.18-7.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 iproute2-4.12-10.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ipset-6.36-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 iptables-1.6.2-1.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 iputils-s20161105-8.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ipvsadm-1.29-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 irqbalance-1.4.0-7.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 iscsiuio-0.7.8.2-13.42.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 javapackages-tools-5.0.0+git20180104.9367c8f6-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kbd-2.0.4-8.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kbd-legacy-2.0.4-8.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kdump-0.9.0-4.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kernel-default-4.12.14-197.102.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kexec-tools-2.0.16-7.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 keyutils-1.6.3-5.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kmod-25-6.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 kmod-compat-25-6.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 krb5-1.16.3-3.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 krb5-client-1.16.3-3.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ldirectord-4.3.0184.6ee15eb2-4.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 less-530-3.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libHX28-3.22-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libICE6-1.0.9-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5Core5-5.9.7-13.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5DBus5-5.9.7-13.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5Gui5-5.9.7-13.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5Network5-5.9.7-13.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5Widgets5-5.9.7-13.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libQt5X11Extras5-5.9.7-4.39 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libSM6-1.2.2-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libX11-6-1.6.5-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libX11-data-1.6.5-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libX11-xcb1-1.6.5-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXau6-1.0.8-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXaw7-1.0.13-3.3.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXcomposite1-0.4.4-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXcursor1-1.1.15-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXdamage1-1.1.4-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXdmcp6-1.1.2-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXext6-1.3.3-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXfixes3-5.0.3-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXfont2-2-2.0.3-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXft2-2.3.2-1.33 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXi6-1.7.9-3.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXinerama1-1.1.3-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXmu6-1.1.2-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXmuu1-1.1.2-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXpm4-3.5.12-1.33 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXrandr2-1.5.1-2.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXrender1-0.9.10-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXt6-1.1.5-2.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXtst6-1.2.3-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libXvnc1-1.9.0-19.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libacl1-2.2.52-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libaio1-0.3.109-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libapparmor1-2.12.3-7.25.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libargon2-1-0.0+git20171227.670229c-2.14 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libasm1-0.168-4.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libasound2-1.1.5-6.9.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libassuan0-2.5.1-2.14 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libatk-1_0-0-2.26.1-2.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libatspi0-2.26.3-5.3.5 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libattr1-2.4.47-2.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libaudit1-2.8.1-5.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libaugeas0-1.10.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libauparse0-2.8.1-5.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libavahi-client3-0.7-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libavahi-common3-0.7-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libbind9-1600-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libblkid1-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libboost_regex1_66_0-1.66.0-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libboost_system1_66_0-1.66.0-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libboost_thread1_66_0-1.66.0-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libbsd0-0.8.7-3.3.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libbz2-1-1.0.6-5.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcairo2-1.16.0-4.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcap-ng0-0.7.9-4.37 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcap2-2.26-4.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcares2-1.17.1+20200724-3.17.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcfg6-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcmap4-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcom_err2-1.43.8-4.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcorosync_common4-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcpg4-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcpupower0-4.19-6.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcrack2-2.9.6-2.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcroco-0_6-3-0.6.12-4.3.51 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcryptsetup12-2.0.6-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libctf-nobfd0-2.37-7.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libctf0-2.37-7.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcups2-2.2.7-3.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libcurl4-7.60.0-28.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdatrie1-0.2.9-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdb-4_8-4.8.30-7.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdbus-1-3-1.12.2-8.11.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdevmapper-event1_03-1.02.149-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdevmapper1_03-1.02.149-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdialog14-1.3-3.3.7 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdlm-4.0.9-6.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdlm3-4.0.9-6.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdns1605-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdouble-conversion1-2.0.1-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdrm2-2.4.97-3.3.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libdw1-0.168-4.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libebl-plugins-0.168-4.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libedit0-3.1.snap20150325-2.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libefivar1-37-6.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libelf1-0.168-4.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libesmtp-1.0.6-150.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libestr0-0.1.10-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libevdev2-1.4.5-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libevent-2_1-8-2.1.8-2.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libexpat1-2.2.5-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libext2fs2-1.43.8-4.26.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfam0-gamin-0.1.10-3.2.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfastjson4-0.99.8-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfdisk1-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libffi7-3.2.1.git259-3.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfl2-2.6.4-3.157 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfontenc1-1.1.3-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfreebl3-3.68.2-3.64.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfreetype6-2.10.1-4.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libfuse2-2.9.7-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgcc_s1-11.2.1+git610-1.3.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgcrypt20-1.8.2-8.42.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgd3-2.2.5-4.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgdbm4-1.12-1.418 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgdk_pixbuf-2_0-0-2.36.11-3.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgio-2_0-0-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgirepository-1_0-1-1.54.1-2.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libglib-2_0-0-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libglue2-1.0.12+v1.git.1587474580.a5fda2bc-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libglvnd-1.0.0-1.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgmodule-2_0-0-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgmp10-6.1.2-4.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgnutls30-3.6.7-6.40.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgobject-2_0-0-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgpg-error0-1.29-1.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgpgme11-1.10.0-4.3.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgraphite2-3-1.3.11-2.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgraphviz6-2.40.1-6.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgthread-2_0-0-2.54.3-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgtk-2_0-0-2.24.32-2.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libgudev-1_0-0-232-1.33 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libharfbuzz0-1.7.5-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libhavege1-1.9.2-6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libhogweed4-3.4.1-4.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libicu60_2-60.2-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libicu60_2-ledata-60.2-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libidn11-1.34-3.2.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libidn2-0-2.2.0-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libinput10-1.10.5-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libipset11-6.36-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libiptc0-1.6.2-1.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libirs1601-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libisc1606-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libisccc1600-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libisccfg1600-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libisl15-0.18-1.443 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjansson4-2.9-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjbig2-2.1-3.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjemalloc2-5.0.1-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjpeg62-62.2.0-32.0.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjpeg8-8.1.2-32.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libjson-c3-0.13-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libkeyutils1-1.6.3-5.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libkmod2-25-6.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libksba8-1.3.5-2.14 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libldap-2_4-2-2.4.46-9.58.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libldap-data-2.4.46-9.58.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libldapcpp1-0.3.1-1.33 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libldb1-1.4.6-3.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblmdb-0_9_17-0.9.17-4.6.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblockdev1-1.0.3_git201003141408-1.97 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblogging0-1.0.6-3.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblognorm5-2.0.4-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libltdl7-2.4.6-3.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblua5_3-5-5.3.6-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblvm2app2_2-2.02.180-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblvm2cmd2_02-2.02.180-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblz4-1-1.8.0-3.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblzma5-5.2.3-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 liblzo2-2-2.1-2.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmagic1-5.32-7.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmetalink3-0.1.3-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmnl0-1.0.4-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmodman1-2.0.1-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmount1-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmozjs-52-52.6.0-3.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmpc3-1.1.0-1.47 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmpfr6-4.0.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libmtdev1-1.1.5-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libncurses6-6.1-5.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libndr0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnetfilter_conntrack3-1.0.6-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnetfilter_cthelper0-1.0.0-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnetfilter_cttimeout1-1.0.0-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnetfilter_queue1-1.0.3-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnettle6-3.4.1-4.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnfnetlink0-1.0.1-2.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnghttp2-14-1.40.0-3.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnl-config-3.3.0-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnl3-200-3.3.0-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnm0-1.10.6-5.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnpth0-1.5-2.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libns1604-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnscd1-2.0.2-3.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnsl2-1.2.0-2.44 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libnuma1-2.0.14-4.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libopeniscsiusr0_2_0-2.0.876-13.42.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libopenssl1_1-1.1.0i-14.24.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libopts25-5.18.12-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libp11-kit0-0.23.2-4.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpacemaker3-2.0.1+20190417.13d370ca9-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpango-1_0-0-1.40.14-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libparted0-3.2-11.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpcap1-1.8.1-4.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpci3-3.5.6-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpcre1-8.45-20.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpcre2-8-0-10.31-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpgm-5_2-0-5.2.122-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpipeline1-1.4.1-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpixman-1-0-0.34.0-7.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpng12-0-1.2.57-2.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpng16-16-1.6.34-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpolkit0-0.114-3.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpopt0-1.16-3.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libprocps7-3.3.15-7.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libproxy1-0.4.15-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpsl5-0.20.1-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libpython3_6m1_0-3.6.15-3.91.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libqb20-1.0.3+20190326.a521604-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libqrencode4-4.0.0-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libquorum5-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libreadline7-7.0-9.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 librsync2-1.0.0-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libruby2_5-2_5-2.5.9-4.20.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsam4-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsamplerate0-0.1.9-3.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsasl2-3-2.1.26-5.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libseccomp2-2.4.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libselinux1-2.8-8.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsemanage1-2.8-4.35 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsensors4-3.5.0-4.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsepol1-2.8-4.37 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsgutils2-1_43-2-1.44~763+19.1ed0757-9.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsigc-2_0-0-2.10.0-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsmartcols1-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsmi-0.4.8-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsmi2-0.4.8-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsnappy1-1.1.8-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsnmp30-5.7.3-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsodium23-1.0.16-4.3.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsoftokn3-3.68.2-3.64.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsolv-tools-0.7.20-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsqlite3-0-3.36.0-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libssh2-1-1.9.0-4.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libssh4-0.8.7-10.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libstdc++6-11.2.1+git610-1.3.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libstorage-ng-ruby-4.1.111-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libstorage-ng1-4.1.111-4.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libsystemd0-234-24.102.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtalloc2-2.1.14-5.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtasn1-4.13-4.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtasn1-6-4.13-4.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtdb1-1.3.16-4.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtevent0-0.9.37-6.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libthai-data-0.1.27-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libthai0-0.1.27-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtiff5-4.0.9-45.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtirpc-netconfig-1.0.2-3.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtirpc3-1.0.2-3.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libtotem_pg5-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libts0-1.13-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libudev1-234-24.102.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libunistring2-0.9.9-1.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libunwind-1.5.0-4.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libusb-1_0-0-1.0.21-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libutempter0-1.1.6-3.42 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libuuid1-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libuv1-1.18.0-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libverto1-0.2.6-3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libvirt-client-5.1.0-17.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libvirt-libs-5.1.0-17.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libvotequorum8-2.4.5-9.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libwacom-data-0.23-1.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libwacom2-0.23-1.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libwebp6-0.5.0-3.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libwrap0-7.6-1.433 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libx86emu2-2.2-1.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-glx0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-icccm4-0.4.1-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-image0-0.4.0-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-keysyms1-0.4.0-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-randr0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-render-util0-0.3.9-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-render0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-shape0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-shm0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-sync1-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-util1-0.4.0-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-xfixes0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-xinerama0-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb-xkb1-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxcb1-1.13-3.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxkbcommon-x11-0-0.8.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxkbcommon0-0.8.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxkbfile1-1.0.9-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxml2-2-2.9.7-3.37.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxslt1-1.1.32-3.8.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libxtables12-1.6.2-1.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyajl2-2.1.0-2.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyaml-0-2-0.1.7-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyaml-cpp0_6-0.6.1-4.2.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyui-ncurses-pkg9-2.48.9-7.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyui-ncurses9-2.50.4-5.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyui-qt9-2.49.16-1.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libyui9-3.4.2-4.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libz1-1.2.11-3.24.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libzio1-1.06-2.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libzmq5-4.2.3-3.15.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libzstd1-1.4.4-1.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 libzypp-17.29.0-3.64.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lockdev-1.0.3_git201003141408-1.97 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 logrotate-3.13.0-4.3.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lsb-release-3.0-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lsof-4.91-1.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lsscsi-0.28-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lvm2-2.02.180-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 lvm2-lockd-2.02.180-12.40.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mailx-12.5-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 makedumpfile-1.6.3-10.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 man-2.7.6-6.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 man-pages-4.16-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mksh-56c-1.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mlocate-0.26-5.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mozilla-nspr-4.32-3.20.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mozilla-nss-3.68.2-3.64.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mozilla-nss-certs-3.68.2-3.64.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 mozilla-nss-tools-3.68.2-3.64.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ncurses-utils-6.1-5.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 net-snmp-5.7.3-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 net-tools-2.0+git20170221.479bb4a-3.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 netcat-openbsd-1.178-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 netcfg-11.6-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 nfs-client-2.1.1-10.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 nfs-kernel-server-2.1.1-10.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 nfsidmap-0.26-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 nscd-2.26-13.62.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ocfs2-kmp-default-4.12.14-197.102.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ocfs2-tools-1.8.5-12.11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 open-iscsi-2.0.876-13.42.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 openldap2-client-2.4.46-9.58.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 openslp-2.0.0-6.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 openssh-7.9p1-6.28.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 openssl-1.1.0i-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 openssl-1_1-1.1.0i-14.24.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 p11-kit-0.23.2-4.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 p11-kit-tools-0.23.2-4.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pacemaker-2.0.1+20190417.13d370ca9-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pacemaker-cli-2.0.1+20190417.13d370ca9-3.21.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pam-1.3.0-6.50.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pam-config-0.96-5.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pam-modules-12.1-3.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 parted-3.2-11.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patch-2.7.6-3.5 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patterns-base-base-20171206-35.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patterns-base-basesystem-20171206-35.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patterns-base-minimal_base-20171206-35.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patterns-ha-ha_sles-15.1.0-11.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 patterns-server-enterprise-sap_server-20171206-12.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pciutils-3.5.6-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pciutils-ids-20200324-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-5.26.1-7.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Bootloader-0.924-8.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-CPAN-Changes-0.400002-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Crypt-SmbHash-0.12-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Devel-Symdump-2.18-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Digest-MD4-1.9-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Digest-SHA1-2.13-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Encode-Locale-1.05-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-File-Listing-6.04-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTML-Parser-3.72-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTML-Tagset-3.2-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTTP-Cookies-6.04-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTTP-Daemon-6.01-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTTP-Date-6.02-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTTP-Message-6.14-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-HTTP-Negotiate-6.01-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-IO-HTML-1.001-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-IO-Socket-INET6-2.72-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-LWP-MediaTypes-6.02-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-MailTools-2.19-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Net-DBus-1.1.0-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Net-HTTP-6.17-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Net-SSLeay-1.81-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Net-Telnet-3.04-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Parse-RecDescent-1.967015-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Pod-Coverage-0.23-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-SNMP-5.7.3-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Socket6-0.28-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Term-ReadKey-2.37-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Test-Pod-1.51-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Test-Pod-Coverage-1.1-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-TimeDate-2.3-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-Try-Tiny-0.3-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-URI-1.73-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-WWW-RobotRules-6.02-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-X11-Protocol-0.56-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-X500-DN-0.29-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-LibXML-2.0132-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-NamespaceSupport-1.12-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-Parser-2.44-1.443 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-SAX-0.99-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-SAX-Base-1.09-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-SAX-Expat-0.51-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-Simple-2.24-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-XML-Twig-3.52-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-base-5.26.1-7.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-gettext-1.07-1.442 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 perl-libwww-perl-6.31-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 permissions-20181116-9.38.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pigz-2.3.3-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pinentry-1.1.0-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 pkg-config-0.29.2-1.436 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 polkit-0.114-3.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 polkit-default-privs-13.2-18.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 procmail-3.22-2.34 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 procps-3.3.15-7.19.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 psmisc-23.0-6.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-3.6.15-3.91.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-Babel-2.5.1-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-Jinja2-2.10.1-3.10.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-M2Crypto-0.35.2-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-MarkupSafe-1.0-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-PyYAML-5.3.1-6.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-appdirs-1.4.3-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-base-3.6.15-3.91.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-bind-9.16.6-12.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-certifi-2018.1.18-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-chardet-3.0.4-3.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-configobj-5.0.6-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-configshell-fb-1.1.fb23-2.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-cssselect-1.0.3-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-curses-3.6.15-3.91.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-dbus-python-1.2.16-6.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-decorator-4.2.1-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-firewall-0.5.5-4.24.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-gcemetadata-1.0.4-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-gobject-3.26.1-1.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-idna-2.6-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-linux-procfs-0.6-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-lxml-4.0.0-2.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-msgpack-0.5.6-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-packaging-16.8-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-parallax-1.0.6-3.3.14 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pexpect-4.8.0-5.3.5 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-ply-3.1-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-psutil-5.4.8-4.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-ptyprocess-0.5.2-1.54 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-py-1.8.1-5.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pycurl-7.43.0.2-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pyparsing-2.2.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-python-dateutil-2.7.3-4.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pytz-2021.1-6.7.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pyudev-0.21.0-3.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-pyzmq-17.1.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-requests-2.24.0-6.10.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-rpm-4.14.1-10.19.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-rtslib-fb-2.1.69-5.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-salt-3002.2-51.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-setuptools-40.5.0-6.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-six-1.14.0-7.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-slip-0.6.5-4.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-slip-dbus-0.6.5-4.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-solv-0.7.20-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-talloc-2.1.14-5.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-targetcli-fb-2.1.49-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-urllib3-1.25.10-9.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-urwid-2.0.1-1.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 python3-zypp-plugin-0.6.3-2.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 quota-4.05-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 release-notes-ha-15.1.20200207-8.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 release-notes-sles-for-sap-15.1.20211213-6.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 resource-agents-4.3.0184.6ee15eb2-4.57.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 rpcbind-0.2.3-5.9.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 rpm-4.14.1-10.19.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 rsync-3.1.3-4.10.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 rsyslog-8.33.1-3.34.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby-2.5-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby-common-2.1-3.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-2.5.9-4.20.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-abstract_method-1.2.1-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-actioncable-5_1-5.1.4-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-actionmailer-5_1-5.1.4-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-actionpack-5_1-5.1.4-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-actionview-5_1-5.1.4-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-activejob-5_1-5.1.4-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-activemodel-5_1-5.1.4-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-activesupport-5_1-5.1.4-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-arel-8.0.0-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-axiom-types-0.1.1-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-builder-3.2.3-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-bundler-1.16.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-cfa-0.7.0-4.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-cfa_grub2-1.0.1-4.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-cheetah-0.5.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-coercible-1.0.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-concurrent-ruby-1.0.5-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-crass-1.0.3-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-descendants_tracker-0.0.4-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-equalizer-0.0.11-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-erubi-1.7.0-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-fast_gettext-1.6.0-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-ffi-1.9.18-1.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-gem2rpm-0.10.1-3.45 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-gettext-3.2.5-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-gettext_i18n_rails-1.8.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-gettext_i18n_rails_js-1.3.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-globalid-0.4.1-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-i18n-0.9.1-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-ice_nine-0.11.2-1.29 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-js-routes-1.4.1-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-kramdown-1.15.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-locale-2.1.2-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-loofah-2.2.2-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-mail-2.7.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-method_source-0.9.0-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-mini_mime-1.0.0-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-mini_portile2-2.3.0-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-nio4r-2.1.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-po_to_json-1.0.1-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-puma-4.3.5-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rack-2.0.8-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rack-test-0_6-0.6.3-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rails-5_1-5.1.4-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rails-dom-testing-2.0.3-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rails-html-sanitizer-1.0.4-2.11 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-railties-5_1-5.1.4-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rb-fsevent-0.10.2-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-rb-inotify-0.9.10-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-ruby-augeas-0.5.0-1.31 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-ruby-dbus-0.14.0-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-sass-3.5.3-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-sass-listen-4.0.0-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-sass-rails-5.0.7-1.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-simpleidn-0.0.9-1.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-sprockets-3.7.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-sprockets-rails-3.2.1-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-text-1.3.1-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-thor-0.20.0-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-thread_safe-0.3.6-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-tilt-2.0.8-1.27 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-tzinfo-1.2.4-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-virtus-1.0.5-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-websocket-driver-0_6-0.6.5-1.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-rubygem-websocket-extensions-0.1.3-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 ruby2.5-stdlib-2.5.9-4.20.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 salt-3002.2-51.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 salt-minion-3002.2-51.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 samba-libs-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sapconf-5.0.3-7.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sbd-1.5.0+20210720.f4ca41f-3.18.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 scout-0.2.2+20190613.e6c2668-6.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 screen-4.6.2-5.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sed-4.4-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 setxkbmap-1.3.1-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sg3_utils-1.44~763+19.1ed0757-9.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 shadow-4.6-3.5.6 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 shared-mime-info-1.9-2.37 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sharutils-4.15.2-2.21 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 shim-15.4-3.32.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 snmp-mibs-5.7.3-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sqlite3-3.36.0-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 strace-4.2-2.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sudo-1.8.27-4.21.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 supportutils-3.1.17-5.34.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 supportutils-plugin-ha-sap-0.0.2+git.1623772960.fed5aa7-1.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 supportutils-plugin-suse-public-cloud-1.0.5-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 suse-build-key-12.0-8.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 suse-module-tools-15.1.24-3.22.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysconfig-0.85.6-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysconfig-netconfig-0.85.6-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysfsutils-2.1.0-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 syslog-service-2.0-2.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysstat-12.0.2-3.30.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-group-hardware-20170617-4.155 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-role-sles4sap-15.1.1-5.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-user-lp-20170617-4.155 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-user-man-20170617-4.155 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-user-nobody-20170617-4.155 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-user-root-20190513-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 system-user-uuidd-20170617-4.155 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 systemd-234-24.102.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 systemd-presets-branding-SLE-15.1-20.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 systemd-presets-common-SUSE-15-8.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 systemd-sysvinit-234-24.102.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysuser-shadow-2.0-4.2.8 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 sysvinit-tools-2.88+-1.26 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tar-1.3-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 targetcli-fb-common-2.1.49-10.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tcl-8.6.7-7.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tcpd-7.6-1.433 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tcpdump-4.9.2-3.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tcsh-6.20.00-4.15.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tdb-tools-1.3.16-4.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 telnet-1.2-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 terminfo-6.1-5.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 terminfo-base-6.1-5.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 thin-provisioning-tools-0.7.5-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 timezone-2021e-75.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 tuned-2.10.0-11.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 typelib-1_0-NM-1_0-1.10.6-5.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 udev-234-24.102.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 unzip-6.0-4.8.13 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 update-alternatives-1.19.0.4-2.48 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 util-linux-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 util-linux-systemd-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 uuidd-2.33.2-4.16.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 vim-8.0.1568-5.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 vim-data-common-8.0.1568-5.14.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 virt-what-1.21-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 wallpaper-branding-SLE-15-12.48 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 wget-1.20.3-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 which-2.21-2.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 wicked-0.6.64-3.19.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 wicked-service-0.6.64-3.19.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xauth-1.0.10-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xbitmaps-1.1.1-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xdg-menu-0.2-1.23 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xdg-utils-20170508-3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xfsprogs-4.15.0-4.52.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xinit-1.4.0-6.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xkbcomp-1.4.1-1.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xkeyboard-config-2.23.1-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xmodmap-1.0.9-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xorg-x11-Xvnc-1.9.0-19.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xorg-x11-fonts-core-7.6-3.9 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xrdb-1.1.0-3.4.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xsetroot-1.1.1-1.24 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xtables-plugins-1.6.2-1.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xterm-bin-330-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 xz-5.2.3-4.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-4.1.81-3.28.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-add-on-4.1.15-3.13.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-audit-laf-4.1.1-4.56 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-bootloader-4.1.26-3.5.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-cluster-4.1.7-3.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-control-center-4.1.7-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-control-center-qt-4.1.7-1.19 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-core-4.1.0-5.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-country-4.1.14-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-country-data-4.1.14-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-dhcp-server-4.1.5-10.84 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-dns-server-4.1.4-9.3.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-drbd-4.1.0-5.56 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-firewall-4.1.12-1.2 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-ftp-server-4.1.9-9.8.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-hardware-detection-4.1.0-1.14 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-http-server-4.1.5-3.3.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-installation-4.1.55-3.27.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-iplb-4.1.0-5.56 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-iscsi-client-4.1.10-3.7.6 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-iscsi-lio-server-4.1.7-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-journal-4.1.5-6.56 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-kdump-4.1.1-6.82 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-ldap-4.1.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-logs-4.1.81-3.28.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-mail-4.1.2-7.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-network-4.1.53-3.12.7 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-nfs-client-4.1.8-3.7.7 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-nfs-common-4.1.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-nfs-server-4.1.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-nis-client-4.1.1-1.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-nis-server-4.1.1-5.84 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-ntp-client-4.1.12-3.10.7 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-online-update-4.1.0-1.44 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-online-update-frontend-4.1.0-1.44 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-packager-4.1.52-3.23.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-pam-4.1.0-1.13 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-perl-bindings-4.1.0-1.18 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-pkg-bindings-4.1.3-3.10.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-printer-4.1.1-1.12 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-proxy-4.1.1-7.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-python3-bindings-4.1.0-1.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-registration-4.1.26-3.12.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-ruby-bindings-4.1.4-1.15 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-samba-client-4.1.3-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-samba-server-4.1.5-10.5.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-sap-ha-1.0.8-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-sap-scp-1.0.4-1.62 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-sap-scp-prodlist-1.0.4-1.49 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-saptune-1.4-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-schema-4.1.8-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-security-4.1.4-8.5.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-services-manager-4.1.15-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-slp-4.1.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-squid-4.1.4-7.57 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-storage-ng-4.1.98-3.36.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-sudo-4.1.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-support-4.1.1-9.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-sysconfig-4.1.2-6.56 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-tftp-server-4.1.7-1.4 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-trans-en_US-84.87.20190418.408a34e118-1.3 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-trans-stats-2.19.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-transfer-4.1.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-tune-4.1.0-1.28 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-update-4.1.13-3.12.5 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-users-4.1.14-3.6.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-xml-4.1.1-3.3.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yast2-ycp-ui-bindings-4.1.0-4.25 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 yp-tools-4.2.2-3.16 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 zip-3.0-2.22 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 zsh-5.6-5.17 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 zypper-1.14.50-3.46.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 zypper-migration-plugin-0.12.1590748670.86b0749-6.9.1 as a component of Public Cloud Image google/sles-15-sp1-sap-byos-v20220126 SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement. CVE-2015-3414 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement. CVE-2015-3415 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. CVE-2016-10228 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-i18ndata-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-base-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:nscd-2.26-13.62.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required. CVE-2016-2124 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ctdb-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used. CVE-2017-9271 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libzypp-17.29.0-3.64.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. CVE-2018-13405 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. CVE-2018-18065 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsnmp30-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:net-snmp-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:perl-SNMP-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:snmp-mibs-5.7.3-10.9.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). CVE-2018-20843 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16(). CVE-2018-25009 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter(). CVE-2018-25010 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16(). CVE-2018-25011 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24(). CVE-2018-25012 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes(). CVE-2018-25013 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol(). CVE-2018-25014 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. CVE-2018-3639 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. CVE-2018-9517 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. CVE-2019-11324 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-urllib3-1.25.10-9.14.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. CVE-2019-12749 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dbus-1-1.12.2-8.11.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdbus-1-3-1.12.2-8.11.2 important 3.6 AV:L/AC:L/Au:N/C:P/I:P/A:N In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. CVE-2019-14287 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sudo-1.8.27-4.21.4 moderate 9 AV:N/AC:L/Au:S/C:C/I:C/A:C An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_session in daemon.c neglects to force a failure of a hello command when the configuration requires use of SSL. CVE-2019-15522 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:csync2-2.0+git.1461714863.10636a4-4.9.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API. CVE-2019-15523 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:csync2-2.0+git.1461714863.10636a4-4.9.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." CVE-2019-16168 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c. CVE-2019-18634 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sudo-1.8.27-4.21.4 critical 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. CVE-2019-19244 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact. CVE-2019-19317 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 low 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. CVE-2019-19603 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. CVE-2019-19645 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns. CVE-2019-19646 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled. CVE-2019-19880 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). CVE-2019-19923 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. CVE-2019-19924 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. CVE-2019-19925 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880. CVE-2019-19926 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. CVE-2019-19959 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. CVE-2019-20218 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. CVE-2019-20838 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libpcre1-8.45-20.10.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. Kernel 3.10.x and 4.18.x branches are believed to be vulnerable. CVE-2019-3874 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 3.3 AV:A/AC:L/Au:N/C:N/I:N/A:P An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. CVE-2019-3900 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships. CVE-2019-6706 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:liblua5_3-5-5.3.6-3.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9740 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-urllib3-1.25.10-9.14.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-152735806 CVE-2020-0429 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-151939299 CVE-2020-0433 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. CVE-2020-11080 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnghttp2-14-1.40.0-3.11.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. CVE-2020-12049 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dbus-1-1.12.2-8.11.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdbus-1-3-1.12.2-8.11.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. CVE-2020-12401 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfreebl3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsoftokn3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-certs-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-tools-3.68.2-3.64.2 critical 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. CVE-2020-12403 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfreebl3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsoftokn3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-certs-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-tools-3.68.2-3.64.2 critical 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. CVE-2020-12762 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libjson-c3-0.13-3.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. CVE-2020-12770 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. CVE-2020-13434 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. CVE-2020-13435 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. CVE-2020-13630 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. CVE-2020-13631 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. CVE-2020-13632 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in Contiki through 3.0. An Integer Overflow exists in the uIP TCP/IP Stack component when parsing TCP MSS options of IPv4 network packets in uip_process in net/ipv4/uip.c. CVE-2020-13988 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:iscsiuio-0.7.8.2-13.42.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libopeniscsiusr0_2_0-2.0.876-13.42.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:open-iscsi-2.0.876-13.42.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. CVE-2020-14155 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libpcre1-8.45-20.10.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. CVE-2020-14343 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-PyYAML-5.3.1-6.10.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. CVE-2020-15358 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. CVE-2020-15862 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsnmp30-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:net-snmp-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:perl-SNMP-5.7.3-10.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:snmp-mibs-5.7.3-10.9.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A double free vulnerability exists in the Binary File Descriptor (BFD) (aka libbrd) in GNU Binutils 2.35 in the process_symbol_table, as demonstrated in readelf, via a crafted file. CVE-2020-16590 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A Denial of Service vulnerability exists in the Binary File Descriptor (BFD) in GNU Binutils 2.35 due to an invalid read in process_symbol_table, as demonstrated in readeif. CVE-2020-16591 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A use after free issue exists in the Binary File Descriptor (BFD) library (aka libbfd) in GNU Binutils 2.34 in bfd_hash_lookup, as demonstrated in nm-new, that can cause a denial of service via a crafted file. CVE-2020-16592 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in scan_unit_for_symbols, as demonstrated in addr2line, that can cause a denial of service via a crafted file. CVE-2020-16593 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2020-16598 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A Null Pointer Dereference vulnerability exists in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35, in _bfd_elf_get_symbol_version_string, as demonstrated in nm-new, that can cause a denial of service via a crafted file. CVE-2020-16599 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c. CVE-2020-17437 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:iscsiuio-0.7.8.2-13.42.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libopeniscsiusr0_2_0-2.0.876-13.42.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:open-iscsi-2.0.876-13.42.1 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service. CVE-2020-17541 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libjpeg62-62.2.0-32.0.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libjpeg8-8.1.2-32.2.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component. CVE-2020-18032 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:graphviz-2.40.1-6.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:graphviz-plugins-core-2.40.1-6.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgraphviz6-2.40.1-6.12.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). CVE-2020-24370 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:liblua5_3-5-5.3.6-3.6.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage. CVE-2020-24371 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:liblua5_3-5-5.3.6-3.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. CVE-2020-24586 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.9 AV:A/AC:M/Au:N/C:P/I:N/A:N The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. CVE-2020-24587 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.8 AV:A/AC:H/Au:N/C:P/I:N/A:N The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. CVE-2020-24588 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.9 AV:A/AC:M/Au:N/C:N/I:P/A:N An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. CVE-2020-25613 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58. CVE-2020-25648 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfreebl3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsoftokn3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-certs-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-tools-3.68.2-3.64.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A vulnerability was found in Linux Kernel where refcount leak in llcp_sock_bind() causing use-after-free which might lead to privilege escalations. CVE-2020-25670 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A vulnerability was found in Linux Kernel, where a refcount leak in llcp_sock_connect() causing use-after-free which might lead to privilege escalations. CVE-2020-25671 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A memory leak vulnerability was found in Linux kernel in llcp_sock_connect CVE-2020-25672 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A vulnerability was found in Linux kernel where non-blocking socket in llcp_sock_connect() leads to leak and eventually hanging-up the system. CVE-2020-25673 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation. CVE-2020-25717 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ctdb-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 important 8.5 AV:N/AC:L/Au:S/C:C/I:C/A:N urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. CVE-2020-26137 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-urllib3-1.25.10-9.14.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. CVE-2020-26139 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.9 AV:A/AC:M/Au:N/C:N/I:N/A:P An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. CVE-2020-26141 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 3.3 AV:A/AC:L/Au:N/C:N/I:P/A:N An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. CVE-2020-26145 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 3.3 AV:A/AC:L/Au:N/C:N/I:P/A:N An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. CVE-2020-26147 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 3.2 AV:A/AC:H/Au:N/C:P/I:P/A:N Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2020-26558 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit. CVE-2020-27170 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d. CVE-2020-27171 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. CVE-2020-27619 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. CVE-2020-27673 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-27815 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.1 AV:L/AC:L/Au:N/C:P/I:P/A:C A flaw was found in samba. Spaces used in a string around a domain name (DN), while supposed to be ignored, can cause invalid DN strings with spaces to instead write a zero-byte into out-of-bounds memory, resulting in a crash. The highest threat from this vulnerability is to system availability. CVE-2020-27840 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ctdb-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldb1-1.4.6-3.8.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc. CVE-2020-29361 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libp11-kit0-0.23.2-4.13.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:p11-kit-0.23.2-4.13.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:p11-kit-tools-0.23.2-4.13.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1. CVE-2020-29368 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. CVE-2020-29651 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-py-1.8.1-5.6.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c. CVE-2020-35448 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. CVE-2020-35459 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:crmsh-4.3.1+20211119.97feb471-3.84.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:crmsh-scripts-4.3.1+20211119.97feb471-3.84.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:hawk2-2.6.4+git.1618478653.7272e6b6-3.30.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A flaw exists in binutils in bfd/pef.c. An attacker who is able to submit a crafted PEF file to be parsed by objdump could cause a heap buffer overflow -> out-of-bounds read that could lead to an impact to application availability. This flaw affects binutils versions prior to 2.34. CVE-2020-35493 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P There's a flaw in bfd_pef_scan_start_address() of bfd/pef.c in binutils which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. This flaw affects binutils versions prior to 2.34. CVE-2020-35496 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in binutils in versions prior to 2.34 which could allow an attacker who is able to submit a crafted file to be processed by objdump to cause a NULL pointer dereference. The greatest threat of this flaw is to application availability. CVE-2020-35507 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors CVE-2020-35512 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dbus-1-1.12.2-8.11.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdbus-1-3-1.12.2-8.11.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-35519 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.8 AV:L/AC:L/Au:N/C:C/I:P/A:C An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). CVE-2020-36221 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. CVE-2020-36222 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). CVE-2020-36223 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. CVE-2020-36224 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. CVE-2020-36225 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. CVE-2020-36226 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. CVE-2020-36227 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service. CVE-2020-36228 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. CVE-2020-36229 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was discovered in OpenLDAP before 2.4.57 leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. CVE-2020-36230 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults, aka CID-e72436bc3a52. CVE-2020-36310 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel before 5.9. arch/x86/kvm/svm/sev.c allows attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions), aka CID-7be74942f184. CVE-2020-36311 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure, aka CID-f65886606c2d. CVE-2020-36312 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. CVE-2020-36322 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-36328 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-36329 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability. CVE-2020-36330 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability. CVE-2020-36331 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability. CVE-2020-36332 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwebp6-0.5.0-3.5.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. CVE-2020-36385 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf. CVE-2020-36386 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 5.6 AV:L/AC:L/Au:N/C:P/I:N/A:C u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 CVE-2020-3702 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296. CVE-2020-4788 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. CVE-2020-6829 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfreebl3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsoftokn3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-certs-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-tools-3.68.2-3.64.2 critical 5 AV:N/AC:L/Au:N/C:P/I:N/A:N In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. CVE-2020-9327 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsqlite3-0-3.36.0-3.12.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sqlite3-3.36.0-3.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. CVE-2021-0129 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.7 AV:A/AC:L/Au:S/C:P/I:N/A:N In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173843328References: Upstream kernel CVE-2021-0512 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In pfkey_dump of af_key.c, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-110373476 CVE-2021-0605 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-154177719References: Upstream kernel CVE-2021-0941 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability. CVE-2021-20193 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:tar-1.3-3.9.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink. CVE-2021-20197 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality and integrity. CVE-2021-20208 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cifs-utils-6.9-5.12.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability. CVE-2021-20219 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. CVE-2021-20231 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gnutls-3.6.7-6.40.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgnutls30-3.6.7-6.40.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. CVE-2021-20232 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gnutls-3.6.7-6.40.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgnutls30-3.6.7-6.40.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity. CVE-2021-20254 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ctdb-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 important 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability. CVE-2021-20277 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ctdb-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldb1-1.4.6-3.8.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libndr0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-4.9.5+git.477.8163dd03413-3.61.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability. CVE-2021-20284 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability. CVE-2021-20294 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-20305 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libhogweed4-3.4.1-4.18.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnettle6-3.4.1-4.18.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well. CVE-2021-20322 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user. CVE-2021-21284 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:docker-20.10.9_ce-156.1 low 2.7 AV:A/AC:L/Au:S/C:N/I:P/A:N In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions. CVE-2021-21334 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:containerd-1.4.11-56.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). CVE-2021-2161 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. CVE-2021-21996 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-minion-3002.2-51.1 moderate 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. CVE-2021-22543 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space CVE-2021-22555 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. CVE-2021-22876 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. CVE-2021-22880 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ruby2.5-rubygem-activerecord-5_1-5.1.4-5.3.3 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. CVE-2021-22885 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ruby2.5-rubygem-actionpack-5_1-5.1.4-3.9.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVE-2021-22898 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. CVE-2021-22922 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. CVE-2021-22923 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. CVE-2021-22924 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. CVE-2021-22925 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. CVE-2021-22946 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. CVE-2021-22947 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:curl-7.60.0-28.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcurl4-7.60.0-28.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. CVE-2021-23133 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability. CVE-2021-23134 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. CVE-2021-23239 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sudo-1.8.27-4.21.4 low 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target. This affects SELinux RBAC support in permissive mode. Machines without SELinux are not vulnerable. CVE-2021-23240 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sudo-1.8.27-4.21.4 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. CVE-2021-23336 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 moderate 4 AV:N/AC:H/Au:N/C:N/I:P/A:P Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). CVE-2021-2369 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). CVE-2021-23840 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libopenssl1_1-1.1.0i-14.24.3 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openssl-1_1-1.1.0i-14.24.3 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). CVE-2021-23841 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libopenssl1_1-1.1.0i-14.24.3 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openssl-1_1-1.1.0i-14.24.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. CVE-2021-24031 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libzstd1-1.4.4-1.6.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed. CVE-2021-25214 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:bind-utils-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libbind9-1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdns1605-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libirs1601-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisc1606-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccc1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccfg1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libns1604-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-bind-9.16.6-12.57.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9. CVE-2021-25215 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:bind-utils-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libbind9-1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdns1605-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libirs1601-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisc1606-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccc1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccfg1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libns1604-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-bind-9.16.6-12.57.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security. CVE-2021-25216 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:bind-utils-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libbind9-1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdns1605-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libirs1601-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisc1606-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccc1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccfg1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libns1604-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-bind-9.16.6-12.57.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted. CVE-2021-25217 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dhcp-4.3.6.P1-6.11.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dhcp-client-4.3.6.P1-6.11.1 important 3.3 AV:A/AC:L/Au:N/C:N/I:N/A:P In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. CVE-2021-25219 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:bind-utils-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libbind9-1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libdns1605-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libirs1601-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisc1606-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccc1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libisccfg1600-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libns1604-9.16.6-12.57.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-bind-9.16.6-12.57.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A Creation of Temporary File With Insecure Permissions vulnerability in hawk2 of SUSE Linux Enterprise High Availability 12-SP3, SUSE Linux Enterprise High Availability 12-SP5, SUSE Linux Enterprise High Availability 15-SP2 allows local attackers to escalate to root. This issue affects: SUSE Linux Enterprise High Availability 12-SP3 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 12-SP5 hawk2 versions prior to 2.6.3+git.1614685906.812c31e9. SUSE Linux Enterprise High Availability 15-SP2 hawk2 versions prior to 2.6.3+git.1614684118.af555ad9. CVE-2021-25314 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:hawk2-2.6.4+git.1618478653.7272e6b6-3.30.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions. CVE-2021-25315 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-minion-3002.2-51.1 critical 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. CVE-2021-25317 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cups-config-2.2.7-3.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcups2-2.2.7-3.26.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c. CVE-2021-26930 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c. CVE-2021-26931 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c. CVE-2021-26932 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence. CVE-2021-27135 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:xterm-bin-330-4.3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. CVE-2021-27212 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-2_4-2-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libldap-data-2.4.46-9.58.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openldap2-client-2.4.46-9.58.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation. CVE-2021-27218 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glib2-tools-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgio-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libglib-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgmodule-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgobject-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgthread-2_0-0-2.54.3-4.24.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption. CVE-2021-27219 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glib2-tools-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgio-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libglib-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgmodule-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgobject-2_0-0-2.54.3-4.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgthread-2_0-0-2.54.3-4.24.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. CVE-2021-27363 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. CVE-2021-27365 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931. CVE-2021-28038 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base. CVE-2021-28660 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11. CVE-2021-28688 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A "stall on CPU" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1. CVE-2021-28950 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc. CVE-2021-28964 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. CVE-2021-28965 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N In intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c in the Linux kernel through 5.11.8 on some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled, aka CID-d88d05a9e0b6. CVE-2021-28971 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination, aka CID-cc7a0bb058b8. CVE-2021-28972 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. CVE-2021-29154 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations. CVE-2021-29155 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled, aka CID-d8861bab48b6. CVE-2021-29264 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status, aka CID-9380afd6df70. CVE-2021-29265 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C An issue was discovered in the Linux kernel before 5.11.11. qrtr_recvmsg in net/qrtr/qrtr.c allows attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure, aka CID-50535249f624. CVE-2021-29647 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf. CVE-2021-29650 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b. CVE-2021-30002 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session. CVE-2021-31535 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libX11-6-1.6.5-3.21.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libX11-data-1.6.5-3.21.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libX11-xcb1-1.6.5-3.21.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. CVE-2021-3156 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:sudo-1.8.27-4.21.4 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). CVE-2021-31607 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-3002.2-51.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:salt-minion-3002.2-51.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. CVE-2021-3177 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. CVE-2021-31799 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-31810 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. CVE-2021-31916 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 6.1 AV:L/AC:L/Au:N/C:P/I:P/A:C An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2021-32066 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. CVE-2021-32399 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files. CVE-2021-32760 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:containerd-1.4.11-56.1 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. CVE-2021-33033 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. CVE-2021-33034 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P kernel/bpf/verifier.c in the Linux kernel through 5.12.7 enforces incorrect limits for pointer arithmetic operations, aka CID-bb01a1bba579. This can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation to root. In particular, there is a corner case where the off reg causes a masking direction change, which then results in an incorrect final aux->alu_limit. CVE-2021-33200 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. CVE-2021-33503 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-urllib3-1.25.10-9.14.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. CVE-2021-33560 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgcrypt20-1.8.2-8.42.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVE-2021-33574 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-i18ndata-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-base-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:nscd-2.26-13.62.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db. CVE-2021-33624 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.7 AV:L/AC:M/Au:N/C:C/I:N/A:N fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. CVE-2021-33909 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. CVE-2021-33910 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsystemd0-234-24.102.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libudev1-234-24.102.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:systemd-234-24.102.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:systemd-sysvinit-234-24.102.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:udev-234-24.102.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7. CVE-2021-3426 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 moderate 2.7 AV:A/AC:L/Au:S/C:P/I:N/A:N A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an integer overflow, A local attacker with a special user privilege may cause a system crash problem which can lead to an availability threat. CVE-2021-3428 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. CVE-2021-3444 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. CVE-2021-34556 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered. CVE-2021-3468 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libavahi-client3-0.7-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libavahi-common3-0.7-3.9.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. CVE-2021-34693 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected CVE-2021-3483 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption. CVE-2021-3487 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:binutils-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf-nobfd0-2.37-7.26.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libctf0-2.37-7.26.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1). CVE-2021-3491 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2021-34981 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. CVE-2021-3516 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libxml2-2-2.9.7-3.37.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. CVE-2021-3517 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libxml2-2-2.9.7-3.37.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. CVE-2021-3518 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libxml2-2-2.9.7-3.37.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. CVE-2021-3520 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:liblz4-1-1.8.0-3.8.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. CVE-2021-3537 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libxml2-2-2.9.7-3.37.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. CVE-2021-3541 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libxml2-2-2.9.7-3.37.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2021-3542 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value. CVE-2021-35477 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2021-35559 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Vulnerability in the Java SE product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u301. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). CVE-2021-35560 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2021-35565 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2021-35586 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2021-3560 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libpolkit0-0.114-3.15.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:polkit-0.114-3.15.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service. CVE-2021-3580 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libhogweed4-3.4.1-4.18.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libnettle6-3.4.1-4.18.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. CVE-2021-35942 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-i18ndata-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:glibc-locale-base-2.26-13.62.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:nscd-2.26-13.62.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root. CVE-2021-3609 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. CVE-2021-36222 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:krb5-1.16.3-3.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:krb5-client-1.16.3-3.24.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system. CVE-2021-3640 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. CVE-2021-3653 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.1 AV:L/AC:L/Au:N/C:P/I:P/A:C A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. CVE-2021-3655 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. CVE-2021-3656 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A NULL pointer dereference flaw was found in the Linux kernel’s IEEE 802.15.4 wireless networking subsystem in the way the user closes the LR-WPAN connection. This flaw allows a local user to crash the system. The highest threat from this vulnerability is to system availability. CVE-2021-3659 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. CVE-2021-3667 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-client-5.1.0-17.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-libs-5.1.0-17.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:N/A:P A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. CVE-2021-3672 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libcares2-1.17.1+20200724-3.17.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service. CVE-2021-3679 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). CVE-2021-3712 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libopenssl1_1-1.1.0i-14.24.3 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openssl-1_1-1.1.0i-14.24.3 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-3715 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free. CVE-2021-37159 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible. CVE-2021-3732 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability. CVE-2021-3733 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 low 4 AV:N/AC:L/Au:S/C:N/I:N/A:P A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. CVE-2021-3737 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-3.6.15-3.91.4 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:python3-curses-3.6.15-3.91.4 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C A memory leak flaw was found in the Linux kernel in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c, which allows attackers to cause a denial of service (memory consumption). This vulnerability is similar with the older CVE-2019-18808. CVE-2021-3744 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-3752 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.9 AV:A/AC:M/Au:N/C:C/I:C/A:C A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out of bounds read in vt as the write access to vc_mode is not protected by lock-in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality. CVE-2021-3753 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 low 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. CVE-2021-37576 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A memory overflow vulnerability was found in the Linux kernel’s ipc functionality of the memcg subsystem, in the way a user calls the semget function multiple times, creating semaphores. This flaw allows a local user to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability. CVE-2021-3759 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability. CVE-2021-3760 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C ** DISPUTED ** An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. CVE-2021-37600 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libblkid1-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfdisk1-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libmount1-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsmartcols1-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libuuid1-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:util-linux-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:util-linux-systemd-2.33.2-4.16.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:uuidd-2.33.2-4.16.1 moderate 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. CVE-2021-3772 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field. CVE-2021-37750 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:krb5-1.16.3-3.24.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:krb5-client-1.16.3-3.24.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior. CVE-2021-38160 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. CVE-2021-38185 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cpio-2.12-3.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. CVE-2021-38198 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations. CVE-2021-38204 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. CVE-2021-39537 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libncurses6-6.1-5.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ncurses-utils-6.1-5.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:terminfo-6.1-5.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:terminfo-base-6.1-5.9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash. CVE-2021-3975 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-client-5.1.0-17.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-libs-5.1.0-17.1 moderate A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. CVE-2021-4034 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libpolkit0-0.114-3.15.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:polkit-0.114-3.15.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. CVE-2021-40490 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. CVE-2021-41035 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:java-1_8_0-ibm-1.8.0_sr7.0-3.53.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH. CVE-2021-41092 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:docker-20.10.9_ce-156.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories. CVE-2021-41103 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:containerd-1.4.11-56.1 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. CVE-2021-4147 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-client-5.1.0-17.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libvirt-libs-5.1.0-17.1 moderate 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. CVE-2021-41617 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:openssh-7.9p1-6.28.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel before 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write. CVE-2021-41864 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access. CVE-2021-42008 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes. CVE-2021-42252 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P A heap-based buffer overflow flaw was found in the Linux kernel FireDTV media card driver, where the user calls the CA_SEND_MSG ioctl. This flaw allows a local user of the host machine to crash the system or escalate privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-42739 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:cluster-md-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:dlm-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:gfs2-kmp-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:kernel-default-4.12.14-197.102.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:ocfs2-kmp-default-4.12.14-197.102.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1. CVE-2021-43527 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libfreebl3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libsoftokn3-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-certs-3.68.2-3.64.2 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:mozilla-nss-tools-3.68.2-3.64.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. CVE-2021-43618 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libgmp10-6.1.2-4.9.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVE-2021-45960 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 moderate 9 AV:N/AC:L/Au:S/C:C/I:C/A:C In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVE-2021-46143 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22822 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22823 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22824 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22825 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22826 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22827 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:expat-2.2.5-3.9.1 Public Cloud Image google/sles-15-sp1-sap-byos-v20220126:libexpat1-2.2.5-3.9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P