SUSE-IU-2023:675-1
SUSE Image
security@suse.de
SUSE Security Team
SUSE Image SUSE-IU-2023:675-1
Interim
1
1
2024-05-04T07:22:02Z
current
2023-09-22T01:00:00Z
2023-09-22T01:00:00Z
cve-database/bin/generate-cvrf-publiccloud.pl
2021-02-18T01:00:00Z
Image update for SUSE-IU-2023:675-1 / google/suse-manager-server-4-2-byos-v20230922-x86-64
This image update for google/suse-manager-server-4-2-byos-v20230922-x86-64 contains the following changes:
Package antlr was updated:
- Build antlr-manual package without examples files [bsc#1120360]- Remove not needed files
Package apache-commons-cli was updated:
- Rebased patch CLI-253-workaround.patch to new version.- Updated build XML file to new version.
- Harmonized the use of X.Y.X strings everywhere.
- Updated new source locations from Apache.
- Added 'apache-commons-cli-rpmlintrc' to silence 'package-with-huge-docs' warning (Javadoc generates many files...)
- Update to 1.5:
* New features:
- (CLI-217) Accommodate toggling partial matching in DefaultParser. Thanks to Rubin Simons.
- (CLI-274) Option parser type EXISTING_FILE_VALUE not check file existing Thanks to Béla Schaum.
- (CLI-271) CommandLine.getXXX and CommandLine.hasXXX should accept an Option as a parameter Thanks to Christoph Läubrich.
- (CLI-276) Adjust access-modifier of checkRequiredOptions() to protected. Thanks to Jason Dillon.
- (CLI-282) TypeHandler should throw ParseException for an unsupported class. Thanks to Alex Nordlund.
- Added setter for Builder.option #33. Thanks to Waldemar Sojka, Gary Gregory.
- Add Option unit tests #76. Thanks to Waldemar Sojka, Gary Gregory.
* Fixed bugs:
- Fix NPE in DefaultParser.isLongOption(String). Thanks to Gary Gregory.
- (CLI-279) @param or @return lines should end with a period in CommandLine.java Thanks to Krishna Mohan Rao Kandunoori.
- Replace deprecated FindBugs with SpotBugs. Thanks to Gary Gregory.
- Replace CLIRR with JApiCmp. Thanks to Gary Gregory.
- Option Javadocs grammar nits #55. Thanks to Elliotte Rusty Harold.
- Minor Improvements #57, #61. Thanks to Arturo Bernal, Gary Gregory.
- (CLI-254) Input "test" gets parsed as test, quotes die #58. Thanks to stoty.
- (CLI-287) Allow whitespace-only header and footer #26. Thanks to MrQubo, Gary Gregory.
* Updates:
- (CLI-294) Update Java from version 5 to 7.
- Docs: Replace OptionBuilder in usage page #30. Thanks to Mincong Huang.
- Remove deprecated sudo setting. #36. Thanks to dengliming.
- Bump junit:junit from 4.12 to 4.13.2, #53, #60. Thanks to Gary Gregory, Dependabot.
- Bump commons-parent from 48 to 52. Thanks to Dependabot.
- Bump maven-pmd-plugin from 3.12.0 to 3.15.0, #44, #54, #67. Thanks to Dependabot.
- Bump actions/checkout from v2.3.1 to v2.3.5 #46, #72. Thanks to Dependabot.
- Bump actions/setup-java from v1.4.2 to v2 #50. Thanks to Dependabot, Gary Gregory.
- Bump maven-antrun-plugin from 1.7 to 3.0.0 #43. Thanks to Dependabot.
- Bump maven-checkstyle-plugin from 2.15 to 3.1.2 #41. Thanks to Gary Gregory.
- Bump checkstyle to 9.0.1 #68. Thanks to Gary Gregory.
- Bump actions/cache from 2 to 2.1.6 #64, #65. Thanks to Dependabot.
- Bump commons.animal-sniffer.version 1.19 -> 1.20. Thanks to Gary Gregory.
- Bump maven-bundle-plugin 5.1.1 -> 5.1.2. Thanks to Gary Gregory.
- Bump biz.aQute.bndlib.version 5.1.2 -> 6.0.0. Thanks to Gary Gregory.
- Bump spotbugs from 4.4.1 to 4.4.2 #70. Thanks to Dependabot.
- Bump spotbugs-maven-plugin from 4.4.1 to 4.4.2.2 #71. Thanks to Dependabot.-
- Add OSGi manifest to the build files.
- Set java source/target levels to 6
Package apache-commons-codec was updated:
- Do not alias the artifact to itself
- Update to 1.15
* Fix: MurmurHash3: Ensure hash128 maintains the sign extension bug.
* Update: Base32/Base64/BCodec: Added strict decoding property to
control handling of trailing bits. Default lenient mode discards
them without error. Strict mode raise an exception.
* Update: Base32/Base64 Input/OutputStream: Added strict decoding
property to control handling of trailing bits. Default lenient
mode discards them without error. Strict mode raise an exception.
* Update: Update tests from JUnit 4.12 to 4.13.
* Add: Base16Codec and Base16Input/OutputStream.
* Add: Hex encode/decode with existing arrays.
* Update: Update actions/checkout from v1 to v2.3.2.
* Update: Update actions/setup-java from v1.4.0 to v1.4.1.
- Remove timeout.patch
- Update to version 1.14
* Release 1.14 - 2019-12-30
- Fix: Hex: Allow encoding read-only ByteBuffer.
- Fix: Hex: Only use an available ByteBuffer backing array if
the length equals the remaining byte count.
- Update: MurmurHash3: Deprecate hash64 methods and hash methods
accepting a String that use the default encoding.
- Fix: BaseNCodec to expand buffer using overflow conscious code.
- Fix: Base32/64: Fixed decoding check that all the final trailing
bits to discard are zero.
- Add: Add MurmurHash3.hash128x64 methods to fix sign extension error
during seeding in hash128 methods.
- Add: Add MurmurHash3.hash32x86 methods and IncrementalHash32x86 to
fix sign extension error in hash32 methods.
- Fix: Allow repeat calls to MurmurHash3.IncrementalHash32.end() to
generate the same value.
- Add: Add RandomAccessFile digest methods #31.
- Add: Add Path APIs to org.apache.commons.codec.digest.DigestUtils
similar to File APIs.
- Add: Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
- Add: Add missing note in javadoc when sign extension error is present #34.
- Fix: Reliance on default encoding in MurmurHash2 and MurmurHash3.
- Update: Don't reload standard Charsets in org.apache.commons.codec.Charsets.
- Update: Deprecate Charset constants in org.apache.commons.codec.Charsets
in favor of java.nio.charset.StandardCharsets.
* Release 1.13 - 2019-07-20
- Fix: ColognePhonetic handles x incorrectly.
- Fix: ColognePhonetic does not treat the letter H correctly.
- Fix: Reject any decode request for a value that is impossible to
encode to for Base32/Base64 rather than blindly decoding.
- Add: MurmurHash2 for 32-bit or 64-bit value.
- Add: MurmurHash3 for 32-bit or 128-bit value.
- Update: Broken direct java.nio.ByteBuffer support in
org.apache.commons.codec.binary.Hex.
* Release 1.12 - 2019-02-04
- Fix: B64 salt generator: Random -> ThreadLocalRandom.
- Fix: Wrong value calculated by Cologne Phonetic if a special character
is placed between equal letters.
- Update: Update from Java 6 to Java 7.
- Add: Add Percent-Encoding Codec (described in RFC3986 and RFC7578).
- Fix: ColognePhoneticTest.testIsEncodeEquals missing assertions.
- Add: Add SHA-3 methods in DigestUtils.
Package apache-commons-collections was updated:
- Do not use a dummy pom that only declares dependencies for the testframework artifact
- Clean up the spec file
Package apache-commons-daemon was updated:
- Update to 1.3.2: * Fixes:
- Procrun. Remove noisy INFO log message that triggered logging
once per minute while the service was running.
- Fix typos in Javadoc and comments.
- Procrun. The DependsOn parameter is no longer ignored when
updating the service configuration.
- Fix crash and provide an error level log message when the
user attempts to start the service without configuring a
JVM and none is available via the registry.
* Updates:
- Bump actions/cache from 3.0.3 to 3.0.8.
- Bump actions/checkout from 3 to 3.0.2.
- Bump commons-parent from 53 to 54.
- Bump spotbugs-maven-plugin from 4.6.0.0 to 4.7.2.0.
- Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
- Bump japicmp-maven-plugin from 0.15.4 to 0.16.0.
- Bump JUnit 4 to 5 vintage.
* Remove apache-commons-daemon-riscv64.patch already upstream
- Build with source/target levels 8
- Define %%make_build for systems where it is not defined in
rpm macros
- Update to 1.2.4
* Procrun. Ensure that log messages written to stdout and stderr
are not lost during start-up.
* Procrun. Correct a regression introduced in 1.2.3. Enable the
service to start if the Options value is not present in the
registry.
* jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not
available. Fall back to using argv[0] rather than
/proc/self/exe to determine the path for the current binary.
* Improved JRE/JDK detection to support increased range of both
JVM versions and vendors
- Update to 1.2.3
* Fix: Procrun. Correct multiple issues related to enabling a
service to interact with the desktop. Provide a better error
message if this option is used with an invalid user, install
the service with the option enabled if requested and correctly
save the setting if it is enabled in the GUI.
* Fix: jsvc. Update the list of paths searched for libjvm.so to
include the path used by OpenJDK 11.
* Add: Procrun. Add additional debug logging for Java start mode.
* Fix: jsvc. Remove incorrect definition 'supported_os' which
defined in psupport.m4 file to fix jsvc build error on s390,
arm, aarch64, mipsel and mips.
* Add: More debug logging in prunsrv.c and javajni.c.
* Add: Update arguments.c to support Java 11 --enable-preview.
* Add: jsvc and Procrun. Add support for Java native memory tracking.
* Add: Procrun. Add a new command, print, that outputs the command to
(re-)configure the service with the current settings. This is
intended to be used to save settings such as before an upgrade.
- Rebase apache-commons-daemon-riscv64.patch
- Remove apache-commons-daemon-s390x.patch fixed upstream
- Generate ant build file and customize it in order to be able to
build this ring package without cycles. Ring packages cannot be
built using maven.
- Modified patches:
* apache-commons-daemon-JAVA_OS.patch
* apache-commons-daemon-riscv64.patch
* apache-commons-daemon-s390x.patch
+ Do not patch configure file itself, since we generate it
during the build
- Update to 1.2.2
* Release 1.2.2 - 2019-10-04
- Fix: Procrun. Correct a regression in the fix for DAEMON-401
that prevented the service from starting unless support for the
universal C runtime had been installed.
- Update: Update Commons-Parent to version 49.
* Release 1.2.1 - 2019-09-09
- Fix: jsvc. Correct debug log message that reports change in umask.
- Fix: Procrun. Correct a regression in the previous fix for this
issue that caused 32-bit services to crash on start-up. Fixes DAEMON-401.
- Fix: Procrun. Correct a regression in the fix for DAEMON-391
that caused the GUI to mix-up the WARN and INFO logging levels.
* Release 1.2.0 - 2019-07-02
- Fix: Procrun. Only set the global shutdown event if the event is created.
- Fix: Unable to build with Java 9 using ant; dropped Ant build files.
- Fix: Procrun. prunsrv stopping with error due to hard-coded timeout.
- Fix: Update config.guess and config.sub.
- Fix: Jsvc. Set the sun.java.command system property when starting via jsvc
so that tools like jconsole show something meaningful for the process name.
- Fix: Procrun. Correct the level name used in the GUI for WARN so that
changes made via the GUI are recognised. Order the log levels in the
drop-down from ERROR to DEBUG.
- Fix: Procrun. Correct reversed code comments for JRE and JDK locations
in the registry.
- Fix: Procrun. Fix a bug that meant a value provided for LibraryPath
replaced the value of the PATH environment variable rather than prepended to it.
- Fix: Procrun. Ensure that the java.library.path environment variable is
correctly configured when running on a JRE that depends on the Universal CRT.
- Add: Procrun. Log the error code returned if JVM creation fails to aid debugging.
- Fix: Procrun. Ensure that environment variables set via prunsrv are visible
to native libraries that depend on the Universal CRT.
- Fix: Procrun. Remove the code that removed quotes from configured Java and
Java 9 Options.
- Add: Procrun. Add an option to configure the service to use the 'Automatic
(Delayed Start)' startup mode.
- Add: Procrun. When running in jre mode, if the standard Java registry
entries for JavaHome and RuntimeLib are not present, attempt to use the
Procrun JavaHome key to find the runtime library.
- Add: jsvc. Include the full path to the jsvc executable in the debug log.
* Release 1.1.0 - 2017-11-15
- Update: Update the minimum Java requirement from version 5 to 6.
- Update: Add AArch64 support to src/native/unix/support/apsupport.m4.
- Fix: Remove calls to explicit garbage collection during daemon start and stop.
- Fix: Update config.guess and config.sub to add support, amongst others,
for the 64-bit PowerPC Little-Endian architecture.
- Update: Update Commons-Parent to version 41.
- Fix: Update apsupport.m4 add support for 64-bit PowerPC architectures.
- Fix: Suppress spurious "The data area passed to a system call is too small"
error message in the log when Procrun fails to stop the service.
- Fix: Enable jsvc to start when running on Java 9.
- Fix: Fix a resource leak opening the JVM configuration file.
_ Fix: Improve the jsvc code that restarts the process if the JVM crashes so
that if the JVM crashes after a signal has been received to shut down jsvc
does not attempt to restart the JVM.
- Fix: Ensure that the child process is started with the correct umask.
- Fix: Correct conflicting information for the behaviour of Procrun when
using jvm mode.
- Fix: Ensure that, when using Procrun in java or exe mode, the service
process waits for the stop process to complete before starting clean-up
to avoid a crash in the stop process.
- Fix: Enable jsvc to find the jvm when running on AIX.
- Fix: Ensure that Procrun treats JVM crashes as service failures so the
recovery options will apply.
- Fix: Ensure that the //MQ command closes the prunmgr process even if
the configuration dialog is open when the //MQ command is used.
- Fix: Add support for Java 9 command line arguments to jsvc.
- Add: Add a restarts options to jsvc to control the number of permitted
restarts after a system crash.
- Remove: Remove support for building Procrun for the Itanium platform.
- Fix: Fix race conditions in PID file handling in jsvc.
- Remove patches:
* apache-commons-daemon-ppc64.patch
* apache-commons-daemon-aarch64.patch
- Refresh patches:
* apache-commons-daemon-riscv64.patch
* apache-commons-daemon-JAVA_OS.patch
- Update project keyring.
Package apache-commons-digester was updated:
- Build with java source and target levels 8
- Fixed SPEC file: Replaced broken URL.
Package apache-commons-el was updated:
Package apache-commons-fileupload was updated:
- Upgrade to upstream version 1.5 * New features:
+ Add a configurable limit (disabled by default) for the number
of files to upload per request (bsc#1208513, CVE-2023-24998).
The new configuration option (FileUploadBase#setFileCountMax)
is not enabled by default and must be explicitly configured.
* Fixed Bugs:
+ FILEUPLOAD-293: DiskFileItem.write(File) had been changed to
use FileUtils.moveFile internally, preventing an existing file
as the target.
+ Improve parsing speed.
* Changes:
+ Bump Commons IO to 2.11.0
+ FILEUPLOAD-328 Switch from Cobertura code coverage to Jacoco
code coverage.
+ Bump JUnit to 4.13.2
- Build with java source and target levels 8
Package apache-commons-jexl was updated:
Package apache-commons-lang3 was updated:
- Remove the junit bom dependency for now as it breaks the build of other packages like log4j.
* Add apache-commons-lang3-junit-bom.patch
- Fix component version in default.properties to 3.12
- Updated download URL.
- Update to 3.12.0:
- New features:
* Add BooleanUtils.booleanValues().
* Add BooleanUtils.primitiveValues().
* Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
* Add StopWatch.getStopTime().
* More test coverage for CharSequenceUtils.
* Add fluent-style ArraySorter.
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add missing boolean[] join method.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
* Add and use true and false String constants.
* Add and use ObjectUtils.requireNonEmpty().
- Fixed Bugs:
* Correct implementation of RandomUtils.nextLong(long, long).
* Restore handling of collections for non-JSON ToStringStyle.
* ContextedException Javadoc add missing semicolon.
* Resolve JUnit pioneer transitive dependencies using JUnit BOM.
* NumberUtilsTest - incorrect types in min/max tests.
* Improve StringUtils.stripAccents conversion of remaining accents.
* StringUtils.countMatches - clarify Javadoc.
* Remove redundant argument from substring call.
* BigDecimal is created when you pass it the min and max values.
* ArrayUtils.contains() and indexOf() fail to handle Double.NaN.
* ArrayUtils contains() and indexOf() fail to handle Float.NaN.
* Fix potential NPE in TypeUtils.isAssignable(Type, ParameterizedType, Map, Type>).
* TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
* testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
* Fix Javadoc for SystemUtils.isJavaVersionAtMost().
* Fix StringUtils.unwrap throws StringIndexOutOfBoundsException.
* Fix formatting of isAnyBlank() and isAnyEmpty().
* TypeUtils. containsTypeVariables does not support GenericArrayType.
* Javadoc of some methods incorrectly refers to another method.
* Refine StringUtils.lastIndexOfIgnoreCase.
* Refine StringUtils.abbreviate.
* Refine StringUtils.isNumericSpace.
* Refine StringUtils.deleteWhitespace.
* Correction in Javadoc of some methods.
* Javadoc for RandomStringUtils.random() letters, numbers parameters is wrong.
* Correct markup in Javadoc for unbalanced braces.
* MethodUtils.invokeMethod NullPointerException in case of null in args list.
* Fix 2 digit week year formatting.
* Fix broken Javadoc links to commons-text.
* Add and use ThreadUtils.sleep(Duration).
* Add and use ThreadUtils.join(Thread, Duration).
* Add ObjectUtils.wait(Duration).
- Changes:
* ArrayUtils.toPrimitive(Object) does not support boolean and other types.
* Enable Dependabot.
* Bump junit-jupiter from 5.6.2 to 5.7.0.
* Bump spotbugs from 4.1.2 to 4.2.1.
* Bump spotbugs-maven-plugin from 4.0.0 to 4.2.0.
* Bump biz.aQute.bndlib from 5.1.1 to 5.3.0.
* Bump junit-pioneer from 0.6.0 to 1.1.0.
* Bump checkstyle from 8.34 to 8.40.
* Bump actions/checkout from v2.3.1 to v2.3.4.
* Bump actions/setup-java from v1.4.0 to v1.4.2.
* Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Bump maven-pmd-plugin from 3.13.0 to 3.14.0.
* Bump jmh.version from 1.21 to 1.27.
* Update commons.japicmp.version 0.14.3 -> 0.15.2.
* Processor.java: check enum equality with == instead of .equals() method.
* Bump junit-pioneer from 1.1.0 to 1.3.0.
* Bump maven-checkstyle-plugin from 3.1.1 to 3.1.2.
* Bump actions/cache from v2 to v2.1.4.
* Bump junit-bom from 5.7.0 to 5.7.1.
* Minor Improvements.
* Minor Improvement: Add final variable.try to make the code read-only.
* Minor Improvement: Remove redundant initializer.
* Use own validator ObjectUtils.anyNull to check null String input.
- From 3.11 Update:
- New features:
* Add ArrayUtils.isSameLength() to compare more array types.
* Added the Locks class as a convenient possibility to deal with locked objects.
* Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier, and so on.
* Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
* Add JavaVersion enum constants for Java 14 and 15.
* Add JavaVersion enum constants for Java 16.
* Use Java 8 lambdas and Map operations.
* Change removeLastFieldSeparator to use endsWith.
* Change a Pattern to a static final field, for not letting it compile each time the function invoked.
* Add ImmutablePair factory methods left() and right().
* Add ObjectUtils.toString(Object, Supplier<String>).
* Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
* Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
- Fixed Bugs:
* Fix Javadoc for StringUtils.appendIfMissingIgnoreCase().
* Refine Javadoc.
* Fix typos
* Ignored exception `ignored`, should not be called so.
* StringUtils.replaceEachRepeatedly gives IllegalStateException.
* [JSON string for maps] ToStringBuilder.reflectionToString doesnt render nested maps correctly.
* Correct Javadocs of methods that use Validate.notNull() and replace some uses of Validate.isTrue() with Validate.notNull().
* Add allNull() and anyNull() methods to ObjectUtils.
- Changes:
* Refine test output for FastDateParserTest
* CharSequenceUtils.lastIndexOf : remake it
* remove encoding and docEncoding and use inherited values from commons-parent
* Simplify null checks in Pair.hashCode() using Objects.hashCode().
* Simplify null checks in Triple.hashCode() using Objects.hashCode().
* Simplify some if statements in StringUtils.
* Simplify a null check in the private replaceEach() method of StringUtils.
* Replace some usages of the ternary operator with calls to Math.max() and Math.min().
* (Javadoc) Fix return tag for throwableOf*() methods.
* CharSequenceUtils.regionMatches is wrong dealing with Georgian.
* Optimize ArrayUtils::isArrayIndexValid method.
* Use List.sort instead of Collection.sort.
* Use StandardCharsets.UTF_8.
* Use Collections.singletonList insteadof Arrays.asList when there be only one element.
* Change array style from `int a[]` to `int[] a`.
* Change from addAll to constructors for some List.
* Simplify if as some conditions are covered by others.
* Fixed Javadocs for setTestRecursive().
* ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
* Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
* org.apache.commons:commons-parent 50 -> 51.
* org.junit-pioneer:junit-pioneer 0.5.4 -> 0.6.0.
* org.junit.jupiter:junit-jupiter 5.6.0 -> 5.6.2.
* com.github.spotbugs:spotbugs 4.0.0 -> 4.0.6.
* com.puppycrawl.tools:checkstyle 8.29 -> 8.34.
* commons.surefire.version 3.0.0-M4 -> 3.0.0-M5..
- From 3.10 Update:
- New features:
* Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
* Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
* Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
* Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
* Add ArrayUtils.addFirst() methods.
* Add Range.fit(T) to fit a value into a range.
* Added Functions.as*, and tests thereof, as suggested by Peter Verhas
* Add getters for lhs and rhs objects in DiffResult.
* Generify builder classes Diffable, DiffBuilder, and DiffResult.
* Add ClassLoaderUtils with toString() implementations.
* Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
* Add org.apache.commons.lang3.time.Calendars.
* Add EnumUtils getEnum() methods with default values.
* Added indexesOf methods and simplified removeAllOccurences.
* Add support of lambda value evaluation for defaulting methods.
* Add factory methods to Pair classes with Map.Entry input.
* Add StopWatch convenience APIs to format times and create a simple instance.
* Allow a StopWatch to carry an optional message.
* Add ComparableUtils.
* Add org.apache.commons.lang3.SystemUtils.getUserName().
* Add ObjectToStringComparator.
* Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
* Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
* ObjectUtils: Get first non-null supplier value.
* Added the Streams class, and Functions.stream() as an accessor thereof.
- Fixed Bugs:
* Make test more stable by wrapping assertions in hashset.
* Generate Javadoc jar on build.
* Trivial: year of release for 3.9 says 2018, should be 2019.
* Use synchronize on a set created with Collections.synchronizedSet before iterating.
* StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
* StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
* StringUtils.removeIgnoreCase("?a", "a") throws IndexOutOfBoundsException.
* Corrected usage examples in Javadocs.
* StringUtils abbreviate returns String of length greater than maxWidth.
* Test may fail due to a different order of fields returned by reflection api.
* Sort fields in ReflectionToStringBuilder for deterministic order.
* MethodUtils will throw a NPE if invokeMethod() is called for a var-args method.
* MethodUtils.getAnnotation() with searchSupers = true does not work if super is generic.
- Changes:
* Remove redundant if statements in join methods.
* commons.japicmp.version 0.13.1 -> 0.14.1.
* junit-jupiter 5.5.0 -> 5.5.1.
* junit-jupiter 5.5.1 -> 5.5.2.
* Improve Javadoc based on the discussion of the GitHub PR.
* maven-checkstyle-plugin 3.0.0 -> 3.1.0.
* Update documentation related to the issue LANG-696.
* AnnotationUtils little cleanup.
* Update test dependency: org.easymock:easymock 4.0.2 -> 4.1.
* Update test dependency: org.hamcrest:hamcrest 2.1 -> 2.2.
* Update test dependency: org.junit-pioneer:junit-pioneer 0.3.0 -> 0.4.2.
* Update build dependency: com.puppycrawl.tools:checkstyle 8.18 -> 8.27.
* Update POM parent: org.apache.commons:commons-parent 48 -> 50.
* BooleanUtils Javadoc.
* Functions Javadoc.
* org.easymock:easymock 4.1 -> 4.2.
* org.junit-pioneer:junit-pioneer 0.4.2 -> 0.5.4.
* org.junit.jupiter:junit-jupiter 5.5.2 -> 5.6.0.
* Use Javadoc {@code} instead of pre tags.
* ExceptionUtilsTest to 100%.
* Reuse own code in Functions.java.
* Avoid unnecessary allocation in StringUtils.wrapIfMissing.
* Internally use Validate.notNull(foo, ...) instead of Validate.isTrue(foo != null, ...).
* Add 1 and 0 in toBooleanObject(final String str).
* Remove an redundant argument check in NumberUtils.
* Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
- Fixed SPEC file: Replaced broken URL
- Update to 3.9
* Requires jdk >= 1.8
* Fixed issues with java 12
* Add more SystemUtils.IS_JAVA_XX variants
* Adding the Functions class
* Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
* Add isEmpty method to ObjectUtils
* null-safe StringUtils.valueOf(char[]) to delegate to
String.valueOf(char[]).
* Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
* Consolidate the StringUtils equals and equalsIgnoreCase
- Add OSGi manifest
Package apache-commons-logging was updated:
- Do not build against the log4j12 packages, use the new reload4j
- Disable tests everywhere, not only for arm6
- Added patch
* no-tests.patch
+ ignore failing tests for arm6
Package apache2 was updated:
- Security update: * fix CVE-2023-27522 [bsc#1209049], mod_proxy_uwsgi HTTP response splitting
+ Added patch apache2-CVE-2023-27522.patch
* fix CVE-2023-25690 [bsc#1209047], HTTP request splitting with mod_rewrite and mod_proxy
+ Added patch apache2-CVE-2023-25690.patch
- Rename patches to use proper naming:
* Rename patch:
- Removed bsc1207327-fix-mod_proxy-handling-long-urls.patch
- Added apache2-bsc1207327-fix-mod_proxy-handling-long-urls.patch
- [bsc#1208708] fix passing health check does not recover worker
from its error state:
* Added: apache2-bsc1208708-fix-passing-health-check-recover-worker-from-error-state.patch
- [bsc#1207327] fix mod_proxy handling of very long urls
+ bsc1207327-fix-mod_proxy-handling-long-urls.patch
Package autofs was updated:
- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch Fix off-by-one error in recursive map handling. (bsc#1209653)
Package autoyast2 was updated:
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)- 4.3.106
- Properly install the selected products, do not lose them after
resetting the package manager internally (bsc#1202234)
- 4.3.105
Package bind was updated:
- Security Fix: * The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit.
[bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]
Package binutils was updated:
- Add binutils-disable-dt-relr.sh for an compatibility problem caused by binutils-revert-rela.diff in SLE codestreams.
Needed for update of glibc as that would otherwise pick up
the broken relative relocs support. [bsc#1213282, PED-1435]
Package blog was updated:
- Add patch blog.dif * Fix big endian cast problems to be able to read commands
and ansers (blogctl) as well as passphrases (blogd)
Package ca-certificates-mozilla was updated:
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
Package cal10n was updated:
- Fetch sources using source service from ch.qos git- Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
- Redo completely the packaging including the possibility to run
tests if --with tests is specified
- Add the cal10n-ant-task to built artifacts
- Removed patch:
* cal10n-0.7.7-sourcetarget.patch
+ changes factored into the build system
- Update to 0.8.1:
* This release adds JSR-269 support. In other words, verification
of bundles can be performed at compilation time. See the related
documentation for more details.
* Fix issue with Eclipse not finding existing resources. With
release 0.8.1, Eclipse will find bundles located under
"src/main/resources" but still fail to find bundles located
under "src/test/resources/".
* When reading in bundles, the verify method in MessageKeyVerifier
now uses the locale passed as parameter instead of always
Locale.FR. This bug was reported by Dale Wijnand who also
provided the releavant patch.
- Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with
references to version 0.8.1 to build correctly versioned jar
files.
Package cglib was updated:
- Remove links between artifacts and their parent since we are not building with maven
- Don't inject <optional>true</optional> in cglib pom, as 3.3.0
already provides that option and it makes the POM xml incorrect.
- Update to upstream 3.3.0
* emits code compatible with java 1.8, so we can call static
interface methods.
* minor fix for allowing a fastclass to call static interface
methods.
* update to asm 7.1
* make ant dependency optional
* add Automatic Module Names
* Expose non-bridge methods more frequently.
* Drop support for Java6. (It may continue to work, but continuous
integration tests will no longer validate it does.)
* Fix #115: Release resources eagerly.
* Deprecated TinyBitSet.
* Add workarounds for changes coming from Jigsaw.
* Fix #89 / #90 (generated incorrect code for bridge methods sometimes)
- Update project url to new github site (old one redirects there)
Package cloud-netconfig was updated:
- Update to version 1.8: + Fix Azure metadata check (bsc#1214715)
+ Fix cleanup on ifdown
Package cloud-regionsrv-client was updated:
- Update to version 10.1.2 (bsc#1211282) + Properly handle Ipv6 when checking update server responsiveness. If not
available fall back and use IPv4 information
+ Use systemd_ordered to allow use in a container without pulling systemd
into the container as a requirement
- Update to version 10.1.1 (bsc#1210020, bsc#1210021)
+ Clean up the system if baseproduct registraion fails to leave the
system in prestine state
+ Log when the registercloudguest command is invoked with --clean
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
- Removes a warning about system_token entry present in the credentials
file.
- Adds logrotate configuration for log rotation.
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
- Removes a warning about system_token entry present in the credentials
file.
- Adds logrotate configuration for log rotation.
Package cobbler was updated:
- Fix S390X auto-installation for cases where kernel options are longer than 79 characters (bsc#1207308)
- Switch packaging from patch based to Git tree based development
- All patches that are being removed in this revision are contained in
the new Git tree.
- Removed:
* better-string-replacement-performance.diff
* cgi_parse_qs_is_deprecated.diff
* fix-for-cve-2022-0860-fixup.patch
* fix-for-cve-2022-0860.diff
* fix-for-old-str.join-usage.diff
* fix-string-replacement.diff
* fix-trail-stripping-utf8.diff
* fix_issue_when_inherited_boot_loader_bsc1185679.patch
* load_module_apache_suse_fix.diff
* patch_logrotate_service_condrestart.patch
* prevent-race-condition-writting-tftpboot-files-bsc1186124.patch
* refactored_auth_module.diff
* remove-redundant-json-suffix.diff
* v3-1-2-arbitrary-file-read-write-plus-RCE.patch
* v3-1-2-fix-failing-test-after-cve-fix.patch
* v3-1-2-incomplete-template-sanatization.patch
* v3-1-2-log-pollution-1.patch
* v3-1-2-log-pollution-2.patch
* v3-1-2-log-pollution-3.patch
* v3-1-2-mongodb-sanatiy-check.patch
* v3-1-2-remove-testing-auth.patch
- Unbreak PAM authentication due to missing encode of user input in the PAM
auth module of Cobbler (bsc#1197027, CVE-2022-0860)
- Added:
- fix-for-cve-2022-0860-fixup.patch
Package gcc7 was updated:
- Add gcc7-aarch64-bsc1214052.patch to fix -fstack-protector issues with variable length stack allocations on aarch64.
Fixes CVE-2023-4039. [bsc#1214052]
- Add gcc7-aarch64-untyped_call.patch to fix issue with __builtin_apply
- Add gcc7-lra-elim.patch to fix internal compiler error when forming
paired loads and stores on aarch64.
- Disable multilib and go on riscv64
- libgcc-riscv-div.patch: Backport of r12-5799-g45116f342057b7 to fix
build with current binutils
- Backport _multibuild auto-generation. Remove redundant
.changes files.
- Add _multibuild to define 2nd spec file as additional flavor.
Eliminates the need for source package links in OBS.
- Add gcc7-pr89124.patch to fix KASAN kernel compile. [bsc#1205145]
- Add gcc7-pr72764.patch to fix ICE with C++17 code as reported
in [bsc#1204505]
- Add gcc7-libsanitizer-cherry-pick-9cf13067cb5088626ba7-from-u.patch
and gcc7-libgo-don-t-include-linux-fs.h-when-building-gen-sys.patch
in order to support glibc 2.36.
- Enable format_spec_file otherwise one gets huge diff after
running change_spec.
- Remove fixed sys/mount.h.
- Add patch from upstream to fix altivec.h redefining bool in C++
which makes bool unusable (boo#1195517):
* gcc7-pr78263.patch
- Add gcc7-ada-Target_Name.patch to adjust gnats idea of the
target, fixing the build of gprbuild. [bsc#1196861]
- Remove include-fixed/sys/rseq.h to fix build on openSUSE:Factory.
- Avoid duplicate license in cross packages.
Package cpu-mitigations-formula was updated:
- Update to version 0.5.0: * Mark all SUSE Linux Enterprise 15 SP4 and newer and
openSUSE 15.4 and newer as supported (bsc#1210835)
Package cups was updated:
- cups-2.2.7-CVE-2023-4504.patch fixes CVE-2023-4504 "CUPS PostScript Parsing Heap Overflow"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
bsc#1215204
- cups-2.2.7-CVE-2023-32360.patch fixes CVE-2023-32360
"Information leak through Cups-Get-Document operation"
by requiring authentication for CUPS-Get-Document in cupsd.conf
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
bsc#1214254
- cups-2.2.7-additional_policies.patch is an updated version
of cups-2.0.3-additional_policies.patch that replaces it
to add the 'allowallforanybody' policy to cupsd.conf
after cups-2.2.7-CVE-2023-32360.patch was applied
- cups-2.2.7-CVE-2023-34241.patch fixes CVE-2023-34241
"use-after-free in cupsdAcceptClient()"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
bsc#1212230
- cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324
"Heap buffer overflow in cupsd"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
bsc#1211643
- 0001-cups-dests.c-cupsGetNamedDest-set-IPP_STATUS_ERROR_N.patch
improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error
that fixes bsc#1191467, bsc#1198932:
"lpr reports 'No such file or directory' for missing catalogue files"
"/usr/bin/lpr: No such file or directory"
- after-network_target-sssd_service.patch
is derived from https://github.com/apple/cups/issues/5550 with its
https://github.com/apple/cups/commit/aaebca5660fdd7f7b6f30461f0788d91ef6e2fee
and SUSE PTF:24471 cups.SUSE_SLE-15_Update cups-2.2.7-wait-for-network.patch
to add "After=network.target sssd.service" to the systemd unit
source files cupsd.service.in and cups.cups-lpdAT.service.in
to fix bsc#1201234, bsc#1200321:
"Missing network dependency in systemd unit for cups-2.2.7"
"CUPS may not always start if sssd is in use"
- cups-branch-2.2-commit-876fdc1c90a885a58644c8757bc1283c9fd5bcb7.diff
is https://github.com/OpenPrinting/cups/commit/876fdc1c90a885a58644c8757bc1283c9fd5bcb7
which belongs to https://github.com/OpenPrinting/cups/issues/308
that fixes bsc#1191525, bsc#1203446:
"Print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable)"
"/usr/bin/lpr: Error - The printer or class does not exist."
Package curl was updated:
- Security fixes: * [bsc#1211231, CVE-2023-28320] siglongjmp race condition
- Add curl-CVE-2023-28320.patch
* [bsc#1211232, CVE-2023-28321] IDN wildcard matching
- Add curl-CVE-2023-28321.patch [bsc#1211339]
* [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
- Add curl-CVE-2023-28322.patch
- Security fixes:
* [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
* [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
* [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
Add curl-CVE-2023-27535.patch
* [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
Add curl-CVE-2023-27536.patch
* [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
Add curl-CVE-2023-27538.patch
- Security Fix: [bsc#1207992, CVE-2023-23916]
* HTTP multi-header compression denial of service
* Add curl-CVE-2023-23916.patch
Package dbus-1 was updated:
- Sometimes unprivileged users were able to crash dbus-daemon (CVE-2023-34969, bsc#1212126)
* fix-upstream-CVE-2023-34969.patch
Package lvm2 was updated:
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071) + bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch
Package dmidecode was updated:
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug which would prevent root from using the --from-dump option since
the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
Clean up function dmi_table so that it does only one thing
(bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
- -dump-bin is used, write the whole dump file at once, instead of
opening and closing the file separately for the table and then
for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
Make sure that the file passed to option --dump-bin does not
already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
check on the type of the mem device file we are asked to read
from, if we are root (bsc#1210418).
3 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
the SMBIOS entry point is long enough to include all the fields
we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
name of DMI record type 33 even if we can't decode it.
Package docker was updated:
- update to Docker 24.0.5-ce. See upstream changelong online at <https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
- Update to Docker 24.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500
- Update to Docker 24.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Recommend docker-rootless-extras instead of Require(ing) it, given
it's an additional functionality and not inherently required for
docker to function.
- Add docker-rootless-extras subpackage
(https://docs.docker.com/engine/security/rootless)
- Update to Docker 24.0.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
* Includes the upstreamed fix for the mount table pollution issue.
bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as
being provided by this package.
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
(the uapi headers in SLE-12 are too old).
+ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
- 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`
- Update to Docker 23.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Fixes:
* bsc#1214107 - CVE-2023-28840
* bsc#1214108 - CVE-2023-28841
* bsc#1214109 - CVE-2023-28842
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
- 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
built without internet access in OBS.
+ cli-0001-docs-include-required-tools-in-source-tree.patch
- update to 20.10.23-ce.
* see upstream changelog at https://docs.docker.com/engine/release-notes/#201023
- drop kubic flavor as kubic is EOL. this removes:
kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- Update to Docker 20.10.21-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
bsc#1205375 CVE-2022-36109
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
* 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
preparation for removing the feature). This feature was never meant to be
used by users directly (and is only available in the -kubic/CaaSP version of
the package anyway) and thus should not affect any users.
- Fix wrong After: in docker.service, fixes bsc#1188447
- Add apparmor-parser as a Recommends to make sure that most users will end up
with it installed even if they are primarily running SELinux.
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser.
- Change to using systemd-sysusers
Package dom4j was updated:
- Build against the standalone JavaEE modules unconditionally
- Add alias to the new artifact coordinates org.dom4j:dom4j
- Simplify the spec file a bit
- Add jaxb-api dependency for relevant distribution versions so that
we can build with JDKs that do not include the JavaEE modules
Package dracut was updated:
- Update to version 049.1+suse.255.g19bd61fd: * fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081)
- Update to version 049.1+suse.253.g1008bf13:
* fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
- Update to version 049.1+suse.251.g0b8dad5:
* fix(dracut.sh): omission is an addition to other omissions in conf files (bsc#1208929)
* fix(nfs): chown using rpc default group (bsc#1204929)
Package ecj was updated:
- Added patch: * encoding.patch
+ the encoding needs to be set for all JDK versions
- Modified patch:
* ecj-rpmdebuginfo.patch
+ rediff
* javaAPI.patch
+ extract the encoding part to a separate patch
- Upgrade to eclipse 4.18 ecj
- Switch java14api to java15api to be compatible to JDK 15
- Upgrade to eclipse 4.17 ecj
* No changelog was made available.
- Removed patches:
* ecj-encoding.patch
* jdk10u-jdk8compat.patch
- Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
- Switch java10api to java14api to be compatible to JDK 14
Package elfutils was updated:
- 0001-libelf-Fixup-SHF_COMPRESSED-sh_addralign-in-elf_upda.patch: make debuginfo extraction from go1.19 built binaries work again.
(bsc#1203599)
Package firewalld was updated:
- Fix firewalld does not longer understand IPv4 network masks of type `255.255.255.0`
Added following patch (boo#1212974)
[+ 0004-fix_rich_source_address_with_netmask.patch]
- Fix firewall-offline-cmd fails with ERROR: Calling pre func
Added following patch (bsc#1206928)
[+ 0003-firewall-offline-cmd-fail-fix.patch]
Package fonts-config was updated:
- get the homedir from getpwuid when no $ENV{"HOME"} set- added patches
fix bsc#1210700
+ fonts-config-homedir-getpwuid.patch
Package gawk was updated:
- format-tree-positional-arg.patch: Validate index into argument list (CVE-2023-4156, bsc#1214025)
Package geronimo-specs was updated:
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.
- Set version for the specs comming from tag 1_1_1 in order to
avoid unexpanded version macros in pom files.
Package glib2 was updated:
- Update glib2-fix-normal-form-handling-in-gvariant.patch: Backported from upstream to fix regression on s390x.
(bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
from upstream to fix normal form handling in GVariant.
(CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
glgo#GNOME/glib!3125)
Package glibc was updated:
- resolv-conf-lock.patch: resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)
- ulp-prologue-into-asm-functions.patch: Add support for livepatches
in ASM written functions (bsc#1211726)
- getlogin-no-loginuid.patch: getlogin_r: fix missing fallback if loginuid
is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bnc#1208721)
- amd-cacheinfo.patch: x86: Cache computation for AMD architecture
(bsc#1207957)
- gmon-hash-table-size.patch: gmon: Fix allocated buffer overflow
(CVE-2023-0687, bsc#1207975, BZ #29444)
- strncmp-avx2-boundary.patch: Fix avx2 strncmp offset compare condition
check (bsc#1208358, BZ #25933)
- dlopen-filter-object.patch: elf: Allow dlopen of filter object to work
(bsc#1207571, BZ #16272)
- powerpc-tst-ucontext.patch: powerpc: Fix unrecognized instruction errors
with recent GCC
Package google-guest-agent was updated:
- Update to version 20230601.00 (bsc#1212418, bsc#1212759) * Revert "Avoid conflict with automated package updates (#212)" (#214)
* Don't block google-osconfig-agent (#213)
- from version 20230531.00
* Avoid conflict with automated package updates (#212)
* Add a support of TrustedUserCAKeys into sshd configuration (#206)
- Update to version 20230510.00
* Fix dependencies after updating go ver to 1.17 (#211)
* Update Go version (#210)
- from version 20230426.00
* Fix compilation directives (#207)
- from version 20230403.00
* Mod update (#205)
* Update mod: update golang.org/x/net to
0.8.0 and its dependencies (#204)
Package google-guest-configs was updated:
- Update to version 20230808.00 (bsc#1214546, bsc#1214572) * 64-gce-disk-removal.rules: delete (#51)
- from version 20230801.00
* Replace xxd with dd for google_nvme_id (#56)
- from version 20230729.00
* Setup irq binding for a3 8g vm (#57)
- from version 20230724.00
* Debian packaging: add xxd dependency (#55)
- Update to version 20230626.00 (bsc#1212418, bsc#1212759)
* Revert "Replace `xxd` to `cut` for google_nvme_id (#49)" (#54)
- Update to version 20230526.00
* dracut: Add a new dracut module for gcp udev rules (#53)
- from version 20230522.00
* src/lib/udev: only create symlinks for GCP devices (#52)
- from version 20230515.00
* Replace `xxd` to `cut` for google_nvme_id (#49)
- from version 20230328.00
* Set hostname: consider fully qualified static hostname (#46)
- Update to version 20230217.01
* Support multiple local SSD controllers (#39)
- from version 20230217.00
* Update OWNERS (#45)
- from version 20230215.00
* DHCP hostname: don't reset hostname if
the hostname hasn't changed (#44)
- from version 20230202.00
* Update OWNERS file (#43)
- from version 20230123.00
* Fix a repository URL in packaging specs (#41)
Package google-osconfig-agent was updated:
- Update to version 20230706.02 (bsc#1212418, bsc#1212759) * Update go version in go.mod (#479)
- from version 20230706.01
* Fix condition to have 10 attempts rather than 11. (#477)
- from version 20230706.00
* Remove tests for Ubuntu 18.04 (EOL) (#476)
- from version 20230605.00
* Update old SLES images paths (#475)
- from version 20230602.00
* Adding what exit codes mean for OS Config policy (#474)
- from version 20230504.00
* Set DEBIAN_FRONTEND=noninteractive for apt-get (#472)
- from version 20230403.00
* Disable repos clean-up (#471)
- from version 20230330.00
* Revert "Call FQDN (#454)" (#470)
- from version 20230327.00
* support new format of zypper patch (#469)
* Fix comparing exec.Cmd in mock on Go1.20
- from version 20230316.00
* Remove old images from e2e tests image list
- from version 20230227.01
* Update dependencies (#466)
- from version 20230227.00
* Bump golang.org/x/sys from 0.0.0-20210923061019-b8560ed6a9b7 to 0.1.0 (#463)
Package grub2 was updated:
- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563)
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064)
(bsc#1209234)
* 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
- Fix installation over serial console ends up in infinite boot loop
(bsc#1187810) (bsc#1209667) (bsc#1209372)
* 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in
btrfs filesystem. (bsc#1209165)
* grub2-btrfs-05-grub2-mkconfig.patch
- Make grub more robust against storage race condition causing system boot
failures (bsc#1189036)
* 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
- Make grub.cfg invariant to efi and legacy platforms (bsc#1205200)
- Removed patch linuxefi
* grub2-secureboot-provide-linuxefi-config.patch
* grub2-secureboot-use-linuxefi-on-uefi-in-os-prober.patch
* grub2-secureboot-use-linuxefi-on-uefi.patch
- Rediff
* grub2-btrfs-05-grub2-mkconfig.patch
* grub2-efi-xen-cmdline.patch
* grub2-s390x-05-grub2-mkconfig.patch
* grub2-suse-remove-linux-root-param.patch
- Move unsupported zfs modules into 'extras' packages
(bsc#1205554) (PED-2947)
Package httpcomponents-client was updated:
- Build with source/target levels 8
- Update to version 4.5.12
Package httpcomponents-core was updated:
- Build with source/target levels 8
- Upgraded to version 4.4.13
- Removed patch:
* 0001-Re-generated-expired-test-certificates.patch
+ included in this version
- Modified patch:
* httpcomponents-core-java8compat.patch
+ rediffed to changed context
Package hwdata was updated:
- update to 0.371: * Update pci, usb and vendor ids
- update to 0.370:
* Update pci, usb and vendor ids
- update to 0.369:
* Update pci, usb and vendor ids
- update to 0.368:
* Update pci, usb and vendor ids
- update to 0.367:
* Update pci, usb and vendor ids
- update to 0.366:
* Update pci, usb and vendor ids
Package hwinfo was updated:
- merge gh#openSUSE/hwinfo#132- avoid linking problems with libsamba (bsc#1212756)
- 21.85
- merge gh#openSUSE/hwinfo#127
- create xen usb controller device if necessary (bsc#1204294)
- 21.84
- merge gh#openSUSE/hwinfo#115
- improve treatment of NVME devices (bsc#1200975)
- fix compiler warnings
- 21.83
Package icu4j was updated:
- Upgrade to version 71.1 * Updates to CLDR 41 locale data with various additions and
corrections.
* Adds phrase-based line breaking for Japanese. Existing line
breaking methods follow standards and conventions for body text
but do not work well for short Japanese text, such as in titles
and headings. This new feature is optimized for these use
cases.
* Adds support for Hindi written in Latin letters (hi_Latn). The
CLDR data for this increasingly popular locale has been
significantly revised and expanded. Note that based on user
expectations, hi_Latn incorporates a large amount of English,
and can also be referred to as âHinglishâ.
* ICU 71 and CLDR 41 are minor releases, mostly focused on bug
fixes and small enhancements.
* Updates to the time zone data version 2022a. Note that pre-1970
data for a number of time zones has been removed, as has been
the case in the upstream tzdata release since 2021b.
- Remove obsolete stuff from spec file
- Reformat the changes file to fit to 67 chars width
- Upgrade to verison 70.1
- Modified patches:
* icu4j-66.1-java8compat.patch -> icu4j-70.1-java8compat.patch
* icu4j-jdk10plus.patch
+ rediff to changed context
* improve-osgi-manifest.patch
+ replace also DATAVERSION token during the build
- Added patch:
* icu4j-javadoc.patch
+ fix invalid html entities
- Update to version 67.1
* Unicode 13 (ICU-20893, same as in ICU 66)
+ Total of 5930 new characters
+ 4 new scripts
+ 55 new emoji characters, plus additional new sequences
+ New CJK extension, first characters in plane 3: U+30000..U+3134A
* CLDR 37
+ New language at Modern coverage: Nigerian Pidgin
+ New languages at Basic coverage: Fulah (Adlam), Maithili,
Manipuri, Santali, Sindhi (Devanagari), Sundanese
+ Region containment: EU no longer includes GB
+ Unicode 13 root collation data and Chinese data for collation
and transliteration
* DateTimePatternGenerator now obeys the "hc" preference in the
locale identifier (ICU-20442)
* Various other improvements for ECMA-402 conformance
* Number skeletons have a new "concise" form that can be used in
MessageFormat strings (ICU-20418)
* Currency formatting options for formal and other currency
display name variants (ICU-20854)
* ListFormatter: new public API to select the style & type
(ICU-12863)
* ListFormatter now selects the proper âandâ/âorâ form for
Spanish & Hebrew (ICU-21016)
* Locale ID canonicalization upgraded to implement the complete
CLDR spec (ICU-20834, ICU-20272)
* LocaleMatcher: New option to ignore one-way matches
(ICU-20936), and other tweaks to the code (ICU-20916,
ICU-20917) and data (from CLDR)
* acceptLanguage() reimplemented via LocaleMatcher (ICU-20700)
* Data build tool: tzdbNames.res moved from the "zone_tree"
category to the "zone_supplemental" category (ICU-21073)
- Version update to 66.1
- Changed patches:
* icu4j-jdk10plus.patch
* improve-osgi-manifest.patch
* icu4j-63.1-java8compat.patch -> icu4j-66.1-java8compat.patch
+ rediff to changed context
- Remove build-dependency on java-javadoc, since it is not
necessary with this version.
Package open-iscsi was updated:
- Branched SLE-15-SP3 from Factory. No longer in sync with Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and
'startup' in iscsid.conf, to address bsc#1207157
- Updated year in SPEC file
Package isorelax was updated:
Package issue-generator was updated:
- Update to version 1.13 - SELinux: Do not call agetty --reload [bsc#1186178]
- Update to version 1.12
- Update manual page
- Use python3 instead of python 2.x
- Update to version 1.11
- Don't display issue.d/*.issue files, agetty will do that [bsc#1177891]
- Ignore /run/issue.d in issue-generator.path, else issue-generator will
be called too fast too often [bsc#1177865]
- Ignore *.bak, *~ and *.rpm* files [bsc#1118862]
- Handle the .path unit in scriptlets as well
- Update to version 1.10
- Display wlan interfaces [bsc#1169070]
- Update to version 1.9
- Fix path for systemd files
- Update to version 1.8
- Handle network interface renames
Package jakarta-commons-discovery was updated:
- Update to 0.5: * Breaking changes: The minimum JDK requirement is now JDK 1.5.
The provided binaries will not work on lower JDKs. The source
has been updated to leverage Generics and other JDK 1.5 features
where possible, and requires JDK 1.5 to compile.
* Dependencies: Commons Discovery depends on Commons Logging.
It is built against version 1.1.1.
* New features: Discovery APIs use Java5 Generics.
* Known bugs/limitations: resource.classes.DiscoverClasses doesn't
work with Oracle embedded JVM in DBMS, see DISCOVERY-13:
- https://issues.apache.org/jira/browse/DISCOVERY-13
* Deprecations:
- Classes in org.apache.commons.discovery.log package
have been deprecated, depending on Apache Commons Logging 1.1.1
there is no more circular dependency between Apache Commons
Discovery and Apache Commons Logging.
- setLog(org.apache.commons.logging.Log) methods have been
deprecated too, they are not thread-safe.
- Build with source and target levels 8
- Distribute commons-discovery as maven artifact
- Added build support for Enterprise Linux.
Package java-11-openjdk was updated:
- Update to upstream tag jdk-11.0.20.1+1 (August 2023 emergency release fixing a regression in July 2023 CPU)
* Changes:
+ JDK-8313765: Invalid CEN header (invalid zip64 extra data
field size)
+ JDK-8314678: Bump update version for OpenJDK: jdk-11.0.20.1
- Added patch:
* reproducible-javadoc-timestamp.patch
+ use SOURCE_DATE_EPOCH in javadoc and make the javadoc
generation more reproducible
- Upgrade to upstream tag jdk-11.0.20+8 (July 2023 CPU)
* CVEs
+ CVE-2023-22006, bsc#1213473
+ CVE-2023-22036, bsc#1213474
+ CVE-2023-22041, bsc#1213475
+ CVE-2023-22044, bsc#1213479
+ CVE-2023-22045, bsc#1213481
+ CVE-2023-22049, bsc#1213482
+ CVE-2023-25193, bsc#1207922
* Security fixes
+ JDK-8298676: Enhanced Look and Feel
+ JDK-8300285: Enhance TLS data handling
+ JDK-8300596: Enhance Jar Signature validation
+ JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
+ JDK-8302475: Enhance HTTP client file downloading
+ JDK-8302483: Enhance ZIP performance
+ JDK-8303376: Better launching of JDI
+ JDK-8304468: Better array usages
+ JDK-8305312: Enhanced path handling
+ JDK-8308682: Enhance AES performance
* Other changes
+ JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with
Stream closed
+ JDK-8178806: Better exception logging in crypto code
+ JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed
out
+ JDK-8209167: Use CLDR's time zone mappings for Windows
+ JDK-8209546: Make sun/security/tools/keytool/autotest.sh to
support macosx
+ JDK-8209880: tzdb.dat is not reproducibly built
+ JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java
fails
+ JDK-8214459: NSS source should be removed
+ JDK-8214807: Improve handling of very old class files
+ JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from
tests
+ JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded())
failed: must be at least loaded
+ JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
+ JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
fails with AssertionError
+ JDK-8232853: AuthenticationFilter.Cache::remove may throw
ConcurrentModificationException
+ JDK-8243936: NonWriteable system properties are actually
writeable
+ JDK-8246383: NullPointerException in
JceSecurity.getVerificationResult when using Entrust provider
+ JDK-8248701: On Windows generated modules-deps.gmk can
contain backslash-r (CR) characters
+ JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
version updates
+ JDK-8259530: Generated docs contain MIT/GPL-licenced works
without reproducing the licence
+ JDK-8263420: Incorrect function name in
NSAccessibilityStaticText native peer implementation
+ JDK-8264290: Create implementation for
NSAccessibilityComponentGroup protocol peer
+ JDK-8264304: Create implementation for NSAccessibilityToolbar
protocol peer
+ JDK-8265486: ProblemList javax/sound/midi/Sequencer/
/Recording.java on macosx-aarch64
+ JDK-8268558: [TESTBUG] Case 2 in
TestP11KeyFactoryGetRSAKeySpec is skipped
+ JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with
no controlling input?
+ JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
+ JDK-8275233: Incorrect line number reported in exception
stack trace thrown from a lambda expression
+ JDK-8275721: Name of UTC timezone in a locale changes
depending on previous code
+ JDK-8275735: [linux] Remove deprecated Metrics api (kernel
memory limit)
+ JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir
as unnecessary
+ JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
add 4357905
+ JDK-8278434: timeouts in test java/time/test/java/time/format/
/TestZoneTextPrinterParser.java
+ JDK-8280703: CipherCore.doFinal(...) causes potentially
massive byte[] allocations during decryption
+ JDK-8282077: PKCS11 provider C_sign() impl should handle
CKR_BUFFER_TOO_SMALL error
+ JDK-8282201: Consider removal of expiry check in
VerifyCACerts.java test
+ JDK-8282467: add extra diagnostics for JDK-8268184
+ JDK-8282600: SSLSocketImpl should not use user_canceled
workaround when not necessary
+ JDK-8283059: Uninitialized warning in check_code.c with GCC
11.2
+ JDK-8285497: Add system property for Java SE specification
maintenance version
+ JDK-8286398: Address possibly lossy conversions in
jdk.internal.le
+ JDK-8287007: [cgroups] Consistently use stringStream
throughout parsing code
+ JDK-8287246: DSAKeyValue should check for missing params
instead of relying on KeyFactory provider
+ JDK-8287876: The recently de-problemlisted
TestTitledBorderLeak test is unstable
+ JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
with information on 4th party dependencies
+ JDK-8289301: P11Cipher should not throw out of bounds
exception during padding
+ JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
+ JDK-8291226: Create Test Cases to cover scenarios for
JDK-8278067
+ JDK-8291637: HttpClient default keep alive timeout not
followed if server sends invalid value
+ JDK-8291638: Keep-Alive timeout of 0 should close connection
immediately
+ JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
is lower than expected
+ JDK-8293232: Fix race condition in pkcs11 SessionManager
+ JDK-8293815: P11PSSSignature.engineUpdate should not print
debug messages during normal operation
+ JDK-8294548: Problem list SA core file tests on macosx-x64
due to JDK-8294316
+ JDK-8294906: Memory leak in PKCS11 NSS TLS server
+ JDK-8295974: jni_FatalError and Xcheck:jni warnings should
print the native stack when there are no Java frames
+ JDK-8296934: Write a test to verify whether Undecorated Frame
can be iconified or not
+ JDK-8297000: [jib] Add more friendly warning for proxy issues
+ JDK-8297450: ScaledTextFieldBorderTest.java fails when run
with -show parameter
+ JDK-8298887: On the latest macOS+XCode the Robot API may
report wrong colors
+ JDK-8299259: C2: Div/Mod nodes without zero check could be
split through iv phi of loop resulting in SIGFPE
+ JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
due to constant NULL src argument
+ JDK-8300205: Swing test bug8078268 make latch timeout
configurable
+ JDK-8300490: Spaces in name of MacOS Code Signing Identity
are not correctly handled after JDK-8293550
+ JDK-8301119: Support for GB18030-2022
+ JDK-8301170: perfMemory_windows.cpp add free_security_attr to
early returns
+ JDK-8301401: Allow additional characters for GB18030-2022
support
+ JDK-8302151: BMPImageReader throws an exception reading BMP
images
+ JDK-8302791: Add specific ClassLoader object to Proxy
IllegalArgumentException message
+ JDK-8303102: jcmd: ManagementAgent.status truncates the text
longer than O_BUFLEN
+ JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
needs CFRelease call in early potential CHECK_NULL return
+ JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
+ JDK-8303440: The "ZonedDateTime.parse" may not accept the
"UTC+XX" zone id
+ JDK-8303465: KeyStore of type KeychainStore, provider Apple
does not show all trusted certificates
+ JDK-8303476: Add the runtime version in the release file of a
JDK image
+ JDK-8303482: Update LCMS to 2.15
+ JDK-8303564: C2: "Bad graph detected in build_loop_late"
after a CMove is wrongly split thru phi
+ JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
CFRelease call in early potential CHECK_NULL return
+ JDK-8303822: gtestMain should give more helpful output
+ JDK-8303861: Error handling step timeouts should never be
blocked by OnError and others
+ JDK-8303937: Corrupted heap dumps due to missing retries for
os::write()
+ JDK-8304134: jib bootstrapper fails to quote filename when
checking download filetype
+ JDK-8304291: [AIX] Broken build after JDK-8301998
+ JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
+ JDK-8304350: Font.getStringBounds calculates wrong width for
TextAttribute.TRACKING other than 0.0
+ JDK-8304760: Add 2 Microsoft TLS roots
+ JDK-8305113: (tz) Update Timezone Data to 2023c
+ JDK-8305400: ISO 4217 Amendment 175 Update
+ JDK-8305528: [11u] Backport of JDK-8259530 breaks build with
JDK10 bootstrap VM
+ JDK-8305682: Update the javadoc in the Character class to
state support for GB 18030-2022 Implementation Level 2
+ JDK-8305711: Arm: C2 always enters slowpath for monitorexit
+ JDK-8305721: add `make compile-commands` artifacts to
.gitignore
+ JDK-8305975: Add TWCA Global Root CA
+ JDK-8306543: GHA: MSVC installation is failing
+ JDK-8306658: GHA: MSVC installation could be optional since
it might already be pre-installed
+ JDK-8306664: GHA: Update MSVC version to latest stepping
+ JDK-8306768: CodeCache Analytics reports wrong threshold
+ JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
+ JDK-8307134: Add GTS root CAs
+ JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest
fails after backport of JDK-8303861
+ JDK-8308006: Missing NMT memory tagging in CMS
+ JDK-8308884: [17u/11u] Backout JDK-8297951
+ JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java
fails intermittently
+ JDK-8311465: [11u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20
- Removed patch:
* system-crypto-policy.patch
+ folded into modified fips.patch
- Modified patch:
* fips.patch
+ fold in the system-crypto-policy.patch
+ regenerate to changed context
- Upgrade to upsteam tag jdk-11.0.19+7 (April 2023 CPU)
* Security fixes:
+ JDK-8287404: Improve ping times
+ JDK-8288436: Improve Xalan supports
+ JDK-8294474, CVE-2023-21930, bsc#1210628: Better AES support
+ JDK-8295304, CVE-2023-21938, bsc#1210632: Runtime support
improvements
+ JDK-8296676, CVE-2023-21937, bsc#1210631: Improve String
platform support
+ JDK-8296684, CVE-2023-21937, bsc#1210631: Improve String
platform support
+ JDK-8296692, CVE-2023-21937, bsc#1210631: Improve String
platform support
+ JDK-8296832, CVE-2023-21939, bsc#1210634: Improve Swing
platform support
+ JDK-8297371: Improve UTF8 representation redux
+ JDK-8298191, CVE-2023-21954, bsc#1210635: Enhance object
reclamation process
+ JDK-8298310, CVE-2023-21967, bsc#1210636: Enhance TLS session
negotiation
+ JDK-8298667, CVE-2023-21968, bsc#1210637: Improved path
handling
+ JDK-8299129: Enhance NameService lookups
* Fixes:
+ JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
+ JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/
/Receiver/bug6186488.java fails
+ JDK-8035787: SourcePositions are wrong for Strings
concatenated with '+' operator
+ JDK-8065097: [macosx] javax/swing/Popup/
/TaskbarPositionTest.java fails because Popup is one pixel off
+ JDK-8065422: Trailing dot in hostname causes TLS handshake to
fail with SNI disabled
+ JDK-8129315: java/net/Socket/LingerTest.java and
java/net/Socket/ShutdownBoth.java timeout intermittently
+ JDK-8144030: [macosx] test java/awt/Frame/
/ShapeNotSetSometimes/ShapeNotSetSometimes.java fails (again)
+ JDK-8170705: sun/net/www/protocol/http/StackTraceTest.java
fails intermittently with Invalid Http response
+ JDK-8171405: java/net/URLConnection/ResendPostBody.java
failed with "Error while cleaning up threads after test"
+ JDK-8179317: [TESTBUG] rewrite runtime shell tests in java
+ JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/
/TestUnrecognizedVmOption.java fails when
- XX:+IgnoreUnrecognizedVMOptions is set
+ JDK-8190492: Remove SSLv2Hello and SSLv3 from default enabled
TLS protocols
+ JDK-8192931: Regression test java/awt/font/TextLayout/
/CombiningPerf.java fails
+ JDK-8195057: java/util/concurrent/CountDownLatch/Basic.java
failed w/ Xcomp
+ JDK-8195716: BootstrapLoggerTest : Executor still alive
+ JDK-8202621: bad test with broken links needs to be updated
+ JDK-8207248: Reduce incidence of
compiler.warn.source.no.bootclasspath in javac tests
+ JDK-8208077: File.listRoots performance degradation
+ JDK-8209023: fix 2 compiler tests to avoid JDK-8208690
+ JDK-8209115: adjust libsplashscreen linux ppc64le builds for
easier libpng update
+ JDK-8209774: Refactor shell test
javax/xml/jaxp/common/8035437/run.sh to java
+ JDK-8209935: Test to cover CodeSource.getCodeSigners()
+ JDK-8210373: Deadlock in libj2gss.so when loading "j2gss" and
"net" libraries in parallel.
+ JDK-8212165: JGSS: Fix cut/paste error in NativeUtil.c
+ JDK-8212216: JGSS: Fix leak in exception cases in getJavaOID()
+ JDK-8213130: Update ProblemList after verification of jtreg
tests in Win 7
+ JDK-8213265: fix missing newlines at end of files
+ JDK-8213932: [TESTBUG] assertEquals is invoked with the
arguments in the wrong order
+ JDK-8214445: [test] java/net/URL/HandlerLoop has illegal
reflective access
+ JDK-8215372: test/jdk/java/nio/file/DirectoryStream/Basic.java
not correct when using a glob
+ JDK-8215759: [test] java/math/BigInteger/ModPow.java can
throw an ArithmeticException
+ JDK-8217353: java/util/logging/LogManager/Configuration/
/updateConfiguration/HandlersOnComplexResetUpdate.java fails
with Unexpected reference: java.lang.ref.WeakReference
+ JDK-8217730: Split up MakeBase.gmk
+ JDK-8218133: sun/net/www/protocol/http/ProtocolRedirect.java
failed with "java.net.ConnectException"
+ JDK-8218431: Improved platform checking in makefiles
+ JDK-8221098: Run java/net/URL/HandlerLoop.java in othervm mode
+ JDK-8221168: java/util/concurrent/CountDownLatch/Basic.java
fails
+ JDK-8221351: Crash in
KlassFactory::check_shared_class_file_load_hook
+ JDK-8221621: FindTests.gmk cannot handle "=" in TEST.groups
comments
+ JDK-8222430: Add tests for ElementKind predicates
+ JDK-8223463: Replace wildcard address with loopback or local
host in tests - part 2
+ JDK-8223716: sun/net/www/http/HttpClient/MultiThreadTest.java
should be more resilient to unexpected traffic
+ JDK-8223736: jvmti/scenarios/contention/TC04/tc04t001/
/TestDescription.java fails due to wrong number of
MonitorContendedEntered events
+ JDK-8224024: java/util/concurrent/BlockingQueue/
/DrainToFails.java testBounded fails intermittently
+ JDK-8226595: jvmti/scenarios/contention/TC04/tc04t001/
/TestDescription.java still fails due to wrong number of
MonitorContendedEntered events
+ JDK-8226917: jvmti/scenarios/contention/TC04/tc04t001/
/TestDescription.java fails on jvmti->InterruptThread
(JVMTI_ERROR_THREAD_NOT_ALIVE)
+ JDK-8227422: sun/net/www/protocol/file/
/DirPermissionDenied.java failed on Windows 2016 because
DirPermissionDenied directory has no read permission
+ JDK-8230374: maxOutputSize, instead of
javatest.maxOutputSize, should be used in TEST.properties
+ JDK-8230731: SA tests fail with "Windbg Error: ReadVirtual
failed"
+ JDK-8231595: [TEST] develop a test case for SuspendThreadList
including current thread
+ JDK-8233462: serviceability/tmtools/jstat tests times out
with -Xcomp
+ JDK-8235448: code cleanup in SSLContextImpl.java
+ JDK-8238936: The crash in XRobotPeer when the custom
GraphicsDevice is used
+ JDK-8241806: The sun/awt/shell/FileSystemViewMemoryLeak.java
is unstable
+ JDK-8244592: Start supporting SOURCE_DATE_EPOCH
+ JDK-8245245: WebSocket can lose the URL encoding of URI query
parameters
+ JDK-8298588: WebSockets: HandshakeUrlEncodingTest
unnecessarily depends on a response body
+ JDK-8245654: Add Certigna Root CA
+ JDK-8248306: gc/stress/gclocker/
/TestExcessGCLockerCollections.java does not compile
+ JDK-8249691: jdk/lambda/vm/StrictfpDefault.java file can be
removed
+ JDK-8252401: Introduce Utils.TEST_NATIVE_PATH
+ JDK-8252532: use Utils.TEST_NATIVE_PATH instead of
System.getProperty("test.nativepath")
+ JDK-8252715: Problem list java/awt/event/KeyEvent/KeyTyped/
/CtrlASCII.java on Linux
+ JDK-8254267: javax/xml/crypto/dsig/LogParameters.java failed
with "RuntimeException: Unexpected log output:"
+ JDK-8255710: Opensource unit/regression tests for CMM
+ JDK-8256110: Create implementation for NSAccessibilityStepper
protocol
+ JDK-8256111: Create implementation for
NSAccessibilityStaticText protocol
+ JDK-8256126: Create implementation for NSAccessibilityImage
protocol peer
+ JDK-8256240: Reproducible builds should turn on the
"deterministic" flag for Visual Studio
+ JDK-8281262: Windows builds in different directories are not
fully reproducible
+ JDK-8256934: C2: assert(C->live_nodes() <=
C->max_node_limit()) failed: Live Node limit exceeded limit
+ JDK-8257928: Test image build failure with clang-10 due to
- Wmisleading-indentation
+ JDK-8258005: JDK build fails with incorrect fixpath script
+ JDK-8259265: Refactor UncaughtExceptions shell test as java
test.
+ JDK-8259267: Refactor LoaderLeak shell test as java test.
+ JDK-8225648: [TESTBUG] java/lang/annotation/loaderLeak/
/Main.java fails with -Xcomp
+ JDK-8260576: Typo in compiler/runtime/safepoints/
/TestRegisterRestoring.java
+ JDK-8261270: MakeMethodNotCompilableTest fails with
- XX:TieredStopAtLevel={1,2,3}
+ JDK-8261279: sun/util/resources/cldr/TimeZoneNamesTest.java
timed out
+ JDK-8261350: Create implementation for
NSAccessibilityCheckBox protocol peer
+ JDK-8261351: Create implementation for
NSAccessibilityRadioButton protocol
+ JDK-8261352: Create implementation for component peer for all
the components who should be ignored in a11y interactions
+ JDK-8262060: compiler/whitebox/BlockingCompilation.java timed
out
+ JDK-8264200: java/nio/channels/DatagramChannel/SRTest.java
fails intermittently
+ JDK-8264299: Create implementation of native accessibility
peer for ScrollPane and ScrollBar Java Accessibility roles
+ JDK-8264512: jdk/test/jdk/java/util/prefs/ExportNode.java
relies on default platform encoding
+ JDK-8266974: duplicate property key in java.sql.rowset
resource bundle
+ JDK-8267038: Update IANA Language Subtag Registry to Version
2022-03-02
+ JDK-8270609: [TESTBUG] java/awt/print/Dialog/DialogCopies.java
does not show instruction
+ JDK-8271323: [TESTBUG] serviceability/sa/ClhsdbCDSCore.java
fails with -XX:TieredStopAtLevel=1
+ JDK-8271506: Add ResourceHashtable support for deleting
selected entries
+ JDK-8272985: Reference discovery is confused about atomicity
and degree of parallelism
+ JDK-8273497: building.md should link to both md and html
+ JDK-8273806: compiler/cpuflags/TestSSE4Disabled.java should
test for CPU feature explicitly
+ JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails
due to wrong data size with TieredStopAtLevel=2,3
+ JDK-8274939: Incorrect size of the pixel storage is used by
the robot on macOS
+ JDK-8277346: ProblemList 7 serviceability/sa tests on
macosx-x64
+ JDK-8277351: ProblemList runtime/jni/checked/
/TestPrimitiveArrayCriticalWithBadParam.java on macosx-x64
+ JDK-8279614: The left line of the TitledBorder is not painted
on 150 scale factor
+ JDK-8279662: serviceability/sa/ClhsdbScanOops.java can fail
due to unexpected GC
+ JDK-8279941: sun/security/pkcs11/Signature/
/TestDSAKeyLength.java fails when NSS version detection fails
+ JDK-8280048: Missing comma in copyright header
+ JDK-8280391: NMT: Correct NMT tag on CollectedHeap
+ JDK-8280401: [sspi] gss_accept_sec_context leaves
output_token uninitialized
+ JDK-8280896: java/nio/file/Files/probeContentType/Basic.java
fails on Windows 11
+ JDK-8282036: Change java/util/zip/ZipFile/DeleteTempJar.java
to stop HttpServer cleanly in case of exceptions
+ JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on
AIX
+ JDK-8282398: EndingDotHostname.java test fails because SSL
cert expired
+ JDK-8282511: Use fixed certificate validation date in
SSLExampleCert template
+ JDK-8282958: Rendering Issues with Borders on Windows
High-DPI systems
+ JDK-8283606: Tests may fail with zh locale on MacOS
+ JDK-8283717: vmTestbase/nsk/jdi/ThreadStartEvent/thread/
/thread001 failed due to SocketTimeoutException
+ JDK-8283719: java/util/logging/CheckZombieLockTest.java
failing intermittently
+ JDK-8283870: jdeprscan --help causes an exception when the
locale is ja, zh_CN or de
+ JDK-8284023: java.sun.awt.X11GraphicsDevice
.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
+ JDK-8284165: Add pid to process reaper thread name
+ JDK-8285093: Introduce UTIL_ARG_WITH
+ JDK-8285755: JDK-8285093 changed the default for
- -with-output-sync
+ JDK-8285919: Remove debug printout from JDK-8285093
+ JDK-8285399: JNI exception pending in awt_GraphicsEnv.c:1432
+ JDK-8285690: CloneableReference subtest should not throw
CloneNotSupportedException
+ JDK-8285835: SIGSEGV in
PhaseIdealLoop::build_loop_late_post_work
+ JDK-8286030: Avoid JVM crash when containers share the same
/tmp dir
+ JDK-8286800: Assert in PhaseIdealLoop::dump_real_LCA is too
strong
+ JDK-8286962: java/net/httpclient/ServerCloseTest.java failed
once with ConnectException
+ JDK-8287011: Improve container information
+ JDK-8287180: Update IANA Language Subtag Registry to Version
2022-08-08
+ JDK-8287906: Rewrite of GitHub Actions (GHA) sanity tests
+ JDK-8288499: Restore cancel-in-progress in GHA
+ JDK-8288332: Tier1 validate-source fails after 8279614
+ JDK-8289562: Change bugs.java.com and bugreport.java.com
URL's to https
+ JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on
cgroups v2 and crun
+ JDK-8290197: test/jdk/java/nio/file/Files/probeContentType/
/Basic.java fails on some systems for the ".rar" extension
+ JDK-8290899: java/lang/String/StringRepeat.java test requests
too much heap on windows x86
+ JDK-8290920: sspi_bridge.dll not built if BUILD_CRYPTO is
false
+ JDK-8290964: C2 compilation fails with assert "non-reduction
loop contains reduction nodes"
+ JDK-8292863: assert(_print_inlining_stream->size() > 0)
failed: missing inlining msg
+ JDK-8292877: java/util/concurrent/atomic/Serial.java uses
{Double,Long}Accumulator incorrectly
+ JDK-8293550: Optionally add get-task-allow entitlement to
macos binaries
+ JDK-8293767: AWT test TestSinhalaChar.java has old SCCS
markings
+ JDK-8293996: C2: fix and simplify
IdealLoopTree::do_remove_empty_loop
+ JDK-8294378: URLPermission constructor exception when using
tr locale
+ JDK-8294580: frame::interpreter_frame_print_on() crashes if
free BasicObjectLock exists in frame
+ JDK-8294705: Disable an assertion in
test/jdk/java/util/DoubleStreamSums/CompensatedSums.java
+ JDK-8294947: Use 64bit atomics in patch_verified_entry on
x86_64
+ JDK-8295116: C2: assert(dead->outcnt() == 0 &&
!dead->is_top()) failed: node must be dead
+ JDK-8295211: Fix autoconf 2.71 warning "AC_CHECK_HEADERS: you
should use literals"
+ JDK-8295405: Add cause in a couple of
IllegalArgumentException and InvalidParameterException shown
by sun/security/pkcs11 tests
+ JDK-8295412: support latest VS2022 MSC_VER in
abstract_vm_version.cpp
+ JDK-8295530: Update Zlib Data Compression Library to Version
1.2.13
+ JDK-8295685: Update Libpng to 1.6.38
+ JDK-8295774: Write a test to verify List sends
ItemEvent/ActionEvent
+ JDK-8295777: java/net/httpclient/ConnectExceptionTest.java
should not rely on system resolver
+ JDK-8295788: C2 compilation hits "assert((mode ==
ControlAroundStripMined && use == sfpt) ||
!use->is_reachable_from_root()) failed: missed a node"
+ JDK-8296239: ISO 4217 Amendment 174 Update
+ JDK-8296611: Problemlist several sun/security tests until
+ JDK-8295343 is resolved
+ JDK-8296619: Upgrade jQuery to 3.6.1
+ JDK-8296675: Exclude linux-aarch64 in NSS tests
+ JDK-8296878: Document Filter attached to JPasswordField and
setText("") is not cleared instead inserted characters
replaced with unicode null characters
+ JDK-8296904: Improve handling of macos xcode toolchain
+ JDK-8296912: C2: CreateExNode::Identity fails with assert(i <
_max) failed: oob: i=1, _max=1
+ JDK-8296924: C2:
assert(is_valid_AArch64_address(dest.target())) failed: bad
address
+ JDK-8297088: Update LCMS to 2.14
+ JDK-8297257: Bump update version for OpenJDK: jdk-11.0.19
+ JDK-8297264: C2: Cast node is not processed again in CCP and
keeps a wrong too narrow type which is later replaced by top
+ JDK-8297480: GetPrimitiveArrayCritical in imageioJPEG misses
result - NULL check
+ JDK-8297489: Modify TextAreaTextEventTest.java as to verify
the content change of TextComponent sends TextEvent
+ JDK-8297569: URLPermission constructor throws
IllegalArgumentException: Invalid characters in hostname
after JDK-8294378
+ JDK-8297951: C2: Create skeleton predicates for all If nodes
in loop predication
+ JDK-8297963: Partially fix string expansion issues in
UTIL_DEFUN_NAMED and related macros
+ JDK-8298027: Remove SCCS id's from awt jtreg tests
+ JDK-8298073: gc/metaspace/
/CompressedClassSpaceSizeInJmapHeap.java causes test task
timeout on macosx
+ JDK-8241293: CompressedClassSpaceSizeInJmapHeap.java time out
after 8 minutes
+ JDK-8298093: improve cleanup and error handling of
awt_parseColorModel in awt_parseImage.c
+ JDK-8298108: Add a regression test for JDK-8297684
+ JDK-8298129: Let checkpoint event sizes grow beyond u4 limit
+ JDK-8298271: java/security/SignedJar/spi-calendar-provider/
/TestSPISigned.java failing on Windows
+ JDK-8298459: Fix msys2 linking and handling out of tree build
directory for source zip creation
+ JDK-8298527: Cygwin's uname -m returns different string than
before
+ JDK-8299194: CustomTzIDCheckDST.java may fail at future date
+ JDK-8299296: Write a test to verify the components selection
sends ItemEvent
+ JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java
fails for hr_HR
+ JDK-8299483: ProblemList java/text/Format/NumberFormat/
/CurrencyFormat.java
+ JDK-8299445: EndingDotHostname.java fails because of
compilation errors
+ JDK-8299520: TestPrintXML.java output error messages in case
compare fails
+ JDK-8299596: [11u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.19
+ JDK-8299616: [11u] Bootcycle build fails after JDK-8257679
backport
+ JDK-8299789: Compilation of gtest causes build to fail if
runtime libraries are in different dirs
+ JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report
invalid results on 32 bit systems
+ JDK-8300424: [11u] Chunk lost in backport of 8297569
+ JDK-8300642: [17u,11u] Fix DEFAULT_PROMOTED_VERSION_PRE=ea
for -dev
+ JDK-8300742: jstat's CGCT is 5 percent higher than the pause
time in -Xlog:gc.
+ JDK-8300773: Address the inconsistency between the constant
array and pool size
+ JDK-8301397: [11u, 17u] Bump jtreg to fix issue with build
JDK 11.0.18
+ JDK-8301760: Fix possible leak in SpNegoContext dispose
+ JDK-8301842: JFR: increase checkpoint event size for
stacktrace and string pool
+ JDK-8302000: [11u] A subtle race condition during jdk11u
build
+ JDK-8218460: Test generation scripts do not invoke stream
preprocessor correctly
+ JDK-8302657: [11u] Add missing '(' in makefile after backport
of 8218431
+ JDK-8302694: [11u] Update GHA Boot JDK to 11.0.18
+ JDK-8302903: [11u] Add modified test snippet after backport
of JDK-8221871
+ JDK-8303075: [11u] Add CompileClassWithDebugTest to
ProblemList for 8303074
+ JDK-8304389: [11u] Crash on Windows in C2 compiled code after
8248238 and 8218431
- Modified patch:
* fips.patch
+ adapt to changed context
Package javamail was updated:
- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least "any"
* fixes use with gradle
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution
versions to make buildable with JDK that does not contain the
JavaEE modules
Package javapackages-tools was updated:
- Update to upstream version 6.1.0 * Release version 6.1.0
* Introduce common and extra subpackages
* Update documentation
* Add lua interpreter to check and GH actions
* Remove license headers from wrapper scripts
* Make scripts compatible with rpmlua
* Add more tests, fix behaviour
* Implement separate simple class name matching
* Minor changes
* Modularize Lua scripts
* Add Lua scripts for removing annotations
* Update build status badge in README.md
* Migrate CI from TravisCI to GitHub Actions
* Fix running tests without coverage
* Update ivy-local-classpath
* Release version 6.0.0
* Fix extra XML handling of pom_change_dep
* Add reproducer for #82
* Respect %jpb_env RPM macro
* Add bootstrap metadata to XMvn resolver config
* Delete run_tests.py
* Replace nose by pytest
* [install] Make glob pattern work with Python 3.10
* Adding ppc64le architecture support on travis-ci
* Drop deprecated add_maven_depmap macro
* Drop SCL support
* Fix provides matching
* Fix builddep snippet generation
* [test] Add test for builddep snippet generation
* Add location of java binary used by the java-1.8.0-openjdk
(JRE) package so that setting JAVA_HOME will work correctly
* Use XMvn Javadoc MOJO by default
* Remove explicit import of Python 3 features
* Remove dependency on Six compatibility library
* Fix invalid <skippedPlugins> in XMvn configuration
* [test] Don't try to kill PID 1 during tests
* [travis] Drop Python 2 from test matrix
* Add separate subpackage with RPM generators
* mvn_build: replace inline shell scriptlet with native python
code
* [test] Don't use networking during tests
* Add apache-rat-plugin to skippedPlugins
* Skip execution of various Maven plugins
* Remove Python 3.5 from .travis.yml
* Make generated javadoc package noarch
- Added patch:
* javapackages-6.1.0-maven-depmap.patch
+ Bulk patch correspoding to our pull request
https://github.com/fedora-java/javapackages/pull/92 which
brings back some of the removed tools that we depend on
heavily
- Modified patches:
* python-optional.patch
* suse-use-libdir.patch
+ Rediff to changed context
- Removed patches:
* 0001-Let-maven_depmap.py-generate-metadata-with-dependenc.patch
* 0002-Do-not-try-to-construct-POM-from-maven-coordinate-st.patch
* 0003-Fix-tests-after-the-recent-maven_depmap.py-changes.patch
+ Already part of the above-mentioned bulk patch
* 0004-Remove-dependency-on-Six-compatibility-library.patch
+ Upstream patch already integrated in the 6.x code-line
- Fix wrong conditioning of the python-six require.
- Added patch:
* 0004-Remove-dependency-on-Six-compatibility-library.patch
+ remove dependency on python-six for newer distributions
- Added patches:
* 0001-Let-maven_depmap.py-generate-metadata-with-dependenc.patch
* 0002-Do-not-try-to-construct-POM-from-maven-coordinate-st.patch
* 0003-Fix-tests-after-the-recent-maven_depmap.py-changes.patch
+ Let maven_depmap.py generate metadata with dependencies under
certain circumstances
- Fix typo in suse-use-libdir.patch:
%{_libdir}/jvm-commmon -> %{_libdir}/jvm-common
- Do not run tests on SLE12, since python3-test is not accessible
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor
gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem:
/etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Modified patch:
* suse-use-libdir.patch
+ rediff to changed context
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this
just happens to overlap in some distros.
Package javassist was updated:
- Clean up the spec file and make it actually build on a vanilla SLE-12-SP5
- Modified patch:
* javassist-java8-compat.patch
+ make remove functions that are not available in java 8
- Version update to 3.29.2:
* Include` Automatic-Module-Name in MANIFEST.MF
- Rebased javassist-osgi.patch and corrected version numbers in
the patch.
- Version update to 3.29.1:
* `Readme.html` was deleted.
- Rebased javassist-osgi.patch and corrected version numbers in
the patch.
- Requires java >= 1.8
- Rebased patches:
* javassist-osgi.patch
- Version update to 3.29.0:
* removes an unused import declaration as PR 384 mentions.
* Merge pull request #382 from tim-hoffman/PR_RemoveStringBuffer
* Merge pull request #383 from tim-hoffman/PR_ArrayCopyPerformance
* uncomments test code suggested by PR405
* cancels PR#391, which does not pass all the tests
* fixes a wrong indentation
* Merge pull request #391 from derklaro/fix-method-naming-syntax
* does refactoring
* fixes a bug in SignatureAttribute.renameClass().
* fixs a compilation problem although one test still fails.
* Merge pull request #299 from pietrobraione/master
* Merge branch 'master' into master
* Merge pull request #278 from ximsfei/master
* Merge pull request #390 from derklaro/master
* changes test code because package
java.rmi.activation.ActivationGroupDesc does not exist any
longer.
* deletes src/test/test2/*.class
* Merge pull request #399 from carldea/master
* Merge pull request #409 from aschleck/patch-1
* Remove redundant type check
* Using TCK Tested JDK builds of OpenJDK
* Merge pull request #395 from aburaksahin/master
* Fix for NullPointerException on detach()
* Only wrap the method name if the method doesn't come from the
same decl class
* Lower requirement for an extra type in constructor to Java 7-
* Replace array copy loop with System.arraycopy
* Replace remaining StringBuffer uses with StringBuilder
* Replace StringBuffer with StringBuilder and other minor String
optimizations
* fixes GitHub Issue 378 (wrong link for apache license)
* updates javassist.Loader to exclude jdk.internal.
* Fixes to support the full syntax of possible signatures
* Fix renaming of classes in presence of generic signatures and
nested classes.
* add unit test
* fixes a bug of ClassFile#renameClass(), some imports could not
be successfully renamed
- Rebased osgi patch: javassist-osgi.patch
- Rebased java8 compat patch: javassist-java8-compat.patch
- Requires Java API >= 1.7
- Added patch:
* javassist-osgi.patch
+ Add OSGi manifest to the javassist.jar
Package jdom was updated:
- Security fix: [bsc#1187446, CVE-2021-33813] * XXE issue in SAXBuilder can cause a denial of service via
a crafted HTTP request
- Add jdom-CVE-2021-33813.patch
- Remove unneeded dependency on glassfish-jaxb-api.
- Build against the standalone JavaEE modules unconditionally
- Modified patch:
* jdom-1.1-build.xml.patch
+ Build with source/target levels 8
- Build against standalone jaxb-api on distributions that have
JDK without the JavaEE modules
- Alias the xom artifact to the new com.io7m.xom groupId
- Update jaxen to version 1.1.6
* Bug fixes
- Increase java stack size to avoid overflow
Package joda-time was updated:
Package jzlib was updated:
Package kernel-default was updated:
- Refresh patches.suse/powerpc-Move-DMA64_PROPNAME-define-to-a-header.patch.- commit d263157
- x86/speculation: Mark all Skylake CPUs as vulnerable to GDS (git-fixes).
- commit a3ff58c
- drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402)
- commit 5b2dbae
- powerpc/rtas: remove ibm_suspend_me_token (bsc#1023051).
- commit 4f01e57
- Do not add and remove genksyms ifdefs
- Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch.
- Refresh patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch.
- commit e497b88
- powerpc/rtas: move syscall filter setup into separate function
(bsc#1023051).
- commit a36442d
- x86/speculation: Add cpu_show_gds() prototype (git-fixes).
- commit 5d94fff
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- commit 5ab0096
- blacklist.conf: Blacklist redundant docu patch
- commit 1c6d737
- Sort recent hw security-related patches
Move them to the sorted section and adjust patches accordingly.
- Refresh patches.suse/kvm-add-gds_no-support-to-kvm.patch.
- Refresh
patches.suse/x86-speculation-add-force-option-to-gds-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-kconfig-option-for-gds.patch.
- Refresh
patches.suse/x86-srso-add-a-speculative-ras-overflow-mitigation.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 5c87dd7
- Input: cyttsp4_core - change del_timer_sync() to
timer_shutdown_sync() (bsc#1213971 CVE-2023-4134).
- commit 3ffe891
- powerpc/rtas: block error injection when locked down
(bsc#1023051).
Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch
- commit 3bd253d
- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit 3251f7a
- powerpc: Move DMA64_PROPNAME define to a header (bsc#1214297
ltc#197503).
- commit c36e5b8
- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588).
- commit 48fc5d8
- x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588).
- commit 5e5738e
- net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459).
- commit 1ac9015
- net: nfc: Fix use-after-free caused by nfc_llcp_find_local
(bsc#1213601 CVE-2023-3863).
- nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601
CVE-2023-3863).
- nfc: llcp: nullify llcp_sock->dev on connect() error paths
(bsc#1213601 CVE-2023-3863).
- commit 9d4529d
- kabi/severities: Ignore newly added SRSO mitigation functions
- commit 95ed32f
- x86/srso: Correct the mitigation status when SMT is disabled (git-fixes).
- commit 309af7f
- x86/srso: Explain the untraining sequences a bit more (git-fixes).
- commit fa09ab7
- x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes).
- commit 5038558
- x86/cpu: Cleanup the untrain mess (git-fixes).
- commit eda7e6d
- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- commit 6e5dea6
- xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666
CVE-2023-3772).
- commit fdc40c6
- x86/cpu: Rename original retbleed methods (git-fixes).
- commit 554babe
- x86/srso: Disable the mitigation on unaffected configurations (git-fixes).
- commit a99796e
- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes).
- commit 2b91cd9
- Update config files. Drop the dpt_i2o kernel module.
For: jsc#PED-4579, CVE-2023-2007
- commit 6a43698
- fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385).
- commit ee83171
- xfs: fix sb write verify for lazysbcount (bsc#1214275).
- commit 37c728c
- xfs: update superblock counters correctly for !lazysbcount
(bsc#1214275).
- commit 2b6e01d
- xfs: gut error handling in xfs_trans_unreserve_and_mod_sb()
(bsc#1214275).
- commit e55f7c6
- pseries/iommu/ddw: Fix kdump to work in absence of
ibm,dma-window (bsc#1214297 ltc#197503).
- commit ea499bc
- net: vmxnet3: fix possible use-after-free bugs in
vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387).
- commit 0fa208f
- e1000: Remove unnecessary use of kmap_atomic() (jsc#PED-5738).
- commit dfa3fd7
- intel/e1000:fix repeated words in comments (jsc#PED-5738).
- commit e5d93d0
- e1000: Fix typos in comments (jsc#PED-5738).
- commit 64fd6bc
- e1000: switch to napi_consume_skb() (jsc#PED-5738).
- commit 1ad8d9c
- intel: remove checker warning (jsc#PED-5738).
- commit c3ad152
- net: e1000: remove repeated words for e1000_hw.c (jsc#PED-5738).
- commit ace3bf9
- net: e1000: remove repeated word "slot" for e1000_main.c
(jsc#PED-5738).
- commit cfd4849
- e1000: Fix fall-through warnings for Clang (jsc#PED-5738).
- commit 7817f78
- e1000: drop unneeded assignment in e1000_set_itr()
(jsc#PED-5738).
- commit d2ba4db
- io_uring: Acquire completion_lock around io_get_deferred_req
(bsc#1213272 CVE-2023-21400).
- commit 84db304
- md/raid0: Fix performance regression for large sequential writes
(bsc#1213916).
- md/raid0: Factor out helper for mapping and submitting a bio
(bsc#1213916).
- commit b0544bd
- media: usb: siano: Fix warning due to null work_func_t function
pointer (bsc#1213969 CVE-2023-4132).
- commit c44d7c3
- media: usb: siano: Fix use after free bugs caused by
do_submit_urb (bsc#1213969 CVE-2023-4132).
- commit a27f430
- net/sched: cls_route: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_fw: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_u32: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- commit ea3bad4
- exfat: check if filename entries exceeds max filename length
(bsc#1214120 CVE-2023-4273).
- commit d8c4244
- series.conf: resort
- commit b2ee92a
- netfilter: nf_tables: disallow rule addition to bound chain
via NFTA_RULE_CHAIN_ID (CVE-2023-4147 bsc#1213968).
- commit 1258138
- cxgb4: fix use after free bugs caused by circular dependency
problem (bsc#1213970 CVE-2023-4133).
- timers: Provide timer_shutdown[_sync]() (bsc#1213970).
- timers: Add shutdown mechanism to the internal functions
(bsc#1213970).
- timers: Split [try_to_]del_timer[_sync]() to prepare for
shutdown mode (bsc#1213970).
- timers: Silently ignore timers with a NULL function
(bsc#1213970).
- timers: Rename del_timer() to timer_delete() (bsc#1213970).
- timers: Rename del_timer_sync() to timer_delete_sync()
(bsc#1213970).
- timers: Use del_timer_sync() even on UP (bsc#1213970).
- timers: Update kernel-doc for various functions (bsc#1213970).
- timers: Replace BUG_ON()s (bsc#1213970).
- clocksource/drivers/sp804: Do not use timer namespace for
timer_shutdown() function (bsc#1213970).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace
for timer_shutdown() function (bsc#1213970).
- ARM: spear: Do not use timer namespace for timer_shutdown()
function (bsc#1213970).
- commit 6a1c404
- xen/netback: Fix buffer overrun triggered by unusual packet
(CVE-2023-34319, XSA-432, bsc#1213546).
- commit 3617080
- x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569).
- commit 3f35ab4
- net: tun_chr_open(): set sk_uid from current_fsuid()
(CVE-2023-4194 bsc#1214019).
- commit 25c979d
- net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194
bsc#1214019).
- commit b03d1d8
- x86/microcode/AMD: Make stub function static inline
(bsc#1213868).
- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- commit f587833
- mm: Move mm_cachep initialization to mm_init() (bsc#1206418, CVE-2022-40982).
- commit 487512d
- bpf: add missing header file include (bsc#1211738
CVE-2023-0459).
- commit 0e6ab49
- locking/rwsem: Add __always_inline annotation to
__down_read_common() and inlined callers (bsc#1207270
jsc#PED-4567).
- commit 9e46337
- locking/rwsem: Disable preemption in all down_write*() and
up_write() code paths (bsc#1207270 jsc#PED-4567).
- commit e8b39d0
- locking/rwsem: Disable preemption in all down_read*() and
up_read() code paths (bsc#1207270 jsc#PED-4567).
- commit f20a53f
- locking/rwsem: Prevent non-first waiter from spinning in
down_write() slowpath (bsc#1207270 jsc#PED-4567).
- commit 9c40fdf
- locking/rwsem: Disable preemption while trying for rwsem lock
(bsc#1207270 jsc#PED-4567).
- commit d6741e8
- locking/rwsem: Allow slowpath writer to ignore handoff bit if
not set by first waiter (bsc#1207270 jsc#PED-4567).
- commit 22681e5
- locking/rwsem: Always try to wake waiters in out_nolock path
(bsc#1207270 jsc#PED-4567).
- commit 2dd13e8
- locking/rwsem: Conditionally wake waiters in reader/writer
slowpaths (bsc#1207270 jsc#PED-4567).
- commit c20a7d3
- locking/rwsem: No need to check for handoff bit if wait queue
empty (bsc#1207270 jsc#PED-4567).
- commit 7d6a2e9
- locking: Add missing __sched attributes (bsc#1207270
jsc#PED-4567).
- commit 0f7a2d1
- locking/rwsem: Optimize down_read_trylock() under highly
contended case (bsc#1207270 jsc#PED-4567).
- commit 46658e6
- locking/rwsem: Make handoff bit handling more consistent
(bsc#1207270 jsc#PED-4567).
- commit e47427d
- locking/rwsem: Fix comments about reader optimistic lock
stealing conditions (bsc#1207270 jsc#PED-4567).
- commit 4a0d7cf
- locking: Remove rcu_read_{,un}lock() for preempt_{dis,en}able()
(bsc#1207270 jsc#PED-4567).
- commit ee007db
- lockdep: Add preemption enabled/disabled assertion APIs
(bsc#1207270 jsc#PED-4567).
- commit 1386d93
- locking/rwsem: Disable preemption for spinning region
(bsc#1207270 jsc#PED-4567).
- commit 0fad749
- locking/rwsem: Remove an unused parameter of rwsem_wake()
(bsc#1207270 jsc#PED-4567).
- commit b255b46
- locking/rwsem: Fix comment typo (bsc#1207270 jsc#PED-4567).
- commit 0ac673a
- locking/rwsem: Remove reader optimistic spinning (bsc#1207270
jsc#PED-4567).
- commit 4b129c1
- locking/rwsem: Enable reader optimistic lock stealing
(bsc#1207270 jsc#PED-4567).
- commit 7c0e82a
- locking/rwsem: Prevent potential lock starvation (bsc#1207270
jsc#PED-4567).
- commit 00b076e
- locking/rwsem: Pass the current atomic count to
rwsem_down_read_slowpath() (bsc#1207270 jsc#PED-4567).
- commit 1d2b5fa
- locking/rwsem: Fold __down_{read,write}*() (bsc#1207270
jsc#PED-4567).
- commit fd0b8b5
- locking/rwsem: Introduce rwsem_write_trylock() (bsc#1207270
jsc#PED-4567).
- commit daa9d5f
- locking/rwsem: Better collate rwsem_read_trylock() (bsc#1207270
jsc#PED-4567).
- commit 23252c2
- rwsem: Implement down_read_interruptible (bsc#1207270
jsc#PED-4567).
- commit 07e26fd
- rwsem: Implement down_read_killable_nested (bsc#1207270
jsc#PED-4567).
- commit 42f4ca4
- locking/rwsem: Prepare for a rwsem backport
The rwsem backport will enable the kernel to run on large VMs in Azure
(M416v2, M832v2). The rwsem code is going to be updated with newest
features one of which disables optimistic spinning for readers.
- blacklist.conf: Remove an entry that is part of the backported
patch set.
- Delete
patches.suse/locking-rwsem-Disable-reader-optimistic-spinning.patch.
- commit d354394
- ipv6: rpl: Fix Route of Death (CVE-2023-2156 bsc#1211131).
- commit 5601bfa
- x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569).
- commit f2c709c
- x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569).
- commit ef6bc71
- x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569).
- commit a905016
- x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569).
- Refresh patches.suse/x86-cpufeatures-add-kabi-padding.patch.
- commit f39cd8f
- x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569).
- commit 5d6a6a0
- x86: Sanitize linker script (bsc#1213287, CVE-2023-20569).
- commit 8ff4f99
- x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569).
- commit e623809
- x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569).
- commit 707be59
- kernel-binary.spec.in: Remove superfluous %% in Supplements
Fixes: 02b7735e0caf ("rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs")
- commit 264db74
- net/sched: sch_qfq: account for stab overhead in qfq_enqueue
(CVE-2023-3611 bsc#1213585).
- net/sched: sch_qfq: refactor parsing of netlink parameters
(bsc#1213585).
- blacklist follow-up commit 158810b261d0 ("net/sched: sch_qfq: reintroduce
lmax bound check for MTU") as unlike the original upstream commit, our
backport does not remove the check
- commit 609da2e
- net/sched: cls_u32: Fix reference counter leak leading to
overflow (CVE-2023-3609 bsc#1213586).
- commit b22e9b9
- net/sched: cls_fw: Fix improper refcount update leads to
use-after-free (CVE-2023-3776 bsc#1213588).
- commit b7fc513
- vc_screen: don't clobber return value in vcs_read (bsc#1213167
CVE-2023-3567).
- vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167
CVE-2023-3567).
- vc_screen: move load of struct vc_data pointer in vcs_read()
to avoid UAF (bsc#1213167 CVE-2023-3567).
- commit da930b7
- block, bfq: Fix division by zero error on zero wsum
(bsc#1213653).
- commit 67879a5
- x86/xen: Fix secondary processors' FPU initialization (bsc#1206418, CVE-2022-40982).
- commit 8a9c409
- x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1206418, CVE-2022-40982).
- commit d9e45bd
- x86/fpu: Mark init functions __init (bsc#1206418, CVE-2022-40982).
- commit 613212d
- x86/fpu: Remove cpuinfo argument from init functions (bsc#1206418).
- commit 82c61db
- init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1206418).
- commit 6fb5f8f
- init: Invoke arch_cpu_finalize_init() earlier (bsc#1206418).
- commit 8ef61c6
- init: Remove check_bugs() leftovers (bsc#1206418).
- commit a639423
- ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit cbb96e9
- x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit 7fa4777
- x86/mm: Initialize text poking earlier (bsc#1206418, CVE-2022-40982).
- Refresh patches.suse/init-provide-arch_cpu_finalize_init.patch.
- commit 9784a5e
- init: Provide arch_cpu_finalize_init() (bsc#1206418).
- commit f81d332
- x86/mm: fix poking_init() for Xen PV guests (bsc#1206418, CVE-2022-40982).
- commit b12d1bf
- x86/mm: Use mm_alloc() in poking_init() (bsc#1206418, CVE-2022-40982).
- commit 9a1d45f
- net: tun: fix bugs for oversize packet when napi frags enabled
(bsc#1213543 CVE-2023-3812).
- commit 5e9be17
- netfilter: nf_tables: do not ignore genmask when looking up
chain by id (CVE-2023-31248 bsc#1213061).
- commit 414921d
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
(CVE-2023-35001 bsc#1213059).
- commit b0acbe2
- uaccess: Add speculation barrier to copy_from_user()
(bsc#1211738 CVE-2023-0459).
- commit 93eec59
- netfilter: nf_tables: incorrect error path handling with
NFT_MSG_NEWRULE (CVE-2023-3390 CVE-2023-3117 bsc#1212846
bsc#1213245).
- commit 176a7df
- KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982).
- commit 6550823
- x86/speculation: Add Kconfig option for GDS (bsc#1206418, CVE-2022-40982).
- commit eb94624
- x86/speculation: Add force option to GDS mitigation (bsc#1206418, CVE-2022-40982).
- commit 79691d3
- x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982).
- commit 74a70bc
- ocfs2: fix defrag path triggering jbd2 ASSERT (bsc#1199304).
- ocfs2: fix a deadlock when commit trans (bsc#1199304).
- jbd2: export jbd2_journal_[grab|put]_journal_head (bsc#1199304).
- ocfs2: fix race between searching chunks and release
journal_head from buffer_head (bsc#1199304).
- commit f86bdfe
- Refresh
patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch.
- commit d8b8cf8
- x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593).
- commit c2a9155
- x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593).
- commit d7a9bc3
- rpm: Update dependency to match current kmod.
- commit d687dc3
- keys: Do not cache key in task struct if key is requested from
kernel thread (bsc#1213354).
- commit 0121b9a
- net: mana: Add support for vlan tagging (bsc#1212301).
- commit 613e87e
- fs: hfsplus: fix UAF issue in hfsplus_put_super (bsc#1211867, CVE-2023-2985).
- commit e01b911
- rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME
They depend on CONFIG_TOOLCHAIN_HAS_*.
- commit 1007103
- ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size (bsc#1210584).
- ubi: ensure that VID header offset + VID header size <= alloc,
size (bsc#1210584).
- commit 8f5f025
- Remove more packaging cruft for SLE < 12 SP3
- commit a16781c
- Get module prefix from kmod (bsc#1212835).
- commit f6691b0
- rpm/check-for-config-changes: ignore also PAHOLE_HAS_*
We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE.
- commit 86b52c1
- usrmerge: Adjust module path in the kernel sources (bsc#1212835).
With the module path adjustment applied as source patch only
ALP/Tumbleweed kernel built on SLE/Leap needs the path changed back to
non-usrmerged.
- commit dd9a820
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
CVE-2023-3090).
- commit ddb6922
- x86/build: Avoid relocation information in final vmlinux
(bsc#1187829).
- commit 88b515e
- Refresh
patches.suse/cifs-fix-open-leaks-in-open_cached_dir.patch.
s/sync_hdr/hdr/ - fix build breakage on CONFIG_CIFS_DEBUG2=y.
- commit c3cb631
- kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741).
- commit 95a40a6
- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
bsc#1212606 CVE-2023-3358).
- commit 7077c4f
- usb: gadget: udc: renesas_usb3: Fix use after free bug
in renesas_usb3_remove due to race condition (bsc#1212513
CVE-2023-35828).
- commit 1f06f62
- binfmt_elf: Take the mmap lock when walking the VMA list
(bsc#1209039 CVE-2023-1249).
- commit 3f46ff2
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
(bsc#1210533 CVE-2023-2002).
- commit cb86eb0
- relayfs: fix out-of-bounds access in relay_file_read
(bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
(bsc#1212502 CVE-2023-3268).
- commit 73e4027
- media: dm1105: Fix use after free bug in dm1105_remove due to
race condition (bsc#1212501 CVE-2023-35824).
- commit 0c9d507
- media: saa7134: fix use after free bug in saa7134_finidev due
to race condition (bsc#1212494 CVE-2023-35823).
- commit 61b38d8
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
(CVE-2023-35788 bsc#1212504).
- commit 865936b
- Drop a buggy dvb-core fix patch (bsc#1205758)
Also the kabi workaround is dropped, too
- commit 7ace3fb
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 82c30e2
- kernel-docs: Add buildrequires on python3-base when using python3
The python3 binary is provided by python3-base.
- commit c5df526
- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 6f6d21f
- Move setting %%build_html to config.sh
- commit 3f65cd5
- memstick: r592: Fix UAF bug in r592_remove due to race condition
(CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 4d760e7
- firewire: fix potential uaf in outbound_phy_packet_callback()
(CVE-2023-3159 bsc#1212128).
- commit 444321d
- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5
- Move setting %%split_optional to config.sh
- commit 4519250
- Move setting %%supported_modules_check to config.sh
- commit d9c64aa
- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050
- rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm
- commit 334fb4d
- Also include kernel-docs build requirements for ALP
- commit 114d088
- Move the kernel-binary conflicts out of the spec file.
Thie list of conflicting packages varies per release.
To reduce merge conflicts move the list out of the spec file.
- commit 4d81125
- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit a8f82d0
- Avoid unsuported tar parameter on SLE12
- commit f11765a
- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
(bsc#1211519).
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
(bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path
(bsc#1211519).
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "droping" -> "dropping" (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit 5088617
- Move obsolete KMP list into a separate file.
The list of obsoleted KMPs varies per release, move it out of the spec
file.
- commit 016bc55
- Trim obsolete KMP list.
SLE11 is out of support, we do not need to handle upgrading from SLE11
SP1.
- commit 08819bb
- Generalize kernel-doc build requirements.
- commit 23b058f
- kernel-binary: Add back kernel-default-base guarded by option
Add configsh option for splitting off kernel-default-base, and for
not signing the kernel on non-efi
- commit 28c22af
- net: rpl: fix rpl header size calculation (CVE-2023-2156
bsc#1211131).
- commit 884cd15
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- commit 6cf7013
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32
- Fix usrmerge error (boo#1211796)
- commit da84579
- Update References
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
(bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 23e11e7
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
CVE-2022-3566).
- commit d1f836b
- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
Besides Makefile depmod.sh needs to be patched to prefix /lib/modules.
Requires corresponding patch to kmod.
- commit b8e00c5
- Update
patches.suse/netfilter-x_tables-use-correct-memory-barriers.patch
(bsc#1184208 CVE-2021-29650 bsc#1211596 CVE-2020-36694).
- commit 0092ed2
- HID: asus: use spinlock to safely schedule workers (bsc#1208604
CVE-2023-1079).
- commit df4ce9a
- HID: asus: use spinlock to protect concurrent accesses
(bsc#1208604 CVE-2023-1079).
- commit 4b7a2e4
- ipv6: sr: fix out-of-bounds read when setting HMAC data
(bsc#1211592).
- commit f37c1a1
- power: supply: bq24190: Fix use after free bug in bq24190_remove
due to race condition (CVE-2023-33288 bsc#1211590).
- commit 3e2047c
- kernel-source: Remove unused macro variant_symbols
- commit 915ac72
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
bsc#1205758).
- commit c99685c
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
(CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
dvb_frontend (CVE-2022-45885 bsc#1205758).
- commit f5d1bea
- media: dvbdev: fix error logic at dvb_register_device()
(CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
(CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
implementation (CVE-2022-45884 bsc#1205756).
- commit fa580d0
- net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit eeb865d
- i2c: xgene-slimpro: Fix out-of-bounds bug in
xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit e9b03ca
- netrom: Fix use-after-free caused by accept on already
connected socket (bsc#1211186 CVE-2023-32269).
- commit e76516d
- SUNRPC: Ensure the transport backchannel association
(bsc#1211203).
- commit db18275
- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd
- netfilter: nf_tables: deactivate anonymous set from preparation
phase (CVE-2023-32233 bsc#1211043).
- commit 8d253dc
- act_mirred: use the backlog for nested calls to mirred ingress
(CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: better wording on protection against
excessive stack growth (CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: refactor the handle of xmit
(CVE-2022-4269 bsc#1206024).
- commit c36d39a
- wifi: brcmfmac: slab-out-of-bounds read in
brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 238a208
- Remove obsolete rpm spec constructs
defattr does not need to be specified anymore
buildroot does not need to be specified anymore
- commit c963185
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
obsoletes correctly (boo#1172073 bsc#1191731).
rpm only supports full length release, no provides
- commit c9b5bc4
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
(bsc#1206878 bsc#1211105 CVE-2023-2513).
- commit 2a8658b
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
bsc#1211105 CVE-2023-2513).
- commit 880db90
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20
- net: qcom/emac: Fix use after free bug in emac_remove due to
race condition (bsc#1211037 CVE-2023-2483).
- commit d3abec2
- Update patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
Fix the missing the bsc# prefix for the bug number in the References tag.
- commit 704a6c4
- timens: Forbid changing time namespace for an io_uring process
(bsc#1208474 CVE-2023-23586).
- commit 89cf4b3
- s390,dcssblk,dax: Add dax zero_page_range operation to dcssblk
driver (bsc#1199636).
- commit 6a9faa3
- xfs: verify buffer contents when we skip log replay (bsc#1210498
CVE-2023-2124).
- commit 8eed3d3
- io_uring: prevent race on registering fixed files (1210414
CVE-2023-1872).
- commit e53cfa3
- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
(bsc#1206992 CVE-2022-2196).
- commit f66a218
- keys: Fix linking a duplicate key to a keyring's assoc_array
(bsc#1207088).
- commit 527a5be
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
(bsc#1209871 CVE-2023-1670).
- commit cfec974
- Drivers: vmbus: Check for channel allocation before looking
up relids (git-fixes).
- commit de13f74
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
ipaddress (bsc#1210647 CVE-2023-2162).
- commit d0a859e
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 5886145
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit 8b6288f
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit c706a03
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit 7a43827
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
- commit f513a6e
- x86/speculation: Allow enabling STIBP with legacy IBRS
(bsc#1210506 CVE-2023-1998).
- commit d03ef09
- cifs: fix negotiate context parsing (bsc#1210301).
- commit 5d87bbe
- power: supply: da9150: Fix use after free bug in
da9150_charger_remove due to race condition (CVE-2023-30772
bsc#1210329).
- commit 61aa622
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- udmabuf: add back sanity check (git-fixes bsc#1210453
CVE-2023-2008).
- commit b2b9158
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
due to race condition (CVE-2023-1855 bsc#1210202).
- commit 4401c6f
- netlink: limit recursion depth in policy validation
(CVE-2020-36691 bsc#1209613).
- Refresh
patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch.
- commit 374a1af
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 775e632
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit e27c00d
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
Fix performance problem with these patches - bsc@1210124
- commit 4dbd22d
- btrfs: fix race between quota disable and quota assign ioctls
(CVE-2023-1611 bsc#1209687).
- commit 3fdcd22
- Fix double fget() in vhost_net_set_backend() (bsc#1210203
CVE-2023-1838).
- commit 7e671a8
- Define kernel-vanilla as source variant
The vanilla_only macro is overloaded. It is used for determining if
there should be two kernel sources built as well as for the purpose of
determmioning if vanilla kernel should be used for kernel-obs-build.
While the former can be determined at build time the latter needs to be
baked into the spec file template. Separate the two while also making
the latter more generic.
$build_dtbs is enabled on every single rt and azure branch since 15.3
when the setting was introduced, gate on the new $obs_build_variant
setting as well.
- commit 36ba909
- series.conf: cleanup
- update upstream references and resort:
- patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- commit 9bae747
- net/ulp: use consistent error code when blocking ULP
(CVE-2023-0461 bsc#1208787).
- net/ulp: prevent ULP without clone op from entering the LISTEN
status (CVE-2023-0461 bsc#1208787).
- commit 028f0fd
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE
This new form was added in commit e89c2e815e76 ("riscv: Handle
zicsr/zifencei issues between clang and binutils").
- commit 234baea
- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
CVE-2023-28772).
- commit 5c5e4d3
- PCI: hv: Add a per-bus mutex state_lock (bsc#1209785).
- Revert "PCI: hv: Fix a timing issue which causes kdump to fail
occasionally" (bsc#1209785).
- PCI: hv: Remove the useless hv_pcichild_state from struct
hv_pci_dev (bsc#1209785).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
cause panic (bsc#1209785).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
(bsc#1209785).
- commit 6b9e385
- kvm: initialize all of the kvm_debugregs structure before
sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit bd9c11d
- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
CVE-2023-28464).
- commit 677d920
- net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
(bsc#1209366 CVE-2023-28466).
- commit 5f7c4a6
- Move ENA upstream fix to sorted section.
- commit aff6c71
- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 50ba48b
- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
CVE-2023-1390).
- commit b2c1533
- tun: avoid double free in tun_free_netdev (bsc#1209635
CVE-2022-4744).
- commit c5cf205
- net/sched: tcindex: update imperfect hash filters respecting
rcu (CVE-2023-1281 bsc#1209634).
- commit 97b3f9d
- fs/proc: task_mmu.c: don't read mapcount for migration entry
(CVE-2023-1582, bsc#1209636).
- commit 35d5c42
- af_unix: Get user_ns from in_skb in unix_diag_get_exact()
(bsc#1209290 CVE-2023-28327).
- commit 000517c
- netlink: prevent potential spectre v1 gadgets (bsc#1209547
CVE-2017-5753).
- commit cec3f24
- tipc: add an extra conn_get in tipc_conn_alloc (bsc#1209288
CVE-2023-1382).
- commit 6a58da4
- tipc: set con sock in tipc_conn_alloc (bsc#1209288
CVE-2023-1382).
- commit 06eaf34
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit 890554b
- media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
(bsc#1209291 CVE-2023-28328).
- commit af7b7eb
- rpm/group-source-files.pl: Fix output difference when / is in location
While previous attempt to fix group-source-files.pl in 6d651362c38
"rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"
breaks the infinite loop, it does not properly address the issue. Having
prefixed and/or postfixed forward slash still result in different
output.
This commit changes the script to use the Perl core module File::Spec
for proper path manipulation to give consistent output.
- commit 4161bf9
- Require suse-kernel-rpm-scriptlets at all times.
The kernel packages call scriptlets for each stage, add the dependency
to make it clear to libzypp that the scriptlets are required.
There is no special dependency for posttrans, these scriptlets run when
transactions are resolved. The plain dependency has to be used to
support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
Also update mkinitrd refrences in documentation and comments.
- commit e356c9b
- prlimit: do_prlimit needs to have a speculation check
(bsc#1209256 CVE-2017-5753).
- commit a2ac7fb
- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4
- rds: rds_rm_zerocopy_callback() correct order for
list_add_tail() (CVE-2023-1078 bsc#1208601).
- rds: rds_rm_zerocopy_callback() use list_first_entry()
(CVE-2023-1078 bsc#1208601).
- commit ec0c93c
- net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075
bsc#1208598).
- commit d651270
- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
(CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
(CVE-2023-1095 bsc#1208777).
- commit b65b67b
- cifs: fix use-after-free caused by invalid pointer `hostname`
(bsc#1208971).
- commit d1a37f1
- HID: bigben: use spinlock to safely schedule workers
(CVE-2023-25012 bsc#1207560).
- HID: bigben_worker() remove unneeded check on report_field
(CVE-2023-25012 bsc#1207560).
- HID: bigben: use spinlock to protect concurrent accesses
(CVE-2023-25012 bsc#1207560).
- commit 3c79258
- malidp: Fix NULL vs IS_ERR() checking (bsc#1208843
CVE-2023-23004).
- commit a8f9557
- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89
- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
When the source file location provided with -L is either prefixed or
postfixed with forward slash, the script get stuck in a infinite loop
inside calc_dirs() where $path is an empty string.
user@localhost:/tmp> perl "$HOME/group-source-files.pl" -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
...
path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
path = /usr/src/linux-5.14.21-150500.41/Documentation
path = /usr/src/linux-5.14.21-150500.41
path = /usr/src
path = /usr
path =
path =
path =
... # Stuck in an infinite loop
This workarounds the issue by breaking out the loop once path is an
empty string. For a proper fix we'd want something that
filesystem-aware, but this workaround should be enough for the rare
occation that this script is ran manually.
Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
(CVE-2023-1118 bsc#1208837).
- phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node
function (CVE-2023-23000 bsc#1208816).
- commit 52c897a
- scsi: qla2xxx: Add option to disable FC2 Target support
(bsc#1198438 bsc#1206103).
- Delete
patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch.
- commit 5959f82
- drm/virtio: Fix NULL vs IS_ERR checking in
virtio_gpu_object_shmem_init (bsc#1208776 CVE-2023-22998).
- commit 2fd8a08
- net/mlx5: DR, Fix NULL vs IS_ERR checking in
dr_domain_init_resources (bsc#1208845 CVE-2023-23006).
- commit 14082ec
- mm/slub: fix panic in slab_alloc_node() (bsc#1208023).
- commit b092aa9
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
which sets the variable for a simple command.
However, the script is no longer a simple command. Export the variable
instead.
- commit 152a069
- README.BRANCH: Update
Relieve Ivan Ivanov of his duties as branch maintainer as I am back.
- commit 1da55f1
- usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
dwc3_qcom_acpi_register_core (bsc#1208741 CVE-2023-22995).
- commit 7a31d48
- net: mpls: fix stale pointer if allocation fails during device
rename (bsc#1208700 CVE-2023-26545).
- commit 18d9ec7
- s390/kexec: fix ipl report address for kdump (bsc#1207575).
- commit 7a62f13
- x86/mm: Randomize per-cpu entry area (bsc#1207845
CVE-2023-0597).
- commit 3a695c7
- vmxnet3: move rss code block under eop descriptor (bsc#1208212).
- commit f589074
- usb: rndis_host: Secure rndis_query check against int overflow
(CVE-2023-23559 bsc#1207051).
- commit d9a137b
- net: mana: Assign interrupts to CPUs based on NUMA nodes
(bsc#1208153).
- Refresh
patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch.
- commit 342fb4d
- net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
- genirq: Provide new interfaces for affinity hints (bsc#1208153).
- commit 4d24191
- drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096)
- commit 1f21d95
- module: Don't wait for GOING modules (bsc#1196058, bsc#1186449,
bsc#1204356, bsc#1204662).
- commit 77af0b0
- drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280)
- commit f246cad
- Refresh
patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd.patch (bsc#1206351).
The former kABI fix only move the newly added member to scsi_host_template to
the end of the struct. But that is usually allocated statically, even by 3rd
party modules relying on kABI. Before we use the member we need to signalize
that it is to be expected. As we only expect it to be allocated by in-tree
modules that we can control, we can use a space in the bitfield to signalize
that.
- commit 0e772e8
- net: mana: Fix IRQ name - add PCI and queue number
(bsc#1207875).
- commit f2c8c19
- x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773
CVE-2023-0045).
- commit baf6bec
- net: ena: optimize data access in fast-path code (bsc#1208137).
- commit 09cfdc0
- net: sched: fix race condition in qdisc_graft() (CVE-2023-0590
bsc#1207795).
- net_sched: add __rcu annotation to netdev->qdisc (CVE-2023-0590
bsc#1207795).
- commit c6f042b
- Update
patches.suse/net-mlx5-Allocate-individual-capability.patch
(bsc#1195175).
- Update
patches.suse/net-mlx5-Dynamically-resize-flow-counters-query-buff.patch
(bsc#1195175).
- Update
patches.suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len.patch
(bsc#1195175).
- Update
patches.suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size.patch
(bsc#1195175).
- Update
patches.suse/net-mlx5-Reorganize-current-and-maximal-capabilities.patch
(bsc#1195175).
- Update
patches.suse/net-mlx5-Use-order-0-allocations-for-EQs.patch
(bsc#1195175).
Fixed bugzilla reference.
- commit e56868b
Package krb5 was updated:
- Ensure array count consistency in kadm5 RPC; (bsc#1214054); (CVE-2023-36054);
- Added patches:
* 0011-Ensure-array-count-consistency-in-kadm5-RPC.patch
Package libX11 was updated:
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch * Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
Package gcc12 was updated:
- Add gcc12-aarch64-bsc1214052.patch to fix -fstack-protector issues with variable length stack allocations on aarch64.
Fixes CVE-2023-4039. [bsc#1214052]
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression bug fixes
- Add gcc12-testsuite-fixes.patch to pick testsuite related fixes
from the branch after the release.
- Speed up builds with --enable-link-serialization.
- Update to gcc-12 branch head, 193f7e62815b4089dfaed4c2bd3, git749
- Don't rely on %usrmerged, set it based on standard %suse_version
- Update to gcc-12 branch head, e4b5fec75aa8d0d01f6e042ec28, git696
* remove gcc12-fifo-jobserver-support.patch which is now
included upstream
- avoid trailing backslashes at the end of post install scripts
- Update to gcc-12 branch head, 0aaef83351473e8f4eb774f8f99, git537
- Update embedded newlib to version 4.2.0
* includes newlib-4.1.0-aligned_alloc.patch
- add gcc12-riscv-inline-atomics.patch,
gcc12-riscv-pthread.patch: handle subword size inline atomics
(needed by several openSUSE packages)
Package avahi was updated:
- Add avahi-CVE-2023-1981.patch: emit error if requested service is not found (boo#1210328 CVE-2023-1981).
Package util-linux was updated:
- Add upstream patch fix-lib-internal-cache-size.patch bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
Package libcap was updated:
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
Package c-ares was updated:
- Update to version 1.19.1 Security:
* CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
(bsc#1211604)
* CVE-2023-31147 Moderate. Insufficient randomness in generation
of DNS query IDs (bsc#1211605)
* CVE-2023-31130. Moderate. Buffer Underwrite in
ares_inet_net_pton() (bsc#1211606)
* CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
during cross compilation (bsc#1211607)
Bug fixes:
* Fix uninitialized memory warning in test
* ares_getaddrinfo() should allow a port of 0
* Fix memory leak in ares_send() on error
* Fix comment style in ares_data.h
* Fix typo in ares_init_options.3
* Sync ax_pthread.m4 with upstream
* Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
Package cryptsetup was updated:
- luksFormat: Handle system with low memory and no swap space [bsc#1211079] * Check for physical memory available also in PBKDF benchmark.
* Try to avoid OOM killer on low-memory systems without swap.
* Use only half of detected free memory on systems without swap.
* Add patches:
- cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
- cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
- cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
Package libdb-4_8 was updated:
Package libeconf was updated:
- Additional info for version 0.5.2: * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
* Fixed a stack-buffer-overflow vulnerability in "read_file"
function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)
- Update to version 0.5.2:
* Fixed build for aarch64 and gcc13.
* Making the output verbose when a test fails.
* Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
function.
* Fixed a stack-buffer-overflow vulnerability in "read_file"
function.
* Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
Sets a list of directory structures (with order) which describes
the directories in which the files have to be parsed.
E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
directories will be parsed:
"<default_dirs>/<project_name>.<suffix>.d/"
"<default_dirs>/<project_name>/conf.d/"
"<default_dirs>/<project_name>.d/"
"<default_dirs>/<project_name>/"
The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
automatically.
* General code cleanup.
- Update to version 0.5.1:
* Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
there is a /etc/_example_._suffix_ file. (#175)
- Update to version 0.5.0:
* API calls econf_read*WithCallback supporting a general (void *)
argument for user defined data with which the callback function is
called.
* Tagged following functions deprecated:
econf_requireOwner, econf_requireGroup, econf_requirePermissions,
econf_followSymlinks, econf_reset_security_settings
Use one of the econf_read*WithCallback functions instead.
- Update to version 0.4.9:
* libeconf.h: added missing sys/types.h header (#171)
* new API calls: econf_readFileWithCallback,
econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
* Checking NULL comment parameter in the parsing functions.
- Update to version 0.4.8+git20221114.7ff7704:
* Parsing files which are containing keys only (#170)
All delimiters are allowed now : "", " =", " ", "=". But the
user should use "" in order to be distinct.
* /usr/etc/shells.d/<file_name> will not be parsed if
/etc/shells.d/<file_name> is defined too.
* Lto build fixed (#168)
* New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
econf_set_delimiter_tag
* Checking UID,GroupID, permissions,... of the parsed files (#165)
New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
econf_followSymlinks
* Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
* Error handling improved for nums and booleans (#163)
- Update to version 0.4.6+git20220427.3016f4e:
* econftool:
* * Parsing error: Reporting file and line nr.
* * --delimeters=spaces Taking all kind of spaces for delimiter
* libeconf:
Fixed bsc#1198165: Parsing files correctly which have space characters
AND none space characters as delimiters.
- Update to version 0.4.5+git20220406.c9658f2:
* econftool:
* * New call "syntax" for checking the configuration files only.
Returns an error string with line number if an error occurs.
* * New options "--comment" and "--delimeters"
* * Parsing one file only if needed.
Package mozilla-nss was updated:
- update to NSS 3.90 * bmo#1623338 - ride along: remove a duplicated doc page
* bmo#1623338 - remove a reference to IRC
* bmo#1831983 - clang-format lib/freebl/stubs.c
* bmo#1831983 - Add a constant time select function
* bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* bmo#1830973 - output early build errors by default
* bmo#1804505 - Update the technical constraints for KamuSM
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
* bmo#1790763 - Enable default UBSan Checks
* bmo#1786018 - Add explicit handling of zero length records
* bmo#1829391 - Tidy up DTLS ACK Error Handling Path
* bmo#1786018 - Refactor zero length record tests
* bmo#1829112 - Fix compiler warning via correct assert
* bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
* bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* bmo#1784163 - Fix reading raw negative numbers
* bmo#1748237 - Repairing unreachable code in clang built with gyp
* bmo#1783647 - Integrate Vale Curve25519
* bmo#1799468 - Removing unused flags for Hacl*
* bmo#1748237 - Adding a better error message
* bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* bmo#1782980 - Fall back to the softokn when writing certificate trust
* bmo#1806010 - FIPS-104-3 requires we restart post programmatically
* bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
* bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
* bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
* bmo#1822076 - fix rst warnings in nss doc
* bmo#1821997 - Fix incorrect pygment style
* bmo#1821292 - Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
* bmo#1804505 - Update the technical constraints for KamuSM.
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
* bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* bmo#1820175 - PR_STATIC_ASSERT is cursed
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1820175 - Fix unreachable code warning in fuzz builds
* bmo#1820175 - Fix various compiler warnings in NSS
* bmo#1820175 - Enable various compiler warnings for clang builds
* bmo#1815136 - set PORT error after sftk_HMACCmp failure
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
* bmo#1804660 - Make high tag number assertion failure an error
* bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
length from 284 to 384
* bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
* bmo#1789436 - Fix build failure on Windows
* bmo#1811337 - migrate Win 2012 tasks to Azure
* bmo#1810702 - fix title length in doc
* bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
* bmo#1570615 - Add presence/absence tests for TLS GREASE
* bmo#1804688 - Correct addition of GREASE value to ALPN xtn
* bmo#1789436 - CH extension permutation
* bmo#1570615 - TLS GREASE (RFC8701)
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
- update to NSS 3.88.1
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* bmo#1212915 - Add check for ClientHello SID max length
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
Session(IDs|Tickets) if ECH configs are setup
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
ciphersuites hash algorithm
* bmo#1789410 - ECH client: Send ech_required alert on server
negotiating TLS 1.2. Fixed misleading Gtest,
enabled corresponding BoGo test
* bmo#1771100 - Added Bogo ECH rejection test support
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
* bmo#1747957 - RSA OAEP Wycheproof JSON
* bmo#1747957 - RSA decrypt Wycheproof JSON
* bmo#1747957 - ECDSA Wycheproof JSON
* bmo#1747957 - ECDH Wycheproof JSON
* bmo#1747957 - PKCS#1v1.5 wycheproof json
* bmo#1747957 - Use X25519 wycheproof json
* bmo#1766767 - Move scripts to python3
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
* bmo#1805907 - Extending RSA-PSS bltest test coverage
(Adding SHA-256 and SHA-384)
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
* bmo#1805815 - Add initial testing with ACVP vector sets using
acvp-rust
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
* bmo#1803226 - NULL password encoding incorrect
* bmo#1804071 - Fix rng stub signature for fuzzing builds
* bmo#1803595 - Updating the compiler parsing for build
* bmo#1749030 - Modification of supported compilers
* bmo#1774654 - tstclnt crashes when accessing gnutls server
without a user cert in the database.
* bmo#1751707 - Add configuration option to enable source-based
coverage sanitizer
* bmo#1751705 - Update ECCKiila generated files.
* bmo#1730353 - Add support for the LoongArch 64-bit architecture
* bmo#1798823 - add checks for zero-length RSA modulus to avoid
memory errors and failed assertions later
* bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
* bmo#1792821 - Modification of the primes.c and dhe-params.c in
order to have better looking tables
* bmo#1796815 - Update zlib in NSS to 1.2.13
* bmo#1796504 - Skip building modutil and shlibsign when building
in Firefox
* bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
* bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
* bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
and -Wtype-limits warnings
* bmo#1796281 - Followup: add missing stdint.h include
* bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
* bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
warnings on Windows
* bmo#1796079 - Fix -Wstring-conversion warnings
* bmo#1796075 - Fix -Wempty-body warnings
* bmo#1795242 - Fix unused-but-set-parameter warning
* bmo#1795241 - Fix unreachable-code warnings
* bmo#1795222 - Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
- update to NSS 3.84
* bmo#1791699 - Bump minimum NSPR version to 4.35
* bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
* bmo#1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
* bmo#1563221 - remove older oses that are unused part3/ BeOS
* bmo#1563221 - remove older unix support in NSS part 3 Irix
* bmo#1563221 - remove support for older unix in NSS part 2 DGUX
* bmo#1563221 - remove support for older unix in NSS part 1 OSF
* bmo#1778413 - Set nssckbi version number to 2.58
* bmp#1785297 - Add two SECOM root certificates to NSS
* bmo#1787075 - Add two DigitalSign root certificates to NSS
* bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
* bmo#1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
* bmo#1779361 - Removed skipping of ECH on equality of private and
public server name
* bmo#1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
* bmo#1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
* bmo#1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* bmo# 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
* bmo#1771100 - Update BoGo tests to recent BoringSSL version
* bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
* bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
* bmo#1784724 - Initialize local variables in
TlsConnectTestBase::ConnectAndCheckCipherSuite
* bmo#1784191 - Cast the result of GetProcAddress
* bmo#1681099 - pk11wrap: Tighten certificate lookup based on
PKCS #11 URI.
- update to NSS 3.81
* bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
* bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
* bmo#1779285 - Add no_application_protocol alert handler and
test client error code is set
* bmo#1777672 - Gracefully handle null nickname in
CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
sufficient (boo#1202118)
- update to NSS 3.80
* bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* bmo#1617956 - Add support for asynchronous client auth hooks.
* bmo#1497537 - nss-policy-check: make unknown keyword check optional.
* bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* bmo#1773022 - Mark 3.79 as an ESR release.
* bmo#1764206 - Bump nssckbi version number for June.
* bmo#1759815 - Remove Hellenic Academic 2011 Root.
* bmo#1770267 - Add E-Tugra Roots.
* bmo#1768970 - Add Certainly Roots.
* bmo#1764392 - Add DigitCert Roots.
* bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
* bmo#1366464 - Compare signature and signatureAlgorithm fields in
legacy certificate verifier.
* bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
* bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1760998 - Avoid data race on primary password change.
* bmo#1769063 - Replace ppc64 dcbzl intrinisic.
* bmo#1771036 - Allow LDFLAGS override in makefile builds.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
fixes to PBKDF2 parameter validation.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
validate extra PBKDF2 parameters according to FIPS 140-3.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
excess code.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
checks. Thanks to Martin for the DHKey parts.
- Add manpages to mozilla-nss-tools (bsc#1208242)
Package freetype2 was updated:
- Added patch: * CVE-2023-2004.patch
+ fixes bsc#1210419, CVE-2023-2004: Integer overflow
Package harfbuzz was updated:
- Add CVE-2023-25193.patch: limit how far we skip when looking back (bsc#1207922 CVE-2023-25193).
Package libjansson was updated:
- Update to 2.14 (boo#1201817): * New Features:
+ Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
corresponding `nocheck` functions.
+ Add jansson_version_str() and jansson_version_cmp() for runtime
version checking
+ Add json_object_update_new(), json_object_update_existing_new()
and json_object_update_missing_new() functions
+ Add json_object_update_recursive()
+ Add `json_pack()` format specifiers s*, o* and O* for values
that can be omitted if null (#339).
+ Add `json_error_code()` to retrieve numeric error codes
(#365, #380, #381).
+ Enable thread safety for `json_dump()` on all systems.
Enable thread safe `json_decref()` and `json_incref()` for
modern compilers (#389).
+ Add `json_sprintf()` and `json_vsprintf()` (#393).
* Fixes:
+ Handle `sprintf` corner cases.
+ Add infinite loop check in json_deep_copy()
+ Enhance JANSSON_ATTRS macro to support earlier C standard(C89)
+ Update version detection for sphinx-build
+ Fix error message in `json_pack()` for NULL object (#409).
+ Avoid invalid memory read in `json_pack()` (#421).
+ Call va_end after va_copy in `json_vsprintf()` (#427).
+ Improve handling of formats with '?' and '*' in `json_pack()`
(#438).
+ Remove inappropriate `jsonp_free()` which caused
segmentation fault in error handling (#444).
+ Fix incorrect report of success from `json_dump_file()` when
an error is returned by `fclose()` (#359).
+ Make json_equal() const-correct (#344).
+ Fix incomplete stealing of references by `json_pack()` (#374)
- Use GitHub as source URLs: Release hasn't been uploaded to digip.org.
- Add check section.
Package openldap2 was updated:
- bsc#1212260 - crash in libldap when non-ldap data responds * 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
* 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
Package ldb was updated:
- Remove no longer needed ldb-memory-bug-15096-4.15-ldbonly.patch- Add cve-2023-0614.patch: Address CVE-2023-0614
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can be
discovered; (bsc#1209485); (bso#15270);
- Update to version 2.4.4
+ CVE-2022-32746 ldb: db: Use-after-free occurring in
database audit logging module; (bso#15009); (bsc#1201490).
Package liblognorm was updated:
- Upgrade to liblognorm v2.0.6 (jsc#PED-4883) * 2018-11-02: nitfixes: issues deteced by CodeFactor.com
* 2018-11-01: more cleanup of shell scripting
* 2018-10-31: cleanup shell scripting
* 2018-10-26: implement Checkpoint LEA transfer format
* 2018-10-31: fix mising shebangs in test scripts
* 2018-10-30: fix some bash style nits
* 2018-07-15: fix very theoretic misadressing (gcc-8 warning)
* 2018-06-26: string parser: add "lazy" matching mode
* 2018-05-30: Update lognormalizer.c
* 2018-05-30: Update lognormalizer.c to support case fallthrough
* 2018-05-30: Update README
* 2018-05-10: Fix for #229 (cisco-interface-spec at end of line)
* 2018-03-21: Suppress invalid param error for name to fix #270
- Upgrade to liblognorm v2.0.5
* 2018-04-25: fix potential NULL pointer addressing
* 2018-04-07: Add test for nested user types
* 2018-04-07: Fix use after free with nested user types (#235)
* 2018-04-25: build system: fix gcc warning
* 2018-04-25: make "make check" "succeed" on solaris 10
* 2018-04-16: fix build warnings with some newer compilers
* 2018-04-16: remove dead code
* 2018-04-16: fix potential memory leaks during config processing
* 2018-04-16: fix memory leak during config processing
* 2018-04-16: csv encoder: fix format error when processing arrays
* 2018-03-29: Explicitly list supported whitespace characters
* 2018-03-28: "fix" return type of unused dummy function
- replaces liblognorm-2.0.4-no-return-in-nonvoid-function.patch
* 2018-03-21: Suppress invalid param error for name to fix #270
* 2018-03-19: fix header guard
* 2018-03-06: Correct CLI options in the docs
* 2018-01-13: AIX port : added compatibility and modified lognormalizer for AIX.
* 2017-11-29: codestyle: correct line length to 120
* 2017-11-29: codestyle: set max line length to 120
* 2017-11-25: fix some very bad line length violations
* 2017-11-25: travis: temporarily permit longer line length
* 2017-10-19: make build with gcc7
* 2017-10-05: es_str2cstr leak in string-to v1 parse
Package ncurses was updated:
- Modify patch ncurses-6.1.dif * Secure writing terminfo entries by setfs[gu]id in s[gu]id
(boo#1210434, CVE-2023-29491)
* Reading is done since 2000/01/17
Package nftables was updated:
- add 0001-evaluate-reject-support-ethernet-as-L2-protocol-for-.patch: this fixes a crash in nftables if layer2 reject rules are processed (e.g.
Ethernet MAC address based reject rich rule in firewalld, bsc#1210773).
Package openssl-1_1 was updated:
- Security fix: (bsc#1213853, CVE-2023-3817) * Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_1-CVE-2023-3817.patch
- Dont pass zero length input to EVP_Cipher because assembler
optimized AES cannot handle zero size. [bsc#1213517]
* Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Add openssl-CVE-2022-4304.patch
* Removed patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
* Refreshed openssl-CVE-2023-0286.patch
- Update further expiring certificates that affect tests [bsc#1201627]
* Add openssl-Update-further-expiring-certificates.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
* Possible DoS translating ASN.1 object identifiers
* Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
Package parted was updated:
- fix null pointer dereference (bsc#1193412) - add: parted-fix-check-diskp-in-do_name.patch
- update mkpart options in manpage (bsc#1182142)
- add: parted-mkpart-manpage.patch
Package pcre2 was updated:
- Security fix: [bsc#1213514, CVE-2022-41409] * Integer overflow vulnerability in pcre2test before 10.41
allows attackers to cause a denial of service or other
unspecified impacts via negative input.
* Add pcre2-CVE-2022-41409.patch
Package postgresql15 was updated:
- Update to 15.4: * bsc#1214059, CVE-2023-39417: Disallow substituting a schema or
owner name into an extension script if the name contains a
quote, backslash, or dollar sign.
* bsc#1214061, CVE-2023-39418: Fix MERGE to enforce row security
policies properly.
* https://www.postgresql.org/docs/15/release-15-4.html
- Update to 15.3:
* bsc#1211228, CVE-2023-2454:
Prevent CREATE SCHEMA from defeating changes in search_path
* bsc#1211229, CVE-2023-2455: Enforce row-level security
policies correctly after inlining a set-returning function
* https://www.postgresql.org/docs/15/release-15-3.html
- bsc#1210303: Stop using the obsolete internal %_restart_on_update
macro and drop support for sysv init to simplify the scriptlets.
- Include -mini in Name: to avoid conflicts in the source package
name and OBS internal dependency tracking.
Package procps was updated:
- Add patch CVE-2023-4016.patch * CVE-2023-4016: ps buffer overflow (bsc#1214290)
- Add patch bsc1209122-a6c0795d.patch
* Fix for bsc#1209122 to allow `-´ as leading character to ignore
possible errors on systctl entries
Package python-base was updated:
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15, support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds nis.so as well.
Package python3 was updated:
- Add 99366-patch.dict-can-decorate-async.patch fixing gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
- Use python3 modules to build the documentation.
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
which eliminates unnecessary and dangerous calls to
PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
Package snapper was updated:
- improved responsiveness of snapperd when a btrfs quota rescan is running (see bsc#1211459)
* added pr821.patch
- avoid stale btrfs qgroups on transactional systems (bsc#1210151)
* added pr805.patch
- wait for existing btrfs quota rescans to finish (bsc#1210150)
* added pr790.patch
Package libsolv was updated:
- handle learnt rules in solver_alternativeinfo()- support x86_64_v[234] architecture levels
- implement decision sorting for package decisionlists
- add back findutils requires for the libsolv-tools packagse
[bsc#1195633]
- bump version to 0.7.24
- fix "keep installed" jobs not disabling "best update" rules
- do not autouninstall suse ptf packages
- ensure duplinvolvedmap_all is reset when a solver is reused
- special case file dependencies in the testcase writer
- support stringification of multiple solvables
- new weakdep introspection interface similar to ruleinfos
- support decision reason queries
- support merging of related decissions
- support stringification of ruleinfo, decisioninfo and decision reasons
- support better info about alternatives
- new '-P' and '-W' options for testsolv
- bump version to 0.7.23
Package libxml2 was updated:
- Security update: * [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- Security update:
* [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
isn't deterministic
- Added patch libxml2-CVE-2023-29469.patch
* [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
xmlSchemaFixupComplexType
- Added patch libxml2-CVE-2023-28484-1.patch
- Added patch libxml2-CVE-2023-28484-2.patch
- Fix changelog entries in both .changes files.
- Apply al patches correctly for libxml2 and python-libxml2.
Package libyajl was updated:
Package zlib was updated:
- Fix deflateBound() before deflateInit(), bsc#1210593 bsc1210593.patch
- Add DFLTCC support for using inflate() with a small window,
fixes bsc#1206513
* bsc1206513.patch
Package zstd was updated:
- Fix CVE-2022-4899, bsc#1209533 * Disallow empty --output-dir-flat=
- Added patch:
* Disallow-empty-output-directory.patch
Package libzypp was updated:
- Fixup changes for 17.31.16. Remove faulty reference to a bug actually fixed in 2019.
- version 17.31.20 (22)
- Fix zypp-tui/output/Out.h to build with clang.
- Fix zypp/Arch.h for clang (fixes #478)
Clang seems to have issues with picking the overload in
std::men_fn if there is a static overload of a member function.
We need to explicitely specify the correct type of the function
pointer. To make sure this would not break compiling a
application with clang that builds against libzypp this patch
works around the problem.
- version 17.31.19 (22)
- SINGLE_RPMTRANS: Respect ZYPP_READONLY_HACK when checking the
zypp-rpm lock (fixes openSUSE/openSUSE-repos#29)
- version 17.31.18 (22)
- Fix wrong filesize exceeded dl abort in zyppng::Downloader
(bsc#1213673)
In some cases when downloading very small files we can run into
issues when the URL is protected by credentials.
- version 17.31.17 (22)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Don't cleanup orphaned dirs if read-only mode was promised
(bsc#1210740)
- version 17.31.16 (22)
- Fix build against protobuf >= 22 (fixes #465, closes #466)
Port away from protobuf_generate_cpp. Upstream protobuf does not
export protobuf_generate_cpp by default anymore.
Use protobuf_generate instead, which is also available on older
versions.
- Remove SUSE < SLE11 constructs (fixes #464).
- version 17.31.15 (22)
- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- version 17.31.14 (22)
- curl: Trim user agent string (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. Violation
results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 17.31.13 (22)
- Do not unconditionally release a medium if provideFile failed
(bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing.
- version 17.31.12 (22)
- MediaCurl: Fix endless loop if wrong credentials are stored in
credentials.cat (bsc#1210870)
Since libzypp-17.31.7 wrong credentials stored in credentials.cat
may lead to an endless loop. Rather than asking for the right
credentials, the stored ones are used again and again.
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
(bsc#1208329)
Maximum time in seconds that you allow the connection phase to
the server to take. This only limits the connection phase, it has
no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- commit: Try to provide /dev fs if not present (fixes #444)
- fix build with boost 1.82.
- version 17.31.11 (22)
- fix build with boost 1.82
- BuildRequires: libsolv-devel >= 0.7.24 for x86_64_v[234]
support.
- version 17.31.10 (22)
- Workround bsc#1195633 while libsolv <= 0.7.23 is used.
- Fix potential endless loop in new ZYPP_MEDIANETWORK.
- ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors
parsed from a metalink file.
- multicurl: propagate ssl settings stored in repo url
(boo#1127591)
Closes #335.
- Teach MediaNetwork to retry on HTTP2 errors.
- fix CapDetail to return Rel::NONE if an EXPRESSION is used as a
NAMED cap.
- Capability: support parsing richdeps from string.
- defaultLoadSystem: default to LS_NOREFRESH if not root.
- Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes
[#439])
Merges rpm-software-management/rpm#2412: The bit for LZCNT is in
CPUID 0x80000001, not 1.
- Detect x86_64_v[234] architecture levels (fixes #439)
- Support x86_64_v[234] architecture levels (for #439)
- version 17.31.9 (22)
- ProgressData: enforce reporting the INIT||END state
(bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems
(bsc#1205636)
- version 17.31.8 (22)
- Hint to "zypper removeptf" to remove PTFs.
- Removing a PTF without enabled repos should always fail
(bsc#1203248)
Without enabled repos, the dependent PTF-packages would be
removed (not replaced!) as well. To remove a PTF "zypper install
- - -PTF" or a dedicated "zypper removeptf PTF" should be used.
This will update the installed PTF packages to theit latest
version.
- version 17.31.7 (22)
- Avoid calling getsockopt when we know the info already.
This patch hopefully fixes logging on WSL, getsockopt seems to
not be fully supported but the code required it when accepting
new socket connections. (for bsc#1178233)
- Enhance yaml-cpp detection (fixes #428)
- No need to redirect 'history.logfile=/dev/null' into the target.
- MultiCurl: Make sure to reset the progress function when
falling back.
- version 17.31.6 (22)
- Create '.no_auto_prune' in the package cache dir to prevent auto
cleanup of orphaned repositories (bsc#1204956)
- properly reset range requests (bsc#1204548)
- version 17.31.5 (22)
- Do not clean up MediaSetAccess before using the geoip file
(fixes #424)
- version 17.31.4 (22)
- Improve download of optional files (fixes #416)
- Do not use geoip rewrites if the repo has explicit country
settings.
- Implement geoIP feature for zypp.
This patch adds a feature to rewrite request URLs to the repo
servers by querying a geoIP file from download.opensuse.org. This
file can return a redirection target depending on the clients IP
adress, this way we can directly contact a local mirror of d.o.o
instead. The redir target stays valid for 24hrs.
This feature can be disabled in zypp.conf by setting
'download.use_geoip_mirror = false'.
- Use a dynamic fallback for BLKSIZE in downloads.
When not receiving a blocklist via metalink file from the server
MediaMultiCurl used to fallback to a fixed, relatively small
BLKSIZE. This patch changes the fallback into a dynamic value
based on the filesize using a similar metric as the MirrorCache
implementation on the server side.
- Skip media.1/media download for http repo status calc.
This patch allows zypp to skip a extra media.1/media download to
calculate if a repository needs to be refreshed. This
optimisation only takes place if the repo does specify only
downloading base urls.
- version 17.31.3 (22)
Package log4j was updated:
- Do not package the *.zip artifacts whose content is part of the multi-release jars already
- Added patch:
* log4j-java8compat.patch
+ maintain ByteBuffer and CharBuffer compatibility with java 8
- Build as multi-release jar.
- Add some logging providers which we can build with the existing
dependencies and without cycles.
- Add dependency on standalone javax.activation-api that is not
included in newer JDKs
- Update to 2.17.2
* New Features
- Limit loading of configuration via a url to https by default.
- Require log4j2.Script.enableLanguages to be specified to
enable scripting for specific languages.
- Add TB support to FileSize.
- Add the log4j-to-jul JDK Logging Bridge.
- Add org.apache.logging.log4j.core.appender.AsyncAppender.getAppenders()
to more easily port from org.apache.log4j.AsyncAppender.getAllAppenders().
- Add Configurator.setLevel(Logger, Level),
setLevel(String, String), and setLevel(Class, Level).
- Add shorthand syntax for properties configuration format for
specifying a logger level and appender refs.
- Add optional additional fields to NoSQLAppender.
* Fixed Bugs
- Flag LogManager as initiialized if the LoggerFactory is
provided as a property.
- Fix DefaultConfiguration leak in PatternLayout.
- Document that the Spring Boot Lookup requires the
log4j-spring-boot dependency.
- Fix RoutingAppender backcompat and disallow recursive
evaluation of lookup results outside of configuration
properties.
- Fix ThreadContextDataInjector initialization deadlock.
- Fix substitutions when programmatic configuration is used.
- OptionConverter could cause a StackOverflowError.
- Log4j 1.2 bridge class ConsoleAppender should extend
WriterAppender and provide better compatibility with custom
appenders.
- Log4j 1.2 bridge method NDC.inherit(Stack) should not use
generics to provide source compatibility.
- Log4j 1.2 bridge class PatternLayout is missing constants
DEFAULT_CONVERSION_PATTERN and TTCC_CONVERSION_PATTERN.
- Log4j 1.2 bridge class PropertyConfigurator should implement
Configurator.
- Log4j 1.2 bridge interface Configurator doConfigure() methods
should use LoggerRepository, not LoggerContext.
- Log4j 1.2 bridge class OptionConverter is missing
selectAndConfigure() methods.
- Log4j 1.2 bridge class Category should implement
AppenderAttachable.
- Log4j 1.2 bridge method Category.exists(String) should be
static.
- Log4j 1.2 bridge methods missing in org.apache.log4j.Category:
getDefaultHierarchy(), getHierarchy(), getLoggerRepository().
- Log4j 1.2 bridge class LogManager default constructor should
be public.
- Log4j 1.2 bridge interface org.apache.log4j.spi.RendererSupport
was in the wrong package and incomplete.
- Log4j 1.2 bridge interfaces missing from package
org.apache.log4j.spi: ThrowableRenderer,
ThrowableRendererSupport, TriggeringEventEvaluator.
- Log4j 1.2 bridge missing class org.apache.log4j.or.RendererMap.
- Log4j 1.2 bridge PropertiesConfiguration.buildAppender not
adding filters to custom appender.
- Log4j 1.2 bridge should ignore case in properties file keys.
- Log4j 1.2 bridge adds org.apache.log4j.component.helpers.Constants.
- Log4j 1.2 bridge adds org.apache.log4j.helpers.LogLog.
- Log4j 1.2 bridge adds org.apache.log4j.helpers.Loader.
- Log4j 1.2 bridge adds org.apache.log4j.spi.RootLogger.
- Log4j 1.2 bridge class Category is missing some protected
instance variables.
- Log4j 1.2 bridge adds org.apache.log4j.Hierarchy.
- Log4j 1.2 bridge methods Category.getChainedPriority() and
getEffectiveLevel() should not be final.
- Log4j 1.2 bridge adds org.apache.log4j.spi.NOPLoggerRepository
and NOPLogger.
- Log4j 1.2 bridge adds org.apache.log4j.spi.DefaultRepositorySelector.
- Log4j 1.2 bridge implements LogManager.getCurrentLoggers()
fully.
- Log4j 1.2 bridge fixes parsing filters in properties
configuration file #680.
- Log4j 1.2 bridge missing OptionConverter.instantiateByKey(
Properties, String, Class, Object).
- Log4j 1.2 bridge class org.apache.log4j.spi.LoggingEvent
missing constructors and public instance variable.
- Log4j 1.2 bridge does not support system properties in log4j.xml.
- Log4j 1.2 bridge now logs a warning instead of throwing an
NullPointerException when building a Syslog appender with a
missing "SyslogHost" param.
- Log4j 1.2 bridge should allow property and XML attributes to
start with either an upper-case or lower-case letter.
- Log4j 1.2 bridge uses the wrong default values for a
TTCCLayout.
- Log4j 1.2 bridge throws ClassCastException when using
SimpleLayout and others.
- Log4j 1.2 bridge uses the wrong file pattern for rolling file
appenders.
- Log4j 1.2 bridge throws ClassCastException when using
SimpleLayout and others.
- Log4j 1.2 bridge creates a SocketAppender instead of a
SyslogAppender.
- Log4j 1.2 bridge uses some incorrect default property values
in some appenders.
- Log4j 1.2 bridge supports the SocketAppender.
- Log4j 1.2 bridge missing DefaultThrowableRenderer.
- Log4j 1.2 bridge missing some ThrowableInformation constructors.
- Log4j 1.2 bridge missing some LocationInfo constructors.
- Log4j 1.2 bridge missed
- Log4j 1.2 bridge missed org.apache.log4j.pattern.FormattingInfo.
- Log4j 1.2 bridge missed org.apache.log4j.pattern.NameAbbreviator.
- Log4j 1.2 bridge missing UtilLoggingLevel.
- Log4j 1.2 bridge missing FormattingInfo.
- Log4j 1.2 bridge missing PatternConverter.
- Log4j 1.2 bridge missing PatternParser.
- Log4j 1.2 bridge issues with filters.
- Log4j 1.2 bridge implements most of DOMConfigurator.
- JndiManager reverts to 2.17.0 behavior: Read the system
property for each call.
- Configurator.setLevel not fetching the correct LoggerContext.
- Fix DTD error: Add missing ELEMENT for Marker.
- Fix log4j-jakarta-web service file.
- AppenderLoggingException logging any exception to a MongoDB
Appender.
- Possible NullPointerException in MongoDb4DocumentObject,
MongoDbDocumentObject, DefaultNoSqlObject.
- Trim whitespace before parsing a String into an Integer.
- Log4j 1.2 bridge throws a ClassCastException when logging a
Map with non-String keys.
- Log4j 1.2 bridge Check for non-existent appender when parsing
properties #761. Thanks to Kenny MacLeod.
- Log4j 1.2 bridge supports global threshold.
* Changes
- Change modifier of method
org.apache.logging.log4j.core.tools.Generate#generate to
public (was package private) to facilitate automated code
generation.
Package shadow was updated:
- bsc#1213189: Change lock mechanism to file locking to prevent lock files after power interruptions
- Add shadow-4.8.1-lock-mechanism.patch
- bsc#1206627: Add --prefix support to passwd, chpasswd and chage
Needed for YaST
- Add shadow-4.8.1-add-prefix-passwd-chpasswd-chage.patch
- bsc#1210507 (CVE-2023-29383):
Check for control characters
- Add shadow-CVE-2023-29383.patch
Package man was updated:
- Use inverted exit status in exec option of find command to avoid refreshing man database (boo#1155879)
- Minor corrections on %ghost /var/cache/man
Package mgr-libmod was updated:
- version 4.2.8-1 * Ignore extra metadata fields for Liberty Linux (bsc#1208908)
Package mozilla-nspr was updated:
- update to version 4.35 * fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
Package nekohtml was updated:
- Use the security patched fork at https://github.com/sparklemotion/nekohtml
- Upgrade to version 1.9.22.neko2
* fixes bsc#1198739, CVE-2022-28366, bsc#1198404, CVE-2022-24839
- Fetch tarball using source service
- Modified patches:
* 0002-Jar-paths.patch -> 0001-Jar-paths.patch
* 0003-Add-OSGi-attributes.patch -> 0002-Add-OSGi-attributes.patch
+ rebase to changed context
- Build with source and target levels 8
Package nfs-utils was updated:
- Add 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch Inconsistencies in /etc/exports shouldn't be fatal.
(bsc#1212594)
- Add 0030-systemd-use-correct-modprobe-d-directory
SLE15-SP5 an earlier don't use /usr/lib/modprobe.d
(bsc#1200710)
- Add 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch
Avoid unhelpful warning if rpcsec_gss_krb5.ko not installed
- Add 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch
boo#1157881
- Add 0029-nfsd.man-fix-typo-in-section-on-scope.patch
bsc#1209859
- Allow scope to be set in sysconfig: NFSD_SCOPE
- Rename all drop-in options.conf files as 10-options.conf
This makes it easier for other packages to over-ride
with a drop-in with a later sequence number.
resource-agents does this.
(bsc#1207843)
- 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
Avoid modprobe errors when sysctl is not installed.
(bsc#1200710 bsc#1207022 bsc#1206781)
- 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch
Add "-S scope" option to rpc.nfsd to simplify fail-over cluster
config.
(bsc#1203746)
Package objectweb-asm was updated:
- Upgrade to version 9.3 * new Opcodes.V19 constant for Java 19
* new size() method in ByteVector
* checkDataFlow option in CheckClassAdapter can now be used
without valid maxStack and maxLocals values
* new Maven BOM
* bug fixes
+ 317949: fix javadoc errors
+ remap invokedynamic field handles properly
+ add missing left curly brace in ASMifier output of visitModule
- Build asm as modular jar files to be used as such by java >= 9
- Leave asm-all.jar as a non-modular jar
- Upgrade to version 9.2
* Up to JDK 18 support
* ClassReader.readStream() performance improvements
* Add some input validations in ClassReader
* Replace -debug flag in Printer with -nodebug (-debug continues
to work)
* new V15 constant
* experimental support for PermittedSubtypes and RecordComponent
* Javadoc fixes
* bug fixes
+ 317942: ClassCheckAdaptor output represents reference arrays
as only their "root" component type
+ 317921: Make Analyzer not require correct maxs or calculate
maxs fast
+ 317922: InstructionAdapter shall throw consistent exceptions
+ 317923: Incorrect documentation on ClassReader's use of
AnnotationVisitor
+ 317929: ClassRemapper doesn't remap annotation values
+ 317930: Can CheckClassAdapter.checkTypeRef throw a more
specific exception?
+ 317931: Shall CheckMethodAdapter.Method.visitLabel throw
IllegalStateException?
+ Tests that requires preview features should only run if the
preview features of the right JDK are enabled
+ 317897: AdviceAdapter incorrectly emits onMethodEnter from a
try-catch block in a constructor
+ 317900: Javadoc of ClassVisitor does not specify order of
visitRecordComponent
+ 317904: Bug with constructors in AdviceAdapter
+ 317910: Iterating over a InsnList with an iterator traverses
the list twice
+ 317898: ASM 8 does not support writing of empty records
+ 317896: Performance degradation when using dynamic constants
as a static paramet to another InDy/ConDy
+ 317885: SKIP_DEBUG now skips MethodParameters attributes
Package openssh was updated:
- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if requested to load a PKCS#11 provider that isnt a PKCS#11
provider (bsc#1213504,CVE-2023-38408)
- openssh-7.7p1-fips_checks.patch: close the right filedescriptor
to avoid fd leads, and also close fdh in read_hmac (bsc#1209536)
- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
This caused invalid and irrelevant environment assignments (bsc#1207014).
Package oro was updated:
Package perl-Bootloader was updated:
- merge gh#openSUSE/perl-bootloader#152- use signed grub EFI binary when updating grub in default EFI
location (bsc#1210799)
- check whether grub2-install supports --suse-force-signed option
- 0.944
- merge gh#openSUSE/perl-bootloader#147
- UEFI: update also default location, if it is controlled by SUSE
(bsc#1210799, bsc#1201399)
- 0.943
- merge gh#openSUSE/perl-bootloader#142
- use fw_platform_size to distinguish between 32 bit and 64 bit
UEFI platforms (bsc#1208003)
- 0.942
- merge gh#openSUSE/perl-bootloader#141
- systemd-boot: easier initial setup
- 0.941
- merge gh#openSUSE/perl-bootloader#140
- add basic support for systemd-boot
- 0.940
Package perl-Satcon was updated:
- version 4.2.3-1 * Accept keys with dots
Package perl was updated:
- enable TLS cert verification in CPAN [bnc#1210999] [CVE-2023-31484] new patch: perl-cpan_verify_cert.diff
Package postgresql13 was updated:
- Update to 13.12: * bsc#1214059, CVE-2023-39417: Disallow substituting a schema or
owner name into an extension script if the name contains a
quote, backslash, or dollar sign.
* https://www.postgresql.org/docs/13/release-13-12.html
- Update to 13.11:
* bsc#1211228, CVE-2023-2454:
Prevent CREATE SCHEMA from defeating changes in search_path
* bsc#1211229, CVE-2023-2455: Enforce row-level security
policies correctly after inlining a set-returning function
* https://www.postgresql.org/docs/13/release-13-11.html
- bsc#1210303: Stop using the obsolete internal %_restart_on_update
macro and drop support for sysv init to simplify the scriptlets.
- Include -mini in Name: to avoid conflicts in the source package
name and OBS internal dependency tracking.
Package publicsuffix was updated:
- Update to version 20230607: * util: gTLD data autopull updates for 2023-06-07T15:13:30 UTC (#1772)
* Add test workflow (#1750)
* Update of gov.pl labels (#1752)
- Update to version 20230426:
* Update public_suffix_list.dat (#1747)
* Update README.md - added link to sorting
- Update to version 20230414:
* util: gTLD data autopull updates for 2023-04-14T15:13:16 UTC (#1738)
* Change - update comments/policy for the French ccTLDs (`.fr`, `.pm`, `.re`, `.tf`, `.wf`, `.yt`) by Administrator (#1732)
* New policy for .museum, without all the SLD (Second-Level Domains) (#1729)
* Add ladesk.com (#1538)
* util: gTLD data autopull updates for 2023-03-18T15:13:12 UTC (#1723)
* util: gTLD data autopull updates for 2023-03-08T15:15:40 UTC (#1714)
* Additional ngrok domains - more `ngrok.io` from #48 + `ngrok.app` `ngrok-free.app` `ngrok.dev` `ngrok-free.dev` `ngrok.pizza` (#1653)
* Add `ie.ua` (#1597)
- Update to version 20230226:
* TLD and gTLD data updated
* add SAKURA Internet Inc. domains
* Add 3.azurestaticapps.net DNS suffix
* Add subset of Akamai domains to the PSL
* Add it.com
* Add Snowflake private domains
* add canva-apps.com and canva-apps.cn
* add fastly-edge.com
* Add Adobe Developer Platform domains
* Add autocode.dev
* update .bj
- Update to version 20221129:
* util: gTLD data autopull updates for 2022-11-29T15:14:18 UTC (#1658)
* Add activetrail.biz (#1655)
* Add `cf-ipfs.com`, `cloudflare-ipfs.com`, and `r2.dev` (#1582)
* Added mytabit.co.il; mytabit.com; (#1499)
* removing tbits.me from public suffix list (#1642)
- Update to version 20221107:
* Add myamaze.net (#1602)
* Remove gwiddle.co.uk (#1638)
* Removing domain that expired and is not used (#1643)
* util: gTLD data autopull updates for 2022-11-02T15:17:39 UTC (#1641)
* Fix typos in pull request template (#1639)
* util: gTLD data autopull updates for 2022-10-29T15:16:24 UTC (#1636)
* util: gTLD data autopull updates for 2022-10-20T15:22:14 UTC (#1632)
* util: gTLD data autopull updates for 2022-10-15T15:17:50 UTC (#1631)
* Use CentralNic model for Amazon suffixes (#1629)
* Names.of.London is no longer operating the service (#1630)
* Domains from simplesite.com used for subdomain style webhosting of individual customer websites. (#1623)
* Add Fastmail user content domain user.fm (#1601)
* util: gTLD data autopull updates for 2022-10-11T15:20:32 UTC (#1626)
* util: gTLD data autopull updates for 2022-10-07T15:19:56 UTC (#1624)
* Add *.on-acorn.io (#1578)
* Update existing Replit entries, add `firewalledreplit.co` (#1568)
* Add 2.azurestaticapps.net DNS suffix (#1604)
* Update Pull Request Form to address #1619
* Add rules for AWS Cloud9 (#1590)
* util: gTLD data autopull updates for 2022-09-15T15:17:33 UTC (#1615)
Package purge-kernels-service was updated:
Package python-cryptography was updated:
- Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931) * Don't allow update_into to mutate immutable objects
Package python-pyasn1 was updated:
- To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805)
Package python-requests was updated:
- Add CVE-2023-32681.patch to fix unintended leak of Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
Upstream commit: gh#psf/requests@74ea7cf7a6a2
Package python-urllib3 was updated:
Package python-PyJWT was updated:
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)- Drop CVE-2022-29217-non-blocked-pubkeys.patch since the issue
was fixed upstream in version 2.4.0
Package python-configobj was updated:
Package python-libxml2-python was updated:
- Security update: * [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- Security update:
* [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
isn't deterministic
- Added patch libxml2-CVE-2023-29469.patch
* [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
xmlSchemaFixupComplexType
- Added patch libxml2-CVE-2023-28484-1.patch
- Added patch libxml2-CVE-2023-28484-2.patch
- Fix changelog entries in both .changes files.
- Apply al patches correctly for libxml2 and python-libxml2.
- Add W3C conformance tests to the testsuite (bsc#1204585):
* Added file xmlts20080827.tar.gz
Package salt was updated:
- Prevent _pygit2.GitError: error loading known_hosts when $HOME is not set (bsc#1210994)- Fix ModuleNotFoundError and other issues raised by salt-support module (bsc#1211591)
- tornado: Fix an open redirect in StaticFileHandler (CVE-2023-28370, bsc#1211741)
- Added:
* 3006.0-prevent-_pygit2.giterror-error-loading-known_.patch
* fix-some-issues-detected-in-salt-support-cli-module-.patch
* tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch
- Make master_tops compatible with Salt 3000 and older minions (bsc#1212516) (bsc#1212517)
- Added:
* make-master_tops-compatible-with-salt-3000-and-older.patch
- Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754)
- Added:
* define-__virtualname__-for-transactional_update-modu.patch
- Avoid conflicts with Salt dependencies versions (bsc#1211612)
- Added:
* avoid-conflicts-with-dependencies-versions-bsc-12116.patch
- Update to Salt release version 3006.0 (jsc#PED-4360)
* See release notes: https://docs.saltproject.io/en/latest/topics/releases/3006.0.html
- Add missing patch after rebase to fix collections Mapping issues
- Add python3-looseversion as new dependency for salt
- Add python3-packaging as new dependency for salt
- Allow entrypoint compatibility for "importlib-metadata>=5.0.0" (bsc#1207071)
- Create new salt-tests subpackage containing Salt tests
- Drop conflictive patch dicarded from upstream
- Fix SLS rendering error when Jinja macros are used
- Fix version detection and avoid building and testing failures
- Prevent deadlocks in salt-ssh executions
- Require python3-jmespath runtime dependency (bsc#1209233)
- Added:
* 3005.1-implement-zypper-removeptf-573.patch
* control-the-collection-of-lvm-grains-via-config.patch
* fix-version-detection-and-avoid-building-and-testing.patch
* make-sure-the-file-client-is-destroyed-upon-used.patch
* skip-package-names-without-colon-bsc-1208691-578.patch
* use-rlock-to-avoid-deadlocks-in-salt-ssh.patch
- Modified:
* activate-all-beacons-sources-config-pillar-grains.patch
* add-custom-suse-capabilities-as-grains.patch
* add-environment-variable-to-know-if-yum-is-invoked-f.patch
* add-migrated-state-and-gpg-key-management-functions-.patch
* add-publish_batch-to-clearfuncs-exposed-methods.patch
* add-salt-ssh-support-with-venv-salt-minion-3004-493.patch
* add-sleep-on-exception-handling-on-minion-connection.patch
* add-standalone-configuration-file-for-enabling-packa.patch
* add-support-for-gpgautoimport-539.patch
* allow-vendor-change-option-with-zypper.patch
* async-batch-implementation.patch
* avoid-excessive-syslogging-by-watchdog-cronjob-58.patch
* bsc-1176024-fix-file-directory-user-and-group-owners.patch
* change-the-delimeters-to-prevent-possible-tracebacks.patch
* debian-info_installed-compatibility-50453.patch
* dnfnotify-pkgset-plugin-implementation-3002.2-450.patch
* do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
* don-t-use-shell-sbin-nologin-in-requisites.patch
* drop-serial-from-event.unpack-in-cli.batch_async.patch
* early-feature-support-config.patch
* enable-passing-a-unix_socket-for-mysql-returners-bsc.patch
* enhance-openscap-module-add-xccdf_eval-call-386.patch
* fix-bsc-1065792.patch
* fix-for-suse-expanded-support-detection.patch
* fix-issue-2068-test.patch
* fix-missing-minion-returns-in-batch-mode-360.patch
* fix-ownership-of-salt-thin-directory-when-using-the-.patch
* fix-regression-with-depending-client.ssh-on-psutil-b.patch
* fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
* fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch
* fix-the-regression-for-yumnotify-plugin-456.patch
* fix-traceback.print_exc-calls-for-test_pip_state-432.patch
* fixes-for-python-3.10-502.patch
* include-aliases-in-the-fqdns-grains.patch
* info_installed-works-without-status-attr-now.patch
* let-salt-ssh-use-platform-python-binary-in-rhel8-191.patch
* make-aptpkg.list_repos-compatible-on-enabled-disable.patch
* make-setup.py-script-to-not-require-setuptools-9.1.patch
* pass-the-context-to-pillar-ext-modules.patch
* prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
* prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch
* prevent-shell-injection-via-pre_flight_script_args-4.patch
* read-repo-info-without-using-interpolation-bsc-11356.patch
* restore-default-behaviour-of-pkg-list-return.patch
* return-the-expected-powerpc-os-arch-bsc-1117995.patch
* revert-fixing-a-use-case-when-multiple-inotify-beaco.patch
* run-salt-api-as-user-salt-bsc-1064520.patch
* run-salt-master-as-dedicated-salt-user.patch
* save-log-to-logfile-with-docker.build.patch
* switch-firewalld-state-to-use-change_interface.patch
* temporary-fix-extend-the-whitelist-of-allowed-comman.patch
* update-target-fix-for-salt-ssh-to-process-targets-li.patch
* use-adler32-algorithm-to-compute-string-checksums.patch
* use-salt-bundle-in-dockermod.patch
* x509-fixes-111.patch
* zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch
- Removed:
* 3003.3-do-not-consider-skipped-targets-as-failed-for.patch
* 3003.3-postgresql-json-support-in-pillar-423.patch
* add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch
* add-missing-ansible-module-functions-to-whitelist-in.patch
* add-rpm_vercmp-python-library-for-version-comparison.patch
* add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
* adds-explicit-type-cast-for-port.patch
* align-amazon-ec2-nitro-grains-with-upstream-pr-bsc-1.patch
* backport-syndic-auth-fixes.patch
* batch.py-avoid-exception-when-minion-does-not-respon.patch
* check-if-dpkgnotify-is-executable-bsc-1186674-376.patch
* clarify-pkg.installed-pkg_verify-documentation.patch
* detect-module.run-syntax.patch
* do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
* enhance-logging-when-inotify-beacon-is-missing-pyino.patch
* fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch
* fix-crash-when-calling-manage.not_alive-runners.patch
* fixes-pkg.version_cmp-on-openeuler-systems-and-a-few.patch
* fix-exception-in-yumpkg.remove-for-not-installed-pac.patch
* fix-for-cve-2022-22967-bsc-1200566.patch
* fix-inspector-module-export-function-bsc-1097531-481.patch
* fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch
* fix-issues-with-salt-ssh-s-extra-filerefs.patch
* fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch
* fix-multiple-security-issues-bsc-1197417.patch
* fix-salt-call-event.send-call-with-grains-and-pillar.patch
* fix-salt.states.file.managed-for-follow_symlinks-tru.patch
* fix-state.apply-in-test-mode-with-file-state-module-.patch
* fix-test_ipc-unit-tests.patch
* fix-the-regression-in-schedule-module-releasded-in-3.patch
* fix-wrong-test_mod_del_repo_multiline_values-test-af.patch
* fixes-56144-to-enable-hotadd-profile-support.patch
* fopen-workaround-bad-buffering-for-binary-mode-563.patch
* force-zyppnotify-to-prefer-packages.db-than-packages.patch
* ignore-erros-on-reading-license-files-with-dpkg_lowp.patch
* ignore-extend-declarations-from-excluded-sls-files.patch
* ignore-non-utf8-characters-while-reading-files-with-.patch
* implementation-of-held-unheld-functions-for-state-pk.patch
* implementation-of-suse_ip-execution-module-bsc-10999.patch
* improvements-on-ansiblegate-module-354.patch
* include-stdout-in-error-message-for-zypperpkg-559.patch
* make-pass-renderer-configurable-other-fixes-532.patch
* make-sure-saltcacheloader-use-correct-fileclient-519.patch
* mock-ip_addrs-in-utils-minions.py-unit-test-443.patch
* normalize-package-names-once-with-pkg.installed-remo.patch
* notify-beacon-for-debian-ubuntu-systems-347.patch
* refactor-and-improvements-for-transactional-updates-.patch
* retry-if-rpm-lock-is-temporarily-unavailable-547.patch
* set-default-target-for-pip-from-venv_pip_target-envi.patch
* state.apply-don-t-check-for-cached-pillar-errors.patch
* state.orchestrate_single-does-not-pass-pillar-none-4.patch
* support-transactional-systems-microos.patch
* wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
- Fix problem with detecting PTF packages (bsc#1208691)
- Added:
* skip-package-names-without-colon-bsc-1208691-578.patch
- Fixes pkg.version_cmp on openEuler systems and a few other OS flavors
- Make pkg.remove function from zypperpkg module to handle also PTF packages
- Added:
* fixes-pkg.version_cmp-on-openeuler-systems-and-a-few.patch
* 3004-implement-zypper-removeptf-574.patch
Package spacewalk-certs-tools was updated:
- version 4.2.20-1 * Update translations
Package spacewalk-client-tools was updated:
- version 4.2.23-1 * Update translation strings
Package python-tornado was updated:
- Add tornado-Fix-an-open-redirect-in-StaticFileHandler.patch: Backport from upstream, Fix an open redirect in StaticFileHandler.
Under some configurations the default_filename redirect could be
exploited to redirect to an attacker-controlled site. This change
refuses to redirect to URLs that could be misinterpreted
(CVE-2023-28370 bsc#1211741).
Package uyuni-common-libs was updated:
- version 4.2.10-1 * Allow default component for context manager.
Package python was updated:
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15, support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds nis.so as well.
Package regexp was updated:
Package relaxngDatatype was updated:
Package release-notes-sles was updated:
- 15.3.20230301 (tracked in bsc#933411)- Added note about silencing killmode=none (jsc#PED-407)
- Added note about by-id/wwn- change (bsc#1188762)
- Added note about frr (jsc#SLE-13591)
- Added note about ssh-import-id GitHub support (jsc#SLE-20079)
- Added note about adcli --dont-expire-password (jsc#SLE-21224)
- Added note about NVMe-oF in dracut (jsc#SLE-17091)
- Added note about vPMU optimization (jsc#SLE-12687)
- Added note about snapper btrfs snapshot cleanup (jsc#SLE-16031)
- Added note about redis and bindings (jsc#SLE-11036)
- Added note about zram on low-mem devices (jsc#SLE-17630)
- Added note about wsmancli moving to basesystem (jsc#SLE-22844)
- Added note about scap-security-guide (jsc#SLE-20292)
- Added note about libreiserfs removal (jsc#SLE-17723)
- Added note about icu 69.1 (jsc#SLE-17893)
- Added note about blog 2.26 (jsc#SLE-23233)
- Added note about libpwquality-tools (jsc#SLE-23623)
- Added note about DFS share failover (jsc#SLE-20042)
- Added note about git 2.35.3 (jsc#SLE-23332)
- Added note about tcl 8.6.12 (jsc#SLE-21016)
- Added note about Rust developer tools (jsc#SLE-23381)
- Added note about PostgreSQL 14 (jsc#SLE-20675)
- Added note about NodeJS 16 (jsc#SLE-21235)
- Added note about strongSwan namespace support (jsc#SLE-17756)
- Added note about mariadb-galera (jsc#SLE-22242)
Package rsync was updated:
- Drop rsync-fix-external-compression.patch, rsync-iconv-segfault.patch
- Fix --delay-updates never updates after interruption [bsc#1204538]
* Added patch rsync-fix-delay-updates-never-updates-after-interruption.patch
Package rsyslog was updated:
- fix segfaults in modExit() of imklog.c (bsc#1211757) * add 0001-imklog-fix-invalid-memory-adressing-could-cause-abor.patch
- fix removal of imfile state files (bsc#1213212)
* add 0001-fixing-the-deleteStateOnFileDelete-option.patch
Package samba was updated:
- Move libcluster-samba4.so from samba-libs to samba-client-libs; (bsc#1213940);
- secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
- CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
- CVE-2023-34968: Spotlight server-side Share Path Disclosure;
(bso#15388); (bsc#1213171).
- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
in cleartext; (bso#15315); (bsc#1209481).
- CVE-2023-0225: Samba AD DC "dnsHostname" attribute can be
deleted by unprivileged authenticated users; (bso#15276);
(bsc#1209483).
- CVE-2023-0614: samba: Access controlled AD LDAP attributes can
be discovered; (bso#15270); (bsc#1209485).
- Prevent use after free of messaging_ctdb_fde_ev structs;
(bso#15293); (bsc#1207416).
Package 000release-packages:sle-module-basesystem-release was updated:
Package 000release-packages:sle-module-public-cloud-release was updated:
Package 000release-packages:sle-module-server-applications-release was updated:
Package 000product:sle-module-suse-manager-server-release was updated:
Package 000release-packages:sle-module-web-scripting-release was updated:
Package slf4j was updated:
- Add symlink to reload4j -> log4j12 for applications that expect that name.
- Build with source/target levels 8
- Upgrade to 1.7.36
* Changes in 1.7.36:
+ Correct corrupt "Export-Package" declaration in MANIFEST.MF
in log4j-over-slf4j module
+ Starting with version 1.7.36, slf4j releases will be
reproducible. By reproducible we mean that anyone checking out
the code corresponding to the release version from source code
repository and building that local copy, will obtain an
identical binary to the published binary.
* Changes 1.7.35
+ In this release, the "slf4j-log4j12" artifact automatically
instructs Maven to use the "slf4j-reload4j" artifact instead.
As you might have guessed, the "slf4j-reload4j" binding
delegates log processing to the reload4j logging framework.
+ Fix incorrect version number in the relocation element in
slf4j-log4j12/pom.ml
* Changes in 1.7.34
+ The relocation element in slf4j-log4j12 had incorrect version
number. Version 1.7.34 should not be used.
* Changes in 1.7.33
+ SLF4J now ships with the slf4j-reload4j module delegating to
the reload4j backend.
+ SimpleLogger now prints the thread Id if instructed to do so.
This fixes SLF4J-499.
- Added patch:
* slf4j-reload4j-bundlename.patch
+ fix a typo in source reload4k -> reload4j
- Do not use a separate spec file for sources, since now they
can be built in the same run as the other artifacts
- Removed patch:
* slf4j-reload4j.patch
+ the incompatibility is now handled in reload4j itself
- Fetch sources using source service
- Depend for build on reload4j
- Fix dependencies of the module slf4j-log4j12
- Added patch:
* slf4j-reload4j.patch
+ fix build against reload4j
- Update to upstream version 1.7.32
* In the slf4j-simple module, SimpleLogger now caters for
concurrent access.
- Update to upstream version 1.7.31
* In the jcl-over-slf4j module avoid Object to String conversion.
* In the log4j-over-slf4j module added empty constructors for
ConsoleAppender.
- Don't use %%mvn_artifact, but %%add_maven_depmap for the
sources artifacts, so that they don't suck in half of the xmvn*
stack in order to build
Package snakeyaml was updated:
- Fix --with tests build
- Upgrade to upstream release 1.33
* Fixes
+ bsc#1204173
+ bsc#1203154 (CVE-2022-38752)
* Changes of 1.33
+ Remove some deprecated unused methods
+ Fix #555: Fixed Github actions
+ Fix #553: LoaderOptions.setCodePointLimit() not honored by
loadAll()
+ Fix #554: Always emit numberish strings with quotes
* Changes of 1.32
+ Fix #543: show the configuration in the test
+ Fix #531: provide configuration to fail early
+ Fix #547: Set the limit for incoming data to prevent a CVE
report in NIST. By default it is 3MB
+ Fix #544: Support unescaped unicode characters for
double-quoted scalars
- Modified patches:
* 0001-replace-bundled-base64coder-with-java.util.Base64.patch
* 0002-Replace-bundled-gdata-java-client-classes-with-commo.patch
+ rebase
- Added patch:
* 0003-Fix-ReaderBomTest.patch
+ remove two tests that require unicode boms
Package spacecmd was updated:
- version 4.2.24-1 * Update the translations from Weblate
- version 4.2.23-1
* Fix argument parsing of distribution_update (bsc#1210458)
- version 4.2.22-1
* Display activation key details after executing the corresponding command (bsc#1208719)
* Show targetted packages before actually removing them (bsc#1207830)
* Fix spacecmd not showing any output for softwarechannel_diff
and softwarechannel_errata_diff (bsc#1207352)
Package spacewalk-backend was updated:
- version 4.2.29-1 * Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
* Only show missing /root/.curlrc error with log_level = 5 (bsc#1212507)
- version 4.2.28-1
* Filter CLM modular packages using release strings (bsc#1207814)
* Add package details to reposync error logging
- version 4.2.27-1
* Fix the mgr-inter-sync not creating valid repository metadata when dealing
with empty channels (bsc#1207829)
* fix repo sync for cloud payg connected repositories (bsc#1208772)
* Fix issues with kickstart syncing on mirrorlist repositories
* Do not sync .mirrorlist and other non needed files
* reposync: catch local file not found urlgrabber error properly (bsc#1208288)
Package spacewalk-web was updated:
- version 4.2.36-1 * Update the translations from weblate
* Fix VHM CPU and RAM display when 0 (bsc#1175823)
* Fix parsing error when showing notification message details (bsc#1211469)
- version 4.2.35-1
* Show loading indicator on formula details pages (bsc#1179747)
* Increase datetimepicker font sizes (bsc#1210437)
* Fix an issue where the datetimepicker shows wrong date (bsc#1209231)
- version 4.2.34-1
* Fix datetime picker appearing behind modal edge (bsc#1209703)
- version 4.2.33-1
* Deprecate jQuery datepicker, integrate React datepicker (bsc#1209689)
* Fix CLM environments UI for environment labels containing dots (bsc#1207838)
Package spacewalk-java was updated:
- version 4.2.55-1 * Set swap memory value if available
* Set primary FQDN to hostname if none is set (bsc#1209156, bsc#1214333)
- version 4.2.54-1
* Consider venv-salt-minion package update as salt update to prevent
backtraces on upgrading salt with itself (bsc#1211884)
- version 4.2.53-1
* Fix "more then one method candidate found" for API function (bsc#1211100)
* Fixed a bug that caused the tab Autoinstallation to hide when clicking on Power
Management Management/Operations on SSM -> Provisioning
* Update copyright year (bsc#1212106)
* Disable jinja processing for the roster file (bsc#1211650)
- version 4.2.52-1
* Update jetty-util to version 9.4.51
- version 4.2.51-1
* Update version of Tomcat build dependencies
- version 4.2.50-1
* Fix misleading error message regarding SCC credentials removal (bsc#1207941)
* Fix issue with `aclChannelTypeCapable` that prevented errata view in
deb arch
* Refresh pillars after setting custom values via SSM (bsc#1210659)
* Report SSM power management errors in 'rhn_web_ui' (bsc#1210406)
* Filter CLM modular packages using release strings (bsc#1207814)
* Allow processing big state results (bsc#1210957)
* Use glassfish-activation-api instead of gnu-jaf
* Fix session information leak CVE-2023-22644 (bsc#1210107)
* Fix Intenal Server Error when URI contains invalid sysid (bsc#1186011)
* kernel options: only add quotes if there is a space in the value (bsc#1209926)
* Fix link to Knowledge Base articles (bsc#1210311)
* Do not output Cobbler xmlrpc token in debug logs CVE-2023-22644 (bsc#1210162)
* Remove channels from client after transfer to a different
organization (bsc#1209220)
* Fix displaying system channels when no base product is installed
(bsc#1206423)
* Fix broken ifcfg grub option on reinstallation (bsc#1210232)
* Fix NPE in Cobbler system sync when server has no creator set
* Fix credentials and other secrets disclosure when debug log is enabled
CVE-2023-22644 (bsc#1210154)
* Do not output URL parameters for tiny urls CVE-2023-22644 (bsc#1210101)
* Remove web session swap secrets output in logs CVE-2023-22644 (bsc#1210086)
* Add listSystemEvents missing API endpoint (bsc#1209877)
- version 4.2.49-1
* Refactor Java notification synchronize to avoid dead locks (bsc#1209369)
- version 4.2.48-1
* Prevent logging formula data (bsc#1209386, bsc#1209434, CVE-2023-22644)
* Use gnu-jaf instead of jaf
* Use reload4j instead of log4j or log4j12
* Save scheduler user when creating Patch actions manually (bsc#1208321)
* Use slf4j-reload4j and jaf
* Add `mgr_server_is_uyuni` minion pillar item
* Do not execute immediately Package Refresh action for the SSH minion (bsc#1208325)
* Mark as failed actions that cannot be scheduled because earliest
date is too old
* Update earliest date when rescheduling failed actions (bsc#1206562)
* Fix reconnection of postgres event stream
* fix NumberFormatException when syncing ubuntu errata (bsc#1207883)
* Fix duplicate keys in image tables (bsc#1207799)
* Fix CLM environments UI for environment labels containing dots (bsc#1207838)
Package spacewalk-reports was updated:
- version 4.2.8-1 * Drop Python2 compatibility (bsc#1212589)
Package spacewalk-search was updated:
- version 4.2.10-1 * Use reload4j instead of log4j or log4j12
Package spacewalk-setup was updated:
- version 4.2.13-1 * Drop usage of salt.ext.six in embedded_diskspace_check
- version 4.2.12-1
* Enable netapi clients in master configuration (required for Salt 3006)
Package spacewalk-utils was updated:
- version 4.2.20-1 * Drop Python2 compatibility
- version 4.2.19-1
* spacewalk-hostname-rename remains stuck at refreshing pillars (bsc#1207550)
Package subscription-matcher was updated:
Package sudo was updated:
- Fix CVE-2023-28486, sudo does not escape control characters in log messages, (CVE-2023-28486, bsc#1209362)
* Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
sudoreplay output (CVE-2023-28487, bsc#1209361)
- sudo-dont-enable-read-after-pty_finish.patch
* bsc#1203201
* Do not re-enable the reader when flushing the buffers as part
of pty_finish().
* While sudo-observe-SIGCHLD patch applied earlier prevents a
race condition from happening, this fixes a related buffer hang.
- Added sudo-fix_NULL_deref_RunAs.patch
* bsc#1206483
* Fix a situation where "sudo -U otheruser -l" would dereference
a NULL pointer.
Package supportutils-plugin-suse-public-cloud was updated:
- Update to version 1.0.8 (bsc#1213951) + Capture CSP billing adapter config and log (issue#13)
+ Accept upper case Amazon string in DMI table (issue#12)
- Update to version 1.0.7 (bsc#1209026)
+ Include information about the cached registration data
+ Collect the data that is sent to the update infrastructure during
registration
Package supportutils-plugin-susemanager was updated:
- version 4.2.7-1 * Fix property name to tune for salt events queue processing
- version 4.2.6-1
* fix db connection check tool (bsc#1208586)
Package supportutils was updated:
- Changes to supportconfig version 3.1.11-46.3 + Added missed sanitation check on crash.txt (bsc#1203818)
- Changes to supportconfig.rc version 3.1.11-30
+ Added check to _sanitize_file
+ Using variable for replement text in _sanitize_file
Package susemanager-build-keys was updated:
- Version 15.3.9 * add SUSE Liberty v2 key (bsc#1212096)
+ Added: RPM-GPG-KEY-SUSE-Liberty-v2
* add Debian 12 (bookworm) GPG keys (bsc#1212363)
+ Added:
debian-archive-key-12-security-254CF3B5AEC0A8F0.asc
debian-archive-key-12-B7C5D7D6350947F8.asc
debian-release-12-F8D2585B8783D481.asc
* add new 4096 bit RSA package hub key
+ Added: packagehub-gpg-pubkey-8A49EB0325DB7AE0.asc
- Version 15.3.8
* fix installation of sle15 RSA reserve build key
* add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc
- Version 15.3.7 (jsc#PED-2777):
* add new 4096 bit RSA build key gpg-pubkey-3fa1d6ce-63c9481c.asc
* add new 4096 bit RSA reserve build key gpg-pubkey-d588dc46-63c939db.asc
* add 2022 2048 bit RSA PTF key suse_ptf_key-6F5DA62B.asc
* add new 4096 bit RSA PTF key suse_ptf_key_2023.asc
Package susemanager-doc-indexes was updated:
- Typo correction for Cobbler buildiso command in Client Configuration Guide
- Replaced plain text with dedicated attribute for AutoYaST
- Added a note about Oracle Unbreakable Linux Network mirroring
requirements in Client Configuration Guide (bsc#1212032)
- Added SUSE Linux Enterprise 15 SP5 and openSUSE Leap 15.5
as supported clients in the Client Configuration Guide
- Fixed missing tables of content in the Reference Guide
(bsc#1208577)
- Fixed instruction for Single sign-on implementation example
in the Administration Guide (bsc#1210103)
- Removed reference to non-exitent files in Reference Guide
(bsc#1208528)
- Salt version changed to 3006.0
- Added note for clarification between self-installed and cloud
instances of Ubuntu
- Improved Pay-as-you-go documentation in the Install and Upgrade
Guide (bsc#1208984)
- Added comment about activation keys for LTSS clients in Client
Configuration Guide (bsc#1210011)
- Updated API script examples to Python 3 in Administration Guide
and Large Deployment Guide
- Change cleanup Salt Client description
- Added instruction for Cobbler to use the correct label in Client
Configuration Guide distro label (bsc#1205600)
- Added updated options for rhn.conf file in the Administration Guide
(bsc#1209508)
- Fixed calculation of DB max-connections and align it with the
supportconfig checking tool in the Tuning Guide
- Removed z196 and z114 from listing in System Z chapter of the
Installation and Upgrade Guide (bsc#1206973)
- Branding updated for 2023
- New search engine optimization improvements for documentation
- Translations are now included in the webui help documentation
- Local search is now provided with the webui help documentation
Package susemanager-docs_en was updated:
- Typo correction for Cobbler buildiso command in Client Configuration Guide
- Replaced plain text with dedicated attribute for AutoYaST
- Added a note about Oracle Unbreakable Linux Network mirroring
requirements in Client Configuration Guide (bsc#1212032)
- Added SUSE Linux Enterprise 15 SP5 and openSUSE Leap 15.5
as supported clients in the Client Configuration Guide
- Fixed missing tables of content in the Reference Guide
(bsc#1208577)
- Fixed instruction for Single sign-on implementation example
in the Administration Guide (bsc#1210103)
- Removed reference to non-exitent files in Reference Guide
(bsc#1208528)
- Salt version changed to 3006.0
- Added note for clarification between self-installed and cloud
instances of Ubuntu
- Improved Pay-as-you-go documentation in the Install and Upgrade
Guide (bsc#1208984)
- Added comment about activation keys for LTSS clients in Client
Configuration Guide (bsc#1210011)
- Updated API script examples to Python 3 in Administration Guide
and Large Deployment Guide
- Change cleanup Salt Client description
- Added instruction for Cobbler to use the correct label in Client
Configuration Guide distro label (bsc#1205600)
- Added updated options for rhn.conf file in the Administration Guide
(bsc#1209508)
- Fixed calculation of DB max-connections and align it with the
supportconfig checking tool in the Tuning Guide
- Removed z196 and z114 from listing in System Z chapter of the
Installation and Upgrade Guide (bsc#1206973)
- Branding updated for 2023
- New search engine optimization improvements for documentation
- Translations are now included in the webui help documentation
- Local search is now provided with the webui help documentation
Package susemanager-schema was updated:
- version 4.2.29-1 * Add schema directory for susemanager-schema-4.2.29
- version 4.2.28-1
* Filter CLM modular packages using release strings (bsc#1207814)
* Repeat schema migrations for module metadata storage (bsc#1209915)
Package susemanager-sls was updated:
- version 4.2.35-1 * Do not disable salt-minion on salt-ssh managed clients
* Use venv-salt-minion instead of salt for docker states (bsc#1212416)
- version 4.2.34-1
* trust new Liberty Linux v2 key (bsc#1212096)
- version 4.2.33-1
* Include automatic migration from Salt 3000 to Salt bundle in highstate
* Disable salt-minion and remove its config file on cleanup (bsc#1209277)
* To update everything on a debian system, call dist-upgrade to
be able to install and remove packages
- version 4.2.32-1
* Improve error handling in mgr_events.py (bsc#1208687)
Package susemanager was updated:
- version 4.2.44-1 * Require LTSS channels for SUSE Linux Enterprise 15 SP1/SP2/SP3
and SUSE Manager Proxy 4.2 (bsc#1214187)
- version 4.2.43-1
* Add missing Salt 3006.0 dependencies to bootstrap repo definitions (bsc#1212700)
* Make mgr-salt-ssh to properly fix HOME environment to avoid issues with gitfs (bsc#1210994)
- version 4.2.42-1
* Use newest venv-salt-minion version available to generate the
venv-enabled-*.txt file in bootstrap repos (bsc#1211958)
- version 4.2.41-1
* Add bootstrap repository definitions for openSUSE Leap 15.5
* Add bootstrap repository definitions for SUSE Linux Enterprise Server 15 SP5
Package systemd-presets-common-SUSE was updated:
Package systemd-rpm-macros was updated:
- Bump version to 13
- Fix %sysctl_apply() and %binfmt_apply() so they are disabled when called from
a chroot (bsc#1211272)
- Bump version to 12
- Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not
present as it's expected (bsc#1208079).
Package tagsoup was updated:
- Condition for SLE-12 to avoid accidental use of modular java with javapackages-tools 2.x
- Compile with source and target levels 8
Package timezone was updated:
- timezone update 2023c: * Revert changes made in 2023b
- timezone update 2023b:
* Lebanon delays the start of DST this year.
- timezone update 2023a:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
- Refresh tzdata-china.diff
Package tomcat was updated:
- Update to Tomcat 9.0.75. * See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.75_(markt)
* Fixes:
+ bsc#1211608, CVE-2023-28709
+ bsc#1208513, CVE-2023-24998 (previous incomplete fix)
- Remove patches:
* tomcat-9.0-CVE-2021-30640.patch
* tomcat-9.0-CVE-2021-33037.patch
* tomcat-9.0-CVE-2021-41079.patch
* tomcat-9.0-CVE-2022-23181.patch
* tomcat-9.0-NPE-JNDIRealm.patch
* tomcat-9.0-hardening_getResources.patch
* tomcat-9.0.43-CVE-2021-43980.patch
* tomcat-9.0.43-CVE-2022-42252.patch
* tomcat-9.0.43-CVE-2022-45143.patch
* tomcat-9.0.43-CVE-2023-24998.patch
* tomcat-9.0.43-CVE-2023-28708.patch
+ integrated in this version
* tomcat-9.0.43-java8compat.patch
+ problem with Java 8 compatibility solved in this version
- Modified patch:
* tomcat-9.0.31-secretRequired-default.patch
- > tomcat-9.0.75-secretRequired-default.patch
+ rediffed to changed context
* tomcat-9.0-javadoc.patch
+ drop integrated hunks
* tomcat-9.0-osgi-build.patch
+ fix to work with current version
- Added patch:
* tomcat-9.0-jdt.patch
+ fix build against our ecj
- Fixed CVEs:
* CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840)
- Added patches:
* tomcat-9.0.43-CVE-2022-45143.patch
- Fixed CVEs:
* CVE-2023-28708: tomcat: not including the secure attribute
causes information disclosure (bsc#1209622)
- Added patches:
* tomcat-9.0.43-CVE-2023-28708.patch
- Fixed CVEs:
* CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513)
- Added patches:
* tomcat-9.0.43-CVE-2023-24998.patch
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out
* update tomcat-serverxml-tool and spec to configure server.xml
- Added patch:
* tomcat-9.0-logrotate_everything.patch
* tomcat-serverxml-tool.tar.gz
- Removed:
* tomcat-serverxml-tool-1.0.tar.gz
- Use catalina.out for logging (bsc#1205647)
- Added patches:
* tomcat-9.0-fix_catalina.patch
- Fixed CVEs:
* CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
- Added patches:
* tomcat-9.0.43-CVE-2022-42252.patch
- Fixed CVEs:
* CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- Added patches:
* tomcat-9.0.43-CVE-2021-43980.patch
- Do not hardcode /usr/libexec but use %%_libexecdir during the
build
* Fixes for platforms, where /usr/libexec and %%_libexecdir are
different
- Fix bsc#1201081 by building with release=8 all files that can be
built this way. The one file remaining, build it with source=8 and
target=8
- Modified patch:
* tomcat-9.0.43-java8compat.patch
+ Do not cast ByteBuffer to Buffer to call the Java 8 compatible
methods. Build with release=8 instead
Package util-linux-systemd was updated:
- Add upstream patch fix-lib-internal-cache-size.patch bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
Package vim was updated:
- Updated to version 9.0 with patch level 1572, fixes the following security problems * Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
* Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531
* Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1443...v9.0.1572
- Fixing bsc#1211461 - L3: vim "eats" first character from prompt in xterm
* Add: reorder-exit-raw-mode.patch
* Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit.
- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
* Revert the creation standalone xxd packages
- Updated to version 9.0 with patch level 1443, fixes the following security problems
* Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
* Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
* Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
remove during %prep anyway. And this breaks quilt setup.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443
- Updated to version 9.0 with patch level 1386, fixes the following security problems
* Fixing bsc#1207780Â -Â (CVE-2023-0512)Â VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247
* Fixing bsc#1208957Â -Â (CVE-2023-1175)Â VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size
* Fixing bsc#1208959Â -Â (CVE-2023-1170)Â VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376
* Fixing bsc#1208828Â -Â (CVE-2023-1127)Â VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
Package virtual-host-gatherer was updated:
- version 1.0.26-1 * fix cpu calculation in the libvirt module and enhance the data
structure by os value
- version 1.0.25-1
* Report total CPU numbers in the libvirt module
Package wicked was updated:
- ifconfig: fix arp notify loop (boo#1212806) and burst sending [+ 0001-fix_arp_notify_loop_and_burst_sending.patch]
- update to version 0.6.73
- spec: cleanup artefacts and fix some rpmlint warnings
- arp: allow verify/notify counter and interval configuration
- arp: handle ENOBUFS sending errors (bsc#1203300)
- extensions: improve environment variable handling
- firmware: refactor firmware extension definition
- firmware: enable, disable and revert cli commands
- code cleanup: fix memory leaks, add array/list utils
- wireless: Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- cleanup /var/run leftovers in extension scripts (bsc#1194557)
- json: output formatting improvements and Unicode support
- bond: workaround 6.1 kernel enslave regression (boo#1206674)
- update to version 0.6.72
- client: add `wicked firmware extensions|interfaces|enable|disable`
command to improve `ibft`,`nbft`,`redfish` firmware extension and
interface handling.
- client: improve error handling in netif firmware discovery
extension execution and extension definition overrides in
the wicked-config.
- nanny: fix use-after-free in debug mode (bsc#1206447)
- spec: replace transitional `%usrmerged` macro with regular
version check (boo#1206798)
- client: improve to show `no-carrier` in ifstatus output
- linux: cleanup inclusions and update uapi header to 6.0
- ethtool: link mode nwords cleanup and new advertise mode names
- update to version 0.6.71
- dhcp: enable raw-ip support for wwan-qmi interfaces (jsc#PED-90)
- schema: fix the ip rule to-selector to handle network prefixes
- spec: Add /etc/sysconfig/network to file list, no longer in the
default list of a cleaned up filesystem package on tumbleweed
(https://github.com/openSUSE/wicked/pull/939).
Package ws-jaxme was updated:
- Build against the standalone JavaEE modules unconditionally
- Modified patch:
* ws-jaxme-sourcetarget.patch
+ Build with source/target levels 8
- On relevant distributions, build against the standalone jaxb-api
- Do not build against the log4j12 packages, use the new reload4j
Package xalan-j2 was updated:
- Build with source/target levels 8
- Do not link to the java_cup* compatibility links, but to the
java-cup* ones
- Remove parent from the pom files, since we are not building
with maven
- Clean-up packaging
Package xen was updated:
- Update to Xen 4.14.6 bug fix release (bsc#1027519) xen-4.14.6-testing-src.tar.bz2
* No upstream changelog found in sources or webpage
- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative
Return Stack Overflow (XSA-434)
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
- Dropped patches contained in new tarball
62a1e594-x86-clean-up-_get_page_type.patch
62a1e5b0-x86-ABAC-race-in-_get_page_type.patch
62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch
62a1e5f0-x86-dont-change-cacheability-of-directmap.patch
62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch
62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch
62a1e649-x86-track-and-flush-non-coherent.patch
62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch
62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch
62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch
62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch
62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch
62cc31ee-cmdline-extend-parse_boolean.patch
62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch
62cd91d0-x86-spec-ctrl-rework-context-switching.patch
62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch
62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch
62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch
62cd91d5-x86-cpuid-BTC_NO-enum.patch
62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch
62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch
62dfe40a-x86-mm-gpt-TLB-flush-condition.patch
62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch
62f51e16-x86-spec-ctrl-enum-PBRSB_NO.patch
62f523da-AMD-setup_force_cpu_cap-BSP-only.patch
63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
63455fe4-x86-HAP-monitor-table-error-handling.patch
63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
6345601d-x86-tolerate-shadow_prealloc-failure.patch
6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
63456075-x86-P2M-free-paging-pool-preemptively.patch
63456090-x86-p2m_teardown-preemption.patch
63456175-libxl-per-arch-extra-default-paging-memory.patch
63456177-Arm-construct-P2M-pool-for-guests.patch
6345617a-Arm-XEN_DOMCTL_shadow_op.patch
6345617c-Arm-take-P2M-pages-P2M-pool.patch
634561aa-gnttab-locking-on-transitive-copy-error-path.patch
6351095c-Arm-rework-p2m_init.patch
6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch
63569723-x86-shadow-replace-bogus-assertions.patch
636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch
xsa326-01.patch
xsa326-02.patch
xsa326-03.patch
xsa326-04.patch
xsa326-05.patch
xsa326-06.patch
xsa326-07.patch
xsa326-08.patch
xsa326-09.patch
xsa326-10.patch
xsa326-11.patch
xsa326-12.patch
xsa326-13.patch
xsa326-14.patch
xsa326-15.patch
xsa326-16.patch
xsa403.patch
xsa414.patch
xsa415.patch
xsa416.patch
xsa417.patch
xsa418-01.patch
xsa418-02.patch
xsa418-03.patch
xsa418-04.patch
xsa418-05.patch
xsa418-06.patch
xsa419-01.patch
xsa419-02.patch
xsa419-03.patch
xsa421-01.patch
xsa421-02.patch
xsa427.patch
xsa428-1.patch
xsa428-2.patch
xsa429.patch
xsa433.patch
- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch
A bit is an index in bitmap, while bits is the allocated size
of the bitmap.
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
xsa433.patch
- Updated fix for XSA-417 (bsc#1204489)
64ba268b-xenstore-fix-XSA-417.patch
- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus
log-dirty mode use-after-free (XSA-427)
xsa427.patch
- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM
pinned cache attributes mis-handling (XSA-428)
xsa428-1.patch
xsa428-2.patch
- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative
vulnerability in 32bit SYSCALL path (XSA-429)
xsa429.patch
Package xerces-j2 was updated:
Package xml-commons-apis was updated:
Package xml-commons-resolver was updated:
Package xpp2 was updated:
- Modified patch: * xpp2-build_xml.patch
+ Build with source/target levels 8
- Added pom file
Package xpp3 was updated:
- Modified patch: * xpp3-sourcetarget.patch
+ Build with source/target levels 8
Package xstream was updated:
- Upgrade to 1.4.20 * Security fixes
+ This maintenance release addresses the security
vulnerabilities CVE-2022-40151 (bsc#1203520) and
CVE-2022-41966 (bsc#1206729), causing a Denial of Service by
raising a stack overflow. It also provides new converters for
Optional and Atomic types.
* Major changes
+ #308: Add converter for AtomicBoolean, AtomicInteger,
AtomicLong, and AtomicReference of package
java.util.concurrent.atomic.
+ #293: Add converter for Optional, OptionalDouble, OptionalInt,
and OptionalLong of package java.util.
* Minor changes
+ #287: Close stream opened from provided URL.
+ #284: Fix disabling check against hash code attack with
XStream.setCollectionUpdateLimit(0).
* Stream compatibility
+ The atomic types with new converters of package
java.util.concurrent.atomic, that have been written with
previous versions of XStream, can still be deserialized.
+ The Optional types with new converters of package java.util,
that have been written with previous versions of XStream,
can still be deserialized.
+ The WildcardTypePermission allows by default no longer
anonymous class types.
* API changes
+ Added c.t.x.converters.extended.AtomicBooleanConverter.
+ Added c.t.x.converters.extended.AtomicIntegerConverter.
+ Added c.t.x.converters.extended.AtomicLongConverter.
+ Added c.t.x.converters.extended.AtomicReferenceConverter.
+ Added c.t.x.converters.extended.OptionalConverter.
+ Added c.t.x.converters.extended.OptionalDoubleConverter.
+ Added c.t.x.converters.extended.OptionalIntConverter.
+ Added c.t.x.converters.extended.OptionalLongConverter.
+ Added c.t.x.security.WildcardTypePermission
.WildcardTypePermission(boolean,String[]).
- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems
where the JavaEE modules are not part of JDK
Package yast2-network was updated:
- Fix typo when writing the wireless channel (bsc#1212976)- 4.3.88
- bsc#1211431
- Do not crash installation when storing vlan configuration into
NetworkManager
- 4.3.87
Package yast2-online-update was updated:
- Fix showing of release notes when we update a rubygem (bsc#1205913)
- 4.2.3
Package yast2-pkg-bindings was updated:
- Pkg.TargetInitializeOptions() - added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- 4.3.12
Package yast2-transfer was updated:
- Fixed TFTP download, truncate the target file to avoid garbage at the end of the file when saving to an already existing file
(bsc#1208754)
- 4.1.1
Package yast2-update was updated:
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)- 4.3.5
Package zypper was updated:
- Changed location of bash-complication (bsc#1213854). This changes the location of zypper.sh bash completion script
from /usr/share/bash-completion/completions/.
- version 1.14.63
- man: revised explanation of --force-resolution (bsc#1213557)
Point out that the option not only allows to remove packages but
may also violate any other active policy if there is no other way
to resolve the job.
- Print summary hint if policies were violated due to
- -force-resolution (bsc#1213557)
- BuildRequires: libzypp-devel >= 17.31.16 (for zypp-tui)
- version 1.14.62
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
- version 1.14.61
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority (fixes #480)
- version 1.14.60
- BuildRequires: libzypp-devel >= 17.31.7.
- Provide "removeptf" command (bsc#1203249)
A remove command which prefers replacing dependant packages to
removing them as well.
A PTF is typically removed as soon as the fix it provides is
applied to the latest official update of the dependant packages.
But you don't want the dependant packages to be removed together
with the PTF, which is what the remove command would do. The
removeptf command however will aim to replace the dependant
packages by their official update versions.
- patterns: Avoid dispylaing superfluous @System entries
(bsc#1205570)
- version 1.14.59
- Update man page and explain '.no_auto_prune' (bsc#1204956)
- Allow to (re)add a service with the same URL (bsc#1203715)
- Explain outdatedness of repos (fixes #463)
- BuildRequires: libzypp-devel >= 17.31.5
- version 1.14.58
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
https://publiccloudimagechangeinfo.suse.com/google/suse-manager-server-4-2-byos-v20230922-x86-64/
Public Cloud Image Info
https://www.suse.com/support/security/rating/
SUSE Security Ratings
Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
antlr-java-2.7.7-150200.18.7.5
apache-commons-beanutils-1.9.4-150200.3.6.4
apache-commons-cli-1.5.0-150200.3.6.4
apache-commons-codec-1.15-150200.3.6.4
apache-commons-collections-3.2.2-150200.13.6.4
apache-commons-daemon-1.3.2-150200.11.9.2
apache-commons-dbcp-2.1.1-150200.10.6.3
apache-commons-digester-2.1-150200.3.6.3
apache-commons-el-1.0-150200.3.9.4
apache-commons-fileupload-1.5-150200.3.9.1
apache-commons-io-2.11.0-150200.3.9.4
apache-commons-jexl-2.1.1-150200.3.6.4
apache-commons-lang3-3.12.0-150200.3.6.4
apache-commons-logging-1.2-150200.11.6.4
apache-commons-pool2-2.4.2-150200.11.6.4
apache2-2.4.51-150200.3.56.1
apache2-prefork-2.4.51-150200.3.56.1
apache2-utils-2.4.51-150200.3.56.1
autofs-5.1.3-150000.7.14.1
autoyast2-installation-4.3.106-150300.3.56.1
bind-utils-9.16.6-150300.22.30.1
binutils-2.39-150100.7.43.2
blog-2.26-150300.4.6.1
ca-certificates-mozilla-2.62-150200.30.1
cal10n-0.8.1.10-150200.11.6.3
cglib-3.3.0-150200.3.6.5
cloud-netconfig-gce-1.8-150000.25.11.1
cloud-regionsrv-client-10.1.2-150000.6.96.1
cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.96.1
cobbler-3.1.2-150300.5.22.5
containerd-1.6.21-150000.93.1
cpp7-7.5.0+r278197-150000.4.35.1
cpu-mitigations-formula-0.5.0-150300.3.6.2
cups-config-2.2.7-150000.3.51.2
curl-7.66.0-150200.4.57.1
dbus-1-1.12.2-150100.8.17.1
device-mapper-2.03.05_1.02.163-150200.8.52.1
dmidecode-3.2-150100.9.16.1
docker-24.0.5_ce-150000.185.1
dom4j-1.6.1-150200.12.6.3
dracut-049.1+suse.255.g19bd61fd-150200.3.72.1
ecj-4.18-150200.3.6.4
elfutils-0.177-150300.11.6.1
firewalld-0.9.3-150300.3.15.1
fonts-config-20200609+git0.42e2b1b-150000.4.10.1
gawk-4.2.1-150000.3.3.1
gcc7-7.5.0+r278197-150000.4.35.1
geronimo-annotation-1_0-api-1.2-150200.15.6.4
geronimo-jta-1_1-api-1.2-150200.15.6.4
geronimo-stax-1_0-api-1.2-150200.15.6.4
glib2-tools-2.62.6-150200.3.15.1
glibc-2.31-150300.52.2
glibc-devel-2.31-150300.52.2
glibc-i18ndata-2.31-150300.52.2
glibc-locale-2.31-150300.52.2
glibc-locale-base-2.31-150300.52.2
google-gson-2.8.9-150200.3.10.3
google-guest-agent-20230601.00-150000.1.37.1
google-guest-configs-20230808.00-150000.1.28.1
google-osconfig-agent-20230706.02-150000.1.30.1
grub2-2.04-150300.22.40.1
grub2-i386-pc-2.04-150300.22.40.1
grub2-x86_64-efi-2.04-150300.22.40.1
guava-30.1.1-150300.4.3.4
httpcomponents-client-4.5.12-150200.3.6.4
httpcomponents-core-4.4.13-150200.3.6.4
hwdata-0.371-150000.3.62.1
hwinfo-21.85-150300.3.6.1
icu4j-71.1-150200.3.4.4
iscsiuio-0.7.8.6-150300.32.24.1
isorelax-0.1-150200.11.4.4
issue-generator-1.13-150100.3.3.1
jakarta-commons-discovery-0.5-150000.4.11.1
java-11-openjdk-11.0.20.1-150000.3.102.1
java-11-openjdk-headless-11.0.20.1-150000.3.102.1
javamail-1.5.2-150200.3.4.4
javapackages-filesystem-6.1.0-150200.3.7.1
javapackages-tools-6.1.0-150200.3.7.1
javassist-3.29.2-150200.3.10.1
jaxen-1.1.6-150200.12.4.4
jdom-1.1.3-150200.12.4.4
joda-time-2.10.1-150200.3.4.4
jzlib-1.1.3-150200.11.4.4
kernel-default-5.3.18-150300.59.133.1
krb5-1.19.2-150300.13.1
krb5-client-1.19.2-150300.13.1
libX11-6-1.6.5-150000.3.30.1
libX11-data-1.6.5-150000.3.30.1
libasan4-7.5.0+r278197-150000.4.35.1
libasm1-0.177-150300.11.6.1
libassuan0-2.5.5-150000.4.5.2
libatomic1-12.3.0+git1204-150000.1.16.1
libavahi-client3-0.7-150100.3.24.1
libavahi-common3-0.7-150100.3.24.1
libbind9-1600-9.16.6-150300.22.30.1
libblkid1-2.36.2-150300.4.35.1
libblogger2-2.26-150300.4.6.1
libcap2-2.26-150000.4.9.1
libcares2-1.19.1-150000.3.23.1
libcilkrts5-7.5.0+r278197-150000.4.35.1
libcryptsetup12-2.3.7-150300.3.8.1
libctf-nobfd0-2.39-150100.7.43.2
libctf0-2.39-150100.7.43.2
libcups2-2.2.7-150000.3.51.2
libcurl4-7.66.0-150200.4.57.1
libdb-4_8-4.8.30-150000.7.9.1
libdbus-1-3-1.12.2-150100.8.17.1
libdevmapper-event1_03-2.03.05_1.02.163-150200.8.52.1
libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1
libdns1605-9.16.6-150300.22.30.1
libdw1-0.177-150300.11.6.1
libebl-plugins-0.177-150300.11.6.1
libeconf0-0.5.2-150300.3.11.1
libelf1-0.177-150300.11.6.1
libfdisk1-2.36.2-150300.4.35.1
libfreebl3-3.90-150000.3.101.1
libfreetype6-2.10.4-150000.4.15.1
libgcc_s1-12.3.0+git1204-150000.1.16.1
libgfortran4-7.5.0+r278197-150000.4.35.1
libgio-2_0-0-2.62.6-150200.3.15.1
libglib-2_0-0-2.62.6-150200.3.15.1
libgmodule-2_0-0-2.62.6-150200.3.15.1
libgobject-2_0-0-2.62.6-150200.3.15.1
libgomp1-12.3.0+git1204-150000.1.16.1
libharfbuzz0-2.6.4-150200.3.6.1
libicu-suse65_1-65.1-150200.4.8.1
libicu65_1-ledata-65.1-150200.4.8.1
libirs1601-9.16.6-150300.22.30.1
libisc1606-9.16.6-150300.22.30.1
libisccc1600-9.16.6-150300.22.30.1
libisccfg1600-9.16.6-150300.22.30.1
libitm1-12.3.0+git1204-150000.1.16.1
libjansson4-2.14-150000.3.3.1
libldap-2_4-2-2.4.46-150200.14.17.1
libldap-data-2.4.46-150200.14.17.1
libldb2-2.4.4-150300.3.23.1
liblognorm5-2.0.6-150000.3.3.1
liblsan0-12.3.0+git1204-150000.1.16.1
liblvm2cmd2_03-2.03.05-150200.8.52.1
libmount1-2.36.2-150300.4.35.1
libncurses6-6.1-150000.5.15.1
libnewt0_52-0.52.20-150000.7.2.3
libnftables1-0.9.8-150300.3.6.1
libns1604-9.16.6-150300.22.30.1
libopeniscsiusr0_2_0-2.1.7-150300.32.24.1
libopenssl1_1-1.1.1d-150200.11.75.1
libparted0-3.2-150300.21.3.1
libpcre2-8-0-10.31-150000.3.15.1
libpq5-15.4-150200.5.12.1
libprocps7-3.3.15-150000.7.34.1
libprotobuf-lite20-3.9.2-150200.4.21.1
libpython2_7-1_0-2.7.18-150000.51.1
libpython3_6m1_0-3.6.15-150300.10.48.1
libquadmath0-12.3.0+git1204-150000.1.16.1
libslang2-2.3.1a-150000.5.2.3
libsmartcols1-2.36.2-150300.4.35.1
libsnapper5-0.8.16-150300.3.6.1
libsoftokn3-3.90-150000.3.101.1
libsolv-tools-0.7.24-150200.20.2
libstdc++6-12.3.0+git1204-150000.1.16.1
libubsan0-7.5.0+r278197-150000.4.35.1
libuuid1-2.36.2-150300.4.35.1
libxml2-2-2.9.7-150000.3.60.1
libxml2-tools-2.9.7-150000.3.60.1
libyajl2-2.1.0-150000.4.6.1
libz1-1.2.11-150000.3.45.1
libzstd1-1.4.4-150000.1.9.1
libzypp-17.31.20-150200.75.1
log4j-2.17.2-150200.4.24.13
log4j-slf4j-2.17.2-150200.4.24.13
login_defs-4.8.1-150300.4.9.1
lvm2-2.03.05-150200.8.52.1
man-2.7.6-150100.8.3.1
mgr-libmod-4.2.8-150300.3.9.6
mozilla-nspr-4.35-150000.3.29.1
mozilla-nss-3.90-150000.3.101.1
mozilla-nss-certs-3.90-150000.3.101.1
ncurses-utils-6.1-150000.5.15.1
nekohtml-1.9.22.noko2-150200.3.4.4
newt-0.52.20-150000.7.2.3
nfs-client-2.1.1-150100.10.37.1
nfs-kernel-server-2.1.1-150100.10.37.1
nftables-0.9.8-150300.3.6.1
nscd-2.31-150300.52.2
objectweb-asm-9.3-150200.3.4.4
open-iscsi-2.1.7-150300.32.24.1
openldap2-client-2.4.46-150200.14.17.1
openssh-8.4p1-150300.3.22.1
openssh-clients-8.4p1-150300.3.22.1
openssh-common-8.4p1-150300.3.22.1
openssh-server-8.4p1-150300.3.22.1
openssl-1_1-1.1.1d-150200.11.75.1
oro-2.0.8-150200.11.4.4
parted-3.2-150300.21.3.1
perl-5.26.1-150300.17.14.1
perl-Bootloader-0.944-150300.3.9.1
perl-Satcon-4.2.3-150300.3.3.3
perl-base-5.26.1-150300.17.14.1
postgresql13-13.12-150200.5.43.1
postgresql13-contrib-13.12-150200.5.43.1
postgresql13-server-13.12-150200.5.43.1
procps-3.3.15-150000.7.34.1
protobuf-java-3.9.2-150200.4.21.1
publicsuffix-20230607-150000.3.15.1
purge-kernels-service-0-150200.8.6.1
python-2.7.18-150000.51.1
python-base-2.7.18-150000.51.1
python-xml-2.7.18-150000.51.1
python2-apipkg-1.4-150000.3.6.1
python2-cryptography-3.3.2-150200.19.1
python2-iniconfig-1.1.1-150000.1.11.1
python2-pyasn1-0.4.2-150000.3.5.1
python2-pyzmq-17.1.2-150000.3.5.2
python2-requests-2.24.0-150300.3.3.1
python2-simplejson-3.17.2-150300.3.2.3
python3-3.6.15-150300.10.48.1
python3-PyJWT-2.4.0-150200.3.6.2
python3-apipkg-1.4-150000.3.6.1
python3-base-3.6.15-150300.10.48.1
python3-bind-9.16.6-150300.22.30.1
python3-configobj-5.0.6-150000.3.3.1
python3-cryptography-3.3.2-150200.19.1
python3-curses-3.6.15-150300.10.48.1
python3-firewall-0.9.3-150300.3.15.1
python3-iniconfig-1.1.1-150000.1.11.1
python3-libxml2-python-2.9.7-150000.3.60.1
python3-newt-0.52.20-150000.7.2.3
python3-nftables-0.9.8-150300.3.6.1
python3-packaging-21.3-150200.3.3.1
python3-ply-3.10-150000.3.3.4
python3-pyasn1-0.4.2-150000.3.5.1
python3-pyzmq-17.1.2-150000.3.5.2
python3-requests-2.24.0-150300.3.3.1
python3-salt-3006.0-150300.53.53.2
python3-simplejson-3.17.2-150300.3.2.3
python3-solv-0.7.24-150200.20.2
python3-spacewalk-certs-tools-4.2.20-150300.3.30.4
python3-spacewalk-client-tools-4.2.23-150300.4.33.7
python3-tornado-4.5.3-150000.3.6.1
python3-uyuni-common-libs-4.2.10-150300.3.17.6
regexp-1.5-150200.11.4.4
relaxngDatatype-2011.1-150200.10.4.4
release-notes-sles-15.3.20230301-150300.3.32.1
rsync-3.2.3-150000.4.23.2
rsyslog-8.2106.0-150200.4.40.1
ruby-solv-0.7.24-150200.20.2
runc-1.1.7-150000.46.1
salt-3006.0-150300.53.53.2
salt-api-3006.0-150300.53.53.2
salt-master-3006.0-150300.53.53.2
salt-minion-3006.0-150300.53.53.2
samba-client-libs-4.15.13+git.666.851db7b9ff-150300.3.60.1
shadow-4.8.1-150300.4.9.1
shim-15.7-150300.4.16.1
slf4j-1.7.36-150200.3.4.3
snakeyaml-1.33-150200.3.12.4
snapper-0.8.16-150300.3.6.1
spacecmd-4.2.24-150300.4.42.3
spacewalk-backend-4.2.29-150300.4.44.5
spacewalk-backend-app-4.2.29-150300.4.44.5
spacewalk-backend-applet-4.2.29-150300.4.44.5
spacewalk-backend-config-files-4.2.29-150300.4.44.5
spacewalk-backend-config-files-common-4.2.29-150300.4.44.5
spacewalk-backend-config-files-tool-4.2.29-150300.4.44.5
spacewalk-backend-iss-4.2.29-150300.4.44.5
spacewalk-backend-iss-export-4.2.29-150300.4.44.5
spacewalk-backend-package-push-server-4.2.29-150300.4.44.5
spacewalk-backend-server-4.2.29-150300.4.44.5
spacewalk-backend-sql-4.2.29-150300.4.44.5
spacewalk-backend-sql-postgresql-4.2.29-150300.4.44.5
spacewalk-backend-tools-4.2.29-150300.4.44.5
spacewalk-backend-xml-export-libs-4.2.29-150300.4.44.5
spacewalk-backend-xmlrpc-4.2.29-150300.4.44.5
spacewalk-base-4.2.36-150300.3.47.5
spacewalk-base-minimal-4.2.36-150300.3.47.5
spacewalk-base-minimal-config-4.2.36-150300.3.47.5
spacewalk-certs-tools-4.2.20-150300.3.30.4
spacewalk-client-tools-4.2.23-150300.4.33.7
spacewalk-html-4.2.36-150300.3.47.5
spacewalk-java-4.2.55-150300.3.73.2
spacewalk-java-config-4.2.55-150300.3.73.2
spacewalk-java-lib-4.2.55-150300.3.73.2
spacewalk-java-postgresql-4.2.55-150300.3.73.2
spacewalk-reports-4.2.8-150300.3.12.3
spacewalk-search-4.2.10-150300.3.18.6
spacewalk-setup-4.2.13-150300.3.21.3
spacewalk-taskomatic-4.2.55-150300.3.73.2
spacewalk-utils-4.2.20-150300.3.27.3
subscription-matcher-0.29-150300.6.15.5
sudo-1.9.5p2-150300.3.24.1
supportutils-3.1.21-150300.7.35.18.1
supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1
supportutils-plugin-susemanager-4.2.7-150300.3.15.4
susemanager-4.2.44-150300.3.59.1
susemanager-build-keys-15.3.9-150300.3.14.1
susemanager-build-keys-web-15.3.9-150300.3.14.1
susemanager-doc-indexes-4.2-150300.12.48.5
susemanager-docs_en-4.2-150300.12.48.3
susemanager-docs_en-pdf-4.2-150300.12.48.3
susemanager-schema-4.2.29-150300.3.41.5
susemanager-sls-4.2.35-150300.3.54.3
susemanager-tools-4.2.44-150300.3.59.1
systemd-presets-common-SUSE-15-150100.8.20.1
systemd-rpm-macros-13-150000.7.33.1
tagsoup-1.2.1-150200.10.7.1
terminfo-6.1-150000.5.15.1
terminfo-base-6.1-150000.5.15.1
timezone-2023c-150000.75.23.1
tomcat-9.0.75-150200.41.1
tomcat-el-3_0-api-9.0.75-150200.41.1
tomcat-jsp-2_3-api-9.0.75-150200.41.1
tomcat-lib-9.0.75-150200.41.1
tomcat-servlet-4_0-api-9.0.75-150200.41.1
util-linux-2.36.2-150300.4.35.1
util-linux-systemd-2.36.2-150300.4.35.1
vim-9.0.1572-150000.5.49.1
vim-data-common-9.0.1572-150000.5.49.1
virtual-host-gatherer-1.0.26-150300.3.15.2
wicked-0.6.73-150300.4.13.1
wicked-service-0.6.73-150300.4.13.1
ws-jaxme-0.5.2-150200.12.4.3
xalan-j2-2.7.2-150200.11.4.3
xen-libs-4.14.6_02-150300.3.51.1
xerces-j2-2.12.2-150200.3.7.3
xml-commons-apis-1.4.01-150200.3.4.3
xml-commons-resolver-1.2-150200.3.4.3
xom-1.2b1-150200.12.4.4
xpp2-2.1.10-150200.11.4.3
xpp3-1.1.4c-150200.11.6.3
xpp3-minimal-1.1.4c-150200.11.6.3
xstream-1.4.20-150200.3.25.1
yast2-network-4.3.88-150300.3.38.1
yast2-online-update-4.2.3-150200.3.3.1
yast2-online-update-frontend-4.2.3-150200.3.3.1
yast2-pkg-bindings-4.3.12-150300.3.3.2
yast2-transfer-4.1.1-150100.3.3.1
yast2-update-4.3.5-150300.3.9.1
zypper-1.14.63-150200.59.1
antlr-java-2.7.7-150200.18.7.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-beanutils-1.9.4-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-cli-1.5.0-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-codec-1.15-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-collections-3.2.2-150200.13.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-daemon-1.3.2-150200.11.9.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-dbcp-2.1.1-150200.10.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-digester-2.1-150200.3.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-el-1.0-150200.3.9.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-fileupload-1.5-150200.3.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-io-2.11.0-150200.3.9.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-jexl-2.1.1-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-lang3-3.12.0-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-logging-1.2-150200.11.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache-commons-pool2-2.4.2-150200.11.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache2-2.4.51-150200.3.56.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache2-prefork-2.4.51-150200.3.56.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
apache2-utils-2.4.51-150200.3.56.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
autofs-5.1.3-150000.7.14.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
autoyast2-installation-4.3.106-150300.3.56.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
bind-utils-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
binutils-2.39-150100.7.43.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
blog-2.26-150300.4.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
ca-certificates-mozilla-2.62-150200.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cal10n-0.8.1.10-150200.11.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cglib-3.3.0-150200.3.6.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cloud-netconfig-gce-1.8-150000.25.11.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cloud-regionsrv-client-10.1.2-150000.6.96.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cloud-regionsrv-client-plugin-gce-1.0.0-150000.6.96.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cobbler-3.1.2-150300.5.22.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
containerd-1.6.21-150000.93.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cpp7-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cpu-mitigations-formula-0.5.0-150300.3.6.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
cups-config-2.2.7-150000.3.51.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
curl-7.66.0-150200.4.57.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
dbus-1-1.12.2-150100.8.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
device-mapper-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
dmidecode-3.2-150100.9.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
docker-24.0.5_ce-150000.185.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
dom4j-1.6.1-150200.12.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
dracut-049.1+suse.255.g19bd61fd-150200.3.72.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
ecj-4.18-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
elfutils-0.177-150300.11.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
firewalld-0.9.3-150300.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
fonts-config-20200609+git0.42e2b1b-150000.4.10.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
gawk-4.2.1-150000.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
gcc7-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
geronimo-annotation-1_0-api-1.2-150200.15.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
geronimo-jta-1_1-api-1.2-150200.15.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
geronimo-stax-1_0-api-1.2-150200.15.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glib2-tools-2.62.6-150200.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glibc-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glibc-devel-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glibc-i18ndata-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glibc-locale-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
glibc-locale-base-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
google-gson-2.8.9-150200.3.10.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
google-guest-agent-20230601.00-150000.1.37.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
google-guest-configs-20230808.00-150000.1.28.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
google-osconfig-agent-20230706.02-150000.1.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
grub2-2.04-150300.22.40.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
grub2-i386-pc-2.04-150300.22.40.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
grub2-x86_64-efi-2.04-150300.22.40.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
guava-30.1.1-150300.4.3.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
httpcomponents-client-4.5.12-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
httpcomponents-core-4.4.13-150200.3.6.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
hwdata-0.371-150000.3.62.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
hwinfo-21.85-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
icu4j-71.1-150200.3.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
iscsiuio-0.7.8.6-150300.32.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
isorelax-0.1-150200.11.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
issue-generator-1.13-150100.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
jakarta-commons-discovery-0.5-150000.4.11.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
java-11-openjdk-11.0.20.1-150000.3.102.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
java-11-openjdk-headless-11.0.20.1-150000.3.102.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
javamail-1.5.2-150200.3.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
javapackages-filesystem-6.1.0-150200.3.7.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
javapackages-tools-6.1.0-150200.3.7.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
javassist-3.29.2-150200.3.10.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
jaxen-1.1.6-150200.12.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
jdom-1.1.3-150200.12.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
joda-time-2.10.1-150200.3.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
jzlib-1.1.3-150200.11.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
kernel-default-5.3.18-150300.59.133.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
krb5-1.19.2-150300.13.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
krb5-client-1.19.2-150300.13.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libX11-6-1.6.5-150000.3.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libX11-data-1.6.5-150000.3.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libasan4-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libasm1-0.177-150300.11.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libassuan0-2.5.5-150000.4.5.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libatomic1-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libavahi-client3-0.7-150100.3.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libavahi-common3-0.7-150100.3.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libbind9-1600-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libblkid1-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libblogger2-2.26-150300.4.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcap2-2.26-150000.4.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcares2-1.19.1-150000.3.23.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcilkrts5-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcryptsetup12-2.3.7-150300.3.8.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libctf-nobfd0-2.39-150100.7.43.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libctf0-2.39-150100.7.43.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcups2-2.2.7-150000.3.51.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libcurl4-7.66.0-150200.4.57.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdb-4_8-4.8.30-150000.7.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdbus-1-3-1.12.2-150100.8.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdevmapper-event1_03-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdevmapper1_03-2.03.05_1.02.163-150200.8.52.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdns1605-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libdw1-0.177-150300.11.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libebl-plugins-0.177-150300.11.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libeconf0-0.5.2-150300.3.11.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libelf1-0.177-150300.11.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libfdisk1-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libfreebl3-3.90-150000.3.101.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libfreetype6-2.10.4-150000.4.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgcc_s1-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgfortran4-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgio-2_0-0-2.62.6-150200.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libglib-2_0-0-2.62.6-150200.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgmodule-2_0-0-2.62.6-150200.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgobject-2_0-0-2.62.6-150200.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libgomp1-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libharfbuzz0-2.6.4-150200.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libicu-suse65_1-65.1-150200.4.8.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libicu65_1-ledata-65.1-150200.4.8.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libirs1601-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libisc1606-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libisccc1600-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libisccfg1600-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libitm1-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libjansson4-2.14-150000.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libldap-2_4-2-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libldap-data-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libldb2-2.4.4-150300.3.23.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
liblognorm5-2.0.6-150000.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
liblsan0-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
liblvm2cmd2_03-2.03.05-150200.8.52.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libmount1-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libncurses6-6.1-150000.5.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libnewt0_52-0.52.20-150000.7.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libnftables1-0.9.8-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libns1604-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libopeniscsiusr0_2_0-2.1.7-150300.32.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libopenssl1_1-1.1.1d-150200.11.75.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libparted0-3.2-150300.21.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libpcre2-8-0-10.31-150000.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libpq5-15.4-150200.5.12.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libprocps7-3.3.15-150000.7.34.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libprotobuf-lite20-3.9.2-150200.4.21.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libpython2_7-1_0-2.7.18-150000.51.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libpython3_6m1_0-3.6.15-150300.10.48.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libquadmath0-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libslang2-2.3.1a-150000.5.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libsmartcols1-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libsnapper5-0.8.16-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libsoftokn3-3.90-150000.3.101.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libsolv-tools-0.7.24-150200.20.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libstdc++6-12.3.0+git1204-150000.1.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libubsan0-7.5.0+r278197-150000.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libuuid1-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libxml2-2-2.9.7-150000.3.60.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libxml2-tools-2.9.7-150000.3.60.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libyajl2-2.1.0-150000.4.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libz1-1.2.11-150000.3.45.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libzstd1-1.4.4-150000.1.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
libzypp-17.31.20-150200.75.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
log4j-2.17.2-150200.4.24.13 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
log4j-slf4j-2.17.2-150200.4.24.13 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
login_defs-4.8.1-150300.4.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
lvm2-2.03.05-150200.8.52.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
man-2.7.6-150100.8.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
mgr-libmod-4.2.8-150300.3.9.6 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
mozilla-nspr-4.35-150000.3.29.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
mozilla-nss-3.90-150000.3.101.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
mozilla-nss-certs-3.90-150000.3.101.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
ncurses-utils-6.1-150000.5.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
nekohtml-1.9.22.noko2-150200.3.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
newt-0.52.20-150000.7.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
nfs-client-2.1.1-150100.10.37.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
nfs-kernel-server-2.1.1-150100.10.37.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
nftables-0.9.8-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
nscd-2.31-150300.52.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
objectweb-asm-9.3-150200.3.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
open-iscsi-2.1.7-150300.32.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openldap2-client-2.4.46-150200.14.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openssh-8.4p1-150300.3.22.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openssh-clients-8.4p1-150300.3.22.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openssh-common-8.4p1-150300.3.22.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openssh-server-8.4p1-150300.3.22.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
openssl-1_1-1.1.1d-150200.11.75.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
oro-2.0.8-150200.11.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
parted-3.2-150300.21.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
perl-5.26.1-150300.17.14.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
perl-Bootloader-0.944-150300.3.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
perl-Satcon-4.2.3-150300.3.3.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
perl-base-5.26.1-150300.17.14.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
postgresql13-13.12-150200.5.43.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
postgresql13-contrib-13.12-150200.5.43.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
postgresql13-server-13.12-150200.5.43.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
procps-3.3.15-150000.7.34.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
protobuf-java-3.9.2-150200.4.21.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
publicsuffix-20230607-150000.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
purge-kernels-service-0-150200.8.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python-2.7.18-150000.51.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python-base-2.7.18-150000.51.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python-xml-2.7.18-150000.51.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-apipkg-1.4-150000.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-cryptography-3.3.2-150200.19.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-iniconfig-1.1.1-150000.1.11.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-pyasn1-0.4.2-150000.3.5.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-pyzmq-17.1.2-150000.3.5.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-requests-2.24.0-150300.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python2-simplejson-3.17.2-150300.3.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-3.6.15-150300.10.48.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-PyJWT-2.4.0-150200.3.6.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-apipkg-1.4-150000.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-base-3.6.15-150300.10.48.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-bind-9.16.6-150300.22.30.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-configobj-5.0.6-150000.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-cryptography-3.3.2-150200.19.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-curses-3.6.15-150300.10.48.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-firewall-0.9.3-150300.3.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-iniconfig-1.1.1-150000.1.11.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-libxml2-python-2.9.7-150000.3.60.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-newt-0.52.20-150000.7.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-nftables-0.9.8-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-packaging-21.3-150200.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-ply-3.10-150000.3.3.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-pyasn1-0.4.2-150000.3.5.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-pyzmq-17.1.2-150000.3.5.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-requests-2.24.0-150300.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-salt-3006.0-150300.53.53.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-simplejson-3.17.2-150300.3.2.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-solv-0.7.24-150200.20.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-spacewalk-certs-tools-4.2.20-150300.3.30.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-spacewalk-client-tools-4.2.23-150300.4.33.7 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-tornado-4.5.3-150000.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
python3-uyuni-common-libs-4.2.10-150300.3.17.6 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
regexp-1.5-150200.11.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
relaxngDatatype-2011.1-150200.10.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
release-notes-sles-15.3.20230301-150300.3.32.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
rsync-3.2.3-150000.4.23.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
rsyslog-8.2106.0-150200.4.40.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
ruby-solv-0.7.24-150200.20.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
runc-1.1.7-150000.46.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
salt-3006.0-150300.53.53.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
salt-api-3006.0-150300.53.53.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
salt-master-3006.0-150300.53.53.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
salt-minion-3006.0-150300.53.53.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
samba-client-libs-4.15.13+git.666.851db7b9ff-150300.3.60.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
shadow-4.8.1-150300.4.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
shim-15.7-150300.4.16.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
slf4j-1.7.36-150200.3.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
snakeyaml-1.33-150200.3.12.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
snapper-0.8.16-150300.3.6.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacecmd-4.2.24-150300.4.42.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-app-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-applet-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-config-files-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-config-files-common-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-config-files-tool-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-iss-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-iss-export-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-package-push-server-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-server-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-sql-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-sql-postgresql-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-tools-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-xml-export-libs-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-backend-xmlrpc-4.2.29-150300.4.44.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-base-4.2.36-150300.3.47.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-base-minimal-4.2.36-150300.3.47.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-base-minimal-config-4.2.36-150300.3.47.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-certs-tools-4.2.20-150300.3.30.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-client-tools-4.2.23-150300.4.33.7 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-html-4.2.36-150300.3.47.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-java-4.2.55-150300.3.73.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-java-config-4.2.55-150300.3.73.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-java-lib-4.2.55-150300.3.73.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-java-postgresql-4.2.55-150300.3.73.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-reports-4.2.8-150300.3.12.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-search-4.2.10-150300.3.18.6 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-setup-4.2.13-150300.3.21.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-taskomatic-4.2.55-150300.3.73.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
spacewalk-utils-4.2.20-150300.3.27.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
subscription-matcher-0.29-150300.6.15.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
sudo-1.9.5p2-150300.3.24.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
supportutils-3.1.21-150300.7.35.18.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
supportutils-plugin-susemanager-4.2.7-150300.3.15.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-4.2.44-150300.3.59.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-build-keys-15.3.9-150300.3.14.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-build-keys-web-15.3.9-150300.3.14.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-doc-indexes-4.2-150300.12.48.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-docs_en-4.2-150300.12.48.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-docs_en-pdf-4.2-150300.12.48.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-schema-4.2.29-150300.3.41.5 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-sls-4.2.35-150300.3.54.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
susemanager-tools-4.2.44-150300.3.59.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
systemd-presets-common-SUSE-15-150100.8.20.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
systemd-rpm-macros-13-150000.7.33.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tagsoup-1.2.1-150200.10.7.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
terminfo-6.1-150000.5.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
terminfo-base-6.1-150000.5.15.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
timezone-2023c-150000.75.23.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tomcat-9.0.75-150200.41.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tomcat-el-3_0-api-9.0.75-150200.41.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tomcat-jsp-2_3-api-9.0.75-150200.41.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tomcat-lib-9.0.75-150200.41.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
tomcat-servlet-4_0-api-9.0.75-150200.41.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
util-linux-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
util-linux-systemd-2.36.2-150300.4.35.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
vim-9.0.1572-150000.5.49.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
vim-data-common-9.0.1572-150000.5.49.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
virtual-host-gatherer-1.0.26-150300.3.15.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
wicked-0.6.73-150300.4.13.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
wicked-service-0.6.73-150300.4.13.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
ws-jaxme-0.5.2-150200.12.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xalan-j2-2.7.2-150200.11.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xen-libs-4.14.6_02-150300.3.51.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xerces-j2-2.12.2-150200.3.7.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xml-commons-apis-1.4.01-150200.3.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xml-commons-resolver-1.2-150200.3.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xom-1.2b1-150200.12.4.4 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xpp2-2.1.10-150200.11.4.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xpp3-1.1.4c-150200.11.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xpp3-minimal-1.1.4c-150200.11.6.3 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
xstream-1.4.20-150200.3.25.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-network-4.3.88-150300.3.38.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-online-update-4.2.3-150200.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-online-update-frontend-4.2.3-150200.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-pkg-bindings-4.3.12-150300.3.3.2 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-transfer-4.1.1-150100.3.3.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
yast2-update-4.3.5-150300.3.9.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
zypper-1.14.63-150200.59.1 as a component of Public Cloud Image google/suse-manager-server-4-2-byos-v20230922-x86-64
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
CVE-2007-4559
moderate
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-5753
important
4.7
AV:L/AC:M/Au:N/C:C/I:N/A:N
An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.
CVE-2020-36691
moderate
An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
CVE-2021-29650
moderate
4.9
AV:L/AC:L/Au:N/C:N/I:N/A:C
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
CVE-2021-30640
moderate
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
CVE-2021-33037
moderate
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
CVE-2021-33813
moderate
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2021-3923
low
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
CVE-2021-41079
moderate
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
CVE-2021-43980
moderate
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
CVE-2022-0860
moderate
6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.
CVE-2022-2127
moderate
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a
CVE-2022-2196
moderate
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-23181
moderate
3.7
AV:L/AC:H/Au:N/C:P/I:P/A:P
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2022-28366
moderate
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
CVE-2022-29217
moderate
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.
CVE-2022-32746
moderate
A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.
CVE-2022-3566
moderate
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
CVE-2022-36109
moderate
An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVE-2022-36280
moderate
An integer overflow vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVE-2022-36402
moderate
A NULL pointer dereference vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).
CVE-2022-38096
moderate
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
CVE-2022-38752
moderate
Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2022-40151
moderate
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-40982
moderate
Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.
CVE-2022-41409
moderate
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
CVE-2022-41966
moderate
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
CVE-2022-42252
moderate
x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.
CVE-2022-42331
moderate
x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated.
CVE-2022-42332
important
x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
CVE-2022-42333
moderate
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition.
CVE-2022-4269
moderate
A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.
For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.
CVE-2022-4304
moderate
The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data added at the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed forward to handlers. Vulnerable code in NFSD is not expecting the oversized request and writes beyond the allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-43945
important
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
CVE-2022-45143
moderate
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.
CVE-2022-45884
moderate
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.
CVE-2022-45885
moderate
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.
CVE-2022-45886
moderate
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of the lack of a dvb_frontend_detach call.
CVE-2022-45887
moderate
An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is a disconnect after an open, because of the lack of a wait_event.
CVE-2022-45919
important
A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-4744
important
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
CVE-2022-4899
moderate
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176.
We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96
CVE-2023-0045
moderate
A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.
CVE-2023-0225
moderate
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
CVE-2023-0286
important
Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47
CVE-2023-0459
moderate
There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.
There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.
When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.
The setsockopt TCP_ULP operation does not require any privilege.
We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
CVE-2023-0461
important
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVE-2023-0464
moderate
Applications that use a non-default option when verifying certificates may be
vulnerable to an attack from a malicious CA to circumvent certain checks.
Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate.
A malicious CA could use this to deliberately assert invalid certificate policies
in order to circumvent policy checking on the certificate altogether.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
CVE-2023-0465
moderate
The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.
As suddenly enabling the policy check could break existing deployments it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.
Instead the applications that require OpenSSL to perform certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.
Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.
CVE-2023-0466
moderate
Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.
CVE-2023-0512
important
A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected.
CVE-2023-0590
important
A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.
CVE-2023-0597
moderate
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.
CVE-2023-0614
moderate
** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.
CVE-2023-0687
low
4
AV:A/AC:H/Au:S/C:P/I:P/A:P
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
CVE-2023-0922
moderate
A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready.
CVE-2023-1075
low
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters.
CVE-2023-1076
moderate
In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption.
CVE-2023-1077
important
A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption.
CVE-2023-1078
important
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.
CVE-2023-1079
moderate
In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.
CVE-2023-1095
moderate
A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVE-2023-1118
moderate
Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.
CVE-2023-1127
moderate
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.
CVE-2023-1170
moderate
Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.
CVE-2023-1175
moderate
A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet, then kernel could be affected.
CVE-2023-1249
moderate
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
CVE-2023-1264
moderate
Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.
This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
CVE-2023-1281
important
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.
CVE-2023-1355
moderate
A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service.
CVE-2023-1380
low
A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel.
CVE-2023-1382
moderate
A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.
CVE-2023-1390
important
A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
CVE-2023-1513
low
A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
CVE-2023-1582
moderate
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea
CVE-2023-1611
moderate
A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.
CVE-2023-1637
moderate
A flaw use after free in the Linux kernel Xircom 16-bit PCMCIA (PC-card) Ethernet driver was found.A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVE-2023-1670
moderate
A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
CVE-2023-1838
moderate
A use-after-free flaw was found in xgene_hwmon_remove in drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel Driver (xgene-hwmon). This flaw could allow a local attacker to crash the system due to a race problem. This vulnerability could even lead to a kernel information leak problem.
CVE-2023-1855
moderate
A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation.
The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered.
We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8.
CVE-2023-1872
important
A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.
CVE-2023-1981
moderate
A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\btsdio.c in the Linux Kernel. In this flaw, a call to btsdio_remove with an unfinished job, may cause a race problem leading to a UAF on hdev devices.
CVE-2023-1989
important
A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
CVE-2023-1990
moderate
The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.
This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.
CVE-2023-1998
moderate
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication.
CVE-2023-2002
moderate
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2023-2004
moderate
The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.
CVE-2023-2007
moderate
A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.
CVE-2023-2008
moderate
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
CVE-2023-20569
moderate
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
CVE-2023-20588
moderate
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
CVE-2023-20593
moderate
An out-of-bounds memory access flaw was found in the Linux kernel’s XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2023-2124
moderate
In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-21400
moderate
A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.
CVE-2023-2156
important
A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
CVE-2023-2162
moderate
A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.
CVE-2023-2176
important
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2023-21930
important
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21937
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21939
moderate
An out-of-bounds write vulnerability was found in the Linux kernel's SLIMpro I2C device driver. The userspace "data->block[0]" variable was not capped to a number between 0-255 and was used as the size of a memcpy, possibly writing beyond the end of dma_buffer. This flaw could allow a local privileged user to crash the system or potentially achieve code execution.
CVE-2023-2194
moderate
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21954
moderate
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21967
moderate
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21968
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
CVE-2023-22006
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2023-22036
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-22041
moderate
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22044
moderate
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22045
low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-22049
moderate
An Innsertion of Sensitive Information into Log File vulnerability in SUSE SUSE Manager Server Module 4.2 spacewalk-java, SUSE SUSE Manager Server Module 4.3 spacewalk-java causes sensitive information to be logged.
This issue affects SUSE Manager Server Module 4.2: before 4.2.50-150300.3.66.5; SUSE Manager Server Module 4.3: before 4.3.58-150400.3.46.4.
CVE-2023-22644
moderate
In the Linux kernel before 5.17, an error path in dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks certain platform_device_put and kfree calls.
CVE-2023-22995
low
In the Linux kernel before 6.0.3, drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the drm_gem_shmem_get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVE-2023-22998
moderate
In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case, but an error pointer is used.
CVE-2023-23000
low
In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c misinterprets the get_sg_table return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVE-2023-23004
low
In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).
CVE-2023-23006
moderate
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
CVE-2023-23559
moderate
Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring
CVE-2023-23586
moderate
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVE-2023-23916
moderate
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
CVE-2023-23931
low
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
CVE-2023-2426
moderate
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2023-24329
important
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
CVE-2023-2454
moderate
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
CVE-2023-2455
moderate
** REJECT ** Rejected by upstream.
CVE-2023-24593
moderate
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-33203. Reason: This candidate is a reservation duplicate of CVE-2023-33203. Notes: All CVE users should reference CVE-2023-33203 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2023-2483
moderate
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
CVE-2023-24998
moderate
The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
CVE-2023-25012
moderate
A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
CVE-2023-2513
moderate
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
CVE-2023-25193
important
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule
or ProxyPassMatch in which a non-specific pattern matches
some portion of the user-supplied request-target (URL) data and is then
re-inserted into the proxied request-target using variable
substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVE-2023-25690
important
A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
CVE-2023-2603
moderate
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.
CVE-2023-2609
important
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.
CVE-2023-2610
important
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\).
**Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.
CVE-2023-26112
low
Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.
Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit. OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.
When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time. The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).
With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced. This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.
Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.
Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL. If the use is for the mere purpose
of display, the severity is considered low.
In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS. It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.
The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain. Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates. This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.
CVE-2023-2650
moderate
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
CVE-2023-26545
moderate
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.
CVE-2023-27522
moderate
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.
CVE-2023-27533
moderate
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
CVE-2023-27534
moderate
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
CVE-2023-27535
moderate
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.
CVE-2023-27536
moderate
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
CVE-2023-27538
moderate
Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.
This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
CVE-2023-2828
important
A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
CVE-2023-28320
low
An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
CVE-2023-28321
moderate
An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
CVE-2023-28322
important
A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c In unix_diag_get_exact in the Linux Kernel. The newly allocated skb does not have sk, leading to a NULL pointer. This flaw allows a local user to crash or potentially cause a denial of service.
CVE-2023-28327
moderate
A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device. This flaw allows a local user to crash the system or potentially cause a denial of service.
CVE-2023-28328
moderate
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
CVE-2023-28370
low
hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.
CVE-2023-28464
important
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
CVE-2023-28466
important
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.
CVE-2023-28484
moderate
Sudo before 1.9.13 does not escape control characters in log messages.
CVE-2023-28486
moderate
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
CVE-2023-28487
moderate
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
CVE-2023-28708
moderate
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
CVE-2023-28709
moderate
An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.
CVE-2023-28772
important
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.
The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.
Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
CVE-2023-28840
important
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.
Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.
It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed.
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
CVE-2023-28841
moderate
Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.
Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.
CVE-2023-28842
moderate
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
CVE-2023-29383
moderate
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).
CVE-2023-29469
moderate
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
CVE-2023-29491
moderate
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.
CVE-2023-2953
moderate
A use after free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service problem.
CVE-2023-2985
moderate
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-32181. Reason: This record is a duplicate of CVE-2023-32181. Notes: All CVE users should reference CVE-2023-32181 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
CVE-2023-30078
important
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-22652. Reason: This record is a duplicate of CVE-2023-22652. Notes: All CVE users should reference CVE-2023-22652 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
CVE-2023-30079
important
Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible.
CVE-2023-30630
moderate
The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.
CVE-2023-30772
moderate
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation.
The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled.
We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.
CVE-2023-3090
important
An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel 6.2. There is a blocking operation when a task is in !TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is called; the condition is dvb_frontend_test_event(fepriv,events). In dvb_frontend_test_event, down(&fepriv->sem) is called. However, wait_event_interruptible would put the process to sleep, and down(&fepriv->sem) may block the process.
CVE-2023-31084
moderate
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31124
low
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31130
moderate
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVE-2023-31147
moderate
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace
CVE-2023-31248
important
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
CVE-2023-3138
important
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak.
CVE-2023-3141
moderate
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
CVE-2023-31436
moderate
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVE-2023-31484
important
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails.
CVE-2023-3159
important
A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.
CVE-2023-3161
moderate
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
CVE-2023-32067
important
In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
CVE-2023-32233
important
An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability.
CVE-2023-32269
moderate
OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.
CVE-2023-32324
moderate
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents.
CVE-2023-32360
moderate
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.
CVE-2023-3268
moderate
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
CVE-2023-32681
moderate
An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition.
CVE-2023-33288
moderate
There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash.
CVE-2023-33460
moderate
A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.
CVE-2023-3358
moderate
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
CVE-2023-3390
important
OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.
The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.
Version 2.4.6 has a patch for this issue.
CVE-2023-34241
important
The fix for XSA-423 added logic to Linux'es netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece. Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together. Such an unusual packet would therefore trigger a
buffer overrun in the driver.
CVE-2023-34319
moderate
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. One of those
checks confirms that the modulus ('p' parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use a modulus which
is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus value
even if it has already been found to be too large.
An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulernable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVE-2023-3446
moderate
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
CVE-2023-34966
important
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
CVE-2023-34967
moderate
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
CVE-2023-34968
moderate
D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.
CVE-2023-34969
moderate
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
CVE-2023-35001
important
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
CVE-2023-3567
important
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.
CVE-2023-35788
important
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.
CVE-2023-35823
moderate
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.
CVE-2023-35824
moderate
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
CVE-2023-35828
moderate
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
CVE-2023-36054
important
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
CVE-2023-3609
moderate
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
CVE-2023-3611
moderate
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
CVE-2023-3772
moderate
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
CVE-2023-3776
moderate
An out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2023-3812
important
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.
An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVE-2023-3817
moderate
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
CVE-2023-38408
important
A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.
CVE-2023-3863
important
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
CVE-2023-39417
moderate
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
CVE-2023-39418
moderate
** DISPUTED ** Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.
CVE-2023-39615
moderate
Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.
CVE-2023-4016
low
**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains
that target AArch64 allows an attacker to exploit an existing buffer
overflow in dynamically-sized local variables in your application
without this being detected. This stack-protector failure only applies
to C99-style dynamically-sized local variables or those created using
alloca(). The stack-protector operates as intended for statically-sized
local variables.
The default behavior when the stack-protector
detects an overflow is to terminate your application, resulting in
controlled loss of availability. An attacker who can exploit a buffer
overflow without triggering the stack-protector might be able to change
program flow control to cause an uncontrolled loss of availability or to
go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
CVE-2023-4039
important
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
CVE-2023-4128
moderate
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
CVE-2023-4132
moderate
A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.
CVE-2023-4133
moderate
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-4134
moderate
A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
CVE-2023-4147
important
A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.
CVE-2023-4156
low
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.
CVE-2023-4194
moderate
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.
CVE-2023-4273
important
A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.
CVE-2023-4385
moderate
A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.
CVE-2023-4387
moderate
A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
CVE-2023-4459
moderate
Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.
CVE-2023-4504
important