Removed rpms
============

- clang11-devel
- clang11-devel-32bit
- cluster-md-kmp-preempt
- dlm-kmp-preempt
- fedfs-utils-admin
- gfs2-kmp-preempt
- glibc-livepatches
- hypre-gnu-mpich-hpc-devel
- hypre-gnu-mvapich2-hpc-devel
- hypre-gnu-openmpi2-hpc-devel
- hypre-gnu-openmpi3-hpc-devel
- hypre-gnu-openmpi4-hpc-devel
- kernel-64kb-livepatch-devel
- kernel-azure-livepatch-devel
- kernel-debug-livepatch-devel
- kernel-default-livepatch
- kernel-default-livepatch-devel
- kernel-docs-rt
- kernel-docs-rt-html
- kernel-kvmsmall-livepatch-devel
- kernel-preempt
- kernel-preempt-devel
- kernel-preempt-extra
- kernel-preempt-livepatch-devel
- kernel-preempt-optional
- kernel-rt-livepatch
- kernel-rt-livepatch-devel
- kernel-rt_debug-livepatch-devel
- kernel-vanilla
- kernel-vanilla-base
- kernel-vanilla-devel
- kernel-vanilla-livepatch-devel
- kselftests-kmp-preempt
- libboost_graph_parallel1_66_0-devel
- libboost_mpi1_66_0-devel
- libboost_mpi_python-py3-1_66_0-devel
- libebl-devel
- libscalapack2-gnu-mpich-hpc
- libscalapack2-gnu-mpich-hpc-devel
- libscalapack2-gnu-mvapich2-hpc
- libscalapack2-gnu-mvapich2-hpc-devel
- libscalapack2-gnu-openmpi2-hpc
- libscalapack2-gnu-openmpi2-hpc-devel
- libscalapack2-gnu-openmpi3-hpc
- libscalapack2-gnu-openmpi3-hpc-devel
- libscalapack2-gnu-openmpi4-hpc
- libscalapack2-gnu-openmpi4-hpc-devel
- libsvrcore0-32bit
- libtrilinos-gnu-mpich-hpc
- libtrilinos-gnu-mvapich2-hpc
- libtrilinos-gnu-openmpi2-hpc
- libtrilinos-gnu-openmpi3-hpc
- libtrilinos-gnu-openmpi4-hpc
- libtrilinos_13_2_0-gnu-mpich-hpc
- libtrilinos_13_2_0-gnu-mpich-hpc13
- libtrilinos_13_2_0-gnu-mvapich2-hpc
- libtrilinos_13_2_0-gnu-mvapich2-hpc13
- libtrilinos_13_2_0-gnu-openmpi2-hpc
- libtrilinos_13_2_0-gnu-openmpi2-hpc13
- libtrilinos_13_2_0-gnu-openmpi3-hpc
- libtrilinos_13_2_0-gnu-openmpi3-hpc13
- libtrilinos_13_2_0-gnu-openmpi4-hpc
- libtrilinos_13_2_0-gnu-openmpi4-hpc13
- lldb11-devel
- mumps-gnu-mpich-hpc-devel
- mumps-gnu-mpich-hpc-doc
- mumps-gnu-mpich-hpc-examples
- mumps-gnu-mvapich2-hpc-devel
- mumps-gnu-mvapich2-hpc-doc
- mumps-gnu-mvapich2-hpc-examples
- mumps-gnu-openmpi2-hpc-devel
- mumps-gnu-openmpi2-hpc-doc
- mumps-gnu-openmpi2-hpc-examples
- mumps-gnu-openmpi3-hpc-devel
- mumps-gnu-openmpi3-hpc-doc
- mumps-gnu-openmpi3-hpc-examples
- mumps-gnu-openmpi4-hpc-devel
- mumps-gnu-openmpi4-hpc-doc
- mumps-gnu-openmpi4-hpc-examples
- mumps_5_3_5-gnu-mpich-hpc-devel
- mumps_5_3_5-gnu-mpich-hpc-devel-static
- mumps_5_3_5-gnu-mpich-hpc-doc
- mumps_5_3_5-gnu-mpich-hpc-examples
- mumps_5_3_5-gnu-mvapich2-hpc-devel
- mumps_5_3_5-gnu-mvapich2-hpc-devel-static
- mumps_5_3_5-gnu-mvapich2-hpc-doc
- mumps_5_3_5-gnu-mvapich2-hpc-examples
- mumps_5_3_5-gnu-openmpi2-hpc-devel
- mumps_5_3_5-gnu-openmpi2-hpc-devel-static
- mumps_5_3_5-gnu-openmpi2-hpc-doc
- mumps_5_3_5-gnu-openmpi2-hpc-examples
- mumps_5_3_5-gnu-openmpi3-hpc-devel
- mumps_5_3_5-gnu-openmpi3-hpc-devel-static
- mumps_5_3_5-gnu-openmpi3-hpc-doc
- mumps_5_3_5-gnu-openmpi3-hpc-examples
- mumps_5_3_5-gnu-openmpi4-hpc-devel
- mumps_5_3_5-gnu-openmpi4-hpc-devel-static
- mumps_5_3_5-gnu-openmpi4-hpc-doc
- mumps_5_3_5-gnu-openmpi4-hpc-examples
- mypy
- nanopb-source
- nemo-extension-compare
- netty-javadoc
- netty-poms
- ocaml-cppo
- ocaml-cppo-devel
- ocfs2-kmp-preempt
- openssl-1_1-livepatches
- petsc-gnu-mpich-hpc-devel
- petsc-gnu-mvapich2-hpc-devel
- petsc-gnu-openmpi2-hpc-devel
- petsc-gnu-openmpi3-hpc-devel
- petsc-gnu-openmpi4-hpc-devel
- postgresql15-devel-mini
- python3-ibus
- python3-libxml2-python
- python3-tagpy
- reiserfs-kmp-preempt
- ruby2.5-rubygem-cf-uaac
- ruby2.5-rubygem-cf-uaac-doc
- ruby2.5-rubygem-cf-uaac-testsuite
- sassc
- svrcore-devel
- systemd-mini
- tftpboot-installation-openSUSE-Leap-15.5-Beta-aarch64
- tftpboot-installation-openSUSE-Leap-15.5-Beta-ppc64le
- tftpboot-installation-openSUSE-Leap-15.5-Beta-s390x
- tftpboot-installation-openSUSE-Leap-15.5-Beta-x86_64
- tycho-extras
- tycho-extras-javadoc
- xml-commons-resolver10
- xml-commons-resolver11
- xml-commons-resolver12
- zypper-migration-plugin

Added rpms
==========

- aardvark-dns
- libbpf0
- libbpf0-32bit
- liblmdb-0_9_17
- liblmdb-0_9_17-32bit
- tftpboot-installation-openSUSE-Leap-15.5-aarch64
- tftpboot-installation-openSUSE-Leap-15.5-ppc64le
- tftpboot-installation-openSUSE-Leap-15.5-s390x
- tftpboot-installation-openSUSE-Leap-15.5-x86_64

Package Source Changes
======================

avahi +- Add avahi-CVE-2023-1981.patch: emit error if requested service + is not found (boo#1210328 CVE-2023-1981). + +- switch to use _multibuild +- delete _avahi_spec-prepare.sh, pre_checkin.sh: obsolete +- use https urls + bcache-tools +- bcache-tools: improve is_zoned_device() (bsc#1208425) + 0029-bcache-tools-improve-is_zoned_device.patch + -- removed unnecessary openssl-devel buildrequires - chromium +- Chromium 112.0.5615.165 (boo#1210618): + * CVE-2023-2133: Out of bounds memory access in Service Worker API + * CVE-2023-2134: Out of bounds memory access in Service Worker API + * CVE-2023-2135: Use after free in DevTools + * CVE-2023-2136: Integer overflow in Skia + * CVE-2023-2137: Heap buffer overflow in sqlite +- drop chromium-112-feed_protos.patch + +- Fix Leap 15.4 build failures from default comparison operators + defined outside of the class definition, a C++20 feature + adding chromium-112-default-comparison-operators.patch + clamav-database +- database refresh on 2023-04-24 (bsc#1084929) + containerized-data-importer +- Use recent golang compiler (bsc#1208916) + dmidecode +- use-read_file-to-read-from-dump.patch: Fix an old harmless bug + which would prevent root from using the --from-dump option since + the latest security fixes (bsc#1210418). + +Security fixes (CVE-2023-30630) +- dmidecode-split-table-fetching-from-decoding.patch: dmidecode: + Clean up function dmi_table so that it does only one thing + (bsc#1210418). 
+- dmidecode-write-the-whole-dump-file-at-once.patch: When option + - -dump-bin is used, write the whole dump file at once, instead of + opening and closing the file separately for the table and then + for the entry point (bsc#1210418). +- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch: + Make sure that the file passed to option --dump-bin does not + already exist (bsc#1210418). +- ensure-dev-mem-is-a-character-device-file.patch: Add a safety + check on the type of the mem device file we are asked to read + from, if we are root (bsc#1210418). + 3 recommended fixes from upstream: +- dmioem-typo-fix-virutal-virtual.patch: Simple typo fix in a + user-visible string. +- dmidecode-fortify-entry-point-length-checks.patch: Ensure that + the SMBIOS entry point is long enough to include all the fields + we need. +- dmioem-hpe-oem-record-237-firmware-change.patch: Properly decode + the last field of HPE OEM record type 237. + dtb-aarch64 +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). 
+- commit 12594bd + grub2 +- Fix PowerVS deployment fails to boot with 90 cores (bsc#1208581) + * 0001-kern-ieee1275-init-Convert-plain-numbers-to-constant.patch + * 0002-kern-ieee1275-init-Extended-support-in-Vec5.patch + hawk2 +- Update sass-ansible dependency in the hawk2.spec: + * Unable to activate sass-rails-5.1.0 (bsc#1208533) + indent +- Fix memory safety issues, bsc#1209718 + * fix-buffer-overflow-print_comment.patch + * fix-buffer-overread-found_keyword.patch + * fix-use-after-free.patch + -- Fix compiler warnings. - jettison +- Upgrade to version 1.5.4 + * Fixes: + + Fixing issue 60: Infinite recursion triggered when + constructing a JSONArray from a Collection (bsc#1209605, + CVE-2023-1436) + kernel-64kb +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-azure +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). 
+- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-debug +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-default +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). 
+- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-default-base +- Do not build on s390 (bsc#1210729) + kernel-docs +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-kvmsmall +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-obs-build +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). 
+- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-obs-qa +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-rt +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). 
+- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-rt_debug +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-source +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). 
+- commit 12594bd + kernel-source-azure +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-source-rt +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. 
+- commit 8ba35ca + kernel-syms +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + kernel-syms-azure +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-syms-rt +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). 
+- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). +- commit 12594bd + +- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock + (bsc#1210158). +- commit bca1250 + +- rpm/constraints.in: increase the disk size for armv6/7 to 24GB + It grows and the build fails recently on SLE15-SP4/5. +- commit 8ba35ca + kernel-zfcpdump +- ovl: fail on invalid uid/gid mapping at copy up (CVE-2023-0386 + bsc#1209615). +- commit 92426ca + +- vmxnet3: use gro callback when UPT is enabled (bsc#1209739). +- commit 507557e + +- Update CVE reference to + patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch + (git-fixes bsc#1210454 CVE-2023-2019). +- commit 75fc91b + +- Update CVE reference to patches.suse/udmabuf-add-back-sanity-check.patch + (jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 + jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 + CVE-2023-2008). +- commit 342d08e + +- nfc: st-nci: Fix use after free bug in ndlc_remove due to race + condition (git-fixes bsc#1210337 CVE-2023-1990). 
+- commit 12594bd + kubevirt +- Use recent golang compiler (bsc#1208916) +- Limit operator secrets permission (CVE-2023-26484, bsc#1209359) + 0003-Vulnerability-fix-limit-operator-secrets-permission.patch + libxml2 +- Security update: + * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings + isn't deterministic + - Added patch libxml2-CVE-2023-29469.patch + * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in + xmlSchemaFixupComplexType + - Added patch libxml2-CVE-2023-28484-1.patch + - Added patch libxml2-CVE-2023-28484-2.patch + +- Remove unneeded dependency (bsc#1209918). + libxml2:python +- Security update: + * [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings + isn't deterministic + - Added patch libxml2-CVE-2023-29469.patch + * [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in + xmlSchemaFixupComplexType + - Added patch libxml2-CVE-2023-28484-1.patch + - Added patch libxml2-CVE-2023-28484-2.patch + +- Remove unneeded dependency (bsc#1209918). + mariadb +- Update to 10.6.12: + https://mariadb.com/kb/en/library/mariadb-10612-release-notes + https://mariadb.com/kb/en/library/mariadb-10612-changelog + https://mariadb.com/kb/en/library/mariadb-10611-release-notes + https://mariadb.com/kb/en/library/mariadb-10611-changelog + * fixes for the following security vulnerabilities: + 10.6.12: none + 10.6.11: none +- Update mariadb.keyring +- Update list of skipped tests + mozilla-nss +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with + fixes to PBKDF2 parameter validation. + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to + validate extra PBKDF2 parameters according to FIPS 140-3. + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to + update session->lastOpWasFIPS before destroying the key after + derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, + CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, + CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. 
+- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some + excess code. + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546). + +- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency + checks. Thanks to Martin for the DHKey parts. + +- Add manpages to mozilla-nss-tools (bsc#1208242) + netty +- Upgrade to latest upstream version 4.1.75 +- Modified patches: + * 0001-Remove-optional-dep-Blockhound.patch + * 0002-Remove-optional-dep-conscrypt.patch + * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch + * 0004-Remove-optional-dep-tcnative.patch + * 0005-Remove-optional-dep-log4j.patch + * 0006-revert-Fix-native-image-build.patch + * 0007-Revert-Support-session-cache-for-client-and-server-w.patch + + rebase + +- Do not build against the log4j12 packages + +- Upgrade to latest upstream version 4.1.72 + * fixes: bsc#1190610, CVE-2021-37136: Bzip2Decoder doesn't allow + setting size restrictions for decompressed data + * fixes: bsc#1190613, CVE-2021-37137: SnappyFrameDecoder doesn't + restrict chunk length any may buffer skippable chunks in an + unnecessary way + * fixes: bsc#1193672, CVE-2021-43797: possible HTTP request + smuggling due to insufficient validation against control + characters + * fixes: bsc#1184203, CVE-2021-21409: request smuggling via + content-length header +- Modified patches: + * 0001-Remove-optional-dep-Blockhound.patch + * 0002-Remove-optional-dep-conscrypt.patch + * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch + * 0004-Remove-optional-dep-tcnative.patch + * 0005-Remove-optional-dep-log4j.patch + * 0006-revert-Fix-native-image-build.patch + * 0007-Revert-Support-session-cache-for-client-and-server-w.patch + * no-werror.patch + + rediff to changed context +- Added patch: + * no-brotli-zstd.patch + + disable Brotli and Zstd compression, since we lack + the dependencies needed to build them + +- Upgrade to latest upstream version 4.1.60 + * fixes: bsc#1183262, CVE-2021-21295: HTTP/2 request + Content-Length 
header field is not validated by + 'Http2MultiplexHandler' +- Modified patches: + * 0001-Remove-optional-dep-Blockhound.patch + * 0002-Remove-optional-dep-conscrypt.patch + * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch + * 0004-Remove-optional-dep-tcnative.patch + * 0005-Remove-optional-dep-log4j.patch + * 0006-revert-Fix-native-image-build.patch + + rediff to changed context +- Added patch: + * 0007-Revert-Support-session-cache-for-client-and-server-w.patch + + revert optional disabled cache implementation that conflicts + with our 0004-Remove-optional-dep-tcnative.patch + +- Upgrade to latest upstream version 4.1.59 +- Removed patches: + * netty-CVE-2020-11612.patch + * netty-CVE-2021-21290.patch + + fixes integrated in the upstream sources + * 0001-Remove-OpenSSL-parts-depending-on-tcnative.patch + * 0002-Remove-NPN.patch + * 0003-Remove-conscrypt-ALPN.patch + * 0004-Remove-jetty-ALPN.patch + + replaced by new patches +- Added patches: + * 0001-Remove-optional-dep-Blockhound.patch + * 0002-Remove-optional-dep-conscrypt.patch + * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch + * 0004-Remove-optional-dep-tcnative.patch + * 0005-Remove-optional-dep-log4j.patch + + remove various optional dependencies that we do not need + * 0006-revert-Fix-native-image-build.patch + + Revert changes that introduce a new dependency that we + do not have + * no-werror.patch + + Do not treat warnings as errors +- Build -poms and -javadoc as noarch packages, since they do not + install anything in arch-dependent directories + - * netty-CVE-2021-21295.patch - + backport of upstream fixes for bsc#1183262, CVE-2021-21295: - HTTP/2 request Content-Length header field is not validated - by 'Http2MultiplexHandler' + * netty-CVE-2021-21290.patch + + bsc#1182103, CVE-2021-21290 newt -- Make it build with latest TeXLive 2012 with new package layout - -- update to 0.52.14: - + fix returning strings in whiptail and whiptcl (rh#752818) - + fix configure to work with multiple python 
versions (rh#737998) -- removed newt-0.52.13-python_version.patch : fixed upstream -- compile with fPIC - fixes problems with _snackmodule.so - thanks to Joerg Steffens (bnc#734171) -- newt-doc recommends the main package as the examples need it -- added newt-0.52.14-incorrect-fsf-address.patch - -- Remove redundant tags/sections per specfile guideline suggestions - -- update to 0.52.13: - + add support for changing colors in individual labels, scrollbars, entries, - textboxes and scales, add custom colorsets - + add support for NEWT_COLORS and NEWT_COLORS_FILE variables (rh#689903) - + allow resizing of form - + fix errors found by coverity - + fix va_list usage (Gwenole Beauchesne) - + fix building and installing on Mac OS X (rh#652479) - + check for slang.h header, support DESTDIR variable, add --without-python - option (Otavio Salvador) - + add Persian, Low German translations -- added newt-0.52.13-python_version.patch to fix detection of - python version in configure script - -- add comment to keep static lib - -- fix baselibs.conf - o newt > libnewt0_52 -- fix naming - o define libname libnewt - o define libsoname {libname}0_52 -- fix deps - o add pkg-config - o move {py_requires} to subpkg python-newt -- remove Author from description - -- update to 0.52.12: - + fix whiptail --gauge and its description in man page (#620083) - + remove space after \n in whiptail texts (#620083) - + remove NLS code from snack (#599608) - + expose more keys to python as shortcuts in dialogs (Jakob Kemi) - + release python global-thread-lock during dialog displays (Jakob Kemi) - + fix warnings in whiptcl.c and include Tcl_PkgProvide() call (Mikhail T.) 
- + don't NULL deref when an invalid array is specified in checkboxtree - (Arnaldo Carvalho de Melo) -- build on older distributions by owning locale/as - -- package baselibs.conf - -- update to 0.52.11 - * fix buffer overflow in textbox when reflowing (#523955, CVE-2009-2905) - * use full textbox width when reflowing and allow minimal width 1 - * fix writing lines longer than width in textbox - * don't use va_list in newtvwindow more than once (#523696) - * bind \E[Z to back-tab in built-in keymap (#468046) - * terminate string after reading file in whiptail - * add newtRadioSetCurrent function (Thomas Jarosch) - * add pkgconfig support (Thomas Jarosch) - * add Malay, Malayalam, Assamese, Gujarati, Bengali India, Kannada, Telugu - translations - * include tutorial in txt format - * include debian patches - - fix crash in textbox SetText when topLines != 0 - - don't link modules with libraries already linked with libnewt - - add Asturian and Marathi translations -- cleanup spec - * sorted TAGS - * macros __make, __install, ... - name -> {name} - version -> {version} - buildroot -> {buildroot} - _defaultdocdir -> {_defaultdocdir} - .... -- removed obsolete newt-CVE-2009-2905.patch - -- fix heap-based buffer overflow in function doReflow in textbox.c - (fix bnc#540930 and CVE-2009-2905 : newt-CVE-2009-2905.patch) - openssl-ibmca +- Applies a patch (bsc#1210359) + * openssl-ibmca-engine-noregister.patch +- Updated the '#dynamic_path' line, as it was before, with the comment '#'. 
+ ovmf +- Add ovmf-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch + to check result of GetEfiGlobalVariable2 (CVE-2019-14560, bsc#1174246) + +- Add ovmf-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch + for MdeModulePkg/PiSmmCore: SmmEntryPoint underflow (CVE-2021-38578) + (bsc#1196741) + package-translations +- Update to version 89.87.20230417.43910d3: + * Translated using Weblate (Czech) + * Added translation using Weblate (Georgian) + * Translated using Weblate (Finnish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated 
using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Polish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Spanish) + * Translated using Weblate (Swedish) + * Added translation using Weblate (Georgian) + parsec +- Update to 1.2.0: + * Closed issue since 1.2.0-rc1: + - Parsec 1.1 fails to build with meta-security master branch + +- Disable jwt-svid-authenticator (SPIFFE) until fixed upstream + with gcc13 - https://github.com/parallaxsecond/parsec/issues/672 + +- Update to 1.2.0-rc1 +- Drop upstream patch: + * 664.patch + +- Add patch to fix build on Tumbleweed (update tss-esapi to 7.2.0): + * 664.patch +- Add true to _service to apply + security updates +- Use cargo-packaging for all flavors +- Enable cargo_audit + parsec-tool +- Update to 0.6.0: + * Update (embedded) changelog + +- Update to 0.6.0-rc2: + * Align crates version with parsec-service + +- Update to 0.6.0-rc1: + * Bump parsec-client + * Allow to exclude algorithms for encryption/decryption tests + * Add support for RSA OAEP into parsec-tool and parsec-cli-tests.sh + * Fix clippy needless_borrow warnings + * Update lib.rs to remove const_err +- Add true to _service to apply + security updates +- Use cargo-packaging for all flavors +- Enable cargo_audit + podman +- Update to version 4.4.4: + * Bump to v4.4.4 + * Release notes for v4.4.4 + * libpod: always use direct mapping + * macos pkginstaller: do not fail when podman-mac-helper fails + * podman-mac-helper: install: do not error if already installed + * Bump to v4.4.4-dev +- spec: Bump required version for libcontainers-common (bsc#1209495) + +- Update to version 4.4.3: + * Bump to v4.4.3 + * Release notes for v4.4.3 + * compat: /auth: parse server address correctly + * vendor github.com/containers/common@v0.51.1 + * pkginstaller: bump Qemu to version 7.2.0 + * podman machine: Adjust Chrony makestep config + * [v4.4] fix --health-on-failure=restart in 
transient unit + * podman logs passthrough driver support --cgroups=split + * journald logs: simplify entry parsing + * podman logs: read journald with passthrough + * journald: remove initializeJournal() + * netavark: only use aardvark ip as nameserver + * compat API: network create return 409 for duplicate + * fix "podman logs --since --follow" flake + * system service --log-level=trace: support hijack + * podman-mac-helper: exit 1 on error + * bump golang.org/x/net to v0.8.0 + * Fix package restore + * Quadlet - use the default runtime + * Bump to v4.4.3-dev +- Remove patch (merged upstream): + * Quadlet-use-the-default-runtime.patch + (https://github.com/containers/podman/pull/17601) + rp-pppoe +- Require iproute2 instead of net-tools + -- updated patches to apply with fuzz=0 - runc -- Update to runc v1.1.4. Upstream changelog is available from - https://github.com/opencontainers/runc/releases/tag/v1.1.4. - * Fix mounting via wrong proc fd. When the user and mount namespaces are - used, and the bind mount is followed by the cgroup mount in the spec, - the cgroup was mounted using the bind mount's mount fd. - * Switch kill() in libcontainer/nsenter to sane_kill(). - * Fix "permission denied" error from runc run on noexec fs. - * Fix failed exec after systemctl daemon-reload. Due to a regression - in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and - was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. - (boo#1202821) +- Update to runc v1.1.5. Upstream changelog is available from + . + Includes fixes for the following CVEs: + - CVE-2023-25809 bsc#1209884 + - CVE-2023-27561 bsc#1208962 + - CVE-2023-28642 bsc#1209888 + * Fix the inability to use `/dev/null` when inside a container. + * Fix changing the ownership of host's `/dev/null` caused by fd redirection + (a regression in 1.1.1). bsc#1168481 + * Fix rare runc exec/enter unshare error on older kernels. + * nsexec: Check for errors in `write_log()`. 
+- Drop version-specific Go requirement. sddm +- Add patch to fix delays on shutdown (boo#1210391): + * 0001-Avoid-starting-a-new-session-on-exit.patch + +- Replace proper_pam.diff with installation of source files: + * sddm.pam, sddm-autologin.pam, sddm-greeter.pam +- PAM services: + * Make use of substack for common-* + * Include postlogin-* + * Run pam_keyinit before common-session + * Deny password in sddm-greeter +- /run/sddm is owned by root:root +- Add patch to fix possible deadlock: + * 0001-Process-all-available-auth-messages-in-a-loop.patch +- Add missing dependencies on update-alternatives + +- Migration of PAM settings to /usr/lib/pam.d. + +- Honor /etc/nologin like login, sshd, xdm and gdm do + * added: auth requisite pam_nologin.so to proper_pam.diff + * see: man 5 nologin + slang -- add automake as buildrequire to avoid implicit dependency - -- fix baselibs.conf - -- disabled parallel build again, still broken - -- updated to version 2.2.2 - + new languag features - * ternary expressions - * break and condition statements can now work on several levels - of loops - * multiline strings - * List_Type objects can now also be indexed using an array of - indices - + new modules: zlib, fork, sysconf - + new intrinsic functions: sumsq, expm1, log1p, list_to_array, - string_matches, _close, _fileno, dup2, getsid, killpg, - getpriority, setpriority, ldexp, frexp - + provides pkg-info file - + many bugfixes -- split package to conform to library naming policy -- rebased patches, removed obsolete slang-2.2.1-format.patch -- added patch slang-2.2.2-makefile.patch from Fedora which fixes - shared libs permissions, the slang shared library symlink, and - parallel build dependency issues and removes rpath -- build pcre, png, and zlib modules -- removed incorrect license information -- more accurate summary and description -- further cleanup - -- unbreak occasional build failures by disabling parallel make. 
- -- fixed better - -- include headers to fix build - -- add baselibs.conf as a source -- enable parallel build - trilinos +- Add an 'Obsoletes:/Provides:' for a bogus package name that + was released to SLE/Leap by accident. + This may be removed once we move past version 13.2.0. + +- Tie %python_flavor to python3 on Leap/SLE 15 < SP3 + (bsc#1197781). + +- Make use of the newly introduced %%hpc_pyton_sitelib macro. + +- Fix python modules to use the right include and lib dir: + Make-include-and-library-path-configurable-using-Cmake-variables.patch + See also: https://github.com/gsjaardema/seacas/pull/279 +- Make sure python modules for serial and MPI variants don't + overlap. + NOTE: mpi-selector is not setting PYTHONPATH! +- Free package of all python2 traces. + +- Lower disk and memory constraints to match actual requirements, + dito %limit_build (now 16 GByte disk and 5 GByte memory). +- Add memoryperjob constraint for a worker preselection, so + limit_build only lowers the number of jobs slightly. +- Fix cmake files for non-HPC MPI build. +- Add openmpi4 non-HPC flavor + + See also: https://github.com/trilinos/Trilinos/issues/10100 valgrind +- Build without -z now (bsc#1208407) + valgrind:client-headers +- Build without -z now (bsc#1208407) + wireshark +- Wireshark 3.6.13: + * CVE-2023-1992: RPCoRDMA dissector crash (bsc#1210405). + * CVE-2023-1993: LISP dissector large loop (bsc#1210404). + * CVE-2023-1994: GQUIC dissector crash (bsc#1210403). +- Further features, bug fixes and updated protocol support as listed in: + https://www.wireshark.org/docs/relnotes/wireshark-3.6.13.html +
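Review bot: In the package-translations entry for 89.87.20230417.43910d3, the line "Translated using Weblate (Polish)" is repeated dozens of times, and "Added translation using Weblate (Georgian)" and "Translated using Weblate (Spanish)" each appear twice. The repeats carry no information; list each language once, or give a count per language, so the CVE-bearing entries on either side (ovmf, runc, wireshark) are not buried.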
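Review bot: In the parsec entry (and again in parsec-tool), "Add true to _service to apply security updates" does not say which _service parameter is being set to true, so the change cannot be checked from the changelog alone; name the parameter. The line "Disable jwt-svid-authenticator (SPIFFE) until fixed upstream with gcc13" removes an authenticator from the build and should state that deployments relying on SPIFFE authentication are affected by this update.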
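Review bot: In the runc v1.1.5 entry, "Upstream changelog is available from" is followed only by "." with no link, whereas the removed v1.1.4 entry carried the release URL; restore the link for the new version. The three CVE lines (CVE-2023-25809, CVE-2023-27561, CVE-2023-28642) give only bsc numbers; a short description per CVE, as the wireshark 3.6.13 entry does, would let a reader judge exposure without looking each one up.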
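Review bot: In the trilinos entry, "%%hpc_pyton_sitelib" looks like a misspelling ("pyton"); check it against the macro name actually used in the spec file so the changelog stays searchable, and correct "dito %limit_build" to "ditto". The note "mpi-selector is not setting PYTHONPATH!" describes a limitation but not what the user must do about it; add the expected workaround or a bug reference.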