Removed rpms ============ Added rpms ========== - wicked-nbft Package Source Changes ====================== ImageMagick + fix CVE-2022-44267 [bsc#1207982], denial of service when parsing a PNG image + fix CVE-2022-44268 [bsc#1207983], arbitrary file disclosure when parsing a PNG image + + ImageMagick-CVE-2022-44267,44268.patch + +- security update +- added patches apr-util +- security fix CVE-2022-25147, bsc#1207866: buffer overflow + possible with specially crafted input + + added patch apr-util-CVE-2022-25147.patch + bind +- Update to release 9.16.37 + Security Fixes: + * An UPDATE message flood could cause named to exhaust all + available memory. This flaw was addressed by adding a new + update-quota option that controls the maximum number of + outstanding DNS UPDATE messages that named can hold in a queue + at any given time (default: 100). (CVE-2022-3094) + * named could crash with an assertion failure when an RRSIG query + was received and stale-answer-client-timeout was set to a + non-zero value. This has been fixed. (CVE-2022-3736) + * named running as a resolver with the + stale-answer-client-timeout option set to any value greater + than 0 could crash with an assertion failure, when the + recursive-clients soft quota was reached. This has been fixed. + (CVE-2022-3924) + New Features: + * The new update-quota option can be used to control the number + of simultaneous DNS UPDATE messages that can be processed to + update an authoritative zone on a primary server, or forwarded + to the primary server by a secondary server. The default is + 100. A new statistics counter has also been added to record + events when this quota is exceeded, and the version numbers for + the XML and JSON statistics schemas have been updated. + Feature Changes: + * The Differentiated Services Code Point (DSCP) feature in BIND + has been deprecated. Configuring DSCP values in named.conf now + causes a warning to be logged. Note that this feature has only + been partly operational since the new Network Manager was + introduced in BIND 9.16.0. + * The catalog zone implementation has been optimized to work with + hundreds of thousands of member zones. + Bug Fixes: + * In certain query resolution scenarios (e.g. when following + CNAME records), named configured to answer from stale cache + could return a SERVFAIL response despite a usable, non-stale + answer being present in the cache. This has been fixed. + [bsc#1207471, bsc#1207473, bsc#1207475, jsc#SLE-24600] + +- Update to release 9.16.36 + Feature Changes: + * The auto-dnssec option has been deprecated and will be removed + in a future BIND 9.19.x release. Please migrate to + dnssec-policy. + Bug Fixes: + * When a catalog zone was removed from the configuration, in some + cases a dangling pointer could cause the named process to + crash. + * When a zone was deleted from a server, a key management object + related to that zone was inadvertently kept in memory and only + released upon shutdown. This could lead to constantly + increasing memory use on servers with a high rate of changes + affecting the set of zones being served. + * In certain cases, named waited for the resolution of + outstanding recursive queries to finish before shutting down. + * The zone /: final reference detached log message + was moved from the INFO log level to the DEBUG(1) log level to + prevent the named-checkzone tool from superfluously logging + this message in non-debug mode. + [jsc#SLE-24600] + curl +- Security Fix: [bsc#1207992, CVE-2023-23916] + * HTTP multi-header compression denial of service + * Add curl-CVE-2023-23916.patch + +- Security Fixes: + * HSTS ignored on multiple requests [bsc#1207990, CVE-2023-23914] + * HSTS amnesia with --parallel [bsc#1207991, CVE-2023-23915] + * Add curl-CVE-2023-23914-23915.patch + f2fs-tools +- Replace transitional %usrmerged macro with regular version check (boo#1206798) + graphite2 +- fixed license string [bsc#1207676]: + LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later + -- Remove harfbuzz dep. Breaks another buildcycle. - This effectively means we are not running tests. No functional - changes otherwise. - -- Remove texlive dep to remove dep circle. - -- Use rpath so the tests work. - -- Enable the tests. They work on 13.1 but fail on Factory... - -- Version bump to 1.2.4: - * Various bugfixes - * Expanded testsuite -- Remove graphite2-arm.patch - applied upstream -- Add patches from debian: - * soname.diff - * no-specific-nunit-version.diff -- Run^Wdocument tests and generate documentation - -- Use cmake macros for nice and tidy setup. - -- Add baselibs.conf and provide libgraphite2-3-32bit, which is at - this moment required by harfbuzz. - -- graphite2-arm.patch :Fix build in arm and possible other platforms, we should - notuse -nodefaultlibs as a linker flag and let the system - do its job automatically. -- freetype-devel should be freetype2-devel - -- license update: LGPL-2.1+ or GPL-2.0+ or MPL-1.1 - See License file (most source code notices concur) - -- Whitespace trying to figure out why spec file is interpreted as - binary. - -- Fix desc not to mention libexttextcat. - -- Initial commit version 1.2.0. - kernel-default +- aquantia: Do not purge addresses when setting the number of + rings (jsc#PED-1530). +- commit 39a03b2 + +- net: atlantic: macsec: clear encryption keys from the stack + (jsc#PED-1530). +- commit 643f719 + +- atlantic: fix deadlock at aq_nic_stop (jsc#PED-1530). +- commit 4a9a64f + +- net: atlantic: fix potential memory leak in aq_ndev_close() + (jsc#PED-1530). +- commit 719db2f + +- net: atlantic: remove aq_nic_deinit() when resume + (jsc#PED-1530). +- commit ff2f581 + +- net: atlantic: remove deep parameter on suspend/resume functions + (jsc#PED-1530). +- commit 9e96b4d + +- net: atlantic:fix repeated words in comments (jsc#PED-1530). +- commit d6d4ffb + +- net: atlantic: verify hw_head_ lies within TX buffer ring + (jsc#PED-1530). +- commit 7059ede + +- net: atlantic: add check for MAX_SKB_FRAGS (jsc#PED-1530). +- commit e719b81 + +- net: atlantic: reduce scope of is_rsc_complete (jsc#PED-1530). +- commit b04c254 + +- net: atlantic: fix "frag[0] not initialized" (jsc#PED-1530). +- commit 0263576 + +- Update + patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bsc#1207036 CVE-2023-23454). +- commit 521fdca + +- Update + patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch + (bsc#1207361 bc#1207125 CVE-2023-23455). +- commit c8b6243 + +- io_uring/poll: fix poll_refs race with cancelation (bsc#1207511 + CVE-2023-0468). +- io_uring: make poll refs more robust (bsc#1207511 + CVE-2023-0468). +- io_uring: cmpxchg for poll arm refs release (bsc#1207511 + CVE-2023-0468). +- io_uring: fix tw losing poll events (bsc#1207511 CVE-2023-0468). +- io_uring: update res mask in io_poll_check_events (bsc#1207511 + CVE-2023-0468). +- commit 4fe9bfe + +- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and + wakeups (bsc#1207100). +- eventfd: provide a eventfd_signal_mask() helper (bsc#1207100). +- eventpoll: add EPOLL_URING_WAKE poll wakeup flag (bsc#1207100). +- commit 9e5a117 + +- fbdev: Fix invalid page access after closing deferred I/O + devices (bsc#1207284). +- commit 6a8d940 + +- ipmi:ssif: Add 60ms time internal between write retries + (bsc#1206459). +- ipmi:ssif: Increase the message retry time (bsc#1206459). +- commit 14626c0 + less +- Apply "cve-2022-46663.patch" to fix a vulnerability in less that + could be exploited for denial-of-service attacks or even remote + code execution by printing specially crafted escape sequences to + the terminal. [CVE-2022-46663, bsc#1207815] + mozilla-nss +- update to NSS 3.79.4 (bsc#1208138) + * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. + (CVE-2023-0767) + tiff + * CVE-2022-48281 [bsc#1207413] + + tiff-CVE-2022-48281.patch + +- security update: yast2-bootloader +- make secure boot for ppc64 consistent with how secure boot works + on other architectures (bsc#1206295) +- 4.5.8 + yast2-iscsi-client +- Expose all core functionality from IscsiClientLib, with options + to suppress usage of pop-ups (related t gh#yast/d-installer#402). + +- Finish client: copy the content of both /etc/iscsi and + /var/lib/iscsi (bsc#1207374). +- Finish client: never enable both the iscsid socket and the + service (partial fix for bsc#1207839). +- 4.5.7 + yast2-network +- Fix calling method read on nil crash in bootloader caused by + not restoring SCR chroot in save_network client when running + in autoyast (bsc#1207968) +- 4.5.16 + yast2-packager +- Prevent crash if nil dependencies instead of [] (bsc#1208068) +- 4.5.14 +