References : 1047218 1071995 1074971 1080978 1081495 1081495 1084533 1084842
1085785 1086185 1094680 1095817 1096008 1096677 1098017 1099119
1099192 1100504 1102522 1104821 1105000 1108038 1109412 1109413
1109414 1111996 1112534 1112535 1113247 1113252 1113255 1113313
1113978 1114209 1114209 1114592 1114832 1116827 1118644 1118830
1118831 1118897 1118897 1118898 1118898 1118899 1118899 1119634
1119706 1120640 1121034 1121035 1121056 1121397 1121967 1123013
1124644 1126826 1126829 1126831 1128376 1128746 1128794 1129389
1131264 1133131 1133232 1134068 1140126 1141190 1141897 1141913
1142649 1142649 1142772 1143609 1146475 1148517 1149145 1150164
1152590 1153768 1153770 1154016 1154025 1157755 1160086 1160254
1160590 1160590 1161913 1163333 1163744 1164903 1167939 1167939
1172608 1172798 1175132 1177047 1178577 1178614 1178624 1178675
1179036 1179341 1179898 1179899 1179900 1179901 1179902 1179903
1180451 1180454 1180461 1180713 1181452 1181618 1182252 1182345
1183043 1183511 1183909 1184519 1184620 1184794 1185348 1186642
1188941 1190589 1190649 1190649 1190649 1190649 1190649 1190649
1190649 1190649 1190649 1191468 1191473 1192267 1192377 1192378
1193597 1193598 1195628 1195834 1195835 1195838 1196107 1196732
1198062 1198237 1198423 1198424 1198922 CVE-2018-1000876 CVE-2018-16873
CVE-2018-16873 CVE-2018-16874 CVE-2018-16874 CVE-2018-16875 CVE-2018-16875
CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-17985 CVE-2018-18309
CVE-2018-18483 CVE-2018-18484 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607
CVE-2018-19931 CVE-2018-19932 CVE-2018-20623 CVE-2018-20651 CVE-2018-20671
CVE-2018-6323 CVE-2018-6543 CVE-2018-6759 CVE-2018-6872 CVE-2018-7187
CVE-2018-7187 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570
CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2019-1010180 CVE-2019-12972
CVE-2019-14250 CVE-2019-14250 CVE-2019-14444 CVE-2019-15847 CVE-2019-17450
CVE-2019-17451 CVE-2019-5736 CVE-2019-6486 CVE-2019-9074 CVE-2019-9075
CVE-2019-9077 CVE-2020-13844 CVE-2020-16590 CVE-2020-16591 CVE-2020-16592
CVE-2020-16593 CVE-2020-16598 CVE-2020-16599 CVE-2020-35448 CVE-2020-35493
CVE-2020-35496 CVE-2020-35507 CVE-2021-20197 CVE-2021-20284 CVE-2021-20294
CVE-2021-3487 CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772
CVE-2021-44716 CVE-2021-44717 CVE-2022-1271 CVE-2022-23772 CVE-2022-23773
CVE-2022-23806 CVE-2022-24675 CVE-2022-24921 CVE-2022-28327 ECO-368
SLE-6206 SLE-6738
1081495,1085785,CVE-2018-7187
This update for go and go1.9 fixes the following issues:
The following security issues have been addressed for both packages:
- CVE-2018-7187: Fixed the validation of the import path in the go get command,
which allowed for arbitrary command execution via VCS path when the -insecure
flag is used (bsc#1081495)
The following other changes have been made for go1.9:
- Fixes to the go command and the crypto/x509 and strings packages, which add
minimal support to the go command for the vgo transition.
- Several fixes to the compiler and go command
- Fixed various issues in go trace (bsc#1085785):
- Ensure go binaries are not stripped (eg: go tools trace), this caused some of
them to misbehave
- Ensure go trace html template is shipped as part of the installation,
otherwise the web UI won't work
For details on any other changes see the Go milestones on the official
issue tracker.
1100504
This update for make fixes the following issues:
- Use a non-blocking read with pselect to avoid hangs (bsc#1100504)
1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187
This update for containerd, docker and go fixes the following issues:
containerd and docker:
- Add backport for building containerd (bsc#1102522, bsc#1113313)
- Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.
(bsc#1102522)
- Enable seccomp support on SLE12 (fate#325877)
- Update to containerd v1.1.1, which is the required version for the Docker
v18.06.0-ce upgrade. (bsc#1102522)
- Put containerd under the podruntime slice (bsc#1086185)
- 3rd party registries used the default Docker certificate (bsc#1084533)
- Handle build breakage due to missing 'export GOPATH' (caused by resolution of
boo#1119634). I believe Docker is one of the only packages with this problem.
go:
- golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
between versions no longer break. This ends up removing the need for go.sh
entirely (because GOPATH is also set automatically) (boo#1119634)
- Fix a regression that broke go get for import path patterns containing '...'
(bsc#1119706)
Additionally, the package go1.10 has been added.
1099119,1099192
GCC 7 was updated to the GCC 7.4 release.
- Fix AVR configuration to not use __cxa_atexit or libstdc++ headers.
Point to /usr/avr/sys-root/include as system header include directory.
- Includes fix for build with ISL 0.20.
- Pulls fix for libcpp lexing bug on ppc64le manifesting during
build with gcc8. [bsc#1099119]
- Pulls fix for forcing compile-time tuning even when building
with -march=z13 on s390x. [bsc#1099192]
- Fixes support for 32bit ASAN with glibc 2.27+
1096008
This update for gcc fixes the following issues:
- Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008)
1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738
This update for gcc7 fixes the following issues:
Update to gcc-7-branch head (r270528).
- Disables switch jump-tables when retpolines are used. This restores
some lost performance for kernel builds with retpolines. (bsc#1131264,
jsc#SLE-6738)
- Fix ICE compiling tensorflow on aarch64. (bsc#1129389)
- Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fix for s390x FP load-and-test issue. (bsc#1124644)
- Improve build reproducability by disabling address-space randomization
during build.
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842)
1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:
- CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
- CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).
Other changes and bug fixes:
- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
- docker-test: Improvements to test packaging (bsc#1128746).
- Move daemon.json file to /etc/docker directory (bsc#1114832).
- Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
- Fix go build failures (bsc#1121397).
1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847
This update for gcc7 to r275405 fixes the following issues:
Security issues fixed:
- CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145).
Non-security issue fixed:
- Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487).
1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch [jsc#ECO-368].
Includes following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.
1146475
This update for gcc7 fixes the following issues:
- Fix miscompilation with thread-safe localstatic initialization (gcc#85887).
- Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475).
1160086
This update for gcc7 fixes the following issue:
- Fixed a miscompilation in zSeries code (bsc#1160086)
1160590
This update for binutils fixes the following issues:
- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)
1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:
binutils was updated to version 2.35. (jsc#ECO-2373)
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
- fix DT_NEEDED order with -flto [bsc#1163744]
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
bsc#1153768 aka CVE-2019-17451 aka PR25070
bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment =
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
- Includes fixes for these CVEs:
bsc#1126826 aka CVE-2019-9077 aka PR1126826
bsc#1126829 aka CVE-2019-9075 aka PR1126829
bsc#1126831 aka CVE-2019-9074 aka PR24235
bsc#1140126 aka CVE-2019-12972 aka PR23405
bsc#1143609 aka CVE-2019-14444 aka PR24829
bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
1179036,1179341
This update for binutils fixes the following issues:
Update binutils 2.35 branch to commit 1c5243df:
* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
PR26711
* The above includes fixes for dwo files produced by modern dwp,
fixing several problems in the DWARF reader.
Update binutils to 2.35.1 and rebased branch diff:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled. This fixes an
incompatibility introduced in the latest update that broke the install
scripts of the Oracle server. [bsc#1179341]
1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:
- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
default enabling. [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link. [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch. [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]
This update for gzip fixes the following issue:
- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
1167939
This update for gcc7 fixes the following issues:
- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939]
1181618
This update for gcc7 fixes the following issues:
- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h
1164903,1172608,1175132
This update for go fixes the following issues:
Update to current stable go1.15 (bsc#1175132)
* Ensure 'Provides: golang(API) = %{api_version}' is consistent
to improve package resolution for common go dependency expressions
'BuildRequires: golang(API) >= 1.x' and BuildRequires: go >= 1.x
OBS projects that contain go code often have prjconf entries
'Prefer: go' which selects go metapackage over go1.x packages.
When go metapackage Provides: version is lower than go1.x versions,
'Prefer: go' is not effective and build failures occur with errors unresolvable: have choice for golang(API) >= 1.13: go1.13 go1.14
Edits and changelog Jeff Kowalczyk (bsc#1172608)
* Unify '{version'} and '{short_version}' as '{api_version}' for
'Provides: golang(API) = %{api_version}'
* Use both 'BuildRequires: go%{api_version}' and 'Requires: go%{api_version}'
to trigger build errors if go1.x is unavailable
* Add aarch64 to supported systems for go-race via
%define tsan_arch x86_64 aarch64
* Add tsan_arch x86_64 aarch64 for suse_version >= 1500 and
sle_version >= 150000, formerly conditional on suse_version >= 1315
* Ensure %ifarch %{tsan_arch} always evaluates (nil does not work)
via dummy tsan_arch on systems where go-race is not supported
Update to current stable go1.14 (bsc#1164903)
* Remove redundant Provides: go-doc=%{version} per rpmlint warning
- Change suse_version >= 1315 (was 1550) defines short_version 1.12
go1.12 packages are available for SLE-12.
1182345
This update for go fixes the following issues:
- Update to current stable go1.16 (bsc#1182345)
1180713
This update for gzip fixes the following issues:
- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)
1177047
This update for gzip fixes the following issues:
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)
1141190
This update for mpfr fixes the following issues:
- Fixed an issue when building for ppc64le (bsc#1141190)
Technical library fixes:
- A subtraction of two numbers of the same sign or addition of two numbers of different signs
can be rounded incorrectly (and the ternary value can be incorrect) when one of the two
inputs is reused as the output (destination) and all these MPFR numbers have exactly
GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit
machines).
- The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or
underflow.
- The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow
when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on
32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits
of precision.
- The behavior and documentation of the mpfr_get_str function are inconsistent concerning the
minimum precision (this is related to the change of the minimum precision from 2 to 1 in
MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be
provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits
in the output string can now be 1, as already implied by the documentation (but the code was
increasing it to 2).
- The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null
denominator.
- The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a
null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is
useless, not documented (thus incorrect in case a null pointer would have a special meaning),
and not consistent with other input/output functions.
1096677
This update for gcc fixes the following issues:
- Added gccgo symlink and go and gofmt as alternatives to support parallel installation
of golang (bsc#1096677)
1186642
This update for gzip fixes the following issue:
- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
1185348
This update for gcc fixes the following issues:
- With gcc-PIE add -pie even when -fPIC is specified but we are
not linking a shared library. [bsc#1185348]
- Fix postun of gcc-go alternative.
1190589,1190649,CVE-2021-39293
This update for go1.17 fixes the following issues:
This is the initial go 1.17 shipment.
go1.17.1 (released 2021-09-09) includes a security fix to the
archive/zip package, as well as bug fixes to the compiler,
linker, the go command, and to the crypto/rand, embed, go/types,
html/template, and net/http packages. (bsc#1190649)
CVE-2021-39293: Fixed an overflow in preallocation check that can cause OOM panic in archive/zip (bsc#1190589)
go1.17 (released 2021-08-16) is a major release of Go.
go1.17.x minor releases will be provided through August 2022.
See https://github.com/golang/go/wiki/Go-Release-Cycle
Most changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to
compile and run as before. (bsc#1190649)
* See release notes https://golang.org/doc/go1.17. Excerpts
relevant to OBS environment and for SUSE/openSUSE follow:
* The compiler now implements a new way of passing function
arguments and results using registers instead of the
stack. Benchmarks for a representative set of Go packages and
programs show performance improvements of about 5%, and a
typical reduction in binary size of about 2%. This is currently
enabled for Linux, macOS, and Windows on the 64-bit x86
architecture (the linux/amd64, darwin/amd64, and windows/amd64
ports). This change does not affect the functionality of any
safe Go code and is designed to have no impact on most assembly
code.
* When the linker uses external linking mode, which is the
default when linking a program that uses cgo, and the linker is
invoked with a -I option, the option will now be passed to the
external linker as a -Wl,--dynamic-linker option.
* The runtime/cgo package now provides a new facility that allows
to turn any Go values to a safe representation that can be used
to pass values between C and Go safely. See runtime/cgo.Handle
for more information.
* ARM64 Go programs now maintain stack frame pointers on the
64-bit ARM architecture on all operating systems. Previously,
stack frame pointers were only enabled on Linux, macOS, and
iOS.
* Pruned module graphs in go 1.17 modules: If a module specifies
go 1.17 or higher, the module graph includes only the immediate
dependencies of other go 1.17 modules, not their full
transitive dependencies. To convert the go.mod file for an
existing module to Go 1.17 without changing the selected
versions of its dependencies, run: go mod tidy -go=1.17
By default, go mod tidy verifies that the selected versions of
dependencies relevant to the main module are the same versions
that would be used by the prior Go release (Go 1.16 for a
module that specifies go 1.17), and preserves the go.sum
entries needed by that release even for dependencies that are
not normally needed by other commands.
The -compat flag allows that version to be overridden to
support older (or only newer) versions, up to the version
specified by the go directive in the go.mod file. To tidy a go
1.17 module for Go 1.17 only, without saving checksums for (or
checking for consistency with) Go 1.16: go mod tidy
-compat=1.17
Note that even if the main module is tidied with -compat=1.17,
users who require the module from a go 1.16 or earlier module
will still be able to use it, provided that the packages use
only compatible language and library features.
The go mod graph subcommand also supports the -go flag, which
causes it to report the graph as seen by the indicated Go
version, showing dependencies that may otherwise be pruned out.
* Module deprecation comments: Module authors may deprecate a
module by adding a // Deprecated: comment to go.mod, then
tagging a new version. go get now prints a warning if a module
needed to build packages named on the command line is
deprecated. go list -m -u prints deprecations for all
dependencies (use -f or -json to show the full message). The go
command considers different major versions to be distinct
modules, so this mechanism may be used, for example, to provide
users with migration instructions for a new major version.
* go get -insecure flag is deprecated and has been removed. To
permit the use of insecure schemes when fetching dependencies,
please use the GOINSECURE environment variable. The -insecure
flag also bypassed module sum validation, use GOPRIVATE or
GONOSUMDB if you need that functionality. See go help
environment for details.
* go get prints a deprecation warning when installing commands
outside the main module (without the -d flag). go install
cmd@version should be used instead to install a command at a
specific version, using a suffix like @latest or @v1.2.3. In Go
1.18, the -d flag will always be enabled, and go get will only
be used to change dependencies in go.mod.
* go.mod files missing go directives: If the main module's go.mod
file does not contain a go directive and the go command cannot
update the go.mod file, the go command now assumes go 1.11
instead of the current release. (go mod init has added go
directives automatically since Go 1.12.)
If a module dependency lacks an explicit go.mod file, or its
go.mod file does not contain a go directive, the go command now
assumes go 1.16 for that dependency instead of the current
release. (Dependencies developed in GOPATH mode may lack a
go.mod file, and the vendor/modules.txt has to date never
recorded the go versions indicated by dependencies' go.mod
files.)
* vendor contents: If the main module specifies go 1.17 or
higher, go mod vendor now annotates vendor/modules.txt with the
go version indicated by each vendored module in its own go.mod
file. The annotated version is used when building the module's
packages from vendored source code.
If the main module specifies go 1.17 or higher, go mod vendor
now omits go.mod and go.sum files for vendored dependencies,
which can otherwise interfere with the ability of the go
command to identify the correct module root when invoked within
the vendor tree.
* Password prompts: The go command by default now suppresses SSH
password prompts and Git Credential Manager prompts when
fetching Git repositories using SSH, as it already did
previously for other Git password prompts. Users authenticating
to private Git repos with password-protected SSH may configure
an ssh-agent to enable the go command to use password-protected
SSH keys.
* go mod download: When go mod download is invoked without
arguments, it will no longer save sums for downloaded module
content to go.sum. It may still make changes to go.mod and
go.sum needed to load the build list. This is the same as the
behavior in Go 1.15. To save sums for all modules, use:
go mod download all
* The go command now understands //go:build lines and prefers them over // +build lines. The new syntax uses boolean
expressions, just like Go, and should be less error-prone. As
of this release, the new syntax is fully supported, and all Go
files should be updated to have both forms with the same
meaning. To aid in migration, gofmt now automatically
synchronizes the two forms. For more details on the syntax and
migration plan, see https://golang.org/design/draft-gobuild.
* go run now accepts arguments with version suffixes (for
example, go run /cmd@v1.0.0). This causes go run to
build and run packages in module-aware mode, ignoring the
go.mod file in the current directory or any parent directory,
if there is one. This is useful for running executables without
installing them or without changing dependencies of the current
module.
* The format of stack traces from the runtime (printed when an
uncaught panic occurs, or when runtime.Stack is called) is
improved.
* TLS strict ALPN: When Config.NextProtos is set, servers now
enforce that there is an overlap between the configured
protocols and the ALPN protocols advertised by the client, if
any. If there is no mutually supported protocol, the connection
is closed with the no_application_protocol alert, as required
by RFC 7301. This helps mitigate the ALPACA cross-protocol
attack. As an exception, when the value 'h2' is included in the
server's Config.NextProtos, HTTP/1.1 clients will be allowed to
connect as if they didn't support ALPN. See issue go#46310 for
more information.
* crypto/ed25519: The crypto/ed25519 package has been rewritten,
and all operations are now approximately twice as fast on amd64
and arm64. The observable behavior has not otherwise changed.
* crypto/elliptic: CurveParams methods now automatically invoke
faster and safer dedicated implementations for known curves
(P-224, P-256, and P-521) when available. Note that this is a
best-effort approach and applications should avoid using the
generic, not constant-time CurveParams methods and instead use
dedicated Curve implementations such as P256. The P521 curve
implementation has been rewritten using code generated by the
fiat-crypto project, which is based on a formally-verified
model of the arithmetic operations. It is now constant-time and
three times faster on amd64 and arm64. The observable behavior
has not otherwise changed.
* crypto/tls: The new Conn.HandshakeContext method allows the
user to control cancellation of an in-progress TLS
handshake. The provided context is accessible from various
callbacks through the new ClientHelloInfo.Context and
CertificateRequestInfo.Context methods. Canceling the context
after the handshake has finished has no effect.
Cipher suite ordering is now handled entirely by the crypto/tls
package. Currently, cipher suites are sorted based on their
security, performance, and hardware support taking into account
both the local and peer's hardware. The order of the
Config.CipherSuites field is now ignored, as well as the
Config.PreferServerCipherSuites field. Note that
Config.CipherSuites still allows applications to choose what
TLS 1.0–1.2 cipher suites to enable.
The 3DES cipher suites have been moved to InsecureCipherSuites
due to fundamental block size-related weakness. They are still
enabled by default but only as a last resort, thanks to the
cipher suite ordering change above.
Beginning in the next release, Go 1.18, the Config.MinVersion
for crypto/tls clients will default to TLS 1.2, disabling TLS
1.0 and TLS 1.1 by default. Applications will be able to
override the change by explicitly setting
Config.MinVersion. This will not affect crypto/tls servers.
* crypto/x509: CreateCertificate now returns an error if the
provided private key doesn't match the parent's public key, if
any. The resulting certificate would have failed to verify.
* crypto/x509: The temporary GODEBUG=x509ignoreCN=0 flag has been
removed.
* crypto/x509: ParseCertificate has been rewritten, and now
consumes ~70% fewer resources. The observable behavior has not
otherwise changed, except for error messages.
* crypto/x509: Beginning in the next release, Go 1.18,
crypto/x509 will reject certificates signed with the SHA-1 hash
function. This doesn't apply to self-signed root
certificates. Practical attacks against SHA-1 have been
demonstrated in 2017 and publicly trusted Certificate
Authorities have not issued SHA-1 certificates since 2015.
* go/build: The new Context.ToolTags field holds the build tags
appropriate to the current Go toolchain configuration.
* net/http package now uses the new (*tls.Conn).HandshakeContext
with the Request context when performing TLS handshakes in the
client or server.
* syscall: On Unix-like systems, the process group of a child
process is now set with signals blocked. This avoids sending a
SIGTTOU to the child when the parent is in a background process
group.
* time: The new Time.IsDST method can be used to check whether
the time is in Daylight Savings Time in its configured
location.
* time: The new Time.UnixMilli and Time.UnixMicro methods return
the number of milliseconds and microseconds elapsed since
January 1, 1970 UTC respectively.
* time: The new UnixMilli and UnixMicro functions return the
local Time corresponding to the given Unix time.
- Add bash scripts used by go tool commands to provide a more
complete cross-compiling go toolchain install.
1190649,1191468,CVE-2021-38297
This update for go1.17 fixes the following issues:
Update to go1.17.2
- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)
1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
- General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
- X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
- ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script= command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=
