SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2022:1765-1 Container Tags : suse/sle-micro/5.1/toolbox:11.1 , suse/sle-micro/5.1/toolbox:11.1-2.2.254 , suse/sle-micro/5.1/toolbox:latest Container Release : 2.2.254 Severity : critical Type : security References : 1029961 1029961 1040589 1070955 1073299 1093392 1099272 1104700 1112310 1113013 1113554 1115529 1120402 1120610 1121227 1121230 1122004 1122021 1128846 1130496 1130557 1134353 1137373 1139519 1140016 1150451 1160242 1161276 1162581 1162964 1164384 1169582 1169614 1171479 1172055 1172113 1172427 1172973 1172974 1173277 1174075 1174504 1174504 1174911 1176804 1177127 1177460 1177460 1177460 1177460 1177460 1177460 1177598 1178236 1178346 1178350 1178353 1178561 1180125 1180125 1180689 1180786 1181131 1181640 1181658 1181703 1181826 1182959 1182998 1183374 1183533 1183572 1183574 1183659 1183858 1183905 1184214 1184501 1184994 1185016 1185299 1185524 1185588 1185637 1185638 1186040 1186071 1186489 1186503 1186602 1186819 1186910 1187044 1187153 1187196 1187224 1187270 1187273 1187425 1187466 1187512 1187512 1187654 1187668 1187670 1187738 1187760 1187906 1187911 1188127 1188156 1188291 1188344 1188348 1188435 1188507 1188520 1188548 1188571 1188588 1188623 1188713 1188914 1188921 1189028 1189031 1189152 1189241 1189287 1189441 1189446 1189454 1189480 1189520 1189521 1189521 1189683 1189841 1190052 1190059 1190199 1190315 1190356 1190373 1190374 1190401 1190440 1190447 1190465 1190515 1190533 1190552 1190566 1190570 1190598 1190645 1190712 1190739 1190793 1190815 1190824 1190850 1190915 1190926 1190933 1190943 1190984 1191019 1191096 1191157 1191200 1191227 1191260 1191286 1191324 1191370 1191480 1191502 1191532 1191532 1191563 1191592 1191609 1191690 1191690 1191736 1191770 1191794 1191804 1191804 1191826 1191893 1191922 1191987 1192104 1192160 1192161 1192167 1192248 1192249 1192337 1192423 1192436 1192478 1192481 1192489 1192637 1192684 1192688 1192717 1192858 1192902 1192903 1192904 1192951 1192954 1193007 1193086 1193086 1193166 1193179 1193181 1193204 1193273 1193294 1193298 1193430 1193446 1193466 1193480 1193488 1193489 1193632 1193659 1193690 1193711 1193732 1193759 1193868 1193905 1194093 1194178 1194178 1194216 1194216 1194217 1194229 1194251 1194265 1194265 1194362 1194388 1194469 1194474 1194476 1194477 1194478 1194479 1194480 1194522 1194556 1194597 1194640 1194642 1194642 1194708 1194768 1194770 1194785 1194848 1194859 1194872 1194883 1194885 1194898 1194968 1194976 1195004 1195004 1195048 1195054 1195066 1195126 1195149 1195157 1195202 1195203 1195217 1195231 1195247 1195251 1195258 1195283 1195326 1195332 1195354 1195356 1195463 1195468 1195529 1195628 1195654 1195792 1195797 1195825 1195856 1195899 1195999 1196025 1196025 1196026 1196036 1196061 1196093 1196107 1196168 1196169 1196171 1196275 1196317 1196361 1196368 1196406 1196490 1196514 1196567 1196647 1196784 1196825 1196850 1196861 1196925 1196939 1197004 1197024 1197065 1197134 1197443 1197459 1197570 1197718 1197771 1197794 1198062 1198062 1198090 1198114 1198176 1198446 1198507 1198511 1198596 1198614 1198723 1198732 1198748 1198751 1198766 1198922 1199132 1199140 1199166 1199223 1199224 1199232 1199232 1199235 1199240 1199331 1199333 1199334 1199651 1199655 1199693 1199745 1199747 1199936 1200010 1200011 1200012 1200170 1200334 1200550 1200735 1200737 1200855 1200855 1201099 1201560 1201640 954813 CVE-2015-20107 CVE-2017-17087 CVE-2018-16301 CVE-2018-20482 CVE-2018-20573 CVE-2018-20574 CVE-2018-25032 CVE-2019-20454 CVE-2019-20838 CVE-2019-6285 CVE-2019-6292 CVE-2019-9923 CVE-2020-12762 CVE-2020-14155 CVE-2020-14367 CVE-2020-14370 CVE-2020-15157 CVE-2020-27840 CVE-2021-20193 CVE-2021-20199 CVE-2021-20277 CVE-2021-20291 CVE-2021-20316 CVE-2021-22570 CVE-2021-22946 CVE-2021-22947 CVE-2021-28153 CVE-2021-33574 CVE-2021-3426 CVE-2021-3572 CVE-2021-35942 CVE-2021-3602 CVE-2021-36222 CVE-2021-3711 CVE-2021-3712 CVE-2021-3712 CVE-2021-3733 CVE-2021-3737 CVE-2021-37600 CVE-2021-3778 CVE-2021-3778 CVE-2021-3796 CVE-2021-3796 CVE-2021-3872 CVE-2021-3872 CVE-2021-3875 CVE-2021-3903 CVE-2021-3927 CVE-2021-3927 CVE-2021-3928 CVE-2021-3928 CVE-2021-39537 CVE-2021-3968 CVE-2021-3973 CVE-2021-3974 CVE-2021-3984 CVE-2021-3984 CVE-2021-3995 CVE-2021-3996 CVE-2021-3997 CVE-2021-3997 CVE-2021-3999 CVE-2021-4019 CVE-2021-4019 CVE-2021-4024 CVE-2021-4069 CVE-2021-41190 CVE-2021-4122 CVE-2021-4136 CVE-2021-4166 CVE-2021-4192 CVE-2021-4193 CVE-2021-4193 CVE-2021-43566 CVE-2021-43618 CVE-2021-44141 CVE-2021-44142 CVE-2021-45960 CVE-2021-46059 CVE-2021-46059 CVE-2021-46143 CVE-2022-0128 CVE-2022-0213 CVE-2022-0261 CVE-2022-0318 CVE-2022-0318 CVE-2022-0319 CVE-2022-0319 CVE-2022-0336 CVE-2022-0351 CVE-2022-0351 CVE-2022-0359 CVE-2022-0361 CVE-2022-0361 CVE-2022-0392 CVE-2022-0407 CVE-2022-0413 CVE-2022-0413 CVE-2022-0696 CVE-2022-1271 CVE-2022-1271 CVE-2022-1292 CVE-2022-1304 CVE-2022-1381 CVE-2022-1420 CVE-2022-1586 CVE-2022-1586 CVE-2022-1587 CVE-2022-1616 CVE-2022-1619 CVE-2022-1620 CVE-2022-1733 CVE-2022-1735 CVE-2022-1771 CVE-2022-1785 CVE-2022-1796 CVE-2022-1851 CVE-2022-1897 CVE-2022-1898 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-22576 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-29155 CVE-2022-29824 CVE-2022-32206 CVE-2022-32208 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1073299,1093392 This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1140016 This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1303-1 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1169582 This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:3026-1 Released: Fri Oct 23 15:35:51 2020 Summary: Optional update for the Public Cloud Module Type: optional Severity: moderate References: This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included: - python3-grpcio - python3-protobuf - python3-google-api-core - python3-google-cloud-core - python3-google-cloud-storage - python3-google-resumable-media - python3-googleapis-common-protos - python3-grpcio-gcp - python3-mock (updated to version 3.0.5) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important References: 1177460,1178346,1178350,1178353 This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:179-1 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:294-1 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Type: recommended Severity: moderate References: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:301-1 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate References: 1177127 This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2573-1 Released: Thu Jul 29 14:21:52 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1188127 This update for timezone fixes the following issue: - From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2626-1 Released: Thu Aug 5 12:10:35 2021 Summary: Recommended maintenance update for libeconf Type: recommended Severity: moderate References: 1188348 This update for libeconf fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2830-1 Released: Tue Aug 24 16:20:18 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1189520,1189521,CVE-2021-3711,CVE-2021-3712 This update for openssl-1_1 fixes the following security issues: - CVE-2021-3711: A bug in the implementation of the SM2 decryption code could lead to buffer overflows. [bsc#1189520] - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2966-1 Released: Tue Sep 7 09:49:14 2021 Summary: Security update for openssl-1_1 Type: security Severity: low References: 1189521,CVE-2021-3712 This update for openssl-1_1 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3001-1 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Type: recommended Severity: moderate References: 1189683 This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3291-1 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489). - CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3298-1 Released: Wed Oct 6 16:54:52 2021 Summary: Security update for curl Type: security Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3310-1 Released: Wed Oct 6 18:12:41 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1134353,1184994,1188291,1188588,1188713,1189446,1189480 This update for systemd fixes the following issues: - Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks(HD's) (jsc#SLE-21032, bsc#1134353). - Multipath: Rules weren't applied to dm devices (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994). - Remove kernel unsupported single-queue block I/O. - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when updating active udev on sockets restart (bsc#1188291). - Merge of v246.16, for a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d - Drop 1007-tmpfiles-follow-SUSE-policies.patch: Since most of the tmpfiles config files shipped by upstream are ignored (see previous commit 'Drop most of the tmpfiles that deal with generic paths'), this patch is no more relevant. Additional fixes: - core: make sure cgroup_oom_queue is flushed on manager exit. - cgroup: do 'catchup' for unit cgroup inotify watch files. - journalctl: never fail at flushing when the flushed flag is set (bsc#1188588). - manager: reexecute on SIGRTMIN+25, user instances only. - manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446). - pid1: watchdog modernizations. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:3327-1 Released: Mon Oct 11 11:44:50 2021 Summary: Optional update for coreutils Type: optional Severity: low References: 1189454 This optional update for coreutils fixes the following issue: - Provide coreutils documentation, 'coreutils-doc', with 'L2' support level. (bsc#1189454) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3411-1 Released: Wed Oct 13 10:42:25 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1191019 This update for lvm2 fixes the following issues: - Do not crash vgextend when extending VG with missing PV. (bsc#1191019) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3413-1 Released: Wed Oct 13 10:50:45 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1189441,1189841,1190598 This update for suse-module-tools fixes the following issues: - Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598) - Fixed an issue where initrd was not always rebuilding after installing any kernel-*-extra package (bsc#1189441) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3445-1 Released: Fri Oct 15 09:03:39 2021 Summary: Security update for rpm Type: security Severity: important References: 1183659,1185299,1187670,1188548 This update for rpm fixes the following issues: Security issues fixed: - PGP hardening changes (bsc#1185299) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3474-1 Released: Wed Oct 20 08:41:31 2021 Summary: Security update for util-linux Type: security Severity: moderate References: 1178236,1188921,CVE-2021-37600 This update for util-linux fixes the following issues: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3480-1 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 This update for yast2-network fixes the following issues: - Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915). - Fix the shown description using the interface friendly name when it is empty (bsc#1190933). - Consider aliases sections as case insensitive (bsc#1190739). - Display user defined device name in the devices overview (bnc#1190645). - Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344). - Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910). - Fix desktop file so the control center tooltip is translated (bsc#1187270). - Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016). - Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate References: 1190793,CVE-2021-39537 This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1190052 This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3501-1 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Type: recommended Severity: moderate References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815 This update for libzypp, zypper, libsolv and protobuf fixes the following issues: - Choice rules: treat orphaned packages as newest (bsc#1190465) - Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602) - Do not check of signatures and keys two times(redundant) (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760) - Show key fpr from signature when signature check fails (bsc#1187224) - Fix solver jobs for PTFs (bsc#1186503) - Fix purge-kernels fails (bsc#1187738) - Fix obs:// platform guessing for Leap (bsc#1187425) - Make sure to keep states alives while transitioning. (bsc#1190199) - Manpage: Improve description about patch updates(bsc#1187466) - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix crashes in logging code when shutting down (bsc#1189031) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Add need reboot/restart hint to XML install summary (bsc#1188435) - Prompt: choose exact match if prompt options are not prefix free (bsc#1188156) - Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3509-1 Released: Tue Oct 26 09:47:40 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1191200,1191260,1191480,1191804,1191922 This update for suse-module-tools fixes the following issues: Update to version 15.3.13: - Fix bad exit status in openQA. (bsc#1191922) - Ignore kernel keyring for kernel certificates. (bsc#1191480) - Deal with existing certificates that should be de-enrolled. (bsc#1191804) - Don't pass existing files to weak-modules2. (bsc#1191200) - Skip certificate scriptlet on non-UEFI systems. (bsc#1191260) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1191987 This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3538-1 Released: Wed Oct 27 10:40:32 2021 Summary: Recommended update for iproute2 Type: recommended Severity: moderate References: 1160242 This update for iproute2 fixes the following issues: - Follow-up fixes backported from upstream. (bsc#1160242) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3545-1 Released: Wed Oct 27 14:46:39 2021 Summary: Recommended update for less Type: recommended Severity: low References: 1190552 This update for less fixes the following issues: - Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3564-1 Released: Wed Oct 27 16:12:08 2021 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: moderate References: 1190850 This update for rpm-config-SUSE fixes the following issues: - Support ZSTD compressed kernel modules. (bsc#1190850) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3589-1 Released: Mon Nov 1 19:27:52 2021 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1191690 This update for apparmor fixes the following issues: - Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3663-1 Released: Mon Nov 15 19:14:32 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1191804 This update for suse-module-tools fixes the following issues: - Update to version 15.3.14: * more fixes for updates under secure boot * cert-script: Deal with existing $cert.delete file (bsc#1191804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3786-1 Released: Wed Nov 24 05:59:13 2021 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: important References: 1192160 This update for rpm-config-SUSE fixes the following issues: - Add support for the kernel xz-compressed firmware files (bsc#1192160) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3792-1 Released: Wed Nov 24 06:12:09 2021 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1192104 This update for kmod fixes the following issues: - Enable ZSTD compression (bsc#1192104)(jsc#SLE-21256) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3799-1 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1187153,1187273,1188623 This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3808-1 Released: Fri Nov 26 00:30:54 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1186071,1190440,1190984,1192161 This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798) - Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984) - Support detection for ARM64 Hyper-V guests (bsc#1186071) - Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440) - Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3870-1 Released: Thu Dec 2 07:11:50 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1190356,1191286,1191324,1191370,1191609,1192337,1192436 This update for libzypp, zypper fixes the following issues: libzypp: - Check log writer before accessing it (bsc#1192337) - Zypper should keep cached files if transaction is aborted (bsc#1190356) - Require a minimum number of mirrors for multicurl (bsc#1191609) - Fixed slowdowns when rlimit is too high by using procfs to detect niumber of open file descriptors (bsc#1191324) - Fixed zypper incomplete messages when using non English localization (bsc#1191370) - RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286) - Disable logger in the child process after fork (bsc#1192436) zypper: - Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3872-1 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Type: recommended Severity: moderate References: 1191736 This update for cracklib fixes the following issues: - Enable build time tests (bsc#1191736) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3883-1 Released: Thu Dec 2 11:47:07 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: Update timezone to 2021e (bsc#1177460) - Palestine will fall back 10-29 (not 10-30) at 01:00 - Fiji suspends DST for the 2021/2022 season - 'zic -r' marks unspecified timestamps with '-00' - Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers- Refresh timezone info for china ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3890-1 Released: Fri Dec 3 10:19:50 2021 Summary: Recommended update for gdb Type: recommended Severity: moderate References: 1180786,1184214,1185638,1186040,1187044 This update for gdb fixes the following issues: Rebase to 11.1 release (as in fedora 35 @ 9cd9368): * GDB now supports general memory tagging functionality if the underlying architecture supports the proper primitives and hooks. Currently this is enabled only for AArch64 MTE. * GDB will now look for the .gdbinit file in a config directory before looking for ~/.gdbinit. The file is searched for in the following locations: $XDG_CONFIG_HOME/gdb/gdbinit, $HOME/.config/gdb/gdbinit, $HOME/.gdbinit. * GDB will now load and process commands from ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit if these files are present. These files are processed earlier than any of the other initialization files and can affect parts of GDB's startup that previously had already been completed before the initialization files were read, for example styling of the initial GDB greeting. * GDB now has two new options '--early-init-command' and '--early-init-eval-command' with corresponding short options '-eix' and '-eiex' that allow options (that would normally appear in a gdbearlyinit file) to be passed on the command line. * set startup-quietly on|off show startup-quietly When 'on', this causes GDB to act as if '-silent' were passed on the command line. This command needs to be added to an early initialization file (e.g. ~/.config/gdb/gdbearlyinit) in order to affect GDB. * For RISC-V targets, the target feature 'org.gnu.gdb.riscv.vector' is now understood by GDB, and can be used to describe the vector registers of a target. * TUI windows now support mouse actions. The mouse wheel scrolls the appropriate window. * Key combinations that do not have a specific action on the focused window are passed to GDB. For example, you now can use Ctrl-Left/Ctrl-Right to move between words in the command window regardless of which window is in focus. Previously you would need to focus on the command window for such key combinations to work. * set python ignore-environment on|off show python ignore-environment When 'on', this causes GDB's builtin Python to ignore any environment variables that would otherwise affect how Python behaves. This command needs to be added to an early initialization file (e.g. ~/.config/gdb/gdbearlyinit) in order to affect GDB. * set python dont-write-bytecode auto|on|off show python dont-write-bytecode When 'on', this causes GDB's builtin Python to not write any byte-code (.pyc files) to disk. This command needs to be added to an early initialization file (e.g. ~/.config/gdb/gdbearlyinit) in order to affect GDB. When 'off' byte-code will always be written. When set to 'auto' (the default) Python will check the PYTHONDONTWRITEBYTECODE environment variable. * break [PROBE_MODIFIER] [LOCATION] [thread THREADNUM] [-force-condition] [if CONDITION] This command would previously refuse setting a breakpoint if the CONDITION expression is invalid at a location. It now accepts and defines the breakpoint if there is at least one location at which the CONDITION is valid. The locations for which the CONDITION is invalid, are automatically disabled. If CONDITION is invalid at all of the locations, setting the breakpoint is still rejected. However, the '-force-condition' flag can be used in this case for forcing GDB to define the breakpoint, making all the current locations automatically disabled. This may be useful if the user knows the condition will become meaningful at a future location, e.g. due to a shared library load. - Update libipt to v2.0.4. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1029961,1113013,1187654 This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3899-1 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Type: security Severity: moderate References: 1162581,1174504,1191563,1192248 This update for aaa_base fixes the following issues: - Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504). - Add $HOME/.local/bin to PATH, if it exists (bsc#1192248). - Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563). - Support xz compressed kernel (bsc#1162581) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate References: 1192717,CVE-2021-43618 This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3963-1 Released: Mon Dec 6 19:57:39 2021 Summary: Recommended update for system-usersType: recommended Severity: moderate References: 1190401 This update for system-users fixes the following issues: - system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3980-1 Released: Thu Dec 9 16:42:19 2021 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1191592 glibc was updated to fix the following issue: - Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3985-1 Released: Fri Dec 10 06:08:24 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1187196 This update for suse-module-tools fixes the following issues: - Blacklist isst_if_mbox_msr driver because uses hardware information based on CPU family and model, which is too unspecific. On large systems, this causes a lot of failing loading attempts for this driver, leading to slow or even stalled boot (bsc#1187196) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4014-1 Released: Mon Dec 13 13:57:39 2021 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1191532,1191690 This update for apparmor fixes the following issues: Changes in apparmor: - Add a profile for 'samba-bgqd'. (bsc#1191532) - Fix 'Requires' of python3 module. (bsc#1191690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:4104-1 Released: Thu Dec 16 11:14:12 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374). - CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241). - CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287). - We do not require python-rpm-macros package (bsc#1180125). - Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858). - Stop providing 'python' symbol, which means python2 currently (bsc#1185588). - Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4145-1 Released: Wed Dec 22 05:27:48 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Remove previously applied patch because it interferes with FIPS validation (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4165-1 Released: Wed Dec 22 22:52:11 2021 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1193430 This update for kmod fixes the following issues: - Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4175-1 Released: Thu Dec 23 11:22:33 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1192423,1192858,1193759 This update for systemd fixes the following issues: - Bump the max number of inodes for /dev to a million (bsc#1192858) - sleep: don't skip resume device with low priority/available space (bsc#1192423) - test: use kbd-mode-map we ship in one more test case - test-keymap-util: always use kbd-model-map we ship - Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4182-1 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1192688 This update for zlib fixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:4192-1 Released: Tue Dec 28 10:39:50 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1174504 This update for permissions fixes the following issues: - Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2-1 Released: Mon Jan 3 08:27:18 2022 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1183905,1193181 This update for lvm2 fixes the following issues: - Fix lvconvert not taking `--stripes` option (bsc#1183905) - Fix LVM vgimportclone not working on hardware snapshot (bsc#1193181) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4-1 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1193480 This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:43-1 Released: Tue Jan 11 08:50:13 2022 Summary: Security update for systemd Type: security Severity: moderate References: 1178561,1190515,1194178,CVE-2021-3997 This update for systemd fixes the following issues: - CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles which could cause a minor denial of service. (bsc#1194178) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:48-1 Released: Tue Jan 11 09:17:57 2022 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1190566,1192249,1193179 This update for python3 fixes the following issues: - Don't use OpenSSL 1.1 on platforms which don't have it. - Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249). - Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566) - Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:93-1 Released: Tue Jan 18 05:11:58 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: important References: 1192489 This update for openssl-1_1 fixes the following issues: - Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:96-1 Released: Tue Jan 18 05:14:44 2022 Summary: Recommended update for rpm Type: recommended Severity: important References: 1180125,1190824,1193711 This update for rpm fixes the following issues: - Fix header check so that old rpms no longer get rejected (bsc#1190824) - Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:141-1 Released: Thu Jan 20 13:47:16 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1169614 This update for permissions fixes the following issues: - Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:144-1 Released: Thu Jan 20 16:38:23 2022 Summary: Security update for cryptsetup Type: security Severity: moderate References: 1194469,CVE-2021-4122 This update for cryptsetup fixes the following issues: - CVE-2021-4122: Fixed possible attacks against data confidentiality through LUKS2 online reencryption extension crash recovery (bsc#1194469). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:178-1 Released: Tue Jan 25 14:16:23 2022 Summary: Security update for expat Type: security Severity: important References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827 This update for expat fixes the following issues: - CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251). - CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362). - CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474). - CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476). - CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477). - CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478). - CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479). - CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:184-1 Released: Tue Jan 25 18:20:56 2022 Summary: Security update for json-c Type: security Severity: important References: 1171479,CVE-2020-12762 This update for json-c fixes the following issues: - CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:207-1 Released: Thu Jan 27 09:24:49 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: This update for glibc fixes the following issues: - Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:228-1 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Type: recommended Severity: moderate References: 1194522 This update for boost fixes the following issues: - Fix compilation errors (bsc#1194522) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:330-1 Released: Fri Feb 4 09:29:08 2022 Summary: Security update for glibc Type: security Severity: important References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 This update for glibc fixes the following issues: - CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640) - CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770) Features added: - IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:335-1 Released: Fri Feb 4 10:24:02 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1189152 This update for coreutils fixes the following issues: - Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:343-1 Released: Mon Feb 7 15:16:58 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1193086 This update for systemd fixes the following issues: - disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579 - disable fallback DNS servers and fail when no DNS server info could be obtained from the links. - DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package. - Improve warning messages (bsc#1193086). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:348-1 Released: Tue Feb 8 13:02:20 2022 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1193007,1193488,1194597,1194898,954813 This update for libzypp fixes the following issues: - RepoManager: remember execution errors in exception history (bsc#1193007) - Fix exception handling when reading or writing credentials (bsc#1194898) - Fix install path for parser (bsc#1194597) - Fix Legacy include (bsc#1194597) - Public header files on older distros must use c++11 (bsc#1194597) - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of URI compontents of ISO images (bsc#954813) - When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible - Introduce zypp-curl as a sublibrary for CURL related code - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set - Save all signatures associated with a public key in its PublicKeyData ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:283-1 Released: Tue Feb 8 16:10:39 2022 Summary: Security update for samba Type: security Severity: critical References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048,CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336 - CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048); samba was updated to 4.15.4 (jsc#SLE-23329); * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * 'smbd --build-options' no longer works without an smb.conf file; (bso#14945); Samba was updated to version 4.15.3 + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bsc#1191227); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba krb5 was updated to 1.16.3 to 1.19.2 * Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222); * Fix a memory leak when gss_inquire_cred() is called without a credential handle. Changes from 1.19.1: * Fix a linking issue with Samba. * Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value. Changes from 1.19 Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the 'password' and 'verify' options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience * kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. * Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred). Changes from 1.18.3 * Fix a denial of service vulnerability when decoding Kerberos protocol messages. * Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database. * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded. Changes from 1.18.2 * Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure. * Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype. * Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5. * Fix a NegoEx bug where the client name and delegated credential might not be reported. Changes from 1.18.1 * Fix a crash when qualifying short hostnames when the system has no primary DNS domain. * Fix a regression when an application imports 'service@' as a GSS host-based name for its acceptor credential handle. * Fix KDC enforcement of auth indicators when they are modified by the KDB module. * Fix removal of require_auth string attributes when the LDAP KDB module is used. * Fix a compile error when building with musl libc on Linux. * Fix a compile error when building with gcc 4.x. * Change the KDC constrained delegation precedence order for consistency with Windows KDCs. Changes from 1.18 Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with '.rcache2' by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an 'enforce_ok_as_delegate' krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ('draft 9') variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience: * Add support for 'dns_canonicalize_hostname=fallback', causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a 'qualify_shortname' krb5.conf relation to override this suffix or disable expansion. * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested. Changes from 1.17.1 * Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin. * Fix a bug preventing time skew correction from working when a KCM credential cache is used. Changes from 1.17: Administrator experience: * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release. * 'kdb5_util dump' will no longer dump policy entries when specific principal names are requested. Developer experience: * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal. * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions. * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages. * Programs which use large numbers of memory credential caches should perform better. Protocol evolution: * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release. * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future. * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped. * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust. User experience: * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys. * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name. * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library. Code quality: * Python test scripts now use Python 3. * Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts. * The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required. - Build with full Cyrus SASL support. Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working. ldb was updated to version 2.4.1 (jsc#SLE-23329); - Release 2.4.1 + Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message; (bso#14845); + Fix memory handling in ldb.msg_diff; (bso#14836); - Release 2.4.0 + pyldb: Fix Message.items() for a message containing elements + pyldb: Add test for Message.items() + tests: Use ldbsearch '--scope instead of '-s' + Change page size of guidindexpackv1.ldb + Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream + attrib_handler casefold: simplify space dropping + fix ldb_comparison_fold off-by-one overrun + CVE-2020-27840: pytests: move Dn.validate test to ldb + CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode + CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds + CVE-2021-20277 ldb tests: ldb_match tests with extra spaces + improve comments for ldb_module_connect_backend() + test/ldb_tdb: correct introductory comments + ldb.h: remove undefined async_ctx function signatures + correct comments in attrib_handers val_to_int64 + dn tests use cmocka print functions + ldb_match: remove redundant check + add tests for ldb_wildcard_compare + ldb_match: trailing chunk must match end of string + pyldb: catch potential overflow error in py_timestring + ldb: remove some 'if PY3's in tests talloc was updated to 2.3.3: + various bugfixes + python: Ensure reference counts are properly incremented + Change pytalloc source to LGPL + Upgrade waf to 2.0.18 to fix a cross-compilation issue; (bso#13846). tdb was updated to version 1.4.4: + various bugfixes tevent was updated to version 0.11.0: + Add custom tag to events + Add event trace api sssd was updated to: - Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5 - Update the private ldb modules installation following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba apparmor was updated to: - Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684). - add profile for samba-bgqd (bsc#1191532). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:383-1 Released: Tue Feb 15 17:47:36 2022 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1194265 This update for cyrus-sasl fixes the following issues: - Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265) - Add config parameter '--with-dblib=gdbm' - Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:498-1 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Type: security Severity: important References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990 This update for expat fixes the following issues: - CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054). - CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:520-1 Released: Fri Feb 18 12:45:19 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1194968 This update for rpm fixes the following issues: - Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:539-1 Released: Mon Feb 21 13:47:51 2022 Summary: Security update for systemd Type: security Severity: moderate References: 1191826,1192637,1194178,CVE-2021-3997 This update for systemd fixes the following issues: - CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178). The following non-security bugs were fixed: - udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637) - localectl: don't omit keymaps files that are symlinks (bsc#1191826) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1187512 This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------------------------------- Advisory ID: 23018 Released: Fri Mar 4 08:31:54 2022 Summary: Security update for conmon, libcontainers-common, libseccomp, podman Type: security Severity: moderate References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273,CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190 This update for conmon, libcontainers-common, libseccomp, podman fixes the following issues: podman was updated to 3.4.4. Security issues fixed: - fix CVE-2021-41190 [bsc#1193273], opencontainers: OCI manifest and index parsing confusion - fix CVE-2021-4024 [bsc#1193166], podman machine spawns gvproxy with port binded to all IPs - fix CVE-2021-20199 [bsc#1181640], Remote traffic to rootless containers is seen as orginating from localhost - Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade path from podman < 3.1.2 Update to version 3.4.4: * Bugfixes - Fixed a bug where the podman exec command would, under some circumstances, print a warning message about failing to move conmon to the appropriate cgroup (#12535). - Fixed a bug where named volumes created as part of container creation (e.g. podman run --volume avolume:/a/mountpoint or similar) would be mounted with incorrect permissions (#12523). - Fixed a bug where the podman-remote create and podman-remote run commands did not properly handle the --entrypoint='' option (to clear the container's entrypoint) (#12521). - Update to version 3.4.3: * Security - This release addresses CVE-2021-4024, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777. - This release addresses CVE-2021-41190, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients. * Features - The --secret type=mount option to podman create and podman run supports a new option, target=, which specifies where in the container the secret will be mounted (#12287). * Bugfixes - Fixed a bug where rootless Podman would occasionally print warning messages about failing to move the pause process to a new cgroup (#12065). - Fixed a bug where the podman run and podman create commands would, when pulling images, still require TLS even with registries set to Insecure via config file (#11933). - Fixed a bug where the podman generate systemd command generated units that depended on multi-user.target, which has been removed from some distributions (#12438). - Fixed a bug where Podman could not run containers with images that had /etc/ as a symlink (#12189). - Fixed a bug where the podman logs -f command would, when using the journald logs backend, exit immediately if the container had previously been restarted (#12263). - Fixed a bug where, in containers on VMs created by podman machine, the host.containers.internal name pointed to the VM, not the host system (#11642). - Fixed a bug where containers and pods created by the podman play kube command in VMs managed by podman machine would not automatically forward ports from the host machine (#12248). - Fixed a bug where podman machine init would fail on OS X when GNU Coreutils was installed (#12329). - Fixed a bug where podman machine start would exit before SSH on the started VM was accepting connections (#11532). - Fixed a bug where the podman run command with signal proxying (--sig-proxy) enabled could print an error if it attempted to send a signal to a container that had just exited (#8086). - Fixed a bug where the podman stats command would not return correct information for containers running Systemd as PID1 (#12400). - Fixed a bug where the podman image save command would fail on OS X when writing the image to STDOUT (#12402). - Fixed a bug where the podman ps command did not properly handle PS arguments which contained whitespace (#12452). - Fixed a bug where the podman-remote wait command could fail to detect that the container exited and return an error under some circumstances (#12457). - Fixed a bug where the Windows MSI installer for podman-remote would break the PATH environment variable by adding an extra ' (#11416). * API - The Libpod Play Kube endpoint now also accepts ConfigMap YAML as part of its payload, and will use provided any ConfigMap to configure provided pods and services. - Fixed a bug where the Compat Create endpoint for Containers would not always create the container's working directory if it did not exist (#11842). - Fixed a bug where the Compat Create endpoint for Containers returned an incorrect error message with 404 errors when the requested image was not found (#12315). - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the HostConfig.Mounts field (#12419). - Fixed a bug where the Compat Archive endpoint for Containers did not properly report errors when the operation failed (#12420). - Fixed a bug where the Compat Build endpoint for Images ignored the layers query parameter (for caching intermediate layers from the build) (#12378). - Fixed a bug where the Compat Build endpoint for Images did not report errors in a manner compatible with Docker (#12392). - Fixed a bug where the Compat Build endpoint for Images would fail to build if the context directory was a symlink (#12409). - Fixed a bug where the Compat List endpoint for Images included manifest lists (and not just images) in returned results (#12453). - Update to version 3.4.2: * Fixed a bug where podman tag could not tag manifest lists (#12046). * Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances. * Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host (#12207). * Fixed a bug where the podman network reload command command on containers using the slirp4netns network mode and the rootlessport port forwarding driver would make an unnecessary attempt to restart rootlessport on containers that did not forward ports. * Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. empty SELinux and DNS configuration blocks, and the privileged flag when set to false) (#11995). * Fixed a bug where the podman pod rm command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind (#12034). * Fixed a bug where the podman pod rm command would not remove pods with more than one container if all containers save for the infra container were stopped unless --force was specified (#11713). * Fixed a bug where the --memory flag to podman run and podman create did not accept a limit of 0 (which should specify unlimited memory) (#12002). * Fixed a bug where the remote Podman client's podman build command could attempt to build a Dockerfile in the working directory of the podman system service instance instead of the Dockerfile specified by the user (#12054). * Fixed a bug where the podman logs --tail command could function improperly (printing more output than requested) when the journald log driver was used. * Fixed a bug where containers run using the slirp4netns network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started (#11062). * Fixed a bug where some Podman commands could cause an extra dbus-daemon process to be created (#9727). * Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup (#12065). * Fixed a bug where the checkpointed field in podman inspect on a container was not set to false after a container was restored. * Fixed a bug where the podman system service command would print overly-verbose logs about request IDs (#12181). * Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel (#11735). Update to version 3.4.1: * Bugfixes - Fixed a bug where podman machine init could, under some circumstances, create invalid machine configurations which could not be started (#11824). - Fixed a bug where the podman machine list command would not properly populate some output fields. - Fixed a bug where podman machine rm could leave dangling sockets from the removed machine (#11393). - Fixed a bug where podman run --pids-limit=-1 was not supported (it now sets the PID limit in the container to unlimited) (#11782). - Fixed a bug where podman run and podman attach could throw errors about a closed network connection when STDIN was closed by the client (#11856). - Fixed a bug where the podman stop command could fail when run on a container that had another podman stop command run on it previously. - Fixed a bug where the --sync flag to podman ps was nonfunctional. - Fixed a bug where the Windows and OS X remote clients' podman stats command would fail (#11909). - Fixed a bug where the podman play kube command did not properly handle environment variables whose values contained an = (#11891). - Fixed a bug where the podman generate kube command could generate invalid annotations when run on containers with volumes that use SELinux relabelling (:z or :Z) (#11929). - Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. user and group, entrypoint, default protocol for forwarded ports) (#11914, #11915, and #11965). - Fixed a bug where the podman generate kube command could, under some circumstances, generate YAML including an invalid targetPort field for forwarded ports (#11930). - Fixed a bug where rootless Podman's podman info command could, under some circumstances, not read available CGroup controllers (#11931). - Fixed a bug where podman container checkpoint --export would fail to checkpoint any container created with --log-driver=none (#11974). * API - Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs (#11961). Update to version 3.4.0: * Features - Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: 'always', which always run before the pod is started, and 'once', which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option. - Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created. - The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container. - The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML. - The podman generate kube command now generates annotations for SELinux mount options on volume (:z and :Z) that are respected by the podman play kube command. - A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time. - Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import) (to populate a volume from a given tar file). - The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again. - Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option. - The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp. - The podman image scp command has been added. This command allows images to be transferred between different hosts. - The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed. - The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified). - The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation. - Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited. - The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265). - The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use. - The parameters of the VM created by podman machine init (amount of disk space, memory, CPUs) can now be set in containers.conf. - The podman machine ls command now shows additional information (CPUs, memory, disk size) about VMs managed by podman machine. - The podman ps command now includes healthcheck status in container state for containers that have healthchecks (#11527). * Changes - The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so. - Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages. - The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file. - Podman no longer depends on ip for removing networks (#11403). - The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release. - The podman machine start command now prints a message when the VM is successfully started. - The podman stats command can now be used on containers that are paused. - The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run). - Successful healthchecks will no longer add a healthy line to the system log to reduce log spam. - As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry. * Bugfixes - Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly. - Fixed a bug where the Windows remote client improperly validated volume paths (#10900). - Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped. - Fixed a bug where images created by podman commit did not include ports exposed by the container. - Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171). - Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352). - Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443). - Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container. - Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path. - Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387). - Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344). - Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418). - Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411). - Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421). - Fixed a bug where the podman info command could segfault when accessing cgroup information. - Fixed a bug where the podman logs -f command could hang when a container exited (#11461). - Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438). - Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474). - Fixed a bug where the remote Podman client's podman build command would fail to build containers if the context directory was a symlink (#11732). - Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified. - Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392). - Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf. - Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785). - Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496). - Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469). - Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444). - Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540). - Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically. - Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod. - Fixed a bug where the podman container runlabel command could fail if the image name given included a tag. - Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596). - Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557). - Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output. - Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687). - Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed resulting in an error (e.g. by an external podman rm -f) (#11633). - Fixed a bug where the podman generate kube command would add default environment variables to generated YAML. - Fixed a bug where the podman generate kube command would add the default CMD from the image to generated YAML (#11672). - Fixed a bug where the podman rm --storage command could fail to remove containers under some circumstances (#11207). - Fixed a bug where the podman machine ssh command could fail when run on Linux (#11731). - Fixed a bug where the podman stop command would error when used on a container that was already stopped (#11740). - Fixed a bug where renaming a container in a pod using the podman rename command, then removing the pod using podman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750). * API - The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612). - The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients. - The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623). - The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225). - The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831). - The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered. - The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails. - The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227). - Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235). - Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages. - Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053). Update to version 3.3.1: * Bugfixes - Fixed a bug where unit files created by podman generate systemd could not cleanup shut down containers when stopped by systemctl stop (#11304). - Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances. - Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace (#11303). - Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions. - Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated (#11158). - Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path (#11358). * API - A large number of potential file descriptor leaks from improperly closing client connections have been fixed. Update to version 3.3.0: * Fix network aliases with network id * machine: compute sha256 as we read the image file * machine: check for file exists instead of listing directory * pkg/bindings/images.nTar(): slashify hdr.Name values * Volumes: Only remove from DB if plugin removal succeeds * For compatibility, ignore Content-Type * [v3.3] Bump c/image 5.15.2, buildah v1.22.3 * Implement SD-NOTIFY proxy in conmon * Fix rootless cni dns without systemd stub resolver * fix rootlessport flake * Skip stats test in CGv1 container environments * Fix AVC denials in tests of volume mounts * Restore buildah-bud test requiring new images * Revert '.cirrus.yml: use fresh images for all VMs' * Fix device tests using ls test files * Enhance priv. dev. check * Workaround host availability of /dev/kvm * Skip cgroup-parent test due to frequent flakes * Cirrus: Fix not uploading logformatter html Switch to crun (bsc#1188914) Update to version 3.2.3: * Bump to v3.2.3 * Update release notes for v3.2.3 * vendor containers/common@v0.38.16 * vendor containers/buildah@v1.21.3 * Fix race conditions in rootless cni setup * CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf * Make rootless-cni setup more robust * Support uid,gid,mode options for secrets * vendor containers/common@v0.38.15 * [CI:DOCS] podman search: clarify that results depend on implementation * vendor containers/common@v0.38.14 * vendor containers/common@v0.38.13 * [3.2] vendor containers/common@v0.38.12 * Bump README to v3.2.2 * Bump to v3.2.3-dev - Update to version 3.2.2: * Bump to v3.2.2 * fix systemcontext to use correct TMPDIR * Scrub podman commands to use report package * Fix volumes with uid and gid options * Vendor in c/common v0.38.11 * Initial release notes for v3.2.2 * Fix restoring of privileged containers * Fix handling of podman-remote build --device * Add support for podman remote build -f - . * Fix panic condition in cgroups.getAvailableControllers * Fix permissions on initially created named volumes * Fix building static podman-remote * add correct slirp ip to /etc/hosts * disable tty-size exec checks in system tests * Fix resize race with podman exec -it * Fix documentation of the --format option of podman push * Fix systemd-resolved detection. * Health Check is not handled in the compat LibpodToContainerJSON * Do not use inotify for OCICNI * getContainerNetworkInfo: lock netNsCtr before sync * [NO TESTS NEEDED] Create /etc/mtab with the correct ownership * Create the /etc/mtab file if does not exists * [v3.2] cp: do not allow dir->file copying * create: support images with invalid platform * vendor containers/common@v0.38.10 * logs: k8s-file: restore poll sleep * logs: k8s-file: fix spurious error logs * utils: move message from warning to debug * Bump to v3.2.2-dev - Update to version 3.2.1: * Bump to v3.2.1 * Updated release notes for v3.2.1 * Fix network connect race with docker-compose * Revert 'Ensure minimum API version is set correctly in tests' * Fall back to string for dockerfile parameter * remote events: fix --stream=false * [CI:DOCS] fix incorrect network remove api doc * remote: always send resize before the container starts * remote events: support labels * remote pull: cancel pull when connection is closed * Fix network prune api docs * Improve systemd-resolved detection * logs: k8s-file: fix race * Fix image prune --filter cmd behavior * Several shell completion fixes * podman-remote build should handle -f option properly * System tests: deal with crun 0.20.1 * Fix build tags for pkg/machine... * Fix pre-checkpointing * container: ignore named hierarchies * [v3.2] vendor containers/common@v0.38.9 * rootless: fix fast join userns path * [v3.2] vendor containers/common@v0.38.7 * [v3.2] vendor containers/common@v0.38.6 * Correct qemu options for Intel macs * Ensure minimum API version is set correctly in tests * Bump to v3.2.1-dev - Update to version 3.2.0: * Bump to v3.2.0 * Fix network create macvlan with subnet option * Final release notes updates for v3.2.0 * add ipv6 nameservers only when the container has ipv6 enabled * Use request context instead of background * [v.3.2] events: support disjunctive filters * System tests: add :Z to volume mounts * generate systemd: make mounts portable * vendor containers/storage@v1.31.3 * vendor containers/common@v0.38.5 * Bump to v3.2.0-dev * Bump to v3.2.0-RC3 * Update release notes for v3.2.0-RC3 * Fix race on podman start --all * Fix race condition in running ls container in a pod * docs: --cert-dir: point to containers-certs.d(5) * Handle hard links in different directories * Improve OCI Runtime error * Handle hard links in remote builds * Podman info add support for status of cgroup controllers * Drop container does not exist on removal to debugf * Downgrade API service routing table logging * add libimage events * docs: generate systemd: XDG_RUNTIME_DIR * Fix problem copying files when container is in host pid namespace * Bump to v3.2.0-dev * Bump to v3.2.0-RC2 * update c/common * Update Cirrus DEST_BRANCH to v3.2 * Updated vendors of c/image, c/storage, Buildah * Initial release notes for v3.2.0-RC2 * Add script for identifying commits in release branches * Add host.containers.internal entry into container's etc/hosts * image prune: remove unused images only with `--all` * podman network reload add rootless support * Use more recent `stale` release... * network tutorial: update with rootless cni changes * [CI:DOCS] Update first line in intro page * Use updated VM images + updated automation tooling * auto-update service: prune images * make vendor * fix system upgrade tests * Print 'extracting' only on compressed file * podman image tree: restore previous behavior * fix network restart always test * fix incorrect log driver in podman container image * Add support for cli network prune --filter flag * Move filter parsing to common utils * Bump github.com/containers/storage from 1.30.2 to 1.30.3 * Update nix pin with `make nixpkgs` * [CI:DOCS] hack/bats - new helper for running system tests * fix restart always with slirp4netns * Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc94 * Bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2 * Add host.serviceIsRemote to podman info results * Add client disconnect to build handler loop * Remove obsolete skips * Fix podman-remote build --rm=false ... * fix: improved 'containers/{name}/wait' endpoint * Bump github.com/containers/storage from 1.30.1 to 1.30.2 * Add envars to the generated systemd unit * fix: use UTC Time Stamps in response JSON * fix container startup for empty pidfile * Kube like pods should share ipc,net,uts by default * fix: compat API 'images/get' for multiple images * Revert escaped double dash man page flag syntax * Report Download complete in Compatibility mode * Add documentation on short-names * Bump github.com/docker/docker * Adds support to preserve auto update labels in generate and play kube * [CI:DOCS] Stop conversion of `--` into en dash * Revert Patch to relabel if selinux not enabled * fix per review request * Add support for environment variable secrets * fix pre review request * Fix infinite loop in isPathOnVolume * Add containers.conf information for changing defaults * CI: run rootless tests under ubuntu * Fix wrong macvlan PNG in networking doc. * Add restart-policy to container filters & --filter to podman start * Fixes docker-compose cannot set static ip when use ipam * channel: simplify implementation * build: improve regex for iidfile * Bump github.com/onsi/gomega from 1.11.0 to 1.12.0 * cgroup: fix rootless --cgroup-parent with pods * fix: docker APIv2 `images/get` * codespell cleanup * Minor podmanimage docs updates. * Fix handling of runlabel IMAGE and NAME * Bump to v3.2.0-dev * Bump to v3.2.0-rc1 * rootless: improve automatic range split * podman: set volatile storage flag for --rm containers * Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.2 * Bump github.com/containers/image/v5 from 5.11.1 to 5.12.0 * migrate Podman to containers/common/libimage * Add filepath glob support to --security-opt unmask * Force log_driver to k8s-file for containers in containers * add --mac-address to podman play kube * compat api: Networks must be empty instead of null * System tests: honor $OCI_RUNTIME (for CI) * is this a bug? * system test image: add arm64v8 image * Fix troubleshooting documentation on handling sublemental groups. * Add --all to podman start * Fix variable reference typo. in multi-arch image action * cgroup: always honor --cgroup-parent with cgroupfs * Bump github.com/uber/jaeger-client-go * Don't require tests for github-actions & metadata * Detect if in podman machine virtual vm * Fix multi-arch image workflow typo * [CI:DOCS] Add titles to remote docs (windows) * Remove unused VolumeList* structs * Cirrus: Update F34beta -> F34 * Update container image docs + fix unstable execution * Bump github.com/containers/storage from 1.30.0 to 1.30.1 * TODO complete * Docker returns 'die' status rather then 'died' status * Check if another VM is running on machine start * [CI:DOCS] Improve titles of command HTML pages * system tests: networking: fix another race condition * Use seccomp_profile as default profile if defined in containers.conf * Bump github.com/json-iterator/go from 1.1.10 to 1.1.11 * Vendored * Autoupdate local label functional * System tests: fix two race conditions * Add more documentation on conmon * Allow docker volume create API to pass without name * Cirrus: Update Ubuntu images to 21.04 * Skip blkio-weight test when no kernel BFQ support * rootless: Tell the user what was led to the error, not just what it is * Add troubleshooting advice about the --userns option. * Fix images prune filter until * Fix logic for pushing stable multi-arch images * Fixes generate kube incorrect when bind-mounting '/' and '/root' * libpod/image: unit tests: don't use system's registries.conf.d * runtime: create userns when CAP_SYS_ADMIN is not present * rootless: attempt to copy current mappings first * [CI:DOCS] Restore missing content to manpages * [CI:DOCS] Fix Markdown layout bugs * Fix podman ps --filter ancestor to match exact ImageName/ImageID * Add machine-enabled to containers.conf for machine * Several multi-arch image build/push fixes * Add podman run --timeout option * Parse slirp4netns net options with compat api * Fix rootlesskit port forwarder with custom slirp cidr * Fix removal race condition in ListContainers * Add github-action workflow to build/push multi-arch * rootless: if root is not sub?id raise a debug message * Bump github.com/containers/common from 0.36.0 to 0.37.0 * Add go template shell completion for --format * Add --group-add keep-groups: suplimentary groups into container * Fixes from make codespell * Typo fix to usage text of --compress option * corrupt-image test: fix an oops * Add --noheading flag to all list commands * Bump github.com/containers/storage from 1.29.0 to 1.30.0 * Bump github.com/containers/image/v5 from 5.11.0 to 5.11.1 * [CI:DOCS] Fix Markdown table layout bugs * podman-remote should show podman.sock info * rmi: don't break when the image is missing a manifest * [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md * Add support for CDI device configuration * [CI:DOCS] Add missing dash to verbose option * Bump github.com/uber/jaeger-client-go * Remove an advanced layer diff function * Ensure mount destination is clean, no trailing slash * add it for inspect pidfile * [CI:DOCS] Fix introduction page typo * support pidfile on container restore * fix start it * skip pidfile test on remote * improve document * set pidfile default value int containerconfig * add pidfile in inspection * add pidfile it for container start * skip pidfile it on remote * Modify according to comments * WIP: drop test requirement * runtime: bump required conmon version * runtime: return findConmon to libpod * oci: drop ExecContainerCleanup * oci: use `--full-path` option for conmon * use AttachSocketPath when removing conmon files * hide conmon-pidfile flag on remote mode * Fix possible panic in libpod/image/prune.go * add --ip to podman play kube * add flag autocomplete * add ut * add flag '--pidfile' for podman create/run * Add network bindings tests: remove and list * Fix build with GO111MODULE=off * system tests: build --pull-never: deal with flakes * compose test: diagnose flakes v3 * podman play kube apply correct log driver * Fixes podman-remote save to directories does not work * Bump github.com/rootless-containers/rootlesskit from 0.14.1 to 0.14.2 * Update documentation of podman-run to reflect volume 'U' option * Fix flake on failed podman-remote build : try 2 * compose test: ongoing efforts to diagnose flakes * Test that we don't error out on advertised --log-level values * At trace log level, print error text using %+v instead of %v * pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace * Fix flake on failed podman-remote build * System tests: fix racy podman-inspect * Fixes invalid expression in save command * Bump github.com/containers/common from 0.35.4 to 0.36.0 * Update nix pin with `make nixpkgs` * compose test: try to get useful data from flakes * Remove in-memory state implementation * Fix message about runtime to show only the actual runtime * System tests: setup: better cleanup of stray images * Bump github.com/containers/ocicrypt from 1.1.0 to 1.1.1 * Reflect current state of prune implementation in docs * Do not delete container twice * [CI:DOCS] Correct status code for /pods/create * vendor in containers/storage v1.29.0 * cgroup: do not set cgroup parent when rootless and cgroupfs * Overhaul Makefile binary and release worflows * Reorganize Makefile with sections and guide * Simplify Makefile help target * Don't shell to obtain current directory * Remove unnecessary/not-needed release.txt target * Fix incorrect version number output * Exclude .gitignore from test req. * Fix handling of $NAME and $IMAGE in runlabel * Update podman image Dockerfile to support Podman in container * Bump github.com/containers/image/v5 from 5.10.5 to 5.11.0 * Fix slashes in socket URLs * Add network prune filters support to bindings * Add support for play/generate kube volumes * Update manifest API endpoints * Fix panic when not giving a machine name for ssh * cgroups: force 64 bits to ParseUint * Bump k8s.io/api from 0.20.5 to 0.21.0 * [CI:DOCS] Fix formatting of podman-build man page * buildah-bud tests: simplify * Add missing return * Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1 * speed up CI handling of images * Volumes prune endpoint should use only prune filters * Cirrus: Use Fedora 34beta images * Bump go.sum + Makefile for golang 1.16 * Exempt Makefile changes from test requirements * Adjust libpod API Container Wait documentation to the code * [CI:DOCS] Update swagger definition of inspect manifest * use updated ubuntu images * podman unshare: add --rootless-cni to join the ns * Update swagger-check * swagger: remove name wildcards * Update buildah-bud diffs * Handle podman-remote --arch, --platform, --os * buildah-bud tests: handle go pseudoversions, plus... * Fix flaking rootless compose test * rootless cni add /usr/sbin to PATH if not present * System tests: special case for RHEL: require runc * Add --requires flag to podman run/create * [CI:DOCS] swagger-check: compare operations * [CI:DOCS] Polish swagger OpertionIDs * [NO TESTS NEEDED] Update nix pin with `make nixpkgs` * Ensure that `--userns=keep-id` sets user in config * [CI:DOCS] Set all operation id to be compatibile * Move operationIds to swagger:operation line * swagger: add operationIds that match with docker * Cirrus: Make use of shared get_ci_vm container * Don't relabel volumes if running in a privileged container * Allow users to override default storage opts with --storage-opt * Add support for podman --context default * Verify existence of auth file if specified * fix machine naming conventions * Initial network bindings tests * Update release notes to indicate CVE fix * Move socket activation check into init() and set global condition. * Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0 * Http api tests for network prune with until filter * podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns * Fix typos --uidmapping and --gidmapping * Add transport and destination info to manifest doc * Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1 * Add default template functions * Fix missing podman-remote build options * Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1 * Add ssh connection to root user * Add rootless docker-compose test to the CI * Use the slrip4netns dns in the rootless cni ns * Cleanup the rootless cni namespace * Add new docker-compose test for two networks * Make the docker-compose test work rootless * Remove unused rootless-cni-infra container files * Only use rootless RLK when the container has ports * Fix dnsname test * Enable rootless network connect/disconnect * Move slirp4netns functions into an extra file * Fix pod infra container cni network setup * Add rootless support for cni and --uidmap * rootless cni without infra container * Recreate until container prune tests for bindings * Remove --execute from podman machine ssh * Fixed podman-remote --network flag * Makefile: introduce install.docker-full * Makefile: ensure install.docker creates BINDIR * Fix unmount doc reference in image.rst * Should send the OCI runtime path not just the name to buildah * podman machine shell completion * Fix handling of remove --log-rusage param * Fix bindings prune containers flaky test * [CI:DOCS] Add local html build info to docs/README.md * Add podman machine list * Trim white space from /top endpoint results * Remove semantic version suffices from API calls * podman machine init --ignition-path * Document --volume from podman-remote run/create client * Update main branch to reflect the release of v3.1.0 * Silence podman network reload errors with iptables-nft * Containers prune endpoint should use only prune filters * resolve proper aarch64 image names * APIv2 basic test: relax APIVersion check * Add machine support for qemu-system-aarch64 * podman machine init user input * manpage xref: helpful diagnostic for unescaped dash-dash * Bump to v3.2.0-dev * swagger: update system version response body * buildah-bud tests: reenable pull-never test * [NO TESTS NEEDED] Shrink the size of podman-remote * Add powershell completions * [NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted * Fix long option format on docs.podman.io * system tests: friendier messages for 2-arg is() * service: use LISTEN_FDS * man pages: correct seccomp-policy label * rootless: use is_fd_inherited * podman generate systemd --new do not duplicate params * play kube: add support for env vars defined from secrets * play kube: support optional/mandatory env var from config map * play kube: prepare supporting other env source than config maps * Add machine support for more Linux distros * [NO TESTS NEEDED] Use same function podman-remote rmi as podman * Podman machine enhancements * Add problematic volume name to kube play error messages * Fix podman build --pull-never * [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NS * [NO TESTS NEEDED] Turn on podman-remote build --isolation * Fix list pods filter handling in libpod api * Remove resize race condition * [NO TESTS NEEDED] Vendor in containers/buildah v1.20.0 * Use TMPDIR when commiting images * Add RequiresMountsFor= to systemd generate * Bump github.com/vbauerster/mpb/v6 from 6.0.2 to 6.0.3 * Fix swapped dimensions from terminal.GetSize * Rename podman machine create to init and clean up * Correct json field name * system tests: new interactive tests * Improvements for machine * libpod/image: unit tests: use a `registries.conf` for aliases * libpod/image: unit tests: defer cleanup * libpod/image: unit tests: use `require.NoError` * Add --execute flag to podman machine ssh * introduce podman machine * Podman machine CLI and interface stub * Support multi doc yaml for generate/play kube * Fix filters in image http compat/libpod api endpoints * Bump github.com/containers/common from 0.35.3 to 0.35.4 * Bump github.com/containers/storage from 1.28.0 to 1.28.1 * Check if stdin is a term in --interactive --tty mode * [NO TESTS NEEDED] Remove /tmp/containers-users-* files on reboot * [NO TESTS NEEDED] Fix rootless volume plugins * Ensure manually-created volumes have correct ownership * Bump github.com/rootless-containers/rootlesskit * Unification of until filter across list/prune endpoints * Unification of label filter across list/prune endpoints * fixup * fix: build endpoint for compat API * [CI:DOCS] Add note to mappings for user/group userns in build * Bump k8s.io/api from 0.20.1 to 0.20.5 * Validate passed in timezone from tz option * WIP: run buildah bud tests using podman * Fix containers list/prune http api filter behaviour * Generate Kubernetes PersistentVolumeClaims from named volumes - Update to version 3.1.2: * Bump to v3.1.2 * Update release notes for v3.1.2 * Ensure mount destination is clean, no trailing slash * Fixes podman-remote save to directories does not work * [CI:DOCS] Add missing dash to verbose option * [CI:DOCS] Fix Markdown table layout bugs * [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md * rmi: don't break when the image is missing a manifest * Bump containers/image to v5.11.1 * Bump github.com/coreos/go-systemd from 22.2.0 to 22.3.1 * Fix lint * Bump to v3.1.2-dev - Split podman-remote into a subpackage - Add missing scriptlets for systemd units - Escape macros in comments - Drop some obsolete workarounds, including %{go_nostrip} - Update to version 3.1.1: * Bump to v3.1.1 * Update release notes for v3.1.1 * podman play kube apply correct log driver * Fix build with GO111MODULE=off * [CI:DOCS] Set all operation id to be compatibile * Move operationIds to swagger:operation line * swagger: add operationIds that match with docker * Fix missing podman-remote build options * [NO TESTS NEEDED] Shrink the size of podman-remote * Move socket activation check into init() and set global condition. * rootless: use is_fd_inherited * Recreate until container prune tests for bindings * System tests: special case for RHEL: require runc * Document --volume from podman-remote run/create client * Containers prune endpoint should use only prune filters * Trim white space from /top endpoint results * Fix unmount doc reference in image.rst * Fix handling of remove --log-rusage param * Makefile: introduce install.docker-full * Makefile: ensure install.docker creates BINDIR * Should send the OCI runtime path not just the name to buildah * Fixed podman-remote --network flag * podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns * Fix typos --uidmapping and --gidmapping * Add default template functions * Don't relabel volumes if running in a privileged container * Allow users to override default storage opts with --storage-opt * Add transport and destination info to manifest doc * Verify existence of auth file if specified * Ensure that `--userns=keep-id` sets user in config * [CI:DOCS] Update swagger definition of inspect manifest * Volumes prune endpoint should use only prune filters * Adjust libpod API Container Wait documentation to the code * Add missing return * [CI:DOCS] Fix formatting of podman-build man page * cgroups: force 64 bits to ParseUint * Fix slashes in socket URLs * [CI:DOCS] Correct status code for /pods/create * cgroup: do not set cgroup parent when rootless and cgroupfs * Reflect current state of prune implementation in docs * Do not delete container twice * Test that we don't error out on advertised --log-level values * At trace log level, print error text using %+v instead of %v * pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace * Fix message about runtime to show only the actual runtime * Fix handling of $NAME and $IMAGE in runlabel * Fix flake on failed podman-remote build : try 2 * Fix flake on failed podman-remote build * Update documentation of podman-run to reflect volume 'U' option * Fixes invalid expression in save command * Fix possible panic in libpod/image/prune.go * Update all containers/ project vendors * Fix tests * Bump to v3.1.1-dev - Update to version 3.1.0: * Bump to v3.1.0 * Fix test failure * Update release notes for v3.1.0 final release * [NO TESTS NEEDED] Turn on podman-remote build --isolation * Fix long option format on docs.podman.io * Fix containers list/prune http api filter behaviour * [CI:DOCS] Add note to mappings for user/group userns in build * Validate passed in timezone from tz option * Generate Kubernetes PersistentVolumeClaims from named volumes * libpod/image: unit tests: use a `registries.conf` for aliases - Require systemd 241 or newer due to podman dependency go-systemd v22, otherwise build will fail with unknown C name errors - Create docker subpackage to allow replacing docker with corresponding aliases to podman. - Update to v3.0.1 * Changes - Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output. Bugfixes - Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of an Unix timestamp (integer) (#9315). - Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output. - Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems. - Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail (#9393). - Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415). - Fixed a bug where Podman would treat the --entrypoint=[''] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377). - Fixed a bug where Podman would set the HOME environment variable to '' when the container ran as a user without an assigned home directory (#9378). - Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374). - Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365). - Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed. - Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387). - Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373). - Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191). - Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247). * API - Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351). - Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port. - Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred. - Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232). - The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library. * Misc - Updated Buildah to v1.19.4 - Updated the containers/storage library to v1.24.6 - Changes from v3.0.0 * Features - Podman now features initial support for Docker Compose. - Added the podman rename command, which allows containers to be renamed after they are created (#1925). - The Podman remote client now supports the podman copy command. - A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload). - Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically. - Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them. - The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454). - The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes. - The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now support the --import-previous option. These add support for two-step checkpointing with lowered dump times. - The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails. - The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them. - The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132). - The podman generate kube command now properly supports generating YAML for containers and pods creating using host networking (--net=host) (#9077). - The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443). - The podman pod create command now supports the --net=none option (#9165). - The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the the --opt option. - Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver. - The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container. - The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths. - The podman stats --format command now supports a new format specified, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting #8945. - The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512). - The podman pod ps command can now filter pods based on what networks they are joined to via the network filter. The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option. - The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned. - The podman volume prune commands now supports filtering what volumes will be pruned. - The podman system prune command now includes information on space reclaimed (#8658). - The podman info command will now properly print information about packages in use on Gentoo and Arch systems. - The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384). - The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list. - The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d. - Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf. - The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000). * Security - A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. * Changes - Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull. - The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387). - The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here. - The legacy Varlink API has been completely removed from Podman. - The default log level for Podman has been changed from Error to Warn. - The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year. - The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included. - The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615). - The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501). - Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected. - Error messages for the remote Podman client have been improved when it cannot connect to a Podman service. - Error messages for podman run when an invalid SELinux is specified have been improved. - Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace. - Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share. - SSH public key handling for remote Podman has been improved. * Bugfixes - Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120). - Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618). - Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040). - Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was creating using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034). - Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847). - Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176 - Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842). - Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567). - Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374). - Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable. - Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error. - Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803). - Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608). - Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers. - Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790). - Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838). - Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable (#8710). - Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211). - Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921). - Fixed a bug where the podman search --list-tags command did not support the --format option (#8740). - Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843). - Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798). - Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931). - Fixed a bug where locale environment variables were not properly passed on to Conmon. - Fixed a bug where Podman would not build on the MIPS architecture (#8782). - Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0. - Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879). - Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733). - Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886). - Fixed a bug where Podman would applied default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod). - Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176). - Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506). - Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849). - Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged. - Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846). - Fixed a bug where podman build --logfile did not actually write the build's log to the logfile. - Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700). - Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680). - Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748). - Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751). - Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored. - Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694). - Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683). - Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547). - Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined. - Fixed a bug where the --layers option to podman build was nonfunctional (#8643). - Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990). - Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650). - Fixed a bug where --format did not support JSON output for individual fields (#8444). - Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883). - Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498). - Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588). - Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option. - Fixed a bug where failures during the resizing of a container's TTY would print the wrong error. - Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234). - Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230). - Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function (#8773). - Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors (#6510). - Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly (#9303). - Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003). API - Libpod API version has been bumped to v3.0.0. - All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865). - The Compat API for Containers now supports the Rename and Copy APIs. - Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses. - Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a 'no such file' error if an invalid executable was passed) (#8281) - Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649). - Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly. - Fixed a bug where the Compat Create API for Containers did not set container name properly. - Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used). - Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker. - Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864). - Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870). - Fixed a bug where the Libpod Exists endpoint for Images could panic. - Fixed a bug where the Compat List API for Containers did not support all filters (#8860). - Fixed a bug where the Compat List API for Containers did not properly populate the Status field. - Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102). - Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758). - Fixed a bug where the Compat Load API for Images did not properly clean up temporary files. - Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified. - Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope. - Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did. * Misc - Updated Buildah to v1.19.2 - Updated the containers/storage library to v1.24.5 - Updated the containers/image library to v5.10.2 - Updated the containers/common library to v0.33.4 - Update to v2.2.1 * Changes - Due to a conflict with a previously-removed field, we were forced to modify the way image volumes (mounting images into containers using --mount type=image) were handled in the database. As a result, containers created in Podman 2.2.0 with image volume will not have them in v2.2.1, and these containers will need to be re-created. * Bugfixes - Fixed a bug where rootless Podman would, on systems without the XDG_RUNTIME_DIR environment variable defined, use an incorrect path for the PID file of the Podman pause process, causing Podman to fail to start (#8539). - Fixed a bug where containers created using Podman v1.7 and earlier were unusable in Podman due to JSON decode errors (#8613). - Fixed a bug where Podman could retrieve invalid cgroup paths, instead of erroring, for containers that were not running. - Fixed a bug where the podman system reset command would print a warning about a duplicate shutdown handler being registered. - Fixed a bug where rootless Podman would attempt to mount sysfs in circumstances where it was not allowed; some OCI runtimes (notably crun) would fall back to alternatives and not fail, but others (notably runc) would fail to run containers. - Fixed a bug where the podman run and podman create commands would fail to create containers from untagged images (#8558). - Fixed a bug where remote Podman would prompt for a password even when the server did not support password authentication (#8498). - Fixed a bug where the podman exec command did not move the Conmon process for the exec session into the correct cgroup. - Fixed a bug where shell completion for the ancestor option to podman ps --filter did not work correctly. - Fixed a bug where detached containers would not properly clean themselves up (or remove themselves if --rm was set) if the Podman command that created them was invoked with --log-level=debug. * API - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the Binds and Mounts parameters in HostConfig. - Fixed a bug where the Compat Create endpoint for Containers ignored the Name query parameter. - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the 'default' value for NetworkMode (this value is used extensively by docker-compose) (#8544). - Fixed a bug where the Compat Build endpoint for Images would sometimes incorrectly use the target query parameter as the image's tag. * Misc - Podman v2.2.0 vendored a non-released, custom version of the github.com/spf13/cobra package; this has been reverted to the latest upstream release to aid in packaging. - Updated the containers/image library to v5.9.0 - Update to v2.2.0 * Features - Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here and here. - Initial support has been added for the podman network connect and podman network disconnect commands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify --network=none when they were created. - The podman run command now supports the --network-alias option to set network aliases (additional names the container can be accessed at from other containers via DNS if the dnsname CNI plugin is in use). Aliases can also be added and removed using the new podman network connect and podman network disconnect commands. Please note that this requires a new release (v1.1.0) of the dnsname plugin, and will only work on newly-created CNI networks. - The podman generate kube command now features support for exporting container's memory and CPU limits (#7855). - The podman play kube command now features support for setting CPU and Memory limits for containers (#7742). - The podman play kube command now supports persistent volumes claims using Podman named volumes. - The podman play kube command now supports Kubernetes configmaps via the --configmap option (#7567). - The podman play kube command now supports a --log-driver option to set the log driver for created containers. - The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows for podman play kube to be more easily used in systemd unitfiles. - The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks (#7302). - The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images (#6757). - The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location. - The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added. - The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs (#7434). - The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root (#6097). - The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster. - The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository. - The podman search command can now output JSON using the --format=json option. - The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers. - The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers. - The --tls-verify and --authfile options have been enabled for use with remote Podman. - The /etc/hosts file now includes the container's name and hostname (both pointing to localhost) when the container is run with --net=none (#8095). - The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option. - The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option. - The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable. - The name and id filters for podman pod ps now match based on a regular expression, instead of requiring an exact match. - The podman pod ps command now supports a new filter status, that matches pods in a certain state. * Changes - The podman network rm --force command will now also remove pods that are using the network (#7791). - The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given. - If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container. - Global Podman options that were not supported with remote operation have been removed from podman-remote (e.g. --cgroup-manager, --storage-driver). - Many errors have been changed to remove repetition and be more clear as to what has gone wrong. - The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release. - The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work. - Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941). - The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659). - A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running. - Podman will now print a warning when conflicting network options related to port forwarding (e.g. --publish and --net=host) are specified when creating a container. - The --restart on-failure and --rm options for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly (#7906). - Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server's containers.conf (#7657). - The podman network rm command now has a new alias, podman network remove (#8402). * Bugfixes - Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use. - Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed (#7776). - Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior. - Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl. - Fixed a bug where Podman would not return the text of errors encounted when trying to run a healthcheck for a container. - Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable. - Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789). - Fixed a bug where the podman untag --all command was not supported with remote Podman. - Fixed a bug where the podman system service command could time out even if active attach connections were present (#7826). - Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present. - Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's. - Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled (#7798). - Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381). - Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled (#7726). - Fixed a bug where rootless Podman would not add supplemental GIDs to containers when when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups (#7782). - Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837). - Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run (#7872). - Fixed a bug where the podman logs command with the journald log driver would not read all available logs (#7476). - Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen (#7878). - Fixed a bug where the --format 'table {{ .Field }}' option to numerous Podman commands ceased to function on Podman v2.0 and up. - Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886). - Fixed a bug where the --namespace option to podman ps did not work with the remote client (#7903). - Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified. - Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace (#7490). - Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results (#7807). - Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number (e.g. -p 80), assign the same port for both host and container, instead of generating a random host port (#7947). - Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option (#7830). - Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running. - Fixed a bug where the podman attach command would not print a newline after detaching from the container (#7751). - Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set (#8004). - Fixed a bug where the podman container restore command could panic when the container in question was in a pod (#8026). - Fixed a bug where the output of the podman image trust show --raw command was not properly formatted. - Fixed a bug where the podman runlabel command could panic if a label to run was not given (#8038). - Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979). - Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040). - Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations. - Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated (#8054). - Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via --net=container:...) (#8073). - Fixed a bug where the podman ps command did not include information on all ports a container was publishing. - Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions. - Fixed a bug where the podman wait command's --interval option did not work when units were not specified for the duration (#8088). - Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect (and not making sense in that context). - Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file (which occurs on some WSL2 images) (#8089). - Fixed a bug where the --extract option to podman cp was nonfunctional. - Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited (#8091). - Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage (#8148). - Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that container certain string was present in the journal (#8125). - Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139). - Fixed a bug where the podman attach command would not exit when containers stopped (#8154). - Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters (#8160). - Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections (#8159). - Fixed a bug where the podman image exists command would return non-zero (false) when multiple potential matches for the given name existed. - Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image (#8023). - Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist (#8184). - Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shm filesystem between all containers in the pod (#8181). - Fixed a bug where filters passed to podman volume list were not inclusive (#6765). - Fixed a bug where the podman volume create command would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253). - Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g. podman run -v testvol:/test1 -v testvol:/test2) (#8221). - Fixed a bug where the parsing of the --net option to podman build was incorrect (#8322). - Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman (#8332). - Fixed a bug where the podman stats command did not show memory limits for containers (#8265). - Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format (#8386). - Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted (false would enforce the use of TLS, true would disable it). - Fixed a bug where the podman network rm command would error when trying to remove macvlan networks and rootless CNI networks (#8491). - Fixed a bug where Podman was not setting sane defaults for missing XDG_ environment variables. - Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server (#8473). - Fixed a bug where the podman manifest create and podman manifest add commands on local images would drop any images in the manifest not pulled by the host. - Fixed a bug where networks made by podman network create did not include the tuning plugin, and as such did not support setting custom MAC addresses (#8385). - Fixed a bug where container healthchecks did not use $PATH when searching for the Podman executable to run the healthcheck. - Fixed a bug where the --ip-range option to podman network create did not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment (#8448). - Fixed a bug where the podman container ps alias for podman ps was missing (#8445). * API - The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable. - A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950). - The Compat Network Connect and Network Disconnect endpoints have been added. - Endpoints that deal with image registries now support a X-Registry-Config header to specify registry authentication configuration. - The Compat Create endpoint for images now properly supports specifying images by digest. - The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server's HTTP proxy settings into the build container for RUN instructions. - The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal. - Fixed a bug where the Ping endpoint misspelled a header name (Libpod-Buildha-Version instead of Libpod-Buildah-Version). - Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not. - Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line. - Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return (#7942). - Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917). - Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860). - Fixed a bug where the Compat Inspect endpoint for Containers did not include the container's Path, Args, and Restart Count. - Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_ (Docker does not do so). - Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries. - Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896). - Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740). - Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946). - Fixed a bug where the 'no such image' error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility. - Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client. - Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response. - Fixed a bug where the Compat Inspect endpoint for images would omit the ParentId field if the image had no parent, and the Created field if the image did not have a creation time. - Fixed a bug where the Compat Remove endpoint for Networks did not support the Force query parameter. - add dependency to timezone package or podman fails to build a - Correct invalid use of %{_libexecdir} to ensure files should be in /usr/lib SELinux support [jsc#SMO-15] libseccomp was updated to release 2.5.3: * Update the syscall table for Linux v5.15 * Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2 * Document that seccomp_rule_add() may return -EACCES Update to release 2.5.2 * Update the syscall table for Linux v5.14-rc7 * Add a function, get_notify_fd(), to the Python bindings to get the nofication file descriptor. * Consolidate multiplexed syscall handling for all architectures into one location. * Add multiplexed syscall support to PPC and MIPS * The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel. libseccomp's fd notification logic was modified to support the kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID. update to 2.5.1: * Fix a bug where seccomp_load() could only be called once * Change the notification fd handling to only request a notification fd if * the filter has a _NOTIFY action * Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage * Clarify the maintainers' GPG keys Update to release 2.5.0 * Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information * Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information * Add support for the 64-bit RISC-V architecture * Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables * Properly document the libseccomp API return values and include them in the stable API promise * Improvements to the s390 and s390x multiplexed syscall handling * Multiple fixes and improvements to the libseccomp manpages * Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format * Update the syscall tables to Linux v5.8.0-rc5 * Python bindings and build now default to Python 3.x * Improvements to the tests have boosted code coverage to over 93% Update to release 2.4.3 * Add list of authorized release signatures to README.md * Fix multiplexing issue with s390/s390x shm* syscalls * Remove the static flag from libseccomp tools compilation * Add define for __SNR_ppoll * Fix potential memory leak identified by clang in the scmp_bpf_sim tool Update to release 2.4.2 * Add support for io-uring related system calls conmon was updated to version 2.0.30: * Remove unreachable code path * exit: report if the exit command was killed * exit: fix race zombie reaper * conn_sock: allow watchdog messages through the notify socket proxy * seccomp: add support for seccomp notify Update to version 2.0.29: * Reset OOM score back to 0 for container runtime * call functions registered with atexit on SIGTERM * conn_sock: fix potential segfault Update to version 2.0.27: * Add CRI-O integration test GitHub action * exec: don't fail on EBADFD * close_fds: fix close of external fds * Add arm64 static build binary Update to version 2.0.26: * conn_sock: do not fail on EAGAIN * fix segfault from a double freed pointer * Fix a bug where conmon could never spawn a container, because a disagreement between the caller and itself on where the attach socket was. * improve --full-attach to ignore the socket-dir directly. that means callers don't need to specify a socket dir at all (and can remove it) * add full-attach option to allow callers to not truncate a very long path for the attach socket * close only opened FDs * set locale to inherit environment Update to version 2.0.22: * added man page * attach: always chdir * conn_sock: Explicitly free a heap-allocated string * refactor I/O and add SD_NOTIFY proxy support Update to version 2.0.21: * protect against kill(-1) * Makefile: enable debuginfo generation * Remove go.sum file and add go.mod * Fail if conmon config could not be written * nix: remove double definition for e2fsprogs * Speedup static build by utilizing CI cache on `/nix` folder * Fix nix build for failing e2fsprogs tests * test: fix CI * Use Podman for building libcontainers-common was updated to include: - common 0.44.0 - image 5.16.0 - podman 3.3.1 - storage 1.36.0 (changes too long to list) CVEs fixed: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:711-1 Released: Fri Mar 4 09:15:11 2022 Summary: Recommended update for sudo Type: recommended Severity: moderate References: 1181703 This update for sudo fixes the following issues: - Add support in the LDAP filter for negated users (jsc#SLE-20068) - Restrict use of sudo -U other -l to people who have permission to run commands as that user (bsc#1181703, jsc#SLE-22569) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:713-1 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:727-1 Released: Fri Mar 4 10:39:21 2022 Summary: Security update for libeconf, shadow and util-linux Type: security Severity: moderate References: 1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996 This security update for libeconf, shadow and util-linux fix the following issues: libeconf: - Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) Issues fixed in libeconf: - Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157) - Fixed different issues while writing string values to file. - Writing comments to file too. - Fixed crash while merging values. - Added econftool cat option (#146) - new API call: econf_readDirsHistory (showing ALL locations) - new API call: econf_getPath (absolute path of the configuration file) - Man pages libeconf.3 and econftool.8. - Handling multiline strings. - Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,... - Econftool, an command line interface for handling configuration files. - Generating HTML API documentation with doxygen. - Improving error handling and semantic file check. - Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set. shadow: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) util-linux: - The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402) - Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507) - Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507) - CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) - CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:736-1 Released: Fri Mar 4 14:51:57 2022 Summary: Security update for vim Type: security Severity: important References: 1190533,1190570,1191893,1192478,1192481,1193294,1193298,1194216,1194556,1195004,1195066,1195126,1195202,1195356,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3927,CVE-2021-3928,CVE-2021-3984,CVE-2021-4019,CVE-2021-4193,CVE-2021-46059,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0361,CVE-2022-0413 This update for vim fixes the following issues: - CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004). - CVE-2021-3796: Fixed use-after-free in nv_replace() in normal.c (bsc#1190570). - CVE-2021-3872: Fixed heap-based buffer overflow in win_redr_status() drawscreen.c (bsc#1191893). - CVE-2021-3927: Fixed heap-based buffer overflow (bsc#1192481). - CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478). - CVE-2021-4019: Fixed heap-based buffer overflow (bsc#1193294). - CVE-2021-3984: Fixed illegal memory access when C-indenting could have led to heap buffer overflow (bsc#1193298). - CVE-2021-3778: Fixed heap-based buffer overflow in regexp_nfa.c (bsc#1190533). - CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216). - CVE-2021-46059: Fixed pointer dereference vulnerability via the vim_regexec_multi function at regexp.c (bsc#1194556). - CVE-2022-0319: Fixded out-of-bounds read (bsc#1195066). - CVE-2022-0351: Fixed uncontrolled recursion in eval7() (bsc#1195126). - CVE-2022-0361: Fixed buffer overflow (bsc#1195126). - CVE-2022-0413: Fixed use-after-free in src/ex_cmds.c (bsc#1195356). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:743-1 Released: Mon Mar 7 22:08:12 2022 Summary: Security update for cyrus-sasl Type: security Severity: important References: 1194265,1196036,CVE-2022-24407 This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). The following non-security bugs were fixed: - postfix: sasl authentication with password fails (bsc#1194265). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:771-1 Released: Wed Mar 9 09:27:07 2022 Summary: Recommended update for libseccomp Type: recommended Severity: moderate References: 1196825 This update for libseccomp fixes the following issues: - Check if we have NR_openat2, avoid using its definition when not (bsc#1196825), this fixes build of systemd. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:774-1 Released: Wed Mar 9 10:52:10 2022 Summary: Security update for tcpdump Type: security Severity: moderate References: 1195825,CVE-2018-16301 This update for tcpdump fixes the following issues: - CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:788-1 Released: Thu Mar 10 11:21:04 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1195326 This update for libzypp, zypper fixes the following issues: - Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate References: 1195654 This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:836-1 Released: Tue Mar 15 07:47:48 2022 Summary: Recommended update for gdb Type: recommended Severity: moderate References: This update for gdb fixes the following issues: - Support for new IBM Z Hardware - GDB Part (jsc#SLE-22287) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196784,CVE-2022-25236 This update for expat fixes the following issues: - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367 This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1182959,1195149,1195792,1195856 This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:905-1 Released: Mon Mar 21 08:46:09 2022 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1172427,1194642 This update for util-linux fixes the following issues: - Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642) - Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642) - Fix `su -s` bash completion. (bsc#1172427) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate References: 1196275,1196406 This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:942-1 Released: Thu Mar 24 10:30:15 2022 Summary: Security update for python3 Type: security Severity: moderate References: 1186819,CVE-2021-3572 This update for python3 fixes the following issues: - CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:948-1 Released: Fri Mar 25 12:46:42 2022 Summary: Recommended update for sudo Type: recommended Severity: moderate References: 1193446 This update for sudo fixes the following issues: - Fix user set timeout not being honored (bsc#1193446) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1040-1 Released: Wed Mar 30 09:40:58 2022 Summary: Security update for protobuf Type: security Severity: moderate References: 1195258,CVE-2021-22570 This update for protobuf fixes the following issues: - CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1196093,1197024 This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important References: 1197459,CVE-2018-25032 This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 This update for yaml-cpp fixes the following issues: - CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227). - CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230). - CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004). - CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1194883 This update for aaa_base fixes the following issues: - Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883) - Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1107-1 Released: Mon Apr 4 17:49:17 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1194642 This update for util-linux fixes the following issue: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1118-1 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1119-1 Released: Wed Apr 6 09:16:06 2022 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797 This update for supportutils fixes the following issues: - Add command `blkid` - Add email.txt based on OPTION_EMAIL (bsc#1189028) - Add rpcinfo -p output #116 - Add s390x specific files and output - Add shared memory as a log directory for emergency use (bsc#1190943) - Fix cron package for RPM validation (bsc#1190315) - Fix for invalid argument during updates (bsc#1193204) - Fix iscsi initiator name (bsc#1195797) - Improve `lsblk` readability with `--ascsi` option - Include 'multipath -t' output in mpio.txt - Include /etc/sssd/conf.d configuration files - Include udev rules in /lib/udev/rules.d/ - Made /proc directory and network names spaces configurable (bsc#1193868) - Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect SUSE Linux Enterprise 15 Serivce Pack 3 and 4 (bsc#1191096) - Move localmessage/warm logs out of messages.txt to new localwarn.txt - Optimize configuration files - Remove chronyc DNS lookups with -n switch (bsc#1193732) - Remove duplicate commands in network.txt - Remove duplicate firewalld status output - getappcore identifies compressed core files (bsc#1191794) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1157-1 Released: Tue Apr 12 13:26:19 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 This update for libsolv, libzypp, zypper fixes the following issues: Security relevant fix: - Harden package signature checks (bsc#1184501). libsolv update to 0.7.22: - reworked choice rule generation to cover more usecases - support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514) - support parsing of Debian's Multi-Arch indicator - fix segfault on conflict resolution when using bindings - fix split provides not working if the update includes a forbidden vendor change - support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY - support zstd compressed control files in debian packages - add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20) - support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata - support queying of the custom vendor check function new function: pool_get_custom_vendorcheck - support solv files with an idarray block - allow accessing the toolversion at runtime libzypp update to 17.30.0: - ZConfig: Update solver settings if target changes (bsc#1196368) - Fix possible hang in singletrans mode (bsc#1197134) - Do 2 retries if mount is still busy. - Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing. - Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry. - Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925) - Fix handling of ISO media in releaseAll (bsc#1196061) - Hint on common ptf resolver conflicts (bsc#1194848) - Hint on ptf<>patch resolver conflicts (bsc#1194848) zypper update to 1.14.52: - info: print the packages upstream URL if available (fixes #426) - info: Fix SEGV with not installed PTFs (bsc#1196317) - Don't prevent less restrictive umasks (bsc#1195999) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important References: 1198062,CVE-2022-1271 This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1170-1 Released: Tue Apr 12 18:20:07 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1191502,1193086,1195247,1195529,1195899,1196567 This update for systemd fixes the following issues: - Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567) - When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one. - Don't open /var journals in volatile mode when runtime_journal==NULL - udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529) - man: tweak description of auto/noauto (bsc#1191502) - shared/install: ignore failures for auxiliary files - install: make UnitFileChangeType enum anonymous - shared/install: reduce scope of iterator variables - systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867) - Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247) - Drop or soften some of the deprecation warnings (bsc#1193086) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1203-1 Released: Thu Apr 14 11:43:28 2022 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1195231 This update for lvm2 fixes the following issues: - udev: create symlinks and watch even in suspended state (bsc#1195231) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc fixes the following issues: - Add option to enforce connection via protocol version 2 first (bsc#1196647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1196939 This update for e2fsprogs fixes the following issues: - Add support for 'libreadline7' for Leap. (bsc#1196939) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1333-1 Released: Mon Apr 25 11:29:26 2022 Summary: Recommended update for sles15-image Type: recommended Severity: moderate References: This update for sles15-image fixes the following issues: - Add zypper explicitly to work around obs-build bug (gh#openSUSE/obs-build#562) - Add com.suse.supportlevel label (jsc#BCI-40) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1374-1 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1191157,1197004 This update for openldap2 fixes the following issues: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1195628,1196107 This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1438-1 Released: Wed Apr 27 15:27:19 2022 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: low References: 1195251 This update for systemd-presets-common-SUSE fixes the following issue: - enable vgauthd service for VMWare by default (bsc#1195251) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1451-1 Released: Thu Apr 28 10:47:22 2022 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1193489 This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1455-1 Released: Thu Apr 28 11:31:51 2022 Summary: Security update for glib2 Type: security Severity: low References: 1183533,CVE-2021-28153 This update for glib2 fixes the following issues: - CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193 This update for tar fixes the following issues: - CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131). - CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496). - CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610). - Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges - Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files - prepare usrmerge (bsc#1029961) - Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite - Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1617-1 Released: Tue May 10 14:40:12 2022 Summary: Security update for gzip Type: security Severity: important References: 1198062,1198922,CVE-2022-1271 This update for gzip fixes the following issues: - CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1626-1 Released: Tue May 10 15:55:13 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1198090,1198114 This update for systemd fixes the following issues: - tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090) - journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114) - tmpfiles: constify item_compatible() parameters- test tmpfiles: add a test for 'w+' - test: add test checking tmpfiles conf file precedence - journald: make use of CLAMP() in cache_space_refresh() - journal-file: port journal_file_open() to openat_report_new() - fs-util: make sure openat_report_new() initializes return param also on shortcut - fs-util: fix typos in comments - fs-util: add openat_report_new() wrapper around openat() ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1197794 This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1657-1 Released: Fri May 13 15:39:07 2022 Summary: Security update for curl Type: security Severity: moderate References: 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776 This update for curl fixes the following issues: - CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766) - CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723) - CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important References: 1197771 This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1670-1 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Type: security Severity: important References: 1199240,CVE-2022-29155 This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important References: 1198446,CVE-2022-1304 This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate References: 1197443 This update for augeas fixes the following issue: - Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490). - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1770-1 Released: Fri May 20 14:36:30 2022 Summary: Recommended update for skelcd, sles15-image Type: recommended Severity: moderate References: This update for skelcd, sles15-image fixes the following issues: Changes in skelcd: - Ship skelcd-EULA-bci for SLE BCI EULA (jsc#BCI-10) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1870-1 Released: Fri May 27 10:03:40 2022 Summary: Security update for curl Type: security Severity: important References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782 This update for curl fixes the following issues: - CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223) - CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1883-1 Released: Mon May 30 12:41:35 2022 Summary: Security update for pcre2 Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre2 fixes the following issues: - CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1040589 This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1899-1 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Type: recommended Severity: important References: 1198176 This update for libtirpc fixes the following issues: - Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1909-1 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1198751 This update for glibc fixes the following issues: - Add the correct name for the IBM Z16 (bsc#1198751). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2102-1 Released: Thu Jun 16 15:18:23 2022 Summary: Security update for vim Type: security Severity: important References: 1070955,1191770,1192167,1192902,1192903,1192904,1193466,1193905,1194093,1194216,1194217,1194388,1194872,1194885,1195004,1195203,1195332,1195354,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,CVE-2017-17087,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927 This update for vim fixes the following issues: - CVE-2017-17087: Fixed information leak via .swp files (bsc#1070955). - CVE-2021-3875: Fixed heap-based buffer overflow (bsc#1191770). - CVE-2021-3903: Fixed heap-based buffer overflow (bsc#1192167). - CVE-2021-3968: Fixed heap-based buffer overflow (bsc#1192902). - CVE-2021-3973: Fixed heap-based buffer overflow (bsc#1192903). - CVE-2021-3974: Fixed use-after-free (bsc#1192904). - CVE-2021-4069: Fixed use-after-free in ex_open()in src/ex_docmd.c (bsc#1193466). - CVE-2021-4136: Fixed heap-based buffer overflow (bsc#1193905). - CVE-2021-4166: Fixed out-of-bounds read (bsc#1194093). - CVE-2021-4192: Fixed use-after-free (bsc#1194217). - CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216). - CVE-2022-0128: Fixed out-of-bounds read (bsc#1194388). - CVE-2022-0213: Fixed heap-based buffer overflow (bsc#1194885). - CVE-2022-0261: Fixed heap-based buffer overflow (bsc#1194872). - CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004). - CVE-2022-0359: Fixed heap-based buffer overflow in init_ccline() in ex_getln.c (bsc#1195203). - CVE-2022-0392: Fixed heap-based buffer overflow (bsc#1195332). - CVE-2022-0407: Fixed heap-based buffer overflow (bsc#1195354). - CVE-2022-0696: Fixed NULL pointer dereference (bsc#1196361). - CVE-2022-1381: Fixed global heap buffer overflow in skip_range (bsc#1198596). - CVE-2022-1420: Fixed out-of-range pointer offset (bsc#1198748). - CVE-2022-1616: Fixed use-after-free in append_command (bsc#1199331). - CVE-2022-1619: Fixed heap-based Buffer Overflow in function cmdline_erase_chars (bsc#1199333). - CVE-2022-1620: Fixed NULL pointer dereference in function vim_regexec_string (bsc#1199334). - CVE-2022-1733: Fixed heap-based buffer overflow in cindent.c (bsc#1199655). - CVE-2022-1735: Fixed heap-based buffer overflow (bsc#1199651). - CVE-2022-1771: Fixed stack exhaustion (bsc#1199693). - CVE-2022-1785: Fixed out-of-bounds write (bsc#1199745). - CVE-2022-1796: Fixed use-after-free in find_pattern_in_path (bsc#1199747). - CVE-2022-1851: Fixed out-of-bounds read (bsc#1199936). - CVE-2022-1897: Fixed out-of-bounds write (bsc#1200010). - CVE-2022-1898: Fixed use-after-free (bsc#1200011). - CVE-2022-1927: Fixed buffer over-read (bsc#1200012). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2251-1 Released: Mon Jul 4 09:52:25 2022 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068 This update for openssl-1_1 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2323-1 Released: Thu Jul 7 12:16:58 2022 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: low References: This update for systemd-presets-branding-SLE fixes the following issues: - Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2327-1 Released: Thu Jul 7 15:06:13 2022 Summary: Security update for curl Type: security Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2328-1 Released: Thu Jul 7 15:07:35 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1201099,CVE-2022-2097 This update for openssl-1_1 fixes the following issues: - CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2357-1 Released: Mon Jul 11 20:34:20 2022 Summary: Security update for python3 Type: security Severity: important References: 1198511,CVE-2015-20107 This update for python3 fixes the following issues: - CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2406-1 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1197718,1199140,1200334,1200855 This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2470-1 Released: Thu Jul 21 04:40:14 2022 Summary: Recommended update for systemd Type: recommended Severity: important References: 1137373,1181658,1194708,1195157,1197570,1198507,1198732,1200170 This update for systemd fixes the following issues: - Allow control characters in environment variable values (bsc#1200170) - Call pam_loginuid when creating user@.service (bsc#1198507) - Fix parsing error in s390 udev rules conversion script (bsc#1198732) - Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570) - Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit - Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed' - basic/env-util: (mostly) follow POSIX for what variable names are allowed - basic/env-util: make function shorter - basic/escape: add mode where empty arguments are still shown as '' - basic/escape: always escape newlines in shell_escape() - basic/escape: escape control characters, but not utf-8, in shell quoting - basic/escape: use consistent location for '*' in function declarations - basic/string-util: inline iterator variable declarations - basic/string-util: simplify how str_realloc() is used - basic/string-util: split out helper function - core/device: device_coldplug(): don't set DEVICE_DEAD - core/device: do not downgrade device state if it is already enumerated - core/device: drop unnecessary condition - string-util: explicitly cast character to unsigned - string-util: fix build error on aarch64 - test-env-util: Verify that \r is disallowed in env var values - test-env-util: print function headers ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2494-1 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Type: recommended Severity: important References: 1200855,1201560,1201640 This update for glibc fixes the following issues: - Remove tunables from static tls surplus patch which caused crashes (bsc#1200855) - i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2628-1 Released: Tue Aug 2 12:21:23 2022 Summary: Recommended update for apparmor Type: recommended Severity: important References: 1195463,1196850 This update for apparmor fixes the following issues: - Add new rule to fix reported 'DENIED' audit records with Apparmor profile 'usr.sbin.smbd' (bsc#1196850) - Add new rule to allow reading of openssl.cnf (bsc#1195463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2649-1 Released: Wed Aug 3 15:06:21 2022 Summary: Security update for pcre2 Type: security Severity: important References: 1164384,1199235,CVE-2019-20454,CVE-2022-1587 This update for pcre2 fixes the following issues: - CVE-2019-20454: Fixed out-of-bounds read in JIT mode when \X is used in non-UTF mode (bsc#1164384). - CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235). The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.57.1 updated - boost-license1_66_0-1.66.0-12.3.1 updated - coreutils-8.32-150300.3.5.1 updated - cracklib-dict-small-2.9.7-11.6.1 updated - cracklib-2.9.7-11.6.1 updated - file-magic-5.32-7.14.1 updated - filesystem-15.0-11.8.1 updated - gdb-11.1-8.30.1 updated - glibc-locale-base-2.31-150300.37.1 updated - glibc-locale-2.31-150300.37.1 updated - glibc-2.31-150300.31.2 updated - grep-3.1-150000.4.6.1 updated - gzip-1.10-150200.10.1 updated - iproute2-5.3-5.5.1 updated - kmod-29-4.15.1 updated - krb5-1.19.2-150300.8.3.2 updated - less-530-3.3.2 updated - libapparmor1-2.13.6-150300.3.15.1 updated - libaugeas0-1.10.1-150000.3.12.1 updated - libblkid1-2.36.2-150300.4.20.1 updated - libboost_system1_66_0-1.66.0-12.3.1 updated - libboost_thread1_66_0-1.66.0-12.3.1 updated - libcom_err2-1.43.8-150000.4.33.1 updated - libcrack2-2.9.7-11.6.1 updated - libcrypt1-4.4.15-150300.4.4.3 updated - libcryptsetup12-hmac-2.3.7-150300.3.5.1 updated - libcryptsetup12-2.3.7-150300.3.5.1 updated - libcurl4-7.66.0-150200.4.36.1 updated - libdevmapper1_03-1.02.163-8.42.1 updated - libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added - libexpat1-2.2.5-3.19.1 updated - libfdisk1-2.36.2-150300.4.20.1 updated - libgcc_s1-11.3.0+git1637-150000.1.9.1 updated - libgcrypt20-hmac-1.8.2-8.42.1 updated - libgcrypt20-1.8.2-8.42.1 updated - libglib-2_0-0-2.62.6-150200.3.9.1 updated - libgmodule-2_0-0-2.62.6-150200.3.9.1 updated - libgmp10-6.1.2-4.9.1 updated - libjson-c3-0.13-3.3.1 updated - libkeyutils1-1.6.3-5.6.1 updated - libkmod2-29-4.15.1 updated - libldap-2_4-2-2.4.46-150200.14.8.1 updated - libldap-data-2.4.46-150200.14.8.1 updated - liblzma5-5.2.3-150000.4.7.1 updated - libmagic1-5.32-7.14.1 updated - libmount1-2.36.2-150300.4.20.1 updated - libncurses6-6.1-5.9.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.51.1 updated - libopenssl1_1-1.1.1d-150200.11.51.1 updated - libpcre1-8.45-150000.20.13.1 updated - libpcre2-8-0-10.31-150000.3.12.1 updated - libprocps7-3.3.15-7.22.1 updated - libprotobuf-lite20-3.9.2-4.12.1 added - libpsl5-0.20.1-150000.3.3.1 updated - libpython3_6m1_0-3.6.15-150300.10.27.1 updated - libsasl2-3-2.1.27-150300.4.6.1 updated - libseccomp2-2.5.3-150300.10.8.1 updated - libsmartcols1-2.36.2-150300.4.20.1 updated - libsolv-tools-0.7.22-150200.12.1 updated - libstdc++6-11.3.0+git1637-150000.1.9.1 updated - libsystemd0-246.16-150300.7.45.1 updated - libtirpc-netconfig-1.2.6-150300.3.6.1 updated - libtirpc3-1.2.6-150300.3.6.1 updated - libudev1-246.16-150300.7.45.1 updated - libuuid1-2.36.2-150300.4.20.1 updated - libxml2-2-2.9.7-150000.3.46.1 updated - libyaml-cpp0_6-0.6.1-4.5.1 updated - libz1-1.2.11-150000.3.30.1 updated - libzypp-17.30.0-150200.36.1 updated - login_defs-4.8.1-150300.4.3.8 updated - ncurses-utils-6.1-5.9.1 updated - netcfg-11.6-3.3.1 updated - openssl-1_1-1.1.1d-150200.11.51.1 added - pam-1.3.0-150000.6.58.3 updated - perl-base-5.26.1-150300.17.3.1 updated - perl-5.26.1-150300.17.3.1 updated - permissions-20181225-23.12.1 updated - procps-3.3.15-7.22.1 updated - python3-base-3.6.15-150300.10.27.1 updated - rpm-config-SUSE-1-5.6.1 updated - rpm-ndb-4.14.3-150300.46.1 updated - shadow-4.8.1-150300.4.3.8 updated - sudo-1.9.5p2-150300.3.6.1 updated - supportutils-3.1.20-150300.7.35.10.1 updated - suse-module-tools-15.3.15-3.17.1 updated - system-group-hardware-20170617-17.3.1 updated - system-group-kvm-20170617-17.3.1 updated - system-group-wheel-20170617-17.3.1 updated - system-user-man-20170617-17.3.1 updated - systemd-presets-branding-SLE-15.1-150100.20.11.1 updated - systemd-presets-common-SUSE-15-150100.8.12.1 updated - systemd-246.16-150300.7.48.1 updated - tar-1.34-150000.3.12.1 updated - tcpdump-4.9.2-3.18.1 updated - terminfo-base-6.1-5.9.1 updated - timezone-2022a-150000.75.7.1 added - udev-246.16-150300.7.48.1 updated - update-alternatives-1.19.0.4-4.3.1 updated - util-linux-systemd-2.36.2-150300.4.20.1 updated - util-linux-2.36.2-150300.4.20.1 updated - vim-data-common-8.2.5038-150000.5.21.1 updated - vim-8.2.5038-150000.5.21.1 updated - zypper-1.14.52-150200.30.2 updated - container:sles15-image-15.0.0-17.18.1 updated - python-rpm-macros-20200207.5feb6c1-3.11.1 removed

SUSE: 2022:1765-1 suse/sle-micro/5.1/toolbox Security Update

August 4, 2022

The container suse/sle-micro/5.1/toolbox was updated

Summary

Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1303-1 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-OU-2020:3026-1 Released: Fri Oct 23 15:35:51 2020 Summary: Optional update for the Public Cloud Module Type: optional Severity: moderate Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important Advisory ID: SUSE-RU-2021:179-1 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:294-1 Released: Wed Feb 3 12:54:28 2021 Summary: Recommended update for libprotobuf Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:301-1 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:2573-1 Released: Thu Jul 29 14:21:52 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:2626-1 Released: Thu Aug 5 12:10:35 2021 Summary: Recommended maintenance update for libeconf Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:2830-1 Released: Tue Aug 24 16:20:18 2021 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-SU-2021:2966-1 Released: Tue Sep 7 09:49:14 2021 Summary: Security update for openssl-1_1 Type: security Severity: low Advisory ID: SUSE-RU-2021:3001-1 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3291-1 Released: Wed Oct 6 16:45:36 2021 Summary: Security update for glibc Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3298-1 Released: Wed Oct 6 16:54:52 2021 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3310-1 Released: Wed Oct 6 18:12:41 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-OU-2021:3327-1 Released: Mon Oct 11 11:44:50 2021 Summary: Optional update for coreutils Type: optional Severity: low Advisory ID: SUSE-RU-2021:3411-1 Released: Wed Oct 13 10:42:25 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3413-1 Released: Wed Oct 13 10:50:45 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important Advisory ID: SUSE-SU-2021:3445-1 Released: Fri Oct 15 09:03:39 2021 Summary: Security update for rpm Type: security Severity: important Advisory ID: SUSE-SU-2021:3474-1 Released: Wed Oct 20 08:41:31 2021 Summary: Security update for util-linux Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3480-1 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3501-1 Released: Fri Oct 22 10:42:46 2021 Summary: Recommended update for libzypp, zypper, libsolv, protobuf Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3509-1 Released: Tue Oct 26 09:47:40 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3538-1 Released: Wed Oct 27 10:40:32 2021 Summary: Recommended update for iproute2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3545-1 Released: Wed Oct 27 14:46:39 2021 Summary: Recommended update for less Type: recommended Severity: low Advisory ID: SUSE-RU-2021:3564-1 Released: Wed Oct 27 16:12:08 2021 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3589-1 Released: Mon Nov 1 19:27:52 2021 Summary: Recommended update for apparmor Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3663-1 Released: Mon Nov 15 19:14:32 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3786-1 Released: Wed Nov 24 05:59:13 2021 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: important Advisory ID: SUSE-RU-2021:3792-1 Released: Wed Nov 24 06:12:09 2021 Summary: Recommended update for kmod Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3799-1 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3808-1 Released: Fri Nov 26 00:30:54 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3870-1 Released: Thu Dec 2 07:11:50 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3872-1 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3883-1 Released: Thu Dec 2 11:47:07 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3890-1 Released: Fri Dec 3 10:19:50 2021 Summary: Recommended update for gdb Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:3899-1 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Type: security Severity: moderate Advisory ID: SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate Advisory ID: SUSE-RU-2021:3963-1 Released: Mon Dec 6 19:57:39 2021 Summary: Recommended update for system-usersType: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3980-1 Released: Thu Dec 9 16:42:19 2021 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:3985-1 Released: Fri Dec 10 06:08:24 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:4014-1 Released: Mon Dec 13 13:57:39 2021 Summary: Recommended update for apparmor Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:4104-1 Released: Thu Dec 16 11:14:12 2021 Summary: Security update for python3 Type: security Severity: moderate Advisory ID: SUSE-RU-2021:4145-1 Released: Wed Dec 22 05:27:48 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:4165-1 Released: Wed Dec 22 22:52:11 2021 Summary: Recommended update for kmod Type: recommended Severity: moderate Advisory ID: SUSE-RU-2021:4175-1 Released: Thu Dec 23 11:22:33 2021 Summary: Recommended update for systemd Type: recommended Severity: important Advisory ID: SUSE-RU-2021:4182-1 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate Advisory ID: SUSE-SU-2021:4192-1 Released: Tue Dec 28 10:39:50 2021 Summary: Security update for permissions Type: security Severity: moderate Advisory ID: SUSE-RU-2022:2-1 Released: Mon Jan 3 08:27:18 2022 Summary: Recommended update for lvm2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:4-1 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:43-1 Released: Tue Jan 11 08:50:13 2022 Summary: Security update for systemd Type: security Severity: moderate Advisory ID: SUSE-RU-2022:48-1 Released: Tue Jan 11 09:17:57 2022 Summary: Recommended update for python3 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:93-1 Released: Tue Jan 18 05:11:58 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: important Advisory ID: SUSE-RU-2022:96-1 Released: Tue Jan 18 05:14:44 2022 Summary: Recommended update for rpm Type: recommended Severity: important Advisory ID: SUSE-SU-2022:141-1 Released: Thu Jan 20 13:47:16 2022 Summary: Security update for permissions Type: security Severity: moderate Advisory ID: SUSE-SU-2022:144-1 Released: Thu Jan 20 16:38:23 2022 Summary: Security update for cryptsetup Type: security Severity: moderate Advisory ID: SUSE-SU-2022:178-1 Released: Tue Jan 25 14:16:23 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:184-1 Released: Tue Jan 25 18:20:56 2022 Summary: Security update for json-c Type: security Severity: important Advisory ID: SUSE-RU-2022:207-1 Released: Thu Jan 27 09:24:49 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:228-1 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:330-1 Released: Fri Feb 4 09:29:08 2022 Summary: Security update for glibc Type: security Severity: important Advisory ID: SUSE-RU-2022:335-1 Released: Fri Feb 4 10:24:02 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:343-1 Released: Mon Feb 7 15:16:58 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:348-1 Released: Tue Feb 8 13:02:20 2022 Summary: Recommended update for libzypp Type: recommended Severity: important Advisory ID: SUSE-SU-2022:283-1 Released: Tue Feb 8 16:10:39 2022 Summary: Security update for samba Type: security Severity: critical Advisory ID: SUSE-RU-2022:383-1 Released: Tue Feb 15 17:47:36 2022 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:498-1 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-RU-2022:520-1 Released: Fri Feb 18 12:45:19 2022 Summary: Recommended update for rpm Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:539-1 Released: Mon Feb 21 13:47:51 2022 Summary: Security update for systemd Type: security Severity: moderate Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate Advisory ID: 23018 Released: Fri Mar 4 08:31:54 2022 Summary: Security update for conmon, libcontainers-common, libseccomp, podman Type: security Severity: moderate Advisory ID: SUSE-RU-2022:711-1 Released: Fri Mar 4 09:15:11 2022 Summary: Recommended update for sudo Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:713-1 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:727-1 Released: Fri Mar 4 10:39:21 2022 Summary: Security update for libeconf, shadow and util-linux Type: security Severity: moderate Advisory ID: SUSE-SU-2022:736-1 Released: Fri Mar 4 14:51:57 2022 Summary: Security update for vim Type: security Severity: important Advisory ID: SUSE-SU-2022:743-1 Released: Mon Mar 7 22:08:12 2022 Summary: Security update for cyrus-sasl Type: security Severity: important Advisory ID: SUSE-RU-2022:771-1 Released: Wed Mar 9 09:27:07 2022 Summary: Recommended update for libseccomp Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:774-1 Released: Wed Mar 9 10:52:10 2022 Summary: Security update for tcpdump Type: security Severity: moderate Advisory ID: SUSE-RU-2022:788-1 Released: Thu Mar 10 11:21:04 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:836-1 Released: Tue Mar 15 07:47:48 2022 Summary: Recommended update for gdb Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:905-1 Released: Mon Mar 21 08:46:09 2022 Summary: Recommended update for util-linux Type: recommended Severity: important Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:942-1 Released: Thu Mar 24 10:30:15 2022 Summary: Security update for python3 Type: security Severity: moderate Advisory ID: SUSE-RU-2022:948-1 Released: Fri Mar 25 12:46:42 2022 Summary: Recommended update for sudo Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1040-1 Released: Wed Mar 30 09:40:58 2022 Summary: Security update for protobuf Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1107-1 Released: Mon Apr 4 17:49:17 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1118-1 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1119-1 Released: Wed Apr 6 09:16:06 2022 Summary: Recommended update for supportutils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1157-1 Released: Tue Apr 12 13:26:19 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important Advisory ID: SUSE-RU-2022:1170-1 Released: Tue Apr 12 18:20:07 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1203-1 Released: Thu Apr 14 11:43:28 2022 Summary: Recommended update for lvm2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1333-1 Released: Mon Apr 25 11:29:26 2022 Summary: Recommended update for sles15-image Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1374-1 Released: Mon Apr 25 15:02:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1438-1 Released: Wed Apr 27 15:27:19 2022 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: low Advisory ID: SUSE-RU-2022:1451-1 Released: Thu Apr 28 10:47:22 2022 Summary: Recommended update for perl Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1455-1 Released: Thu Apr 28 11:31:51 2022 Summary: Security update for glib2 Type: security Severity: low Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-SU-2022:1617-1 Released: Tue May 10 14:40:12 2022 Summary: Security update for gzip Type: security Severity: important Advisory ID: SUSE-RU-2022:1626-1 Released: Tue May 10 15:55:13 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1657-1 Released: Fri May 13 15:39:07 2022 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important Advisory ID: SUSE-SU-2022:1670-1 Released: Mon May 16 10:06:30 2022 Summary: Security update for openldap2 Type: security Severity: important Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important Advisory ID: SUSE-RU-2022:1770-1 Released: Fri May 20 14:36:30 2022 Summary: Recommended update for skelcd, sles15-image Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1870-1 Released: Fri May 27 10:03:40 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-SU-2022:1883-1 Released: Mon May 30 12:41:35 2022 Summary: Security update for pcre2 Type: security Severity: important Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1899-1 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Type: recommended Severity: important Advisory ID: SUSE-RU-2022:1909-1 Released: Wed Jun 1 16:25:35 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:2102-1 Released: Thu Jun 16 15:18:23 2022 Summary: Security update for vim Type: security Severity: important Advisory ID: SUSE-SU-2022:2251-1 Released: Mon Jul 4 09:52:25 2022 Summary: Security update for openssl-1_1 Type: security Severity: moderate Advisory ID: SUSE-RU-2022:2323-1 Released: Thu Jul 7 12:16:58 2022 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: low Advisory ID: SUSE-SU-2022:2327-1 Released: Thu Jul 7 15:06:13 2022 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-SU-2022:2328-1 Released: Thu Jul 7 15:07:35 2022 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-SU-2022:2357-1 Released: Mon Jul 11 20:34:20 2022 Summary: Security update for python3 Type: security Severity: important Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important Advisory ID: SUSE-RU-2022:2406-1 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:2470-1 Released: Thu Jul 21 04:40:14 2022 Summary: Recommended update for systemd Type: recommended Severity: important Advisory ID: SUSE-RU-2022:2494-1 Released: Thu Jul 21 15:16:42 2022 Summary: Recommended update for glibc Type: recommended Severity: important Advisory ID: SUSE-RU-2022:2628-1 Released: Tue Aug 2 12:21:23 2022 Summary: Recommended update for apparmor Type: recommended Severity: important Advisory ID: SUSE-SU-2022:2649-1 Released: Wed Aug 3 15:06:21 2022 Summary: Security update for pcre2 Type: security Severity: important

References

References : 1029961 1029961 1040589 1070955 1073299 1093392 1099272 1104700

1112310 1113013 1113554 1115529 1120402 1120610 1121227 1121230

1122004 1122021 1128846 1130496 1130557 1134353 1137373 1139519

1140016 1150451 1160242 1161276 1162581 1162964 1164384 1169582

1169614 1171479 1172055 1172113 1172427 1172973 1172974 1173277

1174075 1174504 1174504 1174911 1176804 1177127 1177460 1177460

1177460 1177460 1177460 1177460 1177598 1178236 1178346 1178350

1178353 1178561 1180125 1180125 1180689 1180786 1181131 1181640

1181658 1181703 1181826 1182959 1182998 1183374 1183533 1183572

1183574 1183659 1183858 1183905 1184214 1184501 1184994 1185016

1185299 1185524 1185588 1185637 1185638 1186040 1186071 1186489

1186503 1186602 1186819 1186910 1187044 1187153 1187196 1187224

1187270 1187273 1187425 1187466 1187512 1187512 1187654 1187668

1187670 1187738 1187760 1187906 1187911 1188127 1188156 1188291

1188344 1188348 1188435 1188507 1188520 1188548 1188571 1188588

1188623 1188713 1188914 1188921 1189028 1189031 1189152 1189241

1189287 1189441 1189446 1189454 1189480 1189520 1189521 1189521

1189683 1189841 1190052 1190059 1190199 1190315 1190356 1190373

1190374 1190401 1190440 1190447 1190465 1190515 1190533 1190552

1190566 1190570 1190598 1190645 1190712 1190739 1190793 1190815

1190824 1190850 1190915 1190926 1190933 1190943 1190984 1191019

1191096 1191157 1191200 1191227 1191260 1191286 1191324 1191370

1191480 1191502 1191532 1191532 1191563 1191592 1191609 1191690

1191690 1191736 1191770 1191794 1191804 1191804 1191826 1191893

1191922 1191987 1192104 1192160 1192161 1192167 1192248 1192249

1192337 1192423 1192436 1192478 1192481 1192489 1192637 1192684

1192688 1192717 1192858 1192902 1192903 1192904 1192951 1192954

1193007 1193086 1193086 1193166 1193179 1193181 1193204 1193273

1193294 1193298 1193430 1193446 1193466 1193480 1193488 1193489

1193632 1193659 1193690 1193711 1193732 1193759 1193868 1193905

1194093 1194178 1194178 1194216 1194216 1194217 1194229 1194251

1194265 1194265 1194362 1194388 1194469 1194474 1194476 1194477

1194478 1194479 1194480 1194522 1194556 1194597 1194640 1194642

1194642 1194708 1194768 1194770 1194785 1194848 1194859 1194872

1194883 1194885 1194898 1194968 1194976 1195004 1195004 1195048

1195054 1195066 1195126 1195149 1195157 1195202 1195203 1195217

1195231 1195247 1195251 1195258 1195283 1195326 1195332 1195354

1195356 1195463 1195468 1195529 1195628 1195654 1195792 1195797

1195825 1195856 1195899 1195999 1196025 1196025 1196026 1196036

1196061 1196093 1196107 1196168 1196169 1196171 1196275 1196317

1196361 1196368 1196406 1196490 1196514 1196567 1196647 1196784

1196825 1196850 1196861 1196925 1196939 1197004 1197024 1197065

1197134 1197443 1197459 1197570 1197718 1197771 1197794 1198062

1198062 1198090 1198114 1198176 1198446 1198507 1198511 1198596

1198614 1198723 1198732 1198748 1198751 1198766 1198922 1199132

1199140 1199166 1199223 1199224 1199232 1199232 1199235 1199240

1199331 1199333 1199334 1199651 1199655 1199693 1199745 1199747

1199936 1200010 1200011 1200012 1200170 1200334 1200550 1200735

1200737 1200855 1200855 1201099 1201560 1201640 954813 CVE-2015-20107

CVE-2017-17087 CVE-2018-16301 CVE-2018-20482 CVE-2018-20573 CVE-2018-20574

CVE-2018-25032 CVE-2019-20454 CVE-2019-20838 CVE-2019-6285 CVE-2019-6292

CVE-2019-9923 CVE-2020-12762 CVE-2020-14155 CVE-2020-14367 CVE-2020-14370

CVE-2020-15157 CVE-2020-27840 CVE-2021-20193 CVE-2021-20199 CVE-2021-20277

CVE-2021-20291 CVE-2021-20316 CVE-2021-22570 CVE-2021-22946 CVE-2021-22947

CVE-2021-28153 CVE-2021-33574 CVE-2021-3426 CVE-2021-3572 CVE-2021-35942

CVE-2021-3602 CVE-2021-36222 CVE-2021-3711 CVE-2021-3712 CVE-2021-3712

CVE-2021-3733 CVE-2021-3737 CVE-2021-37600 CVE-2021-3778 CVE-2021-3778

CVE-2021-3796 CVE-2021-3796 CVE-2021-3872 CVE-2021-3872 CVE-2021-3875

CVE-2021-3903 CVE-2021-3927 CVE-2021-3927 CVE-2021-3928 CVE-2021-3928

CVE-2021-39537 CVE-2021-3968 CVE-2021-3973 CVE-2021-3974 CVE-2021-3984

CVE-2021-3984 CVE-2021-3995 CVE-2021-3996 CVE-2021-3997 CVE-2021-3997

CVE-2021-3999 CVE-2021-4019 CVE-2021-4019 CVE-2021-4024 CVE-2021-4069

CVE-2021-41190 CVE-2021-4122 CVE-2021-4136 CVE-2021-4166 CVE-2021-4192

CVE-2021-4193 CVE-2021-4193 CVE-2021-43566 CVE-2021-43618 CVE-2021-44141

CVE-2021-44142 CVE-2021-45960 CVE-2021-46059 CVE-2021-46059 CVE-2021-46143

CVE-2022-0128 CVE-2022-0213 CVE-2022-0261 CVE-2022-0318 CVE-2022-0318

CVE-2022-0319 CVE-2022-0319 CVE-2022-0336 CVE-2022-0351 CVE-2022-0351

CVE-2022-0359 CVE-2022-0361 CVE-2022-0361 CVE-2022-0392 CVE-2022-0407

CVE-2022-0413 CVE-2022-0413 CVE-2022-0696 CVE-2022-1271 CVE-2022-1271

CVE-2022-1292 CVE-2022-1304 CVE-2022-1381 CVE-2022-1420 CVE-2022-1586

CVE-2022-1586 CVE-2022-1587 CVE-2022-1616 CVE-2022-1619 CVE-2022-1620

CVE-2022-1733 CVE-2022-1735 CVE-2022-1771 CVE-2022-1785 CVE-2022-1796

CVE-2022-1851 CVE-2022-1897 CVE-2022-1898 CVE-2022-1927 CVE-2022-2068

CVE-2022-2097 CVE-2022-22576 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824

CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23218 CVE-2022-23219

CVE-2022-23308 CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-25235

CVE-2022-25236 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315

CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-29155

CVE-2022-29824 CVE-2022-32206 CVE-2022-32208

1073299,1093392

This update for timezone provides the following fixes:

- North Korea switches back from +0830 to +09 on 2018-05-05.

- Ireland's standard time is in the summer, with negative DST offset to standard time used

in Winter. (bsc#1073299)

- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd

timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid

setting an incorrect timezone. (bsc#1093392)

1104700,1112310

This update for timezone, timezone-java fixes the following issues:

The timezone database was updated to 2018f:

- Volgograd moves from +03 to +04 on 2018-10-28.

- Fiji ends DST 2019-01-13, not 2019-01-20.

- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)

- Corrections to past timestamps of DST transitions

- Use 'PST' and 'PDT' for Philippine time

- minor code changes to zic handling of the TZif format

- documentation updates

Other bugfixes:

- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

1113554

This update provides the latest time zone definitions (2018g), including the following change:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

1120402

This update for timezone fixes the following issues:

- Update 2018i:

São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)

- Update 2018h:

Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21

New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move

Metlakatla, Alaska observes PST this winter only

Guess Morocco will continue to adjust clocks around Ramadan

Add predictions for Iran from 2038 through 2090

1130557

This update for timezone fixes the following issues:

timezone was updated 2019a:

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23

* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00

* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)

* zic now has an -r option to limit the time range of output data

1140016

This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):

- Brazil no longer observes DST.

- 'zic -b slim' outputs smaller TZif files.

- Palestine's 2019 spring-forward transition was on 03-29, not 03-30.

- Add info about the Crimea situation.

1150451

This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.

- Norfolk Island starts observing Australian-style DST.

1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)

* Morocco springs forward on 2020-05-31, not 2020-05-24.

* Canada's Yukon advanced to -07 year-round on 2020-03-08.

* America/Nuuk renamed from America/Godthab.

* zic now supports expiration dates for leap second lists.

1172055

This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).

The following packages were included:

- python3-grpcio

- python3-protobuf

- python3-google-api-core

- python3-google-cloud-core

- python3-google-cloud-storage

- python3-google-resumable-media

- python3-googleapis-common-protos

- python3-grpcio-gcp

- python3-mock (updated to version 3.0.5)

1177460

This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)

* Revised predictions for Morocco's changes starting in 2023.

* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.

* Macquarie Island has stayed in sync with Tasmania since 2011.

* Casey, Antarctica is at +08 in winter and +11 in summer.

* zic no longer supports -y, nor the TYPE field of Rules.

1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)

- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)

- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

1177460

This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)

* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,

fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)

* Volgograd switches to Moscow time on 2020-12-27 at 02:00.

- timezone update 2020f (bsc#1177460)

* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,

fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)

* Volgograd switches to Moscow time on 2020-12-27 at 02:00.

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)

* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

- timezone update 2021a (bsc#1177460)

* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

1177127

This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

1188127

This update for timezone fixes the following issue:

- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are

now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).

1188348

This update for libeconf fixes the following issue:

- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

1189520,1189521,CVE-2021-3711,CVE-2021-3712

This update for openssl-1_1 fixes the following security issues:

- CVE-2021-3711: A bug in the implementation of the SM2 decryption code

could lead to buffer overflows. [bsc#1189520]

- CVE-2021-3712: a bug in the code for printing certificate details could

lead to a buffer overrun that a malicious actor could exploit to crash

the application, causing a denial-of-service attack. [bsc#1189521]

1189521,CVE-2021-3712

This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.

Read buffer overruns processing ASN.1 strings (bsc#1189521).

1189683

This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).

- CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).

1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).

- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

1134353,1184994,1188291,1188588,1188713,1189446,1189480

This update for systemd fixes the following issues:

- Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks(HD's) (jsc#SLE-21032, bsc#1134353).

- Multipath: Rules weren't applied to dm devices (bsc#1188713).

- Ignore obsolete 'elevator' kernel parameter (bsc#1184994).

- Remove kernel unsupported single-queue block I/O.

- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).

- Avoid error message when updating active udev on sockets restart (bsc#1188291).

- Merge of v246.16, for a complete list of changes, visit:

https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d

- Drop 1007-tmpfiles-follow-SUSE-policies.patch:

Since most of the tmpfiles config files shipped by upstream are

ignored (see previous commit 'Drop most of the tmpfiles that deal

with generic paths'), this patch is no more relevant.

Additional fixes:

- core: make sure cgroup_oom_queue is flushed on manager exit.

- cgroup: do 'catchup' for unit cgroup inotify watch files.

- journalctl: never fail at flushing when the flushed flag is set (bsc#1188588).

- manager: reexecute on SIGRTMIN+25, user instances only.

- manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446).

- pid1: watchdog modernizations.

1189454

This optional update for coreutils fixes the following issue:

- Provide coreutils documentation, 'coreutils-doc', with 'L2' support level. (bsc#1189454)

1191019

This update for lvm2 fixes the following issues:

- Do not crash vgextend when extending VG with missing PV. (bsc#1191019)

1189441,1189841,1190598

This update for suse-module-tools fixes the following issues:

- Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598)

- Fixed an issue where initrd was not always rebuilding after installing

any kernel-*-extra package (bsc#1189441)

1183659,1185299,1187670,1188548

This update for rpm fixes the following issues:

Security issues fixed:

- PGP hardening changes (bsc#1185299)

Maintaince issues fixed:

- Fixed zstd detection (bsc#1187670)

- Added ndb rofs support (bsc#1188548)

- Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659)

1178236,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).

- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).

- Consider aliases sections as case insensitive (bsc#1190739).

- Display user defined device name in the devices overview (bnc#1190645).

- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).

- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).

- Fix desktop file so the control center tooltip is translated (bsc#1187270).

- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).

- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

1190793,CVE-2021-39537

This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

1190052

This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)

- Added new file macros.pam on request of systemd. (bsc#1190052)

1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)

- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)

- Do not check of signatures and keys two times(redundant) (bsc#1190059)

- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)

- Show key fpr from signature when signature check fails (bsc#1187224)

- Fix solver jobs for PTFs (bsc#1186503)

- Fix purge-kernels fails (bsc#1187738)

- Fix obs:// platform guessing for Leap (bsc#1187425)

- Make sure to keep states alives while transitioning. (bsc#1190199)

- Manpage: Improve description about patch updates(bsc#1187466)

- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.

- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)

- Fix crashes in logging code when shutting down (bsc#1189031)

- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)

- Add need reboot/restart hint to XML install summary (bsc#1188435)

- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)

- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

1191200,1191260,1191480,1191804,1191922

This update for suse-module-tools fixes the following issues:

Update to version 15.3.13:

- Fix bad exit status in openQA. (bsc#1191922)

- Ignore kernel keyring for kernel certificates. (bsc#1191480)

- Deal with existing certificates that should be de-enrolled. (bsc#1191804)

- Don't pass existing files to weak-modules2. (bsc#1191200)

- Skip certificate scriptlet on non-UEFI systems. (bsc#1191260)

1191987

This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in

the 'securetty' file to be installed as 'macros.pam'.

(bsc#1191987)

1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).

- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

1160242

This update for iproute2 fixes the following issues:

- Follow-up fixes backported from upstream. (bsc#1160242)

1190552

This update for less fixes the following issues:

- Add missing runtime dependency on package 'which', that is used by

lessopen.sh (bsc#1190552)

1190850

This update for rpm-config-SUSE fixes the following issues:

- Support ZSTD compressed kernel modules. (bsc#1190850)

1191690

This update for apparmor fixes the following issues:

- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

1191804

This update for suse-module-tools fixes the following issues:

- Update to version 15.3.14:

* more fixes for updates under secure boot

* cert-script: Deal with existing $cert.delete file (bsc#1191804).

1192160

This update for rpm-config-SUSE fixes the following issues:

- Add support for the kernel xz-compressed firmware files (bsc#1192160)

1192104

This update for kmod fixes the following issues:

- Enable ZSTD compression (bsc#1192104)(jsc#SLE-21256)

1187153,1187273,1188623

This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11

- gcc-c++11

- and others with 11 prefix.

to select them for building:

- CC='gcc-11'

- CXX='g++-11'

The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

1186071,1190440,1190984,1192161

This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798)

- Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984)

- Support detection for ARM64 Hyper-V guests (bsc#1186071)

- Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440)

- Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694)

- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)

1190356,1191286,1191324,1191370,1191609,1192337,1192436

This update for libzypp, zypper fixes the following issues:

libzypp:

- Check log writer before accessing it (bsc#1192337)

- Zypper should keep cached files if transaction is aborted (bsc#1190356)

- Require a minimum number of mirrors for multicurl (bsc#1191609)

- Fixed slowdowns when rlimit is too high by using procfs to detect niumber of

open file descriptors (bsc#1191324)

- Fixed zypper incomplete messages when using non English localization (bsc#1191370)

- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)

- Disable logger in the child process after fork (bsc#1192436)

zypper:

- Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418)

1191736

This update for cracklib fixes the following issues:

- Enable build time tests (bsc#1191736)

1177460

This update for timezone fixes the following issues:

Update timezone to 2021e (bsc#1177460)

- Palestine will fall back 10-29 (not 10-30) at 01:00

- Fiji suspends DST for the 2021/2022 season

- 'zic -r' marks unspecified timestamps with '-00'

- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers- Refresh timezone info for china

1180786,1184214,1185638,1186040,1187044

This update for gdb fixes the following issues:

Rebase to 11.1 release (as in fedora 35 @ 9cd9368):

* GDB now supports general memory tagging functionality if the

underlying architecture supports the proper primitives and hooks.

Currently this is enabled only for AArch64 MTE.

* GDB will now look for the .gdbinit file in a config directory

before looking for ~/.gdbinit. The file is searched for in

the following locations: $XDG_CONFIG_HOME/gdb/gdbinit,

$HOME/.config/gdb/gdbinit, $HOME/.gdbinit.

* GDB will now load and process commands from

~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit if these files

are present. These files are processed earlier than any of

the other initialization files and can affect parts of GDB's

startup that previously had already been completed before the

initialization files were read, for example styling of the

initial GDB greeting.

* GDB now has two new options '--early-init-command' and

'--early-init-eval-command' with corresponding short options

'-eix' and '-eiex' that allow options (that would normally

appear in a gdbearlyinit file) to be passed on the command

line.

* set startup-quietly on|off

show startup-quietly

When 'on', this causes GDB to act as if '-silent' were passed

on the command line. This command needs to be added to an

early initialization file (e.g. ~/.config/gdb/gdbearlyinit)

in order to affect GDB.

* For RISC-V targets, the target feature

'org.gnu.gdb.riscv.vector' is now understood by GDB, and can

be used to describe the vector registers of a target.

* TUI windows now support mouse actions. The mouse wheel

scrolls the appropriate window.

* Key combinations that do not have a specific action on the

focused window are passed to GDB. For example, you now can

use Ctrl-Left/Ctrl-Right to move between words in the command

window regardless of which window is in focus. Previously

you would need to focus on the command window for such key

combinations to work.

* set python ignore-environment on|off

show python ignore-environment

When 'on', this causes GDB's builtin Python to ignore any

environment variables that would otherwise affect how Python

behaves. This command needs to be added to an early

initialization file (e.g. ~/.config/gdb/gdbearlyinit) in

order to affect GDB.

* set python dont-write-bytecode auto|on|off

show python dont-write-bytecode

When 'on', this causes GDB's builtin Python to not write any

byte-code (.pyc files) to disk. This command needs to be

added to an early initialization file

(e.g. ~/.config/gdb/gdbearlyinit) in order to affect GDB.

When 'off' byte-code will always be written.

When set to 'auto' (the default) Python will check the

PYTHONDONTWRITEBYTECODE environment variable.

* break [PROBE_MODIFIER] [LOCATION] [thread THREADNUM]

[-force-condition] [if CONDITION]

This command would previously refuse setting a breakpoint if

the CONDITION expression is invalid at a location. It now

accepts and defines the breakpoint if there is at least one

location at which the CONDITION is valid. The locations

for which the CONDITION is invalid, are automatically

disabled. If CONDITION is invalid at all of the locations,

setting the breakpoint is still rejected. However, the

'-force-condition' flag can be used in this case for forcing

GDB to define the breakpoint, making all the current

locations automatically disabled. This may be useful if the

user knows the condition will become meaningful at a future

location, e.g. due to a shared library load.

- Update libipt to v2.0.4.

1029961,1113013,1187654

This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.

* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).

* Allow 'keyctl supports' to retrieve raw capability data.

* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.

* Allow 'keyctl new_session' to name the keyring.

* Allow 'keyctl add/padd/etc.' to take hex-encoded data.

* Add 'keyctl watch*' to expose kernel change notifications on keys.

* Add caps for namespacing and notifications.

* Set a default TTL on keys that upcall for name resolution.

* Explicitly clear memory after it's held sensitive information.

* Various manual page fixes.

* Fix C++-related errors.

* Add support for keyctl_move().

* Add support for keyctl_capabilities().

* Make key=val list optional for various public-key ops.

* Fix system call signature for KEYCTL_PKEY_QUERY.

* Fix 'keyctl pkey_query' argument passing.

* Use keyctl_read_alloc() in dump_key_tree_aux().

* Various manual page fixes.

Updated to 1.6:

* Apply various specfile cleanups from Fedora.

* request-key: Provide a command line option to suppress helper execution.

* request-key: Find least-wildcard match rather than first match.

* Remove the dependency on MIT Kerberos.

* Fix some error messages

* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.

* Fix doc and comment typos.

* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).

* Add pkg-config support for finding libkeyutils.

* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.

* Add KDF support to the Diffie-Helman function.

* DNS: Add support for AFS config files and SRV records

1162581,1174504,1191563,1192248

This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).

- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).

- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).

- Support xz compressed kernel (bsc#1162581)

1192717,CVE-2021-43618

This update for gmp fixes the following issues:

- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

1190401

This update for system-users fixes the following issues:

- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)

1191592

glibc was updated to fix the following issue:

- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

1187196

This update for suse-module-tools fixes the following issues:

- Blacklist isst_if_mbox_msr driver because uses hardware information based on

CPU family and model, which is too unspecific. On large systems, this causes a lot of

failing loading attempts for this driver, leading to slow or even stalled boot (bsc#1187196)

1191532,1191690

This update for apparmor fixes the following issues:

Changes in apparmor:

- Add a profile for 'samba-bgqd'. (bsc#1191532)

- Fix 'Requires' of python3 module. (bsc#1191690)

1180125,1183374,1183858,1185588,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737

This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).

- CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).

- CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

- We do not require python-rpm-macros package (bsc#1180125).

- Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).

- Stop providing 'python' symbol, which means python2 currently (bsc#1185588).

- Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).

1161276

This update for openssl-1_1 fixes the following issues:

- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)

1193430

This update for kmod fixes the following issues:

- Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430)

1192423,1192858,1193759

This update for systemd fixes the following issues:

- Bump the max number of inodes for /dev to a million (bsc#1192858)

- sleep: don't skip resume device with low priority/available space (bsc#1192423)

- test: use kbd-mode-map we ship in one more test case

- test-keymap-util: always use kbd-model-map we ship

- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)

1192688

This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

1174504

This update for permissions fixes the following issues:

- Update to version 20181225:

* drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

1183905,1193181

This update for lvm2 fixes the following issues:

- Fix lvconvert not taking `--stripes` option (bsc#1183905)

- Fix LVM vgimportclone not working on hardware snapshot (bsc#1193181)

1193480

This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

1178561,1190515,1194178,CVE-2021-3997

This update for systemd fixes the following issues:

- CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles which could cause a minor denial of service. (bsc#1194178)

1190566,1192249,1193179

This update for python3 fixes the following issues:

- Don't use OpenSSL 1.1 on platforms which don't have it.

- Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249).

- Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566)

- Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'.

1192489

This update for openssl-1_1 fixes the following issues:

- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)

1180125,1190824,1193711

This update for rpm fixes the following issues:

- Fix header check so that old rpms no longer get rejected (bsc#1190824)

- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)

1169614

This update for permissions fixes the following issues:

- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).

1194469,CVE-2021-4122

This update for cryptsetup fixes the following issues:

- CVE-2021-4122: Fixed possible attacks against data confidentiality through LUKS2 online reencryption extension crash recovery (bsc#1194469).

1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827

This update for expat fixes the following issues:

- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).

- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).

- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).

- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).

- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).

- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).

- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).

- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

1171479,CVE-2020-12762

This update for json-c fixes the following issues:

- CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

This update for glibc fixes the following issues:

- Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).

1194522

This update for boost fixes the following issues:

- Fix compilation errors (bsc#1194522)

1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

This update for glibc fixes the following issues:

- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)

- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)

- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

Features added:

- IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)

1189152

This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

1193086

This update for systemd fixes the following issues:

- disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579

- disable fallback DNS servers and fail when no DNS server info could be obtained from the links.

- DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package.

- Improve warning messages (bsc#1193086).

1193007,1193488,1194597,1194898,954813

This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)

- Fix exception handling when reading or writing credentials (bsc#1194898)

- Fix install path for parser (bsc#1194597)

- Fix Legacy include (bsc#1194597)

- Public header files on older distros must use c++11 (bsc#1194597)

- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)

- Fix wrong encoding of URI compontents of ISO images (bsc#954813)

- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible

- Introduce zypp-curl as a sublibrary for CURL related code

- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set

- Save all signatures associated with a public key in its PublicKeyData

1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048,CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336

- CVE-2021-44141: Information leak via symlinks of existance of

files or directories outside of the exported share; (bso#14911);

(bsc#1193690);

- CVE-2021-44142: Out-of-bounds heap read/write vulnerability

in VFS module vfs_fruit allows code execution; (bso#14914);

(bsc#1194859);

- CVE-2022-0336: Samba AD users with permission to write to an

account can impersonate arbitrary services; (bso#14950);

(bsc#1195048);

samba was updated to 4.15.4 (jsc#SLE-23329);

* Duplicate SMB file_ids leading to Windows client cache

poisoning; (bso#14928);

* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -

NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);

* kill_tcp_connections does not work; (bso#14934);

* Can't connect to Windows shares not requiring authentication

using KDE/Gnome; (bso#14935);

* smbclient -L doesn't set 'client max protocol' to NT1 before

calling the 'Reconnecting with SMB1 for workgroup listing'

path; (bso#14939);

* Cross device copy of the crossrename module always fails;

(bso#14940);

* symlinkat function from VFS cap module always fails with an

error; (bso#14941);

* Fix possible fsp pointer deference; (bso#14942);

* Missing pop_sec_ctx() in error path inside close_directory();

(bso#14944);

* 'smbd --build-options' no longer works without an smb.conf file;

(bso#14945);

Samba was updated to version 4.15.3

+ CVE-2021-43566: Symlink race error can allow directory creation

outside of the exported share; (bsc#1139519);

+ CVE-2021-20316: Symlink race error can allow metadata read and

modify outside of the exported share; (bsc#1191227);

- Reorganize libs packages. Split samba-libs into samba-client-libs,

samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba

public libraries depending on internal samba libraries into these

packages as there were dependency problems everytime one of these

public libraries changed its version (bsc#1192684). The devel

packages are merged into samba-devel.

- Rename package samba-core-devel to samba-devel

- Update the symlink create by samba-dsdb-modules to private samba

ldb modules following libldb2 changes from /usr/lib64/ldb/samba to

/usr/lib64/ldb2/modules/ldb/samba

krb5 was updated to 1.16.3 to 1.19.2

* Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);

* Fix a memory leak when gss_inquire_cred() is called without a credential handle.

Changes from 1.19.1:

* Fix a linking issue with Samba.

* Better support multiple pkinit_identities values by checking whether

certificates can be loaded for each value.

Changes from 1.19

Administrator experience

* When a client keytab is present, the GSSAPI krb5 mech will refresh

credentials even if the current credentials were acquired manually.

* It is now harder to accidentally delete the K/M entry from a KDB.

Developer experience

* gss_acquire_cred_from() now supports the 'password' and 'verify'

options, allowing credentials to be acquired via password and

verified using a keytab key.

* When an application accepts a GSS security context, the new

GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor

both provided matching channel bindings.

* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests

to identify the desired client principal by certificate.

* PKINIT certauth modules can now cause the hw-authent flag to be set

in issued tickets.

* The krb5_init_creds_step() API will now issue the same password

expiration warnings as krb5_get_init_creds_password().

Protocol evolution

* Added client and KDC support for Microsoft's Resource-Based Constrained

Delegation, which allows cross-realm S4U2Proxy requests. A third-party

database module is required for KDC support.

* kadmin/admin is now the preferred server principal name for kadmin

connections, and the host-based form is no longer created by default.

The client will still try the host-based form as a fallback.

* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT

extension, which causes channel bindings to be required for the

initiator if the acceptor provided them. The client will send this

option if the client_aware_gss_bindings profile option is set.

User experience

* kinit will now issue a warning if the des3-cbc-sha1 encryption type is

used in the reply. This encryption type will be deprecated and removed

in future releases.

* Added kvno flags --out-cache, --no-store, and --cached-only

(inspired by Heimdal's kgetcred).

Changes from 1.18.3

* Fix a denial of service vulnerability when decoding Kerberos

protocol messages.

* Fix a locking issue with the LMDB KDB module which could cause

KDC and kadmind processes to lose access to the database.

* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded

and unloaded while libkrb5support remains loaded.

Changes from 1.18.2

* Fix a SPNEGO regression where an acceptor using the default credential

would improperly filter mechanisms, causing a negotiation failure.

* Fix a bug where the KDC would fail to issue tickets if the local krbtgt

principal's first key has a single-DES enctype.

* Add stub functions to allow old versions of OpenSSL libcrypto to link

against libkrb5.

* Fix a NegoEx bug where the client name and delegated credential might

not be reported.

Changes from 1.18.1

* Fix a crash when qualifying short hostnames when the system has

no primary DNS domain.

* Fix a regression when an application imports 'service@' as a GSS

host-based name for its acceptor credential handle.

* Fix KDC enforcement of auth indicators when they are modified by

the KDB module.

* Fix removal of require_auth string attributes when the LDAP KDB

module is used.

* Fix a compile error when building with musl libc on Linux.

* Fix a compile error when building with gcc 4.x.

* Change the KDC constrained delegation precedence order for consistency

with Windows KDCs.

Changes from 1.18

Administrator experience:

* Remove support for single-DES encryption types.

* Change the replay cache format to be more efficient and robust.

Replay cache filenames using the new format end with '.rcache2'

by default.

* setuid programs will automatically ignore environment variables

that normally affect krb5 API functions, even if the caller does

not use krb5_init_secure_context().

* Add an 'enforce_ok_as_delegate' krb5.conf relation to disable

credential forwarding during GSSAPI authentication unless the KDC

sets the ok-as-delegate bit in the service ticket.

* Use the permitted_enctypes krb5.conf setting as the default value

for default_tkt_enctypes and default_tgs_enctypes.

Developer experience:

* Implement krb5_cc_remove_cred() for all credential cache types.

* Add the krb5_pac_get_client_info() API to get the client account

name from a PAC.

Protocol evolution:

* Add KDC support for S4U2Self requests where the user is identified

by X.509 certificate. (Requires support for certificate lookup from

a third-party KDB module.)

* Remove support for an old ('draft 9') variant of PKINIT.

* Add support for Microsoft NegoEx. (Requires one or more third-party

GSS modules implementing NegoEx mechanisms.)

User experience:

* Add support for 'dns_canonicalize_hostname=fallback', causing

host-based principal names to be tried first without DNS

canonicalization, and again with DNS canonicalization if the

un-canonicalized server is not found.

* Expand single-component hostnames in host-based principal names

when DNS canonicalization is not used, adding the system's first DNS

search path as a suffix. Add a 'qualify_shortname' krb5.conf relation

to override this suffix or disable expansion.

* Honor the transited-policy-checked ticket flag on application servers,

eliminating the requirement to configure capaths on servers in some

scenarios.

Code quality:

* The libkrb5 serialization code (used to export and import krb5 GSS

security contexts) has been simplified and made type-safe.

* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED

messages has been revised to conform to current coding practices.

* The test suite has been modified to work with macOS System Integrity

Protection enabled.

* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support

can always be tested.

Changes from 1.17.1

* Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin.

* Fix a bug preventing time skew correction from working when a KCM

credential cache is used.

Changes from 1.17:

Administrator experience:

* A new Kerberos database module using the Lightning Memory-Mapped

Database library (LMDB) has been added. The LMDB KDB module should

be more performant and more robust than the DB2 module, and may

become the default module for new databases in a future release.

* 'kdb5_util dump' will no longer dump policy entries when specific

principal names are requested.

Developer experience:

* The new krb5_get_etype_info() API can be used to retrieve enctype,

salt, and string-to-key parameters from the KDC for a client

principal.

* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise

principal names to be used with GSS-API functions.

* KDC and kadmind modules which call com_err() will now write to the

log file in a format more consistent with other log messages.

* Programs which use large numbers of memory credential caches should

perform better.

Protocol evolution:

* The SPAKE pre-authentication mechanism is now supported. This

mechanism protects against password dictionary attacks without

requiring any additional infrastructure such as certificates. SPAKE

is enabled by default on clients, but must be manually enabled on

the KDC for this release.

* PKINIT freshness tokens are now supported. Freshness tokens can

protect against scenarios where an attacker uses temporary access to

a smart card to generate authentication requests for the future.

* Password change operations now prefer TCP over UDP, to avoid

spurious error messages about replays when a response packet is

dropped.

* The KDC now supports cross-realm S4U2Self requests when used with a

third-party KDB module such as Samba's. The client code for

cross-realm S4U2Self requests is also now more robust.

User experience:

* The new ktutil addent -f flag can be used to fetch salt information

from the KDC for password-based keys.

* The new kdestroy -p option can be used to destroy a credential cache

within a collection by client principal name.

* The Kerberos man page has been restored, and documents the

environment variables that affect programs using the Kerberos

library.

Code quality:

* Python test scripts now use Python 3.

* Python test scripts now display markers in verbose output, making it

easier to find where a failure occurred within the scripts.

* The Windows build system has been simplified and updated to work

with more recent versions of Visual Studio. A large volume of

unused Windows-specific code has been removed. Visual Studio 2013

or later is now required.

- Build with full Cyrus SASL support. Negotiating SASL credentials with

an EXTERNAL bind mechanism requires interaction. Kerberos provides its

own interaction function that skips all interaction, thus preventing the

mechanism from working.

ldb was updated to version 2.4.1 (jsc#SLE-23329);

- Release 2.4.1

+ Corrected python behaviour for 'in' for LDAP attributes

contained as part of ldb.Message; (bso#14845);

+ Fix memory handling in ldb.msg_diff; (bso#14836);

- Release 2.4.0

+ pyldb: Fix Message.items() for a message containing elements

+ pyldb: Add test for Message.items()

+ tests: Use ldbsearch '--scope instead of '-s'

+ Change page size of guidindexpackv1.ldb

+ Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream

+ attrib_handler casefold: simplify space dropping

+ fix ldb_comparison_fold off-by-one overrun

+ CVE-2020-27840: pytests: move Dn.validate test to ldb

+ CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode

+ CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds

+ CVE-2021-20277 ldb tests: ldb_match tests with extra spaces

+ improve comments for ldb_module_connect_backend()

+ test/ldb_tdb: correct introductory comments

+ ldb.h: remove undefined async_ctx function signatures

+ correct comments in attrib_handers val_to_int64

+ dn tests use cmocka print functions

+ ldb_match: remove redundant check

+ add tests for ldb_wildcard_compare

+ ldb_match: trailing chunk must match end of string

+ pyldb: catch potential overflow error in py_timestring

+ ldb: remove some 'if PY3's in tests

talloc was updated to 2.3.3:

+ various bugfixes

+ python: Ensure reference counts are properly incremented

+ Change pytalloc source to LGPL

+ Upgrade waf to 2.0.18 to fix a cross-compilation issue;

(bso#13846).

tdb was updated to version 1.4.4:

+ various bugfixes

tevent was updated to version 0.11.0:

+ Add custom tag to events

+ Add event trace api

sssd was updated to:

- Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5

- Update the private ldb modules installation following libldb2

changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

apparmor was updated to:

- Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684).

- add profile for samba-bgqd (bsc#1191532).

1194265

This update for cyrus-sasl fixes the following issues:

- Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265)

- Add config parameter '--with-dblib=gdbm'

- Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.

1195054,1195217,CVE-2022-23852,CVE-2022-23990

This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).

- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

1194968

This update for rpm fixes the following issues:

- Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)

1191826,1192637,1194178,CVE-2021-3997

This update for systemd fixes the following issues:

- CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178).

The following non-security bugs were fixed:

- udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)

- localectl: don't omit keymaps files that are symlinks (bsc#1191826)

1187512

This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

1190447

This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273,CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190

This update for conmon, libcontainers-common, libseccomp, podman fixes the following issues:

podman was updated to 3.4.4.

Security issues fixed:

- fix CVE-2021-41190 [bsc#1193273], opencontainers: OCI manifest and index parsing confusion

- fix CVE-2021-4024 [bsc#1193166], podman machine spawns gvproxy with port binded to all IPs

- fix CVE-2021-20199 [bsc#1181640], Remote traffic to rootless containers is seen as orginating from localhost

- Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade

path from podman < 3.1.2

Update to version 3.4.4:

* Bugfixes

- Fixed a bug where the podman exec command would, under some circumstances,

print a warning message about failing to move conmon to the appropriate cgroup (#12535).

- Fixed a bug where named volumes created as part of container creation

(e.g. podman run --volume avolume:/a/mountpoint or similar) would be

mounted with incorrect permissions (#12523).

- Fixed a bug where the podman-remote create and podman-remote run commands

did not properly handle the --entrypoint='' option (to clear the container's entrypoint) (#12521).

- Update to version 3.4.3:

* Security

- This release addresses CVE-2021-4024, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777.

- This release addresses CVE-2021-41190, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.

* Features

- The --secret type=mount option to podman create and podman run supports a new option, target=, which specifies where in the container the secret will be mounted (#12287).

* Bugfixes

- Fixed a bug where rootless Podman would occasionally print warning messages about failing to move the pause process to a new cgroup (#12065).

- Fixed a bug where the podman run and podman create commands would, when pulling images, still require TLS even with registries set to Insecure via config file (#11933).

- Fixed a bug where the podman generate systemd command generated units that depended on multi-user.target, which has been removed from some distributions (#12438).

- Fixed a bug where Podman could not run containers with images that had /etc/ as a symlink (#12189).

- Fixed a bug where the podman logs -f command would, when using the journald logs backend, exit immediately if the container had previously been restarted (#12263).

- Fixed a bug where, in containers on VMs created by podman machine, the host.containers.internal name pointed to the VM, not the host system (#11642).

- Fixed a bug where containers and pods created by the podman play kube command in VMs managed by podman machine would not automatically forward ports from the host machine (#12248).

- Fixed a bug where podman machine init would fail on OS X when GNU Coreutils was installed (#12329).

- Fixed a bug where podman machine start would exit before SSH on the started VM was accepting connections (#11532).

- Fixed a bug where the podman run command with signal proxying (--sig-proxy) enabled could print an error if it attempted to send a signal to a container that had just exited (#8086).

- Fixed a bug where the podman stats command would not return correct information for containers running Systemd as PID1 (#12400).

- Fixed a bug where the podman image save command would fail on OS X when writing the image to STDOUT (#12402).

- Fixed a bug where the podman ps command did not properly handle PS arguments which contained whitespace (#12452).

- Fixed a bug where the podman-remote wait command could fail to detect that the container exited and return an error under some circumstances (#12457).

- Fixed a bug where the Windows MSI installer for podman-remote would break the PATH environment variable by adding an extra ' (#11416).

* API

- The Libpod Play Kube endpoint now also accepts ConfigMap YAML as part of its payload, and will use provided any ConfigMap to configure provided pods and services.

- Fixed a bug where the Compat Create endpoint for Containers would not always create the container's working directory if it did not exist (#11842).

- Fixed a bug where the Compat Create endpoint for Containers returned an incorrect error message with 404 errors when the requested image was not found (#12315).

- Fixed a bug where the Compat Create endpoint for Containers did not properly handle the HostConfig.Mounts field (#12419).

- Fixed a bug where the Compat Archive endpoint for Containers did not properly report errors when the operation failed (#12420).

- Fixed a bug where the Compat Build endpoint for Images ignored the layers query parameter (for caching intermediate layers from the build) (#12378).

- Fixed a bug where the Compat Build endpoint for Images did not report errors in a manner compatible with Docker (#12392).

- Fixed a bug where the Compat Build endpoint for Images would fail to build if the context directory was a symlink (#12409).

- Fixed a bug where the Compat List endpoint for Images included manifest lists (and not just images) in returned results (#12453).

- Update to version 3.4.2:

* Fixed a bug where podman tag could not tag manifest lists (#12046).

* Fixed a bug where built-in volumes specified by images would not be

created correctly under some circumstances.

* Fixed a bug where, when using Podman Machine on OS X, containers in pods

did not have working port forwarding from the host (#12207).

* Fixed a bug where the podman network reload command command on containers using the slirp4netns network mode and the rootlessport port forwarding

driver would make an unnecessary attempt to restart rootlessport

on containers that did not forward ports.

* Fixed a bug where the podman generate kube command would generate YAML

including some unnecessary (set to default) fields (e.g. empty SELinux and

DNS configuration blocks, and the privileged flag when set to false) (#11995).

* Fixed a bug where the podman pod rm command could, if interrupted at the right moment,

leave a reference to an already-removed infra container behind (#12034).

* Fixed a bug where the podman pod rm command would not remove pods with

more than one container if all containers save for the infra container

were stopped unless --force was specified (#11713).

* Fixed a bug where the --memory flag to podman run and podman create did

not accept a limit of 0 (which should specify unlimited memory) (#12002).

* Fixed a bug where the remote Podman client's podman build command could

attempt to build a Dockerfile in the working directory of the podman

system service instance instead of the Dockerfile specified by the user (#12054).

* Fixed a bug where the podman logs --tail command could function improperly

(printing more output than requested) when the journald log driver was used.

* Fixed a bug where containers run using the slirp4netns network mode with

IPv6 enabled would not have IPv6 connectivity until several seconds after they started (#11062).

* Fixed a bug where some Podman commands could cause an extra dbus-daemon

process to be created (#9727).

* Fixed a bug where rootless Podman would sometimes print warnings

about a failure to move the pause process into a given CGroup (#12065).

* Fixed a bug where the checkpointed field in podman inspect on a container

was not set to false after a container was restored.

* Fixed a bug where the podman system service command would print

overly-verbose logs about request IDs (#12181).

* Fixed a bug where Podman could, when creating a new container without a name

explicitly specified by the user, sometimes use an auto-generated name already

in use by another container if multiple containers were being created in parallel (#11735).

Update to version 3.4.1:

* Bugfixes

- Fixed a bug where podman machine init could, under some circumstances,

create invalid machine configurations which could not be started (#11824).

- Fixed a bug where the podman machine list command would not properly

populate some output fields.

- Fixed a bug where podman machine rm could leave dangling sockets from

the removed machine (#11393).

- Fixed a bug where podman run --pids-limit=-1 was not supported (it now

sets the PID limit in the container to unlimited) (#11782).

- Fixed a bug where podman run and podman attach could throw errors about

a closed network connection when STDIN was closed by the client (#11856).

- Fixed a bug where the podman stop command could fail when run on a

container that had another podman stop command run on it previously.

- Fixed a bug where the --sync flag to podman ps was nonfunctional.

- Fixed a bug where the Windows and OS X remote clients' podman stats

command would fail (#11909).

- Fixed a bug where the podman play kube command did not properly handle

environment variables whose values contained an = (#11891).

- Fixed a bug where the podman generate kube command could generate

invalid annotations when run on containers with volumes that use SELinux

relabelling (:z or :Z) (#11929).

- Fixed a bug where the podman generate kube command would generate YAML

including some unnecessary (set to default) fields (e.g. user and group,

entrypoint, default protocol for forwarded ports) (#11914, #11915, and #11965).

- Fixed a bug where the podman generate kube command could, under some

circumstances, generate YAML including an invalid targetPort field for

forwarded ports (#11930).

- Fixed a bug where rootless Podman's podman info command could, under

some circumstances, not read available CGroup controllers (#11931).

- Fixed a bug where podman container checkpoint --export would fail to

checkpoint any container created with --log-driver=none (#11974).

* API

- Fixed a bug where the Compat Create endpoint for Containers could panic

when no options were passed to a bind mount of tmpfs (#11961).

Update to version 3.4.0:

* Features

- Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: 'always', which always run before the pod is started, and 'once', which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option.

- Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created.

- The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container.

- The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML.

- The podman generate kube command now generates annotations for SELinux mount options on volume (:z and :Z) that are respected by the podman play kube command.

- A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time.

- Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import) (to populate a volume from a given tar file).

- The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again.

- Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option.

- The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp.

- The podman image scp command has been added. This command allows images to be transferred between different hosts.

- The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed.

- The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified).

- The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation.

- Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited.

- The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265).

- The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use.

- The parameters of the VM created by podman machine init (amount of disk space, memory, CPUs) can now be set in containers.conf.

- The podman machine ls command now shows additional information (CPUs, memory, disk size) about VMs managed by podman machine.

- The podman ps command now includes healthcheck status in container state for containers that have healthchecks (#11527).

* Changes

- The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so.

- Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages.

- The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file.

- Podman no longer depends on ip for removing networks (#11403).

- The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release.

- The podman machine start command now prints a message when the VM is successfully started.

- The podman stats command can now be used on containers that are paused.

- The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run).

- Successful healthchecks will no longer add a healthy line to the system log to reduce log spam.

- As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.

* Bugfixes

- Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly.

- Fixed a bug where the Windows remote client improperly validated volume paths (#10900).

- Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped.

- Fixed a bug where images created by podman commit did not include ports exposed by the container.

- Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171).

- Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352).

- Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443).

- Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container.

- Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path.

- Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387).

- Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344).

- Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418).

- Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411).

- Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421).

- Fixed a bug where the podman info command could segfault when accessing cgroup information.

- Fixed a bug where the podman logs -f command could hang when a container exited (#11461).

- Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438).

- Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474).

- Fixed a bug where the remote Podman client's podman build command would fail to build containers if the context directory was a symlink (#11732).

- Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified.

- Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392).

- Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf.

- Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785).

- Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496).

- Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469).

- Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444).

- Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540).

- Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically.

- Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod.

- Fixed a bug where the podman container runlabel command could fail if the image name given included a tag.

- Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596).

- Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557).

- Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output.

- Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687).

- Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed resulting in an error (e.g. by an external podman rm -f) (#11633).

- Fixed a bug where the podman generate kube command would add default environment variables to generated YAML.

- Fixed a bug where the podman generate kube command would add the default CMD from the image to generated YAML (#11672).

- Fixed a bug where the podman rm --storage command could fail to remove containers under some circumstances (#11207).

- Fixed a bug where the podman machine ssh command could fail when run on Linux (#11731).

- Fixed a bug where the podman stop command would error when used on a container that was already stopped (#11740).

- Fixed a bug where renaming a container in a pod using the podman rename command, then removing the pod using podman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750).

* API

- The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612).

- The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients.

- The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623).

- The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225).

- The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831).

- The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered.

- The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails.

- The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227).

- Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235).

- Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages.

- Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).

Update to version 3.3.1:

* Bugfixes

- Fixed a bug where unit files created by podman generate systemd could

not cleanup shut down containers when stopped by systemctl stop (#11304).

- Fixed a bug where podman machine commands would not properly locate

the gvproxy binary in some circumstances.

- Fixed a bug where containers created as part of a pod using the

--pod-id-file option would not join the pod's network namespace (#11303).

- Fixed a bug where Podman, when using the systemd cgroups driver,

could sometimes leak dbus sessions.

- Fixed a bug where the until filter to podman logs and podman events

was improperly handled, requiring input to be negated (#11158).

- Fixed a bug where rootless containers using CNI networking run on

systems using systemd-resolved for DNS would fail to start if resolved

symlinked /etc/resolv.conf to an absolute path (#11358).

* API

- A large number of potential file descriptor leaks from improperly closing

client connections have been fixed.

Update to version 3.3.0:

* Fix network aliases with network id

* machine: compute sha256 as we read the image file

* machine: check for file exists instead of listing directory

* pkg/bindings/images.nTar(): slashify hdr.Name values

* Volumes: Only remove from DB if plugin removal succeeds

* For compatibility, ignore Content-Type

* [v3.3] Bump c/image 5.15.2, buildah v1.22.3

* Implement SD-NOTIFY proxy in conmon

* Fix rootless cni dns without systemd stub resolver

* fix rootlessport flake

* Skip stats test in CGv1 container environments

* Fix AVC denials in tests of volume mounts

* Restore buildah-bud test requiring new images

* Revert '.cirrus.yml: use fresh images for all VMs'

* Fix device tests using ls test files

* Enhance priv. dev. check

* Workaround host availability of /dev/kvm

* Skip cgroup-parent test due to frequent flakes

* Cirrus: Fix not uploading logformatter html

Switch to crun (bsc#1188914)

Update to version 3.2.3:

* Bump to v3.2.3

* Update release notes for v3.2.3

* vendor containers/common@v0.38.16

* vendor containers/buildah@v1.21.3

* Fix race conditions in rootless cni setup

* CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf

* Make rootless-cni setup more robust

* Support uid,gid,mode options for secrets

* vendor containers/common@v0.38.15

* [CI:DOCS] podman search: clarify that results depend on implementation

* vendor containers/common@v0.38.14

* vendor containers/common@v0.38.13

* [3.2] vendor containers/common@v0.38.12

* Bump README to v3.2.2

* Bump to v3.2.3-dev

- Update to version 3.2.2:

* Bump to v3.2.2

* fix systemcontext to use correct TMPDIR

* Scrub podman commands to use report package

* Fix volumes with uid and gid options

* Vendor in c/common v0.38.11

* Initial release notes for v3.2.2

* Fix restoring of privileged containers * Fix handling of podman-remote build --device

* Add support for podman remote build -f - .

* Fix panic condition in cgroups.getAvailableControllers * Fix permissions on initially created named volumes

* Fix building static podman-remote

* add correct slirp ip to /etc/hosts

* disable tty-size exec checks in system tests

* Fix resize race with podman exec -it

* Fix documentation of the --format option of podman push

* Fix systemd-resolved detection.

* Health Check is not handled in the compat LibpodToContainerJSON

* Do not use inotify for OCICNI

* getContainerNetworkInfo: lock netNsCtr before sync

* [NO TESTS NEEDED] Create /etc/mtab with the correct ownership

* Create the /etc/mtab file if does not exists

* [v3.2] cp: do not allow dir->file copying

* create: support images with invalid platform

* vendor containers/common@v0.38.10

* logs: k8s-file: restore poll sleep

* logs: k8s-file: fix spurious error logs

* utils: move message from warning to debug

* Bump to v3.2.2-dev

- Update to version 3.2.1:

* Bump to v3.2.1

* Updated release notes for v3.2.1

* Fix network connect race with docker-compose

* Revert 'Ensure minimum API version is set correctly in tests'

* Fall back to string for dockerfile parameter

* remote events: fix --stream=false

* [CI:DOCS] fix incorrect network remove api doc

* remote: always send resize before the container starts

* remote events: support labels

* remote pull: cancel pull when connection is closed

* Fix network prune api docs

* Improve systemd-resolved detection

* logs: k8s-file: fix race

* Fix image prune --filter cmd behavior

* Several shell completion fixes

* podman-remote build should handle -f option properly

* System tests: deal with crun 0.20.1

* Fix build tags for pkg/machine...

* Fix pre-checkpointing

* container: ignore named hierarchies

* [v3.2] vendor containers/common@v0.38.9

* rootless: fix fast join userns path

* [v3.2] vendor containers/common@v0.38.7

* [v3.2] vendor containers/common@v0.38.6

* Correct qemu options for Intel macs

* Ensure minimum API version is set correctly in tests

* Bump to v3.2.1-dev

- Update to version 3.2.0:

* Bump to v3.2.0

* Fix network create macvlan with subnet option

* Final release notes updates for v3.2.0

* add ipv6 nameservers only when the container has ipv6 enabled

* Use request context instead of background

* [v.3.2] events: support disjunctive filters * System tests: add :Z to volume mounts

* generate systemd: make mounts portable

* vendor containers/storage@v1.31.3

* vendor containers/common@v0.38.5

* Bump to v3.2.0-dev

* Bump to v3.2.0-RC3

* Update release notes for v3.2.0-RC3

* Fix race on podman start --all

* Fix race condition in running ls container in a pod

* docs: --cert-dir: point to containers-certs.d(5)

* Handle hard links in different directories

* Improve OCI Runtime error

* Handle hard links in remote builds

* Podman info add support for status of cgroup controllers * Drop container does not exist on removal to debugf

* Downgrade API service routing table logging

* add libimage events

* docs: generate systemd: XDG_RUNTIME_DIR

* Fix problem copying files when container is in host pid namespace

* Bump to v3.2.0-dev

* Bump to v3.2.0-RC2

* update c/common

* Update Cirrus DEST_BRANCH to v3.2

* Updated vendors of c/image, c/storage, Buildah

* Initial release notes for v3.2.0-RC2

* Add script for identifying commits in release branches

* Add host.containers.internal entry into container's etc/hosts

* image prune: remove unused images only with `--all`

* podman network reload add rootless support

* Use more recent `stale` release...

* network tutorial: update with rootless cni changes

* [CI:DOCS] Update first line in intro page

* Use updated VM images + updated automation tooling

* auto-update service: prune images

* make vendor

* fix system upgrade tests

* Print 'extracting' only on compressed file

* podman image tree: restore previous behavior

* fix network restart always test

* fix incorrect log driver in podman container image

* Add support for cli network prune --filter flag

* Move filter parsing to common utils

* Bump github.com/containers/storage from 1.30.2 to 1.30.3

* Update nix pin with `make nixpkgs`

* [CI:DOCS] hack/bats - new helper for running system tests

* fix restart always with slirp4netns

* Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc94

* Bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2

* Add host.serviceIsRemote to podman info results

* Add client disconnect to build handler loop

* Remove obsolete skips

* Fix podman-remote build --rm=false ...

* fix: improved 'containers/{name}/wait' endpoint

* Bump github.com/containers/storage from 1.30.1 to 1.30.2

* Add envars to the generated systemd unit

* fix: use UTC Time Stamps in response JSON

* fix container startup for empty pidfile

* Kube like pods should share ipc,net,uts by default

* fix: compat API 'images/get' for multiple images

* Revert escaped double dash man page flag syntax

* Report Download complete in Compatibility mode

* Add documentation on short-names

* Bump github.com/docker/docker

* Adds support to preserve auto update labels in generate and play kube

* [CI:DOCS] Stop conversion of `--` into en dash

* Revert Patch to relabel if selinux not enabled

* fix per review request

* Add support for environment variable secrets

* fix pre review request

* Fix infinite loop in isPathOnVolume

* Add containers.conf information for changing defaults

* CI: run rootless tests under ubuntu

* Fix wrong macvlan PNG in networking doc.

* Add restart-policy to container filters & --filter to podman start

* Fixes docker-compose cannot set static ip when use ipam

* channel: simplify implementation

* build: improve regex for iidfile

* Bump github.com/onsi/gomega from 1.11.0 to 1.12.0

* cgroup: fix rootless --cgroup-parent with pods

* fix: docker APIv2 `images/get`

* codespell cleanup

* Minor podmanimage docs updates.

* Fix handling of runlabel IMAGE and NAME

* Bump to v3.2.0-dev

* Bump to v3.2.0-rc1

* rootless: improve automatic range split

* podman: set volatile storage flag for --rm containers * Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.2

* Bump github.com/containers/image/v5 from 5.11.1 to 5.12.0

* migrate Podman to containers/common/libimage

* Add filepath glob support to --security-opt unmask

* Force log_driver to k8s-file for containers in containers * add --mac-address to podman play kube

* compat api: Networks must be empty instead of null

* System tests: honor $OCI_RUNTIME (for CI)

* is this a bug?

* system test image: add arm64v8 image

* Fix troubleshooting documentation on handling sublemental groups.

* Add --all to podman start

* Fix variable reference typo. in multi-arch image action

* cgroup: always honor --cgroup-parent with cgroupfs

* Bump github.com/uber/jaeger-client-go

* Don't require tests for github-actions & metadata

* Detect if in podman machine virtual vm

* Fix multi-arch image workflow typo

* [CI:DOCS] Add titles to remote docs (windows)

* Remove unused VolumeList* structs

* Cirrus: Update F34beta -> F34

* Update container image docs + fix unstable execution

* Bump github.com/containers/storage from 1.30.0 to 1.30.1

* TODO complete

* Docker returns 'die' status rather then 'died' status

* Check if another VM is running on machine start

* [CI:DOCS] Improve titles of command HTML pages

* system tests: networking: fix another race condition

* Use seccomp_profile as default profile if defined in containers.conf

* Bump github.com/json-iterator/go from 1.1.10 to 1.1.11

* Vendored

* Autoupdate local label functional

* System tests: fix two race conditions

* Add more documentation on conmon

* Allow docker volume create API to pass without name

* Cirrus: Update Ubuntu images to 21.04

* Skip blkio-weight test when no kernel BFQ support

* rootless: Tell the user what was led to the error, not just what it is

* Add troubleshooting advice about the --userns option.

* Fix images prune filter until

* Fix logic for pushing stable multi-arch images

* Fixes generate kube incorrect when bind-mounting '/' and '/root'

* libpod/image: unit tests: don't use system's registries.conf.d

* runtime: create userns when CAP_SYS_ADMIN is not present

* rootless: attempt to copy current mappings first

* [CI:DOCS] Restore missing content to manpages

* [CI:DOCS] Fix Markdown layout bugs

* Fix podman ps --filter ancestor to match exact ImageName/ImageID

* Add machine-enabled to containers.conf for machine

* Several multi-arch image build/push fixes

* Add podman run --timeout option

* Parse slirp4netns net options with compat api

* Fix rootlesskit port forwarder with custom slirp cidr

* Fix removal race condition in ListContainers * Add github-action workflow to build/push multi-arch

* rootless: if root is not sub?id raise a debug message

* Bump github.com/containers/common from 0.36.0 to 0.37.0

* Add go template shell completion for --format

* Add --group-add keep-groups: suplimentary groups into container

* Fixes from make codespell

* Typo fix to usage text of --compress option

* corrupt-image test: fix an oops

* Add --noheading flag to all list commands

* Bump github.com/containers/storage from 1.29.0 to 1.30.0

* Bump github.com/containers/image/v5 from 5.11.0 to 5.11.1

* [CI:DOCS] Fix Markdown table layout bugs

* podman-remote should show podman.sock info

* rmi: don't break when the image is missing a manifest

* [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md

* Add support for CDI device configuration

* [CI:DOCS] Add missing dash to verbose option

* Bump github.com/uber/jaeger-client-go

* Remove an advanced layer diff function

* Ensure mount destination is clean, no trailing slash

* add it for inspect pidfile

* [CI:DOCS] Fix introduction page typo

* support pidfile on container restore

* fix start it

* skip pidfile test on remote

* improve document

* set pidfile default value int containerconfig

* add pidfile in inspection

* add pidfile it for container start

* skip pidfile it on remote

* Modify according to comments

* WIP: drop test requirement

* runtime: bump required conmon version

* runtime: return findConmon to libpod

* oci: drop ExecContainerCleanup

* oci: use `--full-path` option for conmon

* use AttachSocketPath when removing conmon files

* hide conmon-pidfile flag on remote mode

* Fix possible panic in libpod/image/prune.go

* add --ip to podman play kube

* add flag autocomplete

* add ut

* add flag '--pidfile' for podman create/run

* Add network bindings tests: remove and list

* Fix build with GO111MODULE=off

* system tests: build --pull-never: deal with flakes

* compose test: diagnose flakes v3

* podman play kube apply correct log driver

* Fixes podman-remote save to directories does not work

* Bump github.com/rootless-containers/rootlesskit from 0.14.1 to 0.14.2

* Update documentation of podman-run to reflect volume 'U' option

* Fix flake on failed podman-remote build : try 2

* compose test: ongoing efforts to diagnose flakes

* Test that we don't error out on advertised --log-level values

* At trace log level, print error text using %+v instead of %v

* pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace

* Fix flake on failed podman-remote build

* System tests: fix racy podman-inspect

* Fixes invalid expression in save command

* Bump github.com/containers/common from 0.35.4 to 0.36.0

* Update nix pin with `make nixpkgs`

* compose test: try to get useful data from flakes

* Remove in-memory state implementation

* Fix message about runtime to show only the actual runtime

* System tests: setup: better cleanup of stray images

* Bump github.com/containers/ocicrypt from 1.1.0 to 1.1.1

* Reflect current state of prune implementation in docs

* Do not delete container twice

* [CI:DOCS] Correct status code for /pods/create

* vendor in containers/storage v1.29.0

* cgroup: do not set cgroup parent when rootless and cgroupfs

* Overhaul Makefile binary and release worflows

* Reorganize Makefile with sections and guide

* Simplify Makefile help target

* Don't shell to obtain current directory

* Remove unnecessary/not-needed release.txt target

* Fix incorrect version number output

* Exclude .gitignore from test req.

* Fix handling of $NAME and $IMAGE in runlabel

* Update podman image Dockerfile to support Podman in container

* Bump github.com/containers/image/v5 from 5.10.5 to 5.11.0

* Fix slashes in socket URLs

* Add network prune filters support to bindings

* Add support for play/generate kube volumes

* Update manifest API endpoints

* Fix panic when not giving a machine name for ssh

* cgroups: force 64 bits to ParseUint

* Bump k8s.io/api from 0.20.5 to 0.21.0

* [CI:DOCS] Fix formatting of podman-build man page

* buildah-bud tests: simplify

* Add missing return

* Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1

* speed up CI handling of images

* Volumes prune endpoint should use only prune filters * Cirrus: Use Fedora 34beta images

* Bump go.sum + Makefile for golang 1.16

* Exempt Makefile changes from test requirements

* Adjust libpod API Container Wait documentation to the code

* [CI:DOCS] Update swagger definition of inspect manifest

* use updated ubuntu images

* podman unshare: add --rootless-cni to join the ns

* Update swagger-check

* swagger: remove name wildcards

* Update buildah-bud diffs

* Handle podman-remote --arch, --platform, --os

* buildah-bud tests: handle go pseudoversions, plus...

* Fix flaking rootless compose test

* rootless cni add /usr/sbin to PATH if not present

* System tests: special case for RHEL: require runc

* Add --requires flag to podman run/create

* [CI:DOCS] swagger-check: compare operations

* [CI:DOCS] Polish swagger OpertionIDs

* [NO TESTS NEEDED] Update nix pin with `make nixpkgs`

* Ensure that `--userns=keep-id` sets user in config

* [CI:DOCS] Set all operation id to be compatibile

* Move operationIds to swagger:operation line

* swagger: add operationIds that match with docker

* Cirrus: Make use of shared get_ci_vm container

* Don't relabel volumes if running in a privileged container

* Allow users to override default storage opts with --storage-opt

* Add support for podman --context default

* Verify existence of auth file if specified

* fix machine naming conventions

* Initial network bindings tests

* Update release notes to indicate CVE fix

* Move socket activation check into init() and set global condition.

* Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0

* Http api tests for network prune with until filter

* podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns

* Fix typos --uidmapping and --gidmapping

* Add transport and destination info to manifest doc

* Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1

* Add default template functions

* Fix missing podman-remote build options

* Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1

* Add ssh connection to root user

* Add rootless docker-compose test to the CI

* Use the slrip4netns dns in the rootless cni ns

* Cleanup the rootless cni namespace

* Add new docker-compose test for two networks

* Make the docker-compose test work rootless

* Remove unused rootless-cni-infra container files

* Only use rootless RLK when the container has ports

* Fix dnsname test

* Enable rootless network connect/disconnect

* Move slirp4netns functions into an extra file

* Fix pod infra container cni network setup

* Add rootless support for cni and --uidmap

* rootless cni without infra container

* Recreate until container prune tests for bindings

* Remove --execute from podman machine ssh

* Fixed podman-remote --network flag

* Makefile: introduce install.docker-full

* Makefile: ensure install.docker creates BINDIR

* Fix unmount doc reference in image.rst

* Should send the OCI runtime path not just the name to buildah

* podman machine shell completion

* Fix handling of remove --log-rusage param

* Fix bindings prune containers flaky test

* [CI:DOCS] Add local html build info to docs/README.md

* Add podman machine list

* Trim white space from /top endpoint results

* Remove semantic version suffices from API calls

* podman machine init --ignition-path

* Document --volume from podman-remote run/create client

* Update main branch to reflect the release of v3.1.0

* Silence podman network reload errors with iptables-nft

* Containers prune endpoint should use only prune filters * resolve proper aarch64 image names

* APIv2 basic test: relax APIVersion check

* Add machine support for qemu-system-aarch64

* podman machine init user input

* manpage xref: helpful diagnostic for unescaped dash-dash

* Bump to v3.2.0-dev

* swagger: update system version response body

* buildah-bud tests: reenable pull-never test

* [NO TESTS NEEDED] Shrink the size of podman-remote

* Add powershell completions

* [NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted

* Fix long option format on docs.podman.io

* system tests: friendier messages for 2-arg is()

* service: use LISTEN_FDS

* man pages: correct seccomp-policy label

* rootless: use is_fd_inherited

* podman generate systemd --new do not duplicate params

* play kube: add support for env vars defined from secrets

* play kube: support optional/mandatory env var from config map

* play kube: prepare supporting other env source than config maps

* Add machine support for more Linux distros

* [NO TESTS NEEDED] Use same function podman-remote rmi as podman

* Podman machine enhancements

* Add problematic volume name to kube play error messages

* Fix podman build --pull-never

* [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NS

* [NO TESTS NEEDED] Turn on podman-remote build --isolation

* Fix list pods filter handling in libpod api

* Remove resize race condition

* [NO TESTS NEEDED] Vendor in containers/buildah v1.20.0

* Use TMPDIR when commiting images

* Add RequiresMountsFor= to systemd generate

* Bump github.com/vbauerster/mpb/v6 from 6.0.2 to 6.0.3

* Fix swapped dimensions from terminal.GetSize

* Rename podman machine create to init and clean up

* Correct json field name

* system tests: new interactive tests

* Improvements for machine

* libpod/image: unit tests: use a `registries.conf` for aliases

* libpod/image: unit tests: defer cleanup

* libpod/image: unit tests: use `require.NoError`

* Add --execute flag to podman machine ssh

* introduce podman machine

* Podman machine CLI and interface stub

* Support multi doc yaml for generate/play kube

* Fix filters in image http compat/libpod api endpoints

* Bump github.com/containers/common from 0.35.3 to 0.35.4

* Bump github.com/containers/storage from 1.28.0 to 1.28.1

* Check if stdin is a term in --interactive --tty mode

* [NO TESTS NEEDED] Remove /tmp/containers-users-* files on reboot

* [NO TESTS NEEDED] Fix rootless volume plugins

* Ensure manually-created volumes have correct ownership

* Bump github.com/rootless-containers/rootlesskit

* Unification of until filter across list/prune endpoints

* Unification of label filter across list/prune endpoints

* fixup

* fix: build endpoint for compat API

* [CI:DOCS] Add note to mappings for user/group userns in build

* Bump k8s.io/api from 0.20.1 to 0.20.5

* Validate passed in timezone from tz option

* WIP: run buildah bud tests using podman

* Fix containers list/prune http api filter behaviour

* Generate Kubernetes PersistentVolumeClaims from named volumes

- Update to version 3.1.2:

* Bump to v3.1.2

* Update release notes for v3.1.2

* Ensure mount destination is clean, no trailing slash

* Fixes podman-remote save to directories does not work

* [CI:DOCS] Add missing dash to verbose option

* [CI:DOCS] Fix Markdown table layout bugs

* [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md

* rmi: don't break when the image is missing a manifest

* Bump containers/image to v5.11.1

* Bump github.com/coreos/go-systemd from 22.2.0 to 22.3.1

* Fix lint

* Bump to v3.1.2-dev

- Split podman-remote into a subpackage

- Add missing scriptlets for systemd units

- Escape macros in comments

- Drop some obsolete workarounds, including %{go_nostrip}

- Update to version 3.1.1:

* Bump to v3.1.1

* Update release notes for v3.1.1

* podman play kube apply correct log driver

* Fix build with GO111MODULE=off

* [CI:DOCS] Set all operation id to be compatibile

* Move operationIds to swagger:operation line

* swagger: add operationIds that match with docker

* Fix missing podman-remote build options

* [NO TESTS NEEDED] Shrink the size of podman-remote

* Move socket activation check into init() and set global condition.

* rootless: use is_fd_inherited

* Recreate until container prune tests for bindings

* System tests: special case for RHEL: require runc

* Document --volume from podman-remote run/create client

* Containers prune endpoint should use only prune filters * Trim white space from /top endpoint results

* Fix unmount doc reference in image.rst

* Fix handling of remove --log-rusage param

* Makefile: introduce install.docker-full

* Makefile: ensure install.docker creates BINDIR

* Should send the OCI runtime path not just the name to buildah

* Fixed podman-remote --network flag

* podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns

* Fix typos --uidmapping and --gidmapping

* Add default template functions

* Don't relabel volumes if running in a privileged container

* Allow users to override default storage opts with --storage-opt

* Add transport and destination info to manifest doc

* Verify existence of auth file if specified

* Ensure that `--userns=keep-id` sets user in config

* [CI:DOCS] Update swagger definition of inspect manifest

* Volumes prune endpoint should use only prune filters * Adjust libpod API Container Wait documentation to the code

* Add missing return

* [CI:DOCS] Fix formatting of podman-build man page

* cgroups: force 64 bits to ParseUint

* Fix slashes in socket URLs

* [CI:DOCS] Correct status code for /pods/create

* cgroup: do not set cgroup parent when rootless and cgroupfs

* Reflect current state of prune implementation in docs

* Do not delete container twice

* Test that we don't error out on advertised --log-level values

* At trace log level, print error text using %+v instead of %v

* pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace

* Fix message about runtime to show only the actual runtime

* Fix handling of $NAME and $IMAGE in runlabel

* Fix flake on failed podman-remote build : try 2

* Fix flake on failed podman-remote build

* Update documentation of podman-run to reflect volume 'U' option

* Fixes invalid expression in save command

* Fix possible panic in libpod/image/prune.go

* Update all containers/ project vendors * Fix tests

* Bump to v3.1.1-dev

- Update to version 3.1.0:

* Bump to v3.1.0

* Fix test failure

* Update release notes for v3.1.0 final release

* [NO TESTS NEEDED] Turn on podman-remote build --isolation

* Fix long option format on docs.podman.io

* Fix containers list/prune http api filter behaviour

* [CI:DOCS] Add note to mappings for user/group userns in build

* Validate passed in timezone from tz option

* Generate Kubernetes PersistentVolumeClaims from named volumes

* libpod/image: unit tests: use a `registries.conf` for aliases

- Require systemd 241 or newer due to podman dependency go-systemd v22,

otherwise build will fail with unknown C name errors

- Create docker subpackage to allow replacing docker with

corresponding aliases to podman.

- Update to v3.0.1

* Changes

- Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.

Bugfixes

- Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of an Unix timestamp (integer) (#9315).

- Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output.

- Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems.

- Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail (#9393).

- Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415).

- Fixed a bug where Podman would treat the --entrypoint=[''] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377).

- Fixed a bug where Podman would set the HOME environment variable to '' when the container ran as a user without an assigned home directory (#9378).

- Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374).

- Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365).

- Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed.

- Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387).

- Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373).

- Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191).

- Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247).

* API

- Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351).

- Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port.

- Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred.

- Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232).

- The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library.

* Misc

- Updated Buildah to v1.19.4

- Updated the containers/storage library to v1.24.6

- Changes from v3.0.0

* Features

- Podman now features initial support for Docker Compose.

- Added the podman rename command, which allows containers to be renamed after they are created (#1925).

- The Podman remote client now supports the podman copy command.

- A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload).

- Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically.

- Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them.

- The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454).

- The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes.

- The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now support the --import-previous option. These add support for two-step checkpointing with lowered dump times.

- The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails.

- The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them.

- The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132).

- The podman generate kube command now properly supports generating YAML for containers and pods creating using host networking (--net=host) (#9077).

- The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443).

- The podman pod create command now supports the --net=none option (#9165).

- The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the the --opt option.

- Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver.

- The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container.

- The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths.

- The podman stats --format command now supports a new format specified, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting #8945.

- The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512).

- The podman pod ps command can now filter pods based on what networks they are joined to via the network filter.

The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option.

- The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned.

- The podman volume prune commands now supports filtering what volumes will be pruned.

- The podman system prune command now includes information on space reclaimed (#8658).

- The podman info command will now properly print information about packages in use on Gentoo and Arch systems.

- The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384).

- The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list.

- The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d.

- Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf.

- The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000).

* Security

- A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue.

* Changes

- Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.

- The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387).

- The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here.

- The legacy Varlink API has been completely removed from Podman.

- The default log level for Podman has been changed from Error to Warn.

- The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year.

- The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included.

- The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615).

- The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501).

- Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected.

- Error messages for the remote Podman client have been improved when it cannot connect to a Podman service.

- Error messages for podman run when an invalid SELinux is specified have been improved.

- Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace.

- Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share.

- SSH public key handling for remote Podman has been improved.

* Bugfixes

- Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120).

- Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618).

- Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040).

- Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was creating using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034).

- Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847).

- Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176

- Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842).

- Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567).

- Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374).

- Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable.

- Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error.

- Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803).

- Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608).

- Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers.

- Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790).

- Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838).

- Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable (#8710).

- Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211).

- Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921).

- Fixed a bug where the podman search --list-tags command did not support the --format option (#8740).

- Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843).

- Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798).

- Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931).

- Fixed a bug where locale environment variables were not properly passed on to Conmon.

- Fixed a bug where Podman would not build on the MIPS architecture (#8782).

- Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0.

- Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879).

- Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733).

- Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886).

- Fixed a bug where Podman would applied default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod).

- Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176).

- Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506).

- Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849).

- Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged.

- Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846).

- Fixed a bug where podman build --logfile did not actually write the build's log to the logfile.

- Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700).

- Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680).

- Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748).

- Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751).

- Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored.

- Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694).

- Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683).

- Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547).

- Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined.

- Fixed a bug where the --layers option to podman build was nonfunctional (#8643).

- Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990).

- Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650).

- Fixed a bug where --format did not support JSON output for individual fields (#8444).

- Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883).

- Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498).

- Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588).

- Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option.

- Fixed a bug where failures during the resizing of a container's TTY would print the wrong error.

- Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234).

- Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230).

- Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function (#8773).

- Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors (#6510).

- Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly (#9303).

- Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003).

API

- Libpod API version has been bumped to v3.0.0.

- All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865).

- The Compat API for Containers now supports the Rename and Copy APIs.

- Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses.

- Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a 'no such file' error if an invalid executable was passed) (#8281)

- Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649).

- Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly.

- Fixed a bug where the Compat Create API for Containers did not set container name properly.

- Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used).

- Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker.

- Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864).

- Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870).

- Fixed a bug where the Libpod Exists endpoint for Images could panic.

- Fixed a bug where the Compat List API for Containers did not support all filters (#8860).

- Fixed a bug where the Compat List API for Containers did not properly populate the Status field.

- Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102).

- Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758).

- Fixed a bug where the Compat Load API for Images did not properly clean up temporary files.

- Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified.

- Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope.

- Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did.

* Misc

- Updated Buildah to v1.19.2

- Updated the containers/storage library to v1.24.5

- Updated the containers/image library to v5.10.2

- Updated the containers/common library to v0.33.4

- Update to v2.2.1

* Changes

- Due to a conflict with a previously-removed field, we were forced to

modify the way image volumes (mounting images into containers using

--mount type=image) were handled in the database.

As a result, containers created in Podman 2.2.0 with image volume

will not have them in v2.2.1, and these containers will need to be re-created.

* Bugfixes

- Fixed a bug where rootless Podman would, on systems without the

XDG_RUNTIME_DIR environment variable defined, use an incorrect path

for the PID file of the Podman pause process, causing Podman to fail

to start (#8539).

- Fixed a bug where containers created using Podman v1.7 and earlier were

unusable in Podman due to JSON decode errors (#8613).

- Fixed a bug where Podman could retrieve invalid cgroup paths, instead

of erroring, for containers that were not running.

- Fixed a bug where the podman system reset command would print a warning

about a duplicate shutdown handler being registered.

- Fixed a bug where rootless Podman would attempt to mount sysfs in

circumstances where it was not allowed; some OCI runtimes (notably

crun) would fall back to alternatives and not fail, but others (notably runc) would fail to run containers.

- Fixed a bug where the podman run and podman create commands would fail

to create containers from untagged images (#8558).

- Fixed a bug where remote Podman would prompt for a password even when

the server did not support password authentication (#8498).

- Fixed a bug where the podman exec command did not move the Conmon

process for the exec session into the correct cgroup.

- Fixed a bug where shell completion for the ancestor option to

podman ps --filter did not work correctly.

- Fixed a bug where detached containers would not properly clean themselves

up (or remove themselves if --rm was set) if the Podman command that

created them was invoked with --log-level=debug.

* API

- Fixed a bug where the Compat Create endpoint for Containers did not

properly handle the Binds and Mounts parameters in HostConfig.

- Fixed a bug where the Compat Create endpoint for Containers ignored the Name query parameter.

- Fixed a bug where the Compat Create endpoint for Containers did not

properly handle the 'default' value for NetworkMode (this value is

used extensively by docker-compose) (#8544).

- Fixed a bug where the Compat Build endpoint for Images would sometimes

incorrectly use the target query parameter as the image's tag.

* Misc

- Podman v2.2.0 vendored a non-released, custom version of the

github.com/spf13/cobra package; this has been reverted to the latest

upstream release to aid in packaging.

- Updated the containers/image library to v5.9.0

- Update to v2.2.0

* Features

- Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here and here.

- Initial support has been added for the podman network connect and podman network disconnect commands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify --network=none when they were created.

- The podman run command now supports the --network-alias option to set network aliases (additional names the container can be accessed at from other containers via DNS if the dnsname CNI plugin is in use). Aliases can also be added and removed using the new podman network connect and podman network disconnect commands. Please note that this requires a new release (v1.1.0) of the dnsname plugin, and will only work on newly-created CNI networks.

- The podman generate kube command now features support for exporting container's memory and CPU limits (#7855).

- The podman play kube command now features support for setting CPU and Memory limits for containers (#7742).

- The podman play kube command now supports persistent volumes claims using Podman named volumes.

- The podman play kube command now supports Kubernetes configmaps via the --configmap option (#7567).

- The podman play kube command now supports a --log-driver option to set the log driver for created containers.

- The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows for podman play kube to be more easily used in systemd unitfiles.

- The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks (#7302).

- The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images (#6757).

- The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location.

- The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added.

- The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs (#7434).

- The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root (#6097).

- The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster.

- The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository.

- The podman search command can now output JSON using the --format=json option.

- The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers.

- The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers.

- The --tls-verify and --authfile options have been enabled for use with remote Podman.

- The /etc/hosts file now includes the container's name and hostname (both pointing to localhost) when the container is run with --net=none (#8095).

- The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option.

- The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option.

- The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable.

- The name and id filters for podman pod ps now match based on a regular expression, instead of requiring an exact match.

- The podman pod ps command now supports a new filter status, that matches pods in a certain state.

* Changes

- The podman network rm --force command will now also remove pods that are using the network (#7791).

- The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given.

- If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container.

- Global Podman options that were not supported with remote operation have been removed from podman-remote (e.g. --cgroup-manager, --storage-driver).

- Many errors have been changed to remove repetition and be more clear as to what has gone wrong.

- The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release.

- The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work.

- Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941).

- The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659).

- A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running.

- Podman will now print a warning when conflicting network options related to port forwarding (e.g. --publish and --net=host) are specified when creating a container.

- The --restart on-failure and --rm options for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly (#7906).

- Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server's containers.conf (#7657).

- The podman network rm command now has a new alias, podman network remove (#8402).

* Bugfixes

- Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use.

- Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed (#7776).

- Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior.

- Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl.

- Fixed a bug where Podman would not return the text of errors encounted when trying to run a healthcheck for a container.

- Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable.

- Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789).

- Fixed a bug where the podman untag --all command was not supported with remote Podman.

- Fixed a bug where the podman system service command could time out even if active attach connections were present (#7826).

- Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present.

- Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's.

- Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled (#7798).

- Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381).

- Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled (#7726).

- Fixed a bug where rootless Podman would not add supplemental GIDs to containers when when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups (#7782).

- Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837).

- Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run (#7872).

- Fixed a bug where the podman logs command with the journald log driver would not read all available logs (#7476).

- Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen (#7878).

- Fixed a bug where the --format 'table {{ .Field }}' option to numerous Podman commands ceased to function on Podman v2.0 and up.

- Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886).

- Fixed a bug where the --namespace option to podman ps did not work with the remote client (#7903).

- Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified.

- Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace (#7490).

- Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results (#7807).

- Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number (e.g. -p 80), assign the same port for both host and container, instead of generating a random host port (#7947).

- Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option (#7830).

- Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running.

- Fixed a bug where the podman attach command would not print a newline after detaching from the container (#7751).

- Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set (#8004).

- Fixed a bug where the podman container restore command could panic when the container in question was in a pod (#8026).

- Fixed a bug where the output of the podman image trust show --raw command was not properly formatted.

- Fixed a bug where the podman runlabel command could panic if a label to run was not given (#8038).

- Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979).

- Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040).

- Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations.

- Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated (#8054).

- Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via --net=container:...) (#8073).

- Fixed a bug where the podman ps command did not include information on all ports a container was publishing.

- Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions.

- Fixed a bug where the podman wait command's --interval option did not work when units were not specified for the duration (#8088).

- Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect (and not making sense in that context).

- Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file (which occurs on some WSL2 images) (#8089).

- Fixed a bug where the --extract option to podman cp was nonfunctional.

- Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited (#8091).

- Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage (#8148).

- Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that container certain string was present in the journal (#8125).

- Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139).

- Fixed a bug where the podman attach command would not exit when containers stopped (#8154).

- Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters (#8160).

- Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections (#8159).

- Fixed a bug where the podman image exists command would return non-zero (false) when multiple potential matches for the given name existed.

- Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image (#8023).

- Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist (#8184).

- Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shm filesystem between all containers in the pod (#8181).

- Fixed a bug where filters passed to podman volume list were not inclusive (#6765).

- Fixed a bug where the podman volume create command would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253).

- Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g. podman run -v testvol:/test1 -v testvol:/test2) (#8221).

- Fixed a bug where the parsing of the --net option to podman build was incorrect (#8322).

- Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman (#8332).

- Fixed a bug where the podman stats command did not show memory limits for containers (#8265).

- Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format (#8386).

- Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted (false would enforce the use of TLS, true would disable it).

- Fixed a bug where the podman network rm command would error when trying to remove macvlan networks and rootless CNI networks (#8491).

- Fixed a bug where Podman was not setting sane defaults for missing XDG_ environment variables.

- Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server (#8473).

- Fixed a bug where the podman manifest create and podman manifest add commands on local images would drop any images in the manifest not pulled by the host.

- Fixed a bug where networks made by podman network create did not include the tuning plugin, and as such did not support setting custom MAC addresses (#8385).

- Fixed a bug where container healthchecks did not use $PATH when searching for the Podman executable to run the healthcheck.

- Fixed a bug where the --ip-range option to podman network create did not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment (#8448).

- Fixed a bug where the podman container ps alias for podman ps was missing (#8445).

* API

- The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable.

- A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950).

- The Compat Network Connect and Network Disconnect endpoints have been added.

- Endpoints that deal with image registries now support a X-Registry-Config header to specify registry authentication configuration.

- The Compat Create endpoint for images now properly supports specifying images by digest.

- The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server's HTTP proxy settings into the build container for RUN instructions.

- The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal.

- Fixed a bug where the Ping endpoint misspelled a header name (Libpod-Buildha-Version instead of Libpod-Buildah-Version).

- Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not.

- Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line.

- Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return (#7942).

- Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917).

- Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860).

- Fixed a bug where the Compat Inspect endpoint for Containers did not include the container's Path, Args, and Restart Count.

- Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_ (Docker does not do so).

- Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries.

- Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896).

- Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740).

- Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946).

- Fixed a bug where the 'no such image' error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility.

- Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client.

- Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response.

- Fixed a bug where the Compat Inspect endpoint for images would omit the ParentId field if the image had no parent, and the Created field if the image did not have a creation time.

- Fixed a bug where the Compat Remove endpoint for Networks did not support the Force query parameter.

- add dependency to timezone package or podman fails to build a

- Correct invalid use of %{_libexecdir} to ensure files should be in /usr/lib

SELinux support [jsc#SMO-15]

libseccomp was updated to release 2.5.3:

* Update the syscall table for Linux v5.15

* Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2

* Document that seccomp_rule_add() may return -EACCES

Update to release 2.5.2

* Update the syscall table for Linux v5.14-rc7

* Add a function, get_notify_fd(), to the Python bindings to

get the nofication file descriptor.

* Consolidate multiplexed syscall handling for all

architectures into one location.

* Add multiplexed syscall support to PPC and MIPS

* The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within

the kernel. libseccomp's fd notification logic was modified

to support the kernel's previous and new usage of

SECCOMP_IOCTL_NOTIF_ID_VALID.

update to 2.5.1:

* Fix a bug where seccomp_load() could only be called once

* Change the notification fd handling to only request a notification fd if

* the filter has a _NOTIFY action

* Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage

* Clarify the maintainers' GPG keys

Update to release 2.5.0

* Add support for the seccomp user notifications, see the

seccomp_notify_alloc(3), seccomp_notify_receive(3),

seccomp_notify_respond(3) manpages for more information

* Add support for new filter optimization approaches, including a balanced

tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for

more information

* Add support for the 64-bit RISC-V architecture

* Performance improvements when adding new rules to a filter thanks to the

use of internal shadow transactions and improved syscall lookup tables

* Properly document the libseccomp API return values and include them in the

stable API promise

* Improvements to the s390 and s390x multiplexed syscall handling

* Multiple fixes and improvements to the libseccomp manpages

* Moved from manually maintained syscall tables to an automatically generated

syscall table in CSV format

* Update the syscall tables to Linux v5.8.0-rc5

* Python bindings and build now default to Python 3.x

* Improvements to the tests have boosted code coverage to over 93%

Update to release 2.4.3

* Add list of authorized release signatures to README.md

* Fix multiplexing issue with s390/s390x shm* syscalls

* Remove the static flag from libseccomp tools compilation

* Add define for __SNR_ppoll

* Fix potential memory leak identified by clang in the

scmp_bpf_sim tool

Update to release 2.4.2

* Add support for io-uring related system calls

conmon was updated to version 2.0.30:

* Remove unreachable code path

* exit: report if the exit command was killed

* exit: fix race zombie reaper

* conn_sock: allow watchdog messages through the notify socket proxy

* seccomp: add support for seccomp notify

Update to version 2.0.29:

* Reset OOM score back to 0 for container runtime

* call functions registered with atexit on SIGTERM

* conn_sock: fix potential segfault

Update to version 2.0.27:

* Add CRI-O integration test GitHub action

* exec: don't fail on EBADFD

* close_fds: fix close of external fds

* Add arm64 static build binary

Update to version 2.0.26:

* conn_sock: do not fail on EAGAIN

* fix segfault from a double freed pointer

* Fix a bug where conmon could never spawn a container, because

a disagreement between the caller and itself on where the attach

socket was.

* improve --full-attach to ignore the socket-dir directly. that

means callers don't need to specify a socket dir at all (and

can remove it)

* add full-attach option to allow callers to not truncate a very

long path for the attach socket

* close only opened FDs

* set locale to inherit environment

Update to version 2.0.22:

* added man page

* attach: always chdir

* conn_sock: Explicitly free a heap-allocated string

* refactor I/O and add SD_NOTIFY proxy support

Update to version 2.0.21:

* protect against kill(-1)

* Makefile: enable debuginfo generation

* Remove go.sum file and add go.mod

* Fail if conmon config could not be written

* nix: remove double definition for e2fsprogs

* Speedup static build by utilizing CI cache on `/nix` folder

* Fix nix build for failing e2fsprogs tests

* test: fix CI

* Use Podman for building

libcontainers-common was updated to include:

- common 0.44.0

- image 5.16.0

- podman 3.3.1

- storage 1.36.0

(changes too long to list)

CVEs fixed: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602

1181703

This update for sudo fixes the following issues:

- Add support in the LDAP filter for negated users (jsc#SLE-20068)

- Restrict use of sudo -U other -l to people who have permission

to run commands as that user (bsc#1181703, jsc#SLE-22569)

1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315

This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).

- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).

- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).

- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).

- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996

This security update for libeconf, shadow and util-linux fix the following issues:

libeconf:

- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow'

to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:

- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)

- Fixed different issues while writing string values to file.

- Writing comments to file too.

- Fixed crash while merging values.

- Added econftool cat option (#146)

- new API call: econf_readDirsHistory (showing ALL locations)

- new API call: econf_getPath (absolute path of the configuration file)

- Man pages libeconf.3 and econftool.8.

- Handling multiline strings.

- Added libeconf_ext which returns more information like

line_nr, comments, path of the configuration file,...

- Econftool, an command line interface for handling configuration

files.

- Generating HTML API documentation with doxygen.

- Improving error handling and semantic file check.

- Joining entries with the same key to one single entry if

env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to

read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to

read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)

- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)

- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

1190533,1190570,1191893,1192478,1192481,1193294,1193298,1194216,1194556,1195004,1195066,1195126,1195202,1195356,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3927,CVE-2021-3928,CVE-2021-3984,CVE-2021-4019,CVE-2021-4193,CVE-2021-46059,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0361,CVE-2022-0413

This update for vim fixes the following issues:

- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).

- CVE-2021-3796: Fixed use-after-free in nv_replace() in normal.c (bsc#1190570).

- CVE-2021-3872: Fixed heap-based buffer overflow in win_redr_status() drawscreen.c (bsc#1191893).

- CVE-2021-3927: Fixed heap-based buffer overflow (bsc#1192481).

- CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478).

- CVE-2021-4019: Fixed heap-based buffer overflow (bsc#1193294).

- CVE-2021-3984: Fixed illegal memory access when C-indenting could have led to heap buffer overflow (bsc#1193298).

- CVE-2021-3778: Fixed heap-based buffer overflow in regexp_nfa.c (bsc#1190533).

- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).

- CVE-2021-46059: Fixed pointer dereference vulnerability via the vim_regexec_multi function at regexp.c (bsc#1194556).

- CVE-2022-0319: Fixded out-of-bounds read (bsc#1195066).

- CVE-2022-0351: Fixed uncontrolled recursion in eval7() (bsc#1195126).

- CVE-2022-0361: Fixed buffer overflow (bsc#1195126).

- CVE-2022-0413: Fixed use-after-free in src/ex_cmds.c (bsc#1195356).

1194265,1196036,CVE-2022-24407

This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

- postfix: sasl authentication with password fails (bsc#1194265).

1196825

This update for libseccomp fixes the following issues:

- Check if we have NR_openat2, avoid using its definition when not

(bsc#1196825), this fixes build of systemd.

1195825,CVE-2018-16301

This update for tcpdump fixes the following issues:

- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).

1195326

This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)

This fixes delays at the end of zypper operations, where

zypper unintentionally waits for appdata plugin scripts to

complete.

1195654

This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

1195468

This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if

someone sends such signal. Without the signal handler, SIGURG will

just be ignored. (bsc#1195468)

This update for gdb fixes the following issues:

- Support for new IBM Z Hardware - GDB Part (jsc#SLE-22287)

1196025,1196784,CVE-2022-25236

This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching

Subject Alternative Name in server certificate)

* Add source-specific configuration of trusted certificates

* Allow multiple files and directories with trusted certificates

* Allow multiple pairs of server keys and certificates

* Add copy option to server/pool directive

* Increase PPS lock limit to 40% of pulse interval

* Perform source selection immediately after loading dump files

* Reload dump files for addresses negotiated by NTS-KE server

* Update seccomp filter and add less restrictive level

* Restart ongoing name resolution on online command

* Fix dump files to not include uncorrected offset

* Fix initstepslew to accept time from own NTP clients

* Reset NTP address and port when no longer negotiated by NTS-KE

server

- Ensure the correct pool packages are installed for openSUSE

and SLE (bsc#1180689).

- Fix pool package dependencies, so that SLE prefers chrony-pool-suse

over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication

- Add support for AES-CMAC keys (AES128, AES256) with Nettle

- Add authselectmode directive to control selection of

unauthenticated sources

- Add binddevice, bindacqdevice, bindcmddevice directives

- Add confdir directive to better support fragmented

configuration

- Add sourcedir directive and 'reload sources' command to

support dynamic NTP sources specified in files

- Add clockprecision directive

- Add dscp directive to set Differentiated Services Code Point

(DSCP)

- Add -L option to limit log messages by severity

- Add -p option to print whole configuration with included

files

- Add -U option to allow start under non-root user

- Allow maxsamples to be set to 1 for faster update with -q/-Q

option

- Avoid replacing NTP sources with sources that have

unreachable address

- Improve pools to repeat name resolution to get 'maxsources'

sources

- Improve source selection with trusted sources

- Improve NTP loop test to prevent synchronisation to itself

- Repeat iburst when NTP source is switched from offline state

to online

- Update clock synchronisation status and leap status more

frequently

- Update seccomp filter

- Add 'add pool' command

- Add 'reset sources' command to drop all measurements

- Add authdata command to print details about NTP

authentication

- Add selectdata command to print details about source

selection

- Add -N option and sourcename command to print original names

of sources

- Add -a option to some commands to print also unresolved

sources

- Add -k, -p, -r options to clients command to select, limit,

reset data

- Bug fixes

- Don’t set interface for NTP responses to allow asymmetric

routing

- Handle RTCs that don’t support interrupts

- Respond to command requests with correct address on

multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)

- Drop support for long (non-standard) MACs in NTPv4 packets

(chrony 2.x clients using non-MD5/SHA1 keys need to use

option 'version 3')

- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so

only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the

expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial

synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0

+ Add support for hardware timestamping on interfaces with read-only timestamping configuration

+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris

+ Update seccomp filter to work on more architectures

+ Validate refclock driver options

+ Fix bindaddress directive on FreeBSD

+ Fix transposition of hardware RX timestamp on Linux 4.13 and later

+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service

(bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to

fix bsc#1099272.

- Move chrony-helper to /usr/lib/chrony/helper, because there

should be no executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive

+ Add minsamples and maxsamples options to hwtimestamp directive

+ Add support for faster frequency adjustments in Linux 4.19

+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd

without root privileges to remove it on exit

+ Disable sub-second polling intervals for distant NTP sources

+ Extend range of supported sub-second polling intervals

+ Get/set IPv4 destination/source address of NTP packets on FreeBSD

+ Make burst options and command useful with short polling intervals

+ Modify auto_offline option to activate when sending request failed

+ Respond from interface that received NTP request if possible

+ Add onoffline command to switch between online and offline state

according to current system network configuration

+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call

+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive

+ Add stratum and tai options to refclock directive

+ Add support for Nettle crypto library

+ Add workaround for missing kernel receive timestamps on Linux

+ Wait for late hardware transmit timestamps

+ Improve source selection with unreachable sources

+ Improve protection against replay attacks on symmetric mode

+ Allow PHC refclock to use socket in /var/run/chrony

+ Add shutdown command to stop chronyd

+ Simplify format of response to manual list command

+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode

+ Fix -x option to not require CAP_SYS_TIME under non-root user

+ Fix acquisitionport directive to work with privilege separation

+ Fix handling of socket errors on Linux to avoid high CPU usage

+ Fix chronyc to not get stuck in infinite loop after clock step

1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)

- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)

- FIPS: Fix function and reason error codes (bsc#1182959)

- Enable zlib compression support (bsc#1195149)

glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

1172427,1194642

This update for util-linux fixes the following issues:

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)

- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)

- Fix `su -s` bash completion. (bsc#1172427)

1196275,1196406

This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

1186819,CVE-2021-3572

This update for python3 fixes the following issues:

- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

1193446

This update for sudo fixes the following issues:

- Fix user set timeout not being honored (bsc#1193446)

1195258,CVE-2021-22570

This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

1196093,1197024

This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)

- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable.

This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

1197459,CVE-2018-25032

This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292

This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).

- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).

- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).

- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

1194883

This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)

- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8

multi byte characters as well as support the vi mode of readline library

1194642

This update for util-linux fixes the following issue:

- Improve throughput and reduce clock sequence increments for high load situation with time based

version 1 uuids. (bsc#1194642)

1177460

This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):

* Palestine will spring forward on 2022-03-27, not on 03-26

* `zdump -v` now outputs better failure indications

* Bug fixes for code that reads corrupted TZif data

1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797

This update for supportutils fixes the following issues:

- Add command `blkid`

- Add email.txt based on OPTION_EMAIL (bsc#1189028)

- Add rpcinfo -p output #116

- Add s390x specific files and output

- Add shared memory as a log directory for emergency use (bsc#1190943)

- Fix cron package for RPM validation (bsc#1190315)

- Fix for invalid argument during updates (bsc#1193204)

- Fix iscsi initiator name (bsc#1195797)

- Improve `lsblk` readability with `--ascsi` option

- Include 'multipath -t' output in mpio.txt

- Include /etc/sssd/conf.d configuration files

- Include udev rules in /lib/udev/rules.d/

- Made /proc directory and network names spaces configurable (bsc#1193868)

- Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect

SUSE Linux Enterprise 15 Serivce Pack 3 and 4 (bsc#1191096)

- Move localmessage/warm logs out of messages.txt to new localwarn.txt

- Optimize configuration files

- Remove chronyc DNS lookups with -n switch (bsc#1193732)

- Remove duplicate commands in network.txt

- Remove duplicate firewalld status output

- getappcore identifies compressed core files (bsc#1191794)

1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134

This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv update to 0.7.22:

- reworked choice rule generation to cover more usecases

- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)

- support parsing of Debian's Multi-Arch indicator

- fix segfault on conflict resolution when using bindings

- fix split provides not working if the update includes a forbidden vendor change

- support strict repository priorities

new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY

- support zstd compressed control files in debian packages

- add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)

- support setting/reading userdata in solv files

new functions: repowriter_set_userdata, solv_read_userdata

- support queying of the custom vendor check function

new function: pool_get_custom_vendorcheck

- support solv files with an idarray block

- allow accessing the toolversion at runtime

libzypp update to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)

- Fix possible hang in singletrans mode (bsc#1197134)

- Do 2 retries if mount is still busy.

- Fix package signature check (bsc#1184501)

Pay attention that header and payload are secured by a valid

signature and report more detailed which signature is missing.

- Retry umount if device is busy (bsc#1196061, closes #381)

A previously released ISO image may need a bit more time to

release it's loop device. So we wait a bit and retry.

- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)

- Fix handling of ISO media in releaseAll (bsc#1196061)

- Hint on common ptf resolver conflicts (bsc#1194848)

- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper update to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)

- info: Fix SEGV with not installed PTFs (bsc#1196317)

- Don't prevent less restrictive umasks (bsc#1195999)

1198062,CVE-2022-1271

This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

1191502,1193086,1195247,1195529,1195899,1196567

This update for systemd fixes the following issues:

- Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)

- When migrating from sysvinit to systemd (it probably won't happen anymore),

let's use the default systemd target, which is the graphical.target one.

- Don't open /var journals in volatile mode when runtime_journal==NULL

- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

- man: tweak description of auto/noauto (bsc#1191502)

- shared/install: ignore failures for auxiliary files

- install: make UnitFileChangeType enum anonymous

- shared/install: reduce scope of iterator variables

- systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)

- Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)

- Drop or soften some of the deprecation warnings (bsc#1193086)

1195231

This update for lvm2 fixes the following issues:

- udev: create symlinks and watch even in suspended state (bsc#1195231)

1196647

This update for libtirpc fixes the following issues:

- Add option to enforce connection via protocol version 2 first (bsc#1196647)

1196939

This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for sles15-image fixes the following issues:

- Add zypper explicitly to work around obs-build bug (gh#openSUSE/obs-build#562)

- Add com.suse.supportlevel label (jsc#BCI-40)

1191157,1197004

This update for openldap2 fixes the following issues:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)

- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol

resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

1195628,1196107

This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from

packages provided by older GCC work. Add a requires from that

package to the corresponding libstc++6 package to keep those

at the same version. [bsc#1196107]

- Fixed memory corruption when creating dependences with the D language frontend.

- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

- Put libstdc++6-pp Requires on the shared library and drop

to Recommends.

1195251

This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMWare by default (bsc#1195251)

1193489

This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

1183533,CVE-2021-28153

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193

This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).

- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).

- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:

* Fix extraction over pipe

* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)

* Fix extraction when . and .. are unreadable

* Gracefully handle duplicate symlinks when extracting

* Re-initialize supplementary groups when switching to user

privileges

- Update to GNU tar 1.33:

* POSIX extended format headers do not include PID by default

* --delay-directory-restore works for archives with reversed

member ordering

* Fix extraction of a symbolic link hardlinked to another

symbolic link

* Wildcards in exclude-vcs-ignore mode don't match slash

* Fix the --no-overwrite-dir option

* Fix handling of chained renames in incremental backups

* Link counting works for file names supplied with -T

* Accept only position-sensitive (file-selection) options in file

list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32

* Fix the use of --checkpoint without explicit --checkpoint-action

* Fix extraction with the -U option

* Fix iconv usage on BSD-based systems

* Fix possible NULL dereference (savannah bug #55369)

[bsc#1130496] [CVE-2019-9923]

* Improve the testsuite

- Update to GNU 1.31

* Fix heap-buffer-overrun with --one-top-level, bug introduced

with the addition of that option in 1.28

* Support for zstd compression

* New option '--zstd' instructs tar to use zstd as compression

program. When listing, extractng and comparing, zstd compressed

archives are recognized automatically. When '-a' option is in

effect, zstd compression is selected if the destination archive

name ends in '.zst' or '.tzst'.

* The -K option interacts properly with member names given in the

command line. Names of members to extract can be specified along

with the '-K NAME' option. In this case, tar will extract NAME

and those of named members that appear in the archive after it,

which is consistent with the semantics of the option. Previous

versions of tar extracted NAME, those of named members that

appeared before it, and everything after it.

* Fix CVE-2018-20482 - When creating archives with the --sparse

option, previous versions of tar would loop endlessly if a

sparse file had been truncated while being archived.

1198062,1198922,CVE-2022-1271

This update for gzip fixes the following issues:

- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

1198090,1198114

This update for systemd fixes the following issues:

- tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)

- journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)

- tmpfiles: constify item_compatible() parameters- test tmpfiles: add a test for 'w+'

- test: add test checking tmpfiles conf file precedence

- journald: make use of CLAMP() in cache_space_refresh()

- journal-file: port journal_file_open() to openat_report_new()

- fs-util: make sure openat_report_new() initializes return param also on shortcut

- fs-util: fix typos in comments

- fs-util: add openat_report_new() wrapper around openat()

1197794

This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776

This update for curl fixes the following issues:

- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)

- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)

- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

1197771

This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

1199240,CVE-2022-29155

This update for openldap2 fixes the following issues:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

1198446,CVE-2022-1304

This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault

and possibly arbitrary code execution. (bsc#1198446)

1197443

This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

1196490,1199132,CVE-2022-23308,CVE-2022-29824

This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).

- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for skelcd, sles15-image fixes the following issues:

Changes in skelcd:

- Ship skelcd-EULA-bci for SLE BCI EULA (jsc#BCI-10)

1199223,1199224,CVE-2022-27781,CVE-2022-27782

This update for curl fixes the following issues:

- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)

- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

1199232,CVE-2022-1586

This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

1040589

This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

1198176

This update for libtirpc fixes the following issues:

- Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

1198751

This update for glibc fixes the following issues:

- Add the correct name for the IBM Z16 (bsc#1198751).

1192951,1193659,1195283,1196861,1197065

This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64. [bsc#1195283]

* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]

* use --with-cpu rather than specifying --with-arch/--with-tune

* Fix D memory corruption in -M output.

* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]

* fixes issue with debug dumping together with -o /dev/null

* fixes libgccjit issue showing up in emacs build [bsc#1192951]

* Package mwaitintrin.h

1070955,1191770,1192167,1192902,1192903,1192904,1193466,1193905,1194093,1194216,1194217,1194388,1194872,1194885,1195004,1195203,1195332,1195354,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,CVE-2017-17087,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927

This update for vim fixes the following issues:

- CVE-2017-17087: Fixed information leak via .swp files (bsc#1070955).

- CVE-2021-3875: Fixed heap-based buffer overflow (bsc#1191770).

- CVE-2021-3903: Fixed heap-based buffer overflow (bsc#1192167).

- CVE-2021-3968: Fixed heap-based buffer overflow (bsc#1192902).

- CVE-2021-3973: Fixed heap-based buffer overflow (bsc#1192903).

- CVE-2021-3974: Fixed use-after-free (bsc#1192904).

- CVE-2021-4069: Fixed use-after-free in ex_open()in src/ex_docmd.c (bsc#1193466).

- CVE-2021-4136: Fixed heap-based buffer overflow (bsc#1193905).

- CVE-2021-4166: Fixed out-of-bounds read (bsc#1194093).

- CVE-2021-4192: Fixed use-after-free (bsc#1194217).

- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).

- CVE-2022-0128: Fixed out-of-bounds read (bsc#1194388).

- CVE-2022-0213: Fixed heap-based buffer overflow (bsc#1194885).

- CVE-2022-0261: Fixed heap-based buffer overflow (bsc#1194872).

- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).

- CVE-2022-0359: Fixed heap-based buffer overflow in init_ccline() in ex_getln.c (bsc#1195203).

- CVE-2022-0392: Fixed heap-based buffer overflow (bsc#1195332).

- CVE-2022-0407: Fixed heap-based buffer overflow (bsc#1195354).

- CVE-2022-0696: Fixed NULL pointer dereference (bsc#1196361).

- CVE-2022-1381: Fixed global heap buffer overflow in skip_range (bsc#1198596).

- CVE-2022-1420: Fixed out-of-range pointer offset (bsc#1198748).

- CVE-2022-1616: Fixed use-after-free in append_command (bsc#1199331).

- CVE-2022-1619: Fixed heap-based Buffer Overflow in function cmdline_erase_chars (bsc#1199333).

- CVE-2022-1620: Fixed NULL pointer dereference in function vim_regexec_string (bsc#1199334).

- CVE-2022-1733: Fixed heap-based buffer overflow in cindent.c (bsc#1199655).

- CVE-2022-1735: Fixed heap-based buffer overflow (bsc#1199651).

- CVE-2022-1771: Fixed stack exhaustion (bsc#1199693).

- CVE-2022-1785: Fixed out-of-bounds write (bsc#1199745).

- CVE-2022-1796: Fixed use-after-free in find_pattern_in_path (bsc#1199747).

- CVE-2022-1851: Fixed out-of-bounds read (bsc#1199936).

- CVE-2022-1897: Fixed out-of-bounds write (bsc#1200010).

- CVE-2022-1898: Fixed use-after-free (bsc#1200011).

- CVE-2022-1927: Fixed buffer over-read (bsc#1200012).

1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068

This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

1200735,1200737,CVE-2022-32206,CVE-2022-32208

This update for curl fixes the following issues:

- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)

- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

1201099,CVE-2022-2097

This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

1198511,CVE-2015-20107

This update for python3 fixes the following issues:

- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

1199232,CVE-2022-1586

This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

1197718,1199140,1200334,1200855

This update for glibc fixes the following issues:

- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)

- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)

- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)

- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).

1137373,1181658,1194708,1195157,1197570,1198507,1198732,1200170

This update for systemd fixes the following issues:

- Allow control characters in environment variable values (bsc#1200170)

- Call pam_loginuid when creating user@.service (bsc#1198507)

- Fix parsing error in s390 udev rules conversion script (bsc#1198732)

- Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)

- Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit

- Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'

- basic/env-util: (mostly) follow POSIX for what variable names are allowed

- basic/env-util: make function shorter

- basic/escape: add mode where empty arguments are still shown as ''

- basic/escape: always escape newlines in shell_escape()

- basic/escape: escape control characters, but not utf-8, in shell quoting

- basic/escape: use consistent location for '*' in function declarations

- basic/string-util: inline iterator variable declarations

- basic/string-util: simplify how str_realloc() is used

- basic/string-util: split out helper function

- core/device: device_coldplug(): don't set DEVICE_DEAD

- core/device: do not downgrade device state if it is already enumerated

- core/device: drop unnecessary condition

- string-util: explicitly cast character to unsigned

- string-util: fix build error on aarch64

- test-env-util: Verify that \r is disallowed in env var values

- test-env-util: print function headers

1200855,1201560,1201640

This update for glibc fixes the following issues:

- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)

- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

1195463,1196850

This update for apparmor fixes the following issues:

- Add new rule to fix reported 'DENIED' audit records with Apparmor profile 'usr.sbin.smbd' (bsc#1196850)

- Add new rule to allow reading of openssl.cnf (bsc#1195463)

1164384,1199235,CVE-2019-20454,CVE-2022-1587

This update for pcre2 fixes the following issues:

- CVE-2019-20454: Fixed out-of-bounds read in JIT mode when \X is used in non-UTF mode (bsc#1164384).

- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated

- boost-license1_66_0-1.66.0-12.3.1 updated

- coreutils-8.32-150300.3.5.1 updated

- cracklib-dict-small-2.9.7-11.6.1 updated

- cracklib-2.9.7-11.6.1 updated

- file-magic-5.32-7.14.1 updated

- filesystem-15.0-11.8.1 updated

- gdb-11.1-8.30.1 updated

- glibc-locale-base-2.31-150300.37.1 updated

- glibc-locale-2.31-150300.37.1 updated

- glibc-2.31-150300.31.2 updated

- grep-3.1-150000.4.6.1 updated

- gzip-1.10-150200.10.1 updated

- iproute2-5.3-5.5.1 updated

- kmod-29-4.15.1 updated

- krb5-1.19.2-150300.8.3.2 updated

- less-530-3.3.2 updated

- libapparmor1-2.13.6-150300.3.15.1 updated

- libaugeas0-1.10.1-150000.3.12.1 updated

- libblkid1-2.36.2-150300.4.20.1 updated

- libboost_system1_66_0-1.66.0-12.3.1 updated

- libboost_thread1_66_0-1.66.0-12.3.1 updated

- libcom_err2-1.43.8-150000.4.33.1 updated

- libcrack2-2.9.7-11.6.1 updated

- libcrypt1-4.4.15-150300.4.4.3 updated

- libcryptsetup12-hmac-2.3.7-150300.3.5.1 updated

- libcryptsetup12-2.3.7-150300.3.5.1 updated

- libcurl4-7.66.0-150200.4.36.1 updated

- libdevmapper1_03-1.02.163-8.42.1 updated

- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added

- libexpat1-2.2.5-3.19.1 updated

- libfdisk1-2.36.2-150300.4.20.1 updated

- libgcc_s1-11.3.0+git1637-150000.1.9.1 updated

- libgcrypt20-hmac-1.8.2-8.42.1 updated

- libgcrypt20-1.8.2-8.42.1 updated

- libglib-2_0-0-2.62.6-150200.3.9.1 updated

- libgmodule-2_0-0-2.62.6-150200.3.9.1 updated

- libgmp10-6.1.2-4.9.1 updated

- libjson-c3-0.13-3.3.1 updated

- libkeyutils1-1.6.3-5.6.1 updated

- libkmod2-29-4.15.1 updated

- libldap-2_4-2-2.4.46-150200.14.8.1 updated

- libldap-data-2.4.46-150200.14.8.1 updated

- liblzma5-5.2.3-150000.4.7.1 updated

- libmagic1-5.32-7.14.1 updated

- libmount1-2.36.2-150300.4.20.1 updated

- libncurses6-6.1-5.9.1 updated

- libopenssl1_1-hmac-1.1.1d-150200.11.51.1 updated

- libopenssl1_1-1.1.1d-150200.11.51.1 updated

- libpcre1-8.45-150000.20.13.1 updated

- libpcre2-8-0-10.31-150000.3.12.1 updated

- libprocps7-3.3.15-7.22.1 updated

- libprotobuf-lite20-3.9.2-4.12.1 added

- libpsl5-0.20.1-150000.3.3.1 updated

- libpython3_6m1_0-3.6.15-150300.10.27.1 updated

- libsasl2-3-2.1.27-150300.4.6.1 updated

- libseccomp2-2.5.3-150300.10.8.1 updated

- libsmartcols1-2.36.2-150300.4.20.1 updated

- libsolv-tools-0.7.22-150200.12.1 updated

- libstdc++6-11.3.0+git1637-150000.1.9.1 updated

- libsystemd0-246.16-150300.7.45.1 updated

- libtirpc-netconfig-1.2.6-150300.3.6.1 updated

- libtirpc3-1.2.6-150300.3.6.1 updated

- libudev1-246.16-150300.7.45.1 updated

- libuuid1-2.36.2-150300.4.20.1 updated

- libxml2-2-2.9.7-150000.3.46.1 updated

- libyaml-cpp0_6-0.6.1-4.5.1 updated

- libz1-1.2.11-150000.3.30.1 updated

- libzypp-17.30.0-150200.36.1 updated

- login_defs-4.8.1-150300.4.3.8 updated

- ncurses-utils-6.1-5.9.1 updated

- netcfg-11.6-3.3.1 updated

- openssl-1_1-1.1.1d-150200.11.51.1 added

- pam-1.3.0-150000.6.58.3 updated

- perl-base-5.26.1-150300.17.3.1 updated

- perl-5.26.1-150300.17.3.1 updated

- permissions-20181225-23.12.1 updated

- procps-3.3.15-7.22.1 updated

- python3-base-3.6.15-150300.10.27.1 updated

- rpm-config-SUSE-1-5.6.1 updated

- rpm-ndb-4.14.3-150300.46.1 updated

- shadow-4.8.1-150300.4.3.8 updated

- sudo-1.9.5p2-150300.3.6.1 updated

- supportutils-3.1.20-150300.7.35.10.1 updated

- suse-module-tools-15.3.15-3.17.1 updated

- system-group-hardware-20170617-17.3.1 updated

- system-group-kvm-20170617-17.3.1 updated

- system-group-wheel-20170617-17.3.1 updated

- system-user-man-20170617-17.3.1 updated

- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated

- systemd-presets-common-SUSE-15-150100.8.12.1 updated

- systemd-246.16-150300.7.48.1 updated

- tar-1.34-150000.3.12.1 updated

- tcpdump-4.9.2-3.18.1 updated

- terminfo-base-6.1-5.9.1 updated

- timezone-2022a-150000.75.7.1 added

- udev-246.16-150300.7.48.1 updated

- update-alternatives-1.19.0.4-4.3.1 updated

- util-linux-systemd-2.36.2-150300.4.20.1 updated

- util-linux-2.36.2-150300.4.20.1 updated

- vim-data-common-8.2.5038-150000.5.21.1 updated

- vim-8.2.5038-150000.5.21.1 updated

- zypper-1.14.52-150200.30.2 updated

- container:sles15-image-15.0.0-17.18.1 updated

- python-rpm-macros-20200207.5feb6c1-3.11.1 removed

Severity

Container Advisory ID : SUSE-CU-2022:1765-1

Container Tags : suse/sle-micro/5.1/toolbox:11.1 , suse/sle-micro/5.1/toolbox:11.1-2.2.254 , suse/sle-micro/5.1/toolbox:latest

Container Release : 2.2.254

Severity : critical

Type : security

SUSE: 2022:1765-1 suse/sle-micro/5.1/toolbox Security Update

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By