Packages changed: MicroOS-release (20241028 -> 20241029) containerd (1.7.22 -> 1.7.23) crun (1.17 -> 1.18) libxslt mozilla-nss (3.104 -> 3.105) openssh openssl-3 (3.1.4 -> 3.1.7) openssl (3.1.4 -> 3.1.7) openvpn === Details === ==== MicroOS-release ==== Version update (20241028 -> 20241029) Subpackages: MicroOS-release-appliance MicroOS-release-dvd - automatically generated by openSUSE-release-tools/pkglistgen ==== containerd ==== Version update (1.7.22 -> 1.7.23) - Update to containerd v1.7.23. Upstream release notes: - Rebase patches: * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch ==== crun ==== Version update (1.17 -> 1.18) - Update to crun v1.18. Upstream changelog is available from - Remove URL from crun.keyring source declaration. If the Ubuntu keyservers update their server software or some other minor change causes the output of the key to change (such as the maintainer updating their key expiry), we will end up with build failures despite the key still being a totally valid key to do verifications with. This also matches how keyring files are managed for most packages. ==== libxslt ==== Subpackages: libexslt0 libxslt-tools libxslt1 - Add libxslt-reproducible.patch to make xml output deterministic (boo#1062303) ==== mozilla-nss ==== Version update (3.104 -> 3.105) Subpackages: libfreebl3 libsoftokn3 mozilla-nss-certs - update to NSS 3.105 * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys * bmo#1918767 - override default definition of KRML_MUSTINLINE * bmo#1916525 - libssl support for mlkem768x25519 * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL * bmo#1911912 - Avoid misuse of ctype(3) functions * bmo#1917311 - part 2: run clang-format * bmo#1917311 - part 1: upgrade to clang-format 13 * bmo#1916953 - clang-format fuzz * bmo#1910370 - DTLS client message buffer may not empty be on retransmit * bmo#1916413 - Optionally print config for TLS client and server fuzz target * bmo#1916059 - Fix some simple documentation issues in NSS. * bmo#1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN ==== openssh ==== Subpackages: openssh-clients openssh-common openssh-server - Don't force using gcc11 on SLFO/ALP which have a newer version. - Add patches from upstream: - To fix a copy&paste oversight in an ifdef : * 0001-fix-utmpx-ifdef.patch - To fix a regression introduced when the "Match" criteria tokenizer was modified since it stopped supporting the "Match criteria=argument" format: * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch - To fix the previous patch which broke on negated Matches: * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch - To fix the ML-KEM768x25519 kex algorithm on big-endian systems: * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch ==== openssl-3 ==== Version update (3.1.4 -> 3.1.7) Subpackages: libopenssl3 - Update to 3.1.7: * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024] - Fixed possible denial of service in X.509 name checks (CVE-2024-6119) - Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535) * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024] - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024] - Fixed PKCS12 Decoding crashes (CVE-2024-0727) - Fixed Excessive time spent checking invalid RSA public keys [CVE-2023-6237) - Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) - Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678) * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF * Rebase patches: - openssl-Force-FIPS.patch - openssl-FIPS-embed-hmac.patch - openssl-FIPS-services-minimize.patch - openssl-FIPS-RSA-disable-shake.patch - openssl-CVE-2023-50782.patch * Remove patches fixed in the update: - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch - openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch - openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch - openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch - openssl-CVE-2023-5678.patch - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch - openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch - openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch - reproducible.patch ==== openssl ==== Version update (3.1.4 -> 3.1.7) - Update to 3.1.7 ==== openvpn ==== Subpackages: openvpn-auth-pam-plugin - Fix multiple exit notifications from authenticated clients will extend the validity of a closing session (bsc#1227546 CVE-2024-28882) Patchname:openvpn-CVE-2024-28882.patch - Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305) if libnl >= 3.4 is available