November 2020 - openSUSE Security Announce

[opensuse-security-announce] openSUSE-SU-2020:2090-1: moderate: Security update for mariadb
by opensuse-security＠opensuse.org 28 Nov '20

28 Nov '20

openSUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2090-1 Rating: moderate References: #1175596 #1177472 #1178428 Cross-References: CVE-2020-14765 CVE-2020-14776 CVE-2020-14789 CVE-2020-14812 CVE-2020-15180 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for mariadb and mariadb-connector-c fixes the following issues: - Update mariadb to 10.2.36 GA [bsc#1177472, bsc#1178428] fixing for the following security vulnerabilities: CVE-2020-14812, CVE-2020-14765, CVE-2020-14776, CVE-2020-14789 CVE-2020-15180 - Update mariadb-connector-c to 3.1.11 [bsc#1177472 and bsc#1178428] This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2090=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libmariadb-devel-3.1.11-lp152.2.3.1 libmariadb-devel-debuginfo-3.1.11-lp152.2.3.1 libmariadb3-3.1.11-lp152.2.3.1 libmariadb3-debuginfo-3.1.11-lp152.2.3.1 libmariadb_plugins-3.1.11-lp152.2.3.1 libmariadb_plugins-debuginfo-3.1.11-lp152.2.3.1 libmariadbprivate-3.1.11-lp152.2.3.1 libmariadbprivate-debuginfo-3.1.11-lp152.2.3.1 libmysqld-devel-10.2.36-lp152.2.6.1 libmysqld19-10.2.36-lp152.2.6.1 libmysqld19-debuginfo-10.2.36-lp152.2.6.1 mariadb-10.2.36-lp152.2.6.1 mariadb-bench-10.2.36-lp152.2.6.1 mariadb-bench-debuginfo-10.2.36-lp152.2.6.1 mariadb-client-10.2.36-lp152.2.6.1 mariadb-client-debuginfo-10.2.36-lp152.2.6.1 mariadb-connector-c-debugsource-3.1.11-lp152.2.3.1 mariadb-debuginfo-10.2.36-lp152.2.6.1 mariadb-debugsource-10.2.36-lp152.2.6.1 mariadb-galera-10.2.36-lp152.2.6.1 mariadb-test-10.2.36-lp152.2.6.1 mariadb-test-debuginfo-10.2.36-lp152.2.6.1 mariadb-tools-10.2.36-lp152.2.6.1 mariadb-tools-debuginfo-10.2.36-lp152.2.6.1 - openSUSE Leap 15.2 (x86_64): libmariadb3-32bit-3.1.11-lp152.2.3.1 libmariadb3-32bit-debuginfo-3.1.11-lp152.2.3.1 - openSUSE Leap 15.2 (noarch): mariadb-errormessages-10.2.36-lp152.2.6.1 References: https://www.suse.com/security/cve/CVE-2020-14765.html https://www.suse.com/security/cve/CVE-2020-14776.html https://www.suse.com/security/cve/CVE-2020-14789.html https://www.suse.com/security/cve/CVE-2020-14812.html https://www.suse.com/security/cve/CVE-2020-15180.html https://bugzilla.suse.com/1175596 https://bugzilla.suse.com/1177472 https://bugzilla.suse.com/1178428

1 0

[opensuse-security-announce] openSUSE-SU-2020:2082-1: moderate: Security update for ceph
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2082-1 Rating: moderate References: #1163764 #1170200 #1170498 #1173079 #1174466 #1174529 #1174644 #1175120 #1175161 #1175169 #1176451 #1176499 #1176638 #1177078 #1177151 #1177319 #1177344 #1177450 #1177643 #1177676 #1177843 #1177933 #1178073 #1178531 Cross-References: CVE-2020-25660 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves one vulnerability and has 23 fixes is now available. Description: This update for ceph fixes the following issues: - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843). - Added --container-init feature (bsc#1177319, bsc#1163764) - Made journald as the logdriver again (bsc#1177933) - Fixes a condition check for copy_tree, copy_files, and move_files in cephadm (bsc#1177676) - Fixed a bug where device_health_metrics pool gets created even without any OSDs in the cluster (bsc#1173079) - Log cephadm output /var/log/ceph/cephadm.log (bsc#1174644) - Fixed a bug where the orchestrator didn't come up anymore after the deletion of OSDs (bsc#1176499) - Fixed a bug where cephadm fails to deploy all OSDs and gets stuck (bsc#1177450) - python-common will no longer skip unavailable disks (bsc#1177151) - Added snap-schedule module (jsc#SES-704) - Updated the SES7 downstream branding (bsc#1175120, bsc#1175161, bsc#1175169, bsc#1170498) This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2082=1 Package List: - openSUSE Leap 15.2 (noarch): ceph-grafana-dashboards-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-cephadm-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-dashboard-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-diskprediction-cloud-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-diskprediction-local-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-k8sevents-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-modules-core-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-rook-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-prometheus-alerts-15.2.5.667+g1a579d5bf2-lp152.2.3.1 - openSUSE Leap 15.2 (x86_64): ceph-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-base-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-base-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-common-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-common-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-debugsource-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-fuse-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-fuse-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-immutable-object-cache-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-immutable-object-cache-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mds-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mds-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mgr-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mon-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-mon-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-osd-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-osd-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-radosgw-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-radosgw-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-test-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-test-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 ceph-test-debugsource-15.2.5.667+g1a579d5bf2-lp152.2.3.1 cephadm-15.2.5.667+g1a579d5bf2-lp152.2.3.1 cephfs-shell-15.2.5.667+g1a579d5bf2-lp152.2.3.1 libcephfs-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 libcephfs2-15.2.5.667+g1a579d5bf2-lp152.2.3.1 libcephfs2-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librados-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librados-devel-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librados2-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librados2-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 libradospp-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librbd-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librbd1-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librbd1-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librgw-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librgw2-15.2.5.667+g1a579d5bf2-lp152.2.3.1 librgw2-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-ceph-argparse-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-ceph-common-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-cephfs-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-cephfs-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rados-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rados-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rbd-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rbd-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rgw-15.2.5.667+g1a579d5bf2-lp152.2.3.1 python3-rgw-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rados-objclass-devel-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-fuse-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-fuse-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-mirror-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-mirror-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-nbd-15.2.5.667+g1a579d5bf2-lp152.2.3.1 rbd-nbd-debuginfo-15.2.5.667+g1a579d5bf2-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2020-25660.html https://bugzilla.suse.com/1163764 https://bugzilla.suse.com/1170200 https://bugzilla.suse.com/1170498 https://bugzilla.suse.com/1173079 https://bugzilla.suse.com/1174466 https://bugzilla.suse.com/1174529 https://bugzilla.suse.com/1174644 https://bugzilla.suse.com/1175120 https://bugzilla.suse.com/1175161 https://bugzilla.suse.com/1175169 https://bugzilla.suse.com/1176451 https://bugzilla.suse.com/1176499 https://bugzilla.suse.com/1176638 https://bugzilla.suse.com/1177078 https://bugzilla.suse.com/1177151 https://bugzilla.suse.com/1177319 https://bugzilla.suse.com/1177344 https://bugzilla.suse.com/1177450 https://bugzilla.suse.com/1177643 https://bugzilla.suse.com/1177676 https://bugzilla.suse.com/1177843 https://bugzilla.suse.com/1177933 https://bugzilla.suse.com/1178073 https://bugzilla.suse.com/1178531

1 0

[opensuse-security-announce] openSUSE-SU-2020:2083-1: moderate: Security update for java-1_8_0-openjdk
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2083-1 Rating: moderate References: #1174157 #1177943 Cross-References: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 16 vulnerabilities is now available. Description: This update for java-1_8_0-openjdk fixes the following issues: - Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)", introduced in October 2020 CPU. - Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU, bsc#1174157, and October 2020 CPU, bsc#1177943) * New features + JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3796: Allow the number of curves supported to be specified * Security fixes + JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue) + JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString() + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233255: Better Swing Buttons + JDK-8233624: Enhance JNI linkage + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236196: Improve string pooling + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + JDK-8237995, CVE-2020-14782: Enhance certificate processing + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240124: Better VM Interning + JDK-8240482: Improved WAV file playback + JDK-8241114, CVE-2020-14792: Better range handling + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling + JDK-8242680, CVE-2020-14796: Improved URI Support + JDK-8242685, CVE-2020-14797: Better Path Validation + JDK-8242695, CVE-2020-14798: Enhanced buffer support + JDK-8243302: Advanced class supports + JDK-8244136, CVE-2020-14803: Improved Buffer supports + JDK-8244479: Further constrain certificates + JDK-8244955: Additional Fix for JDK-8240124 + JDK-8245407: Enhance zoning of times + JDK-8245412: Better class definitions + JDK-8245417: Improve certificate chain handling + JDK-8248574: Improve jpeg processing + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + JDK-8253019: Enhanced JPEG decoding * Import of OpenJDK 8 u262 build 01 + JDK-4949105: Access Bridge lacks html tags parsing + JDK-8003209: JFR events for network utilization + JDK-8030680: 292 cleanup from default method code assessment + JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and some tests failed on windows intermittently + JDK-8041626: Shutdown tracing event + JDK-8141056: Erroneous assignment in HeapRegionSet.cpp + JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN coordinates + JDK-8151582: (ch) test java/nio/channels/ /AsyncCloseAndInterrupt.java failing due to "Connection succeeded" + JDK-8165675: Trace event for thread park has incorrect unit for timeout + JDK-8176182: 4 security tests are not run + JDK-8178910: Problemlist sample tests + JDK-8183925: Decouple crash protection from watcher thread + JDK-8191393: Random crashes during cfree+0x1c + JDK-8195817: JFR.stop should require name of recording + JDK-8195818: JFR.start should increase autogenerated name by one + JDK-8195819: Remove recording=x from jcmd JFR.check output + JDK-8199712: Flight Recorder + JDK-8202578: Revisit location for class unload events + JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing events + JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder) + JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant + JDK-8203664: JFR start failure after AppCDS archive created with JFR StartFlightRecording + JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552 + JDK-8203929: Limit amount of data for JFR.dump + JDK-8205516: JFR tool + JDK-8207392: [PPC64] Implement JFR profiling + JDK-8207829: FlightRecorderMXBeanImpl is leaking the first classloader which calls it + JDK-8209960: -Xlog:jfr* doesn't work with the JFR + JDK-8210024: JFR calls virtual is_Java_thread from ~Thread() + JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7 + JDK-8211239: Build fails without JFR: empty JFR events signatures mismatch + JDK-8212232: Wrong metadata for the configuration of the cutoff for old object sample events + JDK-8213015: Inconsistent settings between JFR.configure and -XX:FlightRecorderOptions + JDK-8213421: Line number information for execution samples always 0 + JDK-8213617: JFR should record the PID of the recorded process + JDK-8213734: SAXParser.parse(File, ..) does not close resources when Exception occurs. + JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests + JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test + JDK-8213966: The ZGC JFR events should be marked as experimental + JDK-8214542: JFR: Old Object Sample event slow on a deep heap in debug builds + JDK-8214750: Unnecessary <p> tags in jfr classes + JDK-8214896: JFR Tool left files behind + JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with UnsatisfiedLinkError + JDK-8214925: JFR tool fails to execute + JDK-8215175: Inconsistencies in JFR event metadata + JDK-8215237: jdk.jfr.Recording javadoc does not compile + JDK-8215284: Reduce noise induced by periodic task getFileSize() + JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) + JDK-8215362: JFR GTest JfrTestNetworkUtilization fails + JDK-8215771: The jfr tool should pretty print reference chains + JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly + JDK-8216486: Possibility of integer overflow in JfrThreadSampler::run() + JDK-8216528: test/jdk/java/rmi/transport/ /runtimeThreadInheritanceLeak/ /RuntimeThreadInheritanceLeak.java failing with Xcomp + JDK-8216559: [JFR] Native libraries not correctly parsed from /proc/self/maps + JDK-8216578: Remove unused/obsolete method in JFR code + JDK-8216995: Clean up JFR command line processing + JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems due to process surviving SIGINT + JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR TestShutdownEvent + JDK-8218935: Make jfr strncpy uses GCC 8.x friendly + JDK-8223147: JFR Backport + JDK-8223689: Add JFR Thread Sampling Support + JDK-8223690: Add JFR BiasedLock Event Support + JDK-8223691: Add JFR G1 Region Type Change Event Support + JDK-8223692: Add JFR G1 Heap Summary Event Support + JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant + JDK-8224475: JTextPane does not show images in HTML rendering + JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. + JDK-8226779: [TESTBUG] Test JFR API from Java agent + JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys + JDK-8227011: Starting a JFR recording in response to JVMTI VMInit and / or Java agent premain corrupts memory + JDK-8227605: Kitchensink fails "assert((((klass)->trace_id() & (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed: invariant" + JDK-8229366: JFR backport allows unchecked writing to memory + JDK-8229401: Fix JFR code cache test failures + JDK-8229708: JFR backport code does not initialize + JDK-8229873: 8229401 broke jdk8u-jfr-incubator + JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows + JDK-8230707: JFR related tests are failing + JDK-8230782: Robot.createScreenCapture() fails if "awt.robot.gtk" is set to false + JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return + JDK-8230947: TestLookForUntestedEvents.java is failing after JDK-8230707 + JDK-8231995: two jtreg tests failed after 8229366 is fixed + JDK-8233623: Add classpath exception to copyright in EventHandlerProxyCreator.java file + JDK-8236002: CSR for JFR backport suggests not leaving out the package-info + JDK-8236008: Some backup files were accidentally left in the hotspot tree + JDK-8236074: Missed package-info + JDK-8236174: Should update javadoc since tags + JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport + JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 + JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB + JDK-8238589: Necessary code cleanup in JFR for JDK8u + JDK-8238590: Enable JFR by default during compilation in 8u + JDK-8239055: Wrong implementation of VMState.hasListener + JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair + JDK-8239479: minimal1 and zero builds are failing + JDK-8239867: correct over use of INCLUDE_JFR macro + JDK-8240375: Disable JFR by default for July 2020 release + JDK-8241444: Metaspace::_class_vsm not initialized if compressed class pointers are disabled + JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR Backport) + JDK-8242788: Non-PCH build is broken after JDK-8191393 * Import of OpenJDK 8 u262 build 02 + JDK-8130737: AffineTransformOp can't handle child raster with non-zero x-offset + JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in java/awt/image/Raster/TestChildRasterOp.java + JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout + JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges + JDK-8242883: Incomplete backport of JDK-8078268: backport test part * Import of OpenJDK 8 u262 build 03 + JDK-8037866: Replace the Fun class in tests with lambdas + JDK-8146612: C2: Precedence edges specification violated + JDK-8150986: serviceability/sa/jmap-hprof/ /JMapHProfLargeHeapTest.java failing because expects HPROF JAVA PROFILE 1.0.1 file format + JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions + JDK-8230597: Update GIFlib library to the 5.2.1 + JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call in early return + JDK-8233880, PR3798: Support compilers with multi-digit major version numbers + JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed + JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set + JDK-8243059: Build fails when --with-vendor-name contains a comma + JDK-8243474: [TESTBUG] removed three tests of 0 bytes + JDK-8244461: [JDK 8u] Build fails with glibc 2.32 + JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns wrong result * Import of OpenJDK 8 u262 build 04 + JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null + JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering + JDK-8171934: ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does not recognize OpenJDK's HotSpot VM + JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE + JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 + JDK-8244777: ClassLoaderStats VM Op uses constant hash value * Import of OpenJDK 8 u262 build 05 + JDK-7147060: com/sun/org/apache/xml/internal/security/ /transforms/ClassLoaderTest.java doesn't run in agentvm mode + JDK-8178374: Problematic ByteBuffer handling in CipherSpi.bufferCrypt method + JDK-8181841: A TSA server returns timestamp with precision higher than milliseconds + JDK-8227269: Slow class loading when running with JDWP + JDK-8229899: Make java.io.File.isInvalid() less racy + JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing + JDK-8241750: x86_32 build failure after JDK-8227269 + JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in + JDK-8244843: JapanEraNameCompatTest fails * Import of OpenJDK 8 u262 build 06 + JDK-8246223: Windows build fails after JDK-8227269 * Import of OpenJDK 8 u262 build 07 + JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing + JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a + JDK-8245167: Top package in method profiling shows null in JMC + JDK-8246703: [TESTBUG] Add test for JDK-8233197 * Import of OpenJDK 8 u262 build 08 + JDK-8220293: Deadlock in JFR string pool + JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 + JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 * Import of OpenJDK 8 u262 build 09 + JDK-8248399: Build installs jfr binary when JFR is disabled * Import of OpenJDK 8 u262 build 10 + JDK-8248715: New JavaTimeSupplementary localisation for 'in' installed in wrong package * Import of OpenJDK 8 u265 build 01 + JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool behavior + JDK-8250546: Expect changed behaviour reported in JDK-8249846 * Import of OpenJDK 8 u272 build 01 + JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY test/compiler/7177917/Test7177917.java + JDK-8035493: JVMTI PopFrame capability must instruct compilers not to prune locals + JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in DefaultProxySelector.c + JDK-8039082: [TEST_BUG] Test java/awt/dnd/ /BadSerializationTest/BadSerializationTest.java fails + JDK-8075774: Small readability and performance improvements for zipfs + JDK-8132206: move ScanTest.java into OpenJDK + JDK-8132376: Add @requires os.family to the client tests with access to internal OS-specific API + JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java + JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/ /appletviewer/IOExceptionIfEncodedURLTest/ /IOExceptionIfEncodedURLTest.sh + JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/ /MTGraphicsAccessTest.java hangs on Win. 8 + JDK-8151788: NullPointerException from ntlm.Client.type3 + JDK-8151834: Test SmallPrimeExponentP.java times out intermittently + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public + JDK-8156169: Some sound tests rarely hangs because of incorrect synchronization + JDK-8165936: Potential Heap buffer overflow when seaching timezone info files + JDK-8166148: Fix for JDK-8165936 broke solaris builds + JDK-8167300: Scheduling failures during gcm should be fatal + JDK-8167615: Opensource unit/regression tests for JavaSound + JDK-8172012: [TEST_BUG] delays needed in javax/swing/JTree/4633594/bug4633594.java + JDK-8177628: Opensource unit/regression tests for ImageIO + JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java + JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/ /AppletContextTest/BadPluginConfigurationTest.sh + JDK-8193137: Nashorn crashes when given an empty script file + JDK-8194298: Add support for per Socket configuration of TCP keepalive + JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws error + JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails + JDK-8210147: adjust some WSAGetLastError usages in windows network coding + JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor versions + JDK-8214862: assert(proj != __null) at compile.cpp:3251 + JDK-8217606: LdapContext#reconnect always opens a new connection + JDK-8217647: JFR: recordings on 32-bit systems unreadable + JDK-8226697: Several tests which need the @key headful keyword are missing it. + JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + JDK-8230303: JDB hangs when running monitor command + JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return NULL if n is not in the CG + JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion + JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version + JDK-8235325: build failure on Linux after 8235243 + JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink + JDK-8237951: CTW: C2 compilation fails with "malformed control flow" + JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary + JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + JDK-8239819: XToolkit: Misread of screen information memory + JDK-8240295: hs_err elapsed time in seconds is not accurate enough + JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash + JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + JDK-8246310: Clean commented-out code about ModuleEntry and PackageEntry in JFR + JDK-8246384: Enable JFR by default on supported architectures for October 2020 release + JDK-8248643: Remove extra leading space in JDK-8240295 8u backport + JDK-8249610: Make sun.security.krb5.Config.getBooleanObject(String... keys) method public * Import of OpenJDK 8 u272 build 02 + JDK-8023697: failed class resolution reports different class name in detail message for the first and subsequent times + JDK-8025886: replace [[ and == bash extensions in regtest + JDK-8046274: Removing dependency on jakarta-regexp + JDK-8048933: -XX:+TraceExceptions output should include the message + JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/ /fileaccess/FontFile.java fails + JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent + JDK-8154313: Generated javadoc scattered all over the place + JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k + JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled + JDK-8183349: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java and WriteAfterAbort.java + JDK-8191678: [TESTBUG] Add keyword headful in java/awt FocusTransitionTest test. + JDK-8201633: Problems with AES-GCM native acceleration + JDK-8211049: Second parameter of "initialize" method is not used + JDK-8219566: JFR did not collect call stacks when MaxJavaStackTraceDepth is set to zero + JDK-8220165: Encryption using GCM results in RuntimeException- input length out of bound + JDK-8220555: JFR tool shows potentially misleading message when it cannot access a file + JDK-8224217: RecordingInfo should use textual representation of path + JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/ /SctpNet.c "multiple definition" link errors with GCC10 + JDK-8238388, PR3798: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + JDK-8250755: Better cleanup for jdk/test/javax/imageio/ /plugins/shared/CanWriteSequence.java * Import of OpenJDK 8 u272 build 03 + JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java fails sometimes + JDK-8148754: C2 loop unrolling fails due to unexpected graph shape + JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied + JDK-8203357: Container Metrics + JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + JDK-8216283: Allow shorter method sampling interval than 10 ms + JDK-8221569: JFR tool produces incorrect output when both --categories and --events are specified + JDK-8233097: Fontmetrics for large Fonts has zero width + JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + JDK-8250875: Incorrect parameter type for update_number in JDK_Version::jdk_update * Import of OpenJDK 8 u272 build 04 + JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws IllegalArgumentException for flags of type double + JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1 + JDK-8217878: ENVELOPING XML signature no longer works in JDK 11 + JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 + JDK-8243138: Enhance BaseLdapServer to support starttls extended request * Import of OpenJDK 8 u272 build 05 + JDK-8026236: Add PrimeTest for BigInteger + JDK-8057003: Large reference arrays cause extremely long synchronization times + JDK-8060721: Test runtime/SharedArchiveFile/ /LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler + JDK-8152077: (cal) Calendar.roll does not always roll the hours during daylight savings + JDK-8168517: java/lang/ProcessBuilder/Basic.java failed + JDK-8211163: UNIX version of Java_java_io_Console_echo does not return a clean boolean + JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker container only works with debug JVMs + JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + JDK-8236645: JDK 8u231 introduces a regression with incompatible handling of XML messages + JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + JDK-8249158: THREAD_START and THREAD_END event posted in primordial phase + JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds + JDK-8252084: Minimal VM fails to bootcycle: undefined symbol: AgeTableTracer::is_tenuring_distribution_event_enabled * Import of OpenJDK 8 u272 build 06 + JDK-8064319: Need to enable -XX:+TraceExceptions in release builds + JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40 support + JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not working + JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface license + JDK-8184762: ZapStackSegments should use optimized memset + JDK-8193234: When using -Xcheck:jni an internally allocated buffer can leak + JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly + JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6 + JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + JDK-8225695: 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) + JDK-8226575: OperatingSystemMXBean should be made container aware + JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + JDK-8228835: Memory leak in PKCS11 provider when using AES GCM + JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + JDK-8238898, PR3801: Missing hash characters for header on license file + JDK-8243320: Add SSL root certificates to Oracle Root CA program + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + JDK-8245467: Remove 8u TLSv1.2 implementation files + JDK-8245469: Remove DTLS protocol implementation + JDK-8245470: Fix JDK8 compatibility issues + JDK-8245471: Revert JDK-8148188 + JDK-8245472: Backport JDK-8038893 to JDK8 + JDK-8245473: OCSP stapling support + JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712 + JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by default + JDK-8245477: Adjust TLS tests location + JDK-8245653: Remove 8u TLS tests + JDK-8245681: Add TLSv1.3 regression test from 11.0.7 + JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is set to either true or false + JDK-8251341: Minimal Java specification change + JDK-8251478: Backport TLSv1.3 regression tests to JDK8u * Import of OpenJDK 8 u272 build 07 + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ * Import of OpenJDK 8 u272 build 08 + JDK-8062947: Fix exception message to correctly represent LDAP connection failure + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + JDK-8252573: 8u: Windows build failed after 8222079 backport * Import of OpenJDK 8 u272 build 09 + JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation failed * Import of OpenJDK 8 u272 build 10 + JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the fix for JDK-8249158 + JDK-8254937: Revert JDK-8148854 for 8u272 * Backports + JDK-8038723, PR3806: Openup some PrinterJob tests + JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when JTable contains certain string + JDK-8058779, PR3805: Faster implementation of String.replace(CharSequence, CharSequence) + JDK-8130125, PR3806: [TEST_BUG] add @modules to the several client tests unaffected by the automated bulk update + JDK-8144015, PR3806: [PIT] failures of text layout font tests + JDK-8144023, PR3806: [PIT] failure of text measurements in javax/swing/text/html/parser/Parser/6836089/bug6836089.java + JDK-8144240, PR3806: [macosx][PIT] AIOOB in closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8145542, PR3806: The case failed automatically and thrown java.lang.ArrayIndexOutOfBoundsException exception + JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when displaying Devanagari text in JEditorPane + JDK-8152358, PR3800: code and comment cleanups found during the hunt for 8077392 + JDK-8152545, PR3804: Use preprocessor instead of compiling a program to generate native nio constants + JDK-8152680, PR3806: Regression in GlyphVector.getGlyphCharIndex behaviour + JDK-8158924, PR3806: Incorrect i18n text document layout + JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for javax/swing/text/GlyphPainter2/6427244/bug6427244.java + JDK-8166068, PR3806: test/java/awt/font/GlyphVector/ /GetGlyphCharIndexTest.java does not compile + JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/ /GlyphPainter2/6427244/bug6427244.java - compilation failed + JDK-8191512, PR3806: T2K font rasterizer code removal + JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from JDK sources + JDK-8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal and NoPadding + JDK-8254177, PR3809: (tz) Upgrade time-zone data to tzdata2020b * Bug fixes + PR3798: Fix format-overflow error on GCC 10, caused by passing NULL to a '%s' directive + PR3795: ECDSAUtils for XML digital signatures should support the same curve set as the rest of the JDK + PR3799: Adapt elliptic curve patches to JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7 + PR3808: IcedTea does not install the JFR *.jfc files + PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has fixed its use with Shenandoah + PR3811: Don't attempt to install JFR files when JFR is disabled * Shenandoah + [backport] 8221435: Shenandoah should not mark through weak roots + [backport] 8221629: Shenandoah: Cleanup class unloading logic + [backport] 8222992: Shenandoah: Pre-evacuate all roots + [backport] 8223215: Shenandoah: Support verifying subset of roots + [backport] 8223774: Shenandoah: Refactor ShenandoahRootProcessor and family + [backport] 8224210: Shenandoah: Refactor ShenandoahRootScanner to support scanning CSet codecache roots + [backport] 8224508: Shenandoah: Need to update thread roots in final mark for piggyback ref update cycle + [backport] 8224579: ResourceMark not declared in shenandoahRootProcessor.inline.hpp with --disable-precompiled-headers + [backport] 8224679: Shenandoah: Make ShenandoahParallelCodeCacheIterator noncopyable + [backport] 8224751: Shenandoah: Shenandoah Verifier should select proper roots according to current GC cycle + [backport] 8225014: Separate ShenandoahRootScanner method for object_iterate + [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't work for Shenandoah + [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to ensure roots to-space invariant + [backport] 8225590: Shenandoah: Refactor ShenandoahClassLoaderDataRoots API + [backport] 8226413: Shenandoah: Separate root scanner for SH::object_iterate() + [backport] 8230853: Shenandoah: replace leftover assert(is_in(...)) with rich asserts + [backport] 8231198: Shenandoah: heap walking should visit all roots most of the time + [backport] 8231244: Shenandoah: all-roots heap walking misses some weak roots + [backport] 8237632: Shenandoah: accept NULL fwdptr to cooperate with JVMTI and JFR + [backport] 8239786: Shenandoah: print per-cycle statistics + [backport] 8239926: Shenandoah: Shenandoah needs to mark nmethod's metadata + [backport] 8240671: Shenandoah: refactor ShenandoahPhaseTimings + [backport] 8240749: Shenandoah: refactor ShenandoahUtils + [backport] 8240750: Shenandoah: remove leftover files and mentions of ShenandoahAllocTracker + [backport] 8240868: Shenandoah: remove CM-with-UR piggybacking cycles + [backport] 8240872: Shenandoah: Avoid updating new regions from start of evacuation + [backport] 8240873: Shenandoah: Short-cut arraycopy barriers + [backport] 8240915: Shenandoah: Remove unused fields in init mark tasks + [backport] 8240948: Shenandoah: cleanup not-forwarded-objects paths after JDK-8240868 + [backport] 8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + [backport] 8241062: Shenandoah: rich asserts trigger "empty statement" inspection + [backport] 8241081: Shenandoah: Do not modify update-watermark concurrently + [backport] 8241093: Shenandoah: editorial changes in flag descriptions + [backport] 8241139: Shenandoah: distribute mark-compact work exactly to minimize fragmentation + [backport] 8241142: Shenandoah: should not use parallel reference processing with single GC thread + [backport] 8241351: Shenandoah: fragmentation metrics overhaul + [backport] 8241435: Shenandoah: avoid disabling pacing with "aggressive" + [backport] 8241520: Shenandoah: simplify region sequence numbers handling + [backport] 8241534: Shenandoah: region status should include update watermark + [backport] 8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + [backport] 8241583: Shenandoah: turn heap lock asserts into macros + [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not derive from ContiguousSpace + [backport] 8241673: Shenandoah: refactor anti-false-sharing padding + [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at shenandoahSupport.cpp:2858 with java/util/Collections/FindSubList.java + [backport] 8241692: Shenandoah: remove ShenandoahHeapRegion::_reserved + [backport] 8241700: Shenandoah: Fold ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier + [backport] 8241740: Shenandoah: remove ShenandoahHeapRegion::_heap + [backport] 8241743: Shenandoah: refactor and inline ShenandoahHeap::heap() + [backport] 8241748: Shenandoah: inline MarkingContext TAMS methods + [backport] 8241838: Shenandoah: no need to trash cset during final mark + [backport] 8241841: Shenandoah: ditch one of allocation type counters in ShenandoahHeapRegion + [backport] 8241842: Shenandoah: inline ShenandoahHeapRegion::region_number + [backport] 8241844: Shenandoah: rename ShenandoahHeapRegion::region_number + [backport] 8241845: Shenandoah: align ShenandoahHeapRegions to cache lines + [backport] 8241926: Shenandoah: only print heap changes for operations that directly affect it + [backport] 8241983: Shenandoah: simplify FreeSet logging + [backport] 8241985: Shenandoah: simplify collectable garbage logging + [backport] 8242040: Shenandoah: print allocation failure type + [backport] 8242041: Shenandoah: adaptive heuristics should account evac reserve in free target + [backport] 8242042: Shenandoah: tune down ShenandoahGarbageThreshold + [backport] 8242054: Shenandoah: New incremental-update mode + [backport] 8242075: Shenandoah: rename ShenandoahHeapRegionSize flag + [backport] 8242082: Shenandoah: Purge Traversal mode + [backport] 8242083: Shenandoah: split "Prepare Evacuation" tracking into cset/freeset counters + [backport] 8242089: Shenandoah: per-worker stats should be summed up, not averaged + [backport] 8242101: Shenandoah: coalesce and parallelise heap region walks during the pauses + [backport] 8242114: Shenandoah: remove ShenandoahHeapRegion::reset_alloc_metadata_to_shared + [backport] 8242130: Shenandoah: Simplify arraycopy-barrier dispatching + [backport] 8242211: Shenandoah: remove ShenandoahHeuristics::RegionData::_seqnum_last_alloc + [backport] 8242212: Shenandoah: initialize ShenandoahHeuristics::_region_data eagerly + [backport] 8242213: Shenandoah: remove ShenandoahHeuristics::_bytes_in_cset + [backport] 8242217: Shenandoah: Enable GC mode to be diagnostic/experimental and have a name + [backport] 8242227: Shenandoah: transit regions to cset state when adding to collection set + [backport] 8242228: Shenandoah: remove unused ShenandoahCollectionSet methods + [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion liveness-related methods + [backport] 8242267: Shenandoah: regions space needs to be aligned by os::vm_allocation_granularity() + [backport] 8242271: Shenandoah: add test to verify GC mode unlock + [backport] 8242273: Shenandoah: accept either SATB or IU barriers, but not both + [backport] 8242301: Shenandoah: Inline LRB runtime call + [backport] 8242316: Shenandoah: Turn NULL-check into assert in SATB slow-path entry + [backport] 8242353: Shenandoah: micro-optimize region liveness handling + [backport] 8242365: Shenandoah: use uint16_t instead of jushort for liveness cache + [backport] 8242375: Shenandoah: Remove ShenandoahHeuristic::record_gc_start/end methods + [backport] 8242641: Shenandoah: clear live data and update TAMS optimistically + [backport] 8243238: Shenandoah: explicit GC request should wait for a complete GC cycle + [backport] 8243301: Shenandoah: ditch ShenandoahAllowMixedAllocs + [backport] 8243307: Shenandoah: remove ShCollectionSet::live_data + [backport] 8243395: Shenandoah: demote guarantee in ShenandoahPhaseTimings::record_workers_end + [backport] 8243463: Shenandoah: ditch total_pause counters + [backport] 8243464: Shenandoah: print statistic counters in time order + [backport] 8243465: Shenandoah: ditch unused pause_other, conc_other counters + [backport] 8243487: Shenandoah: make _num_phases illegal phase type + [backport] 8243494: Shenandoah: set counters once per cycle + [backport] 8243573: Shenandoah: rename GCParPhases and related code + [backport] 8243848: Shenandoah: Windows build fails after JDK-8239786 + [backport] 8244180: Shenandoah: carry Phase to ShWorkerTimingsTracker explicitly + [backport] 8244200: Shenandoah: build breakages after JDK-8241743 + [backport] 8244226: Shenandoah: per-cycle statistics contain worker data from previous cycles + [backport] 8244326: Shenandoah: global statistics should not accept bogus samples + [backport] 8244509: Shenandoah: refactor ShenandoahBarrierC2Support::test_* methods + [backport] 8244551: Shenandoah: Fix racy update of update_watermark + [backport] 8244667: Shenandoah: SBC2Support::test_gc_state takes loop for wrong control + [backport] 8244730: Shenandoah: gc/shenandoah/options/ /TestHeuristicsUnlock.java should only verify the heuristics + [backport] 8244732: Shenandoah: move heuristics code to gc/shenandoah/heuristics + [backport] 8244737: Shenandoah: move mode code to gc/shenandoah/mode + [backport] 8244739: Shenandoah: break superclass dependency on ShenandoahNormalMode + [backport] 8244740: Shenandoah: rename ShenandoahNormalMode to ShenandoahSATBMode + [backport] 8245461: Shenandoah: refine mode name()-s + [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings constructor arguments + [backport] 8245464: Shenandoah: allocate collection set bitmap at lower addresses + [backport] 8245465: Shenandoah: test_in_cset can use more efficient encoding + [backport] 8245726: Shenandoah: lift/cleanup ShenandoahHeuristics names and properties + [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch + [backport] 8245757: Shenandoah: AlwaysPreTouch should not disable heap resizing or uncommits + [backport] 8245773: Shenandoah: Windows assertion failure after JDK-8245464 + [backport] 8245812: Shenandoah: compute root phase parallelism + [backport] 8245814: Shenandoah: reconsider format specifiers for stats + [backport] 8245825: Shenandoah: Remove diagnostic flag ShenandoahConcurrentScanCodeRoots + [backport] 8246162: Shenandoah: full GC does not mark code roots when class unloading is off + [backport] 8247310: Shenandoah: pacer should not affect interrupt status + [backport] 8247358: Shenandoah: reconsider free budget slice for marking + [backport] 8247367: Shenandoah: pacer should wait on lock instead of exponential backoff + [backport] 8247474: Shenandoah: Windows build warning after JDK-8247310 + [backport] 8247560: Shenandoah: heap iteration holds root locks all the time + [backport] 8247593: Shenandoah: should not block pacing reporters + [backport] 8247751: Shenandoah: options tests should run with smaller heaps + [backport] 8247754: Shenandoah: mxbeans tests can be shorter + [backport] 8247757: Shenandoah: split heavy tests by heuristics to improve parallelism + [backport] 8247860: Shenandoah: add update watermark line in rich assert failure message + [backport] 8248041: Shenandoah: pre-Full GC root updates may miss some roots + [backport] 8248652: Shenandoah: SATB buffer handling may assume no forwarded objects + [backport] 8249560: Shenandoah: Fix racy GC request handling + [backport] 8249649: Shenandoah: provide per-cycle pacing stats + [backport] 8249801: Shenandoah: Clear soft-refs on requested GC cycle + [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + Fix slowdebug build after JDK-8230853 backport + JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and JFR + JDK-8252366: Shenandoah: revert/cleanup changes in graphKit.cpp + Shenandoah: add JFR roots to root processor after JFR integration + Shenandoah: add root statistics for string dedup table/queues + Shenandoah: enable low-frequency STW class unloading + Shenandoah: fix build failures after JDK-8244737 backport + Shenandoah: Fix build failure with +JFR -PCH + Shenandoah: fix forceful pacer claim + Shenandoah: fix formats in ShenandoahStringSymbolTableUnlinkTask + Shenandoah: fix runtime linking failure due to non-compiled shenandoahBarrierSetC1 + Shenandoah: hook statistics printing to PrintGCDetails, not PrintGC + Shenandoah: JNI weak roots are always cleared before Full GC mark + Shenandoah: missing SystemDictionary roots in ShenandoahHeapIterationRootScanner + Shenandoah: move barrier sets to their proper locations + Shenandoah: move parallelCleaning.* to shenandoah/ + Shenandoah: pacer should use proper Atomics for intptr_t + Shenandoah: properly deallocates class loader metadata + Shenandoah: specialize String Table scans for better pause performance + Shenandoah: Zero build fails after recent Atomic cleanup in Pacer * AArch64 port + JDK-8161072, PR3797: AArch64: jtreg compiler/uncommontrap/TestDeoptOOM failure + JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java generates guarantee failure in C1 + JDK-8183925, PR3797: [AArch64] Decouple crash protection from watcher thread + JDK-8199712, PR3797: [AArch64] Flight Recorder + JDK-8203481, PR3797: Incorrect constraint for unextended_sp in frame:safe_for_sender + JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall fails with SIGILL on aarch64 + JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command + JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java fails on AArch64 + JDK-8216989, PR3797: CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier() does not check for zero length on AARCH64 + JDK-8217368, PR3797: AArch64: C2 recursive stack locking optimisation not triggered + JDK-8221658, PR3797: aarch64: add necessary predicate for ubfx patterns + JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a BufferBlob + JDK-8246482, PR3797: Build failures with +JFR -PCH + JDK-8247979, PR3797: aarch64: missing side effect of killing flags for clearArray_reg_reg + JDK-8248219, PR3797: aarch64: missing memory barrier in fast_storefield and fast_accessfield This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2083=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): java-1_8_0-openjdk-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-accessibility-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-debuginfo-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-debugsource-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-demo-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-devel-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-headless-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-lp152.2.3.1 java-1_8_0-openjdk-src-1.8.0.272-lp152.2.3.1 - openSUSE Leap 15.2 (noarch): java-1_8_0-openjdk-javadoc-1.8.0.272-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2020-14556.html https://www.suse.com/security/cve/CVE-2020-14577.html https://www.suse.com/security/cve/CVE-2020-14578.html https://www.suse.com/security/cve/CVE-2020-14579.html https://www.suse.com/security/cve/CVE-2020-14581.html https://www.suse.com/security/cve/CVE-2020-14583.html https://www.suse.com/security/cve/CVE-2020-14593.html https://www.suse.com/security/cve/CVE-2020-14621.html https://www.suse.com/security/cve/CVE-2020-14779.html https://www.suse.com/security/cve/CVE-2020-14781.html https://www.suse.com/security/cve/CVE-2020-14782.html https://www.suse.com/security/cve/CVE-2020-14792.html https://www.suse.com/security/cve/CVE-2020-14796.html https://www.suse.com/security/cve/CVE-2020-14797.html https://www.suse.com/security/cve/CVE-2020-14798.html https://www.suse.com/security/cve/CVE-2020-14803.html https://bugzilla.suse.com/1174157 https://bugzilla.suse.com/1177943

1 0

[opensuse-security-announce] openSUSE-SU-2020:2076-1: moderate: Security update for wireshark
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2076-1 Rating: moderate References: #1177406 #1178291 Cross-References: CVE-2020-26575 CVE-2020-28030 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for wireshark fixes the following issues: - wireshark was updated to 3.2.8: - CVE-2020-26575: Fixed an issue where FBZERO dissector was entering in infinite loop (bsc#1177406) - CVE-2020-28030: Fixed an issue where GQUIC dissector was crashing (bsc#1178291) * Infinite memory allocation while parsing this tcp packet This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2076=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libwireshark13-3.2.8-lp152.2.9.1 libwireshark13-debuginfo-3.2.8-lp152.2.9.1 libwiretap10-3.2.8-lp152.2.9.1 libwiretap10-debuginfo-3.2.8-lp152.2.9.1 libwsutil11-3.2.8-lp152.2.9.1 libwsutil11-debuginfo-3.2.8-lp152.2.9.1 wireshark-3.2.8-lp152.2.9.1 wireshark-debuginfo-3.2.8-lp152.2.9.1 wireshark-debugsource-3.2.8-lp152.2.9.1 wireshark-devel-3.2.8-lp152.2.9.1 wireshark-ui-qt-3.2.8-lp152.2.9.1 wireshark-ui-qt-debuginfo-3.2.8-lp152.2.9.1 References: https://www.suse.com/security/cve/CVE-2020-26575.html https://www.suse.com/security/cve/CVE-2020-28030.html https://bugzilla.suse.com/1177406 https://bugzilla.suse.com/1178291

1 0

[opensuse-security-announce] openSUSE-SU-2020:2067-1: moderate: Security update for go1.14
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for go1.14 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2067-1 Rating: moderate References: #1164903 #1178750 #1178752 #1178753 Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for go1.14 fixes the following issues: - go1.14.12 (released 2020-11-12) includes security fixes to the cmd/go and math/big packages. * go#42553 math/big: panic during recursive division of very large numbers (bsc#1178750 CVE-2020-28362) * go#42560 cmd/go: arbitrary code can be injected into cgo generated files (bsc#1178752 CVE-2020-28367) * go#42557 cmd/go: improper validation of cgo flags can lead to remote code execution at build time (bsc#1178753 CVE-2020-28366) * go#42155 time: Location interprets wrong timezone (DST) with slim zoneinfo * go#42112 x/net/http2: the first write error on a connection will cause all subsequent write requests to fail blindly * go#41991 runtime: macOS-only segfault on 1.14+ with "split stack overflow" * go#41913 net/http: request.Clone doesn't deep copy TransferEncoding * go#41703 runtime: macOS syscall.Exec can get SIGILL due to preemption signal * go#41386 x/net/http2: connection-level flow control not returned if stream errors, causes server hang This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2067=1 Package List: - openSUSE Leap 15.2 (x86_64): go1.14-1.14.12-lp152.2.12.1 go1.14-doc-1.14.12-lp152.2.12.1 go1.14-race-1.14.12-lp152.2.12.1 References: https://www.suse.com/security/cve/CVE-2020-28362.html https://www.suse.com/security/cve/CVE-2020-28366.html https://www.suse.com/security/cve/CVE-2020-28367.html https://bugzilla.suse.com/1164903 https://bugzilla.suse.com/1178750 https://bugzilla.suse.com/1178752 https://bugzilla.suse.com/1178753

1 0

[opensuse-security-announce] openSUSE-SU-2020:2064-1: moderate: Security update for perl-DBI
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for perl-DBI ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2064-1 Rating: moderate References: #1176492 Cross-References: CVE-2014-10401 CVE-2014-10402 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for perl-DBI fixes the following issues: - DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). [bsc#1176492, CVE-2014-10401, CVE-2014-10402] This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2064=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): perl-DBI-1.642-lp152.2.9.1 perl-DBI-debuginfo-1.642-lp152.2.9.1 perl-DBI-debugsource-1.642-lp152.2.9.1 References: https://www.suse.com/security/cve/CVE-2014-10401.html https://www.suse.com/security/cve/CVE-2014-10402.html https://bugzilla.suse.com/1176492

1 0

[opensuse-security-announce] openSUSE-SU-2020:2063-1: moderate: Security update for podman
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for podman ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2063-1 Rating: moderate References: #1176804 #1178122 #1178392 Cross-References: CVE-2020-14370 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for podman fixes the following issues: Security issue fixed: - This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API (bsc#1176804). Non-security issues fixed: - add dependency to timezone package or podman fails to build a container (bsc#1178122) - Install new auto-update system units - Update to v2.1.1 (bsc#1178392): * Changes - The `podman info` command now includes the cgroup manager Podman is using. * API - The REST API now includes a Server header in all responses. - Fixed a bug where the Libpod and Compat Attach endpoints could terminate early, before sending all output from the container. - Fixed a bug where the Compat Create endpoint for containers did not properly handle the Interactive parameter. - Fixed a bug where the Compat Kill endpoint for containers could continue to run after a fatal error. - Fixed a bug where the Limit parameter of the Compat List endpoint for Containers did not properly handle a limit of 0 (returning nothing, instead of all containers) [#7722]. - The Libpod Stats endpoint for containers is being deprecated and will be replaced by a similar endpoint with additional features in a future release. - Changes in v2.1.0 * Features - A new command, `podman image mount`, has been added. This allows for an image to be mounted, read-only, to inspect its contents without creating a container from it [#1433]. - The `podman save` and `podman load` commands can now create and load archives containing multiple images [#2669]. - Rootless Podman now supports all `podman network` commands, and rootless containers can now be joined to networks. - The performance of `podman build` on `ADD` and `COPY` instructions has been greatly improved, especially when a `.dockerignore` is present. - The `podman run` and `podman create` commands now support a new mode for the `--cgroups` option, `--cgroups=split`. Podman will create two cgroups under the cgroup it was launched in, one for the container and one for Conmon. This mode is useful for running Podman in a systemd unit, as it ensures that all processes are retained in systemd's cgroup hierarchy [#6400]. - The `podman run` and `podman create` commands can now specify options to slirp4netns by using the `--network` option as follows: `--net slirp4netns:opt1,opt2`. This allows for, among other things, switching the port forwarder used by slirp4netns away from rootlessport. - The `podman ps` command now features a new option, `--storage`, to show containers from Buildah, CRI-O and other applications. - The `podman run` and `podman create` commands now feature a `--sdnotify` option to control the behavior of systemd's sdnotify with containers, enabling improved support for Podman in `Type=notify` units. - The `podman run` command now features a `--preserve-fds` opton to pass file descriptors from the host into the container [#6458]. - The `podman run` and `podman create` commands can now create overlay volume mounts, by adding the `:O` option to a bind mount (e.g. `-v /test:/test:O`). Overlay volume mounts will mount a directory into a container from the host and allow changes to it, but not write those changes back to the directory on the host. - The `podman play kube` command now supports the Socket HostPath type [#7112]. - The `podman play kube` command now supports read-only mounts. - The `podman play kube` command now supports setting labels on pods from Kubernetes metadata labels. - The `podman play kube` command now supports setting container restart policy [#7656]. - The `podman play kube` command now properly handles `HostAlias` entries. - The `podman generate kube` command now adds entries to `/etc/hosts` from `--host-add` generated YAML as `HostAlias` entries. - The `podman play kube` and `podman generate kube` commands now properly support `shareProcessNamespace` to share the PID namespace in pods. - The `podman volume ls` command now supports the `dangling` filter to identify volumes that are dangling (not attached to any container). - The `podman run` and `podman create` commands now feature a `--umask` option to set the umask of the created container. - The `podman create` and `podman run` commands now feature a `--tz` option to set the timezone within the container [#5128]. - Environment variables for Podman can now be added in the `containers.conf` configuration file. - The `--mount` option of `podman run` and `podman create` now supports a new mount type, `type=devpts`, to add a `devpts` mount to the container. This is useful for containers that want to mount `/dev/` from the host into the container, but still create a terminal. - The `--security-opt` flag to `podman run` and `podman create` now supports a new option, `proc-opts`, to specify options for the container's `/proc` filesystem. - Podman with the `crun` OCI runtime now supports a new option to `podman run` and `podman create`, `--cgroup-conf`, which allows for advanced configuration of cgroups on cgroups v2 systems. - The `podman create` and `podman run` commands now support a `--override-variant` option, to override the architecture variant of the image that will be pulled and ran. - A new global option has been added to Podman, `--runtime-flags`, which allows for setting flags to use when the OCI runtime is called. - The `podman manifest add` command now supports the `--cert-dir`, `--auth-file`, `--creds`, and `--tls-verify` options. * Security - This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API. * Changes - Podman will now retry pulling an image 3 times if a pull fails due to network errors. - The `podman exec` command would previously print error messages (e.g. `exec session exited with non-zero exit code -1`) when the command run exited with a non-0 exit code. It no longer does this. The `podman exec` command will still exit with the same exit code as the command run in the container did. - Error messages when creating a container or pod with a name that is already in use have been improved. - For read-only containers running systemd init, Podman creates a tmpfs filesystem at `/run`. This was previously limited to 65k in size and mounted `noexec`, but is now unlimited size and mounted `exec`. - The `podman system reset` command no longer removes configuration files for rootless Podman. * API - The Libpod API version has been bumped to v2.0.0 due to a breaking change in the Image List API. - Docker-compatible Volume Endpoints (Create, Inspect, List, Remove, Prune) are now available! - Added an endpoint for generating systemd unit files for containers. - The `last` parameter to the Libpod container list endpoint now has an alias, `limit` [#6413]. - The Libpod image list API new returns timestamps in Unix format, as integer, as opposed to as strings - The Compat Inspect endpoint for containers now includes port information in NetworkSettings. - The Compat List endpoint for images now features limited support for the (deprecated) `filter` query parameter [#6797]. - Fixed a bug where the Compat Create endpoint for containers was not correctly handling bind mounts. - Fixed a bug where the Compat Create endpoint for containers would not return a 404 when the requested image was not present. - Fixed a bug where the Compat Create endpoint for containers did not properly handle Entrypoint and Command from images. - Fixed a bug where name history information was not properly added in the Libpod Image List endpoint. - Fixed a bug where the Libpod image search endpoint improperly populated the Description field of responses. - Added a `noTrunc` option to the Libpod image search endpoint. - Fixed a bug where the Pod List API would return null, instead of an empty array, when no pods were present [#7392]. - Fixed a bug where endpoints that hijacked would do perform the hijack too early, before being ready to send and receive data [#7195]. - Fixed a bug where Pod endpoints that can operate on multiple containers at once (e.g. Kill, Pause, Unpause, Stop) would not forward errors from individual containers that failed. - The Compat List endpoint for networks now supports filtering results [#7462]. - Fixed a bug where the Top endpoint for pods would return both a 500 and 404 when run on a non-existent pod. - Fixed a bug where Pull endpoints did not stream progress back to the client. - The Version endpoints (Libpod and Compat) now provide version in a format compatible with Docker. - All non-hijacking responses to API requests should not include headers with the version of the server. - Fixed a bug where Libpod and Compat Events endpoints did not send response headers until the first event occurred [#7263]. - Fixed a bug where the Build endpoints (Compat and Libpod) did not stream progress to the client. - Fixed a bug where the Stats endpoints (Compat and Libpod) did not properly handle clients disconnecting. - Fixed a bug where the Ignore parameter to the Libpod Stop endpoint was not performing properly. - Fixed a bug where the Compat Logs endpoint for containers did not stream its output in the correct format [#7196]. This update was imported from the SUSE:SLE-15-SP1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2063=1 Package List: - openSUSE Leap 15.2 (noarch): podman-cni-config-2.1.1-lp152.4.6.1 - openSUSE Leap 15.2 (x86_64): podman-2.1.1-lp152.4.6.1 References: https://www.suse.com/security/cve/CVE-2020-14370.html https://bugzilla.suse.com/1176804 https://bugzilla.suse.com/1178122 https://bugzilla.suse.com/1178392

1 0

[opensuse-security-announce] openSUSE-SU-2020:2065-1: moderate: Security update for dash
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for dash ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2065-1 Rating: moderate References: #1178978 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for dash fixes the following issues: - Fixed an issue where code was executed even if noexec ("-n") was specified (bsc#1178978). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2065=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): dash-0.5.11.2-lp152.4.6.1 dash-debuginfo-0.5.11.2-lp152.4.6.1 dash-debugsource-0.5.11.2-lp152.4.6.1 References: https://bugzilla.suse.com/1178978

1 0

[opensuse-security-announce] openSUSE-SU-2020:2075-1: important: Security update for ucode-intel
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2075-1 Rating: important References: #1170446 #1173592 #1173594 #1178971 Cross-References: CVE-2020-8695 CVE-2020-8696 CVE-2020-8698 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for ucode-intel fixes the following issues: - Updated Intel CPU Microcode to 20201118 official release. (bsc#1178971) - Removed TGL/06-8c-01/80 due to functional issues with some OEM platforms. - Updated Intel CPU Microcode to 20201110 official release. - CVE-2020-8695: Fixed Intel RAPL sidechannel attack (SGX) (bsc#1170446) - CVE-2020-8698: Fixed Fast Store Forward Predictor INTEL-SA-00381 (bsc#1173594) - CVE-2020-8696: Vector Register Sampling Active INTEL-SA-00381 (bsc#1173592) - Release notes: - Security updates for [INTEL-SA-00381](https://www.intel.com/content/www/us/en/security-center/ad visory/intel-sa-00381.html). - Security updates for [INTEL-SA-00389](https://www.intel.com/content/www/us/en/security-center/ad visory/intel-sa-00389.html). - Update for functional issues. Refer to [Second Generation Intel�� Xeon�� Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details. - Update for functional issues. Refer to [Intel�� Xeon�� Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details. - Update for functional issues. Refer to [Intel�� Xeon�� Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3- spec-update.html?wapkw=processor+spec+update+e5) for details. - Update for functional issues. Refer to [10th Gen Intel�� Core�� Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/co re/10th-gen-core-families-specification-update.html) for details. - Update for functional issues. Refer to [8th and 9th Gen Intel�� Core�� Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/co re/8th-gen-core-spec-update.html) for details. - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel�� Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-cor e-family-spec-update.html) for details. - Update for functional issues. Refer to [6th Gen Intel�� Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details. - Update for functional issues. Refer to [Intel�� Xeon�� E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-120 0v6-spec-update.html) for details. - Update for functional issues. Refer to [Intel�� Xeon�� E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xe on/xeon-e-2100-specification-update.html) for details. ### New Platforms | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | CPX-SP | A1 | 06-55-0b/bf | | 0700001e | Xeon Scalable Gen3 | LKF | B2/B3 | 06-8a-01/10 | | 00000028 | Core w/Hybrid Technology | TGL | B1 | 06-8c-01/80 | | 00000068 | Core Gen11 Mobile | CML-H | R1 | 06-a5-02/20 | | 000000e0 | Core Gen10 Mobile | CML-S62 | G1 | 06-a5-03/22 | | 000000e0 | Core Gen10 | CML-S102 | Q0 | 06-a5-05/22 | | 000000e0 | Core Gen10 | CML-U62 V2 | K0 | 06-a6-01/80 | | 000000e0 | Core Gen10 Mobile ### Updated Platforms | Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products |:---------------|:---------|:------------|:---------|:---------|:--------- | HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000043 | 00000044 | Core Gen4 X series; Xeon E5 v3 | SKL-U/Y | D0 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKL-U23e | K1 | 06-4e-03/c0 | 000000d6 | 000000e2 | Core Gen6 Mobile | SKX-SP | B1 | 06-55-03/97 | 01000157 | 01000159 | Xeon Scalable | SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon Scalable | SKX-D | M1 | 06-55-04/b7 | 02006906 | 02006a08 | Xeon D-21xx | CLX-SP | B0 | 06-55-06/bf | 04002f01 | 04003003 | Xeon Scalable Gen2 | CLX-SP | B1 | 06-55-07/bf | 05002f01 | 05003003 | Xeon Scalable Gen2 | APL | D0 | 06-5c-09/03 | 00000038 | 00000040 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx | APL | E0 | 06-5c-0a/03 | 00000016 | 0000001e | Atom x5-E39xx | SKL-H/S | R0/N0 | 06-5e-03/36 | 000000d6 | 000000e2 | Core Gen6; Xeon E3 v5 | GKL-R | R0 | 06-7a-08/01 | 00000016 | 00000018 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 | ICL-U/Y | D1 | 06-7e-05/80 | 00000078 | 000000a0 | Core Gen10 Mobile | AML-Y22 | H0 | 06-8e-09/10 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-U/Y | H0 | 06-8e-09/c0 | 000000d6 | 000000de | Core Gen7 Mobile | CFL-U43e | D0 | 06-8e-0a/c0 | 000000d6 | 000000e0 | Core Gen8 Mobile | WHL-U | W0 | 06-8e-0b/d0 | 000000d6 | 000000de | Core Gen8 Mobile | AML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | CML-Y42 | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen10 Mobile | WHL-U | V0 | 06-8e-0c/94 | 000000d6 | 000000de | Core Gen8 Mobile | KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000d6 | 000000de | Core Gen7; Xeon E3 v6 | CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000d6 | 000000de | Core Gen8 Desktop, Mobile, Xeon E | CFL-S | B0 | 06-9e-0b/02 | 000000d6 | 000000de | Core Gen8 | CFL-H/S | P0 | 06-9e-0c/22 | 000000d6 | 000000de | Core Gen9 | CFL-H | R0 | 06-9e-0d/22 | 000000d6 | 000000de | Core Gen9 Mobile | CML-U62 | A0 | 06-a6-00/80 | 000000ca | 000000e0 | Core Gen10 Mobile This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2075=1 Package List: - openSUSE Leap 15.2 (x86_64): ucode-intel-20201118-lp152.2.8.1 References: https://www.suse.com/security/cve/CVE-2020-8695.html https://www.suse.com/security/cve/CVE-2020-8696.html https://www.suse.com/security/cve/CVE-2020-8698.html https://bugzilla.suse.com/1170446 https://bugzilla.suse.com/1173592 https://bugzilla.suse.com/1173594 https://bugzilla.suse.com/1178971

1 0

[opensuse-security-announce] openSUSE-SU-2020:2059-1: moderate: Security update for wpa_supplicant
by opensuse-security＠opensuse.org 27 Nov '20

27 Nov '20

openSUSE Security Update: Security update for wpa_supplicant ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:2059-1 Rating: moderate References: #1131644 #1131868 #1131870 #1131871 #1131872 #1131874 #1133640 #1144443 #1150934 #1156920 #1166933 #1167331 #930077 #930078 #930079 Cross-References: CVE-2015-4141 CVE-2015-4142 CVE-2015-4143 CVE-2015-8041 CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 CVE-2018-14526 CVE-2019-11555 CVE-2019-13377 CVE-2019-16275 CVE-2019-9494 CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 22 vulnerabilities is now available. Description: This update for wpa_supplicant fixes the following issues: Security issue fixed: - CVE-2019-16275: Fixed an AP mode PMF disconnection protection bypass (bsc#1150934). Non-security issues fixed: - Enable SAE support (jsc#SLE-14992). - Limit P2P_DEVICE name to appropriate ifname size. - Fix wicked wlan (bsc#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331) - With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331) - Fix WLAN config on boot with wicked. (bsc#1166933) - Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Changed service-files for start after network (systemd-networkd). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-2059=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): wpa_supplicant-2.9-lp152.8.3.1 wpa_supplicant-debuginfo-2.9-lp152.8.3.1 wpa_supplicant-debugsource-2.9-lp152.8.3.1 wpa_supplicant-gui-2.9-lp152.8.3.1 wpa_supplicant-gui-debuginfo-2.9-lp152.8.3.1 References: https://www.suse.com/security/cve/CVE-2015-4141.html https://www.suse.com/security/cve/CVE-2015-4142.html https://www.suse.com/security/cve/CVE-2015-4143.html https://www.suse.com/security/cve/CVE-2015-8041.html https://www.suse.com/security/cve/CVE-2017-13077.html https://www.suse.com/security/cve/CVE-2017-13078.html https://www.suse.com/security/cve/CVE-2017-13079.html https://www.suse.com/security/cve/CVE-2017-13080.html https://www.suse.com/security/cve/CVE-2017-13081.html https://www.suse.com/security/cve/CVE-2017-13082.html https://www.suse.com/security/cve/CVE-2017-13086.html https://www.suse.com/security/cve/CVE-2017-13087.html https://www.suse.com/security/cve/CVE-2017-13088.html https://www.suse.com/security/cve/CVE-2018-14526.html https://www.suse.com/security/cve/CVE-2019-11555.html https://www.suse.com/security/cve/CVE-2019-13377.html https://www.suse.com/security/cve/CVE-2019-16275.html https://www.suse.com/security/cve/CVE-2019-9494.html https://www.suse.com/security/cve/CVE-2019-9495.html https://www.suse.com/security/cve/CVE-2019-9497.html https://www.suse.com/security/cve/CVE-2019-9498.html https://www.suse.com/security/cve/CVE-2019-9499.html https://bugzilla.suse.com/1131644 https://bugzilla.suse.com/1131868 https://bugzilla.suse.com/1131870 https://bugzilla.suse.com/1131871 https://bugzilla.suse.com/1131872 https://bugzilla.suse.com/1131874 https://bugzilla.suse.com/1133640 https://bugzilla.suse.com/1144443 https://bugzilla.suse.com/1150934 https://bugzilla.suse.com/1156920 https://bugzilla.suse.com/1166933 https://bugzilla.suse.com/1167331 https://bugzilla.suse.com/930077 https://bugzilla.suse.com/930078 https://bugzilla.suse.com/930079

1 0