openSUSE Security Announce
November 2020
- 2 participants
- 135 discussions

[opensuse-security-announce] openSUSE-SU-2020:2013-1: important: Security update for chromium
by opensuse-security@opensuse.org 25 Nov '20
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2013-1
Rating: important
References: #1178630 #1178703
Cross-References: CVE-2020-16013 CVE-2020-16016 CVE-2020-16017
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Update to 86.0.4240.198 (boo#1178703)
- CVE-2020-16013: Inappropriate implementation in V8
- CVE-2020-16017: Use after free in site isolation
Update to 86.0.4240.193 (boo#1178630)
- CVE-2020-16016: Inappropriate implementation in base.
This update was imported from the openSUSE:Leap:15.1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-2013=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 x86_64):
chromedriver-86.0.4240.198-bp151.3.134.1
chromium-86.0.4240.198-bp151.3.134.1
References:
https://www.suse.com/security/cve/CVE-2020-16013.html
https://www.suse.com/security/cve/CVE-2020-16016.html
https://www.suse.com/security/cve/CVE-2020-16017.html
https://bugzilla.suse.com/1178630
https://bugzilla.suse.com/1178703

[opensuse-security-announce] openSUSE-SU-2020:2012-1: important: Security update for chromium
by opensuse-security@opensuse.org 25 Nov '20
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2012-1
Rating: important
References: #1178923
Cross-References: CVE-2019-8075 CVE-2020-16012 CVE-2020-16014
CVE-2020-16015 CVE-2020-16018 CVE-2020-16019
CVE-2020-16020 CVE-2020-16021 CVE-2020-16022
CVE-2020-16023 CVE-2020-16024 CVE-2020-16025
CVE-2020-16026 CVE-2020-16027 CVE-2020-16028
CVE-2020-16029 CVE-2020-16030 CVE-2020-16031
CVE-2020-16032 CVE-2020-16033 CVE-2020-16034
CVE-2020-16035 CVE-2020-16036
Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that fixes 23 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
- Update to 87.0.4280.66 (boo#1178923)
- Wayland support by default
- CVE-2020-16018: Use after free in payments.
- CVE-2020-16019: Inappropriate implementation in filesystem.
- CVE-2020-16020: Inappropriate implementation in cryptohome.
- CVE-2020-16021: Race in ImageBurner.
- CVE-2020-16022: Insufficient policy enforcement in networking.
- CVE-2020-16015: Insufficient data validation in WASM.
- CVE-2020-16014: Use after free in PPAPI.
- CVE-2020-16023: Use after free in WebCodecs.
- CVE-2020-16024: Heap buffer overflow in UI.
- CVE-2020-16025: Heap buffer overflow in clipboard.
- CVE-2020-16026: Use after free in WebRTC.
- CVE-2020-16027: Insufficient policy enforcement in developer tools.
- CVE-2020-16028: Heap buffer overflow in WebRTC.
- CVE-2020-16029: Inappropriate implementation in PDFium.
- CVE-2020-16030: Insufficient data validation in Blink.
- CVE-2019-8075: Insufficient data validation in Flash.
- CVE-2020-16031: Incorrect security UI in tab preview.
- CVE-2020-16032: Incorrect security UI in sharing.
- CVE-2020-16033: Incorrect security UI in WebUSB.
- CVE-2020-16034: Inappropriate implementation in WebRTC.
- CVE-2020-16035: Insufficient data validation in cros-disks.
- CVE-2020-16012: Side-channel information leakage in graphics.
- CVE-2020-16036: Inappropriate implementation in cookies.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-2012=1
Package List:
- openSUSE Backports SLE-15-SP2 (aarch64 x86_64):
chromedriver-87.0.4280.66-bp152.2.32.1
chromium-87.0.4280.66-bp152.2.32.1
References:
https://www.suse.com/security/cve/CVE-2019-8075.html
https://www.suse.com/security/cve/CVE-2020-16012.html
https://www.suse.com/security/cve/CVE-2020-16014.html
https://www.suse.com/security/cve/CVE-2020-16015.html
https://www.suse.com/security/cve/CVE-2020-16018.html
https://www.suse.com/security/cve/CVE-2020-16019.html
https://www.suse.com/security/cve/CVE-2020-16020.html
https://www.suse.com/security/cve/CVE-2020-16021.html
https://www.suse.com/security/cve/CVE-2020-16022.html
https://www.suse.com/security/cve/CVE-2020-16023.html
https://www.suse.com/security/cve/CVE-2020-16024.html
https://www.suse.com/security/cve/CVE-2020-16025.html
https://www.suse.com/security/cve/CVE-2020-16026.html
https://www.suse.com/security/cve/CVE-2020-16027.html
https://www.suse.com/security/cve/CVE-2020-16028.html
https://www.suse.com/security/cve/CVE-2020-16029.html
https://www.suse.com/security/cve/CVE-2020-16030.html
https://www.suse.com/security/cve/CVE-2020-16031.html
https://www.suse.com/security/cve/CVE-2020-16032.html
https://www.suse.com/security/cve/CVE-2020-16033.html
https://www.suse.com/security/cve/CVE-2020-16034.html
https://www.suse.com/security/cve/CVE-2020-16035.html
https://www.suse.com/security/cve/CVE-2020-16036.html
https://bugzilla.suse.com/1178923

[opensuse-security-announce] openSUSE-SU-2020:2010-1: important: Security update for chromium
by opensuse-security@opensuse.org 25 Nov '20
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2010-1
Rating: important
References: #1178923
Cross-References: CVE-2019-8075 CVE-2020-16012 CVE-2020-16014
CVE-2020-16015 CVE-2020-16018 CVE-2020-16019
CVE-2020-16020 CVE-2020-16021 CVE-2020-16022
CVE-2020-16023 CVE-2020-16024 CVE-2020-16025
CVE-2020-16026 CVE-2020-16027 CVE-2020-16028
CVE-2020-16029 CVE-2020-16030 CVE-2020-16031
CVE-2020-16032 CVE-2020-16033 CVE-2020-16034
CVE-2020-16035 CVE-2020-16036
Affected Products:
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes 23 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
- Update to 87.0.4280.66 (boo#1178923)
- Wayland support by default
- CVE-2020-16018: Use after free in payments.
- CVE-2020-16019: Inappropriate implementation in filesystem.
- CVE-2020-16020: Inappropriate implementation in cryptohome.
- CVE-2020-16021: Race in ImageBurner.
- CVE-2020-16022: Insufficient policy enforcement in networking.
- CVE-2020-16015: Insufficient data validation in WASM.
- CVE-2020-16014: Use after free in PPAPI.
- CVE-2020-16023: Use after free in WebCodecs.
- CVE-2020-16024: Heap buffer overflow in UI.
- CVE-2020-16025: Heap buffer overflow in clipboard.
- CVE-2020-16026: Use after free in WebRTC.
- CVE-2020-16027: Insufficient policy enforcement in developer tools.
- CVE-2020-16028: Heap buffer overflow in WebRTC.
- CVE-2020-16029: Inappropriate implementation in PDFium.
- CVE-2020-16030: Insufficient data validation in Blink.
- CVE-2019-8075: Insufficient data validation in Flash.
- CVE-2020-16031: Incorrect security UI in tab preview.
- CVE-2020-16032: Incorrect security UI in sharing.
- CVE-2020-16033: Incorrect security UI in WebUSB.
- CVE-2020-16034: Inappropriate implementation in WebRTC.
- CVE-2020-16035: Insufficient data validation in cros-disks.
- CVE-2020-16012: Side-channel information leakage in graphics.
- CVE-2020-16036: Inappropriate implementation in cookies.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2020-2010=1
Package List:
- openSUSE Backports SLE-15-SP1 (aarch64 x86_64):
chromedriver-87.0.4280.66-bp151.3.131.1
chromium-87.0.4280.66-bp151.3.131.1
References:
https://www.suse.com/security/cve/CVE-2019-8075.html
https://www.suse.com/security/cve/CVE-2020-16012.html
https://www.suse.com/security/cve/CVE-2020-16014.html
https://www.suse.com/security/cve/CVE-2020-16015.html
https://www.suse.com/security/cve/CVE-2020-16018.html
https://www.suse.com/security/cve/CVE-2020-16019.html
https://www.suse.com/security/cve/CVE-2020-16020.html
https://www.suse.com/security/cve/CVE-2020-16021.html
https://www.suse.com/security/cve/CVE-2020-16022.html
https://www.suse.com/security/cve/CVE-2020-16023.html
https://www.suse.com/security/cve/CVE-2020-16024.html
https://www.suse.com/security/cve/CVE-2020-16025.html
https://www.suse.com/security/cve/CVE-2020-16026.html
https://www.suse.com/security/cve/CVE-2020-16027.html
https://www.suse.com/security/cve/CVE-2020-16028.html
https://www.suse.com/security/cve/CVE-2020-16029.html
https://www.suse.com/security/cve/CVE-2020-16030.html
https://www.suse.com/security/cve/CVE-2020-16031.html
https://www.suse.com/security/cve/CVE-2020-16032.html
https://www.suse.com/security/cve/CVE-2020-16033.html
https://www.suse.com/security/cve/CVE-2020-16034.html
https://www.suse.com/security/cve/CVE-2020-16035.html
https://www.suse.com/security/cve/CVE-2020-16036.html
https://bugzilla.suse.com/1178923
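The three chromium advisories above (openSUSE-SU-2020:2013-1, 2012-1 and 2010-1) each name a fixed package version and a "zypper in -t patch" command. Before and after patching, an administrator usually wants to confirm where the installed package stands relative to the fixed version. The script below is an added example, not part of the advisories or of SUSE tooling: it compares dotted version-release strings field by field and, where rpm is present, reads the installed chromium version. The fixed version is taken from the 2013-1 package list; the "installed" sample value is constructed for the demonstration.

```shell
#!/bin/sh
# version_lt A B: exit 0 (true) when version-release string A sorts before B.
# Fields are split on '.' and '-' and compared numerically; a non-numeric
# field such as the "bp151" build tag compares as 0. That is enough for the
# version part of the advisory's package names, but it is not rpm's full
# comparison algorithm (use rpmdev-vercmp for the authoritative answer).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not less than
    }'
}

# installed_version PKG: print VERSION-RELEASE of an installed rpm package,
# or print nothing when rpm is unavailable or the package is not installed,
# so the script also runs on non-rpm hosts.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q "$1" >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null || true
}

# needs_update INSTALLED FIXED: print a verdict; exit 0 if INSTALLED is older.
needs_update() {
    if version_lt "$1" "$2"; then
        echo "$1 is older than fixed version $2: apply the patch"
        return 0
    fi
    echo "$1 is at or above fixed version $2"
    return 1
}

# Fixed version from the openSUSE-SU-2020:2013-1 package list; the installed
# value below is a constructed sample standing in for installed_version output.
FIXED="86.0.4240.198-bp151.3.134.1"
SAMPLE_INSTALLED="86.0.4240.193-bp151.3.129.1"
needs_update "$SAMPLE_INSTALLED" "$FIXED" || true

# Live check on this host, when rpm and the package are present.
live=$(installed_version chromium)
if [ -n "$live" ]; then
    needs_update "$live" "$FIXED" || true
fi
```

The comparison deliberately treats the release suffix as part of the ordering, so a rebuild of the same upstream version (bp151.3.131.1 versus bp151.3.134.1) is still reported as older; only the upstream version fields matter for the CVEs themselves.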

[opensuse-security-announce] openSUSE-SU-2020:2008-1: moderate: Security update for rclone
by opensuse-security@opensuse.org 24 Nov '20
openSUSE Security Update: Security update for rclone
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2008-1
Rating: moderate
References: #1179005
Cross-References: CVE-2020-28924
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for rclone fixes the following issues:
rclone was updated to version 1.53.3:
* Bug Fixes
- Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924
boo#1179005 (Nick Craig-Wood)
- Check https://github.com/rclone/passwordcheck for a tool to check for
weak passwords generated by rclone
* VFS
- Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)
* Sharefile
- Fix backend due to API swapping integers for strings (Nick
Craig-Wood)
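The 1.53.3 entry for CVE-2020-28924 names the defect class only ("math/rand instead of crypto/rand") and points at a separate checker for passwords the old generator produced. The Go program below is an added illustration of that class, not rclone's code: a password generator driven by a deterministic PRNG beside the crypto/rand form, plus the kind of membership check such a tool performs. The character alphabet, the password length and the fixed seed of 1 (the value an unseeded math/rand used before Go 1.20) are assumptions of this example, not rclone's actual parameters.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mathrand "math/rand"
)

// alphabet is an assumed character set for the example, not rclone's.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakPassword shows the defect class: math/rand with a fixed seed (seed 1,
// which is what an unseeded math/rand used before Go 1.20) drives password
// generation, so every run, on every machine, yields the same string.
func weakPassword(n int) string {
	r := mathrand.New(mathrand.NewSource(1)) // fixed seed: fully predictable
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongPassword is the hardened form: each index is drawn from crypto/rand
// via rand.Int, which samples uniformly in [0, len(alphabet)) without bias.
func strongPassword(n int) (string, error) {
	b := make([]byte, n)
	bound := big.NewInt(int64(len(alphabet)))
	for i := range b {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// isFromWeakGenerator is the defender's check: regenerate the deterministic
// stream and compare. Because the weak generator consumes one draw per
// character, weakPassword(k) is a prefix of weakPassword(m) for k <= m, so
// comparing against weakPassword(len(pw)) covers any length. A match means
// the password was produced by the predictable generator and must be rotated.
func isFromWeakGenerator(pw string) bool {
	if pw == "" {
		return false
	}
	return weakPassword(len(pw)) == pw
}

func main() {
	fmt.Println("weak (run 1):", weakPassword(20))
	fmt.Println("weak (run 2):", weakPassword(20)) // identical to run 1
	s, err := strongPassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("strong:      ", s)
	fmt.Println("weak flagged:", isFromWeakGenerator(weakPassword(20)),
		"strong flagged:", isFromWeakGenerator(s))
}
```

The check only covers generators that share this example's alphabet and seed; a real audit of rclone-generated passwords should use the linked passwordcheck tool, which encodes the project's actual parameters.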
Update to 1.53.2:
* Bug Fixes
- accounting
+ Fix incorrect speed and transferTime in core/stats (Nick
Craig-Wood)
+ Stabilize display order of transfers on Windows (Nick Craig-Wood)
- operations
+ Fix use of --suffix without --backup-dir (Nick Craig-Wood)
+ Fix spurious "--checksum is in use but the source and destination
have no hashes in common" (Nick Craig-Wood)
- build
+ Work around GitHub actions brew problem (Nick Craig-Wood)
+ Stop using set-env and set-path in the GitHub actions (Nick
Craig-Wood)
* Mount
- mount2: Fix the swapped UID / GID values (Russell Cattelan)
* VFS
- Detect and recover from a file being removed externally from the
cache (Nick Craig-Wood)
- Fix a deadlock vulnerability in downloaders.Close (Leo Luan)
- Fix a race condition in retryFailedResets (Leo Luan)
- Fix missed concurrency control between some item operations and
reset (Leo Luan)
- Add exponential backoff during ENOSPC retries (Leo Luan)
- Add a missed update of used cache space (Leo Luan)
- Fix --no-modtime to not attempt to set modtimes (as documented)
(Nick Craig-Wood)
* Local
- Fix sizes and syncing with --links option on Windows (Nick
Craig-Wood)
* Chunker
- Disable ListR to fix missing files on GDrive (workaround) (Ivan
Andreev)
- Fix upload over crypt (Ivan Andreev)
* Fichier
- Increase maximum file size from 100GB to 300GB (gyutw)
* Jottacloud
- Remove clientSecret from config when upgrading to token based
authentication (buengese)
- Avoid double url escaping of device/mountpoint (albertony)
- Remove DirMove workaround as it's not required anymore - also
(buengese)
* Mailru
- Fix uploads after recent changes on server (Ivan Andreev)
- Fix range requests after June changes on server (Ivan Andreev)
- Fix invalid timestamp on corrupted files (fixes) (Ivan Andreev)
* Onedrive
- Fix disk usage for sharepoint (Nick Craig-Wood)
* S3
- Add missing regions for AWS (Anagh Kumar Baranwal)
* Seafile
- Fix accessing libraries > 2GB on 32 bit systems (Muffin King)
* SFTP
- Always convert the checksum to lower case (buengese)
* Union
- Create root directories if none exist (Nick Craig-Wood)
Update to version 1.53.1:
* Bug Fixes
- accounting: Remove new line from end of --stats-one-line display
* VFS
- Fix spurious error "vfs cache: failed to _ensure cache EOF"
- Log an ERROR if we fail to set the file to be sparse
* Local
- Log an ERROR if we fail to set the file to be sparse
* Drive
- Re-adds special oauth help text
* Opendrive
- Do not retry 400 errors
Update to version 1.53.0
* New Features
- The VFS layer was heavily reworked for this release - see below for
more details
- Interactive mode -i/--interactive for destructive operations
(fishbullet)
- Add --bwlimit-file flag to limit speeds of individual file transfers
(Nick Craig-Wood)
- Transfers are sorted by start time in the stats and progress output
(Max Sum)
- Make sure backends expand ~ and environment vars in file names they
use (Nick Craig-Wood)
- Add --refresh-times flag to set modtimes on hashless backends (Nick
Craig-Wood)
- rclone check
+ Add reporting of filenames for same/missing/changed (Nick
Craig-Wood)
+ Make check command obey --dry-run/-i/--interactive (Nick
Craig-Wood)
+ Make check do --checkers files concurrently (Nick Craig-Wood)
+ Retry downloads if they fail when using the --download flag (Nick
Craig-Wood)
+ Make it show stats by default (Nick Craig-Wood)
- rclone config
+ Set RCLONE_CONFIG_DIR for use in config files and subprocesses
(Nick Craig-Wood)
+ Reject remote names starting with a dash. (jtagcat)
- rclone cryptcheck: Add reporting of filenames for
same/missing/changed (Nick Craig-Wood)
- rclone dedupe: Make it obey the --size-only flag for duplicate
detection (Nick Craig-Wood)
- rclone link: Add --expire and --unlink flags (Roman Kredentser)
- rclone mkdir: Warn when using mkdir on remotes which can't have
empty directories (Nick Craig-Wood)
- rclone rc: Allow JSON parameters to simplify command line usage
(Nick Craig-Wood)
- rclone serve ftp
+ Don't compile on < go1.13 after dependency update (Nick Craig-Wood)
+ Add error message if auth proxy fails (Nick Craig-Wood)
+ Use refactored goftp.io/server library for binary shrink (Nick
Craig-Wood)
- rclone serve restic: Expose interfaces so that rclone can be used as
a library from within restic (Jack)
- rclone sync: Add --track-renames-strategy leaf (Nick Craig-Wood)
- rclone touch: Add ability to set nanosecond resolution times (Nick
Craig-Wood)
- rclone tree: Remove -i shorthand for --noindent as it conflicts with
-i/--interactive (Nick Craig-Wood)
* Bug Fixes
* Mount
- rc interface
+ Add call for unmount all (Chaitanya Bankanhal)
+ Make mount/mount remote control take vfsOpt option (Nick
Craig-Wood)
+ Add mountOpt to mount/mount (Nick Craig-Wood)
+ Add VFS and Mount options to mount/listmounts (Nick Craig-Wood)
- Catch panics in cgofuse initialization and turn into error messages
(Nick Craig-Wood)
- Always supply stat information in Readdir (Nick Craig-Wood)
- Add support for reading unknown length files using direct IO
(Windows) (Nick Craig-Wood)
- Fix: on Windows, don't add -o uid/gid=-1 if the user supplies -o uid/gid
(Nick Craig-Wood)
- Fix volume name broken in recent refactor (Nick Craig-Wood)
* VFS
- Implement partial reads for --vfs-cache-mode full (Nick Craig-Wood)
- Add --vfs-writeback option to delay writes back to cloud storage
(Nick Craig-Wood)
- Add --vfs-read-ahead parameter for use with --vfs-cache-mode full
(Nick Craig-Wood)
- Restart pending uploads on restart of the cache (Nick Craig-Wood)
- Support synchronous cache space recovery upon ENOSPC (Leo Luan)
- Allow ReadAt and WriteAt to run concurrently with themselves (Nick
Craig-Wood)
- Change modtime of file before upload to current (Rob Calistri)
- Recommend --vfs-cache-modes writes on backends which can't stream
(Nick Craig-Wood)
- Add an optional fs parameter to vfs rc methods (Nick Craig-Wood)
- Fix errors when using > 260 char files in the cache in Windows (Nick
Craig-Wood)
- Fix renaming of items while they are being uploaded (Nick Craig-Wood)
- Fix very high load caused by slow directory listings (Nick
Craig-Wood)
- Fix renamed files not being uploaded with --vfs-cache-mode minimal
(Nick Craig-Wood)
- Fix directory locking caused by slow directory listings (Nick
Craig-Wood)
- Fix saving from chrome without --vfs-cache-mode writes (Nick
Craig-Wood)
* Crypt
- Add --crypt-server-side-across-configs flag (Nick Craig-Wood)
- Make any created backends be cached to fix rc problems (Nick
Craig-Wood)
* Azure Blob
- Don't compile on < go1.13 after dependency update (Nick Craig-Wood)
* B2
- Implement server side copy for files > 5GB (Nick Craig-Wood)
- Cancel in progress multipart uploads and copies on rclone exit (Nick
Craig-Wood)
- Note that b2's encoding now allows \ but rclone's hasn't changed (Nick
Craig-Wood)
- Fix transfers when using download_url (Nick Craig-Wood)
* Box
- Implement rclone cleanup (buengese)
- Cancel in progress multipart uploads and copies on rclone exit (Nick
Craig-Wood)
- Allow authentication with access token (David)
* Chunker
- Make any created backends be cached to fix rc problems (Nick
Craig-Wood)
* Drive
- Add rclone backend drives to list shared drives (teamdrives) (Nick
Craig-Wood)
- Implement rclone backend untrash (Nick Craig-Wood)
- Work around drive bug which didn't set modtime of copied docs (Nick
Craig-Wood)
- Added --drive-starred-only to only show starred files (Jay McEntire)
- Deprecate --drive-alternate-export as it is no longer needed
(themylogin)
- Fix duplication of Google docs on server side copy (Nick Craig-Wood)
- Fix "panic: send on closed channel" when recycling dir entries (Nick
Craig-Wood)
* Dropbox
- Add copyright detector info in limitations section in the docs (Alex
Guerrero)
- Fix rclone link by removing expires parameter (Nick Craig-Wood)
* Fichier
- Detect Flood detected: IP Locked error and sleep for 30s (Nick
Craig-Wood)
* FTP
- Add explicit TLS support (Heiko Bornholdt)
- Add support for --dump bodies and --dump auth for debugging (Nick
Craig-Wood)
- Fix interoperation with pure-ftpd (Nick Craig-Wood)
* Google Cloud Storage
- Add support for anonymous access (Kai Lüke)
* Jottacloud
- Bring back legacy authentication for use with whitelabel versions
(buengese)
- Switch to new api root - also implement a very ugly workaround for
the DirMove failures (buengese)
* Onedrive
- Rework cancel of multipart uploads on rclone exit (Nick Craig-Wood)
- Implement rclone cleanup (Nick Craig-Wood)
- Add --onedrive-no-versions flag to remove old versions (Nick
Craig-Wood)
* Pcloud
- Implement rclone link for public link creation (buengese)
* Qingstor
- Cancel in progress multipart uploads on rclone exit (Nick Craig-Wood)
* S3
- Preserve metadata when doing multipart copy (Nick Craig-Wood)
- Cancel in progress multipart uploads and copies on rclone exit (Nick
Craig-Wood)
- Add rclone link for public link sharing (Roman Kredentser)
- Add rclone backend restore command to restore objects from GLACIER
(Nick Craig-Wood)
- Add rclone cleanup and rclone backend cleanup to clean unfinished
multipart uploads (Nick Craig-Wood)
- Add rclone backend list-multipart-uploads to list unfinished
multipart uploads (Nick Craig-Wood)
- Add --s3-max-upload-parts support (Kamil Trzciński)
- Add --s3-no-check-bucket for minimising rclone transactions and
perms (Nick Craig-Wood)
- Add --s3-profile and --s3-shared-credentials-file options (Nick
Craig-Wood)
- Use regional s3 us-east-1 endpoint (David)
- Add Scaleway provider (Vincent Feltz)
- Update IBM COS endpoints (Egor Margineanu)
- Reduce the default --s3-copy-cutoff to < 5GB for Backblaze S3
compatibility (Nick Craig-Wood)
- Fix detection of bucket existing (Nick Craig-Wood)
* SFTP
- Use the absolute path instead of the relative path for listing for
improved compatibility (Nick Craig-Wood)
- Add --sftp-subsystem and --sftp-server-command options (aus)
* Swift
- Fix dangling large objects breaking the listing (Nick Craig-Wood)
- Fix purge not deleting directory markers (Nick Craig-Wood)
- Fix update multipart object removing all of its own parts (Nick
Craig-Wood)
- Fix missing hash from object returned from upload (Nick Craig-Wood)
* Tardigrade
- Upgrade to uplink v1.2.0 (Kaloyan Raev)
* Union
- Fix writing with the all policy (Nick Craig-Wood)
* WebDAV
- Fix directory creation with 4shared (Nick Craig-Wood)
Update to version 1.52.3:
* Bug Fixes
- docs
+ Disable smart typography (eg en-dash) in MANUAL.* and man page
(Nick Craig-Wood)
+ Update install.md to reflect minimum Go version (Evan Harris)
+ Update install from source instructions (Nick Craig-Wood)
+ make_manual: Support SOURCE_DATE_EPOCH (Morten Linderud)
- log: Fix --use-json-log going to stderr not --log-file on Windows
(Nick Craig-Wood)
- serve dlna: Fix file list on Samsung Series 6+ TVs (Matteo Pietro
Dazzi)
- sync: Fix deadlock with --track-renames-strategy modtime (Nick
Craig-Wood)
* Cache
- Fix moveto/copyto remote:file remote:file2 (Nick Craig-Wood)
* Drive
- Stop using root_folder_id as a cache (Nick Craig-Wood)
- Make dangling shortcuts appear in listings (Nick Craig-Wood)
- Drop "Disabling ListR" messages down to debug (Nick Craig-Wood)
- Workaround and policy for Google Drive API (Dmitry Ustalov)
* FTP
- Add note to docs about home vs root directory selection (Nick
Craig-Wood)
* Onedrive
- Fix reverting to Copy when Move would have worked (Nick Craig-Wood)
- Avoid comma rendered in URL in onedrive.md (Kevin)
* Pcloud
- Fix oauth on European region "eapi.pcloud.com" (Nick Craig-Wood)
* S3
- Fix bucket Region auto detection when Region unset in config (Nick
Craig-Wood)
Update to version 1.52.2:
* Bug Fixes
- build
+ Fix docker release build action (Nick Craig-Wood)
+ Fix custom timezone in Docker image (NoLooseEnds)
- check: Fix misleading message which printed errors instead of
differences (Nick Craig-Wood)
- errors: Add WSAECONNREFUSED and more to the list of retriable
Windows errors (Nick Craig-Wood)
- rcd: Fix incorrect prometheus metrics (Gary Kim)
- serve restic: Fix flags so they use environment variables (Nick
Craig-Wood)
- serve webdav: Fix flags so they use environment variables (Nick
Craig-Wood)
- sync: Fix --track-renames-strategy modtime (Nick Craig-Wood)
* Drive
- Fix not being able to delete a directory with a trashed shortcut
(Nick Craig-Wood)
- Fix creating a directory inside a shortcut (Nick Craig-Wood)
- Fix --drive-impersonate with cached root_folder_id (Nick Craig-Wood)
* SFTP
- Fix SSH key PEM loading (Zac Rubin)
* Swift
- Speed up deletes by not retrying segment container deletes (Nick
Craig-Wood)
* Tardigrade
- Upgrade to uplink v1.1.1 (Caleb Case)
* WebDAV
- Fix free/used display for rclone about/df for certain backends (Nick
Craig-Wood)
Update to version 1.52.1:
* VFS
- Fix OS vs Unix path confusion - fixes ChangeNotify on Windows (Nick
Craig-Wood)
* Drive
- Fix missing items when listing using --fast-list / ListR (Nick
Craig-Wood)
* Putio
- Fix panic on Object.Open (Cenk Alti)
* S3
- Fix upload of single files into buckets without create permission
(Nick Craig-Wood)
- Fix --header-upload (Nick Craig-Wood)
* Tardigrade
- Fix listing bug by upgrading to v1.0.7
- Set UserAgent to rclone (Caleb Case)
Update to version 1.52.0:
* New backends
- Tardigrade backend for use with storj.io (Caleb Case)
- Union re-write to have multiple writable remotes (Max Sum)
- Seafile for Seafile server (Fred @creativeprojects)
* New commands
- backend: command for backend specific commands (see backends) (Nick
Craig-Wood)
- cachestats: Deprecate in favour of rclone backend stats cache: (Nick
Craig-Wood)
- dbhashsum: Deprecate in favour of rclone hashsum DropboxHash (Nick
Craig-Wood)
* New Features
- Add --header-download and --header-upload flags for setting HTTP
headers when uploading/downloading (Tim Gallant)
- Add --header flag to add HTTP headers to every HTTP transaction
(Nick Craig-Wood)
- Add --check-first to do all checking before starting transfers (Nick
Craig-Wood)
- Add --track-renames-strategy for configurable matching criteria for
--track-renames (Bernd Schoolmann)
- Add --cutoff-mode hard,soft,cautious (Shing Kit Chan & Franklyn
Tackitt)
- Filter flags (eg --files-from -) can read from stdin (fishbullet)
- Add --error-on-no-transfer option (Jon Fautley)
- Implement --order-by xxx,mixed for copying some small and some big
files (Nick Craig-Wood)
- Allow --max-backlog to be negative meaning as large as possible
(Nick Craig-Wood)
- Added --no-unicode-normalization flag to allow Unicode filenames to
remain unique (Ben Zenker)
- Allow --min-age/--max-age to take a date as well as a duration (Nick
Craig-Wood)
- Add rename statistics for file and directory renames (Nick
Craig-Wood)
- Add statistics output to JSON log (reddi)
- Make stats be printed on non-zero exit code (Nick Craig-Wood)
- When running --password-command allow use of stdin (Sébastien Gross)
- Stop empty strings being a valid remote path (Nick Craig-Wood)
- accounting: support WriterTo for less memory copying (Nick
Craig-Wood)
- build
+ Update to use go1.14 for the build (Nick Craig-Wood)
+ Add -trimpath to release build for reproducible builds (Nick
Craig-Wood)
+ Remove GOOS and GOARCH from Dockerfile (Brandon Philips)
- config
+ Fsync the config file after writing to save more reliably (Nick
Craig-Wood)
+ Add --obscure and --no-obscure flags to config create/update
(Nick Craig-Wood)
+ Make config show take remote: as well as remote (Nick Craig-Wood)
- copyurl: Add --no-clobber flag (Denis)
- delete: Added --rmdirs flag to delete directories as well (Kush)
- filter: Added --files-from-raw flag (Ankur Gupta)
- genautocomplete: Add support for fish shell (Matan Rosenberg)
- log: Add support for syslog LOCAL facilities (Patryk Jakuszew)
- lsjson: Add --hash-type parameter and use it in lsf to speed up
hashing (Nick Craig-Wood)
- rc
+ Add -o/--opt and -a/--arg for more structured input (Nick
Craig-Wood)
+ Implement backend/command for running backend specific commands
remotely (Nick Craig-Wood)
+ Add mount/mount command for starting rclone mount via the API
(Chaitanya)
- rcd: Add Prometheus metrics support (Gary Kim)
- serve http
+ Added a --template flag for user defined markup (calistri)
+ Add Last-Modified headers to files and directories (Nick
Craig-Wood)
- serve sftp: Add support for multiple host keys by repeating --key
flag (Maxime Suret)
- touch: Add --localtime flag to make --timestamp localtime not UTC
(Nick Craig-Wood)
* Bug Fixes
- accounting
+ Restore "Max number of stats groups reached" log line (Michał
Matczuk)
+ Correct exitcode on Transfer Limit Exceeded flag. (Anuar
Serdaliyev)
+ Reset bytes read during copy retry (Ankur Gupta)
+ Fix race clearing stats (Nick Craig-Wood)
- copy: Only create empty directories when they don't exist on the
remote (Ishuah Kariuki)
- dedupe: Stop dedupe deleting files with identical IDs (Nick
Craig-Wood)
- oauth
+ Use custom http client so that --no-check-certificate is honored
by oauth token fetch (Mark Spieth)
+ Replace deprecated oauth2.NoContext (Lars Lehtonen)
- operations
+ Fix setting the timestamp on Windows for multithread copy (Nick
Craig-Wood)
+ Make rcat obey --ignore-checksum (Nick Craig-Wood)
+ Make --max-transfer more accurate (Nick Craig-Wood)
- rc
+ Fix dropped error (Lars Lehtonen)
+ Fix misplaced http server config (Xiaoxing Ye)
+ Disable duplicate log (ElonH)
- serve dlna
+ Cds: don't specify childCount at all when unknown (Dan Walters)
+ Cds: use modification time as date in dlna metadata (Dan Walters)
- serve restic: Fix tests after restic project removed vendoring (Nick
Craig-Wood)
- sync
+ Fix incorrect "nothing to transfer" message using --delete-before
(Nick Craig-Wood)
+ Only create empty directories when they don't exist on the remote
(Ishuah Kariuki)
* Mount
- Add --async-read flag to disable asynchronous reads (Nick Craig-Wood)
- Ignore --allow-root flag with a warning as it has been removed
upstream (Nick Craig-Wood)
- Warn if --allow-non-empty used on Windows and clarify docs (Nick
Craig-Wood)
- Constrain to go1.13 or above otherwise bazil.org/fuse fails to
compile (Nick Craig-Wood)
- Fix fail because of too long volume name (evileye)
- Report 1PB free for unknown disk sizes (Nick Craig-Wood)
- Map more rclone errors into file systems errors (Nick Craig-Wood)
- Fix disappearing cwd problem (Nick Craig-Wood)
- Use ReaddirPlus on Windows to improve directory listing performance
(Nick Craig-Wood)
- Send a hint as to whether the filesystem is case insensitive or not
(Nick Craig-Wood)
- Add rc command mount/types (Nick Craig-Wood)
- Change maximum leaf name length to 1024 bytes (Nick Craig-Wood)
* VFS
- Add --vfs-read-wait and --vfs-write-wait flags to control time
waiting for a sequential read/write (Nick Craig-Wood)
- Change default --vfs-read-wait to 20ms (it was 5ms and not
configurable) (Nick Craig-Wood)
- Make df output more consistent on a rclone mount. (Yves G)
- Report 1PB free for unknown disk sizes (Nick Craig-Wood)
- Fix race condition caused by unlocked reading of Dir.path (Nick
Craig-Wood)
- Make File lock and Dir lock not overlap to avoid deadlock (Nick
Craig-Wood)
- Implement lock ordering between File and Dir to eliminate deadlocks
(Nick Craig-Wood)
- Factor the vfs cache into its own package (Nick Craig-Wood)
- Pin the Fs in use in the Fs cache (Nick Craig-Wood)
- Add SetSys() methods to Node to allow caching stuff on a node (Nick
Craig-Wood)
- Ignore file not found errors from Hash in Read.Release (Nick
Craig-Wood)
- Fix hang in read wait code (Nick Craig-Wood)
* Local
- Speed up multi thread downloads by using sparse files on Windows
(Nick Craig-Wood)
- Implement --local-no-sparse flag for disabling sparse files (Nick
Craig-Wood)
- Implement rclone backend noop for testing purposes (Nick Craig-Wood)
- Fix "file not found" errors on post transfer Hash calculation (Nick
Craig-Wood)
* Cache
- Implement rclone backend stats command (Nick Craig-Wood)
- Fix Server Side Copy with Temp Upload (Brandon McNama)
- Remove Unused Functions (Lars Lehtonen)
- Disable race tests until bbolt is fixed (Nick Craig-Wood)
- Move methods used for testing into test file (greatroar)
- Add Pin and Unpin and canonicalised lookup (Nick Craig-Wood)
- Use proper import path go.etcd.io/bbolt (Robert-André Mauchin)
* Crypt
- Calculate hashes for uploads from local disk (Nick Craig-Wood)
+ This allows crypted Jottacloud uploads without using local disk
+ This means crypted s3/b2 uploads will now have hashes
- Added rclone backend decode/encode commands to replicate
functionality of cryptdecode (Anagh Kumar Baranwal)
- Get rid of the unused Cipher interface as it obfuscated the code
(Nick Craig-Wood)
* Azure Blob
- Implement streaming of unknown sized files so rcat is now supported
(Nick Craig-Wood)
- Implement memory pooling to control memory use (Nick Craig-Wood)
- Add --azureblob-disable-checksum flag (Nick Craig-Wood)
- Retry InvalidBlobOrBlock error as it may indicate block concurrency
problems (Nick Craig-Wood)
- Remove unused Object.parseTimeString() (Lars Lehtonen)
- Fix permission error on SAS URL limited to container (Nick
Craig-Wood)
* B2
- Add support for --header-upload and --header-download (Tim Gallant)
- Ignore directory markers at the root also (Nick Craig-Wood)
- Force the case of the SHA1 to lowercase (Nick Craig-Wood)
- Remove unused largeUpload.clearUploadURL() (Lars Lehtonen)
* Box
- Add support for --header-upload and --header-download (Tim Gallant)
- Implement About to read size used (Nick Craig-Wood)
- Add token renew function for jwt auth (David Bramwell)
- Added support for interchangeable root folder for Box backend (Sunil
Patra)
- Remove unnecessary iat from jws claims (David)
* Drive
- Follow shortcuts by default, skip with --drive-skip-shortcuts (Nick
Craig-Wood)
- Implement rclone backend shortcut command for creating shortcuts
(Nick Craig-Wood)
- Added rclone backend command to change service_account_file and
chunk_size (Anagh Kumar Baranwal)
- Fix missing files when using --fast-list and --drive-shared-with-me
(Nick Craig-Wood)
- Fix duplicate items when using --drive-shared-with-me (Nick
Craig-Wood)
- Extend --drive-stop-on-upload-limit to respond to
teamDriveFileLimitExceeded. (harry)
- Don't delete files with multiple parents to avoid data loss (Nick
Craig-Wood)
- Server side copy docs use default description if empty (Nick
Craig-Wood)
* Dropbox
- Make error insufficient space to be fatal (harry)
- Add info about required redirect url (Elan Ruusamäe)
* Fichier
- Add support for --header-upload and --header-download (Tim Gallant)
- Implement custom pacer to deal with the new rate limiting (buengese)
* FTP
- Fix lockup when using concurrency limit on failed connections (Nick
Craig-Wood)
- Fix lockup on failed upload when using concurrency limit (Nick
Craig-Wood)
- Fix lockup on Close failures when using concurrency limit (Nick
Craig-Wood)
- Work around pureftp sending spurious 150 messages (Nick Craig-Wood)
* Google Cloud Storage
- Add support for --header-upload and --header-download (Nick
Craig-Wood)
- Add ARCHIVE storage class to help (Adam Stroud)
- Ignore directory markers at the root (Nick Craig-Wood)
* Googlephotos
- Make the start year configurable (Daven)
- Add support for --header-upload and --header-download (Tim Gallant)
- Create feature/favorites directory (Brandon Philips)
- Fix "concurrent map write" error (Nick Craig-Wood)
- Don't put an image in error message (Nick Craig-Wood)
* HTTP
- Improved directory listing with new template from Caddy project
(calisro)
* Jottacloud
- Implement --jottacloud-trashed-only (buengese)
- Add support for --header-upload and --header-download (Tim Gallant)
- Use RawURLEncoding when decoding base64 encoded login token
(buengese)
- Implement cleanup (buengese)
- Update docs regarding cleanup, removed remains from old auth, and
added warning about special mountpoints. (albertony)
* Mailru
- Describe 2FA requirements (valery1707)
* Onedrive
- Implement --onedrive-server-side-across-configs (Nick Craig-Wood)
- Add support for --header-upload and --header-download (Tim Gallant)
- Fix occasional 416 errors on multipart uploads (Nick Craig-Wood)
- Added maximum chunk size limit warning in the docs (Harry)
- Fix missing drive on config (Nick Craig-Wood)
- Make error quotaLimitReached to be fatal (harry)
* Opendrive
- Add support for --header-upload and --header-download (Tim Gallant)
* Pcloud
- Added support for interchangeable root folder for pCloud backend
(Sunil Patra)
- Add support for --header-upload and --header-download (Tim Gallant)
- Fix initial config "Auth state doesn't match" message (Nick
Craig-Wood)
* Premiumizeme
- Add support for --header-upload and --header-download (Tim Gallant)
- Prune unused functions (Lars Lehtonen)
* Putio
- Add support for --header-upload and --header-download (Nick
Craig-Wood)
- Make downloading files use the rclone http Client (Nick Craig-Wood)
- Fix parsing of remotes with leading and trailing / (Nick Craig-Wood)
* Qingstor
- Make rclone cleanup remove pending multipart uploads older than 24h
(Nick Craig-Wood)
- Try harder to cancel failed multipart uploads (Nick Craig-Wood)
- Prune multiUploader.list() (Lars Lehtonen)
- Lint fix (Lars Lehtonen)
* S3
- Add support for --header-upload and --header-download (Tim Gallant)
- Use memory pool for buffer allocations (Maciej Zimnoch)
- Add SSE-C support for AWS, Ceph, and MinIO (Jack Anderson)
- Fail fast multipart upload (Michał Matczuk)
- Report errors on bucket creation (mkdir) correctly (Nick Craig-Wood)
- Specify that Minio supports URL encoding in listings (Nick
Craig-Wood)
- Added 500 as retryErrorCode (Michał Matczuk)
- Use --low-level-retries as the number of SDK retries (Aleksandar
Janković)
- Fix multipart abort context (Aleksandar Jankovic)
- Replace deprecated session.New() with session.NewSession() (Lars
Lehtonen)
- Use the provided size parameter when allocating a new memory pool
(Joachim Brandon LeBlanc)
- Use rclone's low level retries instead of AWS SDK to fix listing
retries (Nick Craig-Wood)
- Ignore directory markers at the root also (Nick Craig-Wood)
- Use single memory pool (Michał Matczuk)
- Do not resize buf on put to memBuf (Michał Matczuk)
- Improve docs for --s3-disable-checksum (Nick Craig-Wood)
- Don't leak memory or tokens in edge cases for multipart upload (Nick
Craig-Wood)
* Seafile
- Implement 2FA (Fred)
* SFTP
- Added --sftp-pem-key to support inline key files (calisro)
- Fix post transfer copies failing with 0 size when using
set_modtime=false (Nick Craig-Wood)
* Sharefile
- Add support for --header-upload and --header-download (Tim Gallant)
* Sugarsync
- Add support for --header-upload and --header-download (Tim Gallant)
* Swift
- Add support for --header-upload and --header-download (Nick
Craig-Wood)
- Fix cosmetic issue in error message (Martin Michlmayr)
* Union
- Implement multiple writable remotes (Max Sum)
- Fix server-side copy (Max Sum)
- Implement ListR (Max Sum)
- Enable ListR when upstreams contain local (Max Sum)
* WebDAV
- Add support for --header-upload and --header-download (Tim Gallant)
- Fix X-OC-Mtime header for Transip compatibility (Nick Craig-Wood)
- Report full and consistent usage with about (Yves G)
* Yandex
- Add support for --header-upload and --header-download (Tim Gallant)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2008=1
Package List:
- openSUSE Leap 15.2 (noarch):
rclone-bash-completion-1.53.3-lp152.2.3.1
rclone-zsh-completion-1.53.3-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64):
rclone-1.53.3-lp152.2.3.1
rclone-debuginfo-1.53.3-lp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-28924.html
https://bugzilla.suse.com/1179005
[opensuse-security-announce] openSUSE-SU-2020:2000-1: important: Security update for rmt-server
by opensuse-security@opensuse.org 23 Nov '20
openSUSE Security Update: Security update for rmt-server
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2000-1
Rating: important
References: #1172177 #1172182 #1172184 #1172186 #1173351
Cross-References: CVE-2019-16770 CVE-2019-5418 CVE-2019-5419
CVE-2019-5420 CVE-2020-11076 CVE-2020-11077
CVE-2020-15169 CVE-2020-5247 CVE-2020-5249
CVE-2020-5267 CVE-2020-8164 CVE-2020-8165
CVE-2020-8166 CVE-2020-8167 CVE-2020-8184
CVE-2020-8185
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for rmt-server fixes the following issues:
- Version 2.6.5
- Solved potential bug of SCC repository URLs changing over time. RMT now
self heals by removing the previous invalid repository and creating the
correct one.
- Version 2.6.4
- Add web server settings to /etc/rmt.conf: it is now possible to configure
the minimum and maximum thread count as well as the number of web server
workers to be booted through /etc/rmt.conf.
- Version 2.6.3
- Instead of using an MD5 of URLs for custom repository friendly_ids, RMT
now builds an ID from the name.
- Version 2.6.2
- Fix RMT file caching based on timestamps: Previously, RMT sent GET
requests with the header 'If-Modified-Since' to a repository server and,
if the response was a 304 (Not Modified), it copied the file from the
local cache instead of downloading it. However, if the local file timestamp
was accidentally changed to a date newer than the one on the repository
server, the 304 hid the fact that RMT held an outdated file, which caused
errors. Now RMT makes HEAD requests to the repository servers and inspects
the 'Last-Modified' header, downloading the file unless the timestamps are
exactly equal, in which case it is copied from the cache.
- Version 2.6.1
- Fixed an issue where relative paths supplied to `rmt-cli import repos`
caused the command to fail.
- Version 2.6.0
- Friendlier IDs for custom repositories: In an effort to simplify the
handling of SCC and custom repositories, RMT now has friendly IDs. For
SCC repositories, it's the same SCC ID as before. For custom
repositories, it can either be user provided or RMT generated (MD5 of
the provided URL).
Benefits:
* `rmt-cli mirror repositories` now works for custom repositories.
* Custom repository IDs can be the same across RMT instances.
* No more confusing "SCC ID" vs "ID" in `rmt-cli` output.
Deprecation Warnings:
* RMT now uses a different ID for custom repositories than before. RMT
still supports that old ID, but it's recommended to start using the
new ID to ensure future compatibility.
- Version 2.5.20
- Updated rails from 6.0.3.2 to 6.0.3.3:
- actionview (CVE-2020-15169)
- Version 2.5.19
- RMT now has the ability to remove local systems with the command
`rmt-cli systems remove`.
- Version 2.5.18
- Fixed exit code for `rmt-cli mirror` and its subcommands. Now it exits
with 1 whenever an error occurs during mirroring.
- Improved message logging for `rmt-cli mirror`. Instead of logging each
error when it occurs, the command summarizes all errors at the end of
execution. Log messages now have colors to better identify
failure/success.
- Version 2.5.17
- RMT no longer provides the installer updates repository to systems via
its zypper service. This repository is used during the installation
process, as it provides an up-to-date installation experience, but it
has no use on an already installed system.
- Version 2.5.16
- Updated RMT's rails and puma dependencies.
- puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247
CVE-2019-16770)
- actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)
- actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)
- activesupport (CVE-2020-8165)
- railties (CVE-2019-5420)
- Version 2.5.15
- RMT now checks if repositories are fully mirrored during the activation
process. Previously, RMT only checked if the repositories were enabled
to be mirrored, but not that they were actually mirrored. In that case,
RMT was not able to provide the repository data which systems assumed
it had.
- Version 2.5.14
- Enable 'Installer-Updates' repositories by default
- Fixed deprecation warning when thor encountered an error. Also, instead
of returning 0 for thor errors, rmt-cli now returns 1.
- Version 2.5.13
- Added `rmt-cli repos clean` command to remove locally mirrored files
of repositories which are not marked to be mirrored.
- Previously, RMT didn't track deduplicated files in its database. Now, to
accommodate `rmt-cli repos clean`, RMT will track all mirrored files.
- Move the nginx reload to the configuration package which contains the
nginx config files; don't reload nginx unconditionally from the main package.
- Version 2.5.12
- Update rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)
- Update Rails to version 5.2.4.3:
- actionpack (CVE-2020-8164: bsc#1172177)
- actionpack (CVE-2020-8166: bsc#1172182)
- activesupport (CVE-2020-8165: bsc#1172186)
- actionview (CVE-2020-8167: bsc#1172184)
- Version 2.5.11
- rmt-server-pubcloud:
- SLES11 EOL
- Extension activation verification based on the available subscriptions
- Added a manual instance verification script
- Version 2.5.10
- Support rmt-server to run with Ruby 2.7 (Factory/Tumbleweed):
- Bump gem 'config' version from 1.7.2 to 2.2.1 to fix an incompatibility
with the Ruby 2.7 OpenStruct class;
- Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump
gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby
2.7;
- Fix "last arg as keyword arg" Ruby 2.7 warning on source code;
- Disable "deprecated" warnings from Ruby 2.7; Rails 5.1 generates a lot
of warnings with Ruby 2.7, mainly due to "capturing the given block
with Proc.new", which is deprecated;
- Improve RPM spec to consider only the distribution default Ruby
version configured in OBS;
- Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler'.
- Move nginx/vhosts.d directory to correct sub-package. They are needed
together with nginx, not rmt-server.
- Fix dependencies especially for containerized usage:
- mariadb and nginx are not hard requires, could run on another host
- Fix generic dependencies:
- systemd ordering was missing
- shadow is required for pre-install
- Version 2.5.9
- rmt-server-pubcloud: enforce strict authentication
- Version 2.5.8
- Use repomd_parser gem to remove repository metadata parsing code.
This update was imported from the SUSE:SLE-15-SP1:Update update project.
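The cache-validation change described under version 2.6.2 above, as an added illustration that is not RMT's own code: a constructed stand-in repository server with a made-up Last-Modified timestamp, the old conditional-GET decision beside the new HEAD/Last-Modified equality check, and the failure case where the local file's mtime was accidentally bumped past the server's timestamp.

```ruby
require 'time'

# Constructed stand-in for a repository server (not RMT code): it holds one
# file and answers HEAD and conditional GET the way an HTTP origin would.
class FakeRepoServer
  attr_reader :last_modified

  def initialize(body:, last_modified:)
    @body = body
    @last_modified = last_modified
  end

  # HEAD: only the Last-Modified header is of interest here.
  def head
    { status: 200, last_modified: @last_modified }
  end

  # Conditional GET: 304 when the server copy is not newer than the
  # client's If-Modified-Since value, otherwise 200 with the body.
  def get(if_modified_since: nil)
    if if_modified_since && @last_modified <= if_modified_since
      { status: 304 }
    else
      { status: 200, last_modified: @last_modified, body: @body }
    end
  end
end

# Local cache entry: the file contents and the mtime stored on disk.
LocalFile = Struct.new(:body, :mtime)

# Old strategy (pre-2.6.2 behaviour as the changelog describes it): send
# If-Modified-Since with the local mtime and trust a 304 to mean "up to
# date". A local mtime that is newer than the server's turns every 304
# into a silently stale file.
def fetch_with_conditional_get(server, local)
  resp = server.get(if_modified_since: local&.mtime)
  return [:cache, local.body] if resp[:status] == 304

  [:download, resp[:body]]
end

# New strategy (2.6.2 behaviour as described): HEAD the file and reuse the
# cached copy only when Last-Modified equals the local mtime exactly;
# any difference, in either direction, triggers a download.
def fetch_with_head_check(server, local)
  remote_mtime = server.head[:last_modified]
  if local && local.mtime == remote_mtime
    [:cache, local.body]
  else
    [:download, server.get[:body]]
  end
end

# Reproduce the failure mode: the server has a newer file, but the local
# copy's mtime was bumped (e.g. by a stray touch) past Last-Modified.
def stale_cache_scenario
  server_time = Time.parse('2020-06-01 12:00:00 UTC')   # constructed value
  server = FakeRepoServer.new(body: 'repomd v2', last_modified: server_time)
  # Old content on disk, but with an mtime one hour newer than the server's.
  local = LocalFile.new('repomd v1', server_time + 3600)
  {
    old: fetch_with_conditional_get(server, local),
    new: fetch_with_head_check(server, local)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = stale_cache_scenario
  puts "conditional GET : #{result[:old].inspect}"  # stale copy served from cache
  puts "HEAD + equality : #{result[:new].inspect}"  # fresh copy downloaded
end
```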
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2000=1
Package List:
- openSUSE Leap 15.1 (x86_64):
rmt-server-2.6.5-lp151.2.18.2
rmt-server-config-2.6.5-lp151.2.18.2
rmt-server-debuginfo-2.6.5-lp151.2.18.2
rmt-server-debugsource-2.6.5-lp151.2.18.2
rmt-server-pubcloud-2.6.5-lp151.2.18.2
References:
https://www.suse.com/security/cve/CVE-2019-16770.html
https://www.suse.com/security/cve/CVE-2019-5418.html
https://www.suse.com/security/cve/CVE-2019-5419.html
https://www.suse.com/security/cve/CVE-2019-5420.html
https://www.suse.com/security/cve/CVE-2020-11076.html
https://www.suse.com/security/cve/CVE-2020-11077.html
https://www.suse.com/security/cve/CVE-2020-15169.html
https://www.suse.com/security/cve/CVE-2020-5247.html
https://www.suse.com/security/cve/CVE-2020-5249.html
https://www.suse.com/security/cve/CVE-2020-5267.html
https://www.suse.com/security/cve/CVE-2020-8164.html
https://www.suse.com/security/cve/CVE-2020-8165.html
https://www.suse.com/security/cve/CVE-2020-8166.html
https://www.suse.com/security/cve/CVE-2020-8167.html
https://www.suse.com/security/cve/CVE-2020-8184.html
https://www.suse.com/security/cve/CVE-2020-8185.html
https://bugzilla.suse.com/1172177
https://bugzilla.suse.com/1172182
https://bugzilla.suse.com/1172184
https://bugzilla.suse.com/1172186
https://bugzilla.suse.com/1173351
[opensuse-security-announce] openSUSE-SU-2020:1998-1: important: Security update for moinmoin-wiki
by opensuse-security@opensuse.org 23 Nov '20
openSUSE Security Update: Security update for moinmoin-wiki
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1998-1
Rating: important
References: #1178744 #1178745
Cross-References: CVE-2020-15275 CVE-2020-25074
Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for moinmoin-wiki fixes the following issues:
- update to version 1.9.11:
* CVE-2020-25074 (boo#1178744): fix remote code execution via cache action
* CVE-2020-15275 (boo#1178745): fix malicious SVG attachment causing stored
XSS vulnerability
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-1998=1
Package List:
- openSUSE Backports SLE-15-SP2 (noarch):
moinmoin-wiki-1.9.11-bp152.4.3.1
References:
https://www.suse.com/security/cve/CVE-2020-15275.html
https://www.suse.com/security/cve/CVE-2020-25074.html
https://bugzilla.suse.com/1178744
https://bugzilla.suse.com/1178745
[opensuse-security-announce] openSUSE-SU-2020:1997-1: moderate: Security update for blueman
by opensuse-security@opensuse.org 22 Nov '20
openSUSE Security Update: Security update for blueman
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1997-1
Rating: moderate
References: #1178196
Cross-References: CVE-2020-15238
Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for blueman fixes the following issues:
- Update to version 2.1.4
* CVE-2020-15238: Fixed a local denial-of-service in the D-Bus interface
(boo#1178196)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1997=1
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2020-1997=1
Package List:
- openSUSE Leap 15.2 (noarch):
blueman-lang-2.1.4-lp152.2.3.1
thunar-sendto-blueman-2.1.4-lp152.2.3.1
- openSUSE Leap 15.2 (x86_64):
blueman-2.1.4-lp152.2.3.1
blueman-debuginfo-2.1.4-lp152.2.3.1
blueman-debugsource-2.1.4-lp152.2.3.1
- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
blueman-2.1.4-bp152.2.3.1
- openSUSE Backports SLE-15-SP2 (noarch):
blueman-lang-2.1.4-bp152.2.3.1
thunar-sendto-blueman-2.1.4-bp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-15238.html
https://bugzilla.suse.com/1178196
[opensuse-security-announce] openSUSE-SU-2020:1994-1: moderate: Security update for java-11-openjdk
by opensuse-security@opensuse.org 21 Nov '20
openSUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1994-1
Rating: moderate
References: #1177943
Cross-References: CVE-2020-14779 CVE-2020-14781 CVE-2020-14782
CVE-2020-14792 CVE-2020-14796 CVE-2020-14797
CVE-2020-14798 CVE-2020-14803
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for java-11-openjdk fixes the following issues:
- Update to upstream tag jdk-11.0.9-11 (October 2020 CPU, bsc#1177943)
* New features
+ JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Other changes
+ JDK-6532025: GIF reader throws misleading exception with truncated
images
+ JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java
needs update by removing an infinite loop
+ JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java
fails
+ JDK-8062947: Fix exception message to correctly represent LDAP
connection failure
+ JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
+ JDK-8134599: TEST_BUG:
java/rmi/transport/closeServerSocket/CloseServerSocket.java fails
intermittently with Address already in use
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to
timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8160768: Add capability to custom resolve host/domain names
within the default JNDI LDAP provider
+ JDK-8172404: Tools should warn if weak algorithms are used before
restricting them
+ JDK-8193367: Annotated type variable bounds crash javac
+ JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails
intermittently: Connection reset
+ JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
+ JDK-8203281: [Windows] JComboBox change in ui when
editor.setBorder() is called
+ JDK-8203382: Rename SystemDictionary::initialize_wk_klass to
resolve_wk_klass
+ JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh
fail due to timeout
+ JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell
script tests to java
+ JDK-8204963: javax.swing.border.TitledBorder has a memory leak
+ JDK-8204994: SA might fail to attach to process with "Windbg Error:
WaitForEvent failed"
+ JDK-8205534: Remove SymbolTable dependency from serviceability agent
+ JDK-8206309: Tier1 SA tests fail
+ JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java
timed out
+ JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version
- step1
+ JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is
incorrect
+ JDK-8209342: Problemlist SA tests on Solaris due to Error attaching
to process: Can't create thread_db agent!
+ JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java
should be marked as headful
+ JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout
+ JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version
- step2
+ JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
+ JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
+ JDK-8210131:
vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java
failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected
error code
+ JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version
- step3
+ JDK-8210527: JShell: NullPointerException in
jdk.jshell.Eval.translateExceptionStack
+ JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests
+ JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with
waitForPrompt timed out after 60 seconds
+ JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify
which output is the pending reply after a timeout
+ JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version
- step4
+ JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails
to find ThreadLocalObject
+ JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test
+ JDK-8211694: JShell: Redeclared variable should be reset
+ JDK-8212200: assert when shared java.lang.Object is redefined by
JVMTI agent
+ JDK-8212629: [TEST] wrong breakpoint in
test/jdk/com/sun/jdi/DeferredStepTest
+ JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57)
- unexpected. lastLine=52, minLine=52, maxLine=55
+ JDK-8212807: tools/jar/multiRelease/Basic.java times out
+ JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when
shared java.lang.Object is redefined by JVMTI agent)
+ JDK-8213214: Set -Djava.io.tmpdir= when running tests
+ JDK-8213275: ReplaceCriticalClasses.java fails with
jdk.internal.vm.PostVMInitHook not found
+ JDK-8213574: Deadlock in string table expansion when dumping lots of
CDS classes
+ JDK-8213703: LambdaConversionException: Invalid receiver type not a
subtype of implementation type interface
+ JDK-8214074: Ghash optimization using AVX instructions
+ JDK-8214491: Upgrade to JLine 3.9.0
+ JDK-8214797: TestJmapCoreMetaspace.java timed out
+ JDK-8215243: JShell tests failing intermitently with "Problem
cleaning up the following threads:"
+ JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference
failed
+ JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash
optimization using AVX instructions)
+ JDK-8215438: jshell tool: Ctrl-D causes EOF
+ JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows
+ JDK-8216974: HttpConnection not returned to the pool after 204
response
+ JDK-8218948: SimpleDateFormat :: format - Zone Names are not
reflected correctly during run time
+ JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too
small on new Skylake CPUs
+ JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead
of aliased B&W glyphs
+ JDK-8221658: aarch64: add necessary predicate for ubfx patterns
+ JDK-8221759: Crash when completing "java.io.File.path"
+ JDK-8221918:
runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java
fails: Shared archive not found
+ JDK-8222074: Enhance auto vectorization for x86
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely
on hostname command
+ JDK-8223688: JShell: crash on the instantiation of raw anonymous
class
+ JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper
does not result in an error
+ JDK-8223940: Private key not supported by chosen signature algorithm
+ JDK-8224184: jshell got IOException at exiting with AIX
+ JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc
+ JDK-8225037: java.net.JarURLConnection::getJarEntry() throws
NullPointerException
+ JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption
optimization using AVX512 + VAES instructions
+ JDK-8226536: Catch OOM from deopt that fails rematerializing
objects
+ JDK-8226575: OperatingSystemMXBean should be made container aware
+ JDK-8226697: Several tests which need the @key headful keyword are
missing it.
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java
timed out
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails
due to "exitValue = 6"
+ JDK-8228448: Jconsole can't connect to itself
+ JDK-8228967: Trust/Key store and SSL context utilities for tests
+ JDK-8229378: jdwp library loader in linker_md.c quietly truncates on
buffer overflow
+ JDK-8229815: Upgrade Jline to 3.12.1
+ JDK-8230000: some httpclients testng tests run zero test
+ JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java
runs zero test
+ JDK-8230010: Remove jdk8037819/BasicTest1.java
+ JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary
XMLStreamWriter
+ JDK-8230402: Allocation of compile task fails with assert: "Leaking
compilation tasks?"
+ JDK-8230767: FlightRecorderListener returns null recording
+ JDK-8230870: (zipfs) Add a ZIP FS test that is similar to
test/jdk/java/util/zip/EntryCount64k.java
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be
quicker for self thread
+ JDK-8231586: enlarge encoding space for OopMapValue offsets
+ JDK-8231953: Wrong assumption in assertion in
oop::register_oop
+ JDK-8231968: getCurrentThreadAllocatedBytes default implementation
s/b getThreadAllocatedBytes
+ JDK-8232083: Minimal VM is broken after JDK-8231586
+ JDK-8232161: Align some one-way conversion in MS950 charset with
Windows
+ JDK-8232855: jshell missing word in /help help
+ JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration
+ JDK-8233228: Disable weak named curves by default in TLS, CertPath,
and Signed JAR
+ JDK-8233386: Initialize NULL fields for unused decorations
+ JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR
results in incorrect result
+ JDK-8233686: XML transformer uses excessive amount of memory
+ JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 +
VAES instructions
+ JDK-8233829: javac cannot find non-ASCII module name under non-UTF8
environment
+ JDK-8233958: Memory retention due to HttpsURLConnection finalizer
that serves no purpose
+ JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
+ JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java
fails with 'Narrow klass base: 0x0000000000000000' missing from
stdout/stderr
+ JDK-8234149: Several regression tests do not dispose Frame at end
+ JDK-8234347: "Turkey" meta time zone does not generate composed
localized names
+ JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java
fails in linux nightly
+ JDK-8234535: Cross compilation fails due to missing CFLAGS for the
BUILD_CC
+ JDK-8234541: C1 emits an empty message when it inlines successfully
+ JDK-8234687: change javap reporting on unknown attributes
+ JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11
+ JDK-8236548: Localized time zone name inconsistency between English
and other locales
+ JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java
fails after 8226575
+ JDK-8237182: Update copyright header for shenandoah and epsilon files
+ JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
fails when checking validity interval
+ JDK-8237977: Further update
javax/net/ssl/compatibility/Compatibility.java
+ JDK-8238270: java.net HTTP/2 client does not decrease stream count
when receives 204 response
+ JDK-8238284: [macos] Zero VM build fails due to an obvious typo
+ JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple
definition" link errors with GCC10
+ JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple
definition" link errors with GCC10
+ JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors
with GCC10
+ JDK-8238448: RSASSA-PSS signature verification fail when using
certain odd key sizes
+ JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with
non-zero code
+ JDK-8239083: C1 assert(known_holder == NULL ||
(known_holder->is_instance_klass() && (!known_holder->is_interface()
||
((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())),
"should be non-static concrete method");
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8240169: javadoc fails to link to non-modular api docs
+ JDK-8240295: hs_err elapsed time in seconds is not accurate enough
+ JDK-8240360: NativeLibraryEvent has wrong library name on Linux
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ JDK-8241065: Shenandoah: remove leftover code after JDK-8231086
+ JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on
32bit Windows
+ JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier:
java.lang.NullPointerException
+ JDK-8241138: http.nonProxyHosts=* causes
StringIndexOutOfBoundsException in DefaultProxySelector
+ JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
+ JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java
fails with OOME
+ JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8242184: CRL generation error with RSASSA-PSS
+ JDK-8242283: Can't start JVM when java home path includes non-ASCII
character
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null params
from byte array
+ JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java
with a flexible interop test framework
+ JDK-8243138: Enhance BaseLdapServer to support starttls extended
request
+ JDK-8243320: Add SSL root certificates to Oracle Root CA program
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
+ JDK-8243389: enhance os::pd_print_cpu_info on linux
+ JDK-8243453: java --describe-module failed with non-ASCII module
name under non-UTF8 environment
+ JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+ JDK-8243489: Thread CPU Load event may contain wrong data for CPU
time under certain conditions
+ JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI
screens (Windows)
+ JDK-8244087: 2020-04-24 public suffix list update
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release
1.8.26
+ JDK-8244164: AArch64: jaotc generates incorrect code for compressed
OOPs with non-zero heap base
+ JDK-8244196: adjust output in os_linux
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8244287: JFR: Methods samples have line number 0
+ JDK-8244703: "platform encoding not initialized" exceptions with
debugger, JNI
+ JDK-8244719: CTW: C2 compilation fails with
"assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node
from hash table before modifying it"
+ JDK-8244729: Shenandoah: remove resolve paths from
SBSA::generate_shenandoah_lrb
+ JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
+ JDK-8244818: Java2D Queue Flusher crash while moving application
window to external monitor
+ JDK-8245151: jarsigner should not raise duplicate warnings on
verification
+ JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
+ JDK-8245714: "Bad graph detected in build_loop_late" when loads are
pinned on loop limit check uncommon branch
+ JDK-8245801: StressRecompilation triggers assert "redundunt OSR
recompilation detected. memory leak in CodeCache!"
+ JDK-8245832: JDK build make-static-libs should build all JDK
libraries
+ JDK-8245880: Shenandoah: check class unloading flag early in
concurrent code root scan
+ JDK-8245981: Upgrade to jQuery 3.5.1
+ JDK-8246027: Minimal fastdebug build broken after JDK-8245801
+ JDK-8246094: [macos] Sound Recording and playback is not working
+ JDK-8246153: TestEliminateArrayCopy fails with
-XX:+StressReflectiveCode
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
+ JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails
with AssertionError
+ JDK-8246203: Segmentation fault in verification due to stack
overflow with -XX:+VerifyIterativeGVN
+ JDK-8246330: Add TLS Tests for Legacy ECDSA curves
+ JDK-8246453: TestClone crashes with "all collected exceptions must
come from the same place"
+ JDK-8247246: Add explicit ResolvedJavaType.link and expose presence
of default methods
+ JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
+ JDK-8247502: PhaseStringOpts crashes while optimising effectively
dead code
+ JDK-8247615: Initialize the bytes left for the heap sampler
+ JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in
SBC2Support::pin_and_expand
+ JDK-8247874: Replacement in VersionProps.java.template not working
when --with-vendor-bug-url contains '&'
+ JDK-8247979: aarch64: missing side effect of killing flags for
clearArray_reg_reg
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing
cache contention
+ JDK-8248219: aarch64: missing memory barrier in fast_storefield and
fast_accessfield
+ JDK-8248348: Regression caused by the update to BCEL 6.0
+ JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1
+ JDK-8248495: [macos] zerovm is broken due to libffi headers location
+ JDK-8248851: CMS: Missing memory fences between free chunk check and
klass read
+ JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows
+ JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650
+ JDK-8249215: JFrame::setVisible crashed with
-Dfile.encoding=UTF-8 on Japanese Windows.
+ JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not
highlighted in GTKLookAndFeel
+ JDK-8249255: Build fails if source code in cygwin home dir
+ JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in
OpenJDK 11
+ JDK-8249278: Revert JDK-8226253 which breaks the spec of
AccessibleState.SHOWING for JList
+ JDK-8249560: Shenandoah: Fix racy GC request handling
+ JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
+ JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account
for corner cases
+ JDK-8250582: Revert Principal Name type to NT-UNKNOWN when
requesting TGS Kerberos tickets
+ JDK-8250609: C2 crash in IfNode::fold_compares
+ JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling
Java container metrics
+ JDK-8250755: Better cleanup for
jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
+ JDK-8250787: Provider.put no longer registering aliases in FIPS env
+ JDK-8250826: jhsdb does not work with coredump which comes from
Substrate VM
+ JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead
count before/after parallel walk
+ JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the
bounds
+ JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+ JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test
failure
+ JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+ JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
+ JDK-8251487: Shenandoah: missing detail timing tracking for final
mark cleaning phase
+ JDK-8252120: compiler/oracle/TestCompileCommand.java misspells
"occured"
+ JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
+ JDK-8252258: [11u] JDK-8242154 changes the default vendor
+ JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport
of 8234011
+ JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK
11
+ JDK-8253283: [11u] Test build/translations/VerifyTranslations.java
failing after JDK-8252258
+ JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
+ Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)"
introduced in jdk 11.0.9
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1994=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
java-11-openjdk-11.0.9.0-lp152.2.6.2
java-11-openjdk-accessibility-11.0.9.0-lp152.2.6.2
java-11-openjdk-accessibility-debuginfo-11.0.9.0-lp152.2.6.2
java-11-openjdk-debuginfo-11.0.9.0-lp152.2.6.2
java-11-openjdk-debugsource-11.0.9.0-lp152.2.6.2
java-11-openjdk-demo-11.0.9.0-lp152.2.6.2
java-11-openjdk-devel-11.0.9.0-lp152.2.6.2
java-11-openjdk-headless-11.0.9.0-lp152.2.6.2
java-11-openjdk-jmods-11.0.9.0-lp152.2.6.2
java-11-openjdk-src-11.0.9.0-lp152.2.6.2
- openSUSE Leap 15.2 (noarch):
java-11-openjdk-javadoc-11.0.9.0-lp152.2.6.2
References:
https://www.suse.com/security/cve/CVE-2020-14779.html
https://www.suse.com/security/cve/CVE-2020-14781.html
https://www.suse.com/security/cve/CVE-2020-14782.html
https://www.suse.com/security/cve/CVE-2020-14792.html
https://www.suse.com/security/cve/CVE-2020-14796.html
https://www.suse.com/security/cve/CVE-2020-14797.html
https://www.suse.com/security/cve/CVE-2020-14798.html
https://www.suse.com/security/cve/CVE-2020-14803.html
https://bugzilla.suse.com/1177943

[opensuse-security-announce] openSUSE-SU-2020:1993-1: important: Security update for rmt-server
by opensuse-security@opensuse.org 21 Nov '20
openSUSE Security Update: Security update for rmt-server
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1993-1
Rating: important
References: #1165548 #1168554 #1172177 #1172182 #1172184
#1172186 #1173351
Cross-References: CVE-2019-16770 CVE-2019-5418 CVE-2019-5419
CVE-2019-5420 CVE-2020-11076 CVE-2020-11077
CVE-2020-15169 CVE-2020-5247 CVE-2020-5249
CVE-2020-5267 CVE-2020-8164 CVE-2020-8165
CVE-2020-8166 CVE-2020-8167 CVE-2020-8184
CVE-2020-8185
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for rmt-server fixes the following issues:
Update to version 2.6.5:
- Solved potential bug of SCC repository URLs changing over time. RMT now
self heals by removing the previous invalid repository and creating the
correct one.
- Add web server settings to /etc/rmt.conf: it is now possible to configure
the minimum and maximum thread count as well as the number of web server
workers to be booted through /etc/rmt.conf.
- Instead of using an MD5 of URLs for custom repository friendly_ids, RMT
now builds an ID from the name.
- Fix RMT file caching based on timestamps: Previously, RMT sent GET
requests with the header 'If-Modified-Since' to a repository server and
if the response had a 304 (Not Modified), it would copy a file from the
local cache instead of downloading. However, if the local file timestamp
accidentally changed to a date newer than the one on the repository
server, RMT would have an outdated file, which caused some errors. Now,
RMT makes HEAD requests to the repository servers and inspects the
'Last-Modified' header to decide whether to download a file or copy it
from cache, by comparing the timestamps for equality.
- Fixed an issue where relative paths supplied to `rmt-cli import repos`
caused the command to fail.
- Friendlier IDs for custom repositories: In an effort to simplify the
handling of SCC and custom repositories, RMT now has friendly IDs. For
SCC repositories, it's the same SCC ID as before. For custom
repositories, it can either be user provided
or RMT generated (MD5 of the provided URL). Benefits:
* `rmt-cli mirror repositories` now works for custom repositories.
* Custom repository IDs can be the same across RMT instances.
* No more confusing "SCC ID" vs "ID" in `rmt-cli` output.
Deprecation Warnings:
* RMT now uses a different ID for custom repositories than before. RMT
still supports that old ID, but it's recommended to start using the
new ID to ensure future compatibility.
- Updated rails and puma dependencies for security fixes.
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1993=1
Package List:
- openSUSE Leap 15.2 (x86_64):
rmt-server-2.6.5-lp152.2.3.1
rmt-server-config-2.6.5-lp152.2.3.1
rmt-server-debuginfo-2.6.5-lp152.2.3.1
rmt-server-debugsource-2.6.5-lp152.2.3.1
rmt-server-pubcloud-2.6.5-lp152.2.3.1
References:
https://www.suse.com/security/cve/CVE-2019-16770.html
https://www.suse.com/security/cve/CVE-2019-5418.html
https://www.suse.com/security/cve/CVE-2019-5419.html
https://www.suse.com/security/cve/CVE-2019-5420.html
https://www.suse.com/security/cve/CVE-2020-11076.html
https://www.suse.com/security/cve/CVE-2020-11077.html
https://www.suse.com/security/cve/CVE-2020-15169.html
https://www.suse.com/security/cve/CVE-2020-5247.html
https://www.suse.com/security/cve/CVE-2020-5249.html
https://www.suse.com/security/cve/CVE-2020-5267.html
https://www.suse.com/security/cve/CVE-2020-8164.html
https://www.suse.com/security/cve/CVE-2020-8165.html
https://www.suse.com/security/cve/CVE-2020-8166.html
https://www.suse.com/security/cve/CVE-2020-8167.html
https://www.suse.com/security/cve/CVE-2020-8184.html
https://www.suse.com/security/cve/CVE-2020-8185.html
https://bugzilla.suse.com/1165548
https://bugzilla.suse.com/1168554
https://bugzilla.suse.com/1172177
https://bugzilla.suse.com/1172182
https://bugzilla.suse.com/1172184
https://bugzilla.suse.com/1172186
https://bugzilla.suse.com/1173351
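The file-caching change described in the rmt-server announcement above, as an added example that is not RMT's own code: it models a repository server with a constructed in-memory file table (no real HTTP), implements the previous 'If-Modified-Since' strategy beside the fixed 'HEAD + Last-Modified equality' strategy, and reproduces the failure mode where the local file's timestamp drifts past the repository's while the repository content has actually changed. The server class, the cache layout and the file path are assumptions made for the example.

```python
"""Cache-freshness check modelled on the RMT fix (added example, not RMT code)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


class FakeRepoServer:
    """Constructed stand-in for a repository server. Assumption: it answers
    HEAD with a Last-Modified header and honours If-Modified-Since on GET
    the way a typical HTTP server does."""

    def __init__(self, files):
        # files: {path: (last_modified: aware UTC datetime, content: bytes)}
        self.files = files

    def head(self, path):
        mtime, _ = self.files[path]
        return {"Last-Modified": format_datetime(mtime, usegmt=True)}

    def get(self, path, if_modified_since=None):
        mtime, content = self.files[path]
        if if_modified_since is not None and mtime <= if_modified_since:
            return 304, {}, b""
        return 200, {"Last-Modified": format_datetime(mtime, usegmt=True)}, content


def fetch_old_way(server, path, cache):
    """Previous behaviour: trust the local file's timestamp by sending it as
    If-Modified-Since and reuse the cached copy on 304."""
    local = cache.get(path)
    ims = local["mtime"] if local else None
    status, headers, body = server.get(path, if_modified_since=ims)
    if status == 304:
        return "cache", local["content"]
    cache[path] = {"mtime": parsedate_to_datetime(headers["Last-Modified"]),
                   "content": body}
    return "download", body


def fetch_new_way(server, path, cache):
    """Fixed behaviour: ask HEAD for Last-Modified and reuse the cached copy
    only when the remote timestamp equals the cached one exactly."""
    remote_mtime = parsedate_to_datetime(server.head(path)["Last-Modified"])
    local = cache.get(path)
    if local and local["mtime"] == remote_mtime:
        return "cache", local["content"]
    _, _, body = server.get(path)
    cache[path] = {"mtime": remote_mtime, "content": body}
    return "download", body


def stale_cache_scenario():
    """Failure mode from the announcement: the local timestamp is bumped to a
    date newer than the repository's although the repository published new
    content. Returns ((source, content) old way, (source, content) new way)."""
    t0 = datetime(2020, 11, 1, tzinfo=timezone.utc)
    path = "/repo/primary.xml"  # constructed path
    server = FakeRepoServer({path: (t0, b"v1")})
    cache = {}
    fetch_old_way(server, path, cache)  # populate the cache with v1

    # The repository publishes v2 one day later ...
    server.files[path] = (t0 + timedelta(days=1), b"v2")
    # ... but the local file's timestamp was accidentally moved even later.
    cache[path]["mtime"] = t0 + timedelta(days=5)

    old_cache = {k: dict(v) for k, v in cache.items()}
    new_cache = {k: dict(v) for k, v in cache.items()}
    return (fetch_old_way(server, path, old_cache),
            fetch_new_way(server, path, new_cache))


def unchanged_scenario():
    """Control case: nothing changed on either side, so both strategies
    serve from cache. Returns (source old way, source new way)."""
    t0 = datetime(2020, 11, 1, tzinfo=timezone.utc)
    path = "/repo/primary.xml"
    server = FakeRepoServer({path: (t0, b"v1")})
    cache = {}
    fetch_new_way(server, path, cache)
    return (fetch_old_way(server, path, cache)[0],
            fetch_new_way(server, path, cache)[0])


if __name__ == "__main__":
    old, new = stale_cache_scenario()
    print("If-Modified-Since strategy: ", old)  # ('cache', b'v1'), stale
    print("HEAD/Last-Modified strategy:", new)  # ('download', b'v2')
```

The old strategy returns a 304 because the server only checks whether its copy is older than the date the client sent, so a locally bumped timestamp silently pins a stale file; comparing the two timestamps for equality, as the fix does, treats any difference as a reason to download again.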

[opensuse-security-announce] openSUSE-SU-2020:1988-1: moderate: Security update for python
by opensuse-security@opensuse.org 21 Nov '20
openSUSE Security Update: Security update for python
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:1988-1
Rating: moderate
References: #1177211
Cross-References: CVE-2020-26116
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python fixes the following issues:
- bsc#1177211 (CVE-2020-26116): no longer allow special characters in the
method parameter of HTTPConnection.putrequest in httplib, stopping
injection of headers.
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-1988=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
libpython2_7-1_0-2.7.17-lp152.3.6.2
libpython2_7-1_0-debuginfo-2.7.17-lp152.3.6.2
python-2.7.17-lp152.3.6.1
python-base-2.7.17-lp152.3.6.2
python-base-debuginfo-2.7.17-lp152.3.6.2
python-base-debugsource-2.7.17-lp152.3.6.2
python-curses-2.7.17-lp152.3.6.1
python-curses-debuginfo-2.7.17-lp152.3.6.1
python-debuginfo-2.7.17-lp152.3.6.1
python-debugsource-2.7.17-lp152.3.6.1
python-demo-2.7.17-lp152.3.6.1
python-devel-2.7.17-lp152.3.6.2
python-gdbm-2.7.17-lp152.3.6.1
python-gdbm-debuginfo-2.7.17-lp152.3.6.1
python-idle-2.7.17-lp152.3.6.1
python-tk-2.7.17-lp152.3.6.1
python-tk-debuginfo-2.7.17-lp152.3.6.1
python-xml-2.7.17-lp152.3.6.2
python-xml-debuginfo-2.7.17-lp152.3.6.2
- openSUSE Leap 15.2 (x86_64):
libpython2_7-1_0-32bit-2.7.17-lp152.3.6.2
libpython2_7-1_0-32bit-debuginfo-2.7.17-lp152.3.6.2
python-32bit-2.7.17-lp152.3.6.1
python-32bit-debuginfo-2.7.17-lp152.3.6.1
python-base-32bit-2.7.17-lp152.3.6.2
python-base-32bit-debuginfo-2.7.17-lp152.3.6.2
- openSUSE Leap 15.2 (noarch):
python-doc-2.7.17-lp152.3.6.1
python-doc-pdf-2.7.17-lp152.3.6.1
References:
https://www.suse.com/security/cve/CVE-2020-26116.html
https://bugzilla.suse.com/1177211
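The shape of the putrequest hardening described in the python announcement above, as an added example that is neither CPython's nor SUSE's patch: it shows the defect (a caller-supplied method string interpolated into the request line unchecked) beside a hardened builder that accepts only an RFC 7230 token as the method. The token rule used here is an assumption for the example and is stricter than merely rejecting ASCII control characters; the function names are constructed for the example, and the sample method strings are constructed inputs. Written for Python 3 although the patched package is Python 2.7.

```python
"""Request-line hardening modelled on the CVE-2020-26116 fix (added example)."""
import re

# RFC 7230 "token": one or more tchar. Spaces, CR, LF, other control
# characters and non-ASCII bytes are not tchar and are rejected.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_method(method: str) -> bool:
    """True if `method` is a syntactically valid HTTP token."""
    return _TOKEN_RE.fullmatch(method) is not None


def build_request_line_unchecked(method: str, url: str) -> bytes:
    """Vulnerable form: whatever the caller passes is interpolated into the
    request line, so a CR/LF inside `method` terminates the request line
    early and the remainder is read as an extra header."""
    return f"{method} {url} HTTP/1.1\r\n".encode("ascii")


def build_request_line(method: str, url: str) -> bytes:
    """Hardened form: refuse anything that is not a token before it can
    reach the wire, which is the shape of the putrequest fix."""
    if not is_valid_method(method):
        raise ValueError(
            f"method can't contain control characters or delimiters: {method!r}")
    return build_request_line_unchecked(method, url)


def line_count(request_bytes: bytes) -> int:
    """Number of CRLF-terminated lines; more than one means the request
    line was split, i.e. a header was injected."""
    return request_bytes.count(b"\r\n")


def is_rejected(method: str, url: str = "/") -> bool:
    """True if the hardened builder refuses `method`."""
    try:
        build_request_line(method, url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a method string carrying an embedded CRLF.
    bad = "GET\r\nX-Constructed: 1"
    print("unchecked lines:", line_count(build_request_line_unchecked(bad, "/")))  # 2
    print("hardened rejects:", is_rejected(bad))  # True
    print(build_request_line("POST", "/api"))  # b'POST /api HTTP/1.1\r\n'
```

The check belongs at the API boundary (where putrequest receives the method), not in the caller, because every caller that concatenates untrusted input into a method name would otherwise have to remember it; `fullmatch` is used rather than `match` so that nothing after a valid prefix can slip through.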