openSUSE Updates
[opensuse-updates] openSUSE-SU-2020:2048-1: moderate: Security update for java-1_8_0-openjdk
by opensuse-security@opensuse.org 26 Nov '20
openSUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2048-1
Rating: moderate
References: #1174157 #1177943
Cross-References: CVE-2020-14556 CVE-2020-14577 CVE-2020-14578
                  CVE-2020-14579 CVE-2020-14581 CVE-2020-14583
                  CVE-2020-14593 CVE-2020-14621 CVE-2020-14779
                  CVE-2020-14781 CVE-2020-14782 CVE-2020-14792
                  CVE-2020-14796 CVE-2020-14797 CVE-2020-14798
                  CVE-2020-14803
Affected Products:
                  openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression "8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)",
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU, bsc#1174157,
and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java and
some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling NaN
coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to "Connection succeeded"
+ JDK-8165675: Trace event for thread park has incorrect unit for
timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on missing
events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight Recorder)
+ JDK-8203346: JFR: Inconsistent signature of jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created with JFR
StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD 1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events signatures
mismatch
+ JDK-8212232: Wrong metadata for the configuration of the cutoff for
old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close resources when
Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by test
+ JDK-8213966: The ZGC JFR events should be marked as experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap in
debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java fails with
UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding the
monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/ /RuntimeThreadInheritanceLeak.java
failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some systems
due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed: invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when buttons
are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get notified
when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI VMInit
and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails "assert((((klass)->trace_id() &
(JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0)) failed:
invariant"
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if "awt.robot.gtk" is
set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on unix
misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out the
package-info
+ JDK-8236008: Some backup files were accidentally left in the hotspot
tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if validity is
set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there
are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if compressed
class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of JDK-8223147 (JFR
Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation in
java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with "U.S. International - PC" layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF JAVA
PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not preserve
original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add ReleasePrimitiveArrayCritical call
in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux when
_JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion() returns
wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't throw
NPE if timeout is less than, or equal to zero when unit == null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification() does
not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java
causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision higher
than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is expiring in
May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring in May
2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better ForkJoinPool
behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct compilers not
to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent strtok_s() in
DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with access
to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary public
+ JDK-8156169: Some sound tests rarely hangs because of incorrect
synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching timezone
info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java throws
error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows network
coding
+ JDK-8211714: Need to update vm_version.cpp to recognise VS2017 minor
versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful keyword are
missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly truncates on
buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N) return
NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to missing
narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with "malformed control flow"
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property
with a security one
+ JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM
crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for CPU
time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving application
window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry and
PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures for
October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys) method
public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class name in
detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by
JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart card
data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java fails
with compiler.whitebox.SimpleTestCaseHelper(int) must be compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of "initialize" method is not used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in RuntimeException- input
length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message when it
cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
"multiple definition" link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/ /SctpNet.c
"multiple definition" link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o "multiple definition"
link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null params
from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG: javax/sound/sampled/Clip/bug5070081.java
fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests fail with
error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk check and
klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK 11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR exception on
OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls extended
request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/ /LimitSharedSizes.java
fails in jdk 9 fcs new platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the hours
during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does not
return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in docker
container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with incompatible
handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
+ JDK-8249158: THREAD_START and THREAD_END event posted in primordial
phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling
Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11 v2.40
support
+ JDK-8160768: Add capability to custom resolve host/domain names
within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions() not
working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated buffer
can leak
+ JDK-8219919: RuntimeStub name lost with PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property name
+ JDK-8238898, PR3801: Missing hash characters for header on license
file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release
1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello message by
default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is set to
either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent LDAP
connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to
timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java : Compilation
failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed by the
fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when JTable
contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several client
tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during the hunt
for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a program
to generate native nio constants
+ JDK-8152680, PR3806: Regression in GlyphVector.getGlyphCharIndex
behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from JDK
sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after Cipher.doFinal
and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by passing NULL
to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support the
same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add TLSv1.3
implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has fixed
its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of roots
+ [backport] 8223774: Shenandoah: Refactor ShenandoahRootProcessor and
family
+ [backport] 8224210: Shenandoah: Refactor ShenandoahRootScanner to
support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots in final
mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should select
proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't work
for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to ensure
roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover assert(is_in(...))
with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all roots
most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses some
weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to cooperate with
JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark nmethod's
metadata
+ [backport] 8240671: Shenandoah: refactor ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and mentions
of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions from
start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init mark
tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects paths
after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger "empty
statement" inspection
+ [backport] 8241081: Shenandoah: Do not modify update-watermark
concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work exactly
to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel reference
processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
"aggressive"
+ [backport] 8241520: Shenandoah: simplify region sequence numbers
handling
+ [backport] 8241534: Shenandoah: region status should include update
watermark
+ [backport] 8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not derive
from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold ShenandoahKeepAliveBarrier flag
into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS methods
+ [backport] 8241838: Shenandoah: no need to trash cset during final
mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions to cache
lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should account
evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split "Prepare Evacuation" tracking
into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be summed
up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap region
walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state when
adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be aligned by
os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU barriers,
but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert in SATB
slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region liveness
handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of jushort for
liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update TAMS
optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should wait for
a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in time
order
+ [backport] 8243465: Shenandoah: ditch unused pause_other, conc_other
counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and related code
+ [backport] 8243848: Shenandoah: Windows build fails after JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain worker
data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not accept
bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state takes
loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode to
ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set bitmap at
lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more efficient
encoding
+ [backport] 8245726: Shenandoah: lift/cleanup ShenandoahHeuristics
names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not disable
heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure after
JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers for
stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code roots
when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect interrupt
status
+ [backport] 8247358: Shenandoah: reconsider free budget slice for
marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock instead of
exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root locks all
the time
+ [backport] 8247593: Shenandoah: should not block pacing reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by heuristics to
improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in rich
assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may miss
some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may assume no
forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests should
account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and
JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java generates
guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp in
frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall fails
with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java fails
on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for ubfx
patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing flags
for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2048=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
java-1_8_0-openjdk-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-accessibility-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-debuginfo-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-debugsource-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-demo-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-demo-debuginfo-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-devel-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-devel-debuginfo-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-headless-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-headless-debuginfo-1.8.0.272-lp151.2.15.1
java-1_8_0-openjdk-src-1.8.0.272-lp151.2.15.1
- openSUSE Leap 15.1 (noarch):
java-1_8_0-openjdk-javadoc-1.8.0.272-lp151.2.15.1
References:
https://www.suse.com/security/cve/CVE-2020-14556.html
https://www.suse.com/security/cve/CVE-2020-14577.html
https://www.suse.com/security/cve/CVE-2020-14578.html
https://www.suse.com/security/cve/CVE-2020-14579.html
https://www.suse.com/security/cve/CVE-2020-14581.html
https://www.suse.com/security/cve/CVE-2020-14583.html
https://www.suse.com/security/cve/CVE-2020-14593.html
https://www.suse.com/security/cve/CVE-2020-14621.html
https://www.suse.com/security/cve/CVE-2020-14779.html
https://www.suse.com/security/cve/CVE-2020-14781.html
https://www.suse.com/security/cve/CVE-2020-14782.html
https://www.suse.com/security/cve/CVE-2020-14792.html
https://www.suse.com/security/cve/CVE-2020-14796.html
https://www.suse.com/security/cve/CVE-2020-14797.html
https://www.suse.com/security/cve/CVE-2020-14798.html
https://www.suse.com/security/cve/CVE-2020-14803.html
https://bugzilla.suse.com/1174157
https://bugzilla.suse.com/1177943
[opensuse-updates] openSUSE-OU-2020:2044-1: Optional update for brp-check-suse
by maintenance@opensuse.org 26 Nov '20
openSUSE Optional Update: Optional update for brp-check-suse
______________________________________________________________________________
Announcement ID: openSUSE-OU-2020:2044-1
Rating: low
References: #1074711
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that has one optional fix can now be installed.
Description:
This update for brp-check-suse doesn't fix any runtime specific errors,
but improves the packaging related build procedure (bsc#1074711)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Optional Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2044=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
brp-check-suse-84.87+git20181106.224b37d-lp151.3.6.1
References:
https://bugzilla.suse.com/1074711
[opensuse-updates] openSUSE-SU-2020:2053-1: moderate: Security update for wpa_supplicant
by opensuse-security@opensuse.org 26 Nov '20
openSUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2053-1
Rating: moderate
References: #1131644 #1131868 #1131870 #1131871 #1131872
#1131874 #1133640 #1144443 #1150934 #1156920
#1166933 #1167331 #930077 #930078 #930079
Cross-References: CVE-2015-4141 CVE-2015-4142 CVE-2015-4143
CVE-2015-8041 CVE-2017-13077 CVE-2017-13078
CVE-2017-13079 CVE-2017-13080 CVE-2017-13081
CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088 CVE-2018-14526 CVE-2019-11555
CVE-2019-13377 CVE-2019-16275 CVE-2019-9494
CVE-2019-9495 CVE-2019-9497 CVE-2019-9498
CVE-2019-9499
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes 22 vulnerabilities is now available.
Description:
This update for wpa_supplicant fixes the following issues:
Security issue fixed:
- CVE-2019-16275: Fixed an AP mode PMF disconnection protection bypass
(bsc#1150934).
Non-security issues fixed:
- Enable SAE support (jsc#SLE-14992).
- Limit P2P_DEVICE name to appropriate ifname size.
- Fix wicked wlan (bsc#1156920)
- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)
- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete
(bsc#1167331)
- Fix WLAN config on boot with wicked. (bsc#1166933)
- Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled with
ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium to
ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation
guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element [https://w1.fi/security/2019-4/]
(CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872,
bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one AP
supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation (CONFIG_OCV=y and
network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support SAE,
FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM encoded
certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK 4-way
handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically for
PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux kernel
macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with Linux
4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the WPA2
PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE; note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be updated at the same time to
maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- Changed service-files for start after network (systemd-networkd).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2053=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
wpa_supplicant-2.9-lp151.5.10.1
wpa_supplicant-debuginfo-2.9-lp151.5.10.1
wpa_supplicant-debugsource-2.9-lp151.5.10.1
wpa_supplicant-gui-2.9-lp151.5.10.1
wpa_supplicant-gui-debuginfo-2.9-lp151.5.10.1
References:
https://www.suse.com/security/cve/CVE-2015-4141.html
https://www.suse.com/security/cve/CVE-2015-4142.html
https://www.suse.com/security/cve/CVE-2015-4143.html
https://www.suse.com/security/cve/CVE-2015-8041.html
https://www.suse.com/security/cve/CVE-2017-13077.html
https://www.suse.com/security/cve/CVE-2017-13078.html
https://www.suse.com/security/cve/CVE-2017-13079.html
https://www.suse.com/security/cve/CVE-2017-13080.html
https://www.suse.com/security/cve/CVE-2017-13081.html
https://www.suse.com/security/cve/CVE-2017-13082.html
https://www.suse.com/security/cve/CVE-2017-13086.html
https://www.suse.com/security/cve/CVE-2017-13087.html
https://www.suse.com/security/cve/CVE-2017-13088.html
https://www.suse.com/security/cve/CVE-2018-14526.html
https://www.suse.com/security/cve/CVE-2019-11555.html
https://www.suse.com/security/cve/CVE-2019-13377.html
https://www.suse.com/security/cve/CVE-2019-16275.html
https://www.suse.com/security/cve/CVE-2019-9494.html
https://www.suse.com/security/cve/CVE-2019-9495.html
https://www.suse.com/security/cve/CVE-2019-9497.html
https://www.suse.com/security/cve/CVE-2019-9498.html
https://www.suse.com/security/cve/CVE-2019-9499.html
https://bugzilla.suse.com/1131644
https://bugzilla.suse.com/1131868
https://bugzilla.suse.com/1131870
https://bugzilla.suse.com/1131871
https://bugzilla.suse.com/1131872
https://bugzilla.suse.com/1131874
https://bugzilla.suse.com/1133640
https://bugzilla.suse.com/1144443
https://bugzilla.suse.com/1150934
https://bugzilla.suse.com/1156920
https://bugzilla.suse.com/1166933
https://bugzilla.suse.com/1167331
https://bugzilla.suse.com/930077
https://bugzilla.suse.com/930078
https://bugzilla.suse.com/930079
[opensuse-updates] openSUSE-RU-2020:2042-1: Recommended update for bind
by maintenance@opensuse.org 26 Nov '20
openSUSE Recommended Update: Recommended update for bind
______________________________________________________________________________
Announcement ID: openSUSE-RU-2020:2042-1
Rating: low
References: #1177983
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for bind fixes the following issue:
- Build the "Administrator Reference Manual" which is built using
python3-Sphinx (bsc#1177983)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2042=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
bind-9.16.6-lp151.11.15.1
bind-chrootenv-9.16.6-lp151.11.15.1
bind-debuginfo-9.16.6-lp151.11.15.1
bind-debugsource-9.16.6-lp151.11.15.1
bind-devel-9.16.6-lp151.11.15.1
bind-utils-9.16.6-lp151.11.15.1
bind-utils-debuginfo-9.16.6-lp151.11.15.1
libbind9-1600-9.16.6-lp151.11.15.1
libbind9-1600-debuginfo-9.16.6-lp151.11.15.1
libdns1605-9.16.6-lp151.11.15.1
libdns1605-debuginfo-9.16.6-lp151.11.15.1
libirs-devel-9.16.6-lp151.11.15.1
libirs1601-9.16.6-lp151.11.15.1
libirs1601-debuginfo-9.16.6-lp151.11.15.1
libisc1606-9.16.6-lp151.11.15.1
libisc1606-debuginfo-9.16.6-lp151.11.15.1
libisccc1600-9.16.6-lp151.11.15.1
libisccc1600-debuginfo-9.16.6-lp151.11.15.1
libisccfg1600-9.16.6-lp151.11.15.1
libisccfg1600-debuginfo-9.16.6-lp151.11.15.1
libns1604-9.16.6-lp151.11.15.1
libns1604-debuginfo-9.16.6-lp151.11.15.1
- openSUSE Leap 15.1 (noarch):
bind-doc-9.16.6-lp151.11.15.1
python3-bind-9.16.6-lp151.11.15.1
- openSUSE Leap 15.1 (x86_64):
bind-devel-32bit-9.16.6-lp151.11.15.1
libbind9-1600-32bit-9.16.6-lp151.11.15.1
libbind9-1600-32bit-debuginfo-9.16.6-lp151.11.15.1
libdns1605-32bit-9.16.6-lp151.11.15.1
libdns1605-32bit-debuginfo-9.16.6-lp151.11.15.1
libirs1601-32bit-9.16.6-lp151.11.15.1
libirs1601-32bit-debuginfo-9.16.6-lp151.11.15.1
libisc1606-32bit-9.16.6-lp151.11.15.1
libisc1606-32bit-debuginfo-9.16.6-lp151.11.15.1
libisccc1600-32bit-9.16.6-lp151.11.15.1
libisccc1600-32bit-debuginfo-9.16.6-lp151.11.15.1
libisccfg1600-32bit-9.16.6-lp151.11.15.1
libisccfg1600-32bit-debuginfo-9.16.6-lp151.11.15.1
libns1604-32bit-9.16.6-lp151.11.15.1
libns1604-32bit-debuginfo-9.16.6-lp151.11.15.1
References:
https://bugzilla.suse.com/1177983
[opensuse-updates] openSUSE-SU-2020:2039-1: moderate: Security update for podman
by opensuse-security@opensuse.org 26 Nov '20
openSUSE Security Update: Security update for podman
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2039-1
Rating: moderate
References: #1176804 #1178122 #1178392
Cross-References: CVE-2020-14370
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for podman fixes the following issues:
Security issue fixed:
- This release resolves CVE-2020-14370, in which environment variables
could be leaked between containers created using the Varlink API
(bsc#1176804).
Non-security issues fixed:
- add dependency to timezone package or podman fails to build a container
(bsc#1178122)
- Install new auto-update system units
- Update to v2.1.1 (bsc#1178392):
* Changes
- The `podman info` command now includes the cgroup manager Podman is
using.
* API
- The REST API now includes a Server header in all responses.
- Fixed a bug where the Libpod and Compat Attach endpoints could
terminate early, before sending all output from the container.
- Fixed a bug where the Compat Create endpoint for containers did not
properly handle the Interactive parameter.
- Fixed a bug where the Compat Kill endpoint for containers could
continue to run after a fatal error.
- Fixed a bug where the Limit parameter of the Compat List endpoint
for Containers did not properly handle a limit of 0 (returning
nothing, instead of all containers) [#7722].
- The Libpod Stats endpoint for containers is being deprecated and
will be replaced by a similar endpoint with additional features in a
future release.
- Changes in v2.1.0
* Features
- A new command, `podman image mount`, has been added. This allows for
an image to be mounted, read-only, to inspect its contents without
creating a container from it [#1433].
- The `podman save` and `podman load` commands can now create and load
archives containing multiple images [#2669].
- Rootless Podman now supports all `podman network` commands, and
rootless containers can now be joined to networks.
- The performance of `podman build` on `ADD` and `COPY` instructions
has been greatly improved, especially when a `.dockerignore` is
present.
- The `podman run` and `podman create` commands now support a new mode
for the `--cgroups` option, `--cgroups=split`. Podman will create
two cgroups under the cgroup it was launched in, one for the
container and one for Conmon. This mode is useful for running Podman
in a systemd unit, as it ensures that all processes are retained in
systemd's cgroup hierarchy [#6400].
- The `podman run` and `podman create` commands can now specify
options to slirp4netns by using the `--network` option as follows:
`--net slirp4netns:opt1,opt2`. This allows for, among other things,
switching the port forwarder used by slirp4netns away from rootlessport.
- The `podman ps` command now features a new option, `--storage`, to
show containers from Buildah, CRI-O and other applications.
- The `podman run` and `podman create` commands now feature a
`--sdnotify` option to control the behavior of systemd's sdnotify
with containers, enabling improved support for Podman in
`Type=notify` units.
- The `podman run` command now features a `--preserve-fds`
option to pass file descriptors from the host into the container
[#6458].
- The `podman run` and `podman create` commands can now create
overlay volume mounts, by adding the `:O` option to a bind mount
(e.g. `-v /test:/test:O`). Overlay volume mounts will mount a directory
into a container from the host and allow changes to it, but not write
those changes back to the directory on the host.
- The `podman play kube` command now supports the Socket HostPath type
[#7112].
- The `podman play kube` command now supports read-only mounts.
- The `podman play kube` command now supports setting labels on pods
from Kubernetes metadata labels.
- The `podman play kube` command now supports setting container
restart policy [#7656].
- The `podman play kube` command now properly handles `HostAlias`
entries.
- The `podman generate kube` command now adds entries to `/etc/hosts`
from `--host-add` generated YAML as `HostAlias` entries.
- The `podman play kube` and `podman generate kube` commands now
properly support `shareProcessNamespace` to share the PID namespace
in pods.
- The `podman volume ls` command now supports the `dangling` filter to
identify volumes that are dangling (not attached to any container).
- The `podman run` and `podman create` commands now feature a
`--umask` option to set the umask of the created container.
- The `podman create` and `podman run` commands now feature a `--tz`
option to set the timezone within the container [#5128].
- Environment variables for Podman can now be added in the
`containers.conf` configuration file.
- The `--mount` option of `podman run` and `podman create` now
supports a new mount type, `type=devpts`, to add a `devpts` mount to
the container. This is useful for containers that want to mount
`/dev/` from the host into the container, but still create a
terminal.
- The `--security-opt` flag to `podman run` and `podman create` now
supports a new option, `proc-opts`, to specify options for the
container's `/proc` filesystem.
- Podman with the `crun` OCI runtime now supports a new option to
`podman run` and `podman create`, `--cgroup-conf`, which allows for
advanced configuration of cgroups on cgroups v2 systems.
- The `podman create` and `podman run` commands now support a
`--override-variant` option, to override the architecture variant of
the image that will be pulled and run.
- A new global option has been added to Podman, `--runtime-flags`,
which allows for setting flags to use when the OCI runtime is called.
- The `podman manifest add` command now supports the `--cert-dir`,
`--auth-file`, `--creds`, and `--tls-verify`
options.
* Security
- This release resolves CVE-2020-14370, in which environment variables
could be leaked between containers created using the Varlink API.
* Changes
- Podman will now retry pulling an image 3 times if a pull fails due
to network errors.
- The `podman exec` command would previously print error messages
(e.g. `exec session exited with non-zero exit code
-1`) when the command run exited with a non-0 exit code. It no
longer does this. The `podman exec` command will still exit with the same
exit code as the command run in the container did.
- Error messages when creating a container or pod with a name that is
already in use have been improved.
- For read-only containers running systemd init, Podman creates a
tmpfs filesystem at `/run`. This was previously limited to 65k in
size and mounted `noexec`, but is now unlimited size and mounted
`exec`.
- The `podman system reset` command no longer removes configuration
files for rootless Podman.
* API
- The Libpod API version has been bumped to v2.0.0 due to a breaking
change in the Image List API.
- Docker-compatible Volume Endpoints (Create, Inspect, List, Remove,
Prune) are now available!
- Added an endpoint for generating systemd unit files for containers.
- The `last` parameter to the Libpod container list endpoint now has
an alias, `limit` [#6413].
- The Libpod image list API now returns timestamps in Unix format, as
integer, as opposed to as strings
- The Compat Inspect endpoint for containers now includes port
information in NetworkSettings.
- The Compat List endpoint for images now features limited support for
the (deprecated) `filter` query parameter [#6797].
- Fixed a bug where the Compat Create endpoint for containers was not
correctly handling bind mounts.
- Fixed a bug where the Compat Create endpoint for containers would
not return a 404 when the requested image was not present.
- Fixed a bug where the Compat Create endpoint for containers did not
properly handle Entrypoint and Command from images.
- Fixed a bug where name history information was not properly added in
the Libpod Image List endpoint.
- Fixed a bug where the Libpod image search endpoint improperly
populated the Description field of responses.
- Added a `noTrunc` option to the Libpod image search endpoint.
- Fixed a bug where the Pod List API would return null, instead
of an empty array, when no pods were present [#7392].
- Fixed a bug where endpoints that hijacked would perform the
hijack too early, before being ready to send and receive data
[#7195].
- Fixed a bug where Pod endpoints that can operate on multiple
containers at once (e.g. Kill, Pause, Unpause, Stop) would not
forward errors from individual containers that failed.
- The Compat List endpoint for networks now supports filtering results
[#7462].
- Fixed a bug where the Top endpoint for pods would return both a 500
and 404 when run on a non-existent pod.
- Fixed a bug where Pull endpoints did not stream progress back to the
client.
- The Version endpoints (Libpod and Compat) now provide version in a
format compatible with Docker.
- All non-hijacking responses to API requests should not include
headers with the version of the server.
- Fixed a bug where Libpod and Compat Events endpoints did not send
response headers until the first event occurred [#7263].
- Fixed a bug where the Build endpoints (Compat and Libpod) did not
stream progress to the client.
- Fixed a bug where the Stats endpoints (Compat and Libpod) did not
properly handle clients disconnecting.
- Fixed a bug where the Ignore parameter to the Libpod Stop endpoint
was not performing properly.
- Fixed a bug where the Compat Logs endpoint for containers did not
stream its output in the correct format [#7196].
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2039=1
Package List:
- openSUSE Leap 15.1 (x86_64):
podman-2.1.1-lp151.3.25.1
- openSUSE Leap 15.1 (noarch):
podman-cni-config-2.1.1-lp151.3.25.1
References:
https://www.suse.com/security/cve/CVE-2020-14370.html
https://bugzilla.suse.com/1176804
https://bugzilla.suse.com/1178122
https://bugzilla.suse.com/1178392
[opensuse-updates] openSUSE-SU-2020:2047-1: moderate: Security update for go1.14
by opensuse-security@opensuse.org 26 Nov '20
openSUSE Security Update: Security update for go1.14
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2047-1
Rating: moderate
References: #1164903 #1178750 #1178752 #1178753
Cross-References: CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that solves three vulnerabilities and has one
errata is now available.
Description:
This update for go1.14 fixes the following issues:
- go1.14.12 (released 2020-11-12) includes security fixes to the cmd/go
and math/big packages.
* go#42553 math/big: panic during recursive division of very large
numbers (bsc#1178750 CVE-2020-28362)
* go#42560 cmd/go: arbitrary code can be injected into cgo generated
files (bsc#1178752 CVE-2020-28367)
* go#42557 cmd/go: improper validation of cgo flags can lead to remote
code execution at build time (bsc#1178753 CVE-2020-28366)
* go#42155 time: Location interprets wrong timezone (DST) with slim
zoneinfo
* go#42112 x/net/http2: the first write error on a connection will cause
all subsequent write requests to fail blindly
* go#41991 runtime: macOS-only segfault on 1.14+ with "split stack
overflow"
* go#41913 net/http: request.Clone doesn't deep copy TransferEncoding
* go#41703 runtime: macOS syscall.Exec can get SIGILL due to preemption
signal
* go#41386 x/net/http2: connection-level flow control not returned if
stream errors, causes server hang
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2047=1
Package List:
- openSUSE Leap 15.1 (x86_64):
go1.14-1.14.12-lp151.22.1
go1.14-doc-1.14.12-lp151.22.1
go1.14-race-1.14.12-lp151.22.1
References:
https://www.suse.com/security/cve/CVE-2020-28362.html
https://www.suse.com/security/cve/CVE-2020-28366.html
https://www.suse.com/security/cve/CVE-2020-28367.html
https://bugzilla.suse.com/1164903
https://bugzilla.suse.com/1178750
https://bugzilla.suse.com/1178752
https://bugzilla.suse.com/1178753
[opensuse-updates] openSUSE-RU-2020:2049-1: moderate: Recommended update for lvm2
by maintenance@opensuse.org 26 Nov '20
openSUSE Recommended Update: Recommended update for lvm2
______________________________________________________________________________
Announcement ID: openSUSE-RU-2020:2049-1
Rating: moderate
References: #1123327 #1173503 #1175110 #998893
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that has four recommended fixes can now be
installed.
Description:
This update for lvm2 fixes the following issues:
- Fixed an issue when the hot spares in LVM were not added automatically.
(bsc#1175110)
- Fixed an issue when lvm produces a large number of luns with error
message "Too many open files". (bsc#1173503)
- Fixes an issue when LVM initialization failed during reboot. (bsc#998893)
- Fixed a misplaced parameter in the lvm configuration. (bsc#1123327)
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2049=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
device-mapper-1.02.149-lp151.4.21.1
device-mapper-debuginfo-1.02.149-lp151.4.21.1
device-mapper-debugsource-1.02.149-lp151.4.21.1
device-mapper-devel-1.02.149-lp151.4.21.1
libdevmapper-event1_03-1.02.149-lp151.4.21.1
libdevmapper-event1_03-debuginfo-1.02.149-lp151.4.21.1
libdevmapper1_03-1.02.149-lp151.4.21.1
libdevmapper1_03-debuginfo-1.02.149-lp151.4.21.1
liblvm2app2_2-2.02.180-lp151.4.21.1
liblvm2app2_2-debuginfo-2.02.180-lp151.4.21.1
liblvm2cmd2_02-2.02.180-lp151.4.21.1
liblvm2cmd2_02-debuginfo-2.02.180-lp151.4.21.1
lvm2-2.02.180-lp151.4.21.1
lvm2-clvm-2.02.180-lp151.4.21.1
lvm2-clvm-debuginfo-2.02.180-lp151.4.21.1
lvm2-clvm-debugsource-2.02.180-lp151.4.21.1
lvm2-cmirrord-2.02.180-lp151.4.21.1
lvm2-cmirrord-debuginfo-2.02.180-lp151.4.21.1
lvm2-debuginfo-2.02.180-lp151.4.21.1
lvm2-debugsource-2.02.180-lp151.4.21.1
lvm2-devel-2.02.180-lp151.4.21.1
lvm2-lockd-2.02.180-lp151.4.21.1
lvm2-lockd-debuginfo-2.02.180-lp151.4.21.1
lvm2-testsuite-2.02.180-lp151.4.21.1
lvm2-testsuite-debuginfo-2.02.180-lp151.4.21.1
- openSUSE Leap 15.1 (x86_64):
device-mapper-devel-32bit-1.02.149-lp151.4.21.1
libdevmapper-event1_03-32bit-1.02.149-lp151.4.21.1
libdevmapper-event1_03-32bit-debuginfo-1.02.149-lp151.4.21.1
libdevmapper1_03-32bit-1.02.149-lp151.4.21.1
libdevmapper1_03-32bit-debuginfo-1.02.149-lp151.4.21.1
References:
https://bugzilla.suse.com/1123327
https://bugzilla.suse.com/1173503
https://bugzilla.suse.com/1175110
https://bugzilla.suse.com/998893
[opensuse-updates] openSUSE-SU-2020:2037-1: moderate: Security update for krb5
by opensuse-security@opensuse.org 26 Nov '20
openSUSE Security Update: Security update for krb5
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2037-1
Rating: moderate
References: #1178512
Cross-References: CVE-2020-28196
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded
Kerberos message (bsc#1178512).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2037=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
krb5-1.16.3-lp151.2.15.1
krb5-client-1.16.3-lp151.2.15.1
krb5-client-debuginfo-1.16.3-lp151.2.15.1
krb5-debuginfo-1.16.3-lp151.2.15.1
krb5-debugsource-1.16.3-lp151.2.15.1
krb5-devel-1.16.3-lp151.2.15.1
krb5-mini-1.16.3-lp151.2.15.1
krb5-mini-debuginfo-1.16.3-lp151.2.15.1
krb5-mini-debugsource-1.16.3-lp151.2.15.1
krb5-mini-devel-1.16.3-lp151.2.15.1
krb5-plugin-kdb-ldap-1.16.3-lp151.2.15.1
krb5-plugin-kdb-ldap-debuginfo-1.16.3-lp151.2.15.1
krb5-plugin-preauth-otp-1.16.3-lp151.2.15.1
krb5-plugin-preauth-otp-debuginfo-1.16.3-lp151.2.15.1
krb5-plugin-preauth-pkinit-1.16.3-lp151.2.15.1
krb5-plugin-preauth-pkinit-debuginfo-1.16.3-lp151.2.15.1
krb5-server-1.16.3-lp151.2.15.1
krb5-server-debuginfo-1.16.3-lp151.2.15.1
- openSUSE Leap 15.1 (x86_64):
krb5-32bit-1.16.3-lp151.2.15.1
krb5-32bit-debuginfo-1.16.3-lp151.2.15.1
krb5-devel-32bit-1.16.3-lp151.2.15.1
References:
https://www.suse.com/security/cve/CVE-2020-28196.html
https://bugzilla.suse.com/1178512
[opensuse-updates] openSUSE-RU-2020:2036-1: moderate: Recommended update for dmidecode
by maintenance@opensuse.org 26 Nov '20
openSUSE Recommended Update: Recommended update for dmidecode
______________________________________________________________________________
Announcement ID: openSUSE-RU-2020:2036-1
Rating: moderate
References: #1174257
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for dmidecode fixes the following issues:
- Add partial support for SMBIOS 3.4.0. (bsc#1174257)
- Skip details of uninstalled memory modules. (bsc#1174257)
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2036=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
dmidecode-3.2-lp151.4.6.1
dmidecode-debuginfo-3.2-lp151.4.6.1
dmidecode-debugsource-3.2-lp151.4.6.1
References:
https://bugzilla.suse.com/1174257
[opensuse-updates] openSUSE-RU-2020:2038-1: moderate: Recommended update for multipath-tools
by maintenance@opensuse.org 26 Nov '20
openSUSE Recommended Update: Recommended update for multipath-tools
______________________________________________________________________________
Announcement ID: openSUSE-RU-2020:2038-1
Rating: moderate
References: #1162896 #1178354
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________
An update that has two recommended fixes can now be
installed.
Description:
This update for multipath-tools fixes the following issues:
- Avoid reading files with extensions other than '.conf' from config dir.
(bsc#1162896)
- Fix wrong usage of '%service_del_preun -n' macro in spec file.
(bsc#1178354)
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2038=1
Package List:
- openSUSE Leap 15.1 (i586 x86_64):
kpartx-0.7.9+195+suse.16740c5-lp151.2.12.1
kpartx-debuginfo-0.7.9+195+suse.16740c5-lp151.2.12.1
libdmmp-devel-0.7.9+195+suse.16740c5-lp151.2.12.1
libdmmp0_2_0-0.7.9+195+suse.16740c5-lp151.2.12.1
libdmmp0_2_0-debuginfo-0.7.9+195+suse.16740c5-lp151.2.12.1
multipath-tools-0.7.9+195+suse.16740c5-lp151.2.12.1
multipath-tools-debuginfo-0.7.9+195+suse.16740c5-lp151.2.12.1
multipath-tools-debugsource-0.7.9+195+suse.16740c5-lp151.2.12.1
multipath-tools-devel-0.7.9+195+suse.16740c5-lp151.2.12.1
References:
https://bugzilla.suse.com/1162896
https://bugzilla.suse.com/1178354