openSUSE Optional Update: Optional update for tk and tcl
______________________________________________________________________________
Announcement ID: openSUSE-OU-2021:0361-1
Rating: low
References: #1181840
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has one optional fix can now be installed.
Description:
This update for tk and tcl fixes the following issues:
- Rebuilt tk and tcl with newer glibc (bsc#1181840)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Optional Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-361=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
tcl-8.6.7-lp152.7.6.1
tcl-debuginfo-8.6.7-lp152.7.6.1
tcl-debugsource-8.6.7-lp152.7.6.1
tcl-devel-8.6.7-lp152.7.6.1
tk-8.6.7-lp152.4.6.1
tk-debuginfo-8.6.7-lp152.4.6.1
tk-debugsource-8.6.7-lp152.4.6.1
tk-devel-8.6.7-lp152.4.6.1
- openSUSE Leap 15.2 (x86_64):
tcl-32bit-8.6.7-lp152.7.6.1
tcl-32bit-debuginfo-8.6.7-lp152.7.6.1
tk-32bit-8.6.7-lp152.4.6.1
tk-32bit-debuginfo-8.6.7-lp152.4.6.1
References:
https://bugzilla.suse.com/1181840
openSUSE Recommended Update: Recommended update for go
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:0362-1
Rating: moderate
References: #1164903 #1172608 #1175132
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has three recommended fixes can now be
installed.
Description:
This update for go fixes the following issues:
Update to current stable go1.15 (bsc#1175132)
* Ensure 'Provides: golang(API) = %{api_version}' is consistent to improve
package resolution for common go dependency expressions 'BuildRequires:
golang(API) >= 1.x' and 'BuildRequires: go >= 1.x'. OBS projects that
contain go code often have prjconf entries 'Prefer: go', which selects the
go metapackage over go1.x packages. When the go metapackage 'Provides:'
version is lower than go1.x versions, 'Prefer: go' is not effective and
build failures occur with the error "unresolvable: have choice for
golang(API) >= 1.13: go1.13 go1.14". Edits and changelog: Jeff Kowalczyk
<jkowalczyk(a)suse.com> (bsc#1172608)
* Unify '{version}' and '{short_version}' as '{api_version}' for
'Provides: golang(API) = %{api_version}'
* Use both 'BuildRequires: go%{api_version}' and 'Requires:
go%{api_version}' to trigger build errors if go1.x is unavailable
* Add aarch64 to supported systems for go-race via %define tsan_arch
x86_64 aarch64
* Add tsan_arch x86_64 aarch64 for suse_version >= 1500 and sle_version >=
150000, formerly conditional on suse_version >= 1315
* Ensure %ifarch %{tsan_arch} always evaluates (nil does not work) via
dummy tsan_arch on systems where go-race is not supported
Update to current stable go1.14 (bsc#1164903)
* Remove redundant Provides: go-doc=%{version} per rpmlint warning
- Change suse_version >= 1315 (was 1550) defines short_version 1.12.
go1.12 packages are available for SLE-12.
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-362=1
Package List:
- openSUSE Leap 15.2 (x86_64):
go-1.15-lp152.2.3.1
go-doc-1.15-lp152.2.3.1
go-race-1.15-lp152.2.3.1
References:
https://bugzilla.suse.com/1164903
https://bugzilla.suse.com/1172608
https://bugzilla.suse.com/1175132
openSUSE Recommended Update: Recommended update for go1.16
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:0360-1
Rating: moderate
References: #1182345
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update brings go1.16 to the Development Tools Module.
go1.16 (released 2021-02-16)
Go 1.16 is a major release of Go.
go1.16.x minor releases will be provided through February 2022.
See https://github.com/golang/go/wiki/Go-Release-Cycle
Most changes are in the implementation of the toolchain, runtime, and
libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to compile
and run as before.
* See release notes https://golang.org/doc/go1.16. Excerpts relevant to
OBS environment and for SUSE/openSUSE follow:
* Module-aware mode is enabled by default, regardless of whether a go.mod
file is present in the current working directory or a parent directory.
More precisely, the GO111MODULE environment variable now defaults to on.
To switch to the previous behavior, set GO111MODULE to auto.
* Build commands like go build and go test no longer modify go.mod and
go.sum by default. Instead, they report an error if a module requirement
or checksum needs to be added or updated (as if the -mod=readonly flag
were used). Module requirements and sums may be adjusted with go mod
tidy or go get.
* go install now accepts arguments with version suffixes (for example, go
install example.com/cmd@v1.0.0). This causes go install to build and
install packages in module-aware mode, ignoring the go.mod file in the
current directory or any parent directory, if there is one. This is
useful for installing executables without affecting the dependencies of
the main module.
* go install, with or without a version suffix (as described above), is
now the recommended way to build and install packages in module mode. go
get should be used with the -d flag to adjust the current module's
dependencies without building packages, and use of go get to build and
install packages is deprecated. In a future release, the -d flag will
always be enabled.
* retract directives may now be used in a go.mod file to indicate that
certain published versions of the module should not be used by other
modules. A module author may retract a version after a severe problem is
discovered or if the version was published unintentionally.
* The go mod vendor and go mod tidy subcommands now accept the -e flag,
which instructs them to proceed despite errors in resolving missing
packages.
* The go command now ignores requirements on module versions excluded by
exclude directives in the main module. Previously, the go command used
the next version higher than an excluded version, but that version could
change over time, resulting in non-reproducible builds.
* In module mode, the go command now disallows import paths that include
non-ASCII characters or path elements with a leading dot character (.).
Module paths with these characters were already disallowed (see Module
paths and versions), so this change affects only paths within module
subdirectories.
* The go command now supports including static files and file trees as
part of the final executable, using the new //go:embed directive. See
the documentation for the new embed package for details.
* When using go test, a test that calls os.Exit(0) during execution of a
test function will now be considered to fail. This will help catch cases
in which a test calls code that calls os.Exit(0) and thereby stops
running all future tests. If a TestMain function calls os.Exit(0) that
is still considered to be a passing test.
* go test reports an error when the -c or -i flags are used together with
unknown flags. Normally, unknown flags are passed to tests, but when -c
or -i are used, tests are not run.
* The go get -insecure flag is deprecated and will be removed in a future
version. This flag permits fetching from repositories and resolving
custom domains using insecure schemes such as HTTP, and also bypasses
module sum validation using the checksum database. To permit the use of
insecure schemes, use the GOINSECURE environment variable instead. To
bypass module sum validation, use GOPRIVATE or GONOSUMDB. See go help
environment for details.
* go get example.com/mod@patch now requires that some version of
example.com/mod already be required by the main module. (However, go get
-u=patch continues to patch even newly-added dependencies.)
* GOVCS is a new environment variable that limits which version control
tools the go command may use to download source code. This mitigates
security issues with tools that are typically used in trusted,
authenticated environments. By default, git and hg may be used to
download code from any repository. svn, bzr, and fossil may only be used
to download code from repositories with module paths or package paths
matching patterns in the GOPRIVATE environment variable. See go help vcs
for details.
* When the main module's go.mod file declares go 1.16 or higher, the all
package pattern now matches only those packages that are transitively
imported by a package or test found in the main module. (Packages
imported by tests of packages imported by the main module are no longer
included.) This is the same set of packages retained by go mod vendor
since Go 1.11.
* When the -toolexec build flag is specified to use a program when
invoking toolchain programs like compile or asm, the environment
variable TOOLEXEC_IMPORTPATH is now set to the import path of the
package being built.
* The -i flag accepted by go build, go install, and go test is now
deprecated. The -i flag instructs the go command to install packages
imported by packages named on the command line. Since the build cache
was introduced in Go 1.10, the -i flag no longer has a significant
effect on build times, and it causes errors when the install directory
is not writable.
* When the -export flag is specified, the BuildID field is now set to the
build ID of the compiled package. This is equivalent to running go tool
buildid on go list -export -f {{.Export}}, but without the extra step.
* The -overlay flag specifies a JSON configuration file containing a set
of file path replacements. The -overlay flag may be used with all build
commands and go mod subcommands. It is primarily intended to be used by
editor tooling such as gopls to understand the effects of unsaved
changes to source files. The config file maps actual file paths to
replacement file paths and the go command and its builds will run as if
the actual file paths exist with the contents given by the replacement
file paths, or don't exist if the replacement file paths are empty.
* The cgo tool will no longer try to translate C struct bitfields into Go
struct fields, even if their size can be represented in Go. The order in
which C bitfields appear in memory is implementation dependent, so in
some cases the cgo tool produced results that were silently incorrect.
* The linux/riscv64 port now supports cgo and -buildmode=pie. This release
also includes performance optimizations and code generation improvements
for RISC-V.
* The new runtime/metrics package introduces a stable interface for
reading implementation-defined metrics from the Go runtime. It
supersedes existing functions like runtime.ReadMemStats and
debug.GCStats and is significantly more general and efficient. See the
package documentation for more details.
* Setting the GODEBUG environment variable to inittrace=1 now causes the
runtime to emit a single line to standard error for each package init,
summarizing its execution time and memory allocation. This trace can be
used to find bottlenecks or regressions in Go startup performance. The
GODEBUG documentation describes the format.
* On Linux, the runtime now defaults to releasing memory to the
operating system promptly (using MADV_DONTNEED), rather than lazily when
the operating system is under memory pressure (using MADV_FREE). This
means process-level memory statistics like RSS will more accurately
reflect the amount of physical memory being used by Go processes.
Systems that are currently using GODEBUG=madvdontneed=1 to improve
memory monitoring behavior no longer need to set this environment
variable.
* Go 1.16 fixes a discrepancy between the race detector and the Go memory
model. The race detector now more precisely follows the channel
synchronization rules of the memory model. As a result, the detector may
now report races it previously missed.
* linker: This release includes additional improvements to the Go linker,
reducing linker resource usage (both time and memory) and improving code
robustness/maintainability. These changes form the second half of a
two-release project to modernize the Go linker.
* The linker changes in 1.16 extend the 1.15 improvements to all supported
architecture/OS combinations (the 1.15 performance improvements were
primarily focused on ELF-based OSes and amd64 architectures). For a
representative set of large Go programs, linking is 20-25% faster than
1.15 and requires 5-15% less memory on average for linux/amd64, with
larger improvements for other architectures and OSes. Most binaries are
also smaller as a result of more aggressive symbol pruning.
* The new embed package provides access to files embedded in the program
during compilation using the new //go:embed directive.
* The new io/fs package defines the fs.FS interface, an abstraction for
read-only trees of files. The standard library packages have been
adapted to make use of the interface as appropriate.
* For testing code that implements fs.FS, the new testing/fstest package
provides a TestFS function that checks for and reports common mistakes.
It also provides a simple in-memory file system implementation, MapFS,
which can be useful for testing code that accepts fs.FS implementations.
* syscall: On Linux, Setgid, Setuid, and related calls are now
implemented. Previously, they returned a syscall.EOPNOTSUPP error. On
Linux, the new functions AllThreadsSyscall and AllThreadsSyscall6 may be
used to make a system call on all Go threads in the process. These
functions may only be used by programs that do not use cgo; if a program
uses cgo, they will always return syscall.ENOTSUP.
* time/tzdata: The slim timezone data format is now used for the timezone
database in $GOROOT/lib/time/zoneinfo.zip and the embedded copy in this
package. This reduces the size of the timezone database by about 350 KB.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-360=1
Package List:
- openSUSE Leap 15.2 (x86_64):
go1.16-1.16-lp152.2.1
go1.16-doc-1.16-lp152.2.1
go1.16-race-1.16-lp152.2.1
References:
https://bugzilla.suse.com/1182345
openSUSE Recommended Update: Recommended update for hawk2
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:0359-1
Rating: moderate
References: #1181436 #1182163
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has two recommended fixes can now be
installed.
Description:
This update for hawk2 fixes the following issues:
- Fixed an issue where the path to /usr/sbin/attrd_updater was wrong
(bsc#1181436)
- Removed the use of %x (bsc#1182163)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-359=1
Package List:
- openSUSE Leap 15.2 (x86_64):
hawk2-2.6.0+git.1613486511.51b6e37d-lp152.2.15.1
hawk2-debuginfo-2.6.0+git.1613486511.51b6e37d-lp152.2.15.1
hawk2-debugsource-2.6.0+git.1613486511.51b6e37d-lp152.2.15.1
References:
https://bugzilla.suse.com/1181436
https://bugzilla.suse.com/1182163
openSUSE Security Update: Security update for nodejs14
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0356-1
Rating: important
References: #1182619 #1182620
Cross-References: CVE-2021-22883 CVE-2021-22884
CVSS scores:
CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for nodejs14 fixes the following issues:
- New upstream LTS version 14.16.0:
* CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion (bsc#1182619)
* CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-356=1
Package List:
- openSUSE Leap 15.2 (noarch):
nodejs14-docs-14.16.0-lp152.8.1
- openSUSE Leap 15.2 (x86_64):
nodejs14-14.16.0-lp152.8.1
nodejs14-debuginfo-14.16.0-lp152.8.1
nodejs14-debugsource-14.16.0-lp152.8.1
nodejs14-devel-14.16.0-lp152.8.1
npm14-14.16.0-lp152.8.1
References:
https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620
openSUSE Security Update: Security update for nodejs12
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:0357-1
Rating: important
References: #1182333 #1182619 #1182620
Cross-References: CVE-2021-22883 CVE-2021-22884 CVE-2021-23840
CVSS scores:
CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for nodejs12 fixes the following issues:
New upstream LTS version 12.21.0:
- CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion (bsc#1182619)
- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
- CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate (bsc#1182333)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-357=1
Package List:
- openSUSE Leap 15.2 (noarch):
nodejs12-docs-12.21.0-lp152.3.12.1
- openSUSE Leap 15.2 (x86_64):
nodejs12-12.21.0-lp152.3.12.1
nodejs12-debuginfo-12.21.0-lp152.3.12.1
nodejs12-debugsource-12.21.0-lp152.3.12.1
nodejs12-devel-12.21.0-lp152.3.12.1
npm12-12.21.0-lp152.3.12.1
References:
https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://www.suse.com/security/cve/CVE-2021-23840.html
https://bugzilla.suse.com/1182333
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620
openSUSE Optional Update: Optional update for netpbm
______________________________________________________________________________
Announcement ID: openSUSE-OU-2021:0354-1
Rating: low
References: #1181571
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has one optional fix can now be installed.
Description:
This update for netpbm fixes the following issues:
- Skips failing test cases for armv7hl (bsc#1181571)
This patch is optional to install. It doesn't fix any issues for users.
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Optional Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-354=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
libnetpbm-devel-10.80.1-lp152.6.3.1
libnetpbm11-10.80.1-lp152.6.3.1
libnetpbm11-debuginfo-10.80.1-lp152.6.3.1
netpbm-10.80.1-lp152.6.3.1
netpbm-debuginfo-10.80.1-lp152.6.3.1
netpbm-debugsource-10.80.1-lp152.6.3.1
netpbm-vulnerable-10.80.1-lp152.6.3.1
netpbm-vulnerable-debuginfo-10.80.1-lp152.6.3.1
- openSUSE Leap 15.2 (x86_64):
libnetpbm11-32bit-10.80.1-lp152.6.3.1
libnetpbm11-32bit-debuginfo-10.80.1-lp152.6.3.1
References:
https://bugzilla.suse.com/1181571
openSUSE Recommended Update: Recommended update for arpwatch
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:0355-1
Rating: moderate
References: #1181936
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for arpwatch fixes the following issues:
- Fix arp2ethers script (bsc#1181936).
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-355=1
Package List:
- openSUSE Leap 15.2 (x86_64):
arpwatch-2.1a15-lp152.6.6.1
arpwatch-debuginfo-2.1a15-lp152.6.6.1
arpwatch-debugsource-2.1a15-lp152.6.6.1
arpwatch-ethercodes-build-2.1a15-lp152.6.6.1
References:
https://bugzilla.suse.com/1181936
openSUSE Recommended Update: Recommended update for yast2, yast2-update, and yast2-installation
______________________________________________________________________________
Announcement ID: openSUSE-RU-2021:0350-1
Rating: moderate
References: #1180142
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that has one recommended fix can now be installed.
Description:
This update for yast2, yast2-update, and yast2-installation fixes the
following issues:
- Fixed a crash which occurred while creating a snapshot of the system when
it is not possible (bsc#1180142)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Recommended Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-350=1
Package List:
- openSUSE Leap 15.2 (i586 x86_64):
yast2-4.2.92-lp152.2.22.1
yast2-logs-4.2.92-lp152.2.22.1
yast2-update-4.2.21-lp152.2.7.1
yast2-update-FACTORY-4.2.21-lp152.2.7.1
- openSUSE Leap 15.2 (noarch):
yast2-installation-4.2.49-lp152.2.15.1
References:
https://bugzilla.suse.com/1180142