11 moderate SUSE ALP Source Standard Core 1.0 Build This update for wget fixes the following issues: - CVE-2024-38428: Fix mishandled semicolons in the userinfo subcomponent of a URI. (bsc#1226419) - Update to GNU wget 1.24.5: * Fix how subdomain matches are checked for HSTS. * Wget will now also parse the srcset attribute in <source> HTML tags * Support reading fetchmail style "user" and "passwd" fields from netrc * In some cases, prevent the confusing "Cannot write to... (success)" error messages * Support extremely fast download speeds (TB/s) * Ensure that CSS URLs are corectly quoted * libproxy support is now upstream- drop wget-libproxy.patch wget-1.24.5-1.1.s390x.rpm wget-1.24.5-1.1.src.rpm wget-debuginfo-1.24.5-1.1.s390x.rpm wget-debugsource-1.24.5-1.1.s390x.rpm 10 critical SUSE ALP Source Standard Core 1.0 Build This update for qemu fixes the following issues: - Update to version 8.2.5: * target/loongarch: fix a wrong print in cpu dump * ui/sdl2: Allow host to power down screen * target/i386: fix SSE and SSE2 feature check * target/i386: fix xsave.flat from kvm-unit-tests * disas/riscv: Decode all of the pmpcfg and pmpaddr CSRs * target/riscv/kvm.c: Fix the hart bit setting of AIA * target/riscv: rvzicbo: Fixup CBO extension register calculation * target/riscv: do not set mtval2 for non guest-page faults * target/riscv: prioritize pmp errors in raise_mmu_exception() * target/riscv: rvv: Remove redudant SEW checking for vector fp narrow/widen instructions * target/riscv: rvv: Check single width operator for vfncvt.rod.f.f.w * target/riscv: rvv: Check single width operator for vector fp widen instructions * target/riscv: rvv: Fix Zvfhmin checking for vfwcvt.f.f.v and vfncvt.f.f.w instructions * target/riscv/cpu.c: fix Zvkb extension config * target/riscv: Fix the element agnostic function problem * target/riscv/kvm: tolerate KVM disable ext errors * hw/intc/riscv_aplic: APLICs should add child earlier than realize * iotests: test NBD+TLS+iothread * qio: Inherit follow_coroutine_ctx across TLS * target/arm: Disable SVE extensions when SVE is disabled * hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n> * hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers * gitlab: use 'setarch -R' to workaround tsan bug * gitlab: use $MAKE instead of 'make' * dockerfiles: add 'MAKE' env variable to remaining containers * gitlab: Update msys2-64bit runner tags * target/i386: no single-step exception after MOV or POP SS - Update to version 8.2.4. * target/sh4: Fix SUBV opcode * target/sh4: Fix ADDV opcode * hw/arm/npcm7xx: Store derivative OTP fuse key in little endian * hw/dmax/xlnx_dpdma: fix handling of address_extension descriptor fields * hw/ufs: Fix buffer overflow bug * tests/avocado: update sunxi kernel from armbian to 6.6.16 * target/loongarch/cpu.c: typo fix: expection * backends/cryptodev-builtin: Fix local_error leaks * nbd/server: Mark negotiation functions as coroutine_fn * nbd/server: do not poll within a coroutine context * linux-user: do_setsockopt: fix SOL_ALG.ALG_SET_KEY * target/riscv/kvm: change timer regs size to u64 * target/riscv/kvm: change KVM_REG_RISCV_FP_D to u64 * target/riscv/kvm: change KVM_REG_RISCV_FP_F to u32 - Update to version 8.2.3. * Update version for 8.2.3 release * ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS. * ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs. * hw/pci-host/ppc440_pcix: Do not expose a bridge device on PCI bus * hw/isa/vt82c686: Keep track of PIRQ/PINT pins separately * virtio-pci: fix use of a released vector * linux-user/x86_64: Handle the vsyscall page in open_self_maps_{2,4} * hw/audio/virtio-snd: Remove unused assignment * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set * hw/net/lan9118: Fix overflow in MIL TX FIFO * hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition * backends/cryptodev: Do not abort for invalid session ID * hw/misc/applesmc: Fix memory leak in reset() handler * hw/block/nand: Fix out-of-bound access in NAND block buffer * hw/block/nand: Have blk_load() take unsigned offset and return boolean * hw/block/nand: Factor nand_load_iolen() method out * qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs * mirror: Don't call job_pause_point() under graph lock (bsc#1224179) - Backports and bugfixes: * hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() (bsc#1222841, CVE-2024-3567) * hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/display/virtio-gpu: Protect from DMA re-entrancy bugs (bsc#1222843, CVE-2024-3446) * hw/virtio: Introduce virtio_bh_new_guarded() helper (bsc#1222843, CVE-2024-3446) * hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set (bsc#1222845, CVE-2024-3447) * hw/nvme: Use pcie_sriov_num_vfs() (bsc#1220065, CVE-2024-26328) - Update to version 8.2.2 * chardev/char-socket: Fix TLS io channels sending too much data to the backend * tests/unit/test-util-sockets: Remove temporary file after test * hw/usb/bus.c: PCAP adding 0xA in Windows version * hw/intc/Kconfig: Fix GIC settings when using "--without-default-devices" * gitlab: force allow use of pip in Cirrus jobs * tests/vm: avoid re-building the VM images all the time * tests/vm: update openbsd image to 7.4 * target/i386: leave the A20 bit set in the final NPT walk * target/i386: remove unnecessary/wrong application of the A20 mask * target/i386: Fix physical address truncation * target/i386: check validity of VMCB addresses * target/i386: mask high bits of CR3 in 32-bit mode * pl031: Update last RTCLR value on write in case it's read back * hw/nvme: fix invalid endian conversion * update edk2 binaries to edk2-stable202402 * update edk2 submodule to edk2-stable202402 * target/ppc: Fix crash on machine check caused by ifetch * target/ppc: Fix lxv/stxv MSR facility check * .gitlab-ci.d/windows.yml: Drop msys2-32bit job * system/vl: Update description for input grab key * docs/system: Update description for input grab key * hw/hppa/Kconfig: Fix building with "configure --without-default-devices" * tests/qtest: Depend on dbus_display1_dep * meson: Explicitly specify dbus-display1.h dependency * audio: Depend on dbus_display1_dep * ui/console: Fix console resize with placeholder surface * ui/clipboard: add asserts for update and request * ui/clipboard: mark type as not available when there is no data * ui: reject extended clipboard message if not activated * target/i386: Generate an illegal opcode exception on cmp instructions with lock prefix * i386/cpuid: Move leaf 7 to correct group * i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F * i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs * i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available * .gitlab-ci/windows.yml: Don't install libusb or spice packages on 32-bit * iotests: Make 144 deterministic again * target/arm: Don't get MDCR_EL2 in pmu_counter_enabled() before checking ARM_FEATURE_PMU * target/arm: Fix SVE/SME gross MTE suppression checks * target/arm: Handle mte in do_ldrq, do_ldro - Address bsc#1220310. Backported upstream commits: * ppc/spapr: Initialize max_cpus limit to SPAPR_IRQ_NR_IPIS * ppc/spapr: Introduce SPAPR_IRQ_NR_IPIS to refer IRQ range for CPU IPIs. qemu-8.2.5-1.1.s390x.rpm qemu-8.2.5-1.1.src.rpm qemu-audio-spice-8.2.5-1.1.s390x.rpm qemu-audio-spice-debuginfo-8.2.5-1.1.s390x.rpm qemu-block-curl-8.2.5-1.1.s390x.rpm qemu-block-curl-debuginfo-8.2.5-1.1.s390x.rpm qemu-chardev-spice-8.2.5-1.1.s390x.rpm qemu-chardev-spice-debuginfo-8.2.5-1.1.s390x.rpm qemu-debuginfo-8.2.5-1.1.s390x.rpm qemu-debugsource-8.2.5-1.1.s390x.rpm qemu-guest-agent-8.2.5-1.1.s390x.rpm qemu-guest-agent-debuginfo-8.2.5-1.1.s390x.rpm qemu-hw-display-qxl-8.2.5-1.1.s390x.rpm qemu-hw-display-qxl-debuginfo-8.2.5-1.1.s390x.rpm qemu-hw-usb-redirect-8.2.5-1.1.s390x.rpm qemu-hw-usb-redirect-debuginfo-8.2.5-1.1.s390x.rpm qemu-img-8.2.5-1.1.s390x.rpm qemu-img-debuginfo-8.2.5-1.1.s390x.rpm qemu-s390x-8.2.5-1.1.s390x.rpm qemu-s390x-debuginfo-8.2.5-1.1.s390x.rpm qemu-ui-opengl-8.2.5-1.1.s390x.rpm qemu-ui-opengl-debuginfo-8.2.5-1.1.s390x.rpm qemu-ui-spice-core-8.2.5-1.1.s390x.rpm qemu-ui-spice-core-debuginfo-8.2.5-1.1.s390x.rpm 21 important SUSE ALP Source Standard Core 1.0 Build This update for skopeo fixes the following issues: - Update to version 1.14.4: * CVE-2024-3727: digest type does not guarantee valid type (bsc#1224123) * Packit: update packit targets * Bump gopkg.in/go-jose to v2.6.3 * Bump ocicrypt and go-jose CVE-2024-28180 * Freeze the fedora-minimal image reference at Fedora 38 * Bump c/common to v0.57.4 * Bump google.golang.org/protobuf to v1.33.0 * Bump Skopeo to v1.14.3-dev - Update to version 1.14.2: * Bump c/image to v5.29.2, c/common to v0.57.3 (fixes bsc#1219563) - Update to version 1.14.1: * fix(deps): update module github.com/containers/common to v0.57.2 * fix(deps): update module github.com/containers/image/v5 to v5.29.1 * chore(deps): update dependency containers/automation_images to v20240102 * Fix libsubid detection * fix(deps): update module golang.org/x/term to v0.16.0 * fix(deps): update golang.org/x/exp digest to 02704c9 * chore(deps): update dependency containers/automation_images to v20231208 * [skip-ci] Update actions/stale action to v9 * fix(deps): update module github.com/containers/common to v0.57.1 * fix(deps): update golang.org/x/exp digest to 6522937 * fix(deps): update module golang.org/x/term to v0.15.0 skopeo-1.14.4-1.1.s390x.rpm skopeo-1.14.4-1.1.src.rpm skopeo-debuginfo-1.14.4-1.1.s390x.rpm 9 low SUSE ALP Source Standard Core 1.0 Build This update fixes the following issues: - No change rebuild due to dependency changes. bash-5.2.15-3.1.s390x.rpm bash-5.2.15-3.1.src.rpm bash-debuginfo-5.2.15-3.1.s390x.rpm bash-debugsource-5.2.15-3.1.s390x.rpm bash-sh-5.2.15-3.1.noarch.rpm libcap-ng-0.8.3-4.1.src.rpm libcap-ng-debugsource-0.8.3-4.1.s390x.rpm libcap-ng0-0.8.3-4.1.s390x.rpm libcap-ng0-debuginfo-0.8.3-4.1.s390x.rpm libselinux-3.5-3.1.src.rpm libselinux-debugsource-3.5-3.1.s390x.rpm libselinux1-3.5-3.1.s390x.rpm libselinux1-debuginfo-3.5-3.1.s390x.rpm selinux-tools-3.5-3.1.s390x.rpm selinux-tools-debuginfo-3.5-3.1.s390x.rpm libselinux-bindings-3.5-3.1.src.rpm libselinux-bindings-debugsource-3.5-3.1.s390x.rpm python3-selinux-3.5-3.1.s390x.rpm python3-selinux-debuginfo-3.5-3.1.s390x.rpm libsemanage-3.5-3.1.src.rpm libsemanage-conf-3.5-3.1.s390x.rpm libsemanage-debugsource-3.5-3.1.s390x.rpm libsemanage2-3.5-3.1.s390x.rpm libsemanage2-debuginfo-3.5-3.1.s390x.rpm zypper-1.14.68-2.1.s390x.rpm zypper-1.14.68-2.1.src.rpm zypper-debuginfo-1.14.68-2.1.s390x.rpm zypper-debugsource-1.14.68-2.1.s390x.rpm 26 critical SUSE ALP Source Standard Core 1.0 Build This update for suse-build-key fixes the following issues: Extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) suse-build-key-12.0-4.1.noarch.rpm suse-build-key-12.0-4.1.src.rpm 28 moderate SUSE ALP Source Standard Core 1.0 Build This update for python-requests fixes the following issues: - Update to 2.32.2 * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. - Update to 2.32.1 * Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (bsc#1224788, CVE-2024-35195) * verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. * Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. * Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7. * Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. python-requests-2.32.2-1.1.src.rpm python311-requests-2.32.2-1.1.noarch.rpm