Security

flatpak Jan. 19, 2022, 2:12 p.m.
Version: 1.12.4-alt1
Summary: Application deployment framework for desktop apps
Changelog:
- 1.12.4 (fixed CVE-2022-21682, CVE-2021-43860)
flatpak-builder Jan. 19, 2022, 1:46 p.m.
Version: 1.2.2-alt1
Summary: Tool to build flatpaks from source
Changelog:
- 1.2.2 (fixed CVE-2022-21682)
kernel-image-centos Jan. 19, 2022, 12:21 p.m.
Version: 5.14.0.45-alt1.el9
Summary: The Linux kernel (the core of the Linux operating system)
Changelog:
- Workqueue update for RT prerequisites
- nvme: avoid race in shutdown namespace removal
- powerpc/xmon: Dump XIVE information for online-only processors.
- CVE-2021-20322 - ipv4: make exception cache less predictable
- [s390] s390/cio: make ccw_device_dma_* more robust
- [s390] s390/pci: add s390_iommu_aperture kernel parameter
- [s390] s390/pci: cleanup resources only if necessary
- [s390] s390/sclp: fix Secure-IPL facility detection
- Revert "[redhat] Generate a crashkernel.default for each kernel build"
- ibmvnic: fix kdump over nfs when auto priority disabled for ibmvnic
- ibmvnic: don't stop queue in xmit
- bpf/selftests: allow disabling tests
- kernel/crash_core: suppress unknown crashkernel parameter warning
- mm: fix memory onlining under the debug kernel
- Fixing CVE-2021-3752 for RHEL-9
- zstd: Sync with upstream 5.16 fixes and improvements
python3-module-django Jan. 18, 2022, 9 p.m.
Version: 3.2.11-alt1
Summary: A high-level Python 3 Web framework that encourages rapid development and clean, pragmatic design.
Changelog:
- new version 3.2.11
- Fixes for the following security vulnerabilities:
  + CVE-2021-45115 Prevented DoS vector in UserAttributeSimilarityValidator.
  + CVE-2021-45116 Fixed potential information disclosure in dictsort template filter.
  + CVE-2021-45452 Fixed potential path traversal in storage subsystem.
expat Jan. 18, 2022, 3:17 p.m.
Version: 2.4.3-alt1
Summary: An XML parser written in C
Changelog:
- Updated to 2.4.3 (with multiple security fixes).
- Fixes:
  + CVE-2021-45960 issues with left shift by >= 29 places in function storeAtts that
    can lead to realloc misbehavior;
  + CVE-2021-46143 Integer overflow on variable m_groupSize in function doProlog;
  + CVE-2022-22822 Integer overflows near memory allocation in function addBinding;
  + CVE-2022-22823 Integer overflows near memory allocation in function build_model;
  + CVE-2022-22824 Integer overflows near memory allocation in function defineAttribute;
  + CVE-2022-22825 Integer overflows near memory allocation in function lookup;
  + CVE-2022-22826 Integer overflows near memory allocation in function nextScaffoldPart;
  + CVE-2022-22827 Integer overflows near memory allocation in function storeAtts.
clamav Jan. 18, 2022, 11:22 a.m.
Version: 0.103.5-alt1
Summary: Clam Antivirus scanner
Changelog:
- 0.103.5 (CVE-2022-20698)
cryptsetup Jan. 18, 2022, 2:22 a.m.
Version: 2.4.3-alt1
Summary: Utility to set up encrypted disks with LUKS support
Changelog:
- 2.4.3 (Fixes: CVE-2021-4122).
systemd Jan. 14, 2022, 10:11 p.m.
Version: 249.9-alt1
Summary: System and Session Manager
Changelog:
- 249.9 (Fixes: CVE-2021-3997)
thunderbird Jan. 12, 2022, 3:56 p.m.
Version: 91.5.0-alt1
Summary: Thunderbird is Mozilla's e-mail client
Changelog:
- New version.
- Security fixes:
  + CVE-2022-22746 Calling into reportValidity could have led to fullscreen window spoof
  + CVE-2022-22743 Browser window spoof using fullscreen mode
  + CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode
  + CVE-2022-22741 Browser window spoof using fullscreen mode
  + CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner
  + CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur
  + CVE-2022-22737 Race condition when playing audio files
  + CVE-2021-4140 Iframe sandbox bypass with XSLT
  + CVE-2022-22748 Spoofed origin on external protocol launch dialog
  + CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event
  + CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
  + CVE-2022-22747 Crash when handling empty pkcs7 sequence
  + CVE-2022-22739 Missing throttling on external protocol launch dialog
  + CVE-2022-22751 Memory safety bugs fixed in Thunderbird 91.5
firefox-esr Jan. 12, 2022, 12:25 p.m.
Version: 91.5.0-alt1
Summary: The Mozilla Firefox project is a redesign of Mozilla's browser (ESR version)
Changelog:
- New ESR version.
- Security fixes:
  + CVE-2022-22746 Calling into reportValidity could have led to fullscreen window spoof
  + CVE-2022-22743 Browser window spoof using fullscreen mode
  + CVE-2022-22742 Out-of-bounds memory access when inserting text in edit mode
  + CVE-2022-22741 Browser window spoof using fullscreen mode
  + CVE-2022-22740 Use-after-free of ChannelEventQueue::mOwner
  + CVE-2022-22738 Heap-buffer-overflow in blendGaussianBlur
  + CVE-2022-22737 Race condition when playing audio files
  + CVE-2021-4140 Iframe sandbox bypass with XSLT
  + CVE-2022-22748 Spoofed origin on external protocol launch dialog
  + CVE-2022-22745 Leaking cross-origin URLs through securitypolicyviolation event
  + CVE-2022-22744 The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
  + CVE-2022-22747 Crash when handling empty pkcs7 sequence
  + CVE-2022-22739 Missing throttling on external protocol launch dialog
  + CVE-2022-22751 Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
mc Jan. 9, 2022, 1:28 a.m.
Version: 4.8.27-alt1
Summary: A user-friendly file manager and visual shell
Changelog:
- 4.8.27 (CVE-2021-36370; ALT #40217)
chromium Jan. 6, 2022, 12:59 a.m.
Version: 97.0.4692.71-alt1
Summary: An open source web browser developed by Google
Changelog:
- New version (97.0.4692.71).
- Security fixes:
  - CVE-2022-0096: Use after free in Storage.
  - CVE-2022-0097: Inappropriate implementation in DevTools.
  - CVE-2022-0098: Use after free in Screen Capture.
  - CVE-2022-0099: Use after free in Sign-in.
  - CVE-2022-0100: Heap buffer overflow in Media streams API.
  - CVE-2022-0101: Heap buffer overflow in Bookmarks.
  - CVE-2022-0102: Type Confusion in V8.
  - CVE-2022-0103: Use after free in SwiftShader.
  - CVE-2022-0104: Heap buffer overflow in ANGLE.
  - CVE-2022-0105: Use after free in PDF.
  - CVE-2022-0106: Use after free in Autofill.
  - CVE-2022-0107: Use after free in File Manager API.
  - CVE-2022-0108: Inappropriate implementation in Navigation.
  - CVE-2022-0109: Inappropriate implementation in Autofill.
  - CVE-2022-0110: Incorrect security UI in Autofill.
  - CVE-2022-0111: Inappropriate implementation in Navigation.
  - CVE-2022-0112: Incorrect security UI in Browser UI.
  - CVE-2022-0113: Inappropriate implementation in Blink.
  - CVE-2022-0114: Out of bounds memory access in Web Serial.
  - CVE-2022-0115: Uninitialized Use in File API.
  - CVE-2022-0116: Inappropriate implementation in Compositing.
  - CVE-2022-0117: Policy bypass in Service Workers.
  - CVE-2022-0118: Inappropriate implementation in WebShare.
  - CVE-2022-0120: Inappropriate implementation in Passwords.
wireshark Jan. 3, 2022, 4:20 p.m.
Version: 3.6.1-alt1
Summary: The BugTraq Award Winning Network Traffic Analyzer
Changelog:
- 3.6.1 (Fixes: CVE-2021-4185, CVE-2021-4184, CVE-2021-4183, CVE-2021-4182, CVE-2021-4181)
apache2 Dec. 21, 2021, 4:06 p.m.
Version: 2.4.52-alt1
Summary: The most widely used Web server on the Internet
Changelog:
- 2.4.52 (Fixes: CVE-2021-44790, CVE-2021-44224)
log4j Dec. 19, 2021, 2:37 p.m.
Version: 2.17.0-alt1_1jpp11
Summary: Java logging package
Changelog:
- new version (fixes CVE-2021-45105)
mediawiki Dec. 19, 2021, 5:36 a.m.
Version: 1.37.1-alt1
Summary: A wiki engine, typical installation (with Apache2 and MySQL support)
Changelog:
- new version 1.37.1 (with rpmrb script)
- (T292763, CVE-2021-44854) (T271037, CVE-2021-44856)
- (T297322, CVE-2021-44857) (T297322, CVE-2021-44858)
- (T297574, CVE-2021-45038) (T293589, CVE-2021-44855) (T294686)
qemu Dec. 17, 2021, 10:12 p.m.
Version: 6.2.0-alt1
Summary: QEMU CPU Emulator
Changelog:
- 6.2.0.
- Fixes for the following security vulnerabilities:
  + CVE-2021-20203 vmxnet3: validate configuration values during activate
  + CVE-2021-3947 hw/nvme: fix buffer overrun in nvme_changed_nslist
  + CVE-2021-20196 Null Pointer Failure in fdctrl_read() in hw/block/fdc.c
node Dec. 17, 2021, 9:37 a.m.
Version: 14.18.2-alt1
Summary: Evented I/O for V8 Javascript
Changelog:
- new version 14.18.2 (with rpmrb script)
- CVE-2021-22959: HTTP Request Smuggling due to spaces in headers
- CVE-2021-22960: HTTP Request Smuggling when parsing the body
- python 3.10 support
- set c-ares >= 1.18.1
mailman Dec. 14, 2021, 3:13 p.m.
Version: 2.1.39-alt1
Summary: Mailing list manager with built in web access
Changelog:
- 2.1.38 -> 2.1.39 (fixes for CVE-2021-42097 and CVE-2021-44227).
libldb Dec. 13, 2021, 3:26 a.m.
Version: 2.3.2-alt2
Summary: A schema-less, LDAP-like API and database
Changelog:
- Update to latest regression fixes for samba-4.14.10:
  + CVE-2021-3670 ldb: Confirm the request has not yet timed out
grafana Dec. 9, 2021, 11:46 p.m.
Version: 8.1.8-alt1
Summary: Metrics dashboard and graph editor
Changelog:
- 8.1.8 (Fixes: CVE-2021-43798, CVE-2021-39226)
gem-nokogiri Dec. 6, 2021, 2:31 p.m.
Version: 1.12.5-alt1
Summary: Ruby libraries for Nokogiri (HTML, XML, SAX, and Reader parser)
Changelog:
- ^ 1.12.4 -> 1.12.5
- ! CVE-2021-41098
lldpd Dec. 2, 2021, 1:02 a.m.
Version: 1.0.13-alt1
Summary: Link Layer Discovery Protocol Daemon
Changelog:
- new version 1.0.13 (Fixes: CVE-2021-43612)
- migrate /var/run -> /run
containerd Dec. 1, 2021, 4:49 p.m.
Version: 1.4.12-alt1
Summary: A daemon to control runC
Changelog:
- 1.4.12 (Fixes: CVE-2021-41190)
freeswitch Nov. 26, 2021, 1:39 p.m.
Version: 1.10.7-alt1
Summary: FreeSWITCH open source telephony platform
Changelog:
- 1.10.6 -> 1.10.7 (Fixes: CVE-2021-41158, CVE-2021-41145, CVE-2021-41157,
  CVE-2021-41105, CVE-2021-37624, CVE-2021-36513)
redis Nov. 20, 2021, 3:26 p.m.
Version: 6.2.6-alt1
Summary: Redis is an advanced key-value store
Changelog:
- New version
- Security fixes:
  + CVE-2021-41099: buffer overflow with non-default configuration
  + CVE-2021-32762: buffer overflow issue in redis-cli and redis-sentinel
  + CVE-2021-32687: buffer overflow with non-default configuration
  + CVE-2021-32675: Denial Of Service when processing RESP request payloads
  + CVE-2021-32672: random heap reading issue with Lua Debugger
  + CVE-2021-32628: buffer overflow with non-default configuration
  + CVE-2021-32627: buffer overflow with non-default configuration
  + CVE-2021-32626: Lua scripts may result with Heap buffer overflow
  + CVE-2021-32761: integer overflow in BITFIELD on 32-bit versions
screen Nov. 11, 2021, 3:28 p.m.
Version: 4.8.0-alt2
Summary: A screen manager that supports multiple sessions on one terminal
Changelog:
- Applied SUSE combchar.diff to prevent DoS via crafted UTF-8 character
  sequence (fixes CVE-2021-26937).
postgresql13 Nov. 10, 2021, 9:30 a.m.
Version: 13.5-alt1
Summary: PostgreSQL client programs and libraries
Changelog:
- 13.5 (Fixes CVE-2021-23214, CVE-2021-23222)
postgresql12 Nov. 10, 2021, 9:10 a.m.
Version: 12.9-alt1
Summary: PostgreSQL client programs and libraries
Changelog:
- 12.8 (Fixes CVE-2021-23214, CVE-2021-23222)
postgresql11 Nov. 10, 2021, 8:53 a.m.
Version: 11.14-alt1
Summary: PostgreSQL client programs and libraries
Changelog:
- 11.14 (Fixes CVE-2021-23214, CVE-2021-23222)