File _patchinfo of Package patchinfo.38334
<patchinfo incident="38334">
<issue tracker="bnc" id="942385">python-Cython should require python-devel</issue>
<issue tracker="bnc" id="1128828">VUL-0: CVE-2019-9893: libseccomp: incorrect generation of syscall filters in libseccomp</issue>
<issue tracker="bnc" id="1082318">Packages must not mark license files as %doc</issue>
<issue tracker="bnc" id="963974">python-Cython and python3-Cython fail to build with GCC 6</issue>
<issue tracker="bnc" id="1118611">python-Cython 0.29 removed support for subinterpreters (downgrade required)</issue>
<issue tracker="bnc" id="1142614">libseccomp ppc64le: Test 36-sim-ipc_syscalls%%001-00001 result: ERROR 36-sim-ipc_syscalls rc=14</issue>
<issue tracker="bnc" id="1196825">Last update brought libseccomp-2.5.3 that broke build of systemd (at least)</issue>
<issue tracker="bnc" id="1062237">excessive build time for python-Cython</issue>
<issue tracker="cve" id="2019-9893"/>
<packager>msmeissn</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for libseccomp, python-Cython</summary>
<description>This update for libseccomp, python-Cython fixes the following issues:
python-Cython was updated to version 0.29.14 to make libseccomp work.
Changes in libseccomp:
Update to release 2.5.3:
* Update the syscall table for Linux v5.15
* Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2
* Document that seccomp_rule_add() may return -EACCES
Update to release 2.5.2:
* Update the syscall table for Linux v5.14-rc7
* Add a function, get_notify_fd(), to the Python bindings to
get the notification file descriptor.
* Consolidate multiplexed syscall handling for all
architectures into one location.
* Add multiplexed syscall support to PPC and MIPS
* The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within
the kernel. libseccomp's fd notification logic was modified
to support the kernel's previous and new usage of
SECCOMP_IOCTL_NOTIF_ID_VALID.
Update to 2.5.1:
* Fix a bug where seccomp_load() could only be called once
* Change the notification fd handling to only request a notification fd if
the filter has a _NOTIFY action
* Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
* Clarify the maintainers' GPG keys
Update to release 2.5.0:
* Add support for the seccomp user notifications, see the
seccomp_notify_alloc(3), seccomp_notify_receive(3),
seccomp_notify_respond(3) manpages for more information
* Add support for new filter optimization approaches, including a balanced
tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for
more information
* Add support for the 64-bit RISC-V architecture
* Performance improvements when adding new rules to a filter thanks to the
use of internal shadow transactions and improved syscall lookup tables
* Properly document the libseccomp API return values and include them in the
stable API promise
* Improvements to the s390 and s390x multiplexed syscall handling
* Multiple fixes and improvements to the libseccomp manpages
* Moved from manually maintained syscall tables to an automatically generated
syscall table in CSV format
* Update the syscall tables to Linux v5.8.0-rc5
* Python bindings and build now default to Python 3.x
* Improvements to the tests have boosted code coverage to over 93%
Update to release 2.4.3:
* Add list of authorized release signatures to README.md
* Fix multiplexing issue with s390/s390x shm* syscalls
* Remove the static flag from libseccomp tools compilation
* Add define for __SNR_ppoll
* Fix potential memory leak identified by clang in the
scmp_bpf_sim tool
Update to release 2.4.2:
* Add support for io-uring related system calls
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly
identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the "--enable-code-coverage" configure
flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is
set to true
* Several small documentation fixes
</description>
</patchinfo>