-----------------------------------------
Version 1.0.2-Build1.385 2020-04-19T17:47:38

-----------------------------------------
Patch: SUSE-2014-85
Released: Tue Nov  4 16:29:29 2014
Summary: Recommended update for dirmngr
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------
Patch: SUSE-2014-76
Released: Wed Nov  5 16:41:10 2014
Summary: Security update for wget
Severity: moderate
References: 902709,CVE-2014-4877
Description:
wget was updated to fix one security issue.
	  
This security issue was fixed:
- FTP symlink arbitrary filesystem access (CVE-2014-4877).


-----------------------------------------
Patch: SUSE-2014-66
Released: Thu Nov  6 06:23:15 2014
Summary: Recommended update for gcc48
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg.


-----------------------------------------
Patch: SUSE-2014-93
Released: Wed Nov 19 13:36:09 2014
Summary: Security update for java-1_6_0-ibm
Severity: moderate
References: 901223,901239,904889,CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Description:
java-1_6_0-ibm was updated to version 1.6.0_sr16.2 to fix 18 security issues.

These security issues were fixed:
- Unspecified vulnerability in Oracle Java SE 6u81 (CVE-2014-3065).
- The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
  other products, uses nondeterministic CBC padding, which makes it easier for
  man-in-the-middle attackers to obtain cleartext data via a padding-oracle
  attack, aka the 'POODLE' issue (CVE-2014-3566).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality, integrity, and availability via vectors related to AWT (CVE-2014-6513).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (CVE-2014-6503).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (CVE-2014-6532).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-4288).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-6493).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, when running on Firefox, allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Deployment (CVE-2014-6492).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows local users to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment (CVE-2014-6458).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, when running on Internet Explorer, allows local users to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Deployment (CVE-2014-6466).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Libraries (CVE-2014-6506).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect integrity via unknown vectors related
  to Deployment (CVE-2014-6515).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20 allows remote attackers to affect confidentiality via unknown
  vectors related to 2D (CVE-2014-6511).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality via unknown vectors related to Libraries (CVE-2014-6531).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows
  remote attackers to affect integrity via unknown vectors related to Libraries (CVE-2014-6512).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3
  allows remote attackers to affect confidentiality and integrity via vectors
  related to JSSE (CVE-2014-6457).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  integrity via unknown vectors related to Libraries (CVE-2014-6502).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit
  R28.3.3 allows remote attackers to affect integrity via unknown vectors related
  to Security (CVE-2014-6558).

Further information can be found at
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2014


-----------------------------------------
Patch: SUSE-2014-111
Released: Thu Nov 27 21:44:29 2014
Summary: Security update for docker, sle2docker, go
Severity: moderate
References: 898901,902289,902413,907012,907014,CVE-2014-5277,CVE-2014-5282,CVE-2014-6407,CVE-2014-6408,CVE-2014-7189
Description:


Docker was updated to version 1.3.2 to fix five security issues and several other bugs.

- Updated to 1.3.2 (2014-11-20) - fixes bnc#907012 (CVE-2014-6407) and
  bnc#907014 (CVE-2014-6408)
- Fixed minor packaging issues.

These security issues were fixed:
- Prevent fallback to SSL protocols lower than TLS 1.0 for client, daemon and registry (CVE-2014-5277).
- Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified.
- Tagging image to ID can redirect images on subsequent pulls (CVE-2014-5282).
- Fix tar breakout vulnerability (CVE-2014-6407)
- Extractions are now sandboxed chroot (CVE-2014-6407)
- Security options are no longer committed to images (CVE-2014-6408)

These non-security issues were fixed:
- Fix deadlock in `docker ps -f exited=1`
- Fix a bug when `--volumes-from` references a container that failed to start
- `--insecure-registry` now accepts CIDR notation such as 10.1.0.0/16
- Private registries whose IPs fall in the 127.0.0.0/8 range do no need
  the `--insecure-registry` flag
- Skip the experimental registry v2 API when mirroring is enabled
- Fix issue where volumes would not be shared
- Fix issue with `--iptables=false` not automatically setting `--ip-masq=false`
- Fix docker run output to non-TTY stdout
- Fix escaping `$` for environment variables
- Fix issue with lowercase `onbuild` Dockerfile instruction
- Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
- docker `exec` allows you to run additional processes inside existing containers
- docker `create` gives you the ability to create a container via the cli without executing a process
- `--security-opts` options to allow user to customize container labels and apparmor profiles
- docker `ps` filters
- Wildcard support to copy/add
- Move production urls to get.docker.com from get.docker.io
- Allocate ip address on the bridge inside a valid cidr
- Use drone.io for pr and ci testing
- Ability to setup an official registry mirror
- Ability to save multiple images with docker `save`

go was updated to version 1.3.3 to fix one security issue and several other bugs.

This security issue was fixed:
- TLS client authentication issue (CVE-2014-7189).
  
These non-security issues were fixed:
- Avoid stripping debuginfo on arm, it fails (and is not necessary)
- Revert the /usr/share/go/contrib symlink as it caused problems
  during update. Moved all go sources to /usr/share/go/contrib/src
  instead of /usr/share/go/contrib/src/pkg and created pkg and src
  symlinks in contrib to add it to GOPATH
- Fixed %go_contribsrcdir value
- Copy temporary macros.go as go.macros to avoid it to be built
- Do not modify Source: files, because that makes the .src.rpm
  being tied to one specific arch.
- Removed extra src folder in /usr/share/go/contrib: the goal is to
  transform this folder into a proper entry for GOPATH. This folder
  is now linked to %{_libdir}/go/contrib
- go requires gcc to build sources using cgo
- tools-packaging.patch: Allow building cover and vet tools in
  $GOROOT_TARGET/pkg/tool instead of $GOROOT/pkg/tool. This will
  allow building go tools as a separate package

sle2docker was updated to version 0.2.2 to fix one bug:
- Fix SLE12 urls (bnc#902289)


-----------------------------------------
Patch: SUSE-2014-97
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issues was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
  

-----------------------------------------
Patch: SUSE-2014-123
Released: Mon Dec  1 18:03:36 2014
Summary: Recommended update for libXi
Severity: moderate
References: 883553
Description:
This update for libXi fixes a double unlock issue when connecting to an X server with XInputExtension version lower than 2.0. This could result, for example, in a segmentation fault when starting YaST over an ssh connection from SUSE Linux Enterprise 11.

-----------------------------------------
Patch: SUSE-2014-115
Released: Mon Dec  1 18:06:24 2014
Summary: Security update for flac
Severity: moderate
References: 906831,907016,CVE-2014-8962,CVE-2014-9028
Description:
flac was updated to fix two security issues.

These security issues were fixed:
- Stack overflow may result in arbitrary code execution (CVE-2014-8962).
- Heap overflow via specially crafted .flac files (CVE-2014-9028).
  

-----------------------------------------
Patch: SUSE-2014-83
Released: Mon Dec  1 19:46:53 2014
Summary: Security update for compat-openssl098
Severity: moderate
References: 901223,901277,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Description:
compat-openssl098 was updated to fix three security issues.
	  
NOTE: this update alone DOESN'T FIX the POODLE SSL protocol vulnerability.
OpenSSL only adds downgrade detection support for client applications.
See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations.

These security issues were fixed:
- Session ticket memory leak (CVE-2014-3567).
- Fixed build option no-ssl3 (CVE-2014-3568).
- Added support for TLS_FALLBACK_SCSV (CVE-2014-3566).


-----------------------------------------
Patch: SUSE-2014-113
Released: Tue Dec  2 18:17:57 2014
Summary: Security update for cpio
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:

This cpio security update fixes the following buffer overflow issue and
two non security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt


-----------------------------------------
Patch: SUSE-2015-4
Released: Wed Dec  3 15:57:25 2014
Summary: Security update for libyaml
Severity: moderate
References: 907809,CVE-2014-9130
Description:

This libyaml update fixes the following security issue:

- bnc#907809: assert failure when processing wrapped strings
  (CVE-2014-9130)


-----------------------------------------
Patch: SUSE-2015-15
Released: Thu Dec  4 15:24:10 2014
Summary: Security update for libjpeg-turbo, libjpeg62-turbo
Severity: moderate
References: 906761,CVE-2014-9092
Description:
libjpeg-turbo, libjpeg62-turbo were updated to fix one security issue.

This security issue was fixed:
- Passing special crafted jpeg file smashes stack (CVE-2014-9092).
  

-----------------------------------------
Patch: SUSE-2014-116
Released: Sat Dec  6 16:21:37 2014
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 855389,896254,898428,900498,901058,901958,908152
Description:
This collective update for SUSE Manager Client Tools provides the following fixes and enhancements:

cobbler:

- Fix port guessing in koan. (bsc#855389)
- Add 'copy-default' option to grubby-compat. (bsc#855389)
- Handle elilo in SUSE. (bsc#855389)
- Fix wrong option 'text' in SUSE environment. (bsc#901058)

osad:

- Removed PyXML dependency for RHEL systems.
- Fix osad through unauthenticated proxy case.
- Enable and install osad during first installation. (bsc#901958)

rhncfg:

- Fix compare configuration files by checking permissions on the correct file. (bsc#900498)
- Fix error in rhncfg if SELinux is disabled.
- Validate the content of configuration files before deploying.

spacewalk-backend-libs:

- Fix traceback when pushing rpms with archive size greater than 4GB.
- Adding handling for new rpm header information.

spacewalk-client-tools:

- Disable sgmlop import in rhn_check.

spacewalk-koan:

- Make spacewalk-koan work with newer cobbler/koan version. (bsc#908152)

spacewalk-oscap:

- Avoid creating profile with empty id.

spacewalk-remote-utils:

- Add channel definitions for RHEL 6.6.
- Compose format has slightly changed for RHEL 6.6.
- Add channel definitions for RHEL 5.11.

suseRegisterInfo:

- Re-add legacy suse_register_info to successfully perform the update. (bsc#898428)

zypp-plugin-spacewalk:

- Check for retrieveOnly option in up2date configuration and set download_only. (bsc#896254)


-----------------------------------------
Patch: SUSE-2014-81
Released: Sat Dec  6 17:14:40 2014
Summary: Security update for MozillaFirefox and mozilla-nss
Severity: important
References: 897890,900941,908009,CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586,CVE-2014-1587,CVE-2014-1588,CVE-2014-1590,CVE-2014-1592,CVE-2014-1593,CVE-2014-1594,CVE-2014-1595
Description:

Mozilla Firefox was updated to 31.3.0 ESR (bnc#900941) (bnc#908009).

Security issues fixed:
MFSA 2014-83 / CVE-2014-1588 / CVE-2014-1587: Mozilla developers and
community identified and fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

MFSA 2014-85 / CVE-2014-1590: Security researcher Joe Vennix from Rapid7
reported that passing a JavaScript object to XMLHttpRequest that mimics
an input stream will a crash. This crash is not exploitable and can only
be used for denial of service attacks.

MFSA 2014-87 / CVE-2014-1592: Security researcher Berend-Jan Wever
reported a use-after-free created by triggering the creation of a
second root element while parsing HTML written to a document created
with document.open(). This leads to a potentially exploitable crash.

MFSA 2014-88 / CVE-2014-1593: Security researcher Abhishek Arya (Inferno)
of the Google Chrome Security Team used the Address Sanitizer tool to
discover a buffer overflow during the parsing of media content. This
leads to a potentially exploitable crash.

MFSA 2014-89 / CVE-2014-1594: Security researchers Byoungyoung Lee,
Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security
Center (GTISC) reported a bad casting from the BasicThebesLayer to
BasicContainerLayer, resulting in undefined behavior. This behavior is
potentially exploitable with some compilers but no clear mechanism to
trigger it through web content was identified.

MFSA 2014-90 / CVE-2014-1595: Security researcher Kent Howard reported an
Apple issue present in OS X 10.10 (Yosemite) where log files are created
by the CoreGraphics framework of OS X in the /tmp local directory. These
log files contain a record of all inputs into Mozilla programs during
their operation. In versions of OS X from versions 10.6 through 10.9,
the CoreGraphics had this logging ability but it was turned off by
default. In OS X 10.10, this logging was turned on by default for some
applications that use a custom memory allocator, such as jemalloc,
because of an initialization bug in the framework. This issue has been
addressed in Mozilla products by explicitly turning off the framework's
logging of input events. On vulnerable systems, this issue can result
in private data such as usernames, passwords, and other inputed data
being saved to a log file on the local system.

MFSA 2014-74 / CVE-2014-1574 / CVE-2014-1575:
Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Bobby Holley, Christian Holler, David Bolter, Byron Campen, and Jon
Coppeard reported memory safety problems and crashes that affect Firefox
ESR 31.1 and Firefox 32.

Carsten Book, Christian Holler, Martijn Wargers, Shih-Chiang Chien,
Terrence Cole, Eric Rahm , and Jeff Walden reported memory safety problems
and crashes that affect Firefox 32.

MFSA 2014-75 / CVE-2014-1576: Using the Address Sanitizer tool, security
researcher Atte Kettunen from OUSPG discovered a buffer overflow when
making capitalization style changes during CSS parsing. This can cause
a crash that is potentially exploitable.

MFSA 2014-76 / CVE-2014-1577: Security researcher Holger Fuhrmannek
used the used the Address Sanitizer tool to discover an out-of-bounds
read issue with Web Audio when interacting with custom waveforms with
invalid values. This results in a crash and could allow for the reading
of random memory which may contain sensitive data, or of memory addresses
that could be used in combination with another bug.

MFSA 2014-77 / CVE-2014-1578: Using the Address Sanitizer tool, security
researcher Abhishek Arya (Inferno) of the Google Chrome Security Team
found an out-of-bounds write when buffering WebM format video containing
frames with invalid tile sizes. This can lead to a potentially exploitable
crash during WebM video playback.

MFSA 2014-79 / CVE-2014-1581: Security researcher regenrecht reported,
via TippingPoint's Zero Day Initiative, a use-after-free during text
layout when interacting with text direction. This results in a crash
which can lead to arbitrary code execution.

MFSA 2014-81 / CVE-2014-1585 / CVE-2014-1586: Mozilla developers Eric
Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video
sharing using WebRTC. Once video sharing has started within a WebRTC
session running within an <iframe>, video will continue to be shared even
if the user selects the 'Stop Sharing' button in the controls. The
camera will also remain on even if the user navigates to another site and
will begin streaming again if the user returns to the original site. This
is a privacy problem and can lead to inadvertent video streaming. This
does not affect implementations that are not within an <iframe>.

MFSA 2014-82 / CVE-2014-1583: Mozilla developer Boris Zbarsky reported
that a malicious app could use the AlarmAPI to read the values of
cross-origin references, such as an iframe's location object, as part of
an alarm's JSON data. This allows a malicious app to bypass same-origin
policy.

SSLv3 is disabled by default. See README.POODLE for more
detailed information.

Mozilla NSS was updated to 3.17.2 (bnc#900941)
Bugfix release
  * bmo#1049435 - Importing an RSA private key fails if p < q
  * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
  * bmo#1078669 - certutil crashes when using the --certVersion
    parameter
- changes from earlier version of the 3.17 branch:
  update to 3.17.1 (bnc#897890)
  * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
    RSA Signature Forgery in NSS
  * Change library's signature algorithm default to SHA256
  * Add support for draft-ietf-tls-downgrade-scsv
  * Add clang-cl support to the NSS build system
  * Implement TLS 1.3:
    * Part 1. Negotiate TLS 1.3
    * Part 2. Remove deprecated cipher suites andcompression.
  * Add support for little-endian powerpc64
  update to 3.17
  * required for Firefox 33
  New functionality:
  * When using ECDHE, the TLS server code may be configured to
    generate a fresh ephemeral ECDH key for each handshake, by
    setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to
    PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to
    PR_TRUE, which means the server's ephemeral ECDH key is reused
    for multiple handshakes.  This option does not affect the TLS
    client code, which always generates a fresh ephemeral ECDH key
    for each handshake.
  New Macros
  * SSL_REUSE_SERVER_ECDHE_KEY
  Notable Changes:
  * The manual pages for the certutil and pp tools have been
    updated to document the new parameters that had been added in
    NSS 3.16.2.


-----------------------------------------
Patch: SUSE-2015-16
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)


-----------------------------------------
Patch: SUSE-2014-122
Released: Mon Dec 15 14:25:41 2014
Summary: Security update for tcpdump
Severity: moderate
References: 905870,905871,905872,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Description:
This tcpdump update fixes the following security issues:

- fix CVE-2014-8767 (bnc#905870)
  * denial of service in verbose mode using malformed OLSR payload
- fix CVE-2014-8768 (bnc#905871)
  * denial of service in verbose mode using malformed Geonet payload
- fix CVE-2014-8769 (bnc#905872)
  * unreliable output using malformed AOVD payload


-----------------------------------------
Patch: SUSE-2015-34
Released: Fri Dec 19 15:16:12 2014
Summary: Security update for ruby2.1
Severity: moderate
References: 902851,905326,CVE-2014-8080,CVE-2014-8090
Description:
This ruby update fixes the following two security issues:

- bnc#902851: fix CVE-2014-8080: Denial Of Service XML Expansion
- bnc#905326: fix CVE-2014-8090: Another Denial Of Service XML Expansion
- Enable tests to run during the build. This way we can compare
  the results on different builds.


-----------------------------------------
Patch: SUSE-2015-5
Released: Fri Dec 19 19:56:21 2014
Summary: Security update for jasper
Severity: moderate
References: 906364,909474,909475,CVE-2014-8137,CVE-2014-9029
Description:
This libjasper update fixes the following three security issues:

- bnc#906364: heap overflows in libjasper (CVE-2014-9029)
- bnc#909474: double-free in jas_iccattrval_destroy() (CVE-2014-8137)
- bnc#909475: heap overflow in jas_decode() (CVE-2014-8138)


-----------------------------------------
Patch: SUSE-2014-126
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption)
              (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption)
              (CVE-2014-8117)


-----------------------------------------
Patch: SUSE-2015-22
Released: Mon Dec 22 20:12:03 2014
Summary: Recommended update for perl-Net-DNS
Severity: low
References: 904041
Description:
This update for perl-Net-DNS fixes handling of TSIG algorithms, no longer removing dots and dashes from their names.

-----------------------------------------
Patch: SUSE-2015-12
Released: Wed Jan  7 11:24:10 2015
Summary: Security update for unzip
Severity: moderate
References: 909214,CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Description:

  This update fixes the following security issues:

- CVE-2014-8139: fix heap overflow condition in
  the CRC32 verification (fixes bnc#909214)
- CVE-2014-8140 and CVE-2014-8141: fix write error
  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
  read errors (*_6430_*, *_3422_*) show problems in
  process.c:getZip64Data() (fixes bnc#909214)



-----------------------------------------
Patch: SUSE-2015-99
Released: Wed Jan  7 19:36:45 2015
Summary: Recommended update for supportutils
Severity: low
References: 900366,904481,904729
Description:
This update for supportutils provides the following fixes and enhancements:

- Fixed NTP service in ntp.txt. (bnc#904729)
- Create a new lxc.txt file to include information about virtual containers using lxc and/or libvirt-lxc. (bnc#904481)
- Include /var/log/libvirt/libxl logs in xen.txt. (bnc#900366)

-----------------------------------------
Patch: SUSE-2015-46
Released: Thu Jan  8 11:52:33 2015
Summary: Security update for libsndfile
Severity: moderate
References: 911796,CVE-2014-9496
Description:

      This update fixes the following security issue:
      - two buffer read overflows in sd2_parse_rsrc_fork() (CVE-2014-9496, bnc#911796): backported upstream fix patches


-----------------------------------------
Patch: SUSE-2015-29
Released: Mon Jan 12 11:37:43 2015
Summary: Security update for curl
Severity: moderate
References: 901924,911363,CVE-2014-3707,CVE-2014-8150
Description:

   This update fixes the following security issues   
      - CVE-2014-8150: URL request injection vulnerability  (bnc#911363)
      - CVE-2014-3707: duphandle read out of bounds  (bnc#901924)


-----------------------------------------
Patch: SUSE-2015-53
Released: Tue Jan 13 12:24:12 2015
Summary: Security update for mpfr
Severity: moderate
References: 911812,CVE-2014-9474
Description:

      This update fixes the following security issue: 
      - CVE-2014-9474: possible buffer overflow in mpfr_strtofr (bnc#911812)


-----------------------------------------
Patch: SUSE-2015-33
Released: Wed Jan 14 10:47:09 2015
Summary: Security update for libpng16
Severity: important
References: 912076,912929,CVE-2014-9495,CVE-2015-0973
Description:

  This update fixes the following security issues:

  * CVE-2014-9495: libpng versions heap overflow vulnerability, that under certain circumstances could be exploit. [bnc#912076]

  * CVE-2015-0973: A heap-based overflow was found in the png_combine_row() function of the libpng library, when very large interlaced images were used.[bnc#912929]



-----------------------------------------
Patch: SUSE-2015-28
Released: Thu Jan 15 14:17:44 2015
Summary: Security update for docker
Severity: moderate
References: 909709,909710,909712,913211,913213,CVE-2014-9356,CVE-2014-9357,CVE-2014-9358
Description:
This docker version upgrade fixes the following security and non
security issues, and adds the also additional features:

- Updated to 1.4.1 (2014-12-15):
  * Runtime:
    - Fix issue with volumes-from and bind mounts not being honored after
      create (fixes bnc#913213)

- Added e2fsprogs as runtime dependency, this is required when the
  devicemapper driver is used. (bnc#913211).
- Fixed owner & group for docker.socket (thanks to Andrei Dziahel and
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)

- Updated to 1.4.0 (2014-12-11):
  * Notable Features since 1.3.0:
    - Set key=value labels to the daemon (displayed in `docker info`), applied with
      new `-label` daemon flag
    - Add support for `ENV` in Dockerfile of the form: 
      `ENV name=value name2=value2...`
    - New Overlayfs Storage Driver
    - `docker info` now returns an `ID` and `Name` field
    - Filter events by event name, container, or image
    - `docker cp` now supports copying from container volumes
    - Fixed `docker tag`, so it honors `--force` when overriding a tag for existing
      image.
- Changes introduced by 1.3.3 (2014-12-11):
  * Security:
    - Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356) - (bnc#909709)
    - Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357) - (bnc#909710)
    - Validate image IDs (CVE-2014-9358) - (bnc#909712)
  * Runtime:
    - Fix an issue when image archives are being read slowly
  * Client:
    - Fix a regression related to stdin redirection
    - Fix a regression with `docker cp` when destination is the current directory


-----------------------------------------
Patch: SUSE-2015-50
Released: Thu Jan 15 16:33:18 2015
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 888534
Description:

The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024 bit certificates were temporarily reenabled/readded,
as openssl and gnutls have a different handling of intermediates than
mozilla nss and would otherwise not recognize SSL certificates from commonly used
sites like Amazon.

Updated to 2.2 (bnc#888534)
- The following CAs were added:
  + COMODO_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R4
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R5
    codeSigning emailProtection serverAuth
  + USERTrust_ECC_Certification_Authority
    codeSigning emailProtection serverAuth
  + USERTrust_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
  + Equifax_Secure_eBusiness_CA_1
    remote code signing and https trust, leave email trust
  + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
    only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
  - TDC Internet Root CA
- The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Temporary reenable some root ca trusts, as openssl/gnutls
have trouble using intermediates as root CA.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2


-----------------------------------------
Patch: SUSE-2015-40
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode 
- bnc#911228: Fix noglob patch, it broke files with space.

-----------------------------------------
Patch: SUSE-2015-64
Released: Thu Jan 15 23:21:45 2015
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 912229
Description:
This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

-----------------------------------------
Patch: SUSE-2015-26
Released: Fri Jan 16 18:54:45 2015
Summary: Security update for MozillaFirefox
Severity: important
References: 909563,910647,910669,CVE-2014-1569,CVE-2014-8634,CVE-2014-8635,CVE-2014-8638,CVE-2014-8639,CVE-2014-8641
Description:

This update fixes the following security issues in MozillaFirefox:
- MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
   (bmo#1109889, bmo#1111737, bmo#1026774, bmo#1027300,
     bmo#1054538, bmo#1067473, bmo#1070962, bmo#1072130,
     bmo#1072871, bmo#1098583)
    Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
- MFSA 2015-03/CVE-2014-8638
   (bmo#1080987)
   sendBeacon requests lack an Origin header
- MFSA 2015-04/CVE-2014-8639
  (bmo#1095859)
  Cookie injection through Proxy Authenticate responses
- MFSA 2015-06/CVE-2014-8641
  (bmo#1108455)
  Read-after-free in WebRTC

Also Mozilla NSS was updated to 3.17.3 to fix:
* The QuickDER decoder now decodes lengths robustly
  (bmo#1064670/CVE-2014-1569)
* Support for TLS_FALLBACK_SCSV has been added to the ssltap
  and tstclnt utilities
* Changes in CA certificates


-----------------------------------------
Patch: SUSE-2015-44
Released: Tue Jan 20 00:18:26 2015
Summary: Security update for binutils
Severity: moderate
References: 902676,902677,903655,905735,905736,CVE-2014-8484,CVE-2014-8485,CVE-2014-8501,CVE-2014-8502,CVE-2014-8503,CVE-2014-8504,CVE-2014-8737,CVE-2014-8738
Description:
This binutils update fixes the following security issues:

- bnc#902676: lack of range checking leading to controlled write in 
  _bfd_elf_setup_sections() (CVE-2014-8485)
- bnc#902677: invalid read flaw in libbfd (CVE-2014-8484)
- bnc#903655: Multiple memory corruption issues in binary parsers of 
  libbfd (CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504)
- bnc#905735: Out-of-bounds memory write while processing a crafted 'ar'
  archive (CVE-2014-8738)
- bnc#905736: Directory traversal vulnerability allowing random file 
  deletion/creation (CVE-2014-8737)


-----------------------------------------
Patch: SUSE-2015-86
Released: Tue Jan 20 21:04:41 2015
Summary: Optional update for compat-libldap-2_3
Severity: low
References: 913681
Description:
This update provides compat-libldap-2_3, a compatibility library required by some 3rd-party applications.

-----------------------------------------
Patch: SUSE-2015-93
Released: Fri Jan 23 12:45:25 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 909114
Description:
This update for cloud-regionsrv-client provides the following
  changes:

  - Update to version 6.3.5, which fixes several issues with the SMT
    certificate. Most of them were needed to work properly with
    SUSEConnect for SLE 11 and 12 registration. (bnc#909114)
  - re-licensed to LGPL-3.0



-----------------------------------------
Patch: SUSE-2015-68
Released: Sat Jan 24 12:18:22 2015
Summary: Security update for xdg-utils
Severity: moderate
References: 906625,913676,CVE-2014-9622
Description:

This update of xdg-utils fixes a command injection security problem (CVE-2014-9622, bsc#913676)
and a bug when opening files where multiple mime handlers existed (bsc#906625).


-----------------------------------------
Patch: SUSE-2015-92
Released: Fri Jan 30 14:51:02 2015
Summary: Security update for unzip
Severity: moderate
References: 914442,CVE-2014-9636
Description:
unzip was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read/write in test_compr_eb() in extract.c (CVE-2014-9636).
  

-----------------------------------------
Patch: SUSE-2015-76
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
  

-----------------------------------------
Patch: SUSE-2015-73
Released: Mon Feb  2 11:53:55 2015
Summary: Security update for jasper
Severity: moderate
References: 911837,CVE-2014-8157,CVE-2014-8158
Description:
jasper was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8157: Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow (bnc#911837).
CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image (bnc#911837).
  

-----------------------------------------
Patch: SUSE-2015-55
Released: Tue Feb  3 14:51:17 2015
Summary: Recommended update for curl
Severity: moderate
References: 913209
Description:

curl was updated to fix problems when operating in FIPS mode.

This patch reenables following methods:
- NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
- HTTP Digest authentication (allowing its usage of MD5)


-----------------------------------------
Patch: SUSE-2015-121
Released: Tue Feb  3 16:30:16 2015
Summary: Recommended update for pam
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------
Patch: SUSE-2015-78
Released: Wed Feb  4 13:46:43 2015
Summary: Security update for compat-openssl098
Severity: moderate
References: 892403,912014,912015,912018,912293,912294,912296,CVE-2014-0224,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Description:

The openssl 0.9.8j compatibility package was updated to fix several security vulnerabilities:

CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results
on some platforms, including x86_64.

CVE-2014-3571: Fix crash in dtls1_get_record whilst in the listen state where
you get two separate reads performed - one for the header and
one for the body of the handshake record.

CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH ciphersuites
with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites

CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't
support DH certificates and this typo prohibits skipping of
certificate verify message for sign only certificates anyway.
(This patch only fixes the wrong condition)

This update also fixes regression caused by CVE-2014-0224.patch (bnc#892403)


-----------------------------------------
Patch: SUSE-2015-79
Released: Tue Feb 10 15:26:47 2015
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 916265,916266,CVE-2014-8891,CVE-2014-8892
Description:
java-1_6_0-ibm was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8892: Unspecified vulnerability (bnc#916265).
- CVE-2014-8891: Unspecified vulnerability (bnc#916266).
  

-----------------------------------------
Patch: SUSE-2015-115
Released: Tue Feb 17 08:57:12 2015
Summary: Recommended update for docker
Severity: moderate
References: 917647
Description:

Docker was updated to 1.5.0 (2015-02-10) [bnc#917647] bringing new
features and bugfixes:

  * Builder:
    - Dockerfile to use for a given `docker build` can be specified with
      the `-f` flag
    - Dockerfile and .dockerignore files can be themselves excluded as part
      of the .dockerignore file, thus preventing modifications to these files
      invalidating ADD or COPY instructions cache
    - ADD and COPY instructions accept relative paths
    - Dockerfile `FROM scratch` instruction is now interpreted as a no-base
      specifier
    - Improve performance when exposing a large number of ports
  * Hack:
    - Allow client-side only integration tests for Windows
    - Include docker-py integration tests against Docker daemon as part of our
      test suites
  * Packaging:
    - Support for the new version of the registry HTTP API
    - Speed up `docker push` for images with a majority of already existing
      layers
    - Fixed contacting a private registry through a proxy
  * Remote API:
    - A new endpoint will stream live container resource metrics and can be
      accessed with the `docker stats` command
    - Containers can be renamed using the new `rename` endpoint and the
      associated `docker rename` command
    - Container `inspect` endpoint show the ID of `exec` commands running in
      this container
    - Container `inspect` endpoint show the number of times Docker
      auto-restarted the container
    - New types of event can be streamed by the `events` endpoint: ‘OOM’
      (container died with out of memory), ‘exec_create’, and ‘exec_start'
    - Fixed returned string fields which hold numeric characters incorrectly
      omitting surrounding double quotes
  * Runtime:
    - Docker daemon has full IPv6 support
    - The `docker run` command can take the `--pid=host` flag to use the host
      PID namespace, which makes it possible for example to debug host processes
      using containerized debugging tools
    - The `docker run` command can take the `--read-only` flag to make the
      container’s root filesystem mounted as readonly, which can be used in
      combination with volumes to force a container’s processes to only write to
      locations that will be persisted
    - Container total memory usage can be limited for `docker run` using the
      `—memory-swap` flag
    - Major stability improvements for devicemapper storage driver
    - Better integration with host system: containers will reflect changes
      to the host's `/etc/resolv.conf` file when restarted
    - Better integration with host system: per-container iptable rules are moved
      to the DOCKER chain
    - Fixed container exiting on out of memory to return an invalid exit code
  * Other:
    - The HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are
      properly taken into account by the client when connecting to the
      Docker daemon


-----------------------------------------
Patch: SUSE-2015-69
Released: Mon Feb 23 11:53:02 2015
Summary: Recommended update for timezone
Severity: important
References: 912415,915422,915693
Description:
This update provides the latest timezone information (2015a) for your system, including the following changes:

- Add positive leap second on 2015-06-30 23:59:60 UTC, as per IERS Bulletin C 49. (bsc#912415)
- Mexico state Quintana Roo (America/Cancun) shifts from Central Time with DST to Eastern Time without DST on 2015-02-01 02:00. (bsc#915422)
- Chile (America/Santiago) will retain old DST as standard time from April, also Pacific/Easter, and Antarctica/Palmer.

This release also includes changes affecting past time stamps, documentation and some minor bug fixes. For a comprehensive list, refer to the release announcement from ICANN:

- [http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html](http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html)


-----------------------------------------
Patch: SUSE-2015-274
Released: Mon Feb 23 22:21:35 2015
Summary: Recommended update for openslp
Severity: moderate
References: 909195
Description:
This update for openslp provides the following fixes:

- Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
- Bring back allowDoubleEqualInPredicate option.


-----------------------------------------
Patch: SUSE-2015-110
Released: Mon Mar  2 17:43:50 2015
Summary: Security update for icu
Severity: moderate
References: 917129,CVE-2014-9654
Description:
icu was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9654: Insufficient size limit checks in regular expression compiler (bnc#917129).
  

-----------------------------------------
Patch: SUSE-2015-116
Released: Mon Mar  2 21:22:56 2015
Summary: Security update for cups, cups154
Severity: moderate
References: 917799,CVE-2014-9679
Description:
cups, cups154 was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9679: A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels (bnc#917799).
  

-----------------------------------------
Patch: SUSE-2015-157
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Severity: moderate
References: 921070,CVE-2015-1782
Description:

The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT
packet, that could lead to a buffer overread and to a crash of the
libssh2_org using application.


-----------------------------------------
Patch: SUSE-2015-313
Released: Fri Mar 13 00:47:47 2015
Summary: Recommended update for pciutils
Severity: low
References: 837347
Description:
This update for pciutils fixes a memory leak in function get_cache_name().

-----------------------------------------
Patch: SUSE-2015-155
Released: Mon Mar 16 10:21:09 2015
Summary: Security update for libarchive
Severity: moderate
References: 800024,920870,CVE-2013-0211,CVE-2015-2304
Description:

libarchive was updated to fix a directory traversal in the bsdcpio tool, which
allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304)

Also, a integer overflow was fixed that could also overflow buffers. (CVE-2013-0211)


-----------------------------------------
Patch: SUSE-2015-139
Released: Tue Mar 17 12:08:46 2015
Summary: Recommended update for python-docker-py, google-cloud-sdk
Severity: low
References: 915479
Description:
This update provides python-docker-py 0.5.3, fixing the following issues:

* Fixed attaching when connecting to the daemon over a UNIX socket.
* Fixed a bug where sockets were closed immediately when attaching over TLS.
* Added a `assert_hostname` option to `TLSConfig` which can be used to disable verification of hostnames.
* Fixed SSL not working due to an incorrect version comparison
* Added support for adding and dropping capabilities
* Added support for restart policy
* Fixed timeout behavior in `Client.stop`.

The tools to work with Google Cloud Services (google-cloud-sdk) have been updated to version 0.9.44, bringing several fixes and enhancements. Please refer to the package's change log for a comprehensive list of changes.

Finally, this update also adds packages python-gcs-oauth2-boto-plugin and python-gcemetadata to the Public Cloud Module for SLES 12.

-----------------------------------------
Patch: SUSE-2015-140
Released: Tue Mar 17 22:40:00 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 912979,917450,917453
Description:
This update provides cloud-regionsrv-client version 6.3.11:

- Fix boot order for Azure, force waagent to run after registration.
- Properly handle exception if network connection fails.
- Retry network connection 3 times before giving up.
- Fix the ordering in the boot phase.
- Source from new upstream location.


-----------------------------------------
Patch: SUSE-2015-275
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------
Patch: SUSE-2015-135
Released: Wed Mar 18 19:18:56 2015
Summary: Security update for compat-openssl098
Severity: important
References: 915976,919648,920236,922488,922496,922499,922500,922501,CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Description:
OpenSSL was updated to fix various security issues.

Following security issues were fixed:
- CVE-2015-0209: A Use After Free following d2i_ECPrivatekey error
  was fixed which could lead to crashes for attacker supplied Elliptic
  Curve keys. This could be exploited over SSL connections with client
  supplied keys.

- CVE-2015-0286: A segmentation fault in ASN1_TYPE_cmp was fixed that
  could be exploited by attackers when e.g. client authentication is
  used. This could be exploited over SSL connections.

- CVE-2015-0287: A ASN.1 structure reuse memory corruption was fixed. This
  problem can not be exploited over regular SSL connections, only if
  specific client programs use specific ASN.1 routines.

- CVE-2015-0288: A X509_to_X509_REQ NULL pointer dereference was fixed,
  which could lead to crashes. This function is not commonly used, and
  not reachable over SSL methods.

- CVE-2015-0289: Several PKCS7 NULL pointer dereferences were fixed,
  which could lead to crashes of programs using the PKCS7 APIs. The SSL
  apis do not use those by default.

- CVE-2015-0292: Various issues in base64 decoding were fixed, which
  could lead to crashes with memory corruption, for instance by using
  attacker supplied PEM data.

- CVE-2015-0293: Denial of service via reachable assert in SSLv2 servers,
  could be used by remote attackers to terminate the server process. Note
  that this requires SSLv2 being allowed, which is not the default.

- CVE-2009-5146: A memory leak in the TLS hostname extension was fixed,
  which could be used by remote attackers to run SSL services out of memory.


-----------------------------------------
Patch: SUSE-2015-159
Released: Fri Mar 20 15:25:46 2015
Summary: Security update for tcpdump
Severity: moderate
References: 922220,922221,922222,922223,923142,CVE-2014-9140,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155
Description:
tcpdump was updated to fix five vulnerabilities in protocol printers

When running tcpdump, a remote unauthenticated user could have crashed the application or, potentially, execute arbitrary code by injecting crafted packages into the network.

The following vulnerabilities were fixed:
 * IPv6 mobility printer remote DoS (CVE-2015-0261, bnc#922220)
 * PPP printer remote DoS (CVE-2014-9140, bnc#923142)
 * force printer remote DoS (CVE-2015-2155, bnc#922223)
 * ethernet printer remote DoS (CVE-2015-2154, bnc#922222)
 * tcp printer remote DoS (CVE-2015-2153, bnc#922221)


-----------------------------------------
Patch: SUSE-2015-146
Released: Mon Mar 23 11:45:22 2015
Summary: Recommended update for timezone
Severity: low
References: 923498
Description:
This update provides the latest timezone information (2015b) for your system, including the following changes:

- Mongolia will start observing DST again in 2015, from the last Saturday in March to the last Saturday in September.
- Palestine will start DST on March 28, not March 27.
- Fix integer overflow bug in reference 'mktime' implementation.

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html


-----------------------------------------
Patch: SUSE-2015-156
Released: Tue Mar 24 17:51:59 2015
Summary: Security update for pigz
Severity: moderate
References: 913627,CVE-2015-1191
Description:
Pigz, a multi-threaded implementation of gzip, was updated to fix one vulnerability.

The following vulnerability was fixed:

* A crafted file could have caused an unwanted directory traversal on extract (CVE-2015-1191)


-----------------------------------------
Patch: SUSE-2015-150
Released: Fri Mar 27 15:44:10 2015
Summary: Optional update for yast2-docker
Severity: low
References: 899104,912733,920638,920645
Description:
This update provides yast2-docker, an easy to use graphical user interface to manage Docker containers.

-----------------------------------------
Patch: SUSE-2015-222
Released: Wed Apr  8 01:19:45 2015
Summary: Recommended update for supportutils
Severity: moderate
References: 890604,912797,915888,918641,920795,922607,924738,924760,924761,925230
Description:
This update for supportutils provides the following fixes:

- Fixed xz system logs compressed (bnc#924761)
- Fixed xz compressed logs in updates.txt (bnc#924760)
- Added docker support in docker.txt with OPTION_DOCKER=1 (bnc#925230)
- Added missing SUSEConnect (bnc#924738)
- Fixed kdumptool error (bnc#922607)
- Added missing wicked configuration to network.txt (bnc#920795)
- Fixed vmcp detection (bnc#915888)
- Included DNS fix (bnc#918641)
- Use /etc/drbd.conf for test instead of rpm (bnc#890604)
- Added missing taint flag E (bnc#912797)
- Added lsinitrd to boot.txt for SLE12.


-----------------------------------------
Patch: SUSE-2015-169
Released: Wed Apr 15 02:34:35 2015
Summary: Recommended update for timezone
Severity: low
References: 927184
Description:
This update provides the latest timezone information (2015c) for your
system, including the following changes:

- Egypt's spring-forward transition in 2015 will be on Thursday, April 30 at 24:00,
  not Friday, April 24 at 00:00.

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-April/000030.html


-----------------------------------------
Patch: SUSE-2015-234
Released: Thu Apr 16 15:41:43 2015
Summary: Recommended update for yp-tools
Severity: low
References: 902507
Description:
This update for yp-tools provides the following fixes:

- Add a workround for a Solaris ypbind bug, which let NIS use a 
  french server as NIS server.
- ypchfn/ypchsh are not deprecated and should not call the chfn/chsh
  variants.


-----------------------------------------
Patch: SUSE-2015-289
Released: Thu Apr 16 20:19:38 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 920295,921526,924712,926647
Description:
This update for cloud-regionsrv-client provides the following fixes:

- Do not modify /etc/hosts file if a registrations exists, the
  registration data is consistent and the configured SMT server
  is reachable. (bsc#926647)

- Write instance data to /var/lib into a randomly generated
  file name. (bsc#924712)

- Add missing provides for the generic configuration.
  Resolves improper conflict between -plugin-gce and
  the generic configuration.

- Implement new --force-new command line option for
  registration code fo on demand images. (bsc#921526)

- Improve logging information on registration failure
  in SLES 12. (bsc#920295)


-----------------------------------------
Patch: SUSE-2015-182
Released: Fri Apr 24 17:03:35 2015
Summary: Recommended update for docker
Severity: moderate
References: 908033
Description:

Docker was updated to version 1.6.0 (2015-04-07) [bnc#908033]

Major changes in docker 1.6.0:
* Builder:
  + Building images from an image ID
  + build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...`
  + `commit --change` to apply specified Dockerfile instructions while committing the image
  + `import --change` to apply specified Dockerfile instructions while importing the image
  + basic build cancellation
* Client:
  + Windows Support
* Runtime:
  + Container and image Labels
  + `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
  + Logging drivers, `json-file`, `syslog`, or `none`
  + Pulling images by ID
  + `--ulimit` to set the ulimit on a container
  + `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
* Support of Docker Registry API v2.


-----------------------------------------
Patch: SUSE-2015-174
Released: Sat Apr 25 15:13:10 2015
Summary: Recommended update for timezone
Severity: low
References: 928246
Description:
This update adjusts Egypt's time zone definitions, canceling DST from 2015 onwards.

-----------------------------------------
Patch: SUSE-2015-235
Released: Wed Apr 29 19:05:01 2015
Summary: Security update for curl
Severity: moderate
References: 927556,927607,927608,927746,928533,CVE-2015-3143,CVE-2015-3144,CVE-2015-3145,CVE-2015-3148,CVE-2015-3153
Description:
curl was updated to fix five security issues.

The following vulnerabilities were fixed:

* CVE-2015-3143: curl could re-use NTML authenticateds connections
* CVE-2015-3144: curl could access memory out of bounds with zero length host names
* CVE-2015-3145: curl cookie parser could access memory out of boundary
* CVE-2015-3148: curl could treat Negotiate as not connection-oriented
* CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies


-----------------------------------------
Patch: SUSE-2015-273
Released: Mon May 18 10:42:24 2015
Summary: Security update for openldap2
Severity: moderate
References: 905959,916897,916914,CVE-2015-1545,CVE-2015-1546
Description:
openldap2 was updated to fix two security issues and one non-security bug.

The following vulnerabilities were fixed:

* A remote attacker could cause a denial of service through a NULL pointer dereference and crash via an empty attribute list in a deref control in a search request. (bnc#916897 CVE-2015-1545)
* A remote attacker could cause a denial of service (crash) via a crafted search query with a matched values control. (bnc#916914 CVE-2015-1546) 

The following non-security issue was fixed:

* Prevent connection-0 (internal connection) from showing up in the monitor backend (bnc#905959)


-----------------------------------------
Patch: SUSE-2015-230
Released: Tue May 19 20:34:00 2015
Summary: Security update for docker
Severity: moderate
References: 930235,931301,CVE-2015-3627,CVE-2015-3629,CVE-2015-3630,CVE-2015-3631
Description:
The Linux container runtime environment Docker was updated to version 1.6.2
to fix several security and non-security issues.

- Security:
  - Fix read/write /proc paths. (CVE-2015-3630)
  - Prohibit VOLUME /proc and VOLUME /. (CVE-2015-3631)
  - Fix opening of file-descriptor 1. (CVE-2015-3627)
  - Fix symlink traversal on container respawn allowing local privilege
    escalation. (CVE-2015-3629)

- Runtime:
  - Update Apparmor policy to not allow mounts.


-----------------------------------------
Patch: SUSE-2015-267
Released: Wed May 20 14:45:05 2015
Summary: Security update for fuse
Severity: moderate
References: 931452,CVE-2015-3202
Description:

This update fixes a vulnerability in fuse that 
did not clear the environment upon execution of external programs. 
CVE-2015-3202 has been assigned to this issue


-----------------------------------------
Patch: SUSE-2015-247
Released: Wed Jun  3 13:57:56 2015
Summary: Security update for patch
Severity: moderate
References: 904519,913678,915328,915329,CVE-2015-1196,CVE-2015-1395,CVE-2015-1396
Description:
The GNU patch utility was updated to 2.7.5 to fix three security issues and one non-security bug.

The following vulnerabilities were fixed:

* CVE-2015-1196: directory traversal flaw when handling git-style patches. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#913678)
* CVE-2015-1395: directory traversal flaw when handling patches which rename files. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915328) 
* CVE-2015-1396: directory traversal flaw via symbolic links. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a by applying a specially crafted patch. (bsc#915329)

The following bug was fixed:

* bsc#904519:  Function names in hunks (from diff -p) are now preserved in  reject files.


-----------------------------------------
Patch: SUSE-2015-334
Released: Tue Jun  9 17:09:01 2015
Summary: Recommended update for tcsh
Severity: low
References: 901076
Description:
This update for tcsh fixes locking of .history files when multiple instances of the shell run simultaneously.

-----------------------------------------
Patch: SUSE-2015-264
Released: Wed Jun 10 16:31:35 2015
Summary: Security update for cups
Severity: critical
References: 924208,CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Description:
The following issues are fixed by this update:

* CVE-2012-5519: privilege escalation via cross-site scripting
  and bad print job submission used to replace cupsd.conf on server (bsc#924208).
* CVE-2015-1158: Improper Update of Reference Count
* CVE-2015-1159: Cross-Site Scripting



-----------------------------------------
Patch: SUSE-2015-296
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:

This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).

* Added a NIST 800-90a compliant DRBG.

* Change DSA key generation to be FIPS 186-4 compliant.

* Change RSA key generation to be FIPS 186-4 compliant.

* Enable HW support in fips mode (bnc#896435)

* Make DSA selftest use 2048 bit keys (bnc#898003)

* Added ECDSA selftests and add support for it to the CAVS testing
  framework (bnc#896202)

* Various CAVS testing improvements.


-----------------------------------------
Patch: SUSE-2015-283
Released: Tue Jun 16 15:02:53 2015
Summary: Recommended update for timezone
Severity: low
References: 928841,934654
Description:

This update provides the latest timezone information (2015e) for your
system, including the following changes:

- Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00,
  not 06-13 and 07-18.
- Assume Cayman Islands will observe DST starting next year, using US rules.
- Fix post-install script to overwrite the temporary file when attempting
  to create /etc/localtime as a hard link. (bsc#928841)

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcements from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html
http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html


-----------------------------------------
Patch: SUSE-2015-288
Released: Wed Jun 17 12:10:21 2015
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 912434,912447,930365,931702,CVE-2015-0138,CVE-2015-0192,CVE-2015-0204,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808
Description:

IBM Java 1.6.0 was updated to SR16-FP4 fixing security issues and bugs.

Tabulated information can be found on:
[http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015](http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_May_2015)

CVEs addressed:
CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138
CVE-2015-0491 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469
CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477
CVE-2015-0204 

Additional bugs fixed:

* Fix javaws/plugin stuff should slave plugin update-alternatives (bnc#912434)
* Changed Java to use the system root CA certificates (bnc#912447)


-----------------------------------------
Patch: SUSE-2015-285
Released: Wed Jun 17 18:11:24 2015
Summary: Security update for compat-openssl098
Severity: important
References: 879179,929678,931698,933898,933911,934487,934489,934491,934493,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Description:

This update fixes the following security issues:

- CVE-2015-4000 (boo#931698)
  * The Logjam Attack / weakdh.org
  * reject connections with DH parameters shorter than 1024 bits
  * generates 2048-bit DH parameters by default
- CVE-2015-1788 (boo#934487)
  * Malformed ECParameters causes infinite loop
- CVE-2015-1789 (boo#934489)
  * Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1790 (boo#934491)
  * PKCS7 crash with missing EnvelopedContent
- CVE-2015-1792 (boo#934493)
  * CMS verify infinite loop with unknown hash function
- CVE-2015-1791 (boo#933911)
  * race condition in NewSessionTicket
- CVE-2015-3216 (boo#933898)
  * Crash in ssleay_rand_bytes due to locking regression
  * modified openssl-1.0.1i-fipslocking.patch
- fix timing side channel in RSA decryption (bnc#929678)
- add ECC ciphersuites to DEFAULT (bnc#879179)
- Disable EXPORT ciphers by default (bnc#931698, comment #3)


-----------------------------------------
Patch: SUSE-2015-366
Released: Mon Jun 29 10:13:43 2015
Summary: Security update for e2fsprogs
Severity: low
References: 915402,918346,CVE-2015-0247,CVE-2015-1572
Description:

Two security issues were fixed in e2fsprogs:

Security issues fixed:

* CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
* CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 )


-----------------------------------------
Patch: SUSE-2015-287
Released: Fri Jul  3 23:20:01 2015
Summary: Initial update for the Containers-Module
Severity: low
References: 918228,924438
Description:
This recommended update provides the initial version of docker and its dependencies including images for SUSE Linux Enterprise Server 12 and 11-SP3 for the Containers-Module.

Fully supported as part of SUSE Linux Enterprise Server 12, enterprise-ready Docker from SUSE improves operational efficiency and is accompanied by easy-to-use tools to build, deploy and manage containers.

SUSE provides pre-built images from a verified and trusted source. In addition, customers can create an on-premise registry behind the enterprise firewall, minimizing exposure to malicious attacks and providing better control of intellectual property.

As integral parts of SUSE Linux Enterprise Server, Docker and containers provide additional virtualization options to improve operational efficiency. SUSE Linux Enterprise Server includes the Xen and KVM hypervisors and is a perfect guest in virtual and cloud environments. With the addition of Docker, customers can build, ship and run containerized applications on SUSE Linux Enterprise Server in physical, virtual or cloud environments.

The efficient YaST management framework provides a simple overview of the available Docker images and allows customers to run and easily control Docker containers. In addition, the KIWI image-building tool has been extended to support the Docker build format.

SUSE's current Docker offering supports x86-64 servers with support for other hardware platforms in the works.

For more information about Docker in SUSE Linux Enterprise Server, including a series of Docker mini-course videos, visit www.suse.com/promo/docker.html and www.suse.com/promo/sle.

-----------------------------------------
Patch: SUSE-2015-330
Released: Tue Jul 14 20:28:10 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 856315,935033,935979,CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Description:
MozillaFirefox, mozilla-nspr and  mozilla-nss were updated to fix 17 security issues.

For more details please check the changelogs.
- CVE-2015-2724/CVE-2015-2725/CVE-2015-2726: Miscellaneous memory safety hazards (bsc#935979).
- CVE-2015-2728: Type confusion in Indexed Database Manager (bsc#935979).
- CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly (bsc#935979).
- CVE-2015-2722/CVE-2015-2733: Use-after-free in workers while using XMLHttpRequest (bsc#935979).
- CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740: Vulnerabilities found through code inspection (bsc#935979).
- CVE-2015-2743: Privilege escalation in PDF.js (bsc#935979).
- CVE-2015-4000: NSS accepts export-length DHE keys with regular DHE cipher suites (bsc#935033).
- CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange (bsc#935979).


-----------------------------------------
Patch: SUSE-2015-361
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:

The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing
a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:

* Fixes bogus integer overflow in constant expression.  [bnc#934689]
* Fixes ICE with atomics on aarch64.  [bnc#930176]
* Includes fix for -imacros bug.  [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings.  [bnc#919274]
* Includes updated -mhotpatch for s390x.  [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract.  [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations.  [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
  

-----------------------------------------
Patch: SUSE-2015-404
Released: Fri Jul 24 16:35:52 2015
Summary: Recommended update for yast2-docker
Severity: moderate
References: 935929,938441
Description:

yast2-docker was updated to fix two bugs:

- prompt before removing container on 'stop' and 'kill' operations (bnc#938441)
- ensure untagged images can be removed (bnc#935929)
  

-----------------------------------------
Patch: SUSE-2015-377
Released: Mon Jul 27 16:54:59 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 937873
Description:
This update for cloud-regionsrv-client to version 6.3.18
  contains the following fix:
- Repository issues with suse-sles-12 on Azure (bnc#937873)


-----------------------------------------
Patch: SUSE-2015-422
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Severity: low
References: 926412,936050,937823
Description:

This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2, please see
https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to 2.25 release branch
to provide features and bugfixes.

Following features have been added to binutils:

* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).


The GNU Debugger gdb was updated to version 7.9.1 bringing
various features and lots of bugfixes. Also IBM zSeries z13 hardware
support has been added to gdb. (fate#318039)


-----------------------------------------
Patch: SUSE-2015-442
Released: Fri Jul 31 17:25:19 2015
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 929237,CVE-2015-3451
Description:

perl-XML-LibXML was updated to fix the expand_entities option to be preserved in all cases. (CVE-2015-3451).


-----------------------------------------
Patch: SUSE-2015-369
Released: Mon Aug  3 14:39:53 2015
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 935540,936844,938895,CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Description:
IBM Java was updated to 6.0-16.7 to fix several security issues.

The following vulnerabilities were fixed:

* CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
* CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data.
* CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data.
* CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS).
* CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.

The following non-security bugs were fixed:

* bsc#936844: misconfigured update-alternative entries


-----------------------------------------
Patch: SUSE-2015-419
Released: Fri Aug  7 11:26:40 2015
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 937492,CVE-2015-0287
Description:

This update of compat-openssl098 fixes a regression problem when loading DSA keys
from disk caused by the security fix for CVE-2015-0287. (bsc#937492)


-----------------------------------------
Patch: SUSE-2015-400
Released: Mon Aug 10 13:01:34 2015
Summary: Recommended update for Docker
Severity: low
References: 935570,938156
Description:
This update for Docker provides version 1.7.1 with various fixes and improvements (bsc#935570, bsc#938156):

- Runtime
  + Fix default user spawning exec process with docker exec
  + Make --bridge=none not to configure the network bridge
  + Publish networking stats properly
  + Fix implicit devicemapper selection with static binaries
  + Fix socket connections that hung intermittently
  + Fix bridge interface creation on CentOS/RHEL 6.6
  + Fix local dns lookups added to resolv.conf
  + Fix copy command mounting volumes
  + Fix read/write privileges in volumes mounted with --volumes-from
  + Experimental feature: support for out-of-process volume plugins
  + The userland proxy can be disabled in favor of hairpin NAT using the daemon’s `--userland-proxy=false` flag
  + The `exec` command supports the `-u|--user` flag to specify the new process owner
  + Default gateway for containers can be specified daemon-wide using the `--default-gateway` and `--default-gateway-v6` flags
  + The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` using `--cpu-quota`
  + Container block IO can be controlled in `docker run` using`--blkio-weight`
  + ZFS support
  + The `docker logs` command supports a `--since` argument
  + UTS namespace can be shared with the host with `docker run --uts=host`

- Remote API
  + Fix unmarshalling of Command and Entrypoint
  + Set limit for minimum client version supported
  + Validate port specification
  + Return proper errors when attach/reattach fail

- Distribution
  + Fix pulling private images
  + Fix fallback between registry V2 and V1
  + Client support for v2 mirroring support for the official registry

- Quality
  + Networking stack was entirely rewritten as part of the libnetwork effort
  + Engine internals refactoring
  + Volumes code was entirely rewritten to support the plugins effort
  + Sending SIGUSR1 to a daemon will dump all goroutines stacks without exiting

- Build
  + Support ${variable:-value} and ${variable:+value} syntax for environment variables
  + Support resource management flags `--cgroup-parent`, `--cpu-period`, `--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems`
  + git context changes with branches and directories
  + The .dockerignore file support exclusion rules

- Bugfixes
  + Firewalld is now supported and will automatically be used when available
  + mounting --device recursively


-----------------------------------------
Patch: SUSE-2015-416
Released: Tue Aug 11 18:18:42 2015
Summary: Recommended update for timezone
Severity: low
References: 941249
Description:

This update provides the latest timezone information (2015f) for your
system, including the following changes:

- North Korea switches to +0830 on 2015-08-15. The abbreviation remains 'KST'.
- Uruguay no longer observes DST.
- Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html


-----------------------------------------
Patch: SUSE-2015-427
Released: Fri Aug 14 13:12:33 2015
Summary: Recommended update for SUSE Linux Enterprise Modules
Severity: low
References: 939702,940943
Description:

This update adjusts the product definitions of the following SUSE Linux Enterprise
Modules, allowing their installation on top of the upcoming Service Packs for SLE 12:

- Advanced Systems Management
- Containers
- Legacy
- Public Cloud
- Live Patching
- Manager Tools
- Web and Scripting.


-----------------------------------------
Patch: SUSE-2015-500
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:

This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation
  [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)


-----------------------------------------
Patch: SUSE-2015-531
Released: Fri Aug 21 13:44:15 2015
Summary: Recommended update for cronie
Severity: low
References: 900604
Description:
cronie has been updated to fix loading of PAM environment from the pam_env module.

-----------------------------------------
Patch: SUSE-2015-605
Released: Fri Aug 21 15:20:22 2015
Summary: Recommended update for alsa-utils
Severity: low
References: 940950
Description:
This update for alsa-utils supresses alsactl invocations on systems without
sound cards.

-----------------------------------------
Patch: SUSE-2015-573
Released: Fri Aug 21 15:55:14 2015
Summary: Recommended update for libXi
Severity: moderate
References: 940529
Description:
This update provides libXi 1.7.4, which brings several fixes and
enhancements:

- Fix handling of request elements for the XIChangeHierarchy(XIAddMaster) 
  request.
- Fix display locking inside _XIPassiveGrabDevice for error paths.
- Fix locking problems in XIGrabTouchBegin(), XIAllowTouchEvents()
  and XIUngrabTouchBegin().
- Remove fallback for _XEatDataWords, no longer needed on SLE 12.


-----------------------------------------
Patch: SUSE-2015-473
Released: Tue Aug 25 16:06:40 2015
Summary: Security update for tiff
Severity: moderate
References: 914890,916927,CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655
Description:

LibTiff was updated to the 4.0.4 stable release fixing various security
issues and bugs.

These security issues were fixed:
- CVE-2014-8127: Out-of-bounds write (bnc#914890).
- CVE-2014-8128: Out-of-bounds write (bnc#914890).
- CVE-2014-8129: Out-of-bounds write (bnc#914890).
- CVE-2014-8130: Out-of-bounds write (bnc#914890).
- CVE-2014-9655: Access of uninitialized memory (bnc#916927).


-----------------------------------------
Patch: SUSE-2015-530
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Severity: low
References: 933029
Description:

This update for sed fixes the behavior of --follow-symlinks when reading from the
standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both
cases, sed will read from the standard input and no longer from a file named '-'.


-----------------------------------------
Patch: SUSE-2015-546
Released: Wed Aug 26 21:16:17 2015
Summary: Recommended update for tar
Severity: low
References: 940120
Description:

This update for tar enables support for ACLs, extended attributes (Xattr) and SELinux.


-----------------------------------------
Patch: SUSE-2015-561
Released: Tue Sep  1 21:05:50 2015
Summary: Recommended update for kbd
Severity: low
References: 915473
Description:

This update fixes loading of some console keymaps, including the default keymap
used by 'loadkeys -d'.


-----------------------------------------
Patch: SUSE-2015-472
Released: Wed Sep  2 08:25:03 2015
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 940806,943557,943558,943608,CVE-2015-4473,CVE-2015-4474,CVE-2015-4475,CVE-2015-4478,CVE-2015-4479,CVE-2015-4484,CVE-2015-4485,CVE-2015-4486,CVE-2015-4487,CVE-2015-4488,CVE-2015-4489,CVE-2015-4491,CVE-2015-4492,CVE-2015-4495,CVE-2015-4497,CVE-2015-4498
Description:

Mozilla Firefox was updated to version 38.2.1 ESR to fix several
critical and non critical security vulnerabilities.

- Firefox was updated to 38.2.1 ESR (bsc#943608)
  * MFSA 2015-94/CVE-2015-4497 (bsc#943557)
    Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bsc#943558)
    Add-on notification bypass through data URLs

- Firefox was updated to 38.2.0 ESR (bsc#940806)
  * MFSA 2015-78/CVE-2015-4495
    (bmo#1178058, bmo#1179262)
    Same origin violation and local file stealing via PDF reader
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
    (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204,
     bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890,
     bmo#1182711)
    Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
  * MFSA 2015-80/CVE-2015-4475
    (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478
    (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479
    (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718)
    Overflow issues in libstagefright
  * MFSA 2015-87/CVE-2015-4484
    (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491
    (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
    (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    (bmo#1176270, bmo#1182723, bmo#1171603)
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492
    (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers

Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38ESR uses.


-----------------------------------------
Patch: SUSE-2015-502
Released: Thu Sep  3 14:53:31 2015
Summary: Optional update for mozjs17
Severity: low
References: 944331
Description:
This update for mozjs17 includes fixes specific to the ARM64 architecture.

-----------------------------------------
Patch: SUSE-2015-606
Released: Tue Sep  8 17:59:56 2015
Summary: Recommended update for blktrace
Severity: low
References: 939307
Description:
This update fixes blktrace to run on systems with more than 512 CPUs.

-----------------------------------------
Patch: SUSE-2015-538
Released: Fri Sep 11 13:55:23 2015
Summary: Recommended update for docker
Severity: moderate
References: 942369,942370
Description:
Docker has been updated to version 1.8.1, bringing several fixes and enhancements.

For a comprehensive list of changes, please refer to the detailed changelogs in:

- https://github.com/docker/docker/releases/tag/v1.8.1
- https://github.com/docker/docker/releases/tag/v1.8.0


-----------------------------------------
Patch: SUSE-2015-568
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.

-----------------------------------------
Patch: SUSE-2015-571
Released: Wed Sep 16 15:27:13 2015
Summary: Recommended update for make
Severity: low
References: 934131
Description:
This update for make provides the following fixes:

- Force recomputing .VARIABLES when a variable was made undefined. (bsc#934131)


-----------------------------------------
Patch: SUSE-2015-587
Released: Fri Sep 18 02:21:53 2015
Summary: Recommended update for openldap2
Severity: moderate
References: 904028,945633
Description:

This update provides OpenLDAP version 2.4.41, which brings several bug fixes and
stability improvements.

For a comprehensive list of changes between 2.4.39 and 2.4.41 refer to the release
notes at http://www.openldap.org/software/release/changes.html.


-----------------------------------------
Patch: SUSE-2015-640
Released: Wed Sep 23 20:20:09 2015
Summary: Security update for MozillaFirefox, mozilla-nspr
Severity: important
References: 947003,CVE-2015-4500,CVE-2015-4501,CVE-2015-4506,CVE-2015-4509,CVE-2015-4511,CVE-2015-4517,CVE-2015-4519,CVE-2015-4520,CVE-2015-4521,CVE-2015-4522,CVE-2015-7174,CVE-2015-7175,CVE-2015-7176,CVE-2015-7177,CVE-2015-7180
Description:

Mozilla Firefox was updated to version 38.3.0 ESR (bsc#947003),
fixing bugs and security issues.

* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
  Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* MFSA 2015-101/CVE-2015-4506
  Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511
  Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509
  Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519
  Dragging and dropping images exposes final URL after
  redirects
* MFSA 2015-111/CVE-2015-4520
  Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
  CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
  CVE-2015-7180
  Vulnerabilities found through code inspection

More details can be found on
	https://www.mozilla.org/en-US/security/advisories/

The Mozilla NSPR library was updated to version 4.10.9, fixing various bugs.


-----------------------------------------
Patch: SUSE-2015-627
Released: Wed Sep 23 21:15:32 2015
Summary: Recommended update for docker
Severity: moderate
References: 946653
Description:

Docker has been updated to version 1.8.2, bringing several fixes and enhancements.

For a comprehensive list of changes, please refer to the detailed changelogs in:

- https://github.com/docker/docker/releases/tag/v1.8.2 


-----------------------------------------
Patch: SUSE-2015-607
Released: Mon Sep 28 12:18:17 2015
Summary: Recommended update for python3
Severity: moderate
References: 935856
Description:

This update fixes a python3 testsuite failure due to the openssl LOGJAM fixes.  (bsc#935856)
It also fixes a python3-base build issue on aarch64.

(It is not meant for public channels)


-----------------------------------------
Patch: SUSE-2015-682
Released: Fri Oct  2 19:17:57 2015
Summary: Recommended update for timezone
Severity: low
References: 948227,948568
Description:

This update provides the latest timezone information (2015g) for your
system, including the following changes:

- Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
- Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
- Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
- Fort Nelson, British Columbia will not fall back on 2015-11-01.  It has 
  effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
  Add new zone America/Fort_Nelson.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2015-October/022728.html


-----------------------------------------
Patch: SUSE-2015-756
Released: Wed Oct  7 07:07:48 2015
Summary: Security update for gcc48
Severity: moderate
References: 945842,947772,947791,948168,949000,CVE-2015-5276
Description:
This update for GCC 4.8 provides the following fixes:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)
- Fix linker segmentation fault when building SLOF on ppc64le. (bsc#949000)
- Fix no_instrument_function attribute handling on PPC64 with -mprofile-kernel. (bsc#947791)
- Fix internal compiler error with aarch64 target using PCH and builtin functions. (bsc#947772)
- Fix libffi issues on aarch64. (bsc#948168)


-----------------------------------------
Patch: SUSE-2015-663
Released: Wed Oct  7 16:01:20 2015
Summary: Optional update for binutils
Severity: low
References: 949066
Description:

ARM64 (aarch64) binaries produced by binutils 2.25 gold linker had incorrect (4k)
section alignment. As a result, those binaries could not be mapped when being
executed on a SLE 12 kernel.

This update adjusts the section alignment to 64k, as required by the ABI.


-----------------------------------------
Patch: SUSE-2015-797
Released: Sat Oct 10 04:42:14 2015
Summary: Recommended update for LibreOffice
Severity: moderate
References: 470073,806250,829430,86241,87222,890735,900186,900877,907966,910805,910806,913042,914911,915996,916181,918852,919409,926375,929793,934423,936188,936190,940838,943075,945692,CVE-2014-8146,CVE-2014-8147,CVE-2015-1774,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Description:

This update brings LibreOffice to version 5.0.2, a major version
update.

It brings lots of new features, bugfixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

* LibreOffice 5.0 ships an impressive number of new features for
  its spreadsheet module, Calc: complex formulae image cropping, new
  functions, more powerful conditional formatting, table addressing
  and much more. Calc's blend of performance and features makes it
  an enterprise-ready, heavy duty spreadsheet application capable of
  handling all kinds of workload for an impressive range of use cases
* New icons, major improvements to menus and sidebar : no other
  LibreOffice version has looked that good and helped you be creative and
  get things done the right way. In addition, style management is now more
  intuitive thanks to the visualization of styles right in the interface.
* LibreOffice 5 ships with numerous improvements to document import and
  export filters for MS Office, PDF, RTF, and more. You can now timestamp
  PDF documents generated with LibreOffice and enjoy enhanced document
  conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed:

* CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 did not properly
  track directionally isolated pieces of text, which allowed remote
  attackers to cause a denial of service (heap-based buffer overflow)
  or possibly execute arbitrary code via crafted text.
* CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 used an integer
  data type that is inconsistent with a header file, which allowed remote
  attackers to cause a denial of service (incorrect malloc followed by
  invalid free) or possibly execute arbitrary code via crafted text.
* CVE-2015-4551: An arbitrary file disclosure vulnerability in Libreoffice
  and Openoffice Calc and Writer was fixed.
* CVE-2015-1774: The HWP filter in LibreOffice allowed remote attackers
  to cause a denial of service (crash) or possibly execute arbitrary code
  via a crafted HWP document, which triggered an out-of-bounds write.
* CVE-2015-5212: A LibreOffice 'PrinterSetup Length' integer underflow
  vulnerability could be used by attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5213: A LibreOffice 'Piece Table Counter' invalid check design
  error vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5214: Multiple Vendor LibreOffice Bookmark Status Memory
  Corruption Vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
  

-----------------------------------------
Patch: SUSE-2015-708
Released: Tue Oct 13 17:36:20 2015
Summary: Recommended update for pciutils-ids
Severity: low
References: 911528,944104,944436,944825
Description:
The system's PCI IDs database has been updated to version 2015.10.07. Additionally, the
merge-pciids.pl script was fixed to not print warnings about conflicting definitions by
default.

-----------------------------------------
Patch: SUSE-2015-691
Released: Wed Oct 14 09:40:50 2015
Summary: Security update for docker
Severity: important
References: 949660,CVE-2014-8178,CVE-2014-8179
Description:
docker was updated to version 1.8.3 to fix two security issues.

These security issues were fixed:
- CVE-2014-8178: Manipulated layer IDs could have lead to local graph poisoning (bsc#949660).
- CVE-2014-8179: Manifest validation and parsing logic errors allowed pull-by-digest validation bypass (bsc#949660).

This non-security issues was fixed:
- Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry

More information about docker 1.8.3 can be found at 
https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/


-----------------------------------------
Patch: SUSE-2015-747
Released: Thu Oct 15 14:34:52 2015
Summary: Recommended update for supportutils
Severity: low
References: 944445,950216
Description:
This update for supportutils provides the following fixes and enhancements:

- Capture information about IBM's PowerNV platform. (bsc#944445)
- Collect important libvirt log files. (bsc#950216)


-----------------------------------------
Patch: SUSE-2015-753
Released: Mon Oct 19 08:39:44 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 948057,948129,948130,950858,950865
Description:
This update provides cloud-regionsrv-client 6.4.2:

- Detect and properly report errors when the base product registration fails. (bsc#950858)
- Properly register the base product. (bsc#950865)
- If the server to which the guest is registered to is not available, attempt to
  find another available SMT server. (bsc#948129, bsc#948130)
- Register base product properly even if no other products are set up. (bsc#948057)


-----------------------------------------
Patch: SUSE-2015-760
Released: Mon Oct 19 15:06:01 2015
Summary: Recommended update for sysstat
Severity: low
References: 935144,944951
Description:
This update for sysstat provides the following fixes:

- Fix missing ',' in JSON output before 'file-utc-time' parameter. (bsc#944951)
- Add libsensors4-devel to BuildRequires on x86_64, so that sensors support is included. (bsc#935144)


-----------------------------------------
Patch: SUSE-2015-759
Released: Thu Oct 22 09:44:27 2015
Summary: Security update for polkit
Severity: moderate
References: 912889,933922,935119,939246,943816,950114,CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Description:

polkit was updated to the 0.113 release, fixing security issues and bugs.

Security issues fixed:
* Fixes CVE-2015-4625, a local privilege escalation due to predictable
  authentication session cookie values. Thanks to Tavis Ormandy, Google Project
  Zero for reporting this issue. For the future, authentication agents are
  encouraged to use PolkitAgentSession instead of using the D-Bus agent response
  API directly. (bsc#935119)
* Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
  JavaScript interpreter, possibly leading to local privilege escalation.
  (bsc#943816)
* Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
  action IDs, possibly leading to local privilege escalation. Thanks to
  Laurent Bigonville for reporting this issue. (bsc#939246)
* Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
  Tavis Ormandy, Google Project Zero, for reporting this issue. (bsc#933922)

Other issues fixed:
* On systemd-213 and later, the 'active' state is shared across all sessions of
  an user, instead of being tracked separately.
* pkexec, when not given a program to execute, runs the users shell by
  default.
* Fixed shutdown problems on powerpc64le (bsc#950114)
* polkit had a memory leak (bsc#912889)


-----------------------------------------
Patch: SUSE-2015-776
Released: Fri Oct 30 08:06:58 2015
Summary: Recommended update for libyaml
Severity: low
References: 952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.

-----------------------------------------
Patch: SUSE-2015-799
Released: Tue Nov  3 19:11:32 2015
Summary: Recommended update for libxkbfile, libxkbcommon
Severity: low
References: 952403
Description:

This update adds xkeyboard-config as a runtime dependency of libxkbcommon and libxkbfile.
This is needed to ensure the keymap datasets will be available even on systems installed
with the Minimal pattern.


-----------------------------------------
Patch: SUSE-2015-813
Released: Wed Nov  4 19:38:37 2015
Summary: Recommended update for supportutils
Severity: low
References: 915888,931390,939079,941773,952024
Description:
This update for supportutils provides the following fixes and enhancements:

- Added OPTION_NIT for novell-nit.txt. (bsc#939079)
- Included control group listing in systemd.txt.
- Fixed find loop for autoupg.xml. (bsc#952024)
- Added nic,lan,vswitch. (bsc#915888)
- Fixed kernel taint flags. (bsc#941773)
- Fixed package reference. (bsc#931390)


-----------------------------------------
Patch: SUSE-2015-807
Released: Thu Nov  5 07:48:32 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 908275,952810,CVE-2015-4513,CVE-2015-7181,CVE-2015-7182,CVE-2015-7183,CVE-2015-7188,CVE-2015-7189,CVE-2015-7193,CVE-2015-7194,CVE-2015-7196,CVE-2015-7197,CVE-2015-7198,CVE-2015-7199,CVE-2015-7200
Description:

This Mozilla Firefox, NSS and NSPR update fixes the following security
and non security issues.

- mozilla-nspr was updated to version 4.10.10 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7183
    (bmo#1205157)
    NSPR memory corruption issues

- mozilla-nss was updated to 3.19.2.1 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182
    (bmo#1192028, bmo#1202868)
    NSS and NSPR memory corruption issues

- MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
  * MFSA 2015-116/CVE-2015-4513
    (bmo#1107011, bmo#1191942, bmo#1193038, bmo#1204580,
     bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
     bmo#1208665, bmo#1209471, bmo#1213979)
    Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
  * MFSA 2015-122/CVE-2015-7188
    (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass
    same-origin policy
  * MFSA 2015-123/CVE-2015-7189
    (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-127/CVE-2015-7193
    (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type
    headers are received
  * MFSA 2015-128/CVE-2015-7194
    (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-130/CVE-2015-7196
    (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1204061, bmo#1188010, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197
    (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1192028, bmo#1205157)
    NSS and NSPR memory corruption issues
- fix printing on landscape media (bsc#908275)


-----------------------------------------
Patch: SUSE-2015-836
Released: Thu Nov 12 14:28:01 2015
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 947833
Description:

OpenSSL was updated to fix a bug in TLS session renegotiation.

This renegotiation is for instance used with Apache2 client certificate handling,
which would fail if ECDHE key exchange is used, which is happening more often
after the last openssl update.


-----------------------------------------
Patch: SUSE-2015-854
Released: Wed Nov 18 10:40:35 2015
Summary: Security update for libpng12
Severity: moderate
References: 952051,954980,CVE-2015-7981,CVE-2015-8126
Description:
The libpng12 package was updated to fix the following security issues:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).
- CVE-2015-7981: Fixed an out-of-bound read (bsc#952051).


-----------------------------------------
Patch: SUSE-2015-855
Released: Wed Nov 18 10:41:00 2015
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:
The libpng16 package was updated to fix the following security issue:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).


-----------------------------------------
Patch: SUSE-2015-864
Released: Thu Nov 19 18:00:44 2015
Summary: Recommended update for sle2docker
Severity: moderate
References: 953184
Description:

This update provides sle2docker version 0.4.2, which brings the following fixes:

- Reduce the chances of timeout errors while activating Docker images on VMs with bad I/O.
- Fix wrong documentation inside of README.md.
- Fix formatting inside of man page.


-----------------------------------------
Patch: SUSE-2015-872
Released: Fri Nov 20 13:51:03 2015
Summary: Recommended update for docker
Severity: moderate
References: 950931
Description:

This update for docker enables building of s390x and PowerPC64 LE.
The package is not shipped on a product, but it's part of the soon released Containers-module for s390x and PowerPC64 LE


-----------------------------------------
Patch: SUSE-2015-943
Released: Thu Dec  3 18:59:08 2015
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 941939,955131,CVE-2015-0204,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-2625,CVE-2015-2808,CVE-2015-4734,CVE-2015-4803,CVE-2015-4805,CVE-2015-4806,CVE-2015-4810,CVE-2015-4835,CVE-2015-4840,CVE-2015-4842,CVE-2015-4843,CVE-2015-4844,CVE-2015-4860,CVE-2015-4871,CVE-2015-4872,CVE-2015-4882,CVE-2015-4883,CVE-2015-4893,CVE-2015-4902,CVE-2015-4903,CVE-2015-4911,CVE-2015-5006
Description:

This update for java-1_6_0-ibm fixes the following issues: 

- Version update to 6.0-16.15 bsc#955131:
  CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810
  CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844
  CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883
  CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006
  CVE-2015-2808 CVE-2015-2625 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469
  CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477
  CVE-2015-0204

- Add backcompat symlinks for sdkdir
- Fix baselibs.conf policy symlinking
- Fix bsc#941939 to provide %{name} instead of %{sdklnk} only in
  _jvmprivdir



-----------------------------------------
Patch: SUSE-2015-971
Released: Tue Dec 15 18:04:34 2015
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 958402
Description:

This update for cloud-regionsrv-client fixes the following issues: 

- Continue to register other products even if one fails. (bsc#958402)


-----------------------------------------
Patch: SUSE-2015-979
Released: Wed Dec 16 11:09:30 2015
Summary: Recommended update for ntp
Severity: important
References: 954982
Description:

This update for ntp fixes synchronization of local clocks. This issue was
introduced with the update to ntp 4.2.8p4 in SLE 12-SP1.


-----------------------------------------
Patch: SUSE-2015-863
Released: Thu Dec 17 16:02:51 2015
Summary: Recommended update for tar
Severity: moderate
References: 950785
Description:

The tar(1) archiving utility has been updated to fix one issue:

When the --acls option is used, explicitly set or delete default ACLs for extracted
directories. Prior to this update, arbitrary default ACLs based on standard file
permissions were being created.


-----------------------------------------
Patch: SUSE-2015-922
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non security issues:

- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).

- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). 


-----------------------------------------
Patch: SUSE-2015-1011
Released: Tue Dec 22 15:56:04 2015
Summary: Security update for compat-openssl098
Severity: moderate
References: 952099,957812,CVE-2015-3195
Description:

This update for compat-openssl098 fixes the following issues: 

Security issue fixed:;
- CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure
  OpenSSL would leak memory. This structure is used by the PKCS#7 and CMS
  routines so any application which reads PKCS#7 or CMS data from untrusted
  sources is affected. SSL/TLS is not affected. (bsc#957812)

Non security issue fixed:
- Prevent segfault in s_client with invalid options (bsc#952099)


-----------------------------------------
Patch: SUSE-2015-869
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:

- Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826).


-----------------------------------------
Patch: SUSE-2015-862
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:

- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.


-----------------------------------------
Patch: SUSE-2015-1016
Released: Thu Dec 24 23:32:45 2015
Summary: Security update for bind
Severity: important
References: 958861,CVE-2015-8000
Description:

This update for bind fixes the following security issue: 

- CVE-2015-8000: Fix remote denial of service by misparsing incoming responses
  (bsc#958861).


-----------------------------------------
Patch: SUSE-2015-1018
Released: Fri Dec 25 11:50:44 2015
Summary: Recommended update for ksh
Severity: moderate
References: 887320,924043,924318,926172,931908,933328,934437,939252,951430,953533,954856,955221
Description:

The Korn Shell (ksh) was downgraded from 93v to 93u, as version 93v is not
as stable as version 93u.  This is inline with the purpose of the Legacy
Module, which is to provide a compatibility layer for customers who need
more time to migrate from SUSE Linux Enterprise 11 to 12.

The updated package has its version set to 93vu to ensure the software update
stack (RPM, zypper) will see it as a regular update.  Users who want to stay
with version 93v can prevent the update with 'zypper addlock ksh'.


-----------------------------------------
Patch: SUSE-2015-846
Released: Fri Dec 25 11:51:23 2015
Summary: Security update for libsndfile
Severity: moderate
References: 953516,953519,953521,CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Description:
The libsndfile package was updated to fix the following security issue:

- CVE-2014-9756: Fixed a divide by zero problem that can lead to a Denial of Service (DoS) (bsc#953521).
- CVE-2015-7805: Fixed heap overflow issue (bsc#953516).
- CVE-2015-8075: Fixed heap overflow issue (bsc#953519).


-----------------------------------------
Patch: SUSE-2015-1021
Released: Mon Dec 28 16:44:12 2015
Summary: Recommended update for regionServiceClientConfigGCE
Severity: important
References: 959244
Description:

This update for regionServiceClientConfigGCE fixes the following issues:

- Point to the proper region servers.
- Enable use of plugin to send region hints to region server.
- New certificate for new region servers.


-----------------------------------------
Patch: SUSE-2015-1028
Released: Tue Dec 29 12:10:43 2015
Summary: Recommended update for numactl
Severity: moderate
References: 955334
Description:

This update for numactl provides fixes for the following issues:

- When numa_node_to_cpu() was called on machines with non-contiguous nodes, it
  returned the first node which wasn't present. Now the return code is checked
  and non-existing nodes are skipped until the right one is found. (bsc#955334)


-----------------------------------------
Patch: SUSE-2016-7
Released: Mon Jan  4 16:54:32 2016
Summary: Recommended update for docker
Severity: moderate
References: 954797
Description:

This update for docker fixes the following issue:

-  Allow removal of containers even when the entry point failed. (bsc#954797)


-----------------------------------------
Patch: SUSE-2016-16
Released: Tue Jan  5 15:13:34 2016
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue:

  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]


-----------------------------------------
Patch: SUSE-2016-37
Released: Thu Jan  7 13:40:33 2016
Summary: Security update for libpng12
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue
  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]
  

-----------------------------------------
Patch: SUSE-2016-46
Released: Fri Jan  8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Severity: moderate
References: 932232
Description:

This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system
operates in FIPS mode.

The various GNOME libraries and tool have been changed to use the default libgcrypt
allocators.

GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.


-----------------------------------------
Patch: SUSE-2016-61
Released: Tue Jan 12 15:44:14 2016
Summary: Recommended update for deltarpm
Severity: low
References: 948504
Description:
This update for deltarpm provides the following fixes:

- Fix off-by-one error in delta generation code which could lead to a segmentation
  fault in some rare circumstances. (bsc#948504)
- Return error rather than crashing if memory allocation fails.
- Add newline in missing prelink error.
- Do not finish applydeltarpm jobs when in the middle of a request.


-----------------------------------------
Patch: SUSE-2016-98
Released: Mon Jan 18 10:20:53 2016
Summary: Security update for mozilla-nss
Severity: moderate
References: 959888,CVE-2015-7575
Description:
This update contains mozilla-nss 3.19.2.2 and fixes the following security issue:

  - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (bsc#959888).


-----------------------------------------
Patch: SUSE-2016-104
Released: Mon Jan 18 18:38:06 2016
Summary: Security update for tiff
Severity: moderate
References: 942690,960341,CVE-2015-7554
Description:

This update to tiff 4.0.6 fixes the following issues:

- CVE-2015-7554: Out-of-bounds write in the thumbnail and tiffcmp tools allowed attacker to cause a denial of service or have unspecified further impact (bsc#960341)
- bsc#942690: potential out-of-bound write in NeXTDecode() (#2508)


-----------------------------------------
Patch: SUSE-2016-113
Released: Tue Jan 19 20:35:10 2016
Summary: Security update for rsync
Severity: moderate
References: 898513,900914,915410,922710,CVE-2014-8242,CVE-2014-9512
Description:

This update for rsync fixes two security issues and two non-security bugs.

The following vulnerabilities were fixed:

- CVE-2014-8242: Checksum collisions leading to a denial of service (bsc#900914)
- CVE-2014-9512: Malicious servers could send files outside of the transferred directory (bsc#915410)

The following non-security bugs were fixed:

- bsc#922710: Prevent rsyncd from spamming the log when trying to register SLP.
- bsc#898513: slp support broke rsync usage.


-----------------------------------------
Patch: SUSE-2016-114
Released: Tue Jan 19 21:07:38 2016
Summary: Security update for bind
Severity: important
References: 962189,CVE-2015-8704
Description:

This update for bind fixes the following issues:

- CVE-2015-8704: Specific APL data allowed remote attacker to trigger a crash in certain configurations (bsc#962189)


-----------------------------------------
Patch: SUSE-2016-139
Released: Mon Jan 25 09:47:36 2016
Summary: Security update for openldap2
Severity: important
References: 937766,945582,955210,CVE-2015-4000,CVE-2015-6908
Description:
This update fixes the following security issues:

- CVE-2015-6908: The ber_get_next function allowed remote attackers to cause a denial
  of service (reachable assertion and application crash) via crafted BER data, as
  demonstrated by an attack against slapd. (bsc#945582)
- CVE-2015-4000: Fix weak Diffie-Hellman size vulnerability. (bsc#937766)

It also fixes the following non-security bugs:

- bsc#955210: Unresponsive LDAP host lookups in IPv6 environment

This update adds the following functionality:

- fate#319300: SHA2 password hashing module that can be loaded on-demand. 


-----------------------------------------
Patch: SUSE-2016-155
Released: Mon Jan 25 18:10:54 2016
Summary: Recommended update for polkit
Severity: moderate
References: 954139
Description:

The previous version update of polkit to fix security and stability issues brought
a small regression in session activeness detection. This update reverts the small
part responsible for the regression.


-----------------------------------------
Patch: SUSE-2016-156
Released: Tue Jan 26 11:49:12 2016
Summary: Recommended update for Docker
Severity: moderate
References: 954737,954812,956434,958255,959405
Description:

Docker has been updated to version 1.9.1, bringing several fixes, enhancements
and new features.

Runtime:

- Do not prevent daemon from booting if images could not be restored.
- Force IPC mount to unmount on daemon shutdown/init.
- Turn IPC unmount errors into warnings.
- Fix 'docker stats' performance regression.
- Clarify cryptic error message upon 'docker logs' if '--log-driver=none'.
- Fix opq whiteouts problems for files with dot prefix.
- Do not make network calls when normalizing names.
- Output block IO metrics on 'docker stats'.
- Detail network stats per interface on 'docker stats'.
- Add 'ancestor=<image>' filter to 'docker ps --filter' flag to filter containers
  based on their ancestor images.
- Add 'label=<somelabel>' filter to 'docker ps --filter' to filter containers
  based on label.
- Add '--kernel-memory' flag to 'docker run'.
- Add '--message' flag to 'docker import' allowing to specify an optional message.
- Add '--privileged' flag to 'docker exec'.
- Add '--stop-signal' flag to 'docker run' to replace the container process stopping signal.
- Add a new 'unless-stopped' restart policy.
- Inspecting an image now returns tags.
- Add container size information to 'docker inspect'.
- Add 'RepoTags' and 'RepoDigests' field to '/images/{name:.*}/json'.
- Remove the deprecated '/container/ps' endpoint from the API.
- Send and document correct HTTP codes for '/exec/<name>/start'.
- Share shm and mqueue between containers sharing IPC namespace.
- Event stream now shows OOM status when '--oom-kill-disable' is set.
- Ensure special network files (e.g. /etc/hosts) are read-only if bind-mounted with 'ro' option.
- Improve 'rmi' performance.
- Do not update /etc/hosts for the default bridge network, except for links.
- Fix conflict with duplicate container names.
- Fix an issue with incorrect template execution in 'docker inspect'.
- Deprecate '-c' short flag variant for '--cpu-shares' in 'docker run'.
- Change systemd unit file to no longer use the deprecated '-d' option. (bsc#954737)
- Use file system cgroups by default.

Client:

- Fix bug with 'docker inspect' output when not connected to daemon.
- Fix 'docker inspect -f {{.HostConfig.Dns}} somecontainer'.
- Allow 'docker import' to import from local files.

Builder:

- Fix regression with symlink behavior in ADD/COPY.
- Add a 'STOPSIGNAL' Dockerfile instruction allowing to set a different stop-signal
  for the container process.
- Add an 'ARG' Dockerfile instruction and a '--build-arg' flag to 'docker build'
  that allows to add build-time environment variables.
- Improve cache miss performance.

Storage:

- Try defaulting to xfs instead of ext4 for performance reasons.
- Fix displayed file system in docker info.
- Implement deferred deletion capability in devicemapper.

Networking:

- Promote 'docker network' from experimental to part of the standard release.
- New network top-level concept, with associated subcommands and API.
  WARNING: the API is different from the experimental API.
- Support for multiple isolated/micro-segmented networks.
- Built-in multihost networking using VXLAN based overlay driver.
- Support for third-party network plugins.
- Ability to dynamically connect containers to multiple networks.
- Support for user-defined IP address management via pluggable IPAM drivers.
- Allow passing a network ID as an argument for '--net'.
- Fix connect to host and prevent disconnect from host for 'host' network.
- Fix '--fixed-cidr' issue when gateway ip falls in ip-range and ip-range is not the
  first block in the network.
- Restore deterministic 'IPv6' generation from 'MAC' address on default 'bridge' network.
- Allow port-mapping only for endpoints created on docker run.
- Fixed an endpoint delete issue with a possible stale sbox.
- Add daemon flags '--cluster-store' and '--cluster-advertise' for built-in nodes discovery.
- Add '--cluster-store-opt' for setting up TLS settings.
- Add '--dns-opt' to the daemon.
- Deprecate the following container 'NetworkSettings' fields in API v1.21:
    'EndpointID', 'Gateway', 'GlobalIPv6Address', 'GlobalIPv6PrefixLen', 'IPAddress',
    'IPPrefixLen', 'IPv6Gateway' and 'MacAddress'.
  Those are now specific to the 'bridge' network. Use 'NetworkSettings.Networks' to
  inspect the networking settings of a container per network.

Distribution:

- Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent.
- Make 'docker search' work with partial names.
- Push optimization by avoiding buffering to file.
- The daemon will display progress for images that were already being pulled by another client.
- Only permissions required for the current action being performed are requested.
- Renaming trust keys (and respective environment variables) from 'offline' to 'root'
  and 'tagging' to 'repository'.
- Deprecate trust key environment variables 'DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE' and
  'DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE'.

Volumes:

- New top-level 'volume' sub-command and API.
- Move API volume driver settings to host-specific config.
- Print an error message if volume name is not unique.
- Ensure volumes created from Dockerfiles always use the local volume driver.
- Deprecate auto-creating missing host paths for bind mounts.

Logging:

- Add 'awslogs' logging driver for Amazon CloudWatch.
- Add generic 'tag' log option to allow customizing container/image information
  passed to driver (e.g. show container names).
- Implement the 'docker logs' endpoint for the journald driver.
- Deprecate driver-specific log tags (e.g. 'syslog-tag', etc.).

Security:

- Only relabel if user requested so with the 'z' option. (SELinux)
- Add SELinux profiles to the rpm package.
- Add AppArmor policy that prevents writing to /proc.
- Fix creation of AppArmor profiles. (bsc#958255)
- Add rules for auditd. (bsc#959405)


-----------------------------------------
Patch: SUSE-2016-157
Released: Tue Jan 26 13:19:19 2016
Summary: Recommended update for ruby-common
Severity: moderate
References: 934328,953771
Description:
This update for ruby-common provides several fixes and enhancements:

- Help the solver to pick the right gem2rpm for the default Ruby version. (bsc#934328)
- Fix premature return from from gem install.
- Fail early if gem install fails, avoiding confusing error messages at the end of the build.
- Implement cleaner solution for the extensions doc dir.
- Do not overwrite options.otheropts.
- Fixed forwarding of options to gem install.
- Call ruby with -x from shell wrappers otherwise it might run into an endless loop.
- Add shell-launcher to avoid dependency on a fixed Ruby version.
- Ignore any files found in */.gem/*. In some versions of rubygems, gems that are installed
  are also copied to ~/.gem/.


-----------------------------------------
Patch: SUSE-2016-199
Released: Thu Feb  4 15:48:09 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss
Severity: important
References: 954447,963520,963632,963635,963731,964332,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Description:

This update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss fixes the following issues: (bsc#963520)

Mozilla Firefox was updated to 38.6.0 ESR.
Mozilla NSS was updated to 3.20.2.

The following vulnerabilities were fixed:

- CVE-2016-1930: Memory safety bugs fixed in Firefox ESR 38.6 (bsc#963632)
- CVE-2016-1935: Buffer overflow in WebGL after out of memory allocation (bsc#963635)
- CVE-2016-1938: Calculations with mp_div and mp_exptmod in Network Security Services (NSS) canproduce wrong results (bsc#963731)

The following improvements were added:

- bsc#954447: Mozilla NSS now supports a number of new DHE ciphersuites
- Tracking protection is now enabled by default
- bsc#964332: Fixed leaking file descriptors inside FIPS selfcheck code


-----------------------------------------
Patch: SUSE-2016-201
Released: Thu Feb  4 15:51:22 2016
Summary: Security update for curl
Severity: moderate
References: 934333,936676,962983,962996,CVE-2016-0755
Description:

This update for curl fixes the following issues:

- CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:

- bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:

- bsc#962996: Expired cookie in test 46 caused test failures
- bsc#934333: Curl test suite was not run, is now enabled during build


-----------------------------------------
Patch: SUSE-2016-207
Released: Thu Feb  4 18:05:06 2016
Summary: Optional update for libXaw7, libXaw3d8
Severity: low
References: 963687
Description:

This update provides 32bit builds of libXaw7 and libXaw3d8 for SUSE Linux Enterprise
Server 12 and 12-SP1.


-----------------------------------------
Patch: SUSE-2016-244
Released: Thu Feb 11 11:52:06 2016
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 960286,960402,963937,CVE-2015-5041,CVE-2015-7575,CVE-2015-7981,CVE-2015-8126,CVE-2015-8472,CVE-2015-8540,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Description:

This update for java-1_6_0-ibm fixes the following issues by updating to 6.0-16.20 (bsc#963937)

- CVE-2015-5041: Could could have invoked non-public interface methods under certain circumstances
- CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials
- CVE-2015-7981: libpng could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the png_convert_to_rfc1123 function. An attacker could exploit this vulnerability to obtain sensitive information
- CVE-2015-8126: buffer overflow in libpng caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions
- CVE-2015-8472: buffer overflow in libpng caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions
- CVE-2015-8540: libpng is vulnerable to a buffer overflow, caused by a read underflow in png_check_keyword in pngwutil.c. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVE-2016-0402: An unspecified vulnerability related to the Networking component has no confidentiality impact, partial integrity impact, and no availability impact
- CVE-2016-0448: An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information
- CVE-2016-0466: An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service
- CVE-2016-0483: An unspecified vulnerability related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact
- CVE-2016-0494: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact

The following bugs were fixed:

- bsc#960402: resolve package conflicts in devel package
- bsc#960286: resolve package conflicts in the fonts subpackage


-----------------------------------------
Patch: SUSE-2016-252
Released: Fri Feb 12 14:58:06 2016
Summary: Recommended update for timezone
Severity: low
References: 963921
Description:

This update provides the latest timezone information (2016a) for your
system, including the following changes:

- America/Cayman will not observe daylight saving this year.
- Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
- Asia/Tehran now has DST predictions for the year 2038 and later.
- America/Metlakatla switched from PST all year to AKST/AKDT on
  2015-11-01 at 02:00.
- America/Santa_Isabel has been removed, and replaced with a
  backward compatibility link to America/Tijuana.
- Asia/Karachi's two transition times in 2002 were off by a minute.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-January/023106.html


-----------------------------------------
Patch: SUSE-2016-256
Released: Fri Feb 12 18:09:32 2016
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 959206,964334
Description:

This update for cloud-regionsrv-client fixes the following issues:

- Handle proxy configuration properly. (bsc#964334)
- Make generic-config provide regionsrv-certs to allow it to be installed without
  conflicts. (bsc#959206)


-----------------------------------------
Patch: SUSE-2016-259
Released: Mon Feb 15 14:25:02 2016
Summary: Security update for libnettle
Severity: moderate
References: 964845,964847,964849,CVE-2015-8803,CVE-2015-8804,CVE-2015-8805
Description:
This update for libnettle fixes the following security issues: 

- CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845)
- CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847)
- CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849)


-----------------------------------------
Patch: SUSE-2016-291
Released: Fri Feb 19 19:31:54 2016
Summary: Recommended update for openslp
Severity: low
References: 950777
Description:

This update for OpenSLP adjusts slpd's initialization to use SystemD's forking
mechanism, avoiding stale PID files after the daemon is stopped.


-----------------------------------------
Patch: SUSE-2016-294
Released: Mon Feb 22 14:36:09 2016
Summary: Security update for dhcp
Severity: moderate
References: 880984,936923,956159,960506,961305,CVE-2015-8605
Description:

This update for dhcp fixes the following issues:

- CVE-2015-8605: A remote attacker could have used badly formed packets with an invalid IPv4 UDP length field to cause a DHCP server, client, or relay program to terminate abnormally (bsc#961305)

The following bugs were fixed:

- bsc#936923: Improper lease duration checking
- bsc#880984: Integer overflows in the date and time handling code
- bsc#956159: fixed service files to start dhcpd after slapd
- bsc#960506: Improve exit reason and logging when /sbin/dhclient-script is unable to pre-init requested interface


-----------------------------------------
Patch: SUSE-2016-302
Released: Tue Feb 23 13:56:57 2016
Summary: Recommended update for google-cloud-sdk
Severity: moderate
References: 954690
Description:

The Google Cloud SDK has been updated to version 0.9.87, bringing several fixes,
enhancements and new features. A comprehensive list of changes is available in
the package's change log.

The Python Client for Google APIs has been updated to version 1.4.2. This update
removes the embedded oauth2client, which is now delivered as a separate package
'python-oauth2client'.

Some runtime dependencies required by these updates have been added to the Public
Cloud Module 12:

  python-antlr3_runtime, python-enum34, python-keyring, python-oauth2,
  python-oauth2client, python-oauth2client-gce, python-portpicker.


-----------------------------------------
Patch: SUSE-2016-324
Released: Thu Feb 25 15:52:58 2016
Summary: Initial release of supportutils-plugin-suse-public-cloud
Severity: low
References: 963690
Description:

This patch adds supportutils-plugin-suse-public-cloud to the Public Cloud 12 Module.

This plug-in extends supportconfig functionality to collect information specific
to systems running on Public Cloud environments.


-----------------------------------------
Patch: SUSE-2016-332
Released: Fri Feb 26 13:07:12 2016
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 968128
Description:

This update for cloud-regionsrv-client provides the following fixes:

- Do not attempt to generate the product list using remote repositories. (bsc#968128)


-----------------------------------------
Patch: SUSE-2016-367
Released: Thu Mar  3 12:02:37 2016
Summary: Security update for openssl
Severity: important
References: 952871,963415,968046,968048,968051,968053,968374,CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Description:

This update for compat-openssl098 fixes various security issues and bugs: 

Security issues fixed:
- CVE-2016-0800 aka the 'DROWN' attack (bsc#968046):
  OpenSSL was vulnerable to a cross-protocol attack that could lead to
  decryption of TLS sessions by using a server supporting SSLv2 and
  EXPORT cipher suites as a Bleichenbacher RSA padding oracle.

  This update changes the openssl library to:

  * Disable SSLv2 protocol support by default.

    This can be overridden by setting the environment variable
    'OPENSSL_ALLOW_SSL2' or by using SSL_CTX_clear_options using the
    SSL_OP_NO_SSLv2 flag.

    Note that various services and clients had already disabled SSL
    protocol 2 by default previously.

  * Disable all weak EXPORT ciphers by default. These can be reenabled
    if required by old legacy software using the environment variable
    'OPENSSL_ALLOW_EXPORT'.

- CVE-2016-0797 (bnc#968048):
  The BN_hex2bn() and BN_dec2bn() functions had a bug that could result
  in an attempt to de-reference a NULL pointer leading to crashes.
  This could have security consequences if these functions were ever
  called by user applications with large untrusted hex/decimal data. Also,
  internal usage of these functions in OpenSSL uses data from config files
  or application command line arguments. If user developed applications
  generated config file data based on untrusted data, then this could
  have had security consequences as well.

- CVE-2016-0799 (bnc#968374)
  On many 64 bit systems, the internal fmtstr() and doapr_outch()
  functions could miscalculate the length of a string and attempt to
  access out-of-bounds memory locations. These problems could have
  enabled attacks where large amounts of untrusted data is passed to
  the BIO_*printf functions. If applications use these functions in
  this way then they could have been vulnerable. OpenSSL itself uses
  these functions when printing out human-readable dumps of ASN.1
  data. Therefore applications that print this data could have been
  vulnerable if the data is from untrusted sources. OpenSSL command line
  applications could also have been vulnerable when they print out ASN.1
  data, or if untrusted data is passed as command line arguments. Libssl
  is not considered directly vulnerable.

- CVE-2015-3197 (bsc#963415):
  The SSLv2 protocol did not block disabled ciphers.

Note that the March 1st 2016 release also references following CVEs
that were fixed by us with CVE-2015-0293 in 2015:

- CVE-2016-0703 (bsc#968051): This issue only affected versions of
  OpenSSL prior to March 19th 2015 at which time the code was refactored
  to address vulnerability CVE-2015-0293. It would have made the above
  'DROWN' attack much easier.
- CVE-2016-0704 (bsc#968053): 'Bleichenbacher oracle in SSLv2'
  This issue only affected versions of OpenSSL prior to March 19th
  2015 at which time the code was refactored to address vulnerability
  CVE-2015-0293. It would have made the above 'DROWN' attack much easier.

Also fixes the following bug:
- Avoid running OPENSSL_config twice. This avoids breaking
  engine loading and also fixes a memory leak in libssl. (bsc#952871)


-----------------------------------------
Patch: SUSE-2016-371
Released: Thu Mar  3 15:58:18 2016
Summary: Recommended update for insserv-compat
Severity: low
References: 960820
Description:

This update for insserv-compat fixes the name of the ntpd service.


-----------------------------------------
Patch: SUSE-2016-382
Released: Mon Mar  7 14:43:46 2016
Summary: Recommended update for SDL
Severity: low
References: 953861
Description:

This update for SDL disables usage of backing storage by default due to tearing
effects. Users who would like to enable it can set the SDL_VIDEO_X11_BACKINGSTORE
environment variable.


-----------------------------------------
Patch: SUSE-2016-413
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:

This update for libssh2_org fixes the following issues: 

Security issue fixed:
- CVE-2016-0787 (bsc#967026):
  Weakness in diffie-hellman secret key generation lead to much shorter DH groups
  then needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)


-----------------------------------------
Patch: SUSE-2016-419
Released: Fri Mar 11 16:25:09 2016
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 969894,CVE-2016-1950,CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1957,CVE-2016-1958,CVE-2016-1960,CVE-2016-1961,CVE-2016-1962,CVE-2016-1964,CVE-2016-1965,CVE-2016-1966,CVE-2016-1974,CVE-2016-1977,CVE-2016-1978,CVE-2016-1979,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802
Description:

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues:

Mozilla Firefox was updated to 38.7.0 ESR (bsc#969894), fixing
following security issues:
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
  Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
* MFSA 2016-17/CVE-2016-1954
  Local file overwriting and potential privilege escalation
  through CSP reports
* MFSA 2016-20/CVE-2016-1957
  Memory leak in libstagefright when deleting an array during
  MP4 processing
* MFSA 2016-21/CVE-2016-1958
  Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960
  Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961
  Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962
  Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964
  Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965
  Addressbar spoofing though history navigation and Location
  protocol property
* MFSA 2016-31/CVE-2016-1966
  Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974
  Out-of-bounds read in HTML parser following a failed
  allocation
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
  CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
  CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
  CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
  Font vulnerabilities in the Graphite 2 library

Mozilla NSPR was updated to version 4.12 (bsc#969894), fixing following bugs:
* added a PR_GetEnvSecure function, which attempts to detect if
  the program is being executed with elevated privileges, and
  returns NULL if detected. It is recommended to use this function
  in general purpose library code.
* fixed a memory allocation bug related to the PR_*printf functions
* exported API PR_DuplicateEnvironment, which had already been
  added in NSPR 4.10.9
* added support for FreeBSD aarch64
* several minor correctness and compatibility fixes

Mozilla NSS was updated to fix security issues (bsc#969894):
* MFSA 2016-15/CVE-2016-1978
  Use-after-free in NSS during SSL connections in low memory
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-36/CVE-2016-1979
  Use-after-free during processing of DER encoded keys in NSS


-----------------------------------------
Patch: SUSE-2016-444
Released: Mon Mar 14 15:32:47 2016
Summary: Security update for bind
Severity: important
References: 970072,970073,CVE-2016-1285,CVE-2016-1286
Description:

This update for bind fixes the following issues:

Fix two assertion failures that can lead to a remote denial of service attack:
* CVE-2016-1285: An error when parsing signature records for DNAME can lead to named exiting due to an assertion failure. (bsc#970072)
* CVE-2016-1286: An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. (bsc#970073)


-----------------------------------------
Patch: SUSE-2016-456
Released: Tue Mar 15 18:01:12 2016
Summary: Security update for graphite2
Severity: important
References: 965803,965807,965810,CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Description:

This update for graphite2 fixes the following issues:

- CVE-2016-1521: The directrun function in directmachine.cpp in
  Libgraphite did not validate a certain skip operation, which allowed
  remote attackers to execute arbitrary code, obtain sensitive information,
  or cause a denial of service (out-of-bounds read and application crash)
  via a crafted Graphite smart font.

- CVE-2016-1523: The SillMap::readFace function in FeatureMap.cpp in
  Libgraphite mishandled a return value, which allowed remote attackers
  to cause a denial of service (missing initialization, NULL pointer
  dereference, and application crash) via a crafted Graphite smart font.

- CVE-2016-1526: The TtfUtil:LocaLookup function in TtfUtil.cpp in
  Libgraphite incorrectly validated a size value, which allowed remote
  attackers to obtain sensitive information or cause a denial of service
  (out-of-bounds read and application crash) via a crafted Graphite
  smart font.


-----------------------------------------
Patch: SUSE-2016-462
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Severity: low
References: 967838
Description:

This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND)
which are available in Linux Kernel 3.12.


-----------------------------------------
Patch: SUSE-2016-479
Released: Fri Mar 18 15:35:18 2016
Summary: Recommended update for supportutils
Severity: low
References: 951218,958403,959252,961318,965682
Description:

This update for supportutils provides the following fixes:

- Capture the correct pacemaker logs. (bsc#958403)
- Fix name space errors. (bsc#961318)
- Change rpm to check with NCP server. (bsc#965682)
- Collect more data about Docker containers in docker.txt.
- Added OPTION_HAPROXY for haproxy.txt. (bsc#959252)
- Fixed mount option. (bsc#951218)


-----------------------------------------
Patch: SUSE-2016-490
Released: Mon Mar 21 16:45:13 2016
Summary: Recommended update for timezone
Severity: low
References: 971377
Description:

This update provides the latest timezone information (2016b) for your system, including
the following changes:

- New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts,
  Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time.
- New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch
  from +06 to +07 on the same date and local time.
- Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00.
- As a trial of a new system that needs less information to be made up, the new zones
  use numeric time zone abbreviations like '+04' instead of invented abbreviations
  like 'ASTT'.
- Haiti will not observe DST in 2016.
- Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
- tzselect's diagnostics and checking, and checktab.awk's checking, have been improved.
- tzselect now tests Julian-date TZ settings more accurately.


-----------------------------------------
Patch: SUSE-2016-510
Released: Thu Mar 24 15:40:28 2016
Summary: Recommended update for timezone
Severity: low
References: 972433
Description:

This update provides the latest timezone information (2016c) for your
system, including the following changes:

- Azerbaijan no longer observes DST (Asia/Baku)
- Chile reverts from permanent to seasonal DST

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html


-----------------------------------------
Patch: SUSE-2016-526
Released: Wed Mar 30 17:07:30 2016
Summary: Recommended update for sysstat
Severity: moderate
References: 970770
Description:

This update for sysstat fixes the following issues:

- Don't send signal to pid 1 in signal handler (bsc#970770)


-----------------------------------------
Patch: SUSE-2016-543
Released: Fri Apr  1 18:44:16 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 970882
Description:

This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)


-----------------------------------------
Patch: SUSE-2016-565
Released: Wed Apr  6 16:26:42 2016
Summary: Security update for gcc5
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:

The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes
and enhancements.

The following security issue has been fixed:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:

- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal
  compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of
  Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual
  methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.


-----------------------------------------
Patch: SUSE-2016-575
Released: Thu Apr  7 15:45:32 2016
Summary: Recommended update for at
Severity: low
References: 945124
Description:

This update for 'at' provides the following fixes:

- Don't loop on corrupted files and prevent their creation. (bsc#945124)


-----------------------------------------
Patch: SUSE-2016-587
Released: Fri Apr  8 17:06:56 2016
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 973042
Description:

The root SSL certificate store ca-certificates-mozilla was updated
to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书

- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2

- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3

- Enable server trust for:
  * Actalis Authentication Root CA


-----------------------------------------
Patch: SUSE-2016-636
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
  

-----------------------------------------
Patch: SUSE-2016-643
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Severity: low
References: 970260
Description:

This update for bzip2 fixes the following issues:

- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple
  archives, even when the pattern is not found.


-----------------------------------------
Patch: SUSE-2016-660
Released: Fri Apr 22 13:09:31 2016
Summary: Recommended update for docker, docker-image-migrator
Severity: moderate
References: 963142,964468,965600,965918,968933,968937,968972,970637
Description:

This update provides Docker 1.10.3, bringing several fixes and enhancements:

- Add usernamespace support.
- Add support for custom seccomp profiles.
- Improvements in network and volume management.
- Let docker manage the cgroups of the processes that it launches without systemd. (bsc#968972)
- Recommend docker-image-migrator. (bsc#968933)
- Register /run/secrets as a mountpoint, so that it is unmounted properly when the container
  is removed and thus container removal works. (bsc#963142)
- Add no-downtime migration package 'docker-image-migrator'. (bsc#968937, fate#320637)

Runtime:

- Fix Docker client exiting with an 'Unrecognized input header' error.
- Fix Docker exiting if Exec is started with both AttachStdin and Detach.
- Prevent systemd from deleting containers' cgroups when its configuration is reloaded.
- Fix SELinux issues by disregarding --read-only when mounting /dev/mqueue.
- Fix chown permissions used during docker cp when userns is used.
- Fix configuration loading issue with all booleans defaulting to true.
- Fix occasional panic with docker logs -f.

Distribution:

- Fix a crash when pushing multiple images sharing the same layers to the same repository in parallel.
- Fix a panic when pushing images to a registry which uses a misconfigured token service.
- Keep layer reference if deletion failed to avoid a badly inconsistent state.
- Handle gracefully a corner case when canceling migration.
- Fix docker import on compressed data.
- Fix tar-split files corruption during migration that later cause docker push and docker save to fail.

Networking:

- Fix daemon crash if embedded DNS is sent garbage.

Plugin system:

- Fix issue preventing volume plugins to start when SELinux is enabled.
- Prevent Docker from exiting if a volume plugin returns a null response for Get requests.
- Fix plugin system leaking file descriptors if a plugin has an error.

Volumes:

- Fix issue with multiple volume references with same name.

Security:

- Fix linux32 emulation to fail during docker build.
- Fix Oracle XE 10g failing to start in a container.
- Fix issue preventing daemon to start if userns is enabled and the subuid or subgid files contain comments.
- Fix potential cache corruption and delegation conflict issues.

For a comprehensive list of changes, please refer to the following Release Notes:

- https://github.com/docker/docker/releases/tag/v1.10.3
- https://github.com/docker/docker/releases/tag/v1.10.2
- https://github.com/docker/docker/releases/tag/v1.10.1
- https://github.com/docker/docker/releases/tag/v1.10.0


-----------------------------------------
Patch: SUSE-2016-661
Released: Fri Apr 22 15:18:03 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 973803
Description:

This update for supportutils fixes the following issue:

- Removed 11 digit SR limit (bsc#973803)


-----------------------------------------
Patch: SUSE-2016-663
Released: Fri Apr 22 15:33:50 2016
Summary: Recommended update for timezone
Severity: low
References: 975875
Description:

This update provides the latest timezone information (2016d) for your
system, including the following changes:

- Venezuela (America/Caracas) switches from -0430 to -04 on 2016-05-01 at 02:30.
- Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
- New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast,
  Russia, which switches from +06 to +07 on 2016-05-29 at 02:00.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-April/023563.html


-----------------------------------------
Patch: SUSE-2016-682
Released: Tue Apr 26 14:32:49 2016
Summary: Security update for docker
Severity: moderate
References: 976777,CVE-2016-3697
Description:
docker was updated to fix one security issue.

This security issue was fixed:
- CVE-2016-3697: Potential privilege escalation via confusion of usernames and UIDs (bsc#976777).
  

-----------------------------------------
Patch: SUSE-2016-689
Released: Wed Apr 27 20:08:42 2016
Summary: Recommended update for ruby2.1
Severity: low
References: 973073
Description:

This update for ruby2.1 brings performance improvements of Ruby on the IBM POWER platform.


-----------------------------------------
Patch: SUSE-2016-694
Released: Thu Apr 28 15:45:16 2016
Summary: Security update for ntp
Severity: important
References: 782060,916617,937837,951559,951629,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981,CVE-2015-5300,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Description:
ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837)

These security issues were fixed:
- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).
- CVE-2015-7975: nextvar() missing length check (bsc#962988).
- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).
- CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
- CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).

These non-security issues were fixed:
- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
  (--enable-ntp-signd).  This replaces the w32 patches in 4.2.4 that added
  the authreg directive.
- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd.
  When run as cron job, /usr/sbin/ is not in the path, which caused
  the synchronization to fail.
- bsc#782060: Speedup ntpq.
- bsc#916617: Add /var/db/ntp-kod.
- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.
- bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
- Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.


-----------------------------------------
Patch: SUSE-2016-697
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Severity: important
References: 974691
Description:

This update for libssh2_org fixes a regression introduced by a previous update
which could result in a segmentation fault in EVP_DigestInit_Ex().


-----------------------------------------
Patch: SUSE-2016-721
Released: Thu May  5 16:34:11 2016
Summary: Recommended update for sle-module-toolchain-release
Severity: low
References: 961219
Description:

This update for sle-module-toolchain-release drops patterns-toolchain-gcc5 from
the product definition metadata. As a result, installing the Toolchain Module 12
won't, by default, trigger the installation of GCC5.


-----------------------------------------
Patch: SUSE-2016-729
Released: Fri May  6 15:53:38 2016
Summary: Recommended update for pciutils-ids
Severity: low
References: 958712
Description:

The system's PCI IDs database has been updated to version 2016.04.04.


-----------------------------------------
Patch: SUSE-2016-735
Released: Mon May  9 08:50:13 2016
Summary: Security update for compat-openssl098
Severity: important
References: 889013,968050,976942,976943,977614,977615,977617,CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
- CVE-2016-0702: Side channel attack on modular exponentiation 'CacheBleed' (bsc#968050)
- bsc#976943: Buffer overrun in ASN1_parse

The following non-security bugs were fixed:

- bsc#889013: Rename README.SuSE to the new spelling (bsc#889013)


-----------------------------------------
Patch: SUSE-2016-764
Released: Thu May 12 16:58:18 2016
Summary: Security update for ntp
Severity: important
References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464,CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
Description:

This update for ntp to 4.2.8p7 fixes the following issues:

* CVE-2016-1547, bsc#977459:
  Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
* CVE-2016-1548, bsc#977461: Interleave-pivot
* CVE-2016-1549, bsc#977451:
  Sybil vulnerability: ephemeral association attack.
* CVE-2016-1550, bsc#977464: Improve NTP security against buffer
  comparison timing attacks.
* CVE-2016-1551, bsc#977450:
  Refclock impersonation vulnerability
* CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig
  directives will cause an assertion botch in ntpd.
* CVE-2016-2517, bsc#977455: remote configuration trustedkey/
  requestkey/controlkey values are not properly validated.
* CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7
  causes array wraparound with MATCH_ASSOC.
* CVE-2016-2519, bsc#977458: ctl_getitem() return value not
  always checked.
* This update also improves the fixes for:
  CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

Bugs fixed:
- Restrict the parser in the startup script to the first
  occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226).


-----------------------------------------
Patch: SUSE-2016-771
Released: Fri May 13 17:09:15 2016
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 977646,977648,977650,979252,CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Description:

This IBM Java 1.6.0 SR16 FP25 release fixes the following issues: 

Security issues fixed:
- CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
- CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
- CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
- The following CVEs got also fixed during this update. (bsc#979252)
  CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426


-----------------------------------------
Patch: SUSE-2016-781
Released: Wed May 18 14:01:57 2016
Summary: Optional update for flac
Severity: low
References: 975377
Description:
This update adds libFLAC++6 to SUSE Linux Enterprise Desktop 12 SP1.

-----------------------------------------
Patch: SUSE-2016-801
Released: Thu May 19 22:38:01 2016
Summary: Recommended update for curl
Severity: moderate
References: 915846
Description:

This update for curl fixes the following issue:

- Fix 'Network is unreachable' error when ipv6 is not available but ipv4.
  This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)



-----------------------------------------
Patch: SUSE-2016-806
Released: Fri May 20 15:46:35 2016
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 975209,975815
Description:

This update for cloud-regionsrv-client provides version 6.4.6 and fixes the following issue:

- Try another SMT server if registration fails (bsc#975209,bsc#975815)


-----------------------------------------
Patch: SUSE-2016-812
Released: Mon May 23 14:36:18 2016
Summary: Recommended update for tcpdump
Severity: low
References: 944294
Description:

This update for tcpdump removes a duplicated binary (/usr/sbin/tcpdump.4.5.1) from the package.


-----------------------------------------
Patch: SUSE-2016-835
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 979629
Description:

This update for libgcrypt fixes the following issue:

- Fix failing reboot after installing fips pattern (bsc#979629) 


-----------------------------------------
Patch: SUSE-2016-865
Released: Tue May 31 18:39:35 2016
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 977646,977648,977650,979252,981087,CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Description:

This update for java-1_6_0-ibm fixes the following issues: 

- Update to sr16 fp26 to fix a regression in TLS connections. (bsc#981087)
- IBM Java 1.6.0 SR16 FP25 released
  (bsc#977646 bsc#977648 bsc#977650 bsc#979252)
  CVE-2016-0376 CVE-2016-0264 CVE-2016-0363 CVE-2016-3443 CVE-2016-0687
  CVE-2016-0686 CVE-2016-3427 CVE-2016-3449 CVE-2016-3422 CVE-2016-3426

-----------------------------------------
Patch: SUSE-2016-880
Released: Thu Jun  2 19:57:59 2016
Summary: Recommended update for supportutils
Severity: low
References: 976358
Description:

This update for supportutils provides the following fixes:

- Added new SLE12 SP2 kernel taint flags. (bsc#976358)
- Fixed NFS service detection.


-----------------------------------------
Patch: SUSE-2016-888
Released: Fri Jun  3 17:16:43 2016
Summary: Recommended update for the SUSE Linux Enterprise Containers module
Severity: moderate
References: 939702,980707
Description:

This update adjusts the product definitions of the Containers module on ppc64le,
allowing it's installation on top of the upcoming Service Packs for SLE 12.


-----------------------------------------
Patch: SUSE-2016-897
Released: Tue Jun  7 09:46:29 2016
Summary: Security update for supportutils
Severity: moderate
References: 980670,CVE-2016-1602
Description:
supportutils was updated to fix one security issue.

This security issue was fixed:
- CVE-2016-1602: Code injection and privilege escalation via unescaped filenames (bsc#980670).
  

-----------------------------------------
Patch: SUSE-2016-898
Released: Tue Jun  7 09:48:12 2016
Summary: Security update for expat
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:

This update for expat fixes the following issues: 

Security issue fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)


-----------------------------------------
Patch: SUSE-2016-900
Released: Tue Jun  7 10:58:37 2016
Summary: Security update for libksba
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:

This update for libksba fixes the following issues:

- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.



-----------------------------------------
Patch: SUSE-2016-930
Released: Mon Jun 13 14:31:22 2016
Summary: Security update for ntp
Severity: important
References: 979302,979981,981422,982056,982064,982065,982066,982067,982068,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Description:
ntp was updated to version 4.2.8p8 to fix five security issues.

These security issues were fixed:
- CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065).
- CVE-2016-4954: Processing spoofed server packets (bsc#982066).
- CVE-2016-4955: Autokey association reset (bsc#982067).
- CVE-2016-4956: Broadcast interleave (bsc#982068).
- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

These non-security issues were fixed:
- Keep the parent process alive until the daemon has finished initialisation, to make sure that the PID file exists when the parent returns.
- bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.
- bsc#981422: Don't ignore SIGCHILD because it breaks wait().
- bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service.
- Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by 'rcntp addserver'.


-----------------------------------------
Patch: SUSE-2016-940
Released: Wed Jun 15 11:45:37 2016
Summary: Security update for libarchive
Severity: moderate
References: 979005,CVE-2016-1541
Description:

This update for libarchive fixes the following issue: 

- Fix a heap-based buffer overflow (CVE-2016-1541, bsc#979005)



-----------------------------------------
Patch: SUSE-2016-941
Released: Wed Jun 15 14:26:35 2016
Summary: Recommended update for gcc48
Severity: moderate
References: 955382,970009,976627,977654
Description:

This update for gcc48 fixes the following issues:

- Fix internal compiler error specific to the ppc64le architecture. (bsc#976627)
- Fix issue with using gcov and #pragma pack. (bsc#977654)
- Fix internal compiler error when building samba on aarch64. (bsc#970009)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Build without GRAPHITE where cloog-isl is not available.


-----------------------------------------
Patch: SUSE-2016-946
Released: Thu Jun 16 14:36:26 2016
Summary: Recommended update for man-pages
Severity: low
References: 967488
Description:

This update for man-pages fixes the following issues:

- Document in open(2) that O_TMPFILE support was added to btrfs only in kernel 3.16
  and hence is not yet available on SUSE Linux Enterprise 12-SP1. (bsc#967488)


-----------------------------------------
Patch: SUSE-2016-951
Released: Fri Jun 17 11:09:13 2016
Summary: Recommended update for docker
Severity: moderate
References: 964673,977394
Description:

This update for docker fixes the following issues:

- Fix database soft corruption issues if the Docker daemon terminates in a bad state. (bsc#964673)
- Fix go version to 1.5 (bsc#977394)


-----------------------------------------
Patch: SUSE-2016-967
Released: Mon Jun 20 12:05:16 2016
Summary: Recommended update for timezone
Severity: low
References: 982833
Description:

This update provides the latest timezone information (2016e) for your
system, including the following changes:

- Africa/Cairo observes DST in 2016 from July 7 to the end of October.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html


-----------------------------------------
Patch: SUSE-2016-987
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Severity: low
References: 981616
Description:

This update for procps fixes the following issues:

- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)


-----------------------------------------
Patch: SUSE-2016-996
Released: Fri Jun 24 14:38:06 2016
Summary: Recommended update for bind
Severity: moderate
References: 908850,977657,983505
Description:

The BIND DNS server was updated to version 9.9.9-P1, which brings fixes and
enhancements.

One new feature has been implemented:

- Add quotas to be used in recursive resolvers that are under high query load
  for names in zones whose authoritative servers are non-responsive or are
  experiencing a denial of service attack. (fate#320694)

The following fixes are also included in the update:

- Make /var/lib/named owned by the named user. (bsc#908850)
- Add systemd service macros. (bsc#977657)


-----------------------------------------
Patch: SUSE-2016-1003
Released: Mon Jun 27 17:01:45 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss
Severity: important
References: 982366,983549,983638,983639,983643,983646,983651,983652,983653,983655,984006,984126,985659,CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2828,CVE-2016-2831,CVE-2016-2834
Description:
MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss and mozilla-nspr were updated to fix nine security issues.

MozillaFirefox was updated to version 45.2.0 ESR. mozilla-nss was updated to version 3.21.1.

These security issues were fixed:
- CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).
- CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651).
- CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA 2016-52) (bsc#983652).
- CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) (bsc#983653).
- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) (bsc#983655).
- CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) (bsc#983646).
- CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58) (bsc#983643).
- CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA 2016-49) (bsc#983638)
  
These non-security issues were fixed:
- bsc#982366: Unknown SSL protocol error in connections 
- Fix crashes on aarch64
  * Determine page size at runtime (bsc#984006)
  * Allow aarch64 to work in safe mode (bsc#985659)
- Fix crashes on mainframes

All extensions must now be signed by addons.mozilla.org. Please read README.SUSE for more details.


-----------------------------------------
Patch: SUSE-2016-1014
Released: Thu Jun 30 21:23:05 2016
Summary: Recommended update for haveged
Severity: moderate
References: 958562,959237
Description:

This update for haveged fixes the following issues:

- Remedy the potential for deadlocks when booting the system: journald reads from
  /dev/random, which receives entropy from haveged, which in turn logs to syslog
  before providing any. (bsc#959237)
- Remove 'After=systemd-random-seed.service' from systemd service file to avoid
  the potential for deadlocks when booting the system: systemd-random-seed needs
  /var to read its previous state; mounting /var needs journald; journald needs
  entropy; and entropy is provided by haveged, which needs systemd-random-seed.
  (bsc#959237)
- Add missing dependency on coreutils for initrd macros. (bsc#958562)


-----------------------------------------
Patch: SUSE-2016-1016
Released: Fri Jul  1 14:37:29 2016
Summary: Security update for LibreOffice
Severity: moderate
References: 718113,856729,939998,945443,945445,955832,965294,965296,967014,967015,977784,CVE-2016-0794,CVE-2016-0795
Description:

LibreOffice was updated to version 5.1.3.2, bringing many new features and bug fixes.

Two security issues have been fixed:

- CVE-2016-0795: LibreOffice allowed remote attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact via a crafted
  LwpTocSuperLayout record in a LotusWordPro (lwp) document.
- CVE-2016-0794: The lwp filter in LibreOffice allowed remote attackers to cause a
  denial of service (memory corruption) or possibly have unspecified other impact
  via a crafted LotusWordPro (lwp) document.

A comprehensive list of new features and improvements in this release is provided by
the Document Foundation at https://wiki.documentfoundation.org/ReleaseNotes/5.1 .


-----------------------------------------
Patch: SUSE-2016-1017
Released: Fri Jul  1 15:45:22 2016
Summary: Recommended update for openldap2
Severity: moderate
References: 770009,972331,976172,978408,984691
Description:

This update for openldap2 provides the following fixes:

- Package previously missing schema files in LDIF format and fix a minor issue in
  schema2ldif script that led to missing attribute in the generated LDIF. (bsc#984691)
- Enable non-blocking SSL/TLS handshakes. (fate#314570, bnc#770009, bsc#978408)
- Fix an issue with transaction management that could cause server crash. (bsc#972331)
- Remove outdated README.update file. (bsc#976172)


-----------------------------------------
Patch: SUSE-2016-1022
Released: Mon Jul  4 18:05:08 2016
Summary: Recommended update for cups
Severity: low
References: 968706
Description:

This update for cups fixes the following issues:

- Fix raw printing multiple files by adding the gziptoany filter. (bsc#968706)
- Avoid warnings in error_log of the form 'Unexpected 'document-name' operation
  attribute in a Create-Job request'.


-----------------------------------------
Patch: SUSE-2016-1026
Released: Wed Jul  6 17:20:17 2016
Summary: Recommended update for timezone
Severity: moderate
References: 987720
Description:

This update provides the latest timezone information (2016f) for your system, including the following changes:

- Egypt (Africa/Cairo) DST change 2016-07-07 cancelled (bsc#987720)
- Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 02:00
- Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones
- Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00 not 00:00



-----------------------------------------
Patch: SUSE-2016-1028
Released: Thu Jul  7 11:50:47 2016
Summary: Recommended update for findutils
Severity: moderate
References: 986935
Description:

This update for findutils fixes the following issues:

- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)


-----------------------------------------
Patch: SUSE-2016-1036
Released: Fri Jul  8 11:38:35 2016
Summary: Recommended update for xinit
Severity: moderate
References: 921172,973559,981437
Description:

This update for xinit fixes the following issues:
 
- xinitrc.common: Run numbered scripts sequentially. All non-numbered scripts will still be run in background to avoid stalling on non-daemonizing 'services' (bsc#973559)
- xinitrc.common: Remove '$' from error message, increase timeout
- xinitrc.common: Don't expand $WINDOWMANAGER (bsc#981437, bsc#921172)
- xinitrc.common: Accept more WMs as fallbacks and make fallback errors more descriptive



-----------------------------------------
Patch: SUSE-2016-1048
Released: Wed Jul 13 12:26:15 2016
Summary: Security update for dhcp
Severity: moderate
References: 969820,972907,CVE-2016-2774
Description:

This update for dhcp fixes the following issues:

Security issue fixed:
- CVE-2016-2774: Fixed a denial of service attack against the DHCP server over the OMAPI TCP socket, which could be used
  by network adjacent attackers to make the DHCP server non-functional (bsc#969820).

Non security issues fixed:
- Rename freeaddrinfo(), getaddrinfo() and getnameinfo() in the internal libirs
  library that does not consider /etc/hosts and /etc/nsswitch.conf to use irs_
  prefix. This prevents name conflicts which would result in overriding standard
  glibc functions used by libldap. (bsc#972907)


-----------------------------------------
Patch: SUSE-2016-1085
Released: Thu Jul 21 18:45:30 2016
Summary: Recommended update for strace
Severity: low
References: 983282
Description:

This update for strace provides the following fixes:

- If the set of headers are unable to produce a valid list, printflags will try
  to pass NULL to tprints which crashes. Add a sanity check for this edge case.
  (bsc#983282)


-----------------------------------------
Patch: SUSE-2016-1087
Released: Fri Jul 22 10:53:01 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 968073,968269,971778,987627
Description:

This update for supportutils fixes the following issues:

- Support for iSCSI LIO Targets (bsc#968269)
- Fixed docker error (bsc#971778)
- Fixed crash basename extra operand (bsc#968073, bsc#987627)


-----------------------------------------
Patch: SUSE-2016-1090
Released: Fri Jul 22 13:07:15 2016
Summary: Recommended update for automake
Severity: low
References: 986764
Description:

This update for automake provides the following fixes:

- Ensure ac_aux_dir is defined before usage. This fixes building of some packages
  (flatpak for instance). (bsc#986764)


-----------------------------------------
Patch: SUSE-2016-1091
Released: Fri Jul 22 20:13:08 2016
Summary: Recommended update for mozjs17
Severity: low
References: 984126
Description:

This update for mozjs17 adds support for 48 bits virtual address space, used
in the arm64 architecture.


-----------------------------------------
Patch: SUSE-2016-1109
Released: Wed Jul 27 15:31:51 2016
Summary: Recommended update for numactl
Severity: low
References: 976199
Description:
This update for numactl enables support for the aarch64 architecture.


-----------------------------------------
Patch: SUSE-2016-1115
Released: Thu Jul 28 12:40:36 2016
Summary: Recommended update for psmisc
Severity: low
References: 908063,930760,974161
Description:

This update for psmisc prevents attempts to close files which are not open. This
issue could make pstree(1) terminate with a segmentation fault.


-----------------------------------------
Patch: SUSE-2016-1120
Released: Thu Jul 28 17:19:40 2016
Summary: Recommended update for ksh
Severity: moderate
References: 962069,964966,982423,987362
Description:

This update for ksh fixes the following issues:

- Own the ksh files in /etc/alternatives. (bsc#987362, bsc#962069)
- Fix leak in optimize processing. (bsc#982423)
- Fix editor prediction code garbling input. (bsc#964966)


-----------------------------------------
Patch: SUSE-2016-1123
Released: Fri Jul 29 10:19:58 2016
Summary: Security update for libarchive
Severity: important
References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835,CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Description:
libarchive was updated to fix 20 security issues.

These security issues were fixed:
- CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698).
- CVE-2015-8919: Heap out of bounds read in LHA/LZH parser (bsc#985697).
- CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675).
- CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682).
- CVE-2015-8922: Null pointer access in 7z parser (bsc#985685).
- CVE-2015-8923: Unclear crashes in ZIP parser (bsc#985703).
- CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609).
- CVE-2015-8925: Unclear invalid memory read in mtree parser (bsc#985706).
- CVE-2015-8926: NULL pointer access in RAR parser (bsc#985704).
- CVE-2015-8928: Heap out of bounds read in mtree parser (bsc#985679).
- CVE-2015-8929: Memory leak in tar parser (bsc#985669).
- CVE-2015-8930: Endless loop in ISO parser (bsc#985700).
- CVE-2015-8931: Undefined behavior / signed integer overflow in mtree parser (bsc#985689).
- CVE-2015-8932: Compress handler left shifting larger than int size (bsc#985665).
- CVE-2015-8933: Undefined behavior / signed integer overflow in TAR parser (bsc#985688).
- CVE-2015-8934: Out of bounds read in RAR (bsc#985673).
- CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo (bsc#985832).
- CVE-2016-4301: Stack buffer overflow in the mtree parse_device (bsc#985826).
- CVE-2016-4302: Heap buffer overflow in the Rar decompression functionality (bsc#985835).
- CVE-2016-4809: Memory allocate error with symbolic links in cpio archives (bsc#984990).


-----------------------------------------
Patch: SUSE-2016-1124
Released: Fri Jul 29 13:27:52 2016
Summary: Recommended update for libxcb
Severity: low
References: 984368
Description:

This update for libxcb provides the following fixes:

- Fix encoding of 64-bit elements in PRESENT extension. (bsc#984368)


-----------------------------------------
Patch: SUSE-2016-1126
Released: Sat Jul 30 00:39:03 2016
Summary: Recommended update for kmod
Severity: low
References: 983754,989788
Description:

This update for kmod fixes libkmod to handle very long lines in /proc/modules.


-----------------------------------------
Patch: SUSE-2016-1141
Released: Wed Aug  3 15:24:30 2016
Summary: Security update for sqlite3
Severity: moderate
References: 987394,CVE-2016-6153
Description:

This update for sqlite3 fixes the following issues: 

The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)


-----------------------------------------
Patch: SUSE-2016-1149
Released: Thu Aug  4 14:06:16 2016
Summary: Recommended update for gcc48
Severity: low
References: 981311
Description:

This update for gcc48 fixes a miscompilation issue specific to the aarch64 architecture.


-----------------------------------------
Patch: SUSE-2016-1152
Released: Thu Aug  4 15:02:18 2016
Summary: Recommended update for binutils
Severity: low
References: 970239,985642
Description:

GNU Binutils was updated to version 2.26.1, which brings several fixes and
enhancements:

- Add -mrelax-relocations on x86 but keep it disabled on old products.
- Add --fix-stm32l4xx-629360 to the ARM linker to enable a link-time workaround
  for a bug in the bus matrix / memory controller for some of the STM32 Cortex-M4
  based products (STM32L4xx).
- Add a configure option --enable-compressed-debug-sections={all,ld} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Experimental support for linker garbage collection (--gc-sections) has been
  enabled for COFF and PE based targets.
- New command line option for ELF targets to compress DWARF debug sections,
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi].
- New command line option, --orphan-handling=[place|warn|error|discard], to
  adjust how orphan sections are handled.  The default is 'place' which gives
  the current behavior, 'warn' and 'error' issue a warning or error respectively
  when orphan sections are found, and 'discard' will discard all orphan sections.
- Add support for LLVM plugin.
- Add --print-memory-usage option to report memory blocks usage.
- Add --require-defined option, it's like --undefined except the new symbol must
  be defined by the end of the link.
- Add a configure option --enable-compressed-debug-sections={all,gas} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.  Remove assembler
  support for Argonaut RISC architectures.
- Add option to objcopy to insert new symbols into a file:
  --add-symbol <name>=[<section>:]<value>[,<flags>]
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Extend objcopy --compress-debug-sections option to support
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi] for ELF targets.
- Add --update-section option to objcopy.
- Add --output-separator option to strings.
- Fix internal error when applying TLSDESC relocations with no TLS segment
- Fix wrong insn type for troo insn.
- Change default common-page-size to 64K on aarch64.


-----------------------------------------
Patch: SUSE-2016-1153
Released: Thu Aug  4 15:17:28 2016
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: low
References: 990887,990888
Description:

This update enhances supportutils-plugin-suse-public-cloud to collect information
about instance initialization recorded by the initialization code in system logs.


-----------------------------------------
Patch: SUSE-2016-1205
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:

This update for rpm provides the following fixes:

- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)


-----------------------------------------
Patch: SUSE-2016-1228
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:

This update for libidn fixes the following issues:

- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189)

- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) 

- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)

- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) 



-----------------------------------------
Patch: SUSE-2016-1245
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update for python fixes the following issues:

- CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)


-----------------------------------------
Patch: SUSE-2016-1247
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Severity: moderate
References: 992966,CVE-2016-6318
Description:

This update for cracklib fixes the following issues:

- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)



-----------------------------------------
Patch: SUSE-2016-1252
Released: Mon Aug 22 15:12:43 2016
Summary: Recommended update for timezone
Severity: low
References: 988184
Description:

This update for timezone adds a positive leap second at the end of 2016-12-31.


-----------------------------------------
Patch: SUSE-2016-1259
Released: Tue Aug 23 17:25:28 2016
Summary: Recommended update for libpcap
Severity: low
References: 874131,992262
Description:

This update for libpcap provides the following fixes:

- Do not apply userspace filter until VLAN tag is reconstructed. (bsc#874131)
- Use TPID value passed by kernel rather than wild-guess 802.1Q. (bsc#874131)
- In 'vlan' filter BPF code, check also for 802.1ad (0x88a8) TPID in addition to
  802.1Q (0x8100) and non-standard 0x9100 Q-in-Q. (bsc#874131)
- Add missing DLT_INFINIBAND to dlt_choices table. (bsc#992262, fate#319438)


-----------------------------------------
Patch: SUSE-2016-1263
Released: Wed Aug 24 13:55:39 2016
Summary: Security update for dosfstools
Severity: moderate
References: 912607,980364,980377,CVE-2015-8872,CVE-2016-4804
Description:
dosfstools was updated to fix two security issues.

These security issues were fixed:
- CVE-2015-8872: The set_fat function in fat.c in dosfstools might have allowed attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an 'off-by-two error (bsc#980364).
- CVE-2016-4804: The read_boot function in boot.c in dosfstools allowed attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function (bsc#980377).

This non-security issue was fixed:
- bsc#912607: Attempt to rename root dir in fsck due to uninitialized fields.
  

-----------------------------------------
Patch: SUSE-2016-1267
Released: Wed Aug 24 15:43:49 2016
Summary: Security update for rsync
Severity: moderate
References: 915410,CVE-2014-9512
Description:
rsync was updated to fix one security issue.

- CVE-2014-9512: rsync allowed remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path (bsc#915410).
  

-----------------------------------------
Patch: SUSE-2016-1276
Released: Fri Aug 26 00:00:05 2016
Summary: Recommended update for containerd, docker, runc
Severity: low
References: 974208,978260,980555,983015,984942,987198,988707,989566,993847,994568
Description:

This update provides docker version 1.11.2 and splits containerd and runc in separate packages.

Additionally, the following issues have been fixed:

docker:

- Explicitly state the version dependencies for runC and containerd, to avoid potential issues with incompatible
  component versions. (bsc#993847)
- Add the ability to not restart the docker service during certain updates with long migration phases. (bsc#980555)
- Remove kernel dependency. (bsc#987198)
- Setting iptables option on ppc64le works now (bsc#988707)
- Fix syntax error in audit.rules. (bsc#984942)
- Update docker.service to fix latency issues when running containers. (bsc#983015)

For a detailed description of all fixes and changes, please refer to the changelog.

containerd:

- Set --runtime option specifically to runC. (bsc#978260)


-----------------------------------------
Patch: SUSE-2016-1309
Released: Fri Sep  2 13:37:41 2016
Summary: Security update for wget
Severity: moderate
References: 937096,958342,984060,CVE-2015-2059,CVE-2016-4971
Description:

This update for wget fixes the following issues:

 - Fix for HTTP to a FTP redirection file name confusion vulnerability
   (bsc#984060, CVE-2016-4971).
 - Work around a libidn  vulnerability
   (bsc#937096, CVE-2015-2059).
 - Fix for wget fails with basicauth: Failed writing HTTP request:
   Bad file descriptor
   (bsc#958342)


-----------------------------------------
Patch: SUSE-2016-1326
Released: Thu Sep  8 11:37:44 2016
Summary: Security update for perl
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:

This update for Perl fixes the following issues:

- CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)


-----------------------------------------
Patch: SUSE-2016-1330
Released: Fri Sep  9 09:00:53 2016
Summary: Security update for tiff
Severity: moderate
References: 964225,973340,984808,984831,984837,984842,987351,CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Description:

This update for tiff fixes the following issues:

* CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds writes for invalid images (bsc#964225)
* CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).
* CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351)
* CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)
* CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)
* CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)
* CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808) 



-----------------------------------------
Patch: SUSE-2016-1344
Released: Tue Sep 13 18:10:21 2016
Summary: Recommended update for kbd
Severity: low
References: 984958
Description:

This update for kbd adds mapping for two keycodes to br-abnt2 map:

- Slash (/): alt-gr + q
- Question mark (?): alt-gr + w


-----------------------------------------
Patch: SUSE-2016-1355
Released: Thu Sep 15 14:52:37 2016
Summary: Recommended update for growpart
Severity: low
References: 998378
Description:

This update provides growpart 0.29, which brings the following enhancements and
fixes:

- Fix use of partx with newer util-linux versions.
- Fix some issues in error path reporting.
- Capture output of 'partx --help' as older versions do not support that flag and
  send output to standard error.
- Fix bug when growing partitions on disks greater than 2TB.
- Support sfdisk 2.26 or newer, and support gpt partitions with sfdisk.


-----------------------------------------
Patch: SUSE-2016-1358
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Severity: low
References: 983206
Description:

This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:

- SUSE Linux Enterprise Server 12 and Desktop:

  The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1
  and some others can now be used by GCC 6 built binaries.

- SUSE Linux Enterprise 12 Toolchain Module:

  The Toolchain module received the GCC 6 compiler suite with this update.

Changes:

- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic Optimization improvements:

- UndefinedBehaviorSanitizer gained a new sanitization option,
  -fsanitize=bounds-strict, which enables strict checking of array
  bounds. In particular, it enables -fsanitize=bounds as well as
  instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different
  pointers. This improves precision of the alias oracle by about 20-30%
  on higher-level C++ programs. Programs doing invalid type punning of
  pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This
  makes it possible to access both a variable and its alias in one
  translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++
  member functions is non-null. This eliminates common null pointer checks
  but also breaks some non-conforming code-bases (such as Qt-5, Chromium,
  KDevelop). As a temporary work-around -fno-delete-null-pointer-checks
  can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
    - Basic jump threading is now performed before profile construction
      and inline analysis, resulting in more realistic size and time
      estimates that drive the heuristics of the of inliner and function
      cloning passes.
    - Function cloning now more aggressively eliminates unused function
      parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved
  implementation of the OpenACC 2.0a specification.

C language specific improvements:

- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges,
  rather than just points, making it easier to identify the subexpression
  of interest within a complicated expression. In addition, there is
  now initial support for precise diagnostic locations within strings,
- Diagnostics can now contain 'fix-it hints', which are displayed in
  context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
    - -Wshift-negative-value warns about left shifting a negative value.
    - -Wshift-overflow warns about left shift overflows. This warning is
      enabled by default. -Wshift-overflow=2 also warns about left-shifting
      1 into the sign bit.
    - -Wtautological-compare warns if a self-comparison always evaluates
      to true or false. This warning is enabled by -Wall.
    - -Wnull-dereference warns if the compiler detects paths that
      trigger erroneous or undefined behavior due to dereferencing a null
      pointer. This option is only active when -fdelete-null-pointer-checks
      is active, which is enabled by optimizations in most targets. The
      precision of the warnings depends on the optimization options used.
    - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
    - -Wmisleading-indentation warns about places where the indentation
      of the code gives a misleading idea of the block structure of the
      code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers
  are present in a source file.

C improvements:

- It is possible to disable warnings when an initialized field
  of a structure or a union with side effects is being overridden
  when using designated initializers via a new warning option
  -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures
  and unions has been introduced. It specifies the storage order (aka
  endianness) in memory of scalar fields in structures or unions.

C++ improvements:

- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where
  a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert,
  and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:

- Extensions to the C++ Library to support mathematical special functions
  (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the
  Library Fundamentals TS. This includes polymorphic memory resources and
  array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by
  _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have
  less run-time overhead than the full _GLIBCXX_DEBUG checks and don't
  affect the library ABI, so can be enabled per-translation unit.

Fortran improvements:

- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if
  front-end optimization is active. The maximum size for inlining can be
  set to n with the -finline-matmul-limit=n option and turned off with
  -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which
  have excess precision for their kind.
- The -Winteger-division option has been added, which warns about
  divisions of integer constants which are truncated. This option is
  included in -Wall by default.

Architecture improvements:

- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:

- GCC now supports the Intel CPU named Skylake with AVX-512 extensions
  through -march=skylake-avx512. The switch enables the following ISA
  extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been
  added. This includes new intrinsic and built-in support. It is enabled
  through option -mmwaitx. The instructions monitorx and mwaitx implement
  the same functionality as the old monitor and mwait instructions. In
  addition mwaitx adds a configurable timer. The timer value is received
  as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack
  pointer using the command-line option -mstackrealign or __attribute__
  ((force_align_arg_pointer)). This allows functions compiled with
  a vector-aligned stack to be invoked from objects that keep only
  word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These
  can be used to access data via the %fs and %gs segments without having
  to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through
  the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:

- PowerPC64 now supports IEEE 128-bit floating-point using the
  __float128 data type. In GCC 6, this is not enabled by default, but you
  can enable it with -mfloat128. The IEEE 128-bit floating-point support
  requires the use of the VSX instruction set. IEEE 128-bit floating-point
  values are passed and returned as a single vector value. The software
  emulator for IEEE 128-bit floating-point support is only built on
  PowerPC GNU/Linux systems where the default CPU is at least power7. On
  future ISA 3.0 systems (POWER 9 and later), you will be able to use the
  -mfloat128-hardware option to use the ISA 3.0 instructions that support
  IEEE 128-bit floating-point. An additional type (__ibm128) has been added
  to refer to the IBM extended double type that normally implements long
  double. This will allow for a future transition to implementing long
  double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the
  recently published OpenPOWER ISA 3.0 instructions. The following new
  switches are available:
     - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by
       the compiler.
     - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently,
       POWER8 tunings are used.
     - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus,
       count trailing zeros, array index support, integer multiply/add).
     - -mpower9-fusion: Generate code to suitably fuse instruction sequences for
       a POWER9 system.
     - -mpower9-dform: Generate code to use the new D-form (register+offset) memory
       instructions for the vector registers.
     - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec)
       instructions.
     - -mpower9-minmax: Reserved for future development.
     - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0
  instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(),
  allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values.
  This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as
  memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine
  whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both
  big- and little-endian (but not for 32-bit). The gold linker from at
  least binutils 2.25.1 must be available in the PATH when configuring and
  building gccgo to enable split stack. (The requirement for binutils 2.25.1
  applies to PowerPC64 only.) The split-stack feature allows a small initial
  stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:

- Support for the IBM z13 processor has been added. When using the
  -march=z13 option, the compiler will generate code making use of the
  new instructions and registers introduced with the vector extension
  facility. The -mtune=z13 option enables z13 specific instruction
  scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector
  types bigger than 8 bytes to 8. This is an ABI change and care must be
  taken when linking modules compiled with different arch levels which
  interchange variables containing vector type values. For newly compiled
  code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension
  provides a new keyword vector which can be used to define vector type
  variables. (Note: This is not available when enforcing strict standard
  compliance e.g. with -std=c99. Either enable GNU extensions with
  e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially
  compatible to the PowerPC Altivec builtins. In order to make use of
  these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native, and -mtune=native are now
  available on native IBM z Systems. Specifying these options will cause
  GCC to auto-detect the host CPU and rewrite these options to the optimal
  setting for that system. If GCC is unable to detect the host CPU these
  options have no effect.
- The IBM z Systems port now supports target attributes and
  pragmas. Please refer to the documentation for details of available
  attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This
  feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been
  deprecated and will be removed in a future GCC release. -m31 from now
  on defaults to -march=z900 if not specified otherwise. -march=native on
  a g5/g6 machine will default to -march=z900.

An even more detailed list of features can be found at:
https://gcc.gnu.org/gcc-6/changes.html


-----------------------------------------
Patch: SUSE-2016-1364
Released: Fri Sep 16 17:13:43 2016
Summary: Security update for curl
Severity: moderate
References: 991389,991390,991391,991746,997420,CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Description:

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
- CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
- CVE-2016-5421: use of connection struct after free (bsc#991391)
- CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:
- fixing a performance issue (bsc#991746)


-----------------------------------------
Patch: SUSE-2016-1370
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 994157,CVE-2016-6313
Description:

This update for libgcrypt fixes the following issues:

  - RNG prediction vulnerability (bsc#994157, CVE-2016-6313)



-----------------------------------------
Patch: SUSE-2016-1388
Released: Mon Sep 26 20:30:52 2016
Summary: Recommended update for flac
Severity: low
References: 998612
Description:

This update fixes a low severity issue that manifests itself only when building
certain packages against flac-devel.


-----------------------------------------
Patch: SUSE-2016-1390
Released: Tue Sep 27 15:11:15 2016
Summary: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Severity: moderate
References: 954210,990856,CVE-2015-8079,CVE-2016-6354
Description:

Various packages included vulnerable parsers generated by 'flex'.

This update provides a fixed 'flex' package and also rebuilds of packages
that might have security issues caused by the auto generated code.

Flex itself was updated to fix a buffer overflow in the generated scanner
(bsc#990856, CVE-2016-6354)

Packages that were rebuilt with the fixed flex:
- at
- bogofilter
- cyrus-imapd
- kdelibs4
- libQtWebKit4
- libbonobo
- mdbtools
- netpbm
- openslp
- sgmltool
- virtuoso

Also libqt5-qtwebkit received an additional security fix:
- CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).


-----------------------------------------
Patch: SUSE-2016-1399
Released: Tue Sep 27 18:02:49 2016
Summary: Security update for bind
Severity: critical
References: 1000362,CVE-2016-2776
Description:

The nameserver bind was updated to fix a remote denial of service
vulnerability, where a crafted packet could cause the nameserver to abort. (CVE-2016-2776, bsc#1000362)
  

-----------------------------------------
Patch: SUSE-2016-1405
Released: Thu Sep 29 08:54:36 2016
Summary: Recommended update for SUSE Linux Enterprise Modules
Severity: low
References: 1000091,1001061
Description:

This update adjusts the product definitions of the following SUSE Linux Enterprise
Modules, allowing their installation on top of SUSE Linux Enterprise Server 12 SP2
for the ARM 64 architecture:

- Legacy
- Public Cloud
- Manager Tools
- Web and Scripting
- Toolchain.


-----------------------------------------
Patch: SUSE-2016-1423
Released: Tue Oct  4 10:05:25 2016
Summary: Security update for java-1_6_0-ibm
Severity: moderate
References: 992537,CVE-2016-3485
Description:

IBM Java 6 was updated to version 6.0-16.30.

Following security issue was fixed: CVE-2016-3485

Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information.


-----------------------------------------
Patch: SUSE-2016-1424
Released: Tue Oct  4 12:34:53 2016
Summary: Recommended update for rsync
Severity: low
References: 999847
Description:

This update for rsync provides the following fixes:

- Don't depend on insserv(8) and fillup(8) as they're not needed or used
  under systemd. (bsc#999847)


-----------------------------------------
Patch: SUSE-2016-1441
Released: Thu Oct  6 16:46:04 2016
Summary: Security update for compat-openssl098
Severity: important
References: 979475,982575,983249,993819,994749,994844,995075,995324,995359,995377,998190,999665,999666,999668,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306
Description:

This update for compat-openssl098 fixes the following issues:

OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

Severity: High
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304) (bsc#999666)

Severity: Low
* Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
* Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
* DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
* DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
* OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
* Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (bsc#995359)
* Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
* OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
* Certificate message OOB reads (CVE-2016-6306) (bsc#999668)

More information can be found on: https://www.openssl.org/news/secadv/20160922.txt

Bugs fixed:
* update expired S/MIME certs (bsc#979475)
* fix crash in print_notice (bsc#998190)
* resume reading from /dev/urandom when interrupted by a signal (bsc#995075)


-----------------------------------------
Patch: SUSE-2016-1454
Released: Mon Oct 10 16:25:51 2016
Summary: Recommended update for timezone
Severity: low
References: 997830
Description:

This update provides the latest timezone information (2016g) for your system,
including the following changes:

- Turkey will remain on UTC+03 after 2016-10-30. (bsc#997830)
- Antarctica and nautical time zones now use numeric time zone abbreviations instead
  of obsolete alphanumeric ones.
- Renamed Asia/Rangoon to Asia/Yangon.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1461
Released: Wed Oct 12 11:31:33 2016
Summary: Security update for tiff
Severity: moderate
References: 974449,974614,974618,975069,975070,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Description:
This update for tiff fixes the following security issues:

- CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449)
- Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098)
- CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618)
- CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614)
- CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069)
- CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070)


-----------------------------------------
Patch: SUSE-2016-1464
Released: Wed Oct 12 11:36:01 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:
This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1503
Released: Wed Oct 19 11:39:35 2016
Summary: Recommended update for ksh
Severity: low
References: 988213
Description:

This update for ksh fixes a locking error in spawn implementation.


-----------------------------------------
Patch: SUSE-2016-1504
Released: Wed Oct 19 13:34:30 2016
Summary: Recommended update for sle2docker
Severity: low
References: 1003041
Description:

This update brings version 0.5.0 of sle2docker and provides the following features and fixes:

New features:

- Added the `--all` option to the `activate` command. With this options you can tell sle2docker 
  to activate all the available images.
- Added the `--tag_with_build` flag to include the obs build number of kiwi generated images in
  the docker tag.

Fixes:

- Clarified error message on missing Docker images.


-----------------------------------------
Patch: SUSE-2016-1509
Released: Thu Oct 20 12:49:14 2016
Summary: Recommended update for python-cliff, python-setuptools, python-mock
Severity: low
References: 1001350,979493,993968
Description:

This update provides newer versions of python-cliff, python-setuptools and python-mock,
including several fixes and enhancements.

python-cliff (updated from 1.7.0 to 1.14.0):

- Fix encoding issue with the default python CSV output.
- Add command fuzzy matching.
- Allow subcommands to accept --help when using 'deferred_help'.

For a comprehensive list of fixes please refer to the package's change log.

python-mock (updated from 1.0.1 to 1.3.0):

- mock_open.read_data can now be read from each instance.
- Fix unittest.mock.mock_open().reset_mock to not recurse infinitely.
- Support Python 2.6.
- Allow unittest.mock side_effects to be exceptions again.
- Abort installation if the installer is using setuptools older than 17.1.
- Fix MagicMock's initializer to work with __methods__.
- Add matmul, rdivmod support to MagicMock() objects.
- Use set literals instead of creating a set from a list.
- New method assert_not_called for Mock.
- New keyword argument `unsafe` to Mock.
- Four additional builtin types (PyTypeObject, PyMethodDescr_Type, _PyMethodWrapper_Type,
  and PyWrapperDescr_Type) have been modified to provide introspection information for
  builtins.

For a comprehensive list of fixes please refer to the package's change log.

python-setuptools (updated from 1.1.7 to 18.0.1):

- Fix certificate handling with certifi and add support for SUSE's CA bundle. (bsc#993968)
- Drop support for builds with Pyrex. Only Cython is supported.
- Bootstrap script now accepts '--to-dir' to customize save directory or allow for
  re-use of existing repository of setuptools versions.
- Removed built-in support for subversion.
- Eggs that are downloaded for 'setup_requires', 'test_requires', etc. are now
  placed in a './.eggs' directory instead of directly in the current directory.
- Correct usage of host for validation when tunneling for HTTPS.
- Improved handling of Unicode filenames when building manifests.
- More robust handling of replaced zip files and stale caches.
- Add parameter to the test command to support a custom test runner: --test-runner or -r.
- Remove 'setuptools.command.easy_install.HAS_USER_SITE'. Users expecting this
  boolean variable should use 'site.ENABLE_USER_SITE' instead.
- Remove 'pkg_resources.ImpWrapper'. Users that expected this class should use
  'pkgutil.ImpImporter' instead.
- Drop support for Python 2.4 and Python 2.5.
- Establish a more robust technique for determining the terminal encoding.
- 'easy_install' will now use credentials from .pypirc if present for connecting to
  the package index.
- Wheels are now distributed with every release.


-----------------------------------------
Patch: SUSE-2016-1510
Released: Thu Oct 20 14:04:39 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1558
Released: Wed Oct 26 15:21:45 2016
Summary: Security update for python3
Severity: moderate
References: 951166,983582,984751,985177,985348,989523,991069,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:

- CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment
  variable based on user supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to
  perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urrlib2/urllib/httplib/http.client.
  (bsc#985348)

The update also includes the following non-security fixes:

- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement.
  (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html


-----------------------------------------
Patch: SUSE-2016-1565
Released: Thu Oct 27 13:06:35 2016
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)

The following bugfix changes are included:
- bsc#994989: Removed convenience code as changes bytes in the message buffer breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2016-1588
Released: Wed Nov  2 09:34:27 2016
Summary: Security update for bind
Severity: important
References: 1007829,965748,CVE-2016-8864
Description:

This update for bind fixes the following issues:

- A defect in BIND's handling of responses containing a DNAME answer had
the potential to trigger assertion errors in the server remotely,
thereby facilitating a denial-of-service attack. (CVE-2016-8864, bsc#1007829).

- Fix BIND to return a valid hostname in response to ldapdump queries.
(bsc#965748)



-----------------------------------------
Patch: SUSE-2016-1591
Released: Wed Nov  2 12:07:51 2016
Summary: Security update for curl
Severity: important
References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Description:
This update for curl fixes the following security issues:

- CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
- CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
- CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
- CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
- CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
- CVE-2016-8619: double-free in krb5 code (bsc#1005638)
- CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
- CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
- CVE-2016-8616: case insensitive password comparison (bsc#1005634)
- CVE-2016-8615: cookie injection for other servers (bsc#1005633)
- CVE-2016-7167: escape and unescape integer overflows (bsc#998760)


-----------------------------------------
Patch: SUSE-2016-1614
Released: Mon Nov  7 20:01:31 2016
Summary: Recommended update for shadow
Severity: low
References: 1002975
Description:

This update for shadow fixes the following issues:

- Set file modes according to the permissions package and don't attempt to
  manipulate them in %files section. (bsc#1002975)


-----------------------------------------
Patch: SUSE-2016-1617
Released: Tue Nov  8 10:03:25 2016
Summary: Recommended update for libesmtp
Severity: low
References: 1005909
Description:

This update for libesmtp provides the following fixes:

- All TLS clients must support and use the highest TLS version available if
  possible, not only TLS 1.0. (bsc#1005909)


-----------------------------------------
Patch: SUSE-2016-1621
Released: Tue Nov  8 16:20:57 2016
Summary: Recommended update for timezone
Severity: low
References: 1007725,1007726
Description:

This update provides the latest timezone information (2016i) for your system,
including the following changes:

- Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00.
  (bsc#1007725)
- Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting
  2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (bsc#1007726)
- Antarctica/Casey switched from +08 to +11 on 2016-10-22.
- Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00.
- Asia/Colombo now uses numeric time zone abbreviations.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1625
Released: Wed Nov  9 13:54:49 2016
Summary: Initial release of google-compute-engine-init
Severity: low
References: 994943
Description:

This update adds package google-compute-engine-init to the SLE Public Cloud 12 Module.

The google-compute-engine-init package provides the initialization code for instances
in Google Compute Engine. It obsoletes packages gcimagebundle, google-daemon and
google-startup-scripts. The code previously provided by gcimagebundle is not replaced.
New image creation from running instances is accomplished using functionality from
google-cloud-sdk or through the GCE web console.


-----------------------------------------
Patch: SUSE-2016-1634
Released: Thu Nov 10 11:26:56 2016
Summary: Recommended update for pciutils
Severity: low
References: 1001888
Description:

This update for pciutils fixes the following issues:

- lspci(8) incorrectly tested bit 4, not bit 0, for 'CRS Software Visibility' in
  the Root Capabilities register, so it showed 'RootCap: CRSVisible-' even for
  devices that do support Software Visibility. This update fixes it to use the
  correct definition for PCI_EXP_RTCAP_CRSVIS. (bsc#1001888)


-----------------------------------------
Patch: SUSE-2016-1639
Released: Thu Nov 10 18:05:34 2016
Summary: Security update for jasper
Severity: moderate
References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373,CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Description:

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed:
- CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836)
- CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599)
- CVE-2016-8884,CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009)
- CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598)
- CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597)
- CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593)
- CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591)
- CVE-2016-8693 Double free vulnerability in mem_close (bsc#1005242)
- CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090)
- CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084)
- CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer allowed remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (bsc#968373) 
- CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() function (bsc#963983)
- CVE-2016-1867: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function (bsc#961886)
- CVE-2015-5221: Use-after-free (and double-free) in Jasper JPEG-200 (bsc#942553).
- CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919)
- CVE-2008-3522: Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer might have allowed context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (bsc#392410)
- jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887) (bsc#1006839)

For additional change description please have a look at the changelog.


-----------------------------------------
Patch: SUSE-2016-1641
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1006469,958369,979436
Description:

This update for sg3_utils provides the following fixes:

- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could
  prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs
  that have been added to the server. (bsc#958369)


-----------------------------------------
Patch: SUSE-2016-1668
Released: Thu Nov 17 14:34:38 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:

This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering
crashes, or privilege escalation if this relationship was untrusted or crossed user or permission
level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory
  read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow
  on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory
  and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read
  underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1675
Released: Fri Nov 18 12:40:36 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1676
Released: Fri Nov 18 12:42:16 2016
Summary: Security update for python3
Severity: moderate
References: 951166,983582,984751,985177,985348,989523,991069,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:

- CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment
  variable based on user supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to
  perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urrlib2/urllib/httplib/http.client.
  (bsc#985348)

The update also includes the following non-security fixes:

- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement.
  (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html


-----------------------------------------
Patch: SUSE-2016-1690
Released: Thu Nov 24 08:36:43 2016
Summary: Security update for tar
Severity: moderate
References: 1007188,913058,CVE-2016-6321
Description:

This update for tar fixes the following issues:

- Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting
  files and directories in the given destination, regardless of the
  path name(s) specified on the command line [bsc#1007188]
  [CVE-2016-6321]
- Fix Amanda integration issue (bsc#913058)



-----------------------------------------
Patch: SUSE-2016-1698
Released: Fri Nov 25 12:32:27 2016
Summary: Security update for libarchive
Severity: moderate
References: 1005070,1005072,1005076,986566,989980,998677,CVE-2015-2304,CVE-2016-5418,CVE-2016-5844,CVE-2016-6250,CVE-2016-8687,CVE-2016-8688,CVE-2016-8689
Description:

This update for libarchive fixes several issues.

These security issues were fixed:

- CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070).
- CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072).
- CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076).
- CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566).
- CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980).
- CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677).


-----------------------------------------
Patch: SUSE-2016-1721
Released: Tue Nov 29 13:12:31 2016
Summary: Security update for vim
Severity: important
References: 1010685,988903,CVE-2016-1248
Description:

This update for vim fixes the following security issues:

- Fixed CVE-2016-1248 an arbitrary command execution vulnerability
  (bsc#1010685)

This update for vim fixes the following issues:

- Fix build with Python 3.5. (bsc#988903)


-----------------------------------------
Patch: SUSE-2016-1734
Released: Thu Dec  1 10:34:07 2016
Summary: Recommended update for timezone
Severity: low
References: 1011797
Description:

This update provides the latest timezone information (2016j) for your system,
including the following changes:

- Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. This change
  introduces a new zone Europe/Saratov split from Europe/Volgograd.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-November/000044.html


-----------------------------------------
Patch: SUSE-2016-1738
Released: Fri Dec  2 11:22:31 2016
Summary: Recommended update for sensors
Severity: low
References: 1008552,999987
Description:

This update for sensors fixes the sensors-detect script to skip 'random' I/O port
probing on non-x86 systems. Attempting to detect such ports could lead to kernel
faults on ARM64 systems. (bsc#1008552)

Additionally, it fixes CPU detection support on ppc architectures. (bsc#999987)


-----------------------------------------
Patch: SUSE-2016-1744
Released: Fri Dec  2 11:42:41 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1746
Released: Fri Dec  2 13:55:49 2016
Summary: Recommended update for libpciaccess
Severity: low
References: 1006827
Description:

This update for libpciaccess provides the following fixes:

- Ignore 32bit PCI domains. They are now supported by the Linux kernel but not
  by the user land library, and this inconsistency can lead to problems such as
  startx(1) terminating with a segmentation fault. 32-bit PCI domains are not
  needed to start the X server.


-----------------------------------------
Patch: SUSE-2016-1749
Released: Mon Dec  5 09:28:00 2016
Summary: Security update for libX11
Severity: moderate
References: 1002991,CVE-2016-7942
Description:

libX11 was updated to fix a memory leak that was introduced with the
security fix for CVE-2016-7942.


-----------------------------------------
Patch: SUSE-2016-1752
Released: Mon Dec  5 14:22:35 2016
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 1009280,CVE-2016-5542,CVE-2016-5554,CVE-2016-5556,CVE-2016-5568,CVE-2016-5573,CVE-2016-5597
Description:

This update for java-1_6_0-ibm fixes the following issues:

- Version update to 6.0-16.35 (bsc#1009280) fixing the following CVE's:
  CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
  CVE-2016-5542



-----------------------------------------
Patch: SUSE-2016-1754
Released: Mon Dec  5 18:03:45 2016
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1009026,1010395,1010401,1010402,1010404,1010410,1010422,1010427,1010517,992549,CVE-2016-5285,CVE-2016-5290,CVE-2016-5291,CVE-2016-5296,CVE-2016-5297,CVE-2016-9064,CVE-2016-9066,CVE-2016-9074
Description:
This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.

The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026):

- CVE-2016-5297: Incorrect argument length checking in Javascript (bsc#1010401)
- CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404)
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395)
- CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402)
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427)
- CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410)

The following vulnerabilities were fixed in mozilla-nss 3.21.3:

- CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422)
- CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)  

The following bugs were fixed:

- Firefox would fail to go into fullscreen mode with some window managers (bsc#992549)

The Mozilla Firefox changelog was amended to document patched dropped in a previous update.


-----------------------------------------
Patch: SUSE-2016-1758
Released: Tue Dec  6 11:25:26 2016
Summary: Initial release of compat-libgcrypt11
Severity: low
References: 1011556
Description:

This update for compat-libgcrypt11 fixes the following issues:

- package compat-libgcrypt11 for SLE-12 (fate#320852) (bsc#1011556)


-----------------------------------------
Patch: SUSE-2016-1767
Released: Wed Dec  7 16:43:38 2016
Summary: Security update for libXi
Severity: moderate
References: 1002998,CVE-2016-7945,CVE-2016-7946
Description:

libXi was updated to fix two security issues.

These security issues were fixed:
- CVE-2016-7945: Integer overflows in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
- CVE-2016-7946: Insufficient validation of data in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
  

-----------------------------------------
Patch: SUSE-2016-1778
Released: Thu Dec  8 11:12:31 2016
Summary: Recommended update for wicked
Severity: moderate
References: 972471,975466,988794,988954,997027,998413
Description:

This update provides Wicked 0.6.39, which brings the following fixes and enhancements:

- dhcp: Support to define and request custom options, documented in wicked-config(5)
  and ifcfg-dhcp(5) manual pages. (bsc#988954)
- dhcp6: Fix refresh on newprefix workaround. (bsc#972471)
- dhcp4: Do not fail in capture on link type change. (bsc#975466)
- dhcp4: Ignore invalid options, do not discard complete message.
- dhcp4: Log and add sender (server or relay) ethernet hw-address to the lease.
- ifdown: Show reasons to skip an action. (bsc#997027)
- ifconfig: Fix to consider address scope in dbus model. (bsc#988794)
- bonding: Set the primary slave in the master at enslave of the primary when it
  were not yet ready while setting up bond. (bsc#998413)


-----------------------------------------
Patch: SUSE-2016-1782
Released: Fri Dec  9 13:35:02 2016
Summary: Recommended update for systemd
Severity: moderate
References: 1001790,1004289,1005404,1006372,1006690,989831,991443
Description:

This update for systemd provides the following fixes:

- Allow to redirect confirmation messages to a different console. (bsc#1006690)
- Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
- Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
- Don't emit space usage message right after opening the persistent journal. (bsc#991443)
- Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload.
  (bsc#1006372)
- Document that *KeyIgnoreInhibited only apply to a subset of locks.
- Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'.
  (bsc#1001790, bsc#1005404)
- Revert 'kbd-model-map: add more mappings offered by Yast'.
- Don't busy loop when we get a notification message we can't process.
- Rename kbd-model-map-extra into kbd-model-map.legacy.
- Add kbd-model-map-extra file which contains the additional maps needed by YaST.
- Drop localfs.service: unused and not needed anymore.


-----------------------------------------
Patch: SUSE-2016-1794
Released: Mon Dec 12 09:34:56 2016
Summary: Security update for Docker and dependencies
Severity: moderate
References: 1004490,1006368,1007249,1009961,974208,978260,983015,987198,988408,989566,995058,995102,995620,996015,999582,CVE-2016-8867
Description:

This update for Docker and its dependencies fixes the following issues:

- fix runc and containerd revisions (bsc#1009961)

docker:

- Updates version 1.11.2 to 1.12.3 (bsc#1004490, bsc#996015, bsc#995058)
- Fix ambient capability usage in containers (bsc#1007249, CVE-2016-8867)
- Change the internal mountpoint name to not use ':' as that character can be considered 
  a special character by other tools. (bsc#999582)
- Add dockerd(8) man page.
- Package docker-proxy (which was split out of the docker binary in 1.12). (bsc#995620)
- Docker 'migrator' prevents installing 'docker', if docker 1.9 was installed before but 
  there were no images. (bsc#995102)
- Specify an 'OCI' runtime for our runc package explicitly. (bsc#978260)
- Use gcc6-go instead of gcc5-go (bsc#988408)

For a detailed description of all fixes and improvements, please refer to:

https://github.com/docker/docker/releases/tag/v1.12.3
https://github.com/docker/docker/blob/v1.12.2/CHANGELOG.md 
https://github.com/docker/docker/releases/tag/v1.12.1
https://github.com/docker/docker/releases/tag/v1.12.0

containerd:

- Update to current version required from Docker 1.12.3.
- Add missing Requires(post): %fillup_prereq. (bsc#1006368)
- Use gcc6-go instead of gcc5-go. (bsc#988408) 

runc:

- Update to current version required from Docker 1.12.3.
- Use gcc6-go instead of gcc5-go. (bsc#988408)

rubygem-excon:

- Updates version from 0.39.6 to 0.52.0.

For a detailed description of all fixes and improvements, please refer to the installed changelog.txt.

rubygem-docker-api:

- Updated version from 1.17.0 to 1.31.0.


-----------------------------------------
Patch: SUSE-2016-1827
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1831
Released: Thu Dec 15 17:47:09 2016
Summary: Recommended update for tar
Severity: important
References: 1012633
Description:

This update for tar fixes a regression caused by the previous security update (bsc#1007188),
which limited append and create operations (bsc#1012633)


-----------------------------------------
Patch: SUSE-2016-1841
Released: Fri Dec 16 14:57:16 2016
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1014151
Description:

This update for suse-build-key extends the lifetime of the build@suse.de
GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151)

UID:
  pub  2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
  uid                            SuSE Package Signing Key <build@suse.de>


-----------------------------------------
Patch: SUSE-2016-1853
Released: Mon Dec 19 17:07:52 2016
Summary: Security update for ntp
Severity: moderate
References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606,CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Description:

This update for ntp fixes the following issues:

ntp was updated to 4.2.8p9.

Security issues fixed:

- CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6
  unauthenticated trap information disclosure and DDoS vector.
- CVE-2016-7427, bsc#1011390:
  Broadcast Mode Replay Prevention DoS.
- CVE-2016-7428, bsc#1011417:
  Broadcast Mode Poll Interval Enforcement DoS.
- CVE-2016-7431, bsc#1011395:
  Regression: 010-origin: Zero Origin Timestamp Bypass.
- CVE-2016-7434, bsc#1011398:
  Null pointer dereference in _IO_str_init_static_internal().
- CVE-2016-7429, bsc#1011404: Interface selection attack.
- CVE-2016-7426, bsc#1011406:
  Client rate limiting and server responses.
- CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
- CVE-2015-5219: An endless loop due to incorrect precision to
  double conversion (bsc#943216).

Non-security issues fixed:

- Fix a spurious error message.
- Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
- Fix a regression in 'trap' (bsc#981252).
- Reduce the number of netlink groups to listen on for changes to
  the local network setup (bsc#992606).
- Fix segfault in 'sntp -a' (bsc#1009434).
- Silence an OpenSSL version warning (bsc#992038).
- Make the resolver task change user and group IDs to the same
  values as the main task. (bsc#988028)
- Simplify ntpd's search for its own executable to prevent AppArmor
  warnings (bsc#956365).



-----------------------------------------
Patch: SUSE-2016-1859
Released: Tue Dec 20 13:18:17 2016
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1014339,981689,986294
Description:

This update for cloud-regionsrv-client provides the following fixes:

- Create the missing cache directory if it does not exist. (bsc#1014339)
- Support region portability during registration. (bsc#986294)
- Enable Nvidia repository only on instances that have Nvidia 'hardware'.
- Enable the public cloud repository module repository after registration. (bsc#981689)
- Add option 'metadata_server' to indicate that the SMT server data is supposed 
  to be pulled from a metadata server rather than a region server. Intended to aid 
  integration of the update infrastructure into SUSE OpenStack Cloud.


-----------------------------------------
Patch: SUSE-2016-1863
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended updated for pth
Severity: low
References: 1013286
Description:

This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.


-----------------------------------------
Patch: SUSE-2016-1883
Released: Thu Dec 22 10:27:40 2016
Summary: Recommended update for supportutils
Severity: low
References: 995387,997615
Description:

This update for supportutils fixes the following issues:

- Add limits to journalctl to speed up data collection. (bsc#997615)
- Restore missing vgs and lvs commands to lvm.txt. (bsc#995387)
- Collect information about network namespaces.


-----------------------------------------
Patch: SUSE-2016-1886
Released: Thu Dec 22 13:46:07 2016
Summary: Recommended update for sle-module-toolchain-release
Severity: low
References: 1013847
Description:

This update for the Toolchain Module introduces information about the life cycle
of packages provided in the module.

On SUSE Linux Enterprise Server 12 SP2 systems customers can install the new
'zypper-lifecycle-plugin' and run 'zypper lifecycle' to check the end of support
dates for each package.


-----------------------------------------
Patch: SUSE-2016-1888
Released: Thu Dec 22 13:46:35 2016
Summary: Recommended update for lifecycle-data-sle-module-web-scripting
Severity: low
References: 1013222
Description:

This update for the Web and Scripting Module introduces information about the
life cycle of packages provided in the module.

On SUSE Linux Enterprise Server 12 SP2 systems customers can install the new
'zypper-lifecycle-plugin' and run 'zypper lifecycle' to check the end of support
dates for each package.


-----------------------------------------
Patch: SUSE-2016-1889
Released: Thu Dec 22 13:46:53 2016
Summary: Recommended update for lifecycle-data-sle-module-legacy
Severity: low
References: 1013223
Description:

This update for the Legacy Module introduces information about the life cycle
of packages provided in the module.

On SUSE Linux Enterprise Server 12 SP2 systems customers can install the new
'zypper-lifecycle-plugin' and run 'zypper lifecycle' to check the end of support
dates for each package.


-----------------------------------------
Patch: SUSE-2016-1908
Released: Fri Dec 23 14:45:12 2016
Summary: Recommended update for pciutils
Severity: low
References: 1006827
Description:

This update for pciutils provides the following fixes:

- Enable proper support for 32-bit PCI domain numbers. (bsc#1006827)


-----------------------------------------
Patch: SUSE-2016-1911
Released: Fri Dec 23 18:02:19 2016
Summary: Security update for wget
Severity: moderate
References: 1005091,1012677,995964,CVE-2016-7098
Description:

This update for wget fixes the following issues:

Security issues fixed:
- CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext
  and making them accessible to the current user only. (bsc#995964)

Non security issues fixed:
- bsc#1005091: Don't call xfree() on string returned by usr_error()  
- bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforcable).


-----------------------------------------
Patch: SUSE-2016-1937
Released: Thu Dec 29 20:47:49 2016
Summary: Security update for tiff
Severity: moderate
References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351,CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Description:

The tiff library and tools were updated to version 4.0.7 fixing various bug and security issues.

- CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890]
- CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161]
- CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840]
- CVE-2016-9273: heap overflow [bnc#1010163]
- CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449]
- CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280]
- CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107]
- CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351]
- CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103]
- CVE-2016-5321: out-of-bounds read in tiffcrop /  DumpModeDecode() function [bnc#984813]
- CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) [bnc#984815]


-----------------------------------------
Patch: SUSE-2017-2
Released: Mon Jan  2 08:35:08 2017
Summary: Security update for zlib
Severity: moderate
References: 1003577,1003579,1003580,1013882,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Description:

This update for zlib fixes the following issues:

CVE-2016-9843: Big-endian out-of-bounds pointer

CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580) 

CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)

Incompatible declarations for external linkage function deflate (bsc#1003577)



-----------------------------------------
Patch: SUSE-2017-5
Released: Mon Jan  2 16:10:06 2017
Summary: Recommended update for alsa, pulseaudio
Severity: low
References: 1010690
Description:

This update for alsa and pulseaudio provides a new UCM profile for Cherry
Trail audio devices.


-----------------------------------------
Patch: SUSE-2017-6
Released: Tue Jan  3 15:01:58 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1012390,1012591,1012818,1013989,1015515,909418,912715,945340,953807,963290,990538
Description:

This update for systemd fixes the following issues:

- core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes
  unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
- fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
- coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
- Ship kbd-model-map with the correct contents. (bsc#1015515)
- rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event.
  (bsc#963290, bsc#990538)
- tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
- nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
- systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)


-----------------------------------------
Patch: SUSE-2017-15
Released: Thu Jan  5 11:26:43 2017
Summary: Recommended update for irqbalance
Severity: low
References: 998399
Description:

This update for irqbalance increases the maximum number of files that can be
opened simultaneously to 4096.


-----------------------------------------
Patch: SUSE-2017-27
Released: Sun Jan  8 13:11:03 2017
Summary: Security update for jasper
Severity: important
References: 1010977,1010979,1011830,1012530,1015993,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Description:

This update for jasper fixes the following issues:

- CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530)
- CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977)
- CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979)
- CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830)
- CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993)


-----------------------------------------
Patch: SUSE-2017-32
Released: Mon Jan  9 11:50:42 2017
Summary: Recommended update for dirmngr
Severity: low
References: 994794
Description:

This update for dirmngr enables support for daemon mode.


-----------------------------------------
Patch: SUSE-2017-36
Released: Mon Jan  9 14:29:14 2017
Summary: Recommended update for containerd, docker, runc
Severity: moderate
References: 1015661,1016307
Description:

Docker was updated to version 1.12.5, which brings several fixes and enhancements:

- Remove old flags from dockerd's command-line to be more inline with upstream now
  that docker-runc is provided by the runc package. -H is dropped because upstream
  dropped it due to concerns with socket activation.
- Remove socket activation entirely.
- Fix bash-completion.

A comprehensive list of changes is available at
https://github.com/docker/docker/blob/v1.12.5/CHANGELOG.md

RunC and containerd were also updated for compatibility with Docker 1.12.5.


-----------------------------------------
Patch: SUSE-2017-47
Released: Wed Jan 11 11:42:43 2017
Summary: Recommended update for systemd
Severity: important
References: 1018214,1018399
Description:

This update for systemd fixes the following two issues:
- A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze.
  (bsc#1018399)
- Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)


-----------------------------------------
Patch: SUSE-2017-54
Released: Wed Jan 11 22:57:26 2017
Summary: Security update for bind
Severity: important
References: 1018699,1018700,1018701,1018702,CVE-2016-9131,CVE-2016-9147,CVE-2016-9444
Description:

This update for bind fixes the following issues:

- Fix a potential assertion failure that could have been triggered by a
  malformed response to an ANY query, thereby facilitating a denial-of-service
  attack. [CVE-2016-9131, bsc#1018700, bsc#1018699]

- Fix a potential assertion failure that could have been triggered by
  responding to a query with inconsistent DNSSEC information, thereby
  facilitating a denial-of-service attack. [CVE-2016-9147, bsc#1018701,
  bsc#1018699]

- Fix potential assertion failure that could have been triggered by DNS
  responses that contain unusually-formed DS resource records, facilitating a
  denial-of-service attack. [CVE-2016-9444, bsc#1018702, bsc#1018699]


-----------------------------------------
Patch: SUSE-2017-69
Released: Fri Jan 13 16:57:59 2017
Summary: Recommended update for gdk-pixbuf
Severity: low
References: 1010497,929462
Description:

This update for gdk-pixbuf provides the following fixes:

- Fix RGBA conversion for big endian X11 environments. (bsc#929462, bsc#1010497)


-----------------------------------------
Patch: SUSE-2017-98
Released: Thu Jan 19 10:17:55 2017
Summary: Recommended update for kmod
Severity: low
References: 998906
Description:

This update for kmod fixes a rare race condition while loading modules.


-----------------------------------------
Patch: SUSE-2017-99
Released: Thu Jan 19 10:35:21 2017
Summary: Security update for apache2
Severity: moderate
References: 1013648,CVE-2016-8740
Description:

This update for apache2 fixes the following issues:

- CVE-2016-8740 Server memory can be exhausted and service denied when HTTP/2 is used [bsc#1013648]


-----------------------------------------
Patch: SUSE-2017-138
Released: Mon Jan 23 13:26:01 2017
Summary: Security update for openssh
Severity: moderate
References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Description:

This update for openssh fixes several issues.

These security issues were fixed:

- CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480).
- CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370).
- CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366).
- CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have be created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected.
- CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369).

These non-security issues were fixed:

- Adjusted suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
- Properly verify CIDR masks in configuration (bsc#1005893)


-----------------------------------------
Patch: SUSE-2017-147
Released: Tue Jan 24 23:01:42 2017
Summary: Recommended update for openssh
Severity: important
References: 1021626
Description:

This update for openssh fixes the following issues:

- A previous update contained a logic flaw that broke OpenSSH's interpretation
  of the 'DenyUser' config option. That regression could have lead to an exact
  inversion of the intended meaning, i.e. OpenSSH could have locked out all users
  except the one that was supposed to be denied access. [bsc#1021626]


-----------------------------------------
Patch: SUSE-2017-149
Released: Wed Jan 25 09:17:08 2017
Summary: Security update for systemd
Severity: important
References: 1012266,1014560,1014566,1020601,997682,CVE-2016-10156
Description:

This update for systemd fixes the following issues:

This security issue was fixed:

- CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

These non-security issues were fixed:

- Fix permission set on /var/lib/systemd/linger/*
- install: follow config_path symlink (#3362)
- install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
- run: make --slice= work in conjunction with --scope (bsc#1014566)
- core: don't dispatch load queue when setting Slice= for transient units
- systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
- rule: don't automatically online standby memory on s390x (bsc#997682)


-----------------------------------------
Patch: SUSE-2017-181
Released: Wed Feb  1 14:27:53 2017
Summary: Recommended update for google-compute-engine-init
Severity: low
References: 1015829,1016372,1017395
Description:

This update for google-compute-engine-init fixes the following issues:

- Scripts that are one-shot should not be marked as 'stop_on_removal' as there is no process running. (bsc#1017395)
- Add and improved support for alias IPs in the IP forwarding daemon. (bsc#1016372, bsc#1015829)
- Fix startup script to run after network setup.
- Provide a service to enable network interfaces on boot.

For a detailed description of all changes and improvements, please refer to the changelog.


-----------------------------------------
Patch: SUSE-2017-185
Released: Thu Feb  2 18:22:37 2017
Summary: Security update for cpio
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:

This update for cpio fixes two issues.

This security issue was fixed:

- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:

- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB


-----------------------------------------
Patch: SUSE-2017-192
Released: Fri Feb  3 18:46:05 2017
Summary: Security update for libxml2
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:

This update for libxml2 fixes the following issues:

* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files
and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).


-----------------------------------------
Patch: SUSE-2017-201
Released: Mon Feb  6 15:38:49 2017
Summary: Security update for containerd, docker, runc
Severity: moderate
References: 1012568,1019251,CVE-2016-9962
Description:

This update for 
- containerd
- docker to 1.12.6
- runc
fixes the two issues.

This security issue was fixed:

- CVE-2016-9962: A difficult to exploit race condition caused by passing a file descriptor from the host's filesystem into the container could have allowed the guest to escape(bsc#1012568).

For docker this non-security issue was fixed:

- bsc#1019251: Waiting when starting the docker service 


-----------------------------------------
Patch: SUSE-2017-209
Released: Tue Feb  7 17:00:47 2017
Summary: Recommended update for libseccomp
Severity: low
References: 1019900
Description:

This update provides libseccomp version 2.3.1 which fixes the following issues:

- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x


-----------------------------------------
Patch: SUSE-2017-212
Released: Wed Feb  8 13:07:24 2017
Summary: Security update for expat
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:

This update for expat fixes the following security issues:

- CVE-2012-6702: Expat, when used in a parser that has not
  called XML_SetHashSalt or passed it a seed of 0, made it easier for
  context-dependent attackers to defeat cryptographic protection mechanisms
  via vectors involving use of the srand function.  (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy
  for hash initialization, which allowed context-dependent attackers to
  cause a denial of service (CPU consumption) via crafted identifiers in
  an XML document. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2012-0876.  (bsc#983216)


-----------------------------------------
Patch: SUSE-2017-228
Released: Fri Feb 10 15:39:32 2017
Summary: Security update for openssl
Severity: moderate
References: 1000677,1001912,1009528,1019637,1021641,1022085,1022086,1022271,CVE-2016-7055,CVE-2017-3731,CVE-2017-3732
Description:

This update for openssl fixes the following issues contained in the
OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528)
- CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
- CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
- Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

Non-security issues fixed:
- fix crash in openssl speed (bsc#1000677)
- fix X509_CERT_FILE path (bsc#1022271)
- AES XTS key parts must not be identical in FIPS mode (bsc#1019637)


-----------------------------------------
Patch: SUSE-2017-231
Released: Mon Feb 13 11:40:25 2017
Summary: Security update for tiff
Severity: moderate
References: 1019611,1022103,CVE-2017-5225
Description:

This update for tiff fixes the following issues:

- A crafted TIFF image could cause a crash and potential code execution when
processed by the 'tiffcp' utility (CVE-2017-5225, bsc#1019611).

Also a regression from the version update to 4.0.7 was fixed in
handling TIFFTAG_FAXRECVPARAMS. (bsc#1022103)



-----------------------------------------
Patch: SUSE-2017-240
Released: Wed Feb 15 07:29:29 2017
Summary: Security update for libXpm
Severity: moderate
References: 1021315,CVE-2016-10164
Description:

This update for libXpm fixes the following issues:

- A heap overflow in XPM handling could be used by attackers supplying XPM files to 
  crash or potentially execute code. (bsc#1021315)


-----------------------------------------
Patch: SUSE-2017-249
Released: Thu Feb 16 15:35:47 2017
Summary: Recommended update for docker
Severity: important
References: 1016992,1020806
Description:

This update for docker fixes the following issues:

- Containers using old run-time options did no longer start after the last
  docker update. This patch provides the appropriate oci runtime to remedy that
  issue. When those containers are started by the new docker version, the
  runtime is automatically migrated to the new one. [bsc#1020806, bsc#1016992]


-----------------------------------------
Patch: SUSE-2017-261
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1019276
Description:

This update for dirmngr fixes the following issues:

- Properly initialize the dirmngr tmpfilesd files right away and not
  just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds
  wrt (bsc#1019276)
- Proprely require logrotate as we need it for the dirmngr configs


-----------------------------------------
Patch: SUSE-2017-270
Released: Mon Feb 20 15:23:36 2017
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1024794
Description:

This update for cloud-regionsrv-client fixes the following issues:

- If the base product registration failed with a given SMT server, the fallback code to try another server generated a
traceback. This update fixes the list name for loops in the failover code path. (bsc#1024794)


-----------------------------------------
Patch: SUSE-2017-312
Released: Thu Mar  2 15:28:34 2017
Summary: Security update for bind
Severity: moderate
References: 1024130,CVE-2017-3135
Description:

This update for bind fixes the following issues:

- Fixed a possible denial of service vulnerability (affected only
  configurations using both DNS64 and RPZ, CVE-2017-3135, bsc#1024130)


-----------------------------------------
Patch: SUSE-2017-319
Released: Fri Mar  3 17:46:48 2017
Summary: Security update for compat-openssl098
Severity: moderate
References: 1000677,1001912,1004499,1005878,1019334,1021641,984663,CVE-2016-2108,CVE-2016-7056,CVE-2016-8610
Description:

This update for compat-openssl098 fixes the following issues contained in the
OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7056: A local ECSDA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
- CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
- degrade 3DES to MEDIUM in SSL2 (bsc#1001912)
- CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)

Bugs fixed:
- fix crash in openssl speed (bsc#1000677)
- don't attempt session resumption if no ticket is present and session
  ID length is zero (bsc#984663)


-----------------------------------------
Patch: SUSE-2017-332
Released: Tue Mar  7 13:04:31 2017
Summary: Recommended update for boost
Severity: low
References: 1017048,1019896
Description:

This update for boost provides the following fixes:

- Enable build of 32bit version of libboost_locale1_54_0. (bsc#1017048)
- Ship ppc64le and s390x versions of libboost_random1_54_0. (bsc#1019896)


-----------------------------------------
Patch: SUSE-2017-335
Released: Tue Mar  7 13:58:47 2017
Summary: Security update for tigervnc
Severity: moderate
References: 1019274,1023012,CVE-2016-10207,CVE-2016-9941,CVE-2016-9942
Description:

This update for tigervnc provides the following fixes:

- Prevent malicious server from crashing a server via a buffer overflow, a similar flaw as the LibVNCServer issues CVE-2016-9941 and CVE-2016-9942. (bsc#1019274)
- CVE-2016-10207: Prevent potential crash due to insufficient clean-up after failure to establish TLS
  connection. (bsc#1023012)


-----------------------------------------
Patch: SUSE-2017-354
Released: Thu Mar  9 11:31:22 2017
Summary: Recommended update for timezone
Severity: low
References: 1024676,1024677
Description:

This update provides the latest timezone information (2017a) for your system, including the
following changes:

- Mongolia no longer observes DST. (bsc#1024676)
- Chile's Region of Magallanes moves from -04/-03 to -03 year-round starting 2017-05-13 23:00.
  Split from America/Santiago creating a new zone America/Punta_Arenas.
  Also affects Antarctica/Palmer. (bsc#1024677)
- Fixes to historical time stamps: Spain, Ecuador, Atyrau, Oral.
- Switch to numeric, or commonly used time zone abbreviations.
- zic(8) no longer mishandles some transitions in January 2038.
- date and strftime now cause %z to generate '-0000' instead of '+0000' when the UT offset is
  zero and the time zone abbreviation begins with '-'.


-----------------------------------------
Patch: SUSE-2017-357
Released: Thu Mar  9 15:12:40 2017
Summary: Recommended update for jasper
Severity: low
References: 1028070
Description:

This update for jasper provides the following fixes:

- Add -D_BSD_SOURCE to fix redefinition of system types in jas_config.h, which
  could lead to build failures on ppc64le, s390 and s390x. (bsc#1028070)


-----------------------------------------
Patch: SUSE-2017-364
Released: Fri Mar 10 15:14:56 2017
Summary: Recommended update for xorg-x11-server, xf86-video-qxl
Severity: low
References: 1021865,1022050,1025002
Description:

This update for xorg-x11-server and xf86-video-qxl provides the following fixes:

- Fix unpainted areas when glamor is in use. (bsc#1022050)
- Fix 8-bit depth support. (fate#321052 bsc#1021865)
- Prevent crash in qxl driver caused by X server fix. (bsc#1025002)


-----------------------------------------
Patch: SUSE-2017-365
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Severity: low
References: 1006175
Description:

This update for sg3_utils fixes the following issue:

- Add udev rules to handle legacy CCISS devices (bsc#1006175)


-----------------------------------------
Patch: SUSE-2017-367
Released: Mon Mar 13 09:58:27 2017
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 1027298,1027299
Description:

This update for cloud-regionsrv-client provides the following fixes:

- Set the current SMT server after failover.


-----------------------------------------
Patch: SUSE-2017-372
Released: Mon Mar 13 19:32:01 2017
Summary: Recommended update for xorg-x11-server
Severity: important
References: 1029093
Description:

This update for xorg-x11-server fixes a regression caused by adding 8-bit depth support. (bsc#1029093)


-----------------------------------------
Patch: SUSE-2017-387
Released: Thu Mar 16 11:34:27 2017
Summary: Optional update for libepoxy
Severity: low
References: 1029310
Description:

This update provides a rebuild of libepoxy to synchronize SLE and PackageHub release numbers.


-----------------------------------------
Patch: SUSE-2017-389
Released: Thu Mar 16 14:16:43 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1004094,1006687,1019470,1022014,1022047,1025598,995936
Description:

This update for systemd provides the following fixes:

- core: Fix memory leak in transient units. (bsc#1025598)
- core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
- sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
- journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
- core: Downgrade warning about duplicate device names. (bsc#1022047)
- units: Remove no longer needed ldconfig service. (bsc#1019470)


-----------------------------------------
Patch: SUSE-2017-407
Released: Fri Mar 17 15:02:48 2017
Summary: Security update for java-1_6_0-ibm
Severity: moderate
References: 1027038,CVE-2016-2183
Description:

This update for java-1_6_0-ibm to 8.0-4.1 fixes the following issues:

Security issue fixed:
- CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and
  other protocols and products, have a birthday bound of approximately four billion blocks, which
  makes it easier for remote attackers to obtain cleartext data via a birthday attack against a
  long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode,
  aka a 'Sweet32' attack. (bsc#1027038)


-----------------------------------------
Patch: SUSE-2017-439
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Severity: low
References: 1028305,959693
Description:

This update for netcfg provides the following fixes:

- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not
  add all the names and emails at the bottom of the file. (bsc#959693)


-----------------------------------------
Patch: SUSE-2017-445
Released: Tue Mar 21 18:27:18 2017
Summary: Recommended update for man
Severity: low
References: 1025597,786679,986211
Description:

This update for man provides the following fixes:

- Stop using the wrapper that squashed root privileges down to uid man. (bsc#986211, bsc#1025597)
- Add description of MAN_POSIXLY_CORRECT in man.man1. (bsc#786679)


-----------------------------------------
Patch: SUSE-2017-446
Released: Wed Mar 22 13:26:13 2017
Summary: Recommended update for python3
Severity: low
References: 1027282,1029377
Description:

This update provides Python 3.4.6, which brings the following fixes:

- Fix potential crash in PyUnicode_AsDecodedObject() in debug build.
- Fix possible DoS and arbitrary execution in gettext plurals.
- Fix possible use of uninitialized memory in operator.methodcaller.
- Fix possible Py_DECREF on unowned object in _sre.
- Fix possible integer overflow in _csv module.
- Fix selectors incorrectly retaining invalid file descriptors.
- Move _elementtree to python3.rpm to match its pyexpat dependency. (bsc#1029377)

For a comprehensive list of changes, please refer to the upstream Release Notes
available at https://hg.python.org/cpython/raw-file/v3.4.6/Misc/NEWS


-----------------------------------------
Patch: SUSE-2017-448
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Severity: moderate
References: 1027282,964182
Description:

This update provides Python 2.7.13, which brings several bug fixes.

- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.

For a comprehensive list of changes, please refer to the upstream Release Notes
available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS


-----------------------------------------
Patch: SUSE-2017-450
Released: Wed Mar 22 15:54:10 2017
Summary: Security update for apache2
Severity: moderate
References: 1016712,1016714,1016715,1019380,CVE-2016-0736,CVE-2016-2161,CVE-2016-8743
Description:

This update for apache2 fixes the following security issues:

Security issues fixed:
- CVE-2016-0736: Protect mod_session_crypto data with a MAC to prevent padding oracle attacks (bsc#1016712).
- CVE-2016-2161: Malicious input to mod_auth_digest could have caused the server to crash, resulting in DoS (bsc#1016714).
- CVE-2016-8743: Added new directive 'HttpProtocolOptions Strict' to avoid proxy chain misinterpretation (bsc#1016715).

Bugfixes:
- Add missing copy of hcuri and hcexpr from the worker to the health check worker (bsc#1019380).


-----------------------------------------
Patch: SUSE-2017-451
Released: Wed Mar 22 15:55:40 2017
Summary: Security update for wget
Severity: moderate
References: 1028301,CVE-2017-6508
Description:

This update for wget fixes the following issues:

Security issue fixed:
- CVE-2017-6508: (url_parse): Reject control characters in host part of URL (bsc#1028301).


-----------------------------------------
Patch: SUSE-2017-454
Released: Thu Mar 23 11:19:45 2017
Summary: Initial release of python-kiwi
Severity: low
References: 1011342
Description:

This update adds python-kiwi to the SLE 12-SP2 codestream. This replaces python3-kiwi
released in February.


-----------------------------------------
Patch: SUSE-2017-457
Released: Fri Mar 24 12:35:18 2017
Summary: Recommended update for timezone
Severity: low
References: 1030417
Description:

This update provides the latest timezone information (2017b) for your system, including following changes:

- Haiti resumed observance of DST in 2017.
- Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
- Use 'MMT' to abbreviate Liberia's time zone before 1972.


-----------------------------------------
Patch: SUSE-2017-458
Released: Fri Mar 24 13:49:49 2017
Summary: Recommended update for fdupes
Severity: low
References: 1005386
Description:

This update for fdupes provides the following fixes and enhancements:

- Add new options: --nohidden, --permissions, --order, --reverse, --immediate.
- Speed up file comparison.
- Fix bug where fdupes fails to consistently ignore hardlinks, depending on
  file processing order, when F_CONSIDERHARDLINKS flag is not set.
- Using tty for interactive input instead of regular stdin. This is to allow
  feeding filenames via stdin in future versions of fdupes without breaking
  interactive deletion feature.
- Sort the output of fdupes by filename to make it deterministic for parallel
  builds. (bsc#1005386)


-----------------------------------------
Patch: SUSE-2017-462
Released: Fri Mar 24 21:58:07 2017
Summary: Recommended update for lvm2
Severity: moderate
References: 1012973,1015943,1017034,1023283,1025560,1025630
Description:

This update for lvm2 fixes the following issues:

- Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
- Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
- Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
- Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
- Add systemd_requires to device-mapper package. (bsc#1015943)


-----------------------------------------
Patch: SUSE-2017-464
Released: Mon Mar 27 15:50:51 2017
Summary: Recommended update for glibc
Severity: moderate
References: 1007851,1029725,1029900
Description:

This update for glibc fixes a potential segmentation fault in libpthread:

- Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)


-----------------------------------------
Patch: SUSE-2017-478
Released: Wed Mar 29 13:02:30 2017
Summary: Security update for libpng16
Severity: moderate
References: 1017646,CVE-2016-10087
Description:

This update for libpng16 fixes the following issues:

Security issues fixed:
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-482
Released: Wed Mar 29 15:40:19 2017
Summary: Security update for libpng12
Severity: moderate
References: 1017646,958791,CVE-2015-8540,CVE-2016-10087
Description:

This update for libpng12 fixes the following issues:

Security issues fixed:
- CVE-2015-8540: read underflow in libpng (bsc#958791)
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-540
Released: Wed Apr  5 12:16:37 2017
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1005609,1019211,945937,990356
Description:

This update for nfs-utils fixes the following issues:

- Make mount.nfs return failure if statd is being slow to start due to DNS issues. (bsc#945937)
- Include various upstream systemd unit file updates to ensure correct starting dependencies
  of nfsd and rpcbind. (bsc#990356)
- Fix typos relating to version setting in nfs-utils_env.sh. (bsc#990356)
- Only require a filesystem to be mounted if it isn't marked 'noauto' in /etc/fstab.
  (bsc#1019211)
- Move rpc.svcgssd and corresponding man page from nfs-client package to nfs-kernel-server.
  For NFSv4.0 this is needed on client as well as the server to support the back-channel.
  (bsc#1005609)


-----------------------------------------
Patch: SUSE-2017-542
Released: Wed Apr  5 14:26:21 2017
Summary: Security update for audiofile
Severity: low
References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988,949399,CVE-2015-7747,CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Description:

This audiofile update fixes the following issue:

Security issues fixed:
- CVE-2015-7747: Fixed buffer overflow issue when changing both number of channels and sample format. (bsc#949399)
- CVE-2017-6827: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp) (bsc#1026979)
- CVE-2017-6828: heap-based buffer overflow in readValue (FileHandle.cpp) (bsc#1026980)
- CVE-2017-6829: global buffer overflow in decodeSample (IMA.cpp) (bsc#1026981)
- CVE-2017-6830: heap-based buffer overflow in alaw2linear_buf (G711.cpp) (bsc#1026982)
- CVE-2017-6831: heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp) (bsc#1026983)
- CVE-2017-6832: heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp) (bsc#1026984)
- CVE-2017-6833: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp) (bsc#1026985)
- CVE-2017-6834: heap-based buffer overflow in ulaw2linear_buf (G711.cpp) (bsc#1026986)
- CVE-2017-6835: divide-by-zero in BlockCodec::reset1 (BlockCodec.cpp) (bsc#1026988)
- CVE-2017-6836: heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h) (bsc#1026987)
- CVE-2017-6837, CVE-2017-6838, CVE-2017-6839: multiple ubsan crashes (bsc#1026978)


-----------------------------------------
Patch: SUSE-2017-549
Released: Thu Apr  6 11:37:56 2017
Summary: Recommended update for harfbuzz
Severity: low
References: 1030465
Description:

Harfbuzz was updated to version 1.4.5, which brings several fixes and enhancements:

- Fix buffer-overrun in Bengali.
- Route Adlam script to Arabic shaper.
- Implement OpenType Font Variation tables avar/fvar/HVAR/VVAR.
- hb-shape and hb-view now accept --variations.
- Always build and use UCDN for Unicode data by default.
- Add core of support for OpenType 1.8 Font Variations.
- New APIs:
  - hb_font_set_face().
  - hb_font_set_var_coords_normalized().
  - HB_OT_LAYOUT_NO_VARIATIONS_INDEX.
  - hb_ot_layout_table_find_feature_variations().
  - hb_ot_layout_feature_with_variations_get_lookups().
  - hb_shape_plan_create2().
  - hb_shape_plan_create_cached2().
- Deprecate API: hb_graphite2_font_get_gr_font().
- Fix regression in GDEF glyph class processing.
- Add decompositions for Chakma, Limbu, and Balinese in USE shaper.
- Fix vertical glyph origin in hb-ot-font.
- Implement CBDT/CBLC color font glyph extents in hb-ot-font.
- Implement parsing of OpenType MATH table.
- Blacklist bad GDEF of more fonts.


-----------------------------------------
Patch: SUSE-2017-551
Released: Thu Apr  6 14:28:02 2017
Summary: Security update for jasper
Severity: moderate
References: 1015400,1018088,1020353,1021868,1029497,CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Description:

This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9600: Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder (bsc#1018088)
- CVE-2016-10251: Use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) (bsc#1029497)
- CVE-2017-5498: left-shift undefined behaviour (bsc#1020353)
- CVE-2017-6850: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (bsc#1021868)
- CVE-2016-9583: Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400)


-----------------------------------------
Patch: SUSE-2017-571
Released: Tue Apr 11 14:34:28 2017
Summary: Recommended update for python-enum34
Severity: low
References: 1014478
Description:

This update provides python-enum34 1.1.3, which brings fixes for minor issues
and some enhancements.


-----------------------------------------
Patch: SUSE-2017-580
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Severity: important
References: 1028410
Description:

This update for cpio fixes the following issues:

- A regression caused cpio to crash for tar and ustar archive types
  [bsc#1028410]


-----------------------------------------
Patch: SUSE-2017-582
Released: Thu Apr 13 02:33:21 2017
Summary: Security update for bind
Severity: important
References: 1020983,1033466,1033467,1033468,987866,989528,CVE-2016-2775,CVE-2016-6170,CVE-2017-3136,CVE-2017-3137,CVE-2017-3138
Description:

This update for bind fixes the following issues:

CVE-2017-3137 (bsc#1033467):
Mistaken assumptions about the ordering of records in the answer
section of a response containing CNAME or DNAME resource records
could have been exploited to cause a denial of service of a bind
server performing recursion.

CVE-2017-3136 (bsc#1033466):
An attacker could have constructed a query that would cause a denial
of service of servers configured to use DNS64.

CVE-2017-3138 (bsc#1033468):
An attacker with access to the BIND control channel could have caused
the server to stop by triggering an assertion failure.

CVE-2016-6170 (bsc#987866):
Primary DNS servers could have caused a denial of service of secondary DNS servers via a large AXFR response.
IXFR servers could have caused a denial of service of IXFR clients via a large IXFR response.
Remote authenticated users could have caused a denial of service of primary DNS servers via a large UPDATE message.

CVE-2016-2775 (bsc#989528):
When lwresd or the named lwres option were enabled, bind allowed remote attackers to cause a denial of service 
(daemon crash) via a long request that uses the lightweight resolver protocol.

One additional non-security bug was fixed:

The default umask was changed to 077. (bsc#1020983)



-----------------------------------------
Patch: SUSE-2017-589
Released: Thu Apr 13 13:12:45 2017
Summary: Recommended update for libtool
Severity: moderate
References: 1010802
Description:

This update for libtool prevents a segmentation fault caused by insufficient error
handling on out-of-memory situations.


-----------------------------------------
Patch: SUSE-2017-598
Released: Mon Apr 17 22:56:57 2017
Summary: Recommended update for ruby-common, rubygem-gem2rpm
Severity: low
References: 963710
Description:

This update for ruby-common, rubygem-gem2rpm fixes the following issues:

ruby-common:

- Since rubygems 2.5.0 the default version in the gem bin stub changed from '>= 0'
  to '>= 0.a'. This was done to allow pre-release versions. Our patching script
  didn't take the '.a' into account and generated version fields like '= 0.10.1.a'
  instead of the expected '= 0.10.1'. This fix accounts for the '.a'.

Changes in rubygem-gem2rpm:

- Fix 'gem2rpm --fetch': prefer https for accessing rubygems.org. (bsc#963710)
- Add support for Ruby 2.3.0 and 2.4.0.
- Add :post_patch hook to run commands before we rebuild the gem used by libv8.
- Add support for rubinius 2.5 and remove support for 2.2.
- No longer require the Ruby version inside the sub-package. With BuildRequires
  we already make sure that the package is only built if we find a recent enough
  ABI. Then the normal $interpreter(abi) requires generated by rpm is enough.
- Move to new packaging templates by default.


-----------------------------------------
Patch: SUSE-2017-607
Released: Tue Apr 18 11:20:18 2017
Summary: Security update for libsndfile
Severity: moderate
References: 1033053,1033054,1033914,1033915,CVE-2017-7585,CVE-2017-7586,CVE-2017-7741,CVE-2017-7742
Description:

This update for libsndfile fixes the following security issues:

- CVE-2017-7586: A stack-based buffer overflow via a specially crafted FLAC
  file was fixed (error in the 'header_read()' function) (bsc#1033053)
- CVE-2017-7585,CVE-2017-7741, CVE-2017-7742: Several stack-based buffer overflows via a specially crafted FLAC
  file (error in the 'flac_buffer_copy()' function) were fixed (bsc#1033054,bsc#1033915,bsc#1033914).


-----------------------------------------
Patch: SUSE-2017-609
Released: Tue Apr 18 11:28:14 2017
Summary: Security update for curl
Severity: moderate
References: 1015332,1027712,1032309,CVE-2016-9586,CVE-2017-7407
Description:

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
- CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309).

With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712).


-----------------------------------------
Patch: SUSE-2017-610
Released: Tue Apr 18 11:29:22 2017
Summary: Security update for tiff
Severity: important
References: 1031247,1031249,1031250,1031254,1031255,1031262,1031263,CVE-2016-10266,CVE-2016-10267,CVE-2016-10268,CVE-2016-10269,CVE-2016-10270,CVE-2016-10271,CVE-2016-10272
Description:

This update for tiff fixes the following issues:

Security issues fixed:
- CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to
  'WRITE of size 2048' and libtiff/tif_next.c:64:9 (bsc#1031247).
- CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 1' and libtiff/tif_fax3.c:413:13
  (bsc#1031249).
- CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 8' and libtiff/tif_read.c:523:22 (bsc#1031250).
- CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 512' and libtiff/tif_unix.c:340:2 (bsc#1031254).
- CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (integer underflow and heap-based buffer under-read) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23
  (bsc#1031255).
- CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_ojpeg.c:816:8 (bsc#1031262).
- CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_read.c:351:22. (bsc#1031263).


-----------------------------------------
Patch: SUSE-2017-611
Released: Tue Apr 18 16:05:49 2017
Summary: Security update for ntp
Severity: moderate
References: 1014172,1030050,CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Description:

This ntp update to version 4.2.8p10 fixes serveral issues.

This updated enables leap smearing. See
/usr/share/doc/packages/ntp/README.leapsmear for details.

Security issues fixed (bsc#1030050):

- CVE-2017-6464: Denial of Service via Malformed Config
- CVE-2017-6462: Buffer Overflow in DPTS Clock
- CVE-2017-6463: Authenticated DoS via Malicious Config Option
- CVE-2017-6458: Potential Overflows in ctl_put() functions
- CVE-2017-6451: Improper use of snprintf() in mx4200_send()
- CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist
- CVE-2016-9042: 0rigin (zero origin) DoS.
- ntpq_stripquotes() returns incorrect Value
- ereallocarray()/eallocarray() underused
- Copious amounts of Unused Code
- Off-by-one in Oncore GPS Receiver
- Makefile does not enforce Security Flags

Bugfixes:

- Remove spurious log messages (bsc#1014172).
- clang scan-build findings
- Support for openssl-1.1.0 without compatibility modes
- Bugfix 3072 breaks multicastclient
- forking async worker: interrupted pipe I/O
- (...) time_pps_create: Exec format error
- Incorrect Logic for Peer Event Limiting
- Change the process name of forked DNS worker
- Trap Configuration Fail
- Nothing happens if minsane < maxclock < minclock
- allow -4/-6 on restrict line with mask
- out-of-bound pointers in ctl_putsys and decode_bitflags
- Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for
  transactional updates.


-----------------------------------------
Patch: SUSE-2017-624
Released: Thu Apr 20 08:35:35 2017
Summary: Security update for ruby2.1
Severity: important
References: 1014863,1018808,887877,909695,926974,936032,959495,986630,CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Description:

This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed:
- CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
- CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032)
- CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of
  hostnames (bsc#926974)
- CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877)

Bugfixes:
- SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863)
- Segmentation fault after pack & ioctl & unpack (bsc#909695)
- Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog:
- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog


-----------------------------------------
Patch: SUSE-2017-631
Released: Fri Apr 21 13:11:16 2017
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 1029162,1034691
Description:

This update for cloud-regionsrv-client provides version 7.0.5 and brings the following fixes and improvements:

- Fix argument mismatch to resolve an issue with re-registration and SMT failover. (bsc#1034691)
- Implement plugins for EC2 and Azure to provide region hint in preparation of IPv6 support. (FATE#323081, bsc#1029162)

The following new sub-packages have been added to the Public Cloud Module 12:

- cloud-region-srv-client-plugin-ec2
- cloud-region-srv-client-plugin-azure
    
Additionally, python-dnspython has been added to the Public Cloud Module 12 on aarch64.


-----------------------------------------
Patch: SUSE-2017-635
Released: Sat Apr 22 10:13:50 2017
Summary: Security update for tigervnc
Severity: moderate
References: 1024929,1026833,1031045,1031875,1031877,1031879,1031886,1032272,1032880,CVE-2017-7392,CVE-2017-7393,CVE-2017-7394,CVE-2017-7395,CVE-2017-7396
Description:

This update for tigervnc provides the several fixes.

These security issues were fixed:

- CVE-2017-7392, CVE-2017-7396: Client can cause leak in VNC server (bsc#1031886)
- CVE-2017-7395: Authenticated VNC client can crash VNC server (bsc#1031877)
- CVE-2017-7394: Client can crash or block VNC server (bsc#1031879)
- CVE-2017-7393: Authenticated client can cause double free in VNC server (bsc#1031875)
- Prevent buffer overflow in VNC client, allowing for crashing the client (bnc#1032880)

These non-security issues were fixed:

- Prevent client disconnection caused by invalid cursor manipulation. (bsc#1024929, bsc#1031045)
- Readd index.vnc. (bsc#1026833)
- Crop operations to visible screen. (bnc#1032272)  


-----------------------------------------
Patch: SUSE-2017-643
Released: Tue Apr 25 19:11:45 2017
Summary: Recommended update for ruby2.1
Severity: important
References: 1014863,1035988
Description:

This update for ruby2.1 fixes a regression introduced by a previous update that
was intended to fix insufficient support for domain wildcards in the $no_proxy
environment variable.


-----------------------------------------
Patch: SUSE-2017-644
Released: Wed Apr 26 17:31:22 2017
Summary: Security update for tcpdump, libpcap
Severity: moderate
References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Description:

This update for tcpdump to version 4.9.0 and libpcap to version 1.8.1 fixes the several issues.

These security issues were fixed in tcpdump:

- CVE-2016-7922: The AH parser in tcpdump had a buffer overflow in print-ah.c:ah_print() (bsc#1020940).
- CVE-2016-7923: The ARP parser in tcpdump had a buffer overflow in print-arp.c:arp_print() (bsc#1020940).
- CVE-2016-7924: The ATM parser in tcpdump had a buffer overflow in print-atm.c:oam_print() (bsc#1020940).
- CVE-2016-7925: The compressed SLIP parser in tcpdump had a buffer overflow in print-sl.c:sl_if_print() (bsc#1020940).
- CVE-2016-7926: The Ethernet parser in tcpdump had a buffer overflow in print-ether.c:ethertype_print() (bsc#1020940).
- CVE-2016-7927: The IEEE 802.11 parser in tcpdump had a buffer overflow in print-802_11.c:ieee802_11_radio_print() (bsc#1020940).
- CVE-2016-7928: The IPComp parser in tcpdump had a buffer overflow in print-ipcomp.c:ipcomp_print() (bsc#1020940).
- CVE-2016-7929: The Juniper PPPoE ATM parser in tcpdump had a buffer overflow in print-juniper.c:juniper_parse_header() (bsc#1020940).
- CVE-2016-7930: The LLC/SNAP parser in tcpdump had a buffer overflow in print-llc.c:llc_print() (bsc#1020940).
- CVE-2016-7931: The MPLS parser in tcpdump had a buffer overflow in print-mpls.c:mpls_print() (bsc#1020940).
- CVE-2016-7932: The PIM parser in tcpdump had a buffer overflow in print-pim.c:pimv2_check_checksum() (bsc#1020940).
- CVE-2016-7933: The PPP parser in tcpdump had a buffer overflow in print-ppp.c:ppp_hdlc_if_print() (bsc#1020940).
- CVE-2016-7934: The RTCP parser in tcpdump had a buffer overflow in print-udp.c:rtcp_print() (bsc#1020940).
- CVE-2016-7935: The RTP parser in tcpdump had a buffer overflow in print-udp.c:rtp_print() (bsc#1020940).
- CVE-2016-7936: The UDP parser in tcpdump had a buffer overflow in print-udp.c:udp_print() (bsc#1020940).
- CVE-2016-7937: The VAT parser in tcpdump had a buffer overflow in print-udp.c:vat_print() (bsc#1020940).
- CVE-2016-7938: The ZeroMQ parser in tcpdump had an integer overflow in print-zeromq.c:zmtp1_print_frame() (bsc#1020940).
- CVE-2016-7939: The GRE parser in tcpdump had a buffer overflow in print-gre.c, multiple functions (bsc#1020940).
- CVE-2016-7940: The STP parser in tcpdump had a buffer overflow in print-stp.c, multiple functions (bsc#1020940).
- CVE-2016-7973: The AppleTalk parser in tcpdump had a buffer overflow in print-atalk.c, multiple functions (bsc#1020940).
- CVE-2016-7974: The IP parser in tcpdump had a buffer overflow in print-ip.c, multiple functions (bsc#1020940).
- CVE-2016-7975: The TCP parser in tcpdump had a buffer overflow in print-tcp.c:tcp_print() (bsc#1020940).
- CVE-2016-7983: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2016-7984: The TFTP parser in tcpdump had a buffer overflow in print-tftp.c:tftp_print() (bsc#1020940).
- CVE-2016-7985: The CALM FAST parser in tcpdump had a buffer overflow in print-calm-fast.c:calm_fast_print() (bsc#1020940).
- CVE-2016-7986: The GeoNetworking parser in tcpdump had a buffer overflow in print-geonet.c, multiple functions (bsc#1020940).
- CVE-2016-7992: The Classical IP over ATM parser in tcpdump had a buffer overflow in print-cip.c:cip_if_print() (bsc#1020940).
- CVE-2016-7993: A bug in util-print.c:relts_print() in tcpdump could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM) (bsc#1020940).
- CVE-2016-8574: The FRF.15 parser in tcpdump had a buffer overflow in print-fr.c:frf15_print() (bsc#1020940).
- CVE-2016-8575: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2017-5482 (bsc#1020940).
- CVE-2017-5202: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2017-5203: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2017-5204: The IPv6 parser in tcpdump had a buffer overflow in print-ip6.c:ip6_print() (bsc#1020940).
- CVE-2017-5205: The ISAKMP parser in tcpdump had a buffer overflow in print-isakmp.c:ikev2_e_print() (bsc#1020940).
- CVE-2017-5341: The OTV parser in tcpdump had a buffer overflow in print-otv.c:otv_print() (bsc#1020940).
- CVE-2017-5342: In tcpdump a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print() (bsc#1020940).
- CVE-2017-5482: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575 (bsc#1020940).
- CVE-2017-5483: The SNMP parser in tcpdump had a buffer overflow in print-snmp.c:asn1_parse() (bsc#1020940).
- CVE-2017-5484: The ATM parser in tcpdump had a buffer overflow in print-atm.c:sig_print() (bsc#1020940).
- CVE-2017-5485: The ISO CLNS parser in tcpdump had a buffer overflow in addrtoname.c:lookup_nsap() (bsc#1020940).
- CVE-2017-5486: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2015-3138: Fixed potential denial of service in print-wb.c (bsc#927637).
- CVE-2015-0261: Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value (bsc#922220).
- CVE-2015-2153: The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a crafted header length in an RPKI-RTR Protocol Data Unit (PDU) (bsc#922221).
- CVE-2015-2154: The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value (bsc#922222).
- CVE-2015-2155: The force printer in tcpdump allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors (bsc#922223).
- CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6 when in verbose mode, allowed remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame (bsc#905870).
- CVE-2014-8768: Multiple Integer underflows in the geonet_print function in tcpdump when run in verbose mode, allowed remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame (bsc#905871).
- CVE-2014-8769: tcpdump might have allowed remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access (bsc#905872).

These non-security issues were fixed in tcpdump:

- PPKI to Router Protocol: Fix Segmentation Faults and other problems
- RPKI to Router Protocol: print strings with fn_printn()
- Added a short option '#', same as long option '--number'
- nflog, mobile, forces, pptp, AODV, AHCP, IPv6, OSPFv4, RPL, DHCPv6 enhancements/fixes
- M3UA decode added.
- Added bittok2str().
- A number of unaligned access faults fixed
- The -A flag does not consider CR to be printable anymore
- fx.lebail took over coverity baby sitting
- Default snapshot size increased to 256K for accomodate USB captures

These non-security issues were fixed in libpcap:

- Provide a -devel-static subpackage that contains the static
  libraries and all the extra dependencies which are not needed
  for dynamic linking.
- Fix handling of packet count in the TPACKET_V3 inner loop
- Filter out duplicate looped back CAN frames.
- Fix the handling of loopback filters for IPv6 packets.
- Add a link-layer header type for RDS (IEC 62106) groups.
- Handle all CAN captures with pcap-linux.c, in cooked mode.
- Removes the need for the 'host-endian' link-layer header type.
- Have separate DLTs for big-endian and host-endian SocketCAN headers.
- Properly check for sock_recv() errors.
- Re-impose some of Winsock's limitations on sock_recv().
- Replace sprintf() with pcap_snprintf().
- Fix signature of pcap_stats_ex_remote().
- Have rpcap_remoteact_getsock() return a SOCKET and supply an 'is active' flag.
- Clean up {DAG, Septel, Myricom SNF}-only builds.
- pcap_create_interface() needs the interface name on Linux.
- Clean up hardware time stamp support: the 'any' device does not support any time stamp types.
- Recognize 802.1ad nested VLAN tag in vlan filter.
- Support for filtering Geneve encapsulated packets.
- Fix handling of zones for BPF on Solaris
- Added bpf_filter1() with extensions
- EBUSY can now be returned by SNFv3 code.
- Don't crash on filters testing a non-existent link-layer type field.
- Fix sending in non-blocking mode on Linux with memory-mapped capture.
- Fix timestamps when reading pcap-ng files on big-endian machines.
- Fixes for byte order issues with NFLOG captures
- Handle using cooked mode for DLT_NETLINK in activate_new().


-----------------------------------------
Patch: SUSE-2017-656
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Severity: low
References: 1019518,1025034
Description:

This update for sqlite3 provides the following fixes:

- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL.
  This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the
  in-memory journal in an inconsistent state and result in a segmentation fault.
  (bsc#1019518)


-----------------------------------------
Patch: SUSE-2017-668
Released: Tue May  2 16:45:00 2017
Summary: Security update for graphite2
Severity: important
References: 1035204,CVE-2017-5436
Description:

This update for graphite2 fixes one issue.

This security issues was fixed:

- CVE-2017-5436: An out-of-bounds write triggered with a maliciously crafted Graphite font could lead to a crash or potentially code execution (bsc#1035204).


-----------------------------------------
Patch: SUSE-2017-732
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Severity: low
References: 1030621
Description:

This update for procps fixes the following issues:

- Command w(1) with option -n doesn't work. (bsc#1030621)


-----------------------------------------
Patch: SUSE-2017-735
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Severity: low
References: 1036736,986783
Description:

This update for gpg2 provides the following fixes:

- Do not install CAcert and other root certificates which are not needed with
  Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)


-----------------------------------------
Patch: SUSE-2017-748
Released: Thu May 11 16:23:31 2017
Summary: Security update for MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk
Severity: important
References: 1015499,1015547,1021636,1026102,1030071,1035082,983639,CVE-2016-1950,CVE-2016-2834,CVE-2016-8635,CVE-2016-9574,CVE-2017-5429,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5469
Description:

Mozilla Firefox was updated to the Firefox ESR release 45.9.

Mozilla NSS was updated to support TLS 1.3 (close to release draft) and various new 
ciphers, PRFs, Diffie Hellman key agreement and support for more hashes.

Security issues fixed in Firefox (bsc#1035082)

- MFSA 2017-11/CVE-2017-5469: Potential Buffer overflow in flex-generated code
- MFSA 2017-11/CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
- MFSA 2017-11/CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
- MFSA 2017-11/CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
- MFSA 2017-11/CVE-2017-5437: Vulnerabilities in Libevent library
- MFSA 2017-11/CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
- MFSA 2017-11/CVE-2017-5435: Use-after-free during transaction processing in the editor
- MFSA 2017-11/CVE-2017-5434: Use-after-free during focus handling
- MFSA 2017-11/CVE-2017-5433: Use-after-free in SMIL animation functions
- MFSA 2017-11/CVE-2017-5432: Use-after-free in text input selection
- MFSA 2017-11/CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
- MFSA 2017-11/CVE-2017-5465: Out-of-bounds read in ConvolvePixel
- MFSA 2017-11/CVE-2017-5460: Use-after-free in frame selection
- MFSA 2017-11/CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
- MFSA 2017-11/CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
- MFSA 2017-11/CVE-2017-5447: Out-of-bounds read during glyph processing
- MFSA 2017-11/CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5442: Use-after-free during style changes
- MFSA 2017-11/CVE-2017-5443: Out-of-bounds write during BinHex decoding
- MFSA 2017-11/CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
- MFSA 2017-11/CVE-2017-5441: Use-after-free with selection during scroll events
- MFSA 2017-11/CVE-2017-5459: Buffer overflow in WebGL

Mozilla NSS was updated to 3.29.5, bringing new features and fixing bugs:

- Update to NSS 3.29.5:
  * MFSA 2017-11/CVE-2017-5461: Rare crashes in the base 64 decoder and encoder were fixed.
  * MFSA 2017-11/CVE-2017-5462: A carry over bug in the RNG was fixed.
  * CVE-2016-9574: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA (bsc#1015499).
  * requires NSPR >= 4.13.1

- Update to NSS 3.29.3

  * enables TLS 1.3 by default

- Fixed a bug in hash computation (and build with
  GCC 7 which complains about shifts of boolean values).
  (bsc#1030071, bmo#1348767)

- Update to NSS 3.28.3

  This is a patch release to fix binary compatibility issues.

- Update to NSS 3.28.1

  This is a patch release to update the list of root CA certificates.

  * The following CA certificates were Removed

    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3

  * The following CA certificates were Added

    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6

  * The version number of the updated root CA list has been set to 2.11

- Update to NSS 3.28

  New functionality:

  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:

    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that
      there is a difference between TLS 1.3 and key exporters in older
      versions of TLS. TLS 1.3 does not distinguish between an empty
      context and no context.
    - The TLS 1.3 (draft) protocol can be enabled, by defining
      NSS_ENABLE_TLS_1_3=1 when building NSS.
    - NSS includes support for the X25519 key exchange algorithm,
      which is supported and enabled by default in all versions of TLS.

  Notable Changes:

  * NSS can no longer be compiled with support for additional elliptic curves.
    This was previously possible by replacing certain NSS source files.
  * NSS will now detect the presence of tokens that support additional
    elliptic curves and enable those curves for use in TLS.
    Note that this detection has a one-off performance cost, which can be
    avoided by using the SSL_NamedGroupConfig function to limit supported
    groups to those that NSS provides.
  * PKCS#11 bypass for TLS is no longer supported and has been removed.
  * Support for 'export' grade SSL/TLS cipher suites has been removed.
  * NSS now uses the signature schemes definition in TLS 1.3.
    This also affects TLS 1.2. NSS will now only generate signatures with the
    combinations of hash and signature scheme that are defined in TLS 1.3,
    even when negotiating TLS 1.2.

    - This means that SHA-256 will only be used with P-256 ECDSA certificates,
      SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
      SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
      compatibility reasons.
    - NSS will now no longer assume that default signature schemes are
      supported by a peer if there was no commonly supported signature scheme.

  * NSS will now check if RSA-PSS signing is supported by the token that holds
    the private key prior to using it for TLS.
  * The certificate validation code contains checks to no longer trust
    certificates that are issued by old WoSign and StartCom CAs after
    October 21, 2016. This is equivalent to the behavior that Mozilla will
    release with Firefox 51.

- Update to NSS 3.27.2
  * Fixed SSL_SetTrustAnchors leaks (bmo#1318561)

  - raised the minimum softokn/freebl version to 3.28 as reported in (boo#1021636)

- Update to NSS 3.26.2

  New Functionality:

  * the selfserv test utility has been enhanced to support ALPN
    (HTTP/1.1) and 0-RTT
  * added support for the System-wide crypto policy available on
    Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
  * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
    of NSS without the libpkix library

  Notable Changes:

  * The following CA certificate was Added
    CN = ISRG Root X1
  * NPN is disabled and ALPN is enabled by default
  * the NSS test suite now completes with the experimental TLS 1.3
    code enabled
  * several test improvements and additions, including a NIST known answer test

  Changes in 3.26.2
  * MD5 signature algorithms sent by the server in CertificateRequest
    messages are now properly ignored. Previously, with rare server
    configurations, an MD5 signature algorithm might have been selected
    for client authentication and caused the client to abort the
    connection soon after.

- Update to NSS 3.25

  New functionality:

  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.

  Notable changes:

  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2
    OpenTrust Root CA G3

- Update to NSS 3.24

  New functionality:

  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a 'slot' into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
    (OCSP) responses or Signed Certificate Timestamps are not needed,
    since these can be added to the optional SSLExtraServerCertData struct
    provided to SSL_ConfigServerCert.  Also, partial support for RSA
    Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
    Although these certificates can be configured, they will not be
    used by NSS in this version.
  * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
    Instead, applications should use the newly added attribute authType.
  * Add a shared library (libfreeblpriv3) on Linux platforms that
    define FREEBL_LOWHASH.
  * Remove most code related to SSL v2, including the ability to actively
    send a SSLv2-compatible client hello. However, the server-side
    implementation of the SSL/TLS protocol still supports processing
    of received v2-compatible client hello messages.
  * Disable (by default) NSS support in optimized builds for logging SSL/TLS
    key material to a logfile if the SSLKEYLOGFILE environment variable
    is set. To enable the functionality in optimized builds, you must define
    the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
  * Update NSS to protect it against the Cachebleed attack.
  * Disable support for DTLS compression.
  * Improve support for TLS 1.3. This includes support for DTLS 1.3.
    Note that TLS 1.3 support is experimental and not suitable for
    production use.

- Update to NSS 3.23

  New functionality:

  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use.

  Notable changes:

  * The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with with servers
  * The build time environment variable NSS_ENABLE_ZLIB has been
    renamed to NSS_SSL_ENABLE_ZLIB
  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
    added, which can be used to prevent compilation of the
    ChaCha20/Poly1305 code.
  * The following CA certificates were Removed

    - Staat der Nederlanden Root CA
    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
    - VeriSign Class 1 Public PCA - G2
    - VeriSign Class 3 Public PCA
    - VeriSign Class 3 Public PCA - G2
    - CA Disig

  * The following CA certificates were Added

    + SZAFIR ROOT CA2
    + Certum Trusted Network CA 2

  * The following CA certificate had the Email trust bit turned on

    + Actalis Authentication Root CA

  Security fixes:
  * CVE-2016-2834: Memory safety bugs (boo#983639)
    MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037

- Update to NSS 3.22.3
  * Increase compatibility of TLS extended master secret,
    don't send an empty TLS extension last in the handshake
    (bmo#1243641)
  * Fixed a heap-based buffer overflow related to the parsing of
    certain ASN.1 structures. An attacker could create a specially-crafted
    certificate which, when parsed by NSS, would cause a crash or
    execution of arbitrary code with the permissions of the user.
    (CVE-2016-1950, bmo#1245528)

- Update to NSS 3.22.2

  New functionality:

  * RSA-PSS signatures are now supported (bmo#1215295)
  * Pseudorandom functions based on hashes other than SHA-1 are now supported
  * Enforce an External Policy on NSS from a config file (bmo#1009429)

- CVE-2016-8635: Fix for DH small subgroup confinement attack (bsc#1015547)

Mozilla NSPR was updated to version 4.13.1:

  The previously released version 4.13 had changed pipes to be
  nonblocking by default, and as a consequence, PollEvent was
  changed to not block on clear.
  The NSPR development team received reports that these changes
  caused regressions in some applications that use NSPR, and it
  has been decided to revert the changes made in NSPR 4.13.
  NSPR 4.13.1 restores the traditional behavior of pipes and
  PollEvent.

Mozilla NSPR update to version 4.13 had these changes:

- PL_strcmp (and others) were fixed to return consistent results
    when one of the arguments is NULL.
- PollEvent was fixed to not block on clear.
- Pipes are always nonblocking.
- PR_GetNameForIdentity: added thread safety lock and bound checks.
- Removed the PLArena freelist.
- Avoid some integer overflows.
- fixed several comments.

This update also contains java-1_8_0-openjdk that needed to be rebuilt against the new
mozilla-nss version.


-----------------------------------------
Patch: SUSE-2017-750
Released: Thu May 11 16:34:15 2017
Summary: Recommended update for supportutils
Severity: low
References: 1014481,1023308,1030657,995625
Description:

This update for supportutils provides the following fixes:

- Added URI to zypper repos list (bsc#995625)
- Added curl timeout for shorter access times (bsc#1014481)
- Fixed detailed unit information on sle12sp2 (bsc#1023308)
- Added PPC commands and logs (bsc#1030657)



-----------------------------------------
Patch: SUSE-2017-751
Released: Thu May 11 17:14:30 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1010220,1025398,1025886,1028263,1028610,1029183,1029691,1030290,1031355,1032538,1032660,1033855,1034565,955770
Description:

This update for systemd provides the following fixes:

- logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
- importd: Support SUSE style checksums. (fate#322054)
- journal: Don't remove leading spaces. (bsc#1033855)
- Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
- hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
- logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
- core: Treat masked files as 'unchanged'. (bsc#1032538)
- units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
- udev: Support predictable ifnames on vio buses. (bsc#1029183)
- udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
- units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
- core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
- vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
- udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
- Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)


-----------------------------------------
Patch: SUSE-2017-756
Released: Fri May 12 12:57:39 2017
Summary: Recommended update for autofs
Severity: low
References: 1031533,998078
Description:

This update for autofs fixes the following issues:

- Do not add wildcard key to negative cache. (bsc#1031533)
- Fix typo in DEFAULT_AUTH_CONFIG_FILE definition. (bsc#998078)


-----------------------------------------
Patch: SUSE-2017-761
Released: Mon May 15 16:51:15 2017
Summary: Recommended update for wicked
Severity: moderate
References: 1007909,1009801,1021914,1025757,1026683,1026780,1027231,1029133,1030053
Description:

This update provides Wicked 0.6.40, which brings the following fixes and enhancements:

- fsm: Clone bound config and cleanup references fixing ifindex reference handling in
  iBFT vlan configuration. (bsc#1030053)
- updater: Fix to not leave orphaned background jobs on device delete, causing to block
  processing of synchronized jobs. (bsc#1029133)
- vxlan: Add initial support. (bsc#1026780)
- dhcp: Correct and complete fqdn option support. (bsc#1025757)
- bonding: Properly send primary reselect to kernel, (bsc#1027231)
- dbus: Fix caller-uid timeout to 15sec, not 15ms. (bsc#1026683)
- ethtool: Handle ring,coalesce,eee parameters. (bsc#1007909)
- bond: Fix xmit-hash-policy option mismatch. (bsc#1021914)
- ifconfig: Avoid timeouts on large number of IPs by performing IPv4 duplicate address
  detection, apply and sending gratuitous ARP for chunks of multiple addresses at once.
  (bsc#1009801)


-----------------------------------------
Patch: SUSE-2017-793
Released: Tue May 16 15:40:43 2017
Summary: Security update for libxslt
Severity: moderate
References: 1005591,1035905,934119,952474,CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Description:

 This update for libxslt fixes the following issues:
 

- CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check 
for integer overflow during a size calculation, which allowed a remote attacker 
to perform an out of bounds memory write via a crafted HTML page (bsc#1035905).

- CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator 
could cause a heap overread. This can be exploited to leak a couple of bytes after 
the buffer that holds the pattern string (bsc#1005591).

- CVE-2015-9019: Properly initialize random generator (bsc#934119).

- CVE-2015-7995: Vulnerability in function xsltStylePreCompute' in preproc.c could cause a 
type confusion leading to DoS. (bsc#952474)

 

-----------------------------------------
Patch: SUSE-2017-794
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:

This update for bash fixes an issue that could lead to syntax errors when parsing
scripts that use expr(1) inside loops.

Additionally, the popd build-in now ensures that the normalized stack offset is
within bounds before trying to free that stack entry. This fixes a segmentation
fault.


-----------------------------------------
Patch: SUSE-2017-796
Released: Tue May 16 15:41:58 2017
Summary: Security update for libtirpc
Severity: important
References: 1037559,CVE-2017-8779
Description:

This update for libtirpc fixes the following issues:

-  CVE-2017-8779: crafted UDP packaged could lead  rpcbind to denial-of-service  (bsc#1037559)




-----------------------------------------
Patch: SUSE-2017-799
Released: Wed May 17 00:21:13 2017
Summary: Recommended update for glibc
Severity: low
References: 1026224,1035445
Description:

This update for glibc introduces basic support for IBM POWER9 systems. Additionally,
an improper assert in dlclose() has been removed.


-----------------------------------------
Patch: SUSE-2017-803
Released: Thu May 18 12:24:33 2017
Summary: Security update for rpcbind
Severity: important
References: 1037559,CVE-2017-8779
Description:

This update for rpcbind fixes the following issues:

  - CVE-2017-8779: A crafted UDP package could lead rcpbind to remote denial-of-service (bsc#1037559)



-----------------------------------------
Patch: SUSE-2017-817
Released: Thu May 18 16:04:32 2017
Summary: Recommended update for lua
Severity: low
References: 1010089
Description:

This update provides Lua 5.2.4, which brings fixes for the following issues:

- Wrong overflow check in table.unpack
- Ephemeron table wrongly collecting strong keys
- Crash in chunks that are too long
- Garbage collector can trigger too many times in recursive loops
- Wrong assert when reporting concatenation errors
- Wrong error message in some short-cut expressions
- luac listings choke on long strings
- Reorder items in private Table struct, restoring ABI compatibility.


-----------------------------------------
Patch: SUSE-2017-834
Released: Mon May 22 10:38:07 2017
Summary: Security update for libsndfile
Severity: moderate
References: 1033054,1033914,1033915,1036943,1036944,1036945,1036946,1038856,CVE-2017-7585,CVE-2017-7741,CVE-2017-7742,CVE-2017-8361,CVE-2017-8362,CVE-2017-8363,CVE-2017-8365
Description:

This update for libsndfile fixes the following issues:

- CVE-2017-8361: Global buffer overflow in flac_buffer_copy. (bsc#1036946)
- CVE-2017-8362: Invalid memory read in flac_buffer_copy. (bsc#1036943)
- CVE-2017-8363: Heap-based buffer overflow in flac_buffer_copy. (bsc#1036945)
- CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based buffer overflows via specially
  crafted FLAC files. (bsc#1033054)


-----------------------------------------
Patch: SUSE-2017-843
Released: Tue May 23 15:36:45 2017
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 1027038,1038505,CVE-2016-2183,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843,CVE-2017-1289,CVE-2017-3509,CVE-2017-3514,CVE-2017-3533,CVE-2017-3539,CVE-2017-3544
Description:

This update for java-1_6_0-ibm fixes the following issues:

- Version update to 6.0-16.45 bsc#1038505

  - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c
  - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c
  - CVE-2016-9842: zlib: Undefined left shift of negative number
  - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer
  - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data
  - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections 
  - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification 
  - CVE-2017-3533: OpenJDK: newline injection in the FTP client
  - CVE-2017-3544: OpenJDK: newline injection in the SMTP client

- Version update to 6.0-16.40 bsc#1027038 CVE-2016-2183



-----------------------------------------
Patch: SUSE-2017-865
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:

This update for pam fixes the following issues:
 

- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

 

-----------------------------------------
Patch: SUSE-2017-870
Released: Fri May 26 13:58:57 2017
Summary: Recommended update for sysstat
Severity: low
References: 1031674
Description:

This update for sysstat provides the following fix:

- Properly specify you want to be started by multi-user.target (bsc#1031674)



-----------------------------------------
Patch: SUSE-2017-872
Released: Fri May 26 14:05:10 2017
Summary: Recommended update for ntp
Severity: low
References: 1034892
Description:

This update for ntp provides the following fix:

- Fix systemd migration in %pre (bsc#1034892)


-----------------------------------------
Patch: SUSE-2017-873
Released: Fri May 26 16:19:47 2017
Summary: Recommended update for e2fsprogs
Severity: low
References: 1009532,960273
Description:

This update for e2fsprogs provides the following fixes:

- Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows
  resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
- Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled.
  (bsc#960273)


-----------------------------------------
Patch: SUSE-2017-877
Released: Mon May 29 15:11:48 2017
Summary: Recommended update for cryptsetup
Severity: low
References: 1031998
Description:

This update for cryptsetup provides the following fix:

- Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)


-----------------------------------------
Patch: SUSE-2017-891
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:

This update for libxml2 fixes the following issues:

- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)



-----------------------------------------
Patch: SUSE-2017-895
Released: Wed May 31 15:00:15 2017
Summary: Recommended update for python-pyasn1
Severity: low
References: 1002895
Description:

The python-pyasn1 module was updated to version 0.1.9, which provides the following fixes
and enhancements:

- Wheel distribution format is now supported.
- Fix to make uninitialized pyasn1 objects fail properly on hash().
- Fix to ObjectIdentifier initialization from unicode string.
- Fix to CER/DER Boolean decoder: fail on non single-octet payload.


-----------------------------------------
Patch: SUSE-2017-907
Released: Thu Jun  1 14:23:36 2017
Summary: Recommended update for shadow
Severity: low
References: 1003978,1031643
Description:

This update for shadow fixes the following issues:

- Dynamically added users via pam_group are not listed in groups databases but are
  still valid. (bsc#1031643)
- useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire
  possible UID/GID was iterated to find an available UID/GID. This could take long time
  over a network device. Instead, find available UID/GID locally, and then check only
  those values over network. (bsc#1003978)


-----------------------------------------
Patch: SUSE-2017-910
Released: Fri Jun  2 15:02:55 2017
Summary: Security update for libnettle
Severity: moderate
References: 991464,CVE-2016-6489
Description:
This update for libnettle fixes the following issues:

-  CVE-2016-6489:
  * Reject invalid RSA keys with even modulo.
  * Check for invalid keys, with even p, in dsa_sign().
  * Use function mpz_powm_sec() instead of mpz_powm() (bsc#991464).


-----------------------------------------
Patch: SUSE-2017-918
Released: Tue Jun  6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:

This update for libsemanage, selinux-policy fixes the following issues:

- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)


-----------------------------------------
Patch: SUSE-2017-925
Released: Thu Jun  8 12:58:42 2017
Summary: Recommended update for freetype2
Severity: low
References: 1038506
Description:

This update for freetype2 fixes an issue within handling of very large fonts which
could lead to corrupted characters in the boot splash screen of systems configured
to use the Korean language.


-----------------------------------------
Patch: SUSE-2017-936
Released: Fri Jun  9 13:31:48 2017
Summary: Recommended update for supportutils
Severity: low
References: 1013119,1026175,1030448,1035683
Description:

This update for supportutils provides the following fixes:

- Fixed IFS in iscsi_info. (bsc#1030448)
- Added -T to dmesg for readability. (bsc#1013119)
- Removed kpagecgroup in proc.txt. (bsc#1026175)
- Fixed ocfs2 processing when not configured. (bsc#1035683)


-----------------------------------------
Patch: SUSE-2017-939
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:

* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)


-----------------------------------------
Patch: SUSE-2017-943
Released: Mon Jun 12 16:44:20 2017
Summary: Recommended update for cups
Severity: low
References: 1021133,955432,990045
Description:

This update for cups fixes the following issues:

- Avahi sends an ALL_FOR_NOW event when it finishes sending its cache contents.
  This patch makes cupsEnumDests finish when the signal is received so it doesn't
  block the caller until the timeout finishes. (bsc#955432, fate#322052)
- The scheduler didn't log messages for jobs at LogLevel 'info'. (bsc#1021133, bsc#990045)


-----------------------------------------
Patch: SUSE-2017-959
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Severity: low
References: 1043580
Description:

This update for gcc5 fixes the version of libffi in its pkg-config configuration file.


-----------------------------------------
Patch: SUSE-2017-962
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non security bugs fixed:

- Let OpenLDAP read system-wide certificates by default and don't hide the error if
  the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)



-----------------------------------------
Patch: SUSE-2017-985
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-9526: Store the session key in secure memory to ensure that constant
  time point operations are used in the MPI library.  (bsc#1042326)

- Don't require secure memory for the fips selftests, this prevents the
  'Oops, secure memory pool already initialized' warning. (bsc#931932)


-----------------------------------------
Patch: SUSE-2017-990
Released: Mon Jun 19 17:19:44 2017
Summary: Security update for glibc
Severity: important
References: 1039357,1040043,CVE-2017-1000366
Description:
This update for glibc fixes the following issues:

- CVE-2017-1000366: Fix a potential privilege escalation vulnerability that
  allowed unprivileged system users to manipulate the stack of setuid binaries
  to gain special privileges. [bsc#1039357]

- A bug in glibc that could result in deadlocks between malloc() and fork() has
  been fixed. [bsc#1040043]


-----------------------------------------
Patch: SUSE-2017-1025
Released: Thu Jun 22 22:44:21 2017
Summary: Recommended update for xfsprogs
Severity: low
References: 1034045,1037376
Description:
This update for xfsprogs provides the following fixes:

- Moved dracut files to accommodate JeOS (bsc#1037376).
- Don't call xfs_sb_quota_from_disk twice in xfs_repair(8). (bsc#1034045)


-----------------------------------------
Patch: SUSE-2017-1033
Released: Fri Jun 23 16:38:55 2017
Summary: Recommended update for e2fsprogs
Severity: low
References: 1038194
Description:

This update for e2fsprogs provides the following fixes:

- Don't ignore fsync errors in libext2fs. (bsc#1038194)
- Fix fsync(2) detection in libext2fs. (bsc#1038194)


-----------------------------------------
Patch: SUSE-2017-1034
Released: Mon Jun 26 08:09:55 2017
Summary: Security update for cairo
Severity: moderate
References: 1007255,1036789,CVE-2016-9082,CVE-2017-7475
Description:
This update for cairo fixes the following issues:

- CVE-2017-7475: Fixed a segfault in get_bitmap_surface due to malformed font
  (bsc#1036789).
- CVE-2016-9082: fix a segfault when using >4GB images since int values were used
  for pointer operations (bsc#1007255).



-----------------------------------------
Patch: SUSE-2017-1036
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)


-----------------------------------------
Patch: SUSE-2017-1037
Released: Mon Jun 26 10:22:34 2017
Summary: Security update for xorg-x11-server
Severity: moderate
References: 1019649,1021803,1025029,1025035,1025084,1025985,1032509,1039042,CVE-2017-2624
Description:

This update for xorg-x11-server provides the following fixes:

- Remove unused function with use-after-free issue. (bsc#1025035)
- Use arc4random to generate cookies. (bsc#1025084)
- Prevent timing attack against MIT cookie. (bsc#1025029, CVE-2017-2624)
- XDrawArc performance improvement. (bsc#1019649)
- Re-enable indirect GLX by default. (bsc#1039042)
- Add IndirectGLX ServerFlags option which allows users to enable or disable indirect GLX. (bsc#1032509)
- Fix dashing in GLAMOR. (bsc#1021803)
- Fix X server crash on drawing dashed lines. (bsc#1025985)


-----------------------------------------
Patch: SUSE-2017-1040
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:

- Show version numbers of modules where they are available (bsc#1043237) 


-----------------------------------------
Patch: SUSE-2017-1062
Released: Wed Jun 28 21:14:17 2017
Summary: Security update for apache2
Severity: moderate
References: 1035829,1041830,1045060,1045062,1045065,CVE-2017-3167,CVE-2017-3169,CVE-2017-7679
Description:

This update for apache2 provides the following fixes:

Security issues fixed:

- CVE-2017-3167: In Apache use of httpd ap_get_basic_auth_pw() outside
  of the authentication phase could lead to authentication requirements
  bypass (bsc#1045065)
- CVE-2017-3169: In mod_ssl may have a dereference NULL pointer issue
  which could lead to denial of service (bsc#1045062)
- CVE-2017-7679: In mod_mime can buffer over-read by 1 byte, potentially
  leading to a crash or information disclosure (bsc#1045060)

Non-Security issues fixed:

- Remove /usr/bin/http2 symlink only during apache2 package uninstall, not upgrade. (bsc#1041830)
- In gensslcert, use hostname when fqdn is too long. (bsc#1035829)



-----------------------------------------
Patch: SUSE-2017-1063
Released: Wed Jun 28 21:15:03 2017
Summary: Security update for vim
Severity: moderate
References: 1018870,1024724,1027053,1027057,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350
Description:

This update for vim fixes the following issues:

Security issues fixed:

- CVE-2017-5953: Fixed a possible overflow with corrupted spell file (bsc#1024724)
- CVE-2017-6350: Fixed a possible overflow when reading a corrupted undo file (bsc#1027053)
- CVE-2017-6349: Fixed a possible overflow when reading a corrupted undo file (bsc#1027057)


Non security issues fixed:

- Speed up YAML syntax highlighting (bsc#1018870)



-----------------------------------------
Patch: SUSE-2017-1080
Released: Thu Jun 29 22:20:57 2017
Summary: Security update for bind
Severity: important
References: 1046554,1046555,CVE-2017-3142,CVE-2017-3143
Description:
This update for bind fixes the following issues:

- An attacker with the ability to send and receive messages to an authoritative
  DNS server was able to circumvent TSIG authentication of AXFR requests. A
  server that relied solely on TSIG keys for protection could be manipulated
  into (1) providing an AXFR of a zone to an unauthorized recipient and (2)
  accepting bogus Notify packets. [bsc#1046554, CVE-2017-3142]

- An attacker who with the ability to send and receive messages to an
  authoritative DNS server and who had knowledge of a valid TSIG key name for
  the zone and service being targeted was able to manipulate BIND into
  accepting an unauthorized dynamic update. [bsc#1046555, CVE-2017-3143]


-----------------------------------------
Patch: SUSE-2017-1082
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:

- Change logrotate from Requires to Recommends (bsc#1045943)


-----------------------------------------
Patch: SUSE-2017-1085
Released: Fri Jun 30 15:35:20 2017
Summary: Security update for unrar
Severity: important
References: 1045315,CVE-2012-6706
Description:
This update for unrar fixes the following issues:

- CVE-2012-6706: decoding malicious RAR files could have lead to memory corruption or code execution. (bsc#1045315).


-----------------------------------------
Patch: SUSE-2017-1086
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ]



-----------------------------------------
Patch: SUSE-2017-1099
Released: Tue Jul  4 15:03:53 2017
Summary: Recommended update for tuned
Severity: low
References: 1023996
Description:

This update for tuned provides the following fixes:

- Increase force-latency from 1 to 70 for latency-performance, sap-hana and
  sap-hana-vmware profiles to fix some performance regressions. (bsc#1023996)


-----------------------------------------
Patch: SUSE-2017-1104
Released: Tue Jul  4 16:13:55 2017
Summary: Security update for systemd
Severity: moderate
References: 1004995,1029102,1029516,1036873,1038865,1040258,1040614,1040942,1043758,982303,CVE-2017-9217
Description:
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

The update also fixed several non-security bugs:

- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was
  shipping no sysv init scripts nor unit files (at the time --save was
  called) but the new version start shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)



-----------------------------------------
Patch: SUSE-2017-1116
Released: Thu Jul  6 11:37:18 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)


-----------------------------------------
Patch: SUSE-2017-1119
Released: Fri Jul  7 11:23:20 2017
Summary: Recommended update for ncurses
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does
  not need it anymore and as well as it causes bug bsc#1000662 


-----------------------------------------
Patch: SUSE-2017-1124
Released: Fri Jul  7 19:32:38 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1134
Released: Tue Jul 11 17:56:26 2017
Summary: Security update for libICE
Severity: moderate
References: 1025068,CVE-2017-2626
Description:
This update for libICE fixes the following issues:

- CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies
  predictable. A more random generation method has been implemented. (boo#1025068)



-----------------------------------------
Patch: SUSE-2017-1142
Released: Wed Jul 12 15:48:23 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:

This update for openssh provides the following fixes:

- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch,
  users using the IBMCA engine are not able to perform ssh login as the filter blocks the
  communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.


-----------------------------------------
Patch: SUSE-2017-1143
Released: Wed Jul 12 15:49:13 2017
Summary: Recommended update for Docker, RunC, Containerd
Severity: moderate
References: 1026827,1028113,1028638,1028639,1030702,1032287,1032644,1032769,1034053,1034063,1037436,1037607,1038476,1038493,1040618,953182,964546,996303,CVE-2017-8932
Description:

This update for Containerd, Docker and RunC provides several fixes and enhancements.

Containerd:

- Update containerd to the version needed for docker-v17.04.0-ce. (bsc#1034053) 
- Fix spurious messages filling journal. (bsc#1032769)
- Set TasksMax=infinity to make sure runC doesn't start failing randomly.

Docker:

- Update to version 17.04.0-ce. (bsc#1034053)
- Fix execids leaks due to bad error handling. (bsc#1037436)
- Make Apparmor's pkg/aaparser work on read-only root. (bsc#1037607)
- Improve Docker's systemd configuration. (bsc#1032287)
- Check if the docker binary is available before attempting to use it. (bsc#1038476)
- Build man pages for all architectures. (bsc#953182)
- Fix DNS resolution when Docker host uses 127.0.0.1 as resolver. (bsc#1034063)
- Enable Delegate=yes, since systemd will safely ignore lvalues it doesn't understand.
- Update SUSE secrets patch to handle bsc#1030702.
- Change lvm2 from Requires to Recommends: Docker usually uses a default storage driver,
  when it's not configured explicitly. This default driver then depends on the underlying
  system and gets chosen during installation. (bsc#1032644)
- Disable libseccomp for Leap 42.1, SLE 12 and 12-SP1, because docker needs a higher version.
  Otherwise, we get the error 'conditional filtering requires libseccomp version >= 2.2.1.
  (bsc#1028639, bsc#1028638)
- Add a backport of fix to AppArmor lazy loading docker-exec case.
- Fix systemd TasksMax default which could throttle docker. (bsc#1026827)
- Enable pkcs11

For a comprehensive list of changes please refer to /usr/share/doc/packages/docker/CHANGELOG.md

RunC:

- Update version to the one required by docker-17.04.0-ce. (bsc#1034053) 
- Make sure to ignore cgroup v2 mountpoints. (bsc#1028113)


-----------------------------------------
Patch: SUSE-2017-1148
Released: Fri Jul 14 12:03:31 2017
Summary: Security update for xorg-x11-server
Severity: important
References: 1035283,CVE-2017-10971,CVE-2017-10972
Description:
This update for xorg-x11-server provides the following fixes:

- CVE-2017-10971: Fix endianess handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283)
- Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the
  allowed range.
- CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage.



-----------------------------------------
Patch: SUSE-2017-1153
Released: Fri Jul 14 12:37:10 2017
Summary: Security update for libXdmcp
Severity: moderate
References: 1025046,CVE-2017-2625
Description:
This update for libXdmcp fixes the following issues:

- CVE-2017-2625: The generation of session key in XDM using libXdmcp might have used weak entropy, making
  the session keys predictable (bsc#1025046)



-----------------------------------------
Patch: SUSE-2017-1157
Released: Fri Jul 14 17:17:33 2017
Summary: Security update for compat-libgcrypt11
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following security issue:

- CVE-2017-7526: Hardening against local side-channel attack. (bsc#1046607)


-----------------------------------------
Patch: SUSE-2017-1160
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)


-----------------------------------------
Patch: SUSE-2017-1167
Released: Tue Jul 18 12:27:50 2017
Summary: Recommended update for sle-module-containers-release
Severity: low
References: 1048336
Description:

The Containers Module was erroneously reported as unsupported. This update extends its lifetime
until 2019-06-31.


-----------------------------------------
Patch: SUSE-2017-1174
Released: Wed Jul 19 11:12:51 2017
Summary: Security update for systemd, dracut
Severity: important
References: 1032029,1033238,1037120,1040153,1040968,1043900,1045290,1046750,986216,CVE-2017-9445
Description:
This update for systemd and dracut fixes the following issues:

Security issues fixed:

- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload
  from a DNS server. (bsc#1045290)

Non-security issues fixed in systemd:

- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

Non-security issues fixed in dracut:

- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)
- Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)


-----------------------------------------
Patch: SUSE-2017-1191
Released: Thu Jul 20 17:16:11 2017
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2017-1192
Released: Thu Jul 20 20:07:36 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1220
Released: Wed Jul 26 14:16:15 2017
Summary: Security update for apache2
Severity: moderate
References: 1023616,1043055,1048576,CVE-2017-9788
Description:
This update for apache2 fixes the following issues:

Security issue fixed:

- CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest. (bsc#1048576)

Bug fixes:

- Include individual sysconfig.d files instead of the whole sysconfig.d directory.
- Include sysconfig.d/include.conf after httpd.conf is processed. (bsc#1023616, bsc#1043055)


-----------------------------------------
Patch: SUSE-2017-1222
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Severity: low
References: 1034563,1039941
Description:

This update for procps provides the following fixes:

- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set


-----------------------------------------
Patch: SUSE-2017-1226
Released: Thu Jul 27 14:28:12 2017
Summary: Recommended update for dracut
Severity: moderate
References: 1032029,1032284,1033238,1040153,1043900,1048565,986216
Description:
This update for dracut fixes the following issues:

- Switch FIPS checking to use the libkcapi based fipscheck toolset. (bsc#1048565)
- With iscsiroot, call handle_firmware only for non-iface invocations. (bsc#1032284)
- Bail out if module directory does not exist. (bsc#1043900)
- Suppress bogus error message. (bsc#1032029)
- Fix module force loading with systemd. (bsc#986216)
- Ship udev files required by systemd. (bsc#1040153)


-----------------------------------------
Patch: SUSE-2017-1243
Released: Wed Aug  2 16:00:30 2017
Summary: Recommended update for lsscsi
Severity: low
References: 1008935,1047884
Description:
This update for lsscsi provides the following fixes:

- Fix the detection of the WWN for SCSI disks (bsc#1008935)
- Fix the output of 'lsscsi -t' (bsc#1047884)


-----------------------------------------
Patch: SUSE-2017-1245
Released: Thu Aug  3 10:43:15 2017
Summary: Security update for systemd
Severity: moderate
References: 1004995,1029102,1029516,1032029,1033238,1036873,1037120,1038865,1040153,1040258,1040614,1040942,1040968,1043758,1043900,1045290,1046750,982303,986216,CVE-2017-9217,CVE-2017-9445
Description:
This update for systemd provides several fixes and enhancements.

Security issues fixed:

- CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
- CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload
  from a DNS server. (bsc#1045290)

The update also fixed several non-security bugs:

- core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
- automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
- automount: Rework propagation between automount and mount units
- build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
- build: Fix systemd-journal-upload installation
- basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
- virt: Make sure some errors are not ignored
- fstab-generator: Do not skip Before= ordering for noauto mountpoints
- fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
- core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
- fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
- job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
- job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
- rules: Export NVMe WWID udev attribute (bsc#1038865)
- rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
- rules: Add rules for NVMe devices
- sysusers: Make group shadow support configurable (bsc#1029516)
- core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
- core: Introduce cg_mask_from_string()/cg_mask_to_string()
- core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
- Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303)
  The database might be missing when upgrading a package which was
  shipping no sysv init scripts nor unit files (at the time --save was
  called) but the new version start shipping unit files.
- Disable group shadow support (bsc#1029516)
- Only check signature job error if signature job exists (bsc#1043758)
- Automounter issue in combination with NFS volumes (bsc#1040968)
- Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)


-----------------------------------------
Patch: SUSE-2017-1250
Released: Thu Aug  3 13:49:24 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1259
Released: Fri Aug  4 18:35:44 2017
Summary: Recommended update for release-notes-sles
Severity: low
References: 1048014,1048332,1049272,1049493
Description:
The Release Notes of SUSE Linux Enterprise Server 12 SP3 have been updated to document:

- Updated Btrfs feature table. (bsc#1048014)
- Establishing an NVMe-over-Fabrics connection. (fate#321536, bsc#1049272)
- Encryption improvements using hardware optimizations. (fate#321642)
- Shorter Time to Filter and Save Kdump's /proc/vmcore. (fate#321842)
- Device Driver ibmvnic. (fate#322021)
- Ceph client support on z Systems and POWER. (fate#321098, bsc#1048332)


-----------------------------------------
Patch: SUSE-2017-1268
Released: Mon Aug  7 10:09:19 2017
Summary: Recommended update for openssl
Severity: moderate
References: 1019637,1027079,1027688,1027908,1028281,1028723,1029523,1042392,1044095,1044107,1044175,902364
Description:
This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation:

- Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32
  problem (bsc#1027908)
- Use getrandom syscall instead of reading from /dev/urandom to get
  at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175)
- Fix x86 extended feature detection (bsc#1029523)
- Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap'
  environmental variable (bsc#1028723)
- s_client sent empty client certificate (bsc#1028281)
  Add back certificate initialization set_cert_key_stuff()
  which was removed in a previous update.
- Fix a bug in XTS key handling (bsc#1019637)
- Don't run FIPS power-up self-tests when the checksum files aren't
  installed (bsc#1042392)


-----------------------------------------
Patch: SUSE-2017-1279
Released: Mon Aug  7 14:46:40 2017
Summary: Security update for ncurses
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken
  termcap format (bsc#1046853, bsc#1046858, bsc#1049344)



-----------------------------------------
Patch: SUSE-2017-1299
Released: Tue Aug  8 12:55:31 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:

This update for openssh provides the following fixes:

- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch,
  users using the IBMCA engine are not able to perform ssh login as the filter blocks the
  communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.


-----------------------------------------
Patch: SUSE-2017-1309
Released: Tue Aug  8 16:56:31 2017
Summary: Recommended update for yast2-network
Severity: low
References: 1037727,1038717,1039851,1046198,1050986
Description:
This update for yast2-network provides the following fixes:

- Avoid creating duplicate udev rules in AutoYaST installation. (bsc#1038717)
- Create udev rules correctly when more than one device is being configured. (bsc#1050986)
- Display a warning in AutoYaST installation when importing the DNS configuration with
  disabled second stage (the second stage is currently required for writing the configuration).
  (bsc#1046198)
- Change dhclient configuration warning messages to not block AutoYaST. (bsc#1037727)
- Load /etc/hosts entries before import the ones defined in a given AutoYaST profile
  making it backward compatible. (bsc#1039851)


-----------------------------------------
Patch: SUSE-2017-1316
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:

This update for cyrus-sasl provides the following fixes:

- Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists   
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)


-----------------------------------------
Patch: SUSE-2017-1326
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)


-----------------------------------------
Patch: SUSE-2017-1330
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:

- Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661)


-----------------------------------------
Patch: SUSE-2017-1333
Released: Tue Aug 15 17:59:30 2017
Summary: Optional update for libverto
Severity: low
References: 1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.


-----------------------------------------
Patch: SUSE-2017-1334
Released: Tue Aug 15 20:09:03 2017
Summary: Recommended update for systemd
Severity: important
References: 1048679,874665
Description:
This update for systemd fixes the following issues:

- compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
- fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
- timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.


-----------------------------------------
Patch: SUSE-2017-1335
Released: Wed Aug 16 11:24:21 2017
Summary: Security update for curl
Severity: moderate
References: 1051643,1051644,CVE-2017-1000100,CVE-2017-1000101
Description:
This update for curl fixes the following issues:

- CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
- CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)


-----------------------------------------
Patch: SUSE-2017-1347
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Severity: important
References: 1053409
Description:
This update for procps fixes the following issues:

- Fix a regression introduced in a previous update that would result in sysctl
  dying with a SIGSEGV error (bsc#1053409).


-----------------------------------------
Patch: SUSE-2017-1349
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)


-----------------------------------------
Patch: SUSE-2017-1352
Released: Fri Aug 18 18:17:48 2017
Summary: Recommended update for SuSEfirewall2
Severity: low
References: 1044523,906136,946325,963740
Description:
This update for SuSEfirewall2 provides the following fixes:

- Make SuSEfirewall2 check for existing configuration in more sysctl.d style directories to
  allow packages and the user to create overrides easily (bsc#1044523)
- Add support for customizing the sysctl paths to be scanned for existing configuration by
  changing the FW_SYSCTL_PATHS configuration variable (bsc#906136)
- Correct the initialization order between SuSEfirewall2 and NFS components to make sure
  NFS server ports are correctly opened when both services are enabled in systemd, and to
  fix NFS clients not receiving callbacks from the server when started before SuSEfirewall2.
  (bsc#946325, bsc#963740)


-----------------------------------------
Patch: SUSE-2017-1364
Released: Tue Aug 22 14:59:14 2017
Summary: Recommended update for supportutils
Severity: low
References: 1001224,1051237
Description:
This update for supportutils fixes the following issues:

- Add Infiniband for SLES 12-SP3. (bsc#1051237)
- Fix Infiniband detection on SLES 12. (bsc#1001224)
- Fix path to virt-manager log file.


-----------------------------------------
Patch: SUSE-2017-1367
Released: Tue Aug 22 16:49:00 2017
Summary: Security update for samba and resource-agents
Severity: important
References: 1048278,1048339,1048352,1048387,1048790,1052577,1054017,CVE-2017-11103
Description:
This update provides Samba 4.6.7, which fixes the following issues:

- CVE-2017-11103: Metadata were being taken from the unauthenticated plaintext (the Ticket)
  rather than the authenticated and encrypted KDC response. (bsc#1048278)
- Fix cephwrap_chdir(). (bsc#1048790)
- Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb. (bsc#1048339)
- Fix inconsistent ctdb socket path. (bsc#1048352)
- Fix non-admin cephx authentication. (bsc#1048387)
- CTDB cannot start when there is no persistent database. (bsc#1052577)

The CTDB resource agent was also fixed to not fail when the database is empty.


-----------------------------------------
Patch: SUSE-2017-1390
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.


libzypp:

- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned
  repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:

- Do not crash when the repository URL is not defined. (bsc#1043218)


-----------------------------------------
Patch: SUSE-2017-1399
Released: Tue Aug 29 12:11:42 2017
Summary: Recommended update for sapconf
Severity: moderate
References: 1031355,1039309,1043844,1048550
Description:
This update for sapconf fixes the following issues:

- Add a message to %post to remind the admin to restart the tuned service, if the configuration
  changes should take effect immediately. (bsc#1048550)
- Increase MAX_MAP_COUNT_REQ to 2147483647 conforming to SAP Note 900929. (bsc#1048550)
- Make 'tuned' a mandatory runtime dependency. (bsc#1043844)
- In all tuning profiles, do not overwrite a parameter if present value is higher than optimal
  value. (bsc#1048550)
- Amend logind's behavior. (bsc#1031355, bsc#1039309, bsc#1043844)


-----------------------------------------
Patch: SUSE-2017-1402
Released: Tue Aug 29 12:14:10 2017
Summary: Recommended update for javapackages-tools
Severity: low
References: 1039890
Description:

This update for javapackages-tools fixes the following issues:

- Add provides on javapackages-local. (bsc#1039890)


-----------------------------------------
Patch: SUSE-2017-1404
Released: Tue Aug 29 13:14:55 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1005778,1006180,1011913,1012829,1013887,1015337,1015342,1016119,1019151,1019695,1020645,1022476,1022600,1022604,1023175,1024346,1024373,1025461,1026570,1028173,1028286,1029693,1030552,1031515,1031717,1031784,1033587,1034075,1034113,1034762,1036215,1036632,1037344,1037404,1037838,1037994,1038078,1038616,1038792,1039153,1039348,1039915,1040307,1040347,1040351,1041958,1042257,1042286,1042314,1042422,1042778,1043261,1043347,1043520,1043598,1043652,1043805,1043912,1044112,1044443,1044623,1044636,1045154,1045293,1045330,1045404,1045563,1045596,1045709,1045715,1045866,1045922,1045937,1046105,1046170,1046434,1046651,1046655,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047174,1047277,1047343,1047354,1047418,1047506,1047595,1047651,1047653,1047670,1047802,1048146,1048155,1048221,1048317,1048348,1048356,1048421,1048451,1048501,1048891,1048912,1048914,1048916,1048919,1049231,1049289,1049298,1049361,1049483,1049486,1049603,1049619,1049645,1049706,1049882,1050061,1050188,1050211,1050320,1050322,1050677,1051022,1051048,1051059,1051239,1051399,1051471,1051478,1051479,1051556,1051663,1051689,1051979,1052049,1052223,1052311,1052325,1052365,1052442,1052533,1052709,1052773,1052794,1052899,1052925,1053043,1053117,964063,974215,998664,CVE-2017-1000111,CVE-2017-1000112,CVE-2017-10810,CVE-2017-11473,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365).
- CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311).
- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).
- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).
- CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603).
- CVE-2017-7533: Race condition in the fsnotify implementation in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions (bnc#1049483 bnc#1050677).
- CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645).
- CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277).

The following non-security bugs were fixed:

- acpi/nfit: Add support of NVDIMM memory error notification in ACPI 6.2 (bsc#1052325).
- acpi/nfit: Issue Start ARS to retrieve existing records (bsc#1052325).
- acpi / processor: Avoid reserving IO regions too early (bsc#1051478).
- acpi / scan: Prefer devices without _HID for _ADR matching (git-fixes).
- Add 'shutdown' to 'struct class' (bsc#1053117).
- af_key: Add lock to key dump (bsc#1047653).
- af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354).
- alsa: fm801: Initialize chip after IRQ handler is registered (bsc#1031717).
- alsa: hda - add more ML register definitions (bsc#1048356).
- alsa: hda - add sanity check to force the separate stream tags (bsc#1048356).
- alsa: hda: Add support for parsing new HDA capabilities (bsc#1048356).
- alsa: hdac: Add support for hda DMA Resume capability (bsc#1048356).
- alsa: hdac_regmap - fix the register access for runtime PM (bsc#1048356).
- alsa: hda: Fix cpu lockup when stopping the cmd dmas (bsc#1048356).
- alsa: hda - Fix endless loop of codec configure (bsc#1031717).
- alsa: hda: fix to wait for RIRB & CORB DMA to set (bsc#1048356).
- alsa: hda - Loop interrupt handling until really cleared (bsc#1048356).
- alsa: hda - move bus_parse_capabilities to core (bsc#1048356).
- alsa: hda - set input_path bitmap to zero after moving it to new place (bsc#1031717).
- alsa: hda - set intel audio clock to a proper value (bsc#1048356).
- arm64: kernel: restrict /dev/mem read() calls to linear region (bsc#1046651).
- arm64: mm: remove page_mapping check in __sync_icache_dcache (bsc#1040347).
- arm64: Update config files. Disable DEVKMEM
- b43: Add missing MODULE_FIRMWARE() (bsc#1037344).
- bcache: force trigger gc (bsc#1038078).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
- bdi: Fix use-after-free in wb_congested_put() (bsc#1040307).
- blacklist.conf: 9eeacd3a2f17 not a bug fix (bnc#1050061)
- blacklist.conf: add inapplicable commits for wifi (bsc#1031717)
- blacklist.conf: add non-applicable fixes for iwlwifi (FATE#323335)
- blacklist.conf: add unapplicable/cosmetic iwlwifi fixes (bsc#1031717).
- blacklist.conf: add unapplicable drm fixes (bsc#1031717).
- blacklist.conf: Blacklist aa2369f11ff7 ('mm/gup.c: fix access_ok() argument type') (bsc#1051478) Fixes only a compile-warning.
- blacklist.conf: Blacklist c133c7615751 ('x86/nmi: Fix timeout test in test_nmi_ipi()') It only fixes a self-test (bsc#1051478).
- blacklist.conf: Blacklist c9525a3fab63 ('x86/watchdog: Fix Kconfig help text file path reference to lockup watchdog documentation') Updates only kconfig help-text (bsc#1051478).
- blkfront: add uevent for size change (bnc#1036632).
- blk-mq: map all HWQ also in hyperthreaded system (bsc#1045866).
- block: add kblock_mod_delayed_work_on() (bsc#1050211).
- block: Allow bdi re-registration (bsc#1040307).
- block: do not allow updates through sysfs until registration completes (bsc#1047027).
- block: Fix front merge check (bsc#1051239).
- block: Make blk_mq_delay_kick_requeue_list() rerun the queue at a quiet time (bsc#1050211).
- block: Make del_gendisk() safer for disks without queues (bsc#1040307).
- block: Move bdi_unregister() to del_gendisk() (bsc#1040307).
- block: provide bio_uninit() free freeing integrity/task associations (bsc#1050211).
- bluetooth: hidp: fix possible might sleep error in hidp_session_thread (bsc#1031784).
- brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain (bsc#1031717).
- btrfs: add cond_resched to btrfs_qgroup_trace_leaf_items (bsc#1028286).
- btrfs: Add WARN_ON for qgroup reserved underflow (bsc#1031515).
- btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- btrfs: fix lockup in find_free_extent with read-only block groups (bsc#1046682).
- btrfs: incremental send, fix invalid path for link commands (bsc#1051479).
- btrfs: incremental send, fix invalid path for unlink commands (bsc#1051479).
- btrfs: Manually implement device_total_bytes getter/setter (bsc#1043912).
- btrfs: resume qgroup rescan on rw remount (bsc#1047152).
- btrfs: Round down values which are written for total_bytes_size (bsc#1043912).
- btrfs: send, fix invalid path after renaming and linking file (bsc#1051479).
- cifs: Fix some return values in case of error in 'crypt_message' (bnc#1047802).
- clocksource/drivers/arm_arch_timer: Fix read and iounmap of incorrect variable (bsc#1045937).
- cpuidle: dt: Add missing 'of_node_put()' (bnc#1022476).
- crypto: s5p-sss - fix incorrect usage of scatterlists api (bsc#1048317).
- cx82310_eth: use skb_cow_head() to deal with cloned skbs (bsc# 1045154).
- cxgb4: fix a NULL dereference (bsc#1005778).
- cxgb4: fix BUG() on interrupt deallocating path of ULD (bsc#1005778).
- cxgb4: fix memory leak in init_one() (bsc#1005778).
- cxl: Unlock on error in probe (bsc#1034762, Pending SUSE Kernel Fixes).
- dentry name snapshots (bsc#1049483).
- device-dax: fix sysfs attribute deadlock (bsc#1048919).
- dm: fix second blk_delay_queue() parameter to be in msec units not (bsc#1047670).
- dm: make flush bios explicitly sync (bsc#1050211).
- dm raid1: fixes two crash cases if mirror leg failed (bsc#1043520)
- drivers/char: kmem: disable on arm64 (bsc#1046655).
- drivers: hv: As a bandaid, increase HV_UTIL_TIMEOUT from 30 to 60 seconds (bnc#1039153)
- drivers: hv: Fix a typo (fate#320485).
- drivers: hv: Fix the bug in generating the guest ID (fate#320485).
- drivers: hv: util: Fix a typo (fate#320485).
- drivers: hv: util: Make hv_poll_channel() a little more efficient (fate#320485).
- drivers: hv: vmbus: Close timing hole that can corrupt per-cpu page (fate#320485).
- drivers: hv: vmbus: Fix error code returned by vmbus_post_msg() (fate#320485).
- drivers: hv: vmbus: Get the current time from the current clocksource (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Get the current time from the current clocksource (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- drivers: hv: vmbus: Increase the time between retries in vmbus_post_msg() (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Increase the time between retries in vmbus_post_msg() (fate#320485, bnc#1044112).
- drivers: hv: vmbus: Move the code to signal end of message (fate#320485).
- drivers: hv: vmbus: Move the definition of generate_guest_id() (fate#320485).
- drivers: hv: vmbus: Move the definition of hv_x64_msr_hypercall_contents (fate#320485).
- drivers: hv: vmbus: Restructure the clockevents code (fate#320485).
- drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions (bsc#1031717).
- drm/bochs: Implement nomodeset (bsc#1047096).
- drm/i915/fbdev: Stop repeating tile configuration on stagnation (bsc#1031717).
- drm/i915: Fix scaler init during CRTC HW state readout (bsc#1031717).
- drm/i915: Serialize GTT/Aperture accesses on BXT (bsc#1046821).
- drm/virtio: do not leak bo on drm_gem_object_init failure (bsc#1047277).
- drm/vmwgfx: Fix large topology crash (bsc#1048155).
- drm/vmwgfx: Support topology greater than texture size (bsc#1048155).
- Drop patches; obsoleted by 'scsi: Add STARGET_CREATE_REMOVE state'
- efi/libstub: Skip GOP with PIXEL_BLT_ONLY format (bnc#974215).
- ext2: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ext4: avoid unnecessary stalls in ext4_evict_inode() (bsc#1049486).
- ext4: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors (bsc#1012829).
- Fix kABI breakage by HD-audio bus caps extensions (bsc#1048356).
- Fix kABI breakage by KVM CVE fix (bsc#1045922).
- fs/fcntl: f_setown, avoid undefined behaviour (bnc#1006180).
- fs: pass on flags in compat_writev (bsc#1050211).
- fuse: initialize the flock flag in fuse_file on allocation (git-fixes).
- gcov: add support for gcc version >= 6 (bsc#1051663).
- gcov: support GCC 7.1 (bsc#1051663).
- gfs2: fix flock panic issue (bsc#1012829).
- hpsa: limit transfer length to 1MB (bsc#1025461).
- hrtimer: Catch invalid clockids again (bsc#1047651).
- hrtimer: Revert CLOCK_MONOTONIC_RAW support (bsc#1047651).
- hv_netvsc: change netvsc device default duplex to FULL (fate#320485).
- hv_netvsc: Exclude non-TCP port numbers from vRSS hashing (bsc#1048421).
- hv_netvsc: Fix the carrier state error when data path is off (fate#320485).
- hv_netvsc: Fix the queue index computation in forwarding case (bsc#1048421).
- hv_netvsc: Remove unnecessary var link_state from struct netvsc_device_info (fate#320485).
- hv: print extra debug in kvp_on_msg in error paths (bnc#1039153).
- hv_utils: drop .getcrosststamp() support from PTP driver (fate#320485, bnc#1044112).
- hv_utils: drop .getcrosststamp() support from PTP driver (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- hv_utils: fix TimeSync work on pre-TimeSync-v4 hosts (fate#320485, bnc#1044112).
- hv_utils: fix TimeSync work on pre-TimeSync-v4 hosts (fate#320485, bnc#1044112, bnc#1042778, bnc#1029693).
- hv_util: switch to using timespec64 (fate#320485).
- hwpoison, memcg: forcibly uncharge LRU pages (bnc#1046105).
- hyperv: fix warning about missing prototype (fate#320485).
- hyperv: netvsc: Neaten netvsc_send_pkt by using a temporary (fate#320485).
- hyperv: remove unnecessary return variable (fate#320485).
- i2c: designware-baytrail: fix potential null pointer dereference on dev (bsc#1011913).
- i40e: add hw struct local variable (bsc#1039915).
- i40e: add private flag to control source pruning (bsc#1034075).
- i40e: add VSI info to macaddr messages (bsc#1039915).
- i40e: avoid looping to check whether we're in VLAN mode (bsc#1039915).
- i40e: avoid O(n^2) loop when deleting all filters (bsc#1039915).
- i40e: delete filter after adding its replacement when converting (bsc#1039915).
- i40e: do not add broadcast filter for VFs (bsc#1039915).
- i40e: do not allow i40e_vsi_(add|kill)_vlan to operate when VID<1 (bsc#1039915).
- i40e: drop is_vf and is_netdev fields in struct i40e_mac_filter (bsc#1039915).
- i40e: enable VSI broadcast promiscuous mode instead of adding broadcast filter (bsc#1039915).
- i40e: factor out addition/deletion of VLAN per each MAC address (bsc#1039915).
- i40e: fix ethtool to get EEPROM data from X722 interface (bsc#1047418).
- i40e: fix MAC filters when removing VLANs (bsc#1039915).
- i40e: fold the i40e_is_vsi_in_vlan check into i40e_put_mac_in_vlan (bsc#1039915).
- i40e/i40evf: Fix use after free in Rx cleanup path (bsc#1051689).
- i40e: implement __i40e_del_filter and use where applicable (bsc#1039915).
- i40e: make use of __dev_uc_sync and __dev_mc_sync (bsc#1039915).
- i40e: move all updates for VLAN mode into i40e_sync_vsi_filters (bsc#1039915).
- i40e: move i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915).
- i40e: no need to check is_vsi_in_vlan before calling i40e_del_mac_all_vlan (bsc#1039915).
- i40e: properly cleanup on allocation failure in i40e_sync_vsi_filters (bsc#1039915).
- i40e: recalculate vsi->active_filters from hash contents (bsc#1039915).
- i40e: refactor i40e_put_mac_in_vlan to avoid changing f->vlan (bsc#1039915).
- i40e: refactor i40e_update_filter_state to avoid passing aq_err (bsc#1039915).
- i40e: refactor Rx filter handling (bsc#1039915).
- i40e: Removal of workaround for simple MAC address filter deletion (bsc#1039915).
- i40e: remove code to handle dev_addr specially (bsc#1039915).
- i40e: removed unreachable code (bsc#1039915).
- i40e: remove duplicate add/delete adminq command code for filters (bsc#1039915).
- i40e: remove second check of VLAN_N_VID in i40e_vlan_rx_add_vid (bsc#1039915).
- i40e: rename i40e_put_mac_in_vlan and i40e_del_mac_all_vlan (bsc#1039915).
- i40e: restore workaround for removing default MAC filter (bsc#1039915).
- i40e: set broadcast promiscuous mode for each active VLAN (bsc#1039915).
- i40e: store MAC/VLAN filters in a hash with the MAC Address as key (bsc#1039915).
- i40e: use (add|rm)_vlan_all_mac helper functions when changing PVID (bsc#1039915).
- i40evf: fix merge error in older patch (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: when adding or removing MAC filters, correctly handle VLANs (bsc#1039915).
- i40e: When searching all MAC/VLAN filters, ignore removed filters (bsc#1039915).
- i40e: write HENA for VFs (bsc#1039915).
- IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151).
- IB/iser: Fix connection teardown race condition (bsc#1050211).
- ibmvnic: Check for transport event on driver resume (bsc#1051556, bsc#1052709).
- ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223).
- ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794).
- IB/rxe: Fix kernel panic from skb destructor (bsc#1049361).
- iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value (bsc#1031717).
- include/linux/mmzone.h: simplify zone_intersects() (bnc#1047506).
- input: gpio-keys - fix check for disabling unsupported keys (bsc#1031717).
- introduce the walk_process_tree() helper (bnc#1022476).
- iommu/amd: Add flush counters to struct dma_ops_domain (bsc#1045709).
- iommu/amd: Add locking to per-domain flush-queue (bsc#1045709).
- iommu/amd: Add new init-state IOMMU_CMDLINE_DISABLED (bsc#1045715).
- iommu/amd: Add per-domain flush-queue data structures (bsc#1045709).
- iommu/amd: Add per-domain timer to flush per-cpu queues (bsc#1045709).
- iommu/amd: Check for error states first in iommu_go_to_state() (bsc#1045715).
- iommu/amd: Constify irq_domain_ops (bsc#1045709).
- iommu/amd: Disable IOMMUs at boot if they are enabled (bsc#1045715).
- iommu/amd: Enable ga_log_intr when enabling guest_mode (bsc1052533).
- iommu/amd: Fix interrupt remapping when disable guest_mode (bsc#1051471).
- iommu/amd: Fix schedule-while-atomic BUG in initialization code (bsc1052533).
- iommu/amd: Free already flushed ring-buffer entries before full-check (bsc#1045709).
- iommu/amd: Free IOMMU resources when disabled on command line (bsc#1045715).
- iommu/amd: Make use of the per-domain flush queue (bsc#1045709).
- iommu/amd: Ratelimit io-page-faults per device (bsc#1045709).
- iommu/amd: Reduce amount of MMIO when submitting commands (bsc#1045709).
- iommu/amd: Reduce delay waiting for command buffer space (bsc#1045709).
- iommu/amd: Remove amd_iommu_disabled check from amd_iommu_detect() (bsc#1045715).
- iommu/amd: Remove queue_release() function (bsc#1045709).
- iommu/amd: Rename free_on_init_error() (bsc#1045715).
- iommu/amd: Rip out old queue flushing code (bsc#1045709).
- iommu/amd: Set global pointers to NULL after freeing them (bsc#1045715).
- iommu/amd: Suppress IO_PAGE_FAULTs in kdump kernel (bsc#1045715 bsc#1043261).
- iommu: Remove a patch because it caused problems for users. See bsc#1048348.
- ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (bsc#1041958).
- ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (bsc#1041958).
- iw_cxgb4: Fix error return code in c4iw_rdev_open() (bsc#1026570).
- iwlwifi: 8000: fix MODULE_FIRMWARE input (FATE#321353, FATE#323335).
- iwlwifi: 9000: increase the number of queues (FATE#321353, FATE#323335).
- iwlwifi: add device ID for 8265 (FATE#321353, FATE#323335).
- iwlwifi: add device IDs for the 8265 device (FATE#321353, FATE#323335).
- iwlwifi: add disable_11ac module param (FATE#321353, FATE#323335).
- iwlwifi: add new 3168 series devices support (FATE#321353, FATE#323335).
- iwlwifi: add new 8260 PCI IDs (FATE#321353, FATE#323335).
- iwlwifi: add new 8265 (FATE#321353, FATE#323335).
- iwlwifi: add new 8265 series PCI ID (FATE#321353, FATE#323335).
- iwlwifi: Add new PCI IDs for 9260 and 5165 series (FATE#321353, FATE#323335).
- iwlwifi: Add PCI IDs for the new 3168 series (FATE#321353, FATE#323335).
- iwlwifi: Add PCI IDs for the new series 8165 (FATE#321353, FATE#323335).
- iwlwifi: add support for 12K Receive Buffers (FATE#321353, FATE#323335).
- iwlwifi: add support for getting HW address from CSR (FATE#321353, FATE#323335).
- iwlwifi: avoid d0i3 commands when no/init ucode is loaded (FATE#321353, FATE#323335).
- iwlwifi: bail out in case of bad trans state (FATE#321353, FATE#323335).
- iwlwifi: block the queues when we send ADD_STA for uAPSD (FATE#321353, FATE#323335).
- iwlwifi: change the Intel Wireless email address (FATE#321353, FATE#323335).
- iwlwifi: change the Intel Wireless email address (FATE#321353, FATE#323335).
- iwlwifi: check for valid ethernet address provided by OEM (FATE#321353, FATE#323335).
- iwlwifi: clean up transport debugfs handling (FATE#321353, FATE#323335).
- iwlwifi: clear ieee80211_tx_info->driver_data in the op_mode (FATE#321353, FATE#323335).
- iwlwifi: Document missing module options (FATE#321353, FATE#323335).
- iwlwifi: dump prph registers in a common place for all transports (FATE#321353, FATE#323335).
- iwlwifi: dvm: advertise NETIF_F_SG (FATE#321353, FATE#323335).
- iwlwifi: dvm: fix compare_const_fl.cocci warnings (FATE#321353, FATE#323335).
- iwlwifi: dvm: handle zero brightness for wifi LED (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove a wrong dependency on m (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove Kconfig default (FATE#321353, FATE#323335).
- iwlwifi: dvm: remove stray debug code (FATE#321353, FATE#323335).
- iwlwifi: export the _no_grab version of PRPH IO functions (FATE#321353, FATE#323335).
- iwlwifi: expose fw usniffer mode to more utilities (FATE#321353, FATE#323335).
- iwlwifi: fix double hyphen in MODULE_FIRMWARE for 8000 (FATE#321353, FATE#323335).
- iwlwifi: Fix firmware name maximum length definition (FATE#321353, FATE#323335).
- iwlwifi: fix name of ucode loaded for 8265 series (FATE#321353, FATE#323335).
- iwlwifi: fix printf specifier (FATE#321353, FATE#323335).
- iwlwifi: generalize d0i3_entry_timeout module parameter (FATE#321353, FATE#323335).
- iwlwifi: missing error code in iwl_trans_pcie_alloc() (bsc#1031717).
- iwlwifi: mvm: adapt the firmware assert log to new firmware (FATE#321353, FATE#323335).
- iwlwifi: mvm: add 9000-series RX API (FATE#321353, FATE#323335).
- iwlwifi: mvm: add 9000 series RX processing (FATE#321353, FATE#323335).
- iwlwifi: mvm: add a non-trigger window to fw dbg triggers (FATE#321353, FATE#323335).
- iwlwifi: mvm: add an option to start rs from HT/VHT rates (FATE#321353, FATE#323335).
- iwlwifi: mvm: Add a station in monitor mode (FATE#321353, FATE#323335).
- iwlwifi: mvm: add bt rrc and ttc to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add bt settings to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add ctdp operations to debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: add CT-KILL notification (FATE#321353, FATE#323335).
- iwlwifi: mvm: add debug print if scan config is ignored (FATE#321353, FATE#323335).
- iwlwifi: mvm: add extended dwell time (FATE#321353, FATE#323335).
- iwlwifi: mvm: add new ADD_STA command version (FATE#321353, FATE#323335).
- iwlwifi: mvm: Add P2P client snoozing (FATE#321353, FATE#323335).
- iwlwifi: mvm: add registration to cooling device (FATE#321353, FATE#323335).
- iwlwifi: mvm: add registration to thermal zone (FATE#321353, FATE#323335).
- iwlwifi: mvm: add support for negative temperatures (FATE#321353, FATE#323335).
- iwlwifi: mvm: add tlv for multi queue rx support (FATE#321353, FATE#323335).
- iwlwifi: mvm: add trigger for firmware dump upon TDLS events (FATE#321353, FATE#323335).
- iwlwifi: mvm: add trigger for firmware dump upon TX response status (FATE#321353, FATE#323335).
- iwlwifi: mvm: advertise NETIF_F_SG (FATE#321353, FATE#323335).
- iwlwifi: mvm: Align bt-coex priority with requirements (FATE#321353, FATE#323335).
- iwlwifi: mvm: allow to disable beacon filtering for AP/GO interface (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid harmless -Wmaybe-uninialized warning (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid panics with thermal device usage (FATE#321353, FATE#323335).
- iwlwifi: mvm: avoid to WARN about gscan capabilities (FATE#321353, FATE#323335).
- iwlwifi: mvm: bail out if CTDP start operation fails (FATE#321353, FATE#323335).
- iwlwifi: mvm: bump firmware API to 21 (FATE#321353, FATE#323335).
- iwlwifi: mvm: bump max API to 20 (FATE#321353, FATE#323335).
- iwlwifi: mvm: change access to ieee80211_hdr (FATE#321353, FATE#323335).
- iwlwifi: mvm: change iwl_mvm_get_key_sta_id() to return the station (FATE#321353, FATE#323335).
- iwlwifi: mvm: change mcc update API (FATE#321353, FATE#323335).
- iwlwifi: mvm: change name of iwl_mvm_d3_update_gtk (FATE#321353, FATE#323335).
- iwlwifi: mvm: Change number of associated stations when station becomes associated (FATE#321353, FATE#323335).
- iwlwifi: mvm: change protocol offload flows (FATE#321353, FATE#323335).
- iwlwifi: mvm: change the check for ADD_STA status (FATE#321353, FATE#323335).
- iwlwifi: mvm: check FW's response for nvm access write cmd (FATE#321353, FATE#323335).
- iwlwifi: mvm: check iwl_mvm_wowlan_config_key_params() return value (FATE#321353, FATE#323335).
- iwlwifi: mvm: check minimum temperature notification length (FATE#321353, FATE#323335).
- iwlwifi: mvm: cleanup roc te on restart cleanup (FATE#321353, FATE#323335).
- iwlwifi: mvm: compare full command ID (FATE#321353, FATE#323335).
- iwlwifi: mvm: Configure fragmented scan for scheduled scan (FATE#321353, FATE#323335).
- iwlwifi: mvm: configure scheduled scan according to traffic conditions (FATE#321353, FATE#323335).
- iwlwifi: mvm: constify the parameters of a few functions in fw-dbg.c (FATE#321353, FATE#323335).
- iwlwifi: mvm: Disable beacon storing in D3 when WOWLAN configured (FATE#321353, FATE#323335).
- iwlwifi: mvm: disable DQA support (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not ask beacons when P2P GO vif and no assoc sta (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not keep an mvm ref when the interface is down (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not let NDPs mess the packet tracking (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not restart HW if suspend fails with unified image (FATE#321353, FATE#323335).
- iwlwifi: mvm: Do not switch to D3 image on suspend (FATE#321353, FATE#323335).
- iwlwifi: mvm: do not try to offload AES-CMAC in AP/IBSS modes (FATE#321353, FATE#323335).
- iwlwifi: mvm: drop low_latency_agg_frame_cnt_limit (FATE#321353, FATE#323335).
- iwlwifi: mvm: dump more registers upon error (FATE#321353, FATE#323335).
- iwlwifi: mvm: dump the radio registers when the firmware crashes (FATE#321353, FATE#323335).
- iwlwifi: mvm: enable L3 filtering (FATE#321353, FATE#323335).
- iwlwifi: mvm: Enable MPLUT only on supported hw (FATE#321353, FATE#323335).
- iwlwifi: mvm: enable VHT MU-MIMO for supported hardware (FATE#321353, FATE#323335).
- iwlwifi: mvm: extend time event duration (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix accessing Null pointer during fw dump collection (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix d3_test with unified D0/D3 images (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix debugfs signedness warning (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix extended dwell time (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix incorrect fallthrough in iwl_mvm_check_running_scans() (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix memory leaks in error paths upon fw error dump (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix netdetect starting/stopping for unified images (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix RSS key sizing (FATE#321353, FATE#323335).
- iwlwifi: mvm: fix unregistration of thermal in some error flows (FATE#321353, FATE#323335).
- iwlwifi: mvm: flush all used TX queues before suspending (FATE#321353, FATE#323335).
- iwlwifi: mvm: forbid U-APSD for P2P Client if the firmware does not support it (FATE#321353, FATE#323335).
- iwlwifi: mvm: handle pass all scan reporting (FATE#321353, FATE#323335).
- iwlwifi: mvm: ignore LMAC scan notifications when running UMAC scans (FATE#321353, FATE#323335).
- iwlwifi: mvm: infrastructure for frame-release message (FATE#321353, FATE#323335).
- iwlwifi: mvm: kill iwl_mvm_enable_agg_txq (FATE#321353, FATE#323335).
- iwlwifi: mvm: let the firmware choose the antenna for beacons (FATE#321353, FATE#323335).
- iwlwifi: mvm: make collecting fw debug data optional (FATE#321353, FATE#323335).
- iwlwifi: mvm: move fw-dbg code to separate file (FATE#321353, FATE#323335).
- iwlwifi: mvm: only release the trans ref if d0i3 is supported in fw (FATE#321353, FATE#323335).
- iwlwifi: mvm: prepare the code towards TSO implementation (FATE#321353, FATE#323335).
- iwlwifi: mvm: refactor d3 key update functions (FATE#321353, FATE#323335).
- iwlwifi: mvm: refactor the way fw_key_table is handled (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove an extra tab (FATE#321353, FATE#323335).
- iwlwifi: mvm: Remove bf_vif from iwl_power_vifs (FATE#321353, FATE#323335).
- iwlwifi: mvm: Remove iwl_mvm_update_beacon_abort (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove redundant d0i3 flag from the config struct (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove shadowing variable (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove stray nd_config element (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove the vif parameter of iwl_mvm_configure_bcast_filter() (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove unnecessary check in iwl_mvm_is_d0i3_supported() (FATE#321353, FATE#323335).
- iwlwifi: mvm: remove useless WARN_ON and rely on cfg80211's combination (FATE#321353, FATE#323335).
- iwlwifi: mvm: report wakeup for wowlan (FATE#321353, FATE#323335).
- iwlwifi: mvm: reset mvm->scan_type when firmware is started (FATE#321353, FATE#323335).
- iwlwifi: mvm: reset the fw_dump_desc pointer after ASSERT (bsc#1031717).
- iwlwifi: mvm: return the cooling state index instead of the budget (FATE#321353, FATE#323335).
- iwlwifi: mvm: ROC: cleanup time event info on FW failure (FATE#321353, FATE#323335).
- iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a potential out of bounds access (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a theoretical access to uninitialized array elements (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix a warning message (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix TPC action decision algorithm (FATE#321353, FATE#323335).
- iwlwifi: mvm: rs: fix TPC statistics handling (FATE#321353, FATE#323335).
- iwlwifi: mvm: Send power command on BSS_CHANGED_BEACON_INFO if needed (FATE#321353, FATE#323335).
- iwlwifi: mvm: set default new STA as non-aggregated (FATE#321353, FATE#323335).
- iwlwifi: mvm: set the correct amsdu enum values (FATE#321353, FATE#323335).
- iwlwifi: mvm: set the correct descriptor size for tracing (FATE#321353, FATE#323335).
- iwlwifi: mvm: small update in the firmware API (FATE#321353, FATE#323335).
- iwlwifi: mvm: support A-MSDU in A-MPDU (FATE#321353, FATE#323335).
- iwlwifi: mvm: support beacon storing (FATE#321353, FATE#323335).
- iwlwifi: mvm: support description for user triggered fw dbg collection (FATE#321353, FATE#323335).
- iwlwifi: mvm: support rss queues configuration command (FATE#321353, FATE#323335).
- iwlwifi: mvm: Support setting continuous recording debug mode (FATE#321353, FATE#323335).
- iwlwifi: mvm: support setting minimum quota from debugfs (FATE#321353, FATE#323335).
- iwlwifi: mvm: support sw queue start/stop from mvm (FATE#321353, FATE#323335).
- iwlwifi: mvm: synchronize firmware DMA paging memory (FATE#321353, FATE#323335).
- iwlwifi: mvm: take care of padded packets (FATE#321353, FATE#323335).
- iwlwifi: mvm: take the transport ref back when leaving (FATE#321353, FATE#323335).
- iwlwifi: mvm: track low-latency sources separately (FATE#321353, FATE#323335).
- iwlwifi: mvm: unconditionally stop device after init (bsc#1031717).
- iwlwifi: mvm: unmap the paging memory before freeing it (FATE#321353, FATE#323335).
- iwlwifi: mvm: update GSCAN capabilities (FATE#321353, FATE#323335).
- iwlwifi: mvm: update ucode status before stopping device (FATE#321353, FATE#323335).
- iwlwifi: mvm: use build-time assertion for fw trigger ID (FATE#321353, FATE#323335).
- iwlwifi: mvm: use firmware station lookup, combine code (FATE#321353, FATE#323335).
- iwlwifi: mvm: various trivial cleanups (FATE#321353, FATE#323335).
- iwlwifi: mvm: writing zero bytes to debugfs causes a crash (FATE#321353, FATE#323335).
- iwlwifi: nvm: fix loading default NVM file (FATE#321353, FATE#323335).
- iwlwifi: nvm: fix up phy section when reading it (FATE#321353, FATE#323335).
- iwlwifi: pcie: add 9000 series multi queue rx DMA support (FATE#321353, FATE#323335).
- iwlwifi: pcie: add infrastructure for multi-queue rx (FATE#321353, FATE#323335).
- iwlwifi: pcie: add initial RTPM support for PCI (FATE#321353, FATE#323335).
- iwlwifi: pcie: Add new configuration to enable MSIX (FATE#321353, FATE#323335).
- iwlwifi: pcie: add pm_prepare and pm_complete ops (FATE#321353, FATE#323335).
- iwlwifi: pcie: add RTPM support when wifi is enabled (FATE#321353, FATE#323335).
- iwlwifi: pcie: aggregate Flow Handler configuration writes (FATE#321353, FATE#323335).
- iwlwifi: pcie: allow the op_mode to block the tx queues (FATE#321353, FATE#323335).
- iwlwifi: pcie: allow to pretend to have Tx CSUM for debug (FATE#321353, FATE#323335).
- iwlwifi: pcie: avoid restocks inside rx loop if not emergency (FATE#321353, FATE#323335).
- iwlwifi: pcie: buffer packets to avoid overflowing Tx queues (FATE#321353, FATE#323335).
- iwlwifi: pcie: build an A-MSDU using TSO core (FATE#321353, FATE#323335).
- iwlwifi: pcie: configure more RFH settings (FATE#321353, FATE#323335).
- iwlwifi: pcie: detect and workaround invalid write ptr behavior (FATE#321353, FATE#323335).
- iwlwifi: pcie: do not increment / decrement a bool (FATE#321353, FATE#323335).
- iwlwifi: pcie: enable interrupts before releasing the NIC's CPU (FATE#321353, FATE#323335).
- iwlwifi: pcie: enable multi-queue rx path (FATE#321353, FATE#323335).
- iwlwifi: pcie: extend device reset delay (FATE#321353, FATE#323335).
- iwlwifi: pcie: fine tune number of rxbs (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix a race in firmware loading flow (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix command completion name debug (bsc#1031717).
- iwlwifi: pcie: fix erroneous return value (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix global table size (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix identation in trans.c (FATE#321353, FATE#323335).
- iwlwifi: pcie: fix RF-Kill vs. firmware load race (FATE#321353, FATE#323335).
- iwlwifi: pcie: forbid RTPM on device removal (FATE#321353, FATE#323335).
- iwlwifi: pcie: mark command queue lock with separate lockdep class (FATE#321353, FATE#323335).
- iwlwifi: pcie: prevent skbs shadowing in iwl_trans_pcie_reclaim (FATE#321353, FATE#323335).
- iwlwifi: pcie: refactor RXBs reclaiming code (FATE#321353, FATE#323335).
- iwlwifi: pcie: remove ICT allocation message (FATE#321353, FATE#323335).
- iwlwifi: pcie: remove pointer from debug message (FATE#321353, FATE#323335).
- iwlwifi: pcie: re-organize code towards TSO (FATE#321353, FATE#323335).
- iwlwifi: pcie: set RB chunk size back to 64 (FATE#321353, FATE#323335).
- iwlwifi: pcie: update iwl_mpdu_desc fields (FATE#321353, FATE#323335).
- iwlwifi: print index in api/capa flags parsing message (FATE#321353, FATE#323335).
- iwlwifi: refactor the code that reads the MAC address from the NVM (FATE#321353, FATE#323335).
- iwlwifi: remove IWL_DL_LED (FATE#321353, FATE#323335).
- iwlwifi: remove unused parameter from grab_nic_access (FATE#321353, FATE#323335).
- iwlwifi: replace d0i3_mode and wowlan_d0i3 with more generic variables (FATE#321353, FATE#323335).
- iwlwifi: set max firmware version of 7265 to 17 (FATE#321353, FATE#323335).
- iwlwifi: support ucode with d0 unified image - regular and usniffer (FATE#321353, FATE#323335).
- iwlwifi: trans: make various conversion macros inlines (FATE#321353, FATE#323335).
- iwlwifi: trans: support a callback for ASYNC commands (FATE#321353, FATE#323335).
- iwlwifi: treat iwl_parse_nvm_data() MAC addr as little endian (FATE#321353, FATE#323335).
- iwlwifi: tt: move ucode_loaded check under mutex (FATE#321353, FATE#323335).
- iwlwifi: uninline iwl_trans_send_cmd (FATE#321353, FATE#323335).
- iwlwifi: update host command messages to new format (FATE#321353, FATE#323335).
- iwlwifi: Update PCI IDs for 8000 and 9000 series (FATE#321353, FATE#323335).
- iwlwifi: update support for 3168 series firmware and NVM (FATE#321353, FATE#323335).
- iwlwifi: various comments and code cleanups (FATE#321353, FATE#323335).
- kABI-fix for 'x86/panic: replace smp_send_stop() with kdump friendly version in panic path' (bsc#1051478).
- kABI: protect lwtunnel include in ip6_route.h (kabi).
- KABI protect struct acpi_nfit_desc (bsc#1052325).
- kABI: protect struct iscsi_tpg_attrib (kabi).
- kABI: protect struct se_lun (kabi).
- kABI: protect struct tpm_chip (kabi).
- kABI: protect struct xfrm_dst (kabi).
- kABI: protect struct xfrm_dst (kabi).
- kabi/severities: add drivers/scsi/hisi_sas to kabi severities
- kabi/severities: ignore kABi changes in iwlwifi stuff itself
- kvm: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (bsc#1051478).
- kvm: nVMX: Fix nested_vmx_check_msr_bitmap_controls (bsc#1051478).
- kvm: nVMX: Fix nested VPID vmx exec control (bsc#1051478).
- kvm: x86: avoid simultaneous queueing of both IRQ and SMI (bsc#1051478).
- libnvdimm: fix badblock range handling of ARS range (bsc#1023175).
- libnvdimm: fix badblock range handling of ARS range (bsc#1051048).
- libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175).
- libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1048919).
- libnvdimm, region: fix flush hint detection crash (bsc#1048919).
- lightnvm: fix 'warning: ‘ret’ may be used uninitialized' (FATE#319466).
- mac80211_hwsim: Replace bogus hrtimer clockid (bsc#1047651).
- md-cluster: Fix a memleak in an error handling path (bsc#1049289).
- md: do not return -EAGAIN in md_allow_write for external metadata arrays (bsc#1047174).
- md: fix sleep in atomic (bsc#1040351).
- mm: call page_ext_init() after all struct pages are initialized (VM Debugging Functionality, bsc#1047048).
- mm: fix classzone_idx underflow in shrink_zones() (VM Functionality, bsc#1042314).
- mm: make PR_SET_THP_DISABLE immediately active (bnc#1048891).
- mm, memory_hotplug: get rid of is_zone_device_section fix (bnc#1047595).
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
- mwifiex: do not update MCS set from hostapd (bsc#1031717).
- net: account for current skb length when deciding about UFO (bsc#1041958).
- net: add netdev_lockdep_set_classes() helper (fate#320485).
- net: ena: add hardware hints capability to the driver (bsc#1047121).
- net: ena: add hardware hints capability to the driver (bsc#1047121).
- net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121).
- net: ena: add missing return when ena_com_get_io_handlers() fails (bsc#1047121).
- net: ena: add missing unmap bars on device removal (bsc#1047121).
- net: ena: add missing unmap bars on device removal (bsc#1047121).
- net: ena: add reset reason for each device FLR (bsc#1047121).
- net: ena: add reset reason for each device FLR (bsc#1047121).
- net: ena: add support for out of order rx buffers refill (bsc#1047121).
- net: ena: add support for out of order rx buffers refill (bsc#1047121).
- net: ena: allow the driver to work with small number of msix vectors (bsc#1047121).
- net: ena: allow the driver to work with small number of msix vectors (bsc#1047121).
- net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121).
- net: ena: bug fix in lost tx packets detection mechanism (bsc#1047121).
- net: ena: change return value for unsupported features unsupported return value (bsc#1047121).
- net: ena: change return value for unsupported features unsupported return value (bsc#1047121).
- net: ena: change sizeof() argument to be the type pointer (bsc#1047121).
- net: ena: change sizeof() argument to be the type pointer (bsc#1047121).
- net: ena: disable admin msix while working in polling mode (bsc#1047121).
- net: ena: disable admin msix while working in polling mode (bsc#1047121).
- net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121).
- net: ena: fix bug that might cause hang after consecutive open/close interface (bsc#1047121).
- net: ena: fix race condition between submit and completion admin command (bsc#1047121).
- net: ena: fix race condition between submit and completion admin command (bsc#1047121).
- net: ena: fix rare uncompleted admin command false alarm (bsc#1047121).
- net: ena: fix rare uncompleted admin command false alarm (bsc#1047121).
- net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121).
- net: ena: fix theoretical Rx hang on low memory systems (bsc#1047121).
- net: ena: separate skb allocation to dedicated function (bsc#1047121).
- net: ena: separate skb allocation to dedicated function (bsc#1047121).
- net/ena: switch to pci_alloc_irq_vectors (bsc#1047121).
- net: ena: update driver's rx drop statistics (bsc#1047121).
- net: ena: update driver's rx drop statistics (bsc#1047121).
- net: ena: update ena driver to version 1.1.7 (bsc#1047121).
- net: ena: update ena driver to version 1.1.7 (bsc#1047121).
- net: ena: update ena driver to version 1.2.0 (bsc#1047121).
- net: ena: update ena driver to version 1.2.0 (bsc#1047121).
- net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121).
- net: ena: use lower_32_bits()/upper_32_bits() to split dma address (bsc#1047121).
- net: ena: use napi_schedule_irqoff when possible (bsc#1047121).
- net: ena: use napi_schedule_irqoff when possible (bsc#1047121).
- net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() (bsc#1042286).
- net: hns: Bugfix for Tx timeout handling in hns driver (bsc#1048451).
- net: hyperv: use new api ethtool_{get|set}_link_ksettings (fate#320485).
- net/mlx4_core: Fixes missing capability bit in flags2 capability dump (bsc#1015337).
- net/mlx4_core: Fix namespace misalignment in QinQ VST support commit (bsc#1015337).
- net/mlx4_core: Fix sl_to_vl_change bit offset in flags2 dump (bsc#1015337).
- net/mlx5: Cancel delayed recovery work when unloading the driver (bsc#1015342).
- net/mlx5: Clean SRIOV eswitch resources upon VF creation failure (bsc#1015342).
- net/mlx5: Consider tx_enabled in all modes on remap (bsc#1015342).
- net/mlx5e: Add field select to MTPPS register (bsc#1015342).
- net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request (bsc#1015342).
- net/mlx5e: Change 1PPS out scheme (bsc#1015342).
- net/mlx5e: Fix broken disable 1PPS flow (bsc#1015342).
- net/mlx5e: Fix outer_header_zero() check size (bsc#1015342).
- net/mlx5e: Fix TX carrier errors report in get stats ndo (bsc#1015342).
- net/mlx5e: Initialize CEE's getpermhwaddr address buffer to 0xff (bsc#1015342).
- net/mlx5e: Rename physical symbol errors counter (bsc#1015342).
- net/mlx5: Fix driver load error flow when firmware is stuck (git-fixes).
- net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests (bsc#1015342).
- net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size (bsc#1015342).
- net/mlx5: Fix offset of hca cap reserved field (bsc#1015342).
- net: phy: Do not perform software reset for Generic PHY (bsc#1042286).
- netvsc: add comments about callback's and NAPI (fate#320485).
- netvsc: Add #include's for csum_* function declarations (fate#320485).
- netvsc: add rtnl annotations in rndis (fate#320485).
- netvsc: add some rtnl_dereference annotations (fate#320485).
- netvsc: avoid race with callback (fate#320485).
- netvsc: change logic for change mtu and set_queues (fate#320485).
- netvsc: change max channel calculation (fate#320485).
- netvsc: change order of steps in setting queues (fate#320485).
- netvsc: Deal with rescinded channels correctly (fate#320485).
- netvsc: do not access netdev->num_rx_queues directly (fate#320485).
- netvsc: do not overload variable in same function (fate#320485).
- netvsc: do not print pointer value in error message (fate#320485).
- netvsc: eliminate unnecessary skb == NULL checks (fate#320485).
- netvsc: enable GRO (fate#320485).
- netvsc: Fix a bug in sub-channel handling (fate#320485).
- netvsc: fix and cleanup rndis_filter_set_packet_filter (fate#320485).
- netvsc: fix calculation of available send sections (fate#320485).
- netvsc: fix dereference before null check errors (fate#320485).
- netvsc: fix error unwind on device setup failure (fate#320485).
- netvsc: fix hang on netvsc module removal (fate#320485).
- netvsc: fix NAPI performance regression (fate#320485).
- netvsc: fix net poll mode (fate#320485).
- netvsc: fix netvsc_set_channels (fate#320485).
- netvsc: fix ptr_ret.cocci warnings (fate#320485).
- netvsc: fix rcu dereference warning from ethtool (fate#320485).
- netvsc: fix RCU warning in get_stats (fate#320485).
- netvsc: fix return value for set_channels (fate#320485).
- netvsc: fix rtnl deadlock on unregister of vf (fate#320485, bsc#1052442).
- netvsc: fix use after free on module removal (fate#320485).
- netvsc: fix warnings reported by lockdep (fate#320485).
- netvsc: fold in get_outbound_net_device (fate#320485).
- netvsc: force link update after MTU change (fate#320485).
- netvsc: handle offline mtu and channel change (fate#320485).
- netvsc: implement NAPI (fate#320485).
- netvsc: include rtnetlink.h (fate#320485).
- netvsc: Initialize all channel related state prior to opening the channel (fate#320485).
- netvsc: make sure and unregister datapath (fate#320485, bsc#1052899).
- netvsc: make sure napi enabled before vmbus_open (fate#320485).
- netvsc: mark error cases as unlikely (fate#320485).
- netvsc: move filter setting to rndis_device (fate#320485).
- netvsc: need napi scheduled during removal (fate#320485).
- netvsc: need rcu_derefence when accessing internal device info (fate#320485).
- netvsc: optimize calculation of number of slots (fate#320485).
- netvsc: optimize receive completions (fate#320485).
- netvsc: pass net_device to netvsc_init_buf and netvsc_connect_vsp (fate#320485).
- netvsc: prefetch the first incoming ring element (fate#320485).
- netvsc: Properly initialize the return value (fate#320485).
- netvsc: remove bogus rtnl_unlock (fate#320485).
- netvsc: remove no longer used max_num_rss queues (fate#320485).
- netvsc: Remove redundant use of ipv6_hdr() (fate#320485).
- netvsc: remove unnecessary indirection of page_buffer (fate#320485).
- netvsc: remove unnecessary lock on shutdown (fate#320485).
- netvsc: remove unused #define (fate#320485).
- netvsc: replace netdev_alloc_skb_ip_align with napi_alloc_skb (fate#320485).
- netvsc: save pointer to parent netvsc_device in channel table (fate#320485).
- netvsc: signal host if receive ring is emptied (fate#320485).
- netvsc: transparent VF management (fate#320485, bsc#1051979).
- netvsc: use ERR_PTR to avoid dereference issues (fate#320485).
- netvsc: use hv_get_bytes_to_read (fate#320485).
- netvsc: use napi_consume_skb (fate#320485).
- netvsc: use RCU to protect inner device structure (fate#320485).
- netvsc: uses RCU instead of removal flag (fate#320485).
- netvsc: use typed pointer for internal state (fate#320485).
- nfs: Cache aggressively when file is open for writing (bsc#1033587).
- nfs: Do not flush caches for a getattr that races with writeback (bsc#1033587).
- nfs: invalidate file size when taking a lock (git-fixes).
- nfs: only invalidate dentrys that are clearly invalid (bsc#1047118).
- nfs: Optimize fallocate by refreshing mapping when needed (git-fixes).
- nvme: add hostid token to fabric options (bsc#1045293).
- nvme: also provide a UUID in the WWID sysfs attribute (bsc#1048146).
- nvme: fabrics commands should use the fctype field for data direction (bsc#1043805).
- nvme-pci: fix CMB sysfs file removal in reset path (bsc#1050211).
- nvme/pci: Fix stuck nvme reset (bsc#1043805).
- nvmet: identify controller: improve standard compliance (bsc#1048146).
- nvme: wwid_show: strip trailing 0-bytes (bsc#1048146).
- ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552).
- ocfs2: fix deadlock caused by recursive locking in xattr (bsc#1012829).
- ocfs2: Make ocfs2_set_acl() static (bsc#1030552).
- pci: Add Mellanox device IDs (bsc#1051478).
- pci: Convert Mellanox broken INTx quirks to be for listed devices only (bsc#1051478).
- pci: Correct PCI_STD_RESOURCE_END usage (bsc#1051478).
- pci: dwc: dra7xx: Use RW1C for IRQSTATUS_MSI and IRQSTATUS_MAIN (bsc#1051478).
- pci: dwc: Fix uninitialized variable in dw_handle_msi_irq() (bsc#1051478).
- pci: Enable ECRC only if device supports it (bsc#1051478).
- pci: hv: Allocate interrupt descriptors with GFP_ATOMIC (fate#320295, bnc#1034113).
- pci: hv: Lock PCI bus on device eject (fate#320295, bnc#1034113). Replaces a change for (bnc#998664)
- pci/msi: fix the pci_alloc_irq_vectors_affinity stub (bsc#1050211).
- pci/msi: Ignore affinity if pre/post vector count is more than min_vecs (1050211).
- pci/pm: Fix native PME handling during system suspend/resume (bsc#1051478).
- pci: Support INTx masking on ConnectX-4 with firmware x.14.1100+ (bsc#1051478).
- perf/x86: Fix spurious NMI with PEBS Load Latency event (bsc#1051478).
- perf/x86/intel: Cure bogus unwind from PEBS entries (bsc#1051478).
- perf/x86/intel: Fix PEBSv3 record drain (bsc#1051478).
- pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330).
- platform/x86: ideapad-laptop: Add IdeaPad 310-15IKB to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add IdeaPad V310-15ISK to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add IdeaPad V510-15IKB to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Lenovo Yoga 910-13IKB to no_hw_rfkill dmi list (bsc#1051022).
- platform/x86: ideapad-laptop: Add several models to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y520-15IKBN to no_hw_rfkill (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y700 15-ACZ to no_hw_rfkill DMI list (bsc#1051022).
- platform/x86: ideapad-laptop: Add Y720-15IKBN to no_hw_rfkill (bsc#1051022).
- pm / Hibernate: Fix scheduling while atomic during hibernation (bsc#1051059).
- powerpc: Add POWER9 architected mode to cputable (bsc#1048916, fate#321439).
- powerpc/fadump: Add a warning when 'fadump_reserve_mem=' is used (bsc#1049231).
- powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS (FATE#322421).
- powerpc/perf: Fix branch event code for power9 (fate#321438,  Pending SUSE Kernel Fixes).
- powerpc/perf: Fix oops when kthread execs user process
- powerpc/perf: Fix SDAR_MODE value for continous sampling on Power9 (bsc#1053043 (git-fixes)).
- powerpc: Support POWER9 in architected mode (bsc#1048916, fate#321439).
- powerpc/tm: Fix saving of TM SPRs in core dump (fate#318470, git-fixes 08e1c01d6aed).
- prctl: propagate has_child_subreaper flag to every descendant (bnc#1022476).
- printk: Correctly handle preemption in console_unlock() (bsc#1046434).
- printk/xen: Force printk sync mode when migrating Xen guest (bsc#1043347).
- qed: Add missing static/local dcbx info (bsc#1019695).
- qed: Correct print in iscsi error-flow (bsc#1019695).
- qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773, LTC#157374).
- rbd: drop extra rbd_img_request_get (bsc#1045596).
- rbd: make sure pages are freed by libceph (bsc#1045596).
- rdma/bnxt_re: checking for NULL instead of IS_ERR() (bsc#1052925).
- rdma/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr() (bsc#1026570).
- rdma/mlx5: Fix existence check for extended address vector (bsc#1015342).
- rdma/qedr: Prevent memory overrun in verbs' user responses (bsc#1022604 FATE#321747).
- reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- Remove upstream commit e14b4db7a567 netvsc: fix race during initialization will be replaced by following changes
- reorder upstream commit d0c2c9973ecd net: use core MTU range checking in virt drivers
- Revert 'ACPI / video: Add force_native quirk for HP Pavilion dv6' (bsc#1031717).
- Revert 'Add 'shutdown' to 'struct class'.' (kabi).
- Revert 'KVM: x86: fix emulation of RSM and IRET instructions' (kabi).
- Revert 'Make file credentials available to the seqfile interfaces' (kabi).
- Revert 'mm/list_lru.c: fix list_lru_count_node() to be race free' (kabi).
- Revert 'netvsc: optimize calculation of number of slots' (fate#320485).
- Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914).
- Revert 'powerpc/numa: Fix percpu allocations to be NUMA aware' (bsc#1048914).
- Revert '/proc/iomem: only expose physical resource addresses to privileged users' (kabi).
- Revert 'tpm: Issue a TPM2_Shutdown for TPM2 devices.' (kabi).
- rpm/kernel-binary.spec.in: find-debuginfo.sh should not touch build-id This needs rpm-4.14+ (bsc#964063).
- s390/crash: Remove unused KEXEC_NOTE_BYTES (bsc#1049706).
- s390/kdump: remove code to create ELF notes in the crashed system (bsc#1049706).
- sched/core: Allow __sched_setscheduler() in interrupts when PI is not used (bnc#1022476).
- sched/debug: Print the scheduler topology group mask (bnc#1022476).
- sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1022476).
- sched/fair: Fix O(nr_cgroups) in load balance path (bnc#1022476).
- sched/fair: Use task_groups instead of leaf_cfs_rq_list to walk all cfs_rqs (bnc#1022476).
- sched/topology: Add sched_group_capacity debugging (bnc#1022476).
- sched/topology: Fix building of overlapping sched-groups (bnc#1022476).
- sched/topology: Fix overlapping sched_group_capacity (bnc#1022476).
- sched/topology: Move comment about asymmetric node setups (bnc#1022476).
- sched/topology: Refactor function build_overlap_sched_groups() (bnc#1022476).
- sched/topology: Remove FORCE_SD_OVERLAP (bnc#1022476).
- sched/topology: Simplify build_overlap_sched_groups() (bnc#1022476).
- sched/topology: Small cleanup (bnc#1022476).
- sched/topology: Verify the first group matches the child domain (bnc#1022476).
- scsi: aacraid: Do not copy uninitialized stack memory to userspace (bsc#1048912).
- scsi: aacraid: fix leak of data from stack back to userspace (bsc#1048912).
- scsi: aacraid: fix PCI error recovery path (bsc#1048912).
- scsi: Add STARGET_CREATE_REMOVE state to scsi_target_state (bsc#1013887).
- scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).
- scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).
- scsi_devinfo: fixup string compare (bsc#1037404).
- scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792).
- scsi: hisi_sas: add pci_dev in hisi_hba struct (bsc#1049298).
- scsi: hisi_sas: add v2 hw internal abort timeout workaround (bsc#1049298).
- scsi: hisi_sas: controller reset for multi-bits ECC and AXI fatal errors (bsc#1049298).
- scsi: hisi_sas: fix NULL deference when TMF timeouts (bsc#1049298).
- scsi: hisi_sas: fix timeout check in hisi_sas_internal_task_abort() (bsc#1049298).
- scsi: hisi_sas: optimise DMA slot memory (bsc#1049298).
- scsi: hisi_sas: optimise the usage of hisi_hba.lock (bsc#1049298).
- scsi: hisi_sas: relocate get_ata_protocol() (bsc#1049298).
- scsi: hisi_sas: workaround a SoC SATA IO processing bug (bsc#1049298).
- scsi: hisi_sas: workaround SoC about abort timeout bug (bsc#1049298).
- scsi: hisi_sas: workaround STP link SoC bug (bsc#1049298).
- scsi: kABI fix for new state STARGET_CREATED_REMOVE (bsc#1013887).
- scsi: lpfc: Add auto EQ delay logic (bsc#1042257).
- scsi: lpfc: Added recovery logic for running out of NVMET IO context resources (bsc#1037838).
- scsi: lpfc: Adding additional stats counters for nvme (bsc#1037838).
- scsi: lpfc: Add MDS Diagnostic support (bsc#1037838).
- scsi: lpfc: Cleanup entry_repost settings on SLI4 queues (bsc#1037838).
- scsi: lpfc: do not double count abort errors (bsc#1048912).
- scsi: lpfc: Driver responds LS_RJT to Beacon Off ELS - Linux (bsc#1044623).
- scsi: lpfc: Fix crash after firmware flash when IO is running (bsc#1044623).
- scsi: lpfc: Fix crash doing IO with resets (bsc#1044623).
- scsi: lpfc: Fix crash in lpfc_sli_ringtxcmpl_put when nvmet gets an abort request (bsc#1044623).
- scsi: lpfc: Fix debugfs root inode 'lpfc' not getting deleted on driver unload (bsc#1037838).
- scsi: lpfc: Fix defects reported by Coverity Scan (bsc#1042257).
- scsi: lpfc: fix linking against modular NVMe support (bsc#1048912).
- scsi: lpfc: Fix NMI watchdog assertions when running nvmet IOPS tests (bsc#1037838).
- scsi: lpfc: Fix NVMEI driver not decrementing counter causing bad rport state (bsc#1037838).
- scsi: lpfc: Fix nvme io stoppage after link bounce (bsc#1045404).
- scsi: lpfc: Fix NVMEI's handling of NVMET's PRLI response attributes (bsc#1037838).
- scsi: lpfc: Fix NVME I+T not registering NVME as a supported FC4 type (bsc#1037838).
- scsi: lpfc: Fix nvmet RQ resource needs for large block writes (bsc#1037838).
- scsi: lpfc: fix refcount error on node list (bsc#1045404).
- scsi: lpfc: Fix SLI3 drivers attempting NVME ELS commands (bsc#1044623).
- scsi: lpfc: Fix system crash when port is reset (bsc#1037838).
- scsi: lpfc: Fix system panic when express lane enabled (bsc#1044623).
- scsi: lpfc: Fix used-RPI accounting problem (bsc#1037838).
- scsi: lpfc: Reduce time spent in IRQ for received NVME commands (bsc#1044623).
- scsi: lpfc: Separate NVMET data buffer pool fir ELS/CT (bsc#1037838).
- scsi: lpfc: Separate NVMET RQ buffer posting from IO resources SGL/iocbq/context (bsc#1037838).
- scsi: lpfc: update to revision to 11.4.0.1 (bsc#1044623).
- scsi: lpfc: update version to 11.2.0.14 (bsc#1037838).
- scsi: lpfc: Vport creation is failing with 'Link Down' error (bsc#1044623).
- scsi: qedf: Fix a return value in case of error in 'qedf_alloc_global_queues' (bsc#1048912).
- scsi: qedi: Fix return code in qedi_ep_connect() (bsc#1048912).
- scsi: qedi: Remove WARN_ON for untracked cleanup (bsc#1044443).
- scsi: qedi: Remove WARN_ON from clear task context (bsc#1044443).
- scsi: storvsc: Prefer kcalloc over kzalloc with multiply (fate#320485).
- scsi: storvsc: remove return at end of void function (fate#320485).
- scsi: storvsc: Workaround for virtual DVD SCSI version (fate#320485, bnc#1044636).
- sfc: Add ethtool -m support for QSFP modules (bsc#1049619).
- smartpqi: limit transfer length to 1MB (bsc#1025461).
- smsc75xx: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
- sr9700: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
- string.h: add memcpy_and_pad() (bsc#1048146).
- sysctl: do not print negative flag for proc_douintvec (bnc#1046985).
- Temporarily disable iwlwifi-expose-default-fallback-ucode-api ... for updating iwlwifi stack
- timers: Plug locking race vs. timer migration (bnc#1022476).
- tools: hv: Add clean up for included files in Ubuntu net config (fate#320485).
- tools: hv: Add clean up function for Ubuntu config (fate#320485).
- tools: hv: properly handle long paths (fate#320485).
- tools: hv: set allow-hotplug for VF on Ubuntu (fate#320485).
- tools: hv: set hotplug for VF on Suse (fate#320485).
- Tools: hv: vss: Thaw the filesystem and continue if freeze call has timed out (fate#320485).
- tpm: Issue a TPM2_Shutdown for TPM2 devices (bsc#1053117).
- tpm: KABI fix (bsc#1053117).
- tpm_tis: Fix IRQ autoprobing when using platform_device (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending fixes 2017-07-06).
- tpm_tis: Use platform_get_irq (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending fixes 2017-07-06).
- tpm/tpm_crb: fix priv->cmd_size initialisation (bsc#1020645, fate#321435, fate#321507, fate#321600, Pending SUSE Kernel Fixes).
- udf: Fix deadlock between writeback and udf_setsize() (bsc#1012829).
- udf: Fix races with i_size changes during readpage (bsc#1012829).
- Update config files: add CONFIG_IWLWIFI_PCIE_RTPM=y (FATE#323335)
- vfs: fix missing inode_get_dev sites (bsc#1052049).
- vmbus: cleanup header file style (fate#320485).
- vmbus: expose debug info for drivers (fate#320485).
- vmbus: fix spelling errors (fate#320485).
- vmbus: introduce in-place packet iterator (fate#320485).
- vmbus: only reschedule tasklet if time limit exceeded (fate#320485).
- vmbus: re-enable channel tasklet (fate#320485).
- vmbus: remove unnecessary initialization (fate#320485).
- vmbus: remove useless return's (fate#320485).
- x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache() (bsc#1051399).
- x86/hyperv: Check frequency MSRs presence according to the specification (fate#320485).
- x86/LDT: Print the real LDT base address (bsc#1051478).
- x86/mce: Make timer handling more robust (bsc#1042422).
- x86/panic: replace smp_send_stop() with kdump friendly version in panic path (bsc#1051478).
- x86/platform/uv/BAU: Disable BAU on single hub configurations (bsc#1050320).
- x86/platform/uv/BAU: Fix congested_response_us not taking effect (bsc#1050322).
- xen: allocate page for shared info page from low memory (bnc#1038616).
- xen/balloon: do not online new memory initially (bnc#1028173).
- xen: hold lock_device_hotplug throughout vcpu hotplug operations (bsc#1042422).
- xen-netfront: Rework the fix for Rx stall during OOM and network stress (git-fixes).
- xen/pvh*: Support > 32 VCPUs at domain restore (bnc#1045563).
- xfrm: NULL dereference on allocation failure (bsc#1047343).
- xfrm: Oops on error in pfkey_msg2xfrm_state() (bsc#1047653).
- xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).
- xfs: detect and trim torn writes during log recovery (bsc#1036215).
- xfs: do not BUG() on mixed direct and mapped I/O (bsc#1050188).
- xfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- xfs: refactor and open code log record crc check (bsc#1036215).
- xfs: refactor log record start detection into a new helper (bsc#1036215).
- xfs: return start block of first bad log record during recovery (bsc#1036215).
- xfs: support a crc verification only log record pass (bsc#1036215).
- xgene: Do not fail probe, if there is no clk resource for SGMII interfaces (bsc#1048501).
- xilinx network drivers: disable (bsc#1046170).


-----------------------------------------
Patch: SUSE-2017-1410
Released: Tue Aug 29 17:55:57 2017
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 1054602,1054603
Description:
This update for cloud-regionsrv-client provides fixes and enhancements:

- Fix traceback if configuration file is not set up properly.
- Add feature to allow user to specify a target SMT server, new command line options:
  --smt-ip, --smt-fp, --smt-fqdn.


-----------------------------------------
Patch: SUSE-2017-1411
Released: Tue Aug 29 17:56:02 2017
Summary: Recommended update for python-gcemetadata, regionServiceClientConfigGCE, regionServiceClientConfigSAPGCE
Severity: low
References: 1045148,1053687,1053695,1053696
Description:
This update for python-gcemetadata, regionServiceClientConfigGCE and regionServiceClientConfigSAPGCE provides fixes and enhancements.

regionServiceClientConfigGCE, regionServiceClientConfigSAPGCE:

- Configure the client to send license verification data to the SMT server.

python-gcemetadata:

- Implement new feature to generate license verification token.
- Add man page.
- The --identity argument must accept a value and the value is required.
- Properly handle overlapping enpoint names.
- Support writing data to a file and as XML snippets.
- Set proper value for dict lookup to avoid traceback.


-----------------------------------------
Patch: SUSE-2017-1419
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:

- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)




-----------------------------------------
Patch: SUSE-2017-1424
Released: Thu Aug 31 17:46:42 2017
Summary: Recommended update for tcsh
Severity: low
References: 1028864
Description:
This update for tcsh provides the following fix:

- Avoid closing sockets that were not opened by tcsh itself. (bsc#1028864)

-----------------------------------------
Patch: SUSE-2017-1430
Released: Thu Aug 31 21:43:54 2017
Summary: Security update for icu
Severity: moderate
References: 929629,CVE-2014-8146,CVE-2014-8147
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer
  data type that is inconsistent with a header file, which allowed remote attackers to cause a
  denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code
  via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly
  track directionally isolated pieces of text, which allowed remote attackers to cause a denial of
  service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text
  (bsc#929629).
  

-----------------------------------------
Patch: SUSE-2017-1434
Released: Fri Sep  1 11:52:18 2017
Summary: Recommended update for release-notes-sles
Severity: low
References: 1046755,1049960,1056433
Description:
The Release Notes of SUSE Linux Enterprise Server 12 SP3 have been updated to document:

- Updated number of supported vCPUs in KVM. (fate#321335)
- NVDIMM and Persistent Memory on QEMU. (fate#319684)
- Intel* Omni-Path Architecture (OPA) Host Software. (fate#321473, bsc#1046755)
- KVM on AArch64. (fate#321497)
- Error on Migration From SP2 to SP3 When HPC Module Is Selected. (fate#323911, bsc#1049960)
- Toolchain Module Enabled in Default Installation. (fate#320679)
- New System-on-Chip Driver Enablement. (fate#323366)


-----------------------------------------
Patch: SUSE-2017-1436
Released: Fri Sep  1 11:53:48 2017
Summary: Recommended update for xorg-x11-server
Severity: low
References: 1025084,1047154
Description:
This update for xorg-x11-server provides the following fixes:

- Improve the entropy when generating random data used in X.org server authorization
  cookies generation by using getentropy() and getrandom() when available. (bsc#1025084)
- Fix rendering with glamor acceleration. (bsc#1047154)


-----------------------------------------
Patch: SUSE-2017-1439
Released: Fri Sep  1 15:31:05 2017
Summary: Recommended update for systemd
Severity: important
References: 1045384,1045987,1046268,1047379,1048605
Description:
This update for systemd fixes the following issues:

- Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)

- compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
- core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
- udev/path_id: introduce support for NVMe devices (bsc#1045987)



-----------------------------------------
Patch: SUSE-2017-1443
Released: Mon Sep  4 13:32:24 2017
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: low
References: 1053737
Description:
This update for supportutils-plugin-suse-public-cloud provides version 1.0.2 and adds the following additional packages
to the framework specific package queries:

- Microsoft Azure:
  + python3-azurectl

- Amazon EC2:
  + python3-ec2deprecateimg, python3-ec2metadata, python3-ec2publishimg, python3-ec2uploadimg,
    regionServiceClientConfigSAPEC2, supportutils-plugin-suse-public-cloud

- Google Cloud Platform (GCE):
    * google-compute-engine-init, google-compute-engine-oslogin, python3-gcemetadata,
      regionServiceClientConfigSAPGCE, supportutils-plugin-suse-public-cloud


-----------------------------------------
Patch: SUSE-2017-1447
Released: Mon Sep  4 15:38:20 2017
Summary: Security update for libzypp, zypper
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:

- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)


-----------------------------------------
Patch: SUSE-2017-1450
Released: Mon Sep  4 16:36:07 2017
Summary: Recommended update for insserv-compat
Severity: low
References: 1035062,944903
Description:

This update for insserv-compat fixes the following issues:

- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.


-----------------------------------------
Patch: SUSE-2017-1451
Released: Mon Sep  4 18:34:03 2017
Summary: Recommended update for yast2-ntp-client
Severity: low
References: 1043370,1051899
Description:
This update for yast2-ntp-client provides the following fixes:

- Fix a crash when a restrict entry in autoyast have an empty value. (bsc#1043370)
- Make sure the trusted key configuration entry is written correctly. (bsc#1043370)
- Fix a crash in ntp-client. (bsc#1051899)


-----------------------------------------
Patch: SUSE-2017-1453
Released: Mon Sep  4 21:23:50 2017
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:

- libgcrypt stored an open file descriptor to the random device in
  a static variable between invocations.
  gnome-keyring-daemon on initialization reopened descriptors 0-2
  with /dev/null which caused an infinite loop when libgcrypt
  attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to
    save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid
    allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping
  some of the tests (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before
  calling dlsym (bsc#1047008)


-----------------------------------------
Patch: SUSE-2017-1467
Released: Wed Sep  6 12:58:33 2017
Summary: Recommended update for Mesa
Severity: low
References: 1047154
Description:
This update for Mesa provides the following fix:

- Fix some rendering problems detected through rendercheck tests when X server is using
  glamor for acceleration. (bsc#1047154)


-----------------------------------------
Patch: SUSE-2017-1471
Released: Wed Sep  6 16:19:58 2017
Summary: Security update for gdk-pixbuf
Severity: important
References: 1027024,1027025,1027026,1048289,1048544,1049877,CVE-2017-2862,CVE-2017-2870,CVE-2017-6312,CVE-2017-6313,CVE-2017-6314
Description:
This update for gdk-pixbuf fixes the following issues:

- CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289)
- CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544)
- CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024)
- CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025)
- CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026)


-----------------------------------------
Patch: SUSE-2017-1481
Released: Fri Sep  8 16:48:35 2017
Summary: Recommended update for autoyast2
Severity: moderate
References: 1047809,1049473,1051483,1052145,1054969
Description:
This update for autoyast2 provides the following fixes:

- Fix a problem that classes/rules were being ignored due to the stack not being properly
  initialized when evaluating multiple times (in case of a self-update). (bsc#1051483)
- Fix a crash while applying the configuration to the system via the 'File/Apply Profile
  to this System' menu. (bsc#1047809)
- Make sure ask-scripts and their corresponding log files are saved to /var/adm/autoinstall.
  (bsc#1049473)
- Fix running autoyast2 on installed systems by writing the init scripts to
  /var/adm/autoinstall/init.d. (bsc#1052145)
- Handle packages that are missing a PGP signature but have valid digests. (bsc#1054969)


-----------------------------------------
Patch: SUSE-2017-1487
Released: Mon Sep 11 12:35:07 2017
Summary: Recommended update for unixODBC
Severity: low
References: 1044970
Description:
This update for unixODBC provides the following enhancements:

- Enable compile time option --enable-fastvalidate. This disables some internal validation
  checks performed on connection handles by unixODBC, increasing performance specially when
  many handles are used on multi-threaded systems. (fate#323520, bsc#1044970)


-----------------------------------------
Patch: SUSE-2017-1517
Released: Wed Sep 13 12:39:42 2017
Summary: Recommended update for dracut
Severity: moderate
References: 1021846,1037344,1048606,1048698,1048748,1049113,1054538,1054809,1055492
Description:
This update for dracut provides the following fixes:

- Ensure dracut.sh responds properly to hostonly_cmdline option. (bsc#1048748)
- Fix system shutdown when in initrd rescue mode. (bsc#1048698)
- Do not scan drivers for their reverse dependency as this causes too many extra modules to
  be included into the initrd. (bsc#1037344)
- Make sure dracut looks for modules.builtin in the correct path when used with the --kmoddir
  option. (bsc#1048606)
- Ensure the ssh-client is usable by including the NSS plugin libraries configured in
  nsswitch.conf. (bsc#1021846)
- Sync initramfs after creation to ensure it is properly written to disk when using fadump
  and invoking crash right after service start. (bsc#1049113)
- Don't detect crc32.ko as built-in, as in some kernel configurations it may also appear as
  a module. (bsc#1054538)
- Enable systemd-based core dumps for initrd. (bsc#1054809)
- Add missing coreutils dependency for initrd macros. (bsc#1055492)


-----------------------------------------
Patch: SUSE-2017-1527
Released: Thu Sep 14 12:52:11 2017
Summary: Recommended update for yast2-ca-management
Severity: low
References: 1051538
Description:

This update for yast2-ca-management fixes parsing of URL values in parameters such as 'caIssuers' 
from openssl.cnf.


-----------------------------------------
Patch: SUSE-2017-1528
Released: Thu Sep 14 12:52:33 2017
Summary: Recommended update for yast2-storage
Severity: moderate
References: 1044250,1044434,1049108,1051200,1051210,988700
Description:
This update for yast2-storage provides the following fixes:

- Fix Btrfs default sub-volume name detection. (bsc#1044434, bsc#1044250)
- Mark the description of the first snapshot for translation. (bsc#988700)
- Allow different mount points for the home partition. (fate#323532)
- Fix installation when the system has a volume group with no logical volumes.
  (bsc#1049108)


-----------------------------------------
Patch: SUSE-2017-1548
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:

- Add lunsearch filter to findresized() so that only LUNs specified using --luns are
  rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use
  sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity
  checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)


-----------------------------------------
Patch: SUSE-2017-1549
Released: Fri Sep 15 18:26:57 2017
Summary: Recommended update for at
Severity: low
References: 988890
Description:

This update for at fixes the following issues:

- The systemd atd.service will now run After=nss-user-lookup.target not after
  systemd-user-sessions.service
- Make systemd atd.service run After=time-sync.target (bsc#988890)


-----------------------------------------
Patch: SUSE-2017-1562
Released: Mon Sep 18 18:40:24 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1057389,CVE-2017-1000251
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive the following security fixes:

- CVE-2017-1000251: The native Bluetooth stack in the Linux Kernel was
  vulnerable to a stack overflow while processing L2CAP configuration
  responses, resulting in a potential remote denial-of-service vulnerability
  but no remote code execution due to use of CONFIG_CC_STACKPROTECTOR.
  [bnc#1057389]
  

-----------------------------------------
Patch: SUSE-2017-1564
Released: Tue Sep 19 18:38:16 2017
Summary: Security update for gcc48
Severity: moderate
References: 1011348,1022062,1028744,1039513,1044016,1050947,988274,CVE-2017-11671
Description:
This update for gcc48 fixes the following issues:

Security issues fixed:

- A new option -fstack-clash-protection is now offered, which mitigates the stack clash type of attacks. [bnc#1039513]
  Future maintenance releases of packages will be built with this option.
- CVE-2017-11671: Fixed rdrand/rdseed code generation issue [bsc#1050947]

Bugs fixed:

- Enable LFS support in 32bit libgcov.a.  [bsc#1044016]
- Bump libffi version in libffi.pc to 3.0.11.
- Fix libffi issue for armv7l.  [bsc#988274]
- Properly diagnose missing -fsanitize=address support on ppc64le.  [bnc#1028744]
- Backport patch for PR65612.  [bnc#1022062]
- Fixed DR#1288.  [bnc#1011348]


-----------------------------------------
Patch: SUSE-2017-1572
Released: Thu Sep 21 15:32:04 2017
Summary: Security update for apache2
Severity: moderate
References: 1058058,CVE-2017-9798
Description:
This update for apache2 fixes the following security issue:

- CVE-2017-9798: Prevent use-after-free use of memory that allowed for an
  information leak via OPTIONS (bsc#1058058).


-----------------------------------------
Patch: SUSE-2017-1573
Released: Thu Sep 21 16:12:55 2017
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1057695
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to fix the following issue:

- xfs: revert previously applied patch to fix a regression that would cause
  system failures saying 'Torn write (CRC failure) detected' while trying to
  mount an XFS file system. [bnc#1057695]
  

-----------------------------------------
Patch: SUSE-2017-1579
Released: Fri Sep 22 09:42:25 2017
Summary: Recommended update for tigervnc, vncmanager
Severity: low
References: 1041847,1053373,1054300
Description:
This update for tigervnc and vncmanager provides the following fixes:

- Fix race problem when detecting listening inetd sockets. (bsc#1054300)
- Fix certificate handling in the Java client. (bsc#1041847)
- Make sure CN in generated certificate doesn't exceed 64 characters. (bsc#1041847)
- Change with-vnc-key.sh to generate TLS certificate using current hostname to keep
  it short. (bsc#1041847)
- Disable MIT-SHM extension when running under user 'vnc'. (bsc#1053373)
- Disable MIT-SHM extension in Xvnc when started by vncmanager. (bsc#1053373)


-----------------------------------------
Patch: SUSE-2017-1585
Released: Mon Sep 25 16:03:33 2017
Summary: Recommended update for iproute2
Severity: low
References: 1034855,1045399,1056261,990635
Description:
This update for iproute2 provides the following fixes:

- Fix command line parser in routel command preventing it from entering in an infinite
  loop. (bsc#1034855)
- Do not truncate the output of 'ip addr' on systems with a large number of VFs.
  (bsc#1045399, bsc#1056261)
- Clarify the meaning of 'priority' in ip-rule(8) and ip-route(8)
  manual pages. (bsc#990635)


-----------------------------------------
Patch: SUSE-2017-1586
Released: Mon Sep 25 17:16:58 2017
Summary: Recommended update for xinetd
Severity: low
References: 1054532,943484,947475,972691
Description:
This update for xinetd provides the following fixes:

- Specifying multiple log targets in the configuration caused a crash in xinetd, so make
  sure this is not allowed and in case of misconfiguration handle it correctly.
  (bsc#1054532)
- Fix a race condition that was causing xinetd not to be running after receiving a SIGHUP
  and a call to bind() failing with error EADDRINUSE. The fix exposes a sysconfig variable
  named XINETD_BIND_DELAY that can be used to delay calls to bind(). (bsc#972691)
- Fix an error that was causing a failure in xinetd when trying to fallback from IPv6 to
  IPv4. (bsc#947475)
- Update the documentation about the maximum allowed size of server parameters. (bsc#943484)


-----------------------------------------
Patch: SUSE-2017-1589
Released: Tue Sep 26 09:58:51 2017
Summary: Security update for tiff
Severity: moderate
References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805,CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Description:
This update for tiff to version 4.0.8 fixes a several bugs and security issues:

These security issues were fixed:

- CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127).
- CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438).
- CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118).
- CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126).
- CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120).
- CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113).
- CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112).
- CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111).
- CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109).
- CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131).
- CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129).
- CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128).
- CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805).
- CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804).

These various other issues were fixed:

- Fix uint32 overflow in TIFFReadEncodedStrip() that caused an
  integer division by zero. Reported by Agostino Sarubbo.
- fix heap-based buffer overflow on generation of PixarLog / LUV
  compressed files, with ColorMap, TransferFunction attached and
  nasty plays with bitspersample. The fix for LUV has not been
  tested, but suffers from the same kind of issue of PixarLog.
- modify ChopUpSingleUncompressedStrip() to instanciate compute
  ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
  instead of a logic based on the total size of data. Which is
  faulty is the total size of data is not sufficient to fill the
  whole image, and thus results in reading outside of the
  StripByCounts/StripOffsets arrays when using
  TIFFReadScanline()
- make OJPEGDecode() early exit in case of failure in
  OJPEGPreDecode(). This will avoid a divide by zero, and
  potential other issues.
- fix misleading indentation as warned by GCC.
- revert change done on 2016-01-09 that made Param member of
  TIFFFaxTabEnt structure a uint16 to reduce size of the
  binary. It happens that the Hylafax software uses the tables
  that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
  TIFFFaxBlackTable), although they are not in a public libtiff
  header.
- add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants
  of the functions without ext, with an extra argument to control
  the stop_on_error behaviour.
- fix potential memory leaks in error code path of
  TIFFRGBAImageBegin().
- increase libjpeg max memory usable to 10 MB instead of libjpeg
  1MB default. This helps when creating files with 'big' tile,
  without using libjpeg temporary files.
- add _TIFFcalloc()
- return 0 in Encode functions instead of -1 when
  TIFFFlushData1() fails.
- only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling
  tag is not explicitly present. This helps a bit to reduce the
  I/O amount when the tag is present (especially on cloud hosted
  files).
- in LZWPostEncode(), increase, if necessary, the code bit-width
  after flushing the remaining code and before emitting the EOI
  code.
- fix memory leak in error code path of PixarLogSetupDecode().
- fix potential memory leak in
  OJPEGReadHeaderInfoSecTablesQTable,
  OJPEGReadHeaderInfoSecTablesDcTable and
  OJPEGReadHeaderInfoSecTablesAcTable
- avoid crash in Fax3Close() on empty file.
- TIFFFillStrip(): add limitation to the number of bytes read
  in case td_stripbytecount[strip] is bigger than reasonable,
  so as to avoid excessive memory allocation.
- fix memory leak when the underlying codec (ZIP, PixarLog)
  succeeds its setupdecode() method, but PredictorSetup fails.
- TIFFFillStrip() and TIFFFillTile(): avoid excessive memory
  allocation in case of shorten files. Only effective on 64 bit
  builds and non-mapped cases.
- TIFFFillStripPartial() / TIFFSeek(), avoid potential integer
  overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode.
- avoid excessive memory allocation in case of shorten files.
  Only effective on 64 bit builds.
- update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
  tif_rawdataloaded when calling TIFFStartStrip() or
  TIFFFillStripPartial(). 
- avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes
- avoid potential int32 overflows in multiply_ms() and add_ms().
- fix out-of-buffer read in PackBitsDecode() Fixes
- LogL16InitState(): avoid excessive memory allocation when
  RowsPerStrip tag is missing.
- update dec_bitsleft at beginning of LZWDecode(), and update
  tif_rawcc at end of LZWDecode(). This is needed to properly
  work with the latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc
  with avail_in at beginning and end of function, similarly to
  what is done in LZWDecode(). Likely needed so that it works
  properly with latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- initYCbCrConversion(): add basic validation of luma and
  refBlackWhite coefficients (just check they are not NaN for
  now), to avoid potential float to int overflows.
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid division by zero
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid
  division by zero.
- initYCbCrConversion(): stricter validation for refBlackWhite
  coefficients values.
- avoid uint32 underflow in cpDecodedStrips that can cause
  various issues, such as buffer overflows in the library.
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that
  the output buffer is correctly incremented to avoid write
  outside bounds.
- add 3 extra bytes at end of strip buffer in
  readSeparateStripsIntoBuffer() to avoid read outside of heap
  allocated buffer.
- fix integer division by zero when BitsPerSample is missing.
- fix null pointer dereference in -r mode when the image has no
  StripByteCount tag.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit
  the return number of inks to SamplesPerPixel, so that code
  that parses ink names doesn't go past the end of the buffer.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- fix uint32 underflow/overflow that can cause heap-based buffer
  overflow.
- replace assert( (bps % 8) == 0 ) by a non assert check.
- fix 2 heap-based buffer overflows (in PSDataBW and
  PSDataColorContig).
- prevent heap-based buffer overflow in -j mode on a paletted
  image.
- fix wrong usage of memcpy() that can trigger unspecified behaviour.
- avoid potential invalid memory read in t2p_writeproc.
- avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().
- remove extraneous TIFFClose() in error code path, that caused
  double free.
- error out cleanly in cpContig2SeparateByRow and
  cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap
  based overflow.
- avoid integer division by zero.
- call TIFFClose() in error code paths.
- emit appropriate message if the input file is empty.
- close TIFF handle in error code path.


-----------------------------------------
Patch: SUSE-2017-1592
Released: Tue Sep 26 17:38:03 2017
Summary: Recommended update for lvm2
Severity: moderate
References: 1028485,1045628,978055,998893,999878
Description:

This update for lvm2 provides the following fixes:

- Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
- Try to refresh clvmd's device cache on the first failure. (bsc#978055)
- Fix stale device cache in clvmd. (bsc#978055)
- Warn if PV size in metadata is larger than disk device size. (bsc#999878)
- Fix lvm2 activation issue when used on top of multipath. (bsc#998893)


-----------------------------------------
Patch: SUSE-2017-1597
Released: Wed Sep 27 15:24:38 2017
Summary: Recommended update for autofs
Severity: low
References: 1046493
Description:

This update for autofs improves timeout handling to use a monotonic time source. This prevents
negative adjustments of the system clock from affecting expiration of automounted volumes.


-----------------------------------------
Patch: SUSE-2017-1599
Released: Wed Sep 27 15:32:53 2017
Summary: Recommended update for cloud-regionsrv-client
Severity: low
References: 1058616
Description:
This update for cloud-regionsrv-client fixes the zypper plugin on systems that use proxy servers.


-----------------------------------------
Patch: SUSE-2017-1606
Released: Thu Sep 28 15:52:49 2017
Summary: Recommended update for xinetd
Severity: important
References: 1060432
Description:
This update for xinetd fixes a regression that could cause a crash when an 'IPv6' flag was specified
without a 'bind' option (bsc#1060432)


-----------------------------------------
Patch: SUSE-2017-1622
Released: Mon Oct  2 20:06:28 2017
Summary: Recommended update for yast2-xml
Severity: low
References: 1047449
Description:
This update for yast2-xml provides the following fix:

- Omit libxml2 memory cleanup to prevent a crash if rubygem-nokogiri is installed.
  (bsc#1047449)


-----------------------------------------
Patch: SUSE-2017-1632
Released: Tue Oct  3 13:36:48 2017
Summary: Recommended update for yast2-bootloader
Severity: low
References: 1039712,1052006
Description:
This update for yast2-bootloader provides the following fix:

- Make sure the correct MBR device is found to install grub. (bsc#1039712, bsc#1052006)


-----------------------------------------
Patch: SUSE-2017-1639
Released: Fri Oct  6 14:17:16 2017
Summary: Recommended update for kexec-tools
Severity: low
References: 1033599
Description:
This update for kexec-tools fixes the kexec-bootloader with separate /boot partition.


-----------------------------------------
Patch: SUSE-2017-1641
Released: Fri Oct  6 14:18:45 2017
Summary: Recommended update for google-compute-engine
Severity: low
References: 1049242,1057671
Description:
This update for google-compute-engine provides fixes and enhancements:

- Support oslogin feature. (bsc#1049242, fate#323757)
- Allow nologin paths other than /sbin/nologin.
- Try to download GCS URLs with curl if gsutil is not installed.
- Fix control scripts to correctly restart sshd and nscd if they exist.
- Retry HTTP requests if error 500 is received.
- Move oslogin sudoers directory locations.
- Start services after registercloudguest. (bsc#1057671)


-----------------------------------------
Patch: SUSE-2017-1644
Released: Mon Oct  9 07:52:24 2017
Summary: Security update for krb5
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.

This security issue was fixed:

- CVE-2017-11462: Prevent automatic security context deletion to prevent
  double-free (bsc#1056995)

These non-security issues were fixed:

- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of
  LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)


-----------------------------------------
Patch: SUSE-2017-1662
Released: Tue Oct 10 11:58:50 2017
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1060445,1061005,CVE-2017-7793,CVE-2017-7805,CVE-2017-7810,CVE-2017-7814,CVE-2017-7818,CVE-2017-7819,CVE-2017-7823,CVE-2017-7824,CVE-2017-7825
Description:
This update for MozillaFirefox to ESR 52.4, mozilla-nss fixes the following issues:

This security issue was fixed for mozilla-nss:

- CVE-2017-7805: Prevent use-after-free in TLS 1.2 when generating handshake hashes (bsc#1061005)

These security issues were fixed for Firefox 

- CVE-2017-7825: Fixed some Tibetan and Arabic unicode characters rendering (bsc#1060445).
- CVE-2017-7805: Prevent Use-after-free in TLS 1.2 generating handshake hashes (bsc#1060445).
- CVE-2017-7819: Prevent Use-after-free while resizing images in design mode (bsc#1060445).
- CVE-2017-7818: Prevent Use-after-free during ARIA array manipulation (bsc#1060445).
- CVE-2017-7793: Prevent Use-after-free with Fetch API (bsc#1060445).
- CVE-2017-7824: Prevent Buffer overflow when drawing and validating elements with ANGLE (bsc#1060445).
- CVE-2017-7810: Fixed several memory safety bugs (bsc#1060445).
- CVE-2017-7823: CSP sandbox directive did not create a unique origin (bsc#1060445).
- CVE-2017-7814: Blob and data URLs bypassed phishing and malware protection warnings (bsc#1060445).


-----------------------------------------
Patch: SUSE-2017-1663
Released: Tue Oct 10 12:05:09 2017
Summary: Recommended update for dbus-1
Severity: moderate
References: 1043615,1046173
Description:
This update for dbus-1 provides the following fixes:

- Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted.
  (bsc#1043615)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any
  initscript anymore. (bsc#1046173)


-----------------------------------------
Patch: SUSE-2017-1671
Released: Tue Oct 10 16:54:57 2017
Summary: Security update for samba
Severity: moderate
References: 1050707,1058565,1058622,1058624,CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Description:
This update for samba fixes several issues.

These security issues were fixed:

- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to
  file, leaking information from the server to the client (bsc#1058624)
- CVE-2017-12150: Always enforce smb signing when it is configured (bsc#1058622)
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects (bsc#1058565)

The following non-security issue was fixed:

- Fix GUID string format on GetPrinter info request. (bsc#1050707)


-----------------------------------------
Patch: SUSE-2017-1676
Released: Wed Oct 11 15:49:25 2017
Summary: Recommended update for supportutils
Severity: important
References: 1061282
Description:
This update for supportutils fixes the following issues:

* A core_pattern containing pipe could have lead to a filesystem corruption (bsc#1061282)



-----------------------------------------
Patch: SUSE-2017-1692
Released: Mon Oct 16 15:17:30 2017
Summary: Recommended update for yast2-packager
Severity: low
References: 1032523
Description:
This update for yast2-packager provides the following fix:

- Fix configuring the EULA acceptance in AutoYaST of add-on products present in the media
  of the base product. (bsc#1032523)


-----------------------------------------
Patch: SUSE-2017-1695
Released: Tue Oct 17 11:06:57 2017
Summary: Recommended update for netcat-openbsd
Severity: low
References: 1061165
Description:
This update for netcat-openbsd provides the following fix:

- Fix a logic error that would prevent netcat from sending out UDP packets. (bsc#1061165)


-----------------------------------------
Patch: SUSE-2017-1706
Released: Tue Oct 17 15:01:22 2017
Summary: Recommended update for sle2docker
Severity: low
References: 1058371
Description:

This update extends sle2docker to be able to load native Docker images.

Current KIWI docker support builds loadable images, thus they don't need to be built
from a rootfs tarball any more. Image RPMs for native images store the image tarball
inside /usr/share/suse-docker-images/native folder.


-----------------------------------------
Patch: SUSE-2017-1755
Released: Fri Oct 20 18:03:54 2017
Summary: Recommended update for desktop-data-SLE
Severity: low
References: 1058231
Description:
This update for desktop-data-SLE provides the following fix:

- Disable 'Novell' branding in wallpapers. (fate#320506, bsc#1058231)


-----------------------------------------
Patch: SUSE-2017-1758
Released: Mon Oct 23 08:47:47 2017
Summary: Security update for curl
Severity: moderate
References: 1060653,1061876,1063824,CVE-2017-1000254,CVE-2017-1000257
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
- CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

Bugs fixed:

- Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)



-----------------------------------------
Patch: SUSE-2017-1770
Released: Wed Oct 25 10:27:56 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1004527,1005776,1005778,1005780,1005781,1012382,1012829,1015342,1015343,1019675,1019680,1019695,1019699,1020412,1020645,1020657,1020989,1021424,1022595,1022604,1022743,1022912,1022967,1024346,1024373,1024405,1025461,1030850,1031717,1031784,1032150,1034048,1034075,1035479,1036060,1036215,1036737,1037579,1037838,1037890,1038583,1040813,1042847,1043598,1044503,1046529,1047238,1047487,1047989,1048155,1048228,1048325,1048327,1048356,1048501,1048893,1048912,1048934,1049226,1049272,1049291,1049336,1049361,1049580,1050471,1050742,1051790,1051987,1052093,1052094,1052095,1052360,1052384,1052580,1052593,1052888,1053043,1053309,1053472,1053627,1053629,1053633,1053681,1053685,1053802,1053915,1053919,1054082,1054084,1054654,1055013,1055096,1055272,1055290,1055359,1055493,1055567,1055709,1055755,1055896,1055935,1055963,1056061,1056185,1056230,1056261,1056427,1056587,1056588,1056596,1056686,1056827,1056849,1056982,1057015,1057031,1057035,1057038,1057047,1057067,1057383,1057498,1057849,1058038,1058116,1058135,1058410,1058507,1058512,1058550,1059051,1059465,1059500,1059863,1060197,1060229,1060249,1060400,1060985,1061017,1061046,1061064,1061067,1061172,1061451,1061721,1061775,1061831,1061872,1062279,1062520,1062962,1063102,1063349,1063460,1063475,1063479,1063501,1063509,1063520,1063570,1063667,1063671,1063695,1064064,1064206,1064388,1064436,963575,964944,966170,966172,966186,966191,966316,966318,969476,969477,969756,971975,981309,CVE-2017-1000252,CVE-2017-11472,CVE-2017-12134,CVE-2017-12153,CVE-2017-12154,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14489,CVE-2017-15265,CVE-2017-15649
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).
- CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580).
- CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bsc#1053919).
- CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410).
- CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the 'CR8-load exiting' and 'CR8-store exiting' L0 vmcs02 controls exist in cases where L1 omits the 'use TPR shadow' vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507).
- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1056061 1063479 1063667 1063671).
- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).
- CVE-2017-14489: The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local users to cause a denial of service (panic) by leveraging incorrect length validation (bnc#1059051).
- CVE-2017-15265: Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520).
- CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388).

The following non-security bugs were fixed:

- acpi: apd: Add clock frequency for Hisilicon Hip07/08 I2C controller (bsc#1049291).
- acpi: apd: Fix HID for Hisilicon Hip07/08 (bsc#1049291).
- acpi: apei: Enable APEI multiple GHES source to share a single external IRQ (bsc#1053627).
- acpica: iort: Update SMMU models for revision C (bsc#1036060).
- acpi: irq: Fix return code of acpi_gsi_to_irq() (bsc#1053627).
- acpi/nfit: Fix memory corruption/Unregister mce decoder on failure (bsc#1057047).
- acpi: pci: fix GIC irq model default PCI IRQ polarity (bsc#1053629).
- acpi/processor: Check for duplicate processor ids at hotplug time (bnc#1056230).
- acpi/processor: Implement DEVICE operator for processor enumeration (bnc#1056230).
- ahci: do not use MSI for devices with the silly Intel NVMe remapping scheme (bsc#1048912).
- ahci: thunderx2: stop engine fix update (bsc#1057031).
- alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).
- alsa: compress: Remove unused variable (bnc#1012382).
- alsa: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) (bsc#1020657).
- alsa: hda - Implement mic-mute LED mode enum (bsc#1055013).
- alsa: hda/realtek - Add support headphone Mic for ALC221 of HP platform (bsc#1024405).
- alsa: hda - Workaround for i915 KBL breakage (bsc#1048356,bsc#1047989,bsc#1055272).
- alsa: ice1712: Add support for STAudio ADCIII (bsc#1048934).
- alsa: usb-audio: Apply sample rate quirk to Sennheiser headset (bsc#1052580).
- alsa: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (bnc#1012382).
- alsa: usx2y: Suppress kernel warning at page allocation failures (bnc#1012382).
- arc: Re-enable MMU upon Machine Check exception (bnc#1012382).
- arm64: add function to get a cpu's MADT GICC table (bsc#1062279).
- arm64: do not trace atomic operations (bsc#1055290).
- arm64: dts: Add Broadcom Vulcan PMU in dts (fate#319481).
- arm64: fault: Route pte translation faults via do_translation_fault (bnc#1012382).
- arm64: Make sure SPsel is always set (bnc#1012382).
- arm64: mm: select CONFIG_ARCH_PROC_KCORE_TEXT (bsc#1046529).
- arm64: pci: Fix struct acpi_pci_root_ops allocation failure path (bsc#1056849).
- arm64/perf: Access pmu register using <read/write>_sys_reg (bsc#1062279).
- arm64/perf: Add Broadcom Vulcan PMU support (fate#319481).
- arm64/perf: Changed events naming as per the ARM ARM (fate#319481).
- arm64/perf: Define complete ARMv8 recommended implementation defined events (fate#319481).
- arm64: perf: do not expose CHAIN event in sysfs (bsc#1062279).
- arm64: perf: Extend event config for ARMv8.1 (bsc#1062279).
- arm64/perf: Filter common events based on PMCEIDn_EL0 (fate#319481).
- arm64: perf: Ignore exclude_hv when kernel is running in HYP (bsc#1062279).
- arm64: perf: move to common attr_group fields (bsc#1062279).
- arm64: perf: Use the builtin_platform_driver (bsc#1062279).
- arm64: pmu: add fallback probe table (bsc#1062279).
- arm64: pmu: Hoist pmu platform device name (bsc#1062279).
- arm64: pmu: Probe default hw/cache counters (bsc#1062279).
- arm64: pmuv3: handle pmuv3+ (bsc#1062279).
- arm64: pmuv3: handle !PMUv3 when probing (bsc#1062279).
- arm64: pmuv3: use arm_pmu ACPI framework (bsc#1062279).
- arm64: pmu: Wire-up Cortex A53 L2 cache events and DTLB refills (bsc#1062279).
- arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).
- arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes (bnc#1012382).
- arm/perf: Convert to hotplug state machine (bsc#1062279).
- arm/perf: Fix hotplug state machine conversion (bsc#1062279).
- arm/perf: Use multi instance instead of custom list (bsc#1062279).
- arm: pxa: add the number of DMA requestor lines (bnc#1012382).
- arm: pxa: fix the number of DMA requestor lines (bnc#1012382).
- arm: remove duplicate 'const' annotations' (bnc#1012382).
- asoc: dapm: fix some pointer error handling (bnc#1012382).
- asoc: dapm: handle probe deferrals (bnc#1012382).
- audit: log 32-bit socketcalls (bnc#1012382).
- bcache: correct cache_dirty_target in __update_writeback_rate() (bnc#1012382).
- bcache: Correct return value for sysfs attach errors (bnc#1012382).
- bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).
- bcache: fix bch_hprint crash and improve output (bnc#1012382).
- bcache: fix for gc and write-back race (bnc#1012382).
- bcache: Fix leak of bdev reference (bnc#1012382).
- bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).
- blacklist.conf: a7b8829d242b1a58107e9c02b09e93aec446d55c is not applicable
- blacklist.conf: Add commit b5accbb0dfae
- blacklist.conf: add one more
- blacklist.conf: Blacklist d12fe87e62d7 signal/testing: Do not look for __SI_FAULT in userspace It just fixes a self-test.
- blacklist.conf: e859afe1ee0c5ae981c55387ccd45eba258a7842 is not applicable
- blacklist.conf: fixes on relevant for MIPS/driver not in our tree
- blacklist.conf: gcc7 compiler warning (bsc#1056849)
- block: genhd: add device_add_disk_with_groups (bsc#1060400).
- block: Relax a check in blk_start_queue() (bnc#1012382).
- block: return on congested block device (FATE#321994).
- bluetooth: bnep: fix possible might sleep error in bnep_session (bsc#1031784).
- bluetooth: cmtp: fix possible might sleep error in cmtp_session (bsc#1031784).
- bnx2x: Do not log mc removal needlessly (bsc#1019680 FATE#321692).
- bnxt: add a missing rcu synchronization (bnc#1038583).
- bnxt: do not busy-poll when link is down (bnc#1038583).
- bnxt_en: Add a callback to inform RDMA driver during PCI shutdown (bsc#1053309).
- bnxt_en: Add additional chip ID definitions (bsc#1053309).
- bnxt_en: Add bnxt_get_num_stats() to centrally get the number of ethtool stats (bsc#1053309).
- bnxt_en: Add missing logic to handle TPA end error conditions (bsc#1053309).
- bnxt_en: Add PCI IDs for BCM57454 VF devices (bsc#1053309).
- bnxt_en: Allow the user to set ethtool stats-block-usecs to 0 (bsc#1053309).
- bnxt_en: Call bnxt_dcb_init() after getting firmware DCBX configuration (bsc#1053309).
- bnxt_en: Check status of firmware DCBX agent before setting DCB_CAP_DCBX_HOST (bsc#1053309).
- bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps() (bsc#963575 FATE#320144).
- bnxt_en: Enable MRU enables bit when configuring VNIC MRU (bnc#1038583).
- bnxt_en: Fix and clarify link_info->advertising (bnc#1038583).
- bnxt_en: Fix a VXLAN vs GENEVE issue (bnc#1038583).
- bnxt_en: Fix bug in ethtool -L (bsc#1053309).
- bnxt_en: Fix netpoll handling (bsc#1053309).
- bnxt_en: Fix NULL pointer dereference in a failure path during open (bnc#1038583).
- bnxt_en: Fix NULL pointer dereference in reopen failure path (bnc#1038583).
- bnxt_en: fix pci cleanup in bnxt_init_one() failure path (bnc#1038583).
- bnxt_en: Fix race conditions in .ndo_get_stats64() (bsc#1053309).
- bnxt_en: Fix ring arithmetic in bnxt_setup_tc() (bnc#1038583).
- bnxt_en: Fix SRIOV on big-endian architecture (bsc#1053309).
- bnxt_en: Fix TX push operation on ARM64 (bnc#1038583).
- bnxt_en: Fix 'uninitialized variable' bug in TPA code path (bnc#1038583).
- bnxt_en: Fix VF virtual link state (bnc#1038583).
- bnxt_en: Fix xmit_more with BQL (bsc#1053309).
- bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re (bsc#1020412 FATE#321671).
- bnxt_en: Implement ndo_bridge_{get|set}link methods (bsc#1053309).
- bnxt_en: Implement xmit_more (bsc#1053309).
- bnxt_en: initialize rc to zero to avoid returning garbage (bnc#1038583).
- bnxt_en: Optimize doorbell write operations for newer chips (bsc#1053309).
- bnxt_en: Pad TX packets below 52 bytes (bnc#1038583).
- bnxt_en: Pass in sh parameter to bnxt_set_dflt_rings() (bsc#1053309).
- bnxt_en: Refactor TPA code path (bnc#1038583).
- bnxt_en: Report firmware DCBX agent (bsc#1053309).
- bnxt_en: Retrieve the hardware bridge mode from the firmware (bsc#1053309).
- bnxt_en: Set ETS min_bw parameter for older firmware (bsc#1053309).
- bnxt_en: Support for Short Firmware Message (bsc#1053309).
- bnxt_en: Update firmware interface spec to 1.8.0 (bsc#1053309).
- bnxt: fix unsigned comparsion with 0 (bsc#1053309).
- bnxt: fix unused variable warnings (bsc#1053309).
- bnxt_re: Do not issue cmd to delete GID for QP1 GID entry before the QP is destroyed (bsc#1056596).
- bnxt_re: Fix compare and swap atomic operands (bsc#1056596).
- bnxt_re: Fix memory leak in FRMR path (bsc#1056596).
- bnxt_re: Fix race between the netdev register and unregister events (bsc#1037579).
- bnxt_re: Fix update of qplib_qp.mtu when modified (bsc#1056596).
- bnxt_re: Free up devices in module_exit path (bsc#1056596).
- bnxt_re: Remove RTNL lock dependency in bnxt_re_query_port (bsc#1056596).
- bnxt_re: Stop issuing further cmds to FW once a cmd times out (bsc#1056596).
- brcmfmac: setup passive scan if requested by user-space (bnc#1012382).
- bridge: netlink: register netdevice before executing changelink (bnc#1012382).
- bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).
- btrfs: change how we decide to commit transactions during flushing (bsc#1060197).
- btrfs: fix early ENOSPC due to delalloc (bsc#1049226).
- btrfs: fix NULL pointer dereference from free_reloc_roots() (bnc#1012382).
- btrfs: nowait aio: Correct assignment of pos (FATE#321994).
- btrfs: nowait aio support (FATE#321994).
- btrfs: prevent to set invalid default subvolid (bnc#1012382).
- btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).
- btrfs: qgroup: move noisy underflow warning to debugging build (bsc#1055755).
- ceph: avoid accessing freeing inode in ceph_check_delayed_caps() (bsc#1048228).
- ceph: avoid invalid memory dereference in the middle of umount (bsc#1048228).
- ceph: avoid panic in create_session_open_msg() if utsname() returns NULL (bsc#1061451).
- ceph: check negative offsets in ceph_llseek() (bsc#1061451).
- ceph: cleanup writepage_nounlock() (bsc#1048228).
- ceph: do not re-send interrupted flock request (bsc#1048228).
- ceph: fix message order check in handle_cap_export() (bsc#1061451).
- ceph: fix NULL pointer dereference in ceph_flush_snaps() (bsc#1061451).
- ceph: fix readpage from fscache (bsc#1057015).
- ceph: getattr before read on ceph.* xattrs (bsc#1048228).
- ceph: handle epoch barriers in cap messages (bsc#1048228).
- ceph: limit osd read size to CEPH_MSG_MAX_DATA_LEN (bsc#1061451).
- ceph: limit osd write size (bsc#1061451).
- ceph: new mount option that specifies fscache uniquifier (bsc#1048228).
- ceph: redirty page when writepage_nounlock() skips unwritable page (bsc#1048228).
- ceph: remove special ack vs commit behavior (bsc#1048228).
- ceph: remove useless page->mapping check in writepage_nounlock() (bsc#1048228).
- ceph: re-request max size after importing caps (bsc#1048228).
- ceph: stop on-going cached readdir if mds revokes FILE_SHARED cap (bsc#1061451).
- ceph: update ceph_dentry_info::lease_session when necessary (bsc#1048228).
- ceph: update the 'approaching max_size' code (bsc#1048228).
- ceph: validate correctness of some mount options (bsc#1061451).
- ceph: when seeing write errors on an inode, switch to sync writes (bsc#1048228).
- cifs: add build_path_from_dentry_optional_prefix() (fate#323482).
- cifs: add use_ipc flag to SMB2_ioctl() (fate#323482).
- cifs: Fix maximum SMB2 header size (bsc#1056185).
- cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).
- cifs: Fix sparse warnings (fate#323482).
- cifs: implement get_dfs_refer for SMB2+ (fate#323482).
- cifs: let ses->ipc_tid hold smb2 TreeIds (fate#323482).
- cifs: move DFS response parsing out of SMB1 code (fate#323482).
- cifs: release auth_key.response for reconnect (bnc#1012382).
- cifs: remove any preceding delimiter from prefix_path (fate#323482).
- cifs: set signing flag in SMB2+ TreeConnect if needed (fate#323482).
- cifs: use DFS pathnames in SMB2+ Create requests (fate#323482).
- clocksource/drivers/arm_arch_timer: Fix mem frame loop initialization (bsc#1055709).
- cpufreq: intel_pstate: Disable energy efficiency optimization (bsc#1054654).
- crush: assume weight_set != null imples weight_set_size > 0 (bsc#1048228).
- crush: crush_init_workspace starts with struct crush_work (bsc#1048228).
- crush: implement weight and id overrides for straw2 (bsc#1048228).
- crush: remove an obsolete comment (bsc#1048228).
- crypto: AF_ALG - remove SGL terminator indicator when chaining (bnc#1012382).
- crypto: chcr - Add ctr mode and process large sg entries for cipher (bsc#1048325).
- crypto: chcr - Avoid changing request structure (bsc#1048325).
- crypto: chcr - Ensure Destination sg entry size less than 2k (bsc#1048325).
- crypto: chcr - Fix fallback key setting (bsc#1048325).
- crypto: chcr - Pass lcb bit setting to firmware (bsc#1048325).
- crypto: chcr - Return correct error code (bsc#1048325).
- crypto: talitos - Do not provide setkey for non hmac hashing algs (bnc#1012382).
- crypto: talitos - fix sha224 (bnc#1012382).
- cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox() (bsc#1021424 bsc#1022743).
- cxgb4: update latest firmware version supported (bsc#1048327).
- cxgbit: add missing __kfree_skb() (bsc#1052095).
- cxgbit: fix sg_nents calculation (bsc#1052095).
- cxl: Fix driver use count (bnc#1012382).
- device-dax: fix cdev leak (bsc#1057047).
- dmaengine: mmp-pdma: add number of requestors (bnc#1012382).
- dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx (bsc#1056849).
- dmaengine: mv_xor_v2: enable XOR engine after its configuration (bsc#1056849).
- dmaengine: mv_xor_v2: fix tx_submit() implementation (bsc#1056849).
- dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly (bsc#1056849).
- dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors (bsc#1056849).
- dmaengine: mv_xor_v2: remove interrupt coalescing (bsc#1056849).
- dmaengine: mv_xor_v2: set DMA mask to 40 bits (bsc#1056849).
- dm mpath: do not lock up a CPU with requeuing activity (bsc#1048912).
- documentation: arm64: pmu: Add Broadcom Vulcan PMU binding (fate#319481).
- driver-core: platform: Add platform_irq_count() (bsc#1062279).
- driver core: platform: Do not read past the end of 'driver_override' buffer (bnc#1012382).
- drivers: base: cacheinfo: fix boot error message when acpi is enabled (bsc#1057849).
- drivers: firmware: psci: drop duplicate const from psci_of_match (FATE#319482 bnc#1012382).
- drivers: hv: fcopy: restore correct transfer length (bnc#1012382).
- drivers: net: phy: xgene: Fix mdio write (bsc#1057383).
- drivers: net: xgene: Fix wrong logical operation (bsc#1056827).
- drivers/perf: arm_pmu_acpi: avoid perf IRQ init when guest PMU is off (bsc#1062279).
- drivers/perf: arm_pmu_acpi: Release memory obtained by kasprintf (bsc#1062279).
- drivers/perf: arm_pmu: add ACPI framework (bsc#1062279).
- drivers/perf: arm_pmu: add common attr group fields (bsc#1062279).
- drivers/perf: arm_pmu: Always consider IRQ0 as an error (bsc#1062279).
- drivers/perf: arm_pmu: Avoid leaking pmu->irq_affinity on error (bsc#1062279).
- drivers/perf: arm_pmu: avoid NULL dereference when not using devicetree (bsc#1062279).
- drivers/perf: arm-pmu: convert arm_pmu_mutex to spinlock (bsc#1062279).
- drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu (bsc#1062279).
- drivers/perf: arm_pmu: define armpmu_init_fn (bsc#1062279).
- drivers/perf: arm_pmu: expose a cpumask in sysfs (bsc#1062279).
- drivers/perf: arm_pmu: factor out pmu registration (bsc#1062279).
- drivers/perf: arm-pmu: Fix handling of SPI lacking 'interrupt-affinity' property (bsc#1062279).
- drivers/perf: arm_pmu: Fix NULL pointer dereference during probe (bsc#1062279).
- drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power (bsc#1062279).
- drivers/perf: arm_pmu: Fix reference count of a device_node in of_pmu_irq_cfg (bsc#1062279).
- drivers/perf: arm_pmu: fold init into alloc (bsc#1062279).
- drivers/perf: arm_pmu: handle no platform_device (bsc#1062279).
- drivers/perf: arm-pmu: Handle per-interrupt affinity mask (bsc#1062279).
- drivers/perf: arm_pmu: implement CPU_PM notifier (bsc#1062279).
- drivers/perf: arm_pmu: make info messages more verbose (bsc#1062279).
- drivers/perf: arm_pmu: manage interrupts per-cpu (bsc#1062279).
- drivers/perf: arm_pmu: move irq request/free into probe (bsc#1062279).
- drivers/perf: arm_pmu: only use common attr_groups (bsc#1062279).
- drivers/perf: arm_pmu: remove pointless PMU disabling (bsc#1062279).
- drivers/perf: arm_pmu: rename irq request/free functions (bsc#1062279).
- drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU (bsc#1062279).
- drivers/perf: arm_pmu: rework per-cpu allocation (bsc#1062279).
- drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs() (bsc#1062279).
- drivers/perf: arm_pmu: split cpu-local irq request/free (bsc#1062279).
- drivers/perf: arm_pmu: split irq request from enable (bsc#1062279).
- drivers/perf: arm_pmu: split out platform device probe logic (bsc#1062279).
- drivers/perf: kill armpmu_register (bsc#1062279).
- drm: Add driver-private objects to atomic state (bsc#1055493).
- drm/amdkfd: fix improper return value on error (bnc#1012382).
- drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).
- drm/dp: Introduce MST topology state to track available link bandwidth (bsc#1055493).
- drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).
- drm/i915/bios: ignore HDMI on port A (bnc#1012382).
- drm/vmwgfx: Limit max desktop dimensions to 8Kx8K (bsc#1048155).
- e1000e: use disable_hardirq() also for MSIX vectors in e1000_netpoll() (bsc#1022912 FATE#321246).
- edac, sb_edac: Assign EDAC memory controller per h/w controller (bsc#1061721).
- edac, sb_edac: Avoid creating SOCK memory controller (bsc#1061721).
- edac, sb_edac: Bump driver version and do some cleanups (bsc#1061721).
- edac, sb_edac: Carve out dimm-populating loop (bsc#1061721).
- edac, sb_edac: Check if ECC enabled when at least one DIMM is present (bsc#1061721).
- edac, sb_edac: Classify memory mirroring modes (bsc#1061721).
- edac, sb_edac: Classify PCI-IDs by topology (bsc#1061721).
- edac, sb_edac: Do not create a second memory controller if HA1 is not present (bsc#1061721).
- edac, sb_edac: Do not use 'Socket#' in the memory controller name (bsc#1061721).
- edac, sb_edac: Drop NUM_CHANNELS from 8 back to 4 (bsc#1061721).
- edac, sb_edac: Fix mod_name (bsc#1061721).
- edac, sb_edac: Get rid of ->show_interleave_mode() (bsc#1061721).
- edac, sb_edac: Remove double buffering of error records (bsc#1061721).
- edac, sb_edac: Remove NULL pointer check on array pci_tad (bsc#1061721).
- edac, skx_edac: Handle systems with segmented PCI busses (bsc#1063102).
- edac, thunderx: Fix a warning during l2c debugfs node creation (bsc#1057038).
- edac, thunderx: Fix error handling path in thunderx_lmc_probe() (bsc#1057038).
- efi/fb: Avoid reconfiguration of BAR that covers the framebuffer (bsc#1051987).
- efi/fb: Correct PCI_STD_RESOURCE_END usage (bsc#1051987).
- ext4: do not allow encrypted operations without keys (bnc#1012382).
- ext4: fix incorrect quotaoff if the quota feature is enabled (bnc#1012382).
- ext4: fix quota inconsistency during orphan cleanup for read-only mounts (bnc#1012382).
- ext4: nowait aio support (FATE#321994).
- extcon: axp288: Use vbus-valid instead of -present to determine cable presence (bnc#1012382).
- exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).
- f2fs: check hot_data for roll-forward recovery (bnc#1012382).
- fix flags ordering (bsc#1034075 comment 131)
- Fix mpage_writepage() for pages with buffers (bsc#1050471).
- fix whitespace according to upstream commit
- fix xen_swiotlb_dma_mmap prototype (bnc#1012382).
- fs/epoll: cache leftmost node (bsc#1056427).
- fs: Introduce filemap_range_has_page() (FATE#321994).
- fs: Introduce RWF_NOWAIT and FMODE_AIO_NOWAIT (FATE#321994).
- fs/mpage.c: fix mpage_writepage() for pages with buffers (bsc#1050471). Update to version in mainline
- fs/proc: kcore: use kcore_list type to check for vmalloc/module address (bsc#1046529).
- fs: return if direct I/O will trigger writeback (FATE#321994).
- fs: Separate out kiocb flags setup based on RWF_* flags (FATE#321994).
- fs: Use RWF_* flags for AIO operations (FATE#321994).
- ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).
- ftrace: Fix memleak when unregistering dynamic ops when tracing disabled (bnc#1012382).
- ftrace: Fix selftest goto location on error (bnc#1012382).
- genirq: Fix for_each_action_of_desc() macro (bsc#1061064).
- getcwd: Close race with d_move called by lustre (bsc#1052593).
- gfs2: Do not clear SGID when inheriting ACLs (bsc#1012829).
- gfs2: Fix debugfs glocks dump (bnc#1012382).
- gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).
- gianfar: Fix Tx flow control deactivation (bnc#1012382).
- hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).
- Hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch (bnc#1022967).
- hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes (bnc#1012382).
- i2c: designware: Add ACPI HID for Hisilicon Hip07/08 I2C controller (bsc#1049291).
- i2c: designware: Convert to use unified device property API (bsc#1049291).
- i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).
- i2c: xgene: Set ACPI_COMPANION_I2C (bsc#1053633).
- i2c: xgene-slimpro: Add ACPI support by using PCC mailbox (bsc#1053633).
- i2c: xgene-slimpro: include linux/io.h for memremap (bsc#1053633).
- i2c: xgene-slimpro: Use a single function to send command message (bsc#1053633).
- i40e/i40evf: fix out-of-bounds read of cpumask (bsc#1053685).
- i40e: Initialize 64-bit statistics TX ring seqcount (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/core: Add generic function to extract IB speed from netdev (bsc#1056596).
- ib/core: Add ordered workqueue for RoCE GID management (bsc#1056596).
- ib/core: Fix for core panic (bsc#1022595 FATE#322350).
- ib/core: Fix the validations of a multicast LID in attach or detach operations (bsc#1022595 FATE#322350).
- ib/hns: checking for IS_ERR() instead of NULL (bsc#1056849).
- ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382 bsc#1022595 FATE#322350).
- ib/ipoib: Replace list_del of the neigh->list with list_del_init (FATE#322350 bnc#1012382 bsc#1022595).
- ib/ipoib: rtnl_unlock can not come after free_netdev (FATE#322350 bnc#1012382 bsc#1022595).
- ib/mlx5: Change logic for dispatching IB events for port state (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix cached MR allocation flow (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ibmvnic: Clean up resources on probe failure (fate#323285, bsc#1058116).
- ibmvnic: Set state UP (bsc#1062962).
- ib/qib: fix false-postive maybe-uninitialized warning (FATE#321231 FATE#321473 FATE#322149 FATE#322153 bnc#1012382).
- ib/rxe: Add dst_clone() in prepare_ipv6_hdr() (bsc#1049361).
- ib/rxe: Avoid ICRC errors by copying into the skb first (bsc#1049361).
- ib/rxe: Disable completion upcalls when a CQ is destroyed (bsc#1049361).
- ib/rxe: Fix destination cache for IPv6 (bsc#1049361).
- ib/rxe: Fix up rxe_qp_cleanup() (bsc#1049361).
- ib/rxe: Fix up the responder's find_resources() function (bsc#1049361).
- ib/rxe: Handle NETDEV_CHANGE events (bsc#1049361).
- ib/rxe: Move refcounting earlier in rxe_send() (bsc#1049361).
- ib/rxe: Remove dangling prototype (bsc#1049361).
- ib/rxe: Remove unneeded initialization in prepare6() (bsc#1049361).
- ib/rxe: Set dma_mask and coherent_dma_mask (bsc#1049361).
- igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).
- iio: ad7793: Fix the serial interface reset (bnc#1012382).
- iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications (bnc#1012382).
- iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).
- iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).
- iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).
- iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()' (bnc#1012382).
- iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()' (bnc#1012382).
- iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).
- iio: core: Return error for failed read_reg (bnc#1012382).
- input: i8042 - add Gigabyte P57 to the keyboard reset table (bnc#1012382).
- iommu/arm-smmu-v3, acpi: Add temporary Cavium SMMU-V3 IORT model number definitions (bsc#1036060).
- iommu/arm-smmu-v3: Increase CMDQ drain timeout value (bsc#1035479). Refresh patch to mainline version
- iommu/io-pgtable-arm: Check for leaf entry before dereferencing it (bnc#1012382).
- iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).
- ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() (bnc#1012382).
- ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).
- ipv6: fix memory leak with multiple tables during netns destruction (bnc#1012382).
- ipv6: fix sparse warning on rt6i_node (bnc#1012382).
- ipv6: fix typo in fib6_net_exit() (bnc#1012382).
- irqchip/gic-v3-its: Fix command buffer allocation (bsc#1057067).
- iscsi-target: fix invalid flags in text response (bsc#1052095).
- iw_cxgb4: put ep reference in pass_accept_req() (FATE#321658 bsc#1005778 FATE#321660 bsc#1005780 FATE#321661 bsc#1005781).
- iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).
- iwlwifi: mvm: do not send CTDP commands via debugfs if not supported (bsc#1031717).
- kabi: arm64: compatibility workaround for lse atomics (bsc#1055290).
- kabi fix drivers/nvme/target/nvmet.h (bsc#1058550).
- KABI fixup struct nvmet_sq (bsc#1063349).
- kABI: protect enum fs_flow_table_type (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- kABI: protect enum pid_type (kabi).
- kABI: protect struct iscsi_np (kabi).
- kABI: protect struct mlx5_priv (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- kABI: protect struct rm_data_op (kabi).
- kABI: protect struct sdio_func (kabi).
- kabi/severities: add fs/ceph to kabi severities (bsc#1048228).
- kabi/severities: Ignore drivers/scsi/cxgbi (bsc#1052094)
- kabi/severities: Ignore kABI changes due to last patchset (bnc#1053472)
- kabi/severities: ignore nfs_pgio_data_destroy
- kABI: uninline task_tgid_nr_nr (kabi).
- kABI: Workaround kABI breakage of AMD-AVIC fixes (bsc#1044503).
- kernel/*: switch to memdup_user_nul() (bsc#1048893).
- kernel/sysctl_binary.c: check name array length in deprecated_sysctl_warning() (FATE#323821).
- keys: fix writing past end of user-supplied buffer in keyring_read() (bnc#1012382).
- keys: prevent creating a different user's keyrings (bnc#1012382).
- keys: prevent KEYCTL_READ on negative key (bnc#1012382).
- kvm: Add struct kvm_vcpu pointer parameter to get_enable_apicv() (bsc#1044503).
- kvm: arm64: Restore host physical timer access on hyp_panic() (bsc#1054082).
- kvm: arm/arm64: Fix bug in advertising KVM_CAP_MSI_DEVID capability (bsc#1054082).
- kvm: async_pf: Fix #DF due to inject 'Page not Present' and 'Page Ready' exceptions simultaneously (bsc#1061017).
- kvm, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state (bsc#1055935).
- kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() (bnc#1012382).
- kvm: SVM: Add a missing 'break' statement (bsc#1061017).
- kvm: SVM: Add irqchip_split() checks before enabling AVIC (bsc#1044503).
- kvm: SVM: delete avic_vm_id_bitmap (2 megabyte static array) (bsc#1059500).
- kvm: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu() (bsc#1044503).
- kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).
- kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt (bsc#1061017).
- kvm: VMX: use cmpxchg64 (bnc#1012382).
- kvm: x86: block guest protection keys unless the host has them enabled (bsc#1055935).
- kvm: x86: kABI workaround for PKRU fixes (bsc#1055935).
- kvm: x86: simplify handling of PKRU (bsc#1055935).
- libata: transport: Remove circular dependency at free time (bnc#1012382).
- libceph: abort already submitted but abortable requests when map or pool goes full (bsc#1048228).
- libceph: add an epoch_barrier field to struct ceph_osd_client (bsc#1048228).
- libceph: advertise support for NEW_OSDOP_ENCODING and SERVER_LUMINOUS (bsc#1048228).
- libceph: advertise support for OSD_POOLRESEND (bsc#1048228).
- libceph: allow requests to return immediately on full conditions if caller wishes (bsc#1048228).
- libceph: always populate t->target_{oid,oloc} in calc_target() (bsc#1048228).
- libceph: always signal completion when done (bsc#1048228).
- libceph: apply_upmap() (bsc#1048228).
- libceph: avoid unnecessary pi lookups in calc_target() (bsc#1048228).
- libceph: ceph_connection_operations::reencode_message() method (bsc#1048228).
- libceph: ceph_decode_skip_* helpers (bsc#1048228).
- libceph: compute actual pgid in ceph_pg_to_up_acting_osds() (bsc#1048228).
- libceph, crush: per-pool crush_choose_arg_map for crush_do_rule() (bsc#1048228).
- libceph: delete from need_resend_linger before check_linger_pool_dne() (bsc#1048228).
- libceph: do not allow bidirectional swap of pg-upmap-items (bsc#1061451).
- libceph: do not call encode_request_finish() on MOSDBackoff messages (bsc#1048228).
- libceph: do not call ->reencode_message() more than once per message (bsc#1048228).
- libceph: do not pass pgid by value (bsc#1048228).
- libceph: drop need_resend from calc_target() (bsc#1048228).
- libceph: encode_{pgid,oloc}() helpers (bsc#1048228).
- libceph: fallback for when there isn't a pool-specific choose_arg (bsc#1048228).
- libceph: fix old style declaration warnings (bsc#1048228).
- libceph: foldreq->last_force_resend into ceph_osd_request_target (bsc#1048228).
- libceph: get rid of ack vs commit (bsc#1048228).
- libceph: handle non-empty dest in ceph_{oloc,oid}_copy() (bsc#1048228).
- libceph: initialize last_linger_id with a large integer (bsc#1048228).
- libceph: introduce and switch to decode_pg_mapping() (bsc#1048228).
- libceph: introduce ceph_spg, ceph_pg_to_primary_shard() (bsc#1048228).
- libceph: kill __{insert,lookup,remove}_pg_mapping() (bsc#1048228).
- libceph: make DEFINE_RB_* helpers more general (bsc#1048228).
- libceph: make encode_request_*() work with r_mempool requests (bsc#1048228).
- libceph: make RECOVERY_DELETES feature create a new interval (bsc#1048228).
- libceph: make sure need_resend targets reflect latest map (bsc#1048228).
- libceph: MOSDOp v8 encoding (actual spgid + full hash) (bsc#1048228).
- libceph: new features macros (bsc#1048228).
- libceph: new pi->last_force_request_resend (bsc#1048228).
- libceph: NULL deref on osdmap_apply_incremental() error path (bsc#1048228).
- libceph: osd_request_timeout option (bsc#1048228).
- libceph: osd_state is 32 bits wide in luminous (bsc#1048228).
- libceph: pg_upmap[_items] infrastructure (bsc#1048228).
- libceph: pool deletion detection (bsc#1048228).
- libceph: potential NULL dereference in ceph_msg_data_create() (bsc#1048228).
- libceph: remove ceph_sanitize_features() workaround (bsc#1048228).
- libceph: remove now unused finish_request() wrapper (bsc#1048228).
- libceph: remove req->r_replay_version (bsc#1048228).
- libceph: resend on PG splits if OSD has RESEND_ON_SPLIT (bsc#1048228).
- libceph: respect RADOS_BACKOFF backoffs (bsc#1048228).
- libceph: set -EINVAL in one place in crush_decode() (bsc#1048228).
- libceph: support SERVER_JEWEL feature bits (bsc#1048228).
- libceph: take osdc->lock in osdmap_show() and dump flags in hex (bsc#1048228).
- libceph: upmap semantic changes (bsc#1048228).
- libceph: use alloc_pg_mapping() in __decode_pg_upmap_items() (bsc#1048228).
- libceph: use target pi for calc_target() calculations (bsc#1048228).
- lib: test_rhashtable: fix for large entry counts (bsc#1055359).
- lib: test_rhashtable: Fix KASAN warning (bsc#1055359).
- lightnvm: remove unused rq parameter of nvme_nvm_rqtocmd() to kill warning (FATE#319466).
- locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y (bsc#969756).
- locking/rwsem-spinlock: Fix EINTR branch in __down_write_common() (bsc#969756).
- lpfc: Add Buffer to Buffer credit recovery support (bsc#1052384).
- lpfc: convert info messages to standard messages (bsc#1052384).
- lpfc: Correct issues with FAWWN and FDISCs (bsc#1052384).
- lpfc: Correct return error codes to align with nvme_fc transport (bsc#1052384).
- lpfc: Fix bad sgl reposting after 2nd adapter reset (bsc#1052384).
- lpfc: Fix crash in lpfc nvmet when fc port is reset (bsc#1052384).
- lpfc: Fix duplicate NVME rport entries and namespaces (bsc#1052384).
- lpfc: Fix handling of FCP and NVME FC4 types in Pt2Pt topology (bsc#1052384).
- lpfc: fix 'integer constant too large' error on 32bit archs (bsc#1052384).
- lpfc: Fix loop mode target discovery (bsc#1052384).
- lpfc: Fix MRQ > 1 context list handling (bsc#1052384).
- lpfc: Fix NVME PRLI handling during RSCN (bsc#1052384).
- lpfc: Fix nvme target failure after 2nd adapter reset (bsc#1052384).
- lpfc: Fix oops when NVME Target is discovered in a nonNVME environment (bsc#1052384).
- lpfc: Fix plogi collision that causes illegal state transition (bsc#1052384).
- lpfc: Fix rediscovery on switch blade pull (bsc#1052384).
- lpfc: Fix relative offset error on large nvmet target ios (bsc#1052384).
- lpfc: fixup crash during storage failover operations (bsc#1042847).
- lpfc: Limit amount of work processed in IRQ (bsc#1052384).
- lpfc: lpfc version bump 11.4.0.3 (bsc#1052384).
- lpfc: remove console log clutter (bsc#1052384).
- lpfc: support nvmet_fc defer_rcv callback (bsc#1052384).
- lsm: fix smack_inode_removexattr and xattr_getsecurity memleak (bnc#1012382).
- mac80211: flush hw_roc_start work before cancelling the ROC (bnc#1012382).
- md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).
- md/raid10: submit bio directly to replacement disk (bnc#1012382).
- md/raid5: fix a race condition in stripe batch (linux-stable).
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list (bnc#1012382).
- md/raid5: release/flush io in raid5_do_work() (bnc#1012382).
- media: uvcvideo: Prevent heap overflow when accessing mapped controls (bnc#1012382).
- media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).
- megaraid_sas: Fix probing cards without io port (bsc#1053681).
- mips: Ensure bss section ends on a long-aligned address (bnc#1012382).
- mips: Fix minimum alignment requirement of IRQ stack (git-fixes).
- mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).
- mips: Lantiq: Fix another request_mem_region() return code check (bnc#1012382).
- mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs (bnc#1012382).
- mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs (bnc#1012382).
- mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero (bnc#1012382).
- mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation (bnc#1012382).
- mips: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative (bnc#1012382).
- mips: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs (bnc#1012382).
- mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).
- mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- mm: avoid marking swap cached page as lazyfree (VM Functionality, bsc#1061775).
- mm/backing-dev.c: fix an error handling path in 'cgwb_create()' (bnc#1063475).
- mmc: mmc: correct the logic for setting HS400ES signal voltage (bsc#1054082).
- mm,compaction: serialize waitqueue_active() checks (for real) (bsc#971975).
- mmc: sdhci-xenon: add set_power callback (bsc#1057035).
- mmc: sdhci-xenon: Fix the work flow in xenon_remove() (bsc#1057035).
- mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).
- mm: discard memblock data later (bnc#1063460).
- mm: fix data corruption caused by lazyfree page (VM Functionality, bsc#1061775).
- mm, madvise: ensure poisoned pages are removed from per-cpu lists (VM hw poison -- git fixes).
- mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).
- mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).
- mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function (bnc#1063501).
- mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long (bnc#1063520).
- mm/page_alloc.c: apply gfp_allowed_mask before the first allocation attempt (bnc#971975 VM -- git fixes).
- mm: prevent double decrease of nr_reserved_highatomic (bnc#1012382).
- mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings (bsc#1046529).
- mptsas: Fixup device hotplug for VMWare ESXi (bsc#1030850).
- net: core: Prevent from dereferencing null pointer when releasing SKB (bnc#1012382).
- net: ethernet: hip04: Call SET_NETDEV_DEV() (bsc#1049336).
- netfilter: fix IS_ERR_VALUE usage (bsc#1052888).
- netfilter: invoke synchronize_rcu after set the _hook_ to NULL (bnc#1012382).
- netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max (bnc#1012382).
- netfilter: x_tables: pack percpu counter allocations (bsc#1052888).
- netfilter: x_tables: pass xt_counters struct instead of packet counter (bsc#1052888).
- netfilter: x_tables: pass xt_counters struct to counter allocator (bsc#1052888).
- net: hns: add acpi function of xge led control (bsc#1049336).
- net: hns: Fix a skb used after free bug (bsc#1049336).
- net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- net/mlx5: Check device capability for maximum flow counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Delay events till ib registration ends (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Check for qos capability in dcbnl_initialize (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Do not add/remove 802.1ad rules when changing 802.1Q VLAN filter (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix calculated checksum offloads counters (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix dangling page pointer on DMA mapping error (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix DCB_CAP_ATTR_DCBX capability for DCBNL getcap (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix inline header size for small packets (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Print netdev features correctly in error message (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: E-Switch, Unload the representors in the correct order (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix arm SRQ command for ISSI version 0 (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix command completion after timeout access invalid structure (bsc#966318 FATE#320158 bsc#966316 FATE#320159).
- net/mlx5: Fix counter list hardware structure (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Remove the flag MLX5_INTERFACE_STATE_SHUTDOWN (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mvpp2: fix the mac address used when using PPv2.2 (bsc#1032150).
- net: mvpp2: use {get, put}_cpu() instead of smp_processor_id() (bsc#1032150).
- net/packet: check length in getsockopt() called with PACKET_HDRLEN (bnc#1012382).
- net: phy: Fix lack of reference count on PHY driver (bsc#1049336).
- net: phy: Fix PHY module checks and NULL deref in phy_attach_direct() (bsc#1049336).
- netvsc: Initialize 64-bit stats seqcount (fate#320485).
- new helper: memdup_user_nul() (bsc#1048893).
- nfsd: Fix general protection fault in release_lock_stateid() (bnc#1012382).
- nfs: flush data when locking a file to ensure cache coherence for mmap (bsc#981309).
- nvme: allow timed-out ios to retry (bsc#1063349).
- nvme-fabrics: generate spec-compliant UUID NQNs (bsc#1057498).
- nvme-fc: address target disconnect race conditions in fcp io submit (bsc#1052384).
- nvme-fc: do not override opts->nr_io_queues (bsc#1052384).
- nvme-fc: kABI fix for defer_rcv() callback (bsc#1052384).
- nvme_fc/nvmet_fc: revise Create Association descriptor length (bsc#1052384).
- nvme_fc: Reattach to localports on re-registration (bsc#1052384).
- nvme-fc: revise TRADDR parsing (bsc#1052384).
- nvme-fc: update tagset nr_hw_queues after queues reinit (bsc#1052384).
- nvme-fc: use blk_mq_delay_run_hw_queue instead of open-coding it (bsc#1052384).
- nvme: fix hostid parsing (bsc#1049272).
- nvme: fix sqhd reference when admin queue connect fails (bsc#1063349).
- nvme: fix visibility of 'uuid' ns attribute (bsc#1060400).
- nvme-loop: update tagset nr_hw_queues after reconnecting/resetting (bsc#1052384).
- nvme: protect against simultaneous shutdown invocations (FATE#319965 bnc#1012382 bsc#964944).
- nvme-rdma: update tagset nr_hw_queues after reconnecting/resetting (bsc#1052384).
- nvme: stop aer posting if controller state not live (bsc#1063349).
- nvmet: avoid unneeded assignment of submit_bio return value (bsc#1052384).
- nvmet_fc: Accept variable pad lengths on Create Association LS (bsc#1052384).
- nvmet_fc: add defer_req callback for deferment of cmd buffer return (bsc#1052384).
- nvmet-fc: correct use after free on list teardown (bsc#1052384).
- nvmet-fc: eliminate incorrect static markers on local variables (bsc#1052384).
- nvmet-fc: fix byte swapping in nvmet_fc_ls_create_association (bsc#1052384).
- nvmet_fc: Simplify sg list handling (bsc#1052384).
- nvmet: implement valid sqhd values in completions (bsc#1063349).
- nvmet: Move serial number from controller to subsystem (bsc#1058550).
- nvmet: prefix version configfs file with attr (bsc#1052384).
- nvmet: preserve controller serial number between reboots (bsc#1058550).
- nvmet: synchronize sqhd update (bsc#1063349).
- nvme: use device_add_disk_with_groups() (bsc#1060400).
- of: fix '/cpus' reference leak in of_numa_parse_cpu_nodes() (bsc#1056827).
- ovl: fix dentry leak for default_permissions (bsc#1054084).
- parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).
- partitions/efi: Fix integer overflow in GPT size calculation (FATE#322379 bnc#1012382 bsc#1020989).
- pci: Allow PCI express root ports to find themselves (bsc#1061046).
- pci: fix oops when try to find Root Port for a PCI device (bsc#1061046).
- pci: Fix race condition with driver_override (bnc#1012382).
- pci: Mark AMD Stoney GPU ATS as broken (bsc#1061046).
- pci: rockchip: Handle regulator_get_current_limit() failure correctly (bsc#1056849).
- pci: rockchip: Use normal register bank for config accessors (bsc#1056849).
- pci: shpchp: Enable bridge bus mastering if MSI is enabled (bnc#1012382).
- percpu_ref: allow operation mode switching operations to be called concurrently (bsc#1055096).
- percpu_ref: remove unnecessary RCU grace period for staggered atomic switching confirmation (bsc#1055096).
- percpu_ref: reorganize __percpu_ref_switch_to_atomic() and relocate percpu_ref_switch_to_atomic() (bsc#1055096).
- percpu_ref: restructure operation mode switching (bsc#1055096).
- percpu_ref: unify staggered atomic switching wait behavior (bsc#1055096).
- perf: arm: acpi: remove cpu hotplug statemachine dependency (bsc#1062279).
- perf: arm: platform: remove cpu hotplug statemachine dependency (bsc#1062279).
- perf: arm: replace irq_get_percpu_devid_partition call (bsc#1062279).
- perf: arm: temporary workaround for build errors (bsc#1062279).
- perf: Convert to using %pOF instead of full_name (bsc#1062279).
- perf/x86: Fix RDPMC vs. mm_struct tracking (bsc#1061831).
- perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs. mm_struct tracking' (bsc#1061831).
- perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver (bsc#1036737).
- perf: xgene: Include module.h (bsc#1036737).
- perf: xgene: Move PMU leaf functions into function pointer structure (bsc#1036737).
- perf: xgene: Parse PMU subnode from the match table (bsc#1036737).
- phy: Do not increment MDIO bus refcount unless it's a different owner (bsc#1049336).
- phy: fix error case of phy_led_triggers_(un)register (bsc#1049336).
- pm / Domains: Fix unsafe iteration over modified list of domains (bsc#1056849).
- powerpc: Fix DAR reporting when alignment handler faults (bnc#1012382).
- powerpc: Fix unused function warning 'lmb_to_memblock' (FATE#322022).
- powerpc/perf: Cleanup of PM_BR_CMPL vs. PM_BRU_CMPL in Power9 event list (bsc#1056686, fate#321438, bsc#1047238, git-fixes 34922527a2bc).
- powerpc/perf: Factor out PPMU_ONLY_COUNT_RUN check code from power8 (fate#321438, bsc#1053043, git-fixes efe881afdd999).
- powerpc/pseries: Add pseries hotplug workqueue (FATE#322022).
- powerpc/pseries: Auto-online hotplugged memory (FATE#322022).
- powerpc/pseries: Check memory device state before onlining/offlining (FATE#322022).
- powerpc/pseries: Correct possible read beyond dlpar sysfs buffer (FATE#322022).
- powerpc/pseries: Do not attempt to acquire drc during memory hot add for assigned lmbs (FATE#322022).
- powerpc/pseries: Fix build break when MEMORY_HOTREMOVE=n (FATE#322022).
- powerpc/pseries: fix memory leak in queue_hotplug_event() error path (FATE#322022).
- powerpc/pseries: Fix parent_dn reference leak in add_dt_node() (bnc#1012382).
- powerpc/pseries: Implement indexed-count hotplug memory add (FATE#322022).
- powerpc/pseries: Implement indexed-count hotplug memory remove (FATE#322022).
- powerpc/pseries: Introduce memory hotplug READD operation (FATE#322022).
- powerpc/pseries: Make the acquire/release of the drc for memory a seperate step (FATE#322022).
- powerpc/pseries: Remove call to memblock_add() (FATE#322022).
- powerpc/pseries: Revert 'Auto-online hotplugged memory' (FATE#322022).
- powerpc/pseries: Update affinity for memory and cpus specified in a PRRN event (FATE#322022).
- powerpc/pseries: Use kernel hotplug queue for PowerVM hotplug events (FATE#322022).
- powerpc/pseries: Use lmb_is_removable() to check removability (FATE#322022).
- powerpc/pseries: Verify CPU does not exist before adding (FATE#322022).
- qeth: add network device features for VLAN devices (bnc#1053472, LTC#157385).
- qlge: avoid memcpy buffer overflow (bnc#1012382).
- r8169: Add support for restarting auto-negotiation (bsc#1050742).
- r8169:Correct the way of setting RTL8168DP ephy (bsc#1050742).
- r8169:fix system hange problem (bsc#1050742).
- r8169:Fix typo in setting RTL8168H PHY parameter (bsc#1050742).
- r8169:Fix typo in setting RTL8168H PHY PFM mode (bsc#1050742).
- r8169:Remove unnecessary phy reset for pcie nic when setting link spped (bsc#1050742).
- r8169:Update the way of reading RTL8168H PHY register 'rg_saw_cnt' (bsc#1050742).
- rda=sRDMA: Fix the composite message user notification (bnc#1012382).
- rdma/bnxt_re: Allocate multiple notification queues (bsc#1037579).
- rdma/bnxt_re: Implement the alloc/get_hw_stats callback (bsc#1037579).
- rdma: Fix return value check for ib_get_eth_speed() (bsc#1056596).
- rdma/qedr: Parse VLAN ID correctly and ignore the value of zero (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- rdma/qedr: Parse vlan priority as sl (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- rds: ib: add error handle (bnc#1012382).
- Remove patch 0407-nvme_fc-change-failure-code-on-remoteport-connectivi.patch (bsc#1037838)
- Remove superfluous hunk in bigmem backport (bsc#1064436).
- Revert 'ceph: SetPageError() for writeback pages if writepages fails' (bsc#1048228).
- Revert 'ipv6: add rcu grace period before freeing fib6_node' (kabi).
- Revert 'ipv6: fix sparse warning on rt6i_node' (kabi).
- Revert 'net: fix percpu memory leaks' (bnc#1012382).
- Revert 'net: phy: Correctly process PHY_HALTED in phy_stop_machine()' (bnc#1012382).
- Revert 'net: use lib/percpu_counter API for fragmentation mem accounting' (bnc#1012382).
- Revert 'Update patches.fixes/xfs-refactor-log-record-unpack-and-data-processing.patch (bsc#1043598, bsc#1036215).' This reverts commit 54e17b011580b532415d2aee5e875c8cf0460df4.
- Revert 'x86/acpi: Enable MADT APIs to return disabled apicids' (bnc#1056230).
- Revert 'x86/acpi: Set persistent cpuid &lt;-&gt; nodeid mapping when booting' (bnc#1056230).
- Revert 'xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).' This reverts commit caf0b124b172568b3e39544cb9abfdaa7fb3d852.
- Revert 'xfs: detect and trim torn writes during log recovery (bsc#1036215).' This reverts commit a7a591776e8628a33f0223ca9a3f46c1e79bd908.
- Revert 'xfs: refactor and open code log record crc check (bsc#1036215).' This reverts commit 6aef5e1fee21246222618f2337c84d6093281561.
- Revert 'xfs: refactor log record start detection into a new helper (bsc#1036215).' This reverts commit a424c875bdc05dcf3bb0d1af740b644773091cf0.
- Revert 'xfs: return start block of first bad log record during recovery (bsc#1036215).' This reverts commit cb0ce8b2f1435d7ac9aaeb5d5709e73946d55bed.
- Revert 'xfs: support a crc verification only log record pass (bsc#1036215).' This reverts commit f5c0c41b1f3626750f1f0d76b6d71fac673854d2.
- Rewrote KVM kABI fix patches for addressing regressions (bsc#1063570)
- rtnetlink: fix rtnl_vfinfo_size (bsc#1056261).
- s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060249, LTC#159112).
- s390/diag: add diag26c support (bnc#1053472, LTC#156729).
- s390: export symbols for crash-kmp (bsc#1053915).
- s390: Include uapi/linux/if_ether.h instead of linux/if_ether.h (bsc#1053472).
- s390/pci: do not cleanup in arch_setup_msi_irqs (bnc#1053472, LTC#157731).
- s390/pci: fix handling of PEC 306 (bnc#1053472, LTC#157731).
- s390/pci: improve error handling during fmb (de)registration (bnc#1053472, LTC#157731).
- s390/pci: improve error handling during interrupt deregistration (bnc#1053472, LTC#157731).
- s390/pci: improve pci hotplug (bnc#1053472, LTC#157731).
- s390/pci: improve unreg_ioat error handling (bnc#1053472, LTC#157731).
- s390/pci: introduce clp_get_state (bnc#1053472, LTC#157731).
- s390/pci: provide more debug information (bnc#1053472, LTC#157731).
- s390/pci: recognize name clashes with uids (bnc#1053472, LTC#157731).
- s390/qdio: avoid reschedule of outbound tasklet once killed (bnc#1060249, LTC#159885).
- s390/qeth: no ETH header for outbound AF_IUCV (bnc#1053472, LTC#156276).
- s390/qeth: size calculation outbound buffers (bnc#1053472, LTC#156276).
- s390/qeth: use diag26c to get MAC address on L2 (bnc#1053472, LTC#156729).
- s390/topology: alternative topology for topology-less machines (bnc#1060249, LTC#159177).
- s390/topology: always use s390 specific sched_domain_topology_level (bnc#1060249, LTC#159177).
- s390/topology: enable / disable topology dynamically (bnc#1060249, LTC#159177).
- sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).
- scsi: csiostor: add check for supported fw version (bsc#1005776).
- scsi: csiostor: add support for Chelsio T6 adapters (bsc#1005776).
- scsi: csiostor: fix use after free in csio_hw_use_fwconfig() (bsc#1005776).
- scsi: csiostor: switch to pci_alloc_irq_vectors (bsc#1005776).
- scsi: csiostor: update module version (bsc#1052093).
- scsi: cxgb4i: assign rxqs in round robin mode (bsc#1052094).
- scsi: fixup kernel warning during rmmod() (bsc#1052360).
- scsi: hisi_sas: add missing break in switch statement (bsc#1056849).
- scsi: ILLEGAL REQUEST + ASC==27 => target failure (bsc#1059465).
- scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).
- scsi: lpfc: Ensure io aborts interlocked with the target (bsc#1056587).
- scsi: megaraid_sas: Check valid aen class range to avoid kernel panic (bnc#1012382).
- scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead (bnc#1012382).
- scsi: qedf: Fix a potential NULL pointer dereference (bsc#1048912).
- scsi: qedf: Limit number of CQs (bsc#1040813).
- scsi: qedi: off by one in qedi_get_cmd_from_tid() (bsc#1004527, FATE#321744).
- scsi: qla2xxx: Fix uninitialized work element (bsc#1019675,FATE#321701).
- scsi: scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add() (bsc#1037890).
- scsi: scsi_transport_fc: set scsi_target_id upon rescan (bsc#1058135).
- scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).
- scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch is originally part of a larger series which can't be easily backported to SLE-12. For a reasoning why we think it's safe to apply, see bsc#1060985, comment 20.
- scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206).
- scsi: sg: do not return bogus Sg_requests (bsc#1064206).
- scsi: sg: factor out sg_fill_request_table() (bnc#1012382).
- scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE (bnc#1012382).
- scsi: sg: off by one in sg_ioctl() (bnc#1012382).
- scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).
- scsi: sg: remove 'save_scat_len' (bnc#1012382).
- scsi: sg: use standard lists for sg_requests (bnc#1012382).
- scsi: storvsc: fix memory leak on ring buffer busy (bnc#1012382).
- scsi_transport_fc: Also check for NOTPRESENT in fc_remote_port_add() (bsc#1037890).
- scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path (bnc#1012382).
- scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records (bnc#1012382).
- scsi: zfcp: fix missing trace records for early returns in TMF eh handlers (bnc#1012382).
- scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA (bnc#1012382).
- scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records (bnc#1012382).
- scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled (bnc#1012382).
- scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response (bnc#1012382).
- scsi: zfcp: trace high part of 'new' 64 bit SCSI LUN (bnc#1012382).
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() (bnc#1012382).
- sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).
- skd: Avoid that module unloading triggers a use-after-free (bnc#1012382).
- skd: Submit requests to firmware before triggering the doorbell (bnc#1012382).
- SMB3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012382).
- SMB: Validate negotiate (to protect against downgrade) even if signing off (bnc#1012382).
- staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack (bnc#1012382).
- stm class: Fix a use-after-free (bnc#1012382).
- supported.conf: clear mistaken external support flag for cifs.ko (bsc#1053802).
- supported.conf: enable dw_mmc-rockchip driver References: bsc#1064064
- swiotlb-xen: implement xen_swiotlb_dma_mmap callback (bnc#1012382).
- sysctl: fix lax sysctl_check_table() sanity check (bsc#1048893).
- sysctl: fold sysctl_writes_strict checks into helper (bsc#1048893).
- sysctl: kdoc'ify sysctl_writes_strict (bsc#1048893).
- sysctl: simplify unsigned int support (bsc#1048893).
- team: call netdev_change_features out of team lock (bsc#1055567).
- team: fix memory leaks (bnc#1012382).
- timer/sysclt: Restrict timer migration sysctl values to 0 and 1 (bnc#1012382).
- tpm: fix: return rc when devm_add_action() fails (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 8e0ee3c9faed).
- tpm: read burstcount from TPM_STS in one 32-bit transaction (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 27084efee0c3).
- tpm_tis_core: Choose appropriate timeout for reading burstcount (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).
- tpm_tis_core: convert max timeouts from msec to jiffies (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes aec04cbdf723).
- tracing: Apply trace_clock changes to instance max buffer (bnc#1012382).
- tracing: Erase irqsoff trace with empty write (bnc#1012382).
- tracing: Fix trace_pipe behavior for instance traces (bnc#1012382).
- ttpci: address stringop overflow warning (bnc#1012382).
- tty: fix __tty_insert_flip_char regression (bnc#1012382).
- tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).
- tty: improve tty_insert_flip_char() fast path (bnc#1012382).
- tty: improve tty_insert_flip_char() slow path (bnc#1012382).
- tty: pl011: fix initialization order of QDF2400 E44 (bsc#1054082).
- tty: serial: msm: Support more bauds (git-fixes).
- ubifs: Correctly evict xattr inodes (bsc#1012829).
- ubifs: Do not leak kernel memory to the MTD (bsc#1012829).
- Update patches.drivers/0029-perf-xgene-Remove-bogus-IS_ERR-check.patch (bsc#1036737).
- Update patches.drivers/tpm-141-fix-RC-value-check-in-tpm2_seal_trusted.patch (bsc#1020645, fate#321435, fate#321507, fate#321600, bsc#1034048, git-fixes 5ca4c20cfd37).
- usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).
- usb: core: fix device node leak (bsc#1047487).
- usb: core: harden cdc_parse_cdc_header (bnc#1012382).
- usb: devio: Do not corrupt user memory (bnc#1012382).
- usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).
- usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).
- usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).
- usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).
- usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).
- usb: gadgetfs: Fix crash caused by inadequate synchronization (bnc#1012382).
- usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write (bnc#1012382).
- usb: gadget: mass_storage: set msg_registered after msg registered (bnc#1012382).
- usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).
- usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).
- usb: Increase quirk delay for USB devices (bnc#1012382).
- usb: pci-quirks.c: Corrected timeout values used in handshake (bnc#1012382).
- usb: plusb: Add support for PL-27A1 (bnc#1012382).
- usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe (bnc#1012382).
- usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction (bnc#1012382).
- usb: serial: mos7720: fix control-message error handling (bnc#1012382).
- usb: serial: mos7840: fix control-message error handling (bnc#1012382).
- usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives (bnc#1012382).
- usb: uas: fix bug in handling of alternate settings (bnc#1012382).
- uwb: ensure that endpoint is interrupt (bnc#1012382).
- uwb: properly check kthread_run return value (bnc#1012382).
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets (bnc#1012382).
- video: fbdev: aty: do not leak uninitialized padding in clk to userspace (bnc#1012382).
- Workaround for kABI compatibility with DP-MST patches (bsc#1055493).
- x86/acpi: Restore the order of CPU IDs (bnc#1056230).
- x86/cpu/amd: Hide unused legacy_fixup_core_id() function (bsc#1060229).
- x86/cpu/amd: Limit cpu_core_id fixup to families older than F17h (bsc#1060229).
- x86/cpu: Remove unused and undefined __generic_processor_info() declaration (bnc#1056230).
- x86 edac, sb_edac.c: Take account of channel hashing when needed (bsc#1061721).
- x86/fpu: Do not let userspace set bogus xcomp_bv (bnc#1012382).
- x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps (bnc#1012382).
- x86/ldt: Fix off by one in get_segment_base() (bsc#1061872).
- x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds() (bsc#1058512).
- x86/mm: Fix fault error path using unsafe vma pointer (fate#321300).
- x86/mm: Fix use-after-free of ldt_struct (bsc#1055963).
- x86/mshyperv: Remove excess #includes from mshyperv.h (fate#320485).
- xfs/dmapi: fix incorrect file->f_path.dentry->d_inode usage (bsc#1055896).
- xfs: fix inobt inode allocation search optimization (bsc#1012829).
- xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).
- xfs: nowait aio support (FATE#321994).
- xfs: remove kmem_zalloc_greedy (bnc#1012382).
- xgene: Always get clk source, but ignore if it's missing for SGMII ports (bsc#1048501).
- xgene: Do not fail probe, if there is no clk resource for SGMII interfaces (bsc#1048501).
- xhci: fix finding correct bus_state structure for USB 3.1 hosts (bnc#1012382).



-----------------------------------------
Patch: SUSE-2017-1772
Released: Wed Oct 25 14:10:42 2017
Summary: Recommended update for logrotate
Severity: low
References: 1057801
Description:
This update for logrotate provides the following fix:

- Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801)


-----------------------------------------
Patch: SUSE-2017-1776
Released: Thu Oct 26 09:44:44 2017
Summary: Security update for tcpdump
Severity: moderate
References: 1047873,1057247,CVE-2017-11108,CVE-2017-11541,CVE-2017-11542,CVE-2017-11543,CVE-2017-12893,CVE-2017-12894,CVE-2017-12895,CVE-2017-12896,CVE-2017-12897,CVE-2017-12898,CVE-2017-12899,CVE-2017-12900,CVE-2017-12901,CVE-2017-12902,CVE-2017-12985,CVE-2017-12986,CVE-2017-12987,CVE-2017-12988,CVE-2017-12989,CVE-2017-12990,CVE-2017-12991,CVE-2017-12992,CVE-2017-12993,CVE-2017-12994,CVE-2017-12995,CVE-2017-12996,CVE-2017-12997,CVE-2017-12998,CVE-2017-12999,CVE-2017-13000,CVE-2017-13001,CVE-2017-13002,CVE-2017-13003,CVE-2017-13004,CVE-2017-13005,CVE-2017-13006,CVE-2017-13007,CVE-2017-13008,CVE-2017-13009,CVE-2017-13010,CVE-2017-13011,CVE-2017-13012,CVE-2017-13013,CVE-2017-13014,CVE-2017-13015,CVE-2017-13016,CVE-2017-13017,CVE-2017-13018,CVE-2017-13019,CVE-2017-13020,CVE-2017-13021,CVE-2017-13022,CVE-2017-13023,CVE-2017-13024,CVE-2017-13025,CVE-2017-13026,CVE-2017-13027,CVE-2017-13028,CVE-2017-13029,CVE-2017-13030,CVE-2017-13031,CVE-2017-13032,CVE-2017-13033,CVE-2017-13034,CVE-2017-13035,CVE-2017-13036,CVE-2017-13037,CVE-2017-13038,CVE-2017-13039,CVE-2017-13040,CVE-2017-13041,CVE-2017-13042,CVE-2017-13043,CVE-2017-13044,CVE-2017-13045,CVE-2017-13046,CVE-2017-13047,CVE-2017-13048,CVE-2017-13049,CVE-2017-13050,CVE-2017-13051,CVE-2017-13052,CVE-2017-13053,CVE-2017-13054,CVE-2017-13055,CVE-2017-13687,CVE-2017-13688,CVE-2017-13689,CVE-2017-13690,CVE-2017-13725
Description:
This update for tcpdump to version 4.9.2 fixes several issues.

These security issues were fixed:

- CVE-2017-11108: Prevent remote attackers to cause DoS (heap-based buffer over-read and application crash) via crafted packet data. The crash occured in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol (bsc#1047873, bsc#1057247).
- CVE-2017-11543: Prevent buffer overflow in the sliplink_print function in print-sl.c that allowed remote DoS (bsc#1057247).
- CVE-2017-13011: Prevent buffer overflow in bittok2str_internal() that allowed remote DoS (bsc#1057247)
- CVE-2017-12989: Prevent infinite loop in the RESP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12990: Prevent infinite loop in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12995: Prevent infinite loop in the DNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12997: Prevent infinite loop in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-11541: Prevent heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c that allowed remote DoS (bsc#1057247).
- CVE-2017-11542: Prevent heap-based buffer over-read in the pimv1_print function in print-pim.c that allowed remote DoS (bsc#1057247).
- CVE-2017-12893: Prevent buffer over-read in the SMB/CIFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12894: Prevent buffer over-read in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12895: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12896: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12897: Prevent buffer over-read in the ISO CLNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12898: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12899: Prevent buffer over-read in the DECnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12900: Prevent buffer over-read in the in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12901: Prevent buffer over-read in the EIGRP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12902: Prevent buffer over-read in the Zephyr parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12985: Prevent buffer over-read in the IPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12986: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12987: Prevent buffer over-read in the 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12988: Prevent buffer over-read in the telnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12991: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12992: Prevent buffer over-read in the RIPng parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12993: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12994: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12996: Prevent buffer over-read in the PIMv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12998: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12999: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13000: Prevent buffer over-read in the IEEE 802.15.4 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13001: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13002: Prevent buffer over-read in the AODV parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13003: Prevent buffer over-read in the LMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13004: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13005: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13006: Prevent buffer over-read in the L2TP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13007: Prevent buffer over-read in the Apple PKTAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13008: Prevent buffer over-read in the IEEE 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13009: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13010: Prevent buffer over-read in the BEEP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13012: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13013: Prevent buffer over-read in the ARP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13014: Prevent buffer over-read in the White Board protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13015: Prevent buffer over-read in the EAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13016: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13017: Prevent buffer over-read in the DHCPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13018: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13019: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13020: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13021: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13022: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13023: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13024: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13025: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13026: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13027: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13028: Prevent buffer over-read in the BOOTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13029: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13030: Prevent buffer over-read in the PIM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13031: Prevent buffer over-read in the IPv6 fragmentation header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13032: Prevent buffer over-read in the RADIUS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13033: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13034: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13035: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13036: Prevent buffer over-read in the OSPFv3 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13037: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13038: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13039: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13040: Prevent buffer over-read in the MPTCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13041: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13042: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13043: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13044: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13045: Prevent buffer over-read in the VQP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13046: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13047: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13048: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13049: Prevent buffer over-read in the Rx protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13050: Prevent buffer over-read in the RPKI-Router parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13051: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13052: Prevent buffer over-read in the CFM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13053: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13054: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13055: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13687: Prevent buffer over-read in the Cisco HDLC parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13688: Prevent buffer over-read in the OLSR parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13689: Prevent buffer over-read in the IKEv1 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13690: Prevent buffer over-read in the IKEv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13725: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- Prevent segmentation fault in ESP decoder with OpenSSL 1.1 (bsc#1057247)


-----------------------------------------
Patch: SUSE-2017-1796
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Severity: moderate
References: 1058722
Description:


This update for pcre fixes the following issues:

- Fixed the pcre stack frame size detection because modern compilers
  break it due to cloning and inlining pcre match() function (bsc#1058722)


-----------------------------------------
Patch: SUSE-2017-1797
Released: Sat Oct 28 12:06:19 2017
Summary: Recommended update for permissions
Severity: moderate
References: 1028304,1048645,1060738
Description:
This update for permissions fixes the following issues:

- Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)


-----------------------------------------
Patch: SUSE-2017-1802
Released: Tue Oct 31 12:05:17 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1822
Released: Mon Nov  6 17:19:11 2017
Summary: Security update for SuSEfirewall2
Severity: moderate
References: 1064127,CVE-2017-15638
Description:
This update for SuSEfirewall2 fixes the following issues:

- CVE-2017-15638: Fixed security issue with too open implicit portmapper rules
  (bsc#1064127): A source net restriction for _rpc_ services
  was not taken into account for the implicitly added rules for port 111,
  making the portmap service accessible to everyone in the affected zone when
  the 'rpc' matching was used.


-----------------------------------------
Patch: SUSE-2017-1824
Released: Tue Nov  7 20:04:35 2017
Summary: Recommended update for release-notes-sles
Severity: low
References: 1040813,1064422
Description:

The Release Notes of SUSE Linux Enterprise 12 SP3 have been updated to document:

- KVM Now Supports up to 288 vCPUs (fate#321335)
- Support for KVM (fate#321734)
- Automatic Log Rotation Will Be Disabled After Upgrade (fate#322037)
- OFED-related Packages Replaced by Packages From New Upstream (fate#322112)
- FCoE Storage Does Not Work with Cavium or QLogic Storage Controllers with FCoE Offload (fate#323796, bsc#1040813)


-----------------------------------------
Patch: SUSE-2017-1826
Released: Wed Nov  8 08:47:17 2017
Summary: Security update for krb5
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:

Security issues fixed:

- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)


-----------------------------------------
Patch: SUSE-2017-1829
Released: Wed Nov  8 08:50:00 2017
Summary: Security update for shadow
Severity: moderate
References: 1023895,1052261,980486,CVE-2017-12424
Description:
This update for shadow fixes several issues.

This security issue was fixed:

- CVE-2017-12424: The newusers tool could have been forced to manipulate
  internal data structures in ways unintended by the authors. Malformed input may
  have lead to crashes (with a buffer overflow or other memory corruption) or
  other unspecified behaviors (bsc#1052261).

These non-security issues were fixed:

- bsc#1023895: Fixed man page to not contain invalid options and also prevent
  warnings when using these options in certain settings
- bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2


-----------------------------------------
Patch: SUSE-2017-1794
Released: Thu Nov 16 11:17:40 2017
Summary: Security update for wget
Severity: important
References: 1064715,1064716,CVE-2017-13089,CVE-2017-13090
Description:


This update for wget fixes the following security issues:

- CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could
  cause stack buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716)


-----------------------------------------
Patch: SUSE-2017-1877
Released: Wed Nov 22 11:42:11 2017
Summary: Recommended update for cpupower
Severity: low
References: 1048546
Description:
This update for cpupower provides the following fix:

- Decode MSR_IA32_MISC_ENABLE only on Intel machines to prevent turbostat errors on AMD
  Opteron boxes. (bsc#1048546)


-----------------------------------------
Patch: SUSE-2017-1879
Released: Wed Nov 22 11:45:35 2017
Summary: Recommended update for yast2-network
Severity: moderate
References: 1037727,1039656,1047615,1047929,1052042,1054400,1054933,1056633,1058396,1067172
Description:
This update for yast2-network fixes the following issues:

- AutoYaST: Do not display a warning about disabled second stage when the hostname setting
  is read out of profile. (bsc#1054400)
- Do not clear /etc/hosts when installing virtual host. (bsc#1039656)
- Fix device name recognition during AutoYaST installation. (bsc#1037727)
- Fix crash during write if Host.Read and Host.Import are called together. (bsc#1047929)
- Fix a crash when /etc/hosts does not exist. (bsc#1047615)
- When installing via autoyast, do not blank out /etc/hosts when no host section is
  defined. (bsc#1058396)
- If there is a global DHCLIENT_SET_HOSTNAME option set, use it to determine whether the
  hostname should be set by DHCP, use the control file default otherwise. (bsc#1054933)
- Do not override the hostname configuration in /etc/sysconfig/network/dhcp with the
  default defined in the control file if the user has disabled the option. (bsc#1056633)
- Properly update canonical name and aliases in /etc/hosts when FQDN is provided as a
  hostname. (bsc#1052042)


-----------------------------------------
Patch: SUSE-2017-1881
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:


The GNU file utility was updated to version 5.22.

Security issues fixed:

- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22

* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21

* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current
  locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20

* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:

* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)



-----------------------------------------
Patch: SUSE-2017-1882
Released: Wed Nov 22 16:58:12 2017
Summary: Recommended update for timezone
Severity: low
References: 1064571
Description:
This update provides the latest timezone information (2017c) for your system, including following changes:

- Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
- Fiji ends DST 2018-01-14, not 2018-01-21
- Namibia switches from +01/+02 to +02 on 2018-04-01
- Sudan switches from +03 to +02 on 2017-11-01
- Tonga likely switches from +13/+14 to +13 on 2017-11-05
- Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
- Corrections to past DST transitions
- Move oversized Canada/East-Saskatchewan to 'backward' file
- zic(8) and the reference runtime now reject multiple leap seconds within 28 days
  of each other, or leap seconds before the Epoch.


-----------------------------------------
Patch: SUSE-2017-1884
Released: Wed Nov 22 17:15:41 2017
Summary: Security update for xorg-x11-server
Severity: moderate
References: 1022727,1051150,1052984,1061107,1063034,1063035,1063037,1063038,1063039,1063040,1063041,CVE-2017-12176,CVE-2017-12177,CVE-2017-12178,CVE-2017-12179,CVE-2017-12180,CVE-2017-12181,CVE-2017-12182,CVE-2017-12183,CVE-2017-12184,CVE-2017-12185,CVE-2017-12186,CVE-2017-12187,CVE-2017-13721,CVE-2017-13723
Description:


This update for xorg-x11-server fixes several issues.

These security issues were fixed:

- CVE-2017-13721: Missing validation of shmseg resource id in Xext/XShm
  could lead to shared memory segments of other users beeing freed
  (bnc#1052984)
- CVE-2017-13723: A local denial of service via unusual characters in XkbAtomText and XkbStringText was fixed (bnc#1051150)
- CVE-2017-12184,CVE-2017-12185,CVE-2017-12186,CVE-2017-12187: Fixed
  unvalidated lengths in multiple extensions (bsc#1063034)
- CVE-2017-12183: Fixed some unvalidated lengths in the XFIXES
  extension. (bsc#1063035)
- CVE-2017-12180,CVE-2017-12181,CVE-2017-12182: Fixed various unvalidated
  lengths in the XFree86-VidMode/XFree86-DGA/XFree86-DRI extensions
  (bsc#1063037)
- CVE-2017-12179: Fixed an integer overflow and unvalidated length in
  (S)ProcXIBarrierReleasePointer in Xi (bsc#1063038)
- CVE-2017-12178: Fixed a wrong extra length check in
  ProcXIChangeHierarchy in Xi (bsc#1063039)
- CVE-2017-12177: Fixed an unvalidated variable-length request in
  ProcDbeGetVisualInfo (bsc#1063040)
- CVE-2017-12176: Fixed an unvalidated extra length in
  ProcEstablishConnection (bsc#1063041)


These non-security issues were fixed:

- Make colormap/gamma glue code work with the RandR extension disabled. This prevents it
  from crashing and showing wrong colors. (bsc#1061107)
- Recognize ssh as a remote client to fix launching applications remotely when using DRI3.
  (bsc#1022727)


-----------------------------------------
Patch: SUSE-2017-1890
Released: Thu Nov 23 17:25:06 2017
Summary: Recommended update for lifecycle-data-sle-module-legacy
Severity: low
References: 1067849
Description:
This update drops the End of Life date of the Legacy Module from the lifecycle-data package.
The date is already documented in the release-package of the module.

-----------------------------------------
Patch: SUSE-2017-1891
Released: Thu Nov 23 17:25:38 2017
Summary: Recommended update for sle-module-public-cloud-release
Severity: moderate
References: 1067849
Description:
The Containers was erroneous reported End of Life.

This update corrects the Lifetime to Oct. 31st 2024.

-----------------------------------------
Patch: SUSE-2017-1892
Released: Thu Nov 23 17:26:11 2017
Summary: Recommended update for sle-module-adv-systems-management-release
Severity: moderate
References: 1067849
Description:
The Advanced Systems Management module was erroneous reported End of Life.

This update corrects the Lifetime to Oct. 31st 2024.

-----------------------------------------
Patch: SUSE-2017-1893
Released: Thu Nov 23 17:26:47 2017
Summary: Recommended update for sle-module-web-scripting-release
Severity: moderate
References: 1067849
Description:
The Web and Scripting module was erroneous reported End of Life.

This update corrects the Lifetime to Oct. 31st 2024.

Additionally, the End of Life date of the Web and Scripting Module has been dropped from the lifecycle-data package.
The date is already documented in the release-package of the module.


-----------------------------------------
Patch: SUSE-2017-1897
Released: Fri Nov 24 13:29:19 2017
Summary: Recommended update for crash
Severity: moderate
References: 1053915
Description:

This update provides the crash KMP rebuilt against the latest kernel update released for
SUSE Linux Enterprise Server 12 SP3. This fixes an unresolvable symbol issue that made
the module unloadable on the s390x architecture.


-----------------------------------------
Patch: SUSE-2017-1898
Released: Fri Nov 24 13:35:19 2017
Summary: Recommended update for sle-module-containers-release
Severity: low
References: 1067849
Description:
This update corrects the End of Life date for the Containers module.

The correct date is June 30th 2019.

-----------------------------------------
Patch: SUSE-2017-1903
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
  (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive
  modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information
  or cause a denial of service (application crash) via a crafted regular expression with an invalid
  '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module
  before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving
  directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround


-----------------------------------------
Patch: SUSE-2017-1916
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:

- Fix a regression in a previous update which caused libgcrypt to leak file descriptors
  causing failures when starting rtkit-daemon. (bsc#1059723)


-----------------------------------------
Patch: SUSE-2017-1917
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Severity: low
References: 1056437,1062591,1062592
Description:

The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:

- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for
  specific NVIDIA Card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived
libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new
warnings added and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened:

	https://gcc.gnu.org/gcc-7/changes.html


-----------------------------------------
Patch: SUSE-2017-1963
Released: Thu Nov 30 08:24:45 2017
Summary: Security update for samba
Severity: moderate
References: 1058565,1058622,1058624,1060427,1063008,1065066,CVE-2017-12150,CVE-2017-12151,CVE-2017-12163,CVE-2017-14746,CVE-2017-15275
Description:
This update for samba fixes the following issues:

Security issues fixed:

- CVE-2017-14746: Use-after-free vulnerability (bsc#1060427).
- CVE-2017-15275: Server heap memory information leak (bsc#1063008).
- CVE-2017-12163: Prevent client short SMB1 write from writing server memory to file (bsc#1058624).
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects (bsc#1058565).
- CVE-2017-12150: Some code path don't enforce smb signing when they should (bsc#1058565).

Bug fixes:
- Samba was updated to 4.6.9 (bsc#1065066) see release notes for details.
  * https://www.samba.org/samba/history/samba-4.6.9.html


-----------------------------------------
Patch: SUSE-2017-1965
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libsolv:

- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.

libzypp:

- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.

zypper:

- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly
  used by rolling distributions like openSUSE Tumbleweed to remind their users to use
  'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands supporting to set only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands.
  (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Differ between unsupported and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only
  if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)


-----------------------------------------
Patch: SUSE-2017-1966
Released: Thu Nov 30 13:45:24 2017
Summary: Recommended update for systemd
Severity: moderate
References: 1004995,1035386,1039099,1040800,1045472,1048605,1050152,1053137,1053595,1055641,1063249
Description:
This update for systemd fixes the following issues:

- unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too.
  (bsc#1048605, bsc#1004995)
- compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users
  that have broken symlinks. (bsc#1063249)
- compat-rules: Allow to specify the generation number through the kernel command line.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- tmpfiles: Remove old ICE and X11 sockets at boot.
- tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
- pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
- shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
- shutdown: Fix incorrect fscanf() result check.
- shutdown: Don't remount,ro network filesystems. (bsc#1035386)
- shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
- bash-completion: Add support for --now. (bsc#1053137)
- Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing
  to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
- Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)


-----------------------------------------
Patch: SUSE-2017-1968
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:

- Fix df(1) to no longer interact with excluded file system types, so for example
  specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example no
  longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)


-----------------------------------------
Patch: SUSE-2017-1969
Released: Thu Nov 30 19:50:53 2017
Summary: Recommended update for libtool
Severity: low
References: 1056381
Description:
This update for libtool provides the following fix:

- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries
  are properly installed. (bsc#1056381)


-----------------------------------------
Patch: SUSE-2017-1970
Released: Thu Nov 30 22:55:41 2017
Summary: Security update for openssl
Severity: moderate
References: 1055825,1056058,1065363,1066242,CVE-2017-3735,CVE-2017-3736
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)
- CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
- Out of bounds read+crash in DES_fcrypt (bsc#1065363)
- openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)


-----------------------------------------
Patch: SUSE-2017-1971
Released: Thu Nov 30 22:58:14 2017
Summary: Security update for binutils
Severity: moderate
References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239,CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Description:


GNU binutil was updated to the 2.29.1 release, bringing various new features, fixing a lot of bugs and security issues.

Following security issues are being addressed by this release:

  * 18750 bsc#1030296 CVE-2014-9939
  * 20891 bsc#1030585 CVE-2017-7225
  * 20892 bsc#1030588 CVE-2017-7224
  * 20898 bsc#1030589 CVE-2017-7223
  * 20905 bsc#1030584 CVE-2017-7226
  * 20908 bsc#1031644 CVE-2017-7299
  * 20909 bsc#1031656 CVE-2017-7300
  * 20921 bsc#1031595 CVE-2017-7302
  * 20922 bsc#1031593 CVE-2017-7303
  * 20924 bsc#1031638 CVE-2017-7301
  * 20931 bsc#1031590 CVE-2017-7304
  * 21135 bsc#1030298 CVE-2017-7209 
  * 21137 bsc#1029909 CVE-2017-6965
  * 21139 bsc#1029908 CVE-2017-6966
  * 21156 bsc#1029907 CVE-2017-6969
  * 21157 bsc#1030297 CVE-2017-7210
  * 21409 bsc#1037052 CVE-2017-8392
  * 21412 bsc#1037057 CVE-2017-8393
  * 21414 bsc#1037061 CVE-2017-8394
  * 21432 bsc#1037066 CVE-2017-8396
  * 21440 bsc#1037273 CVE-2017-8421
  * 21580 bsc#1044891 CVE-2017-9746
  * 21581 bsc#1044897 CVE-2017-9747
  * 21582 bsc#1044901 CVE-2017-9748
  * 21587 bsc#1044909 CVE-2017-9750
  * 21594 bsc#1044925 CVE-2017-9755
  * 21595 bsc#1044927 CVE-2017-9756
  * 21787 bsc#1052518 CVE-2017-12448
  * 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
  * 21933 bsc#1053347 CVE-2017-12799
  * 21990 bsc#1058480 CVE-2017-14333
  * 22018 bsc#1056312 CVE-2017-13757
  * 22047 bsc#1057144 CVE-2017-14129
  * 22058 bsc#1057149 CVE-2017-14130
  * 22059 bsc#1057139 CVE-2017-14128
  * 22113 bsc#1059050 CVE-2017-14529
  * 22148 bsc#1060599 CVE-2017-14745
  * 22163 bsc#1061241 CVE-2017-14974
  * 22170 bsc#1060621 CVE-2017-14729

Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:

  * The MIPS port now supports microMIPS eXtended Physical Addressing (XPA)
    instructions for assembly and disassembly.
  * The MIPS port now supports the microMIPS Release 5 ISA for assembly and
    disassembly.
  * The MIPS port now supports the Imagination interAptiv MR2 processor,
    which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple
    of implementation-specific regular MIPS and MIPS16e2 ASE instructions.
  * The SPARC port now supports the SPARC M8 processor, which implements the
    Oracle SPARC Architecture 2017.
  * The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for the wasm32 ELF conversion of the WebAssembly file format.
  * Add --inlines option to objdump, which extends the --line-numbers option
    so that inlined functions will display their nesting information.
  * Add --merge-notes options to objcopy to reduce the size of notes in
    a binary file by merging and deleting redundant notes.
  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.

- GAS specific:

  * Add support for ELF SHF_GNU_MBIND.
  * Add support for the WebAssembly file format and wasm32 ELF conversion.
  * PowerPC gas now checks that the correct register class is used in
    instructions.  For instance, 'addi %f4,%cr3,%r31' warns three times
    that the registers are invalid.
  * Add support for the Texas Instruments PRU processor.
  * Support for the ARMv8-R architecture and Cortex-R52 processor has been
    added to the ARM port.

- GNU ld specific:

  * Support for -z shstk in the x86 ELF linker to generate
    GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program
    properties in the x86 ELF linker.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties in the x86 ELF linker.
  * Support for -z ibtplt in the x86 ELF linker to generate IBT-enabled
    PLT.
  * Support for -z ibt in the x86 ELF linker to generate IBT-enabled
    PLT as well as GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for ELF GNU program properties.
  * Add support for the Texas Instruments PRU processor.
  * When configuring for arc*-*-linux* targets the default linker emulation will
    change if --with-cpu=nps400 is used at configure time.
  * Improve assignment of LMAs to orphan sections in some edge cases where a
    mixture of both AT>LMA_REGION and AT(LMA) are used.
  * Orphan sections placed after an empty section that has an AT(LMA) will now
    take an load memory address starting from LMA.
  * Section groups can now be resolved (the group deleted and the group members
    placed like normal sections) at partial link time either using the new
    linker option --force-group-allocation or by placing FORCE_GROUP_ALLOCATION
    into the linker script.

- Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
- Prepare riscv32 target (gh#riscv/riscv-newlib#8)
- Make compressed debug section handling explicit, disable for
  old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove empty rpath component removal optimization from to workaround
  CMake rpath handling.  [bsc#1025282]


  Minor security bugs fixed:
  PR 21147, PR 21148, PR 21149, PR 21150, PR 21151, PR 21155, PR 21158, PR 21159

- Update to binutils 2.28.

  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.
  * This version of binutils fixes a problem with PowerPC VLE 16A and 16D
    relocations which were functionally swapped, for example,
    R_PPC_VLE_HA16A performed like R_PPC_VLE_HA16D while R_PPC_VLE_HA16D
    performed like R_PPC_VLE_HA16A.  This could have been fixed by
    renumbering relocations, which would keep object files created by an
    older version of gas compatible with a newer ld.  However, that would
    require an ABI update, affecting other assemblers and linkers that
    create and process the relocations correctly.  It is recommended that
    all VLE object files be recompiled, but ld can modify the relocations
    if --vle-reloc-fixup is passed to ld.  If the new ld command line
    option is not used, ld will ld warn on finding relocations inconsistent
    with the instructions being relocated.
  * The nm program has a new command line option (--with-version-strings)
    which will display a symbol's version information, if any, after the
    symbol's name.
  * The ARC port of objdump now accepts a -M option to specify the extra
    instruction class(es) that should be disassembled.
  * The --remove-section option for objcopy and strip now accepts section
    patterns starting with an exclamation point to indicate a non-matching
    section.  A non-matching section is removed from the set of sections
    matched by an earlier --remove-section pattern.
  * The --only-section option for objcopy now accepts section patterns
    starting with an exclamation point to indicate a non-matching section.
    A non-matching section is removed from the set of sections matched by
    an earlier --only-section pattern.
  * New --remove-relocations=SECTIONPATTERN option for objcopy and strip.
    This option can be used to remove sections containing relocations.
    The SECTIONPATTERN is the section to which the relocations apply, not
    the relocation section itself.

- GAS specific:

  * Add support for the RISC-V architecture.
  * Add support for the ARM Cortex-M23 and Cortex-M33 processors.

- GNU ld specific:

  * The EXCLUDE_FILE linker script construct can now be applied outside of the
    section list in order for the exclusions to apply over all input sections
    in the list.
  * Add support for the RISC-V architecture.
  * The command line option --no-eh-frame-hdr can now be used in ELF based
    linkers to disable the automatic generation of .eh_frame_hdr sections.
  * Add --in-implib=<infile> to the ARM linker to enable specifying a set of
    Secure Gateway veneers that must exist in the output import library
    specified by --out-implib=<outfile> and the address they must have.
    As such, --in-implib is only supported in combination with --cmse-implib.
  * Extended the --out-implib=<file> option, previously restricted to x86 PE
    targets, to any ELF based target.  This allows the generation of an import
    library for an ELF executable, which can then be used by another application
    to link against the executable.

- GOLD specific:

  * Add -z bndplt option (x86-64 only) to support Intel MPX.
  * Add --orphan-handling option.
  * Add --stub-group-multi option (PowerPC only).
  * Add --target1-rel, --target1-abs, --target2 options (Arm only).
  * Add -z stack-size option.
  * Add --be8 option (Arm only).
  * Add HIDDEN support in linker scripts.
  * Add SORT_BY_INIT_PRIORITY support in linker scripts.

- Other fixes:

  * Fix section alignment on .gnu_debuglink. [bso#21193]
  * Add s390x to gold_archs.
  * Fix alignment frags for aarch64 (bsc#1003846)
  * Call ldconfig for libbfd
  * Fix an assembler problem with clang on ARM.
  * Restore monotonically increasing section offsets.


- Update to binutils 2.27.

  * Add a configure option, --enable-64-bit-archive, to force use of a
    64-bit format when creating an archive symbol index.
  * Add --elf-stt-common= option to objcopy for ELF targets to control
    whether to convert common symbols to the STT_COMMON type.

- GAS specific:

  * Default to --enable-compressed-debug-sections=gas for Linux/x86 targets.
  * Add --no-pad-sections to stop the assembler from padding the end of output
    sections up to their alignment boundary.
  * Support for the ARMv8-M architecture has been added to the ARM port.
    Support for the ARMv8-M Security and DSP Extensions has also been added
    to the ARM port.
  * ARC backend accepts .extInstruction, .extCondCode, .extAuxRegister, and
    .extCoreRegister pseudo-ops that allow an user to define custom
    instructions, conditional codes, auxiliary and core registers.
  * Add a configure option --enable-elf-stt-common to decide whether ELF
    assembler should generate common symbols with the STT_COMMON type by
    default.  Default to no.
  * New command line option --elf-stt-common= for ELF targets to control
    whether to generate common symbols with the STT_COMMON type.
  * Add ability to set section flags and types via numeric values for ELF
    based targets.
  * Add a configure option --enable-x86-relax-relocations to decide whether
    x86 assembler should generate relax relocations by default.  Default to
    yes, except for x86 Solaris targets older than Solaris 12.
  * New command line option -mrelax-relocations= for x86 target to control
    whether to generate relax relocations.
  * New command line option -mfence-as-lock-add=yes for x86 target to encode
    lfence, mfence and sfence as 'lock addl $0x0, (%[re]sp)'.
  * Add assembly-time relaxation option for ARC cpus.
  * Add --with-cpu=TYPE configure option for ARC gas.  This allows the default
    cpu type to be adjusted at configure time.

- GOLD specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled by default.  Default to yes.
  * Add support for s390, MIPS, AArch64, and TILE-Gx architectures.
  * Add support for STT_GNU_IFUNC symbols.
  * Add support for incremental linking (--incremental).

- GNU ld specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled in ELF linker by default.  Default to yes for all Linux
    targets except FRV, HPPA, IA64 and MIPS.
  * Support for -z noreloc-overflow in the x86-64 ELF linker to disable
    relocation overflow check.
  * Add -z common/-z nocommon options for ELF targets to control whether to
    convert common symbols to the STT_COMMON type during a relocatable link.
  * Support for -z nodynamic-undefined-weak in the x86 ELF linker, which
    avoids dynamic relocations against undefined weak symbols in executable.
  * The NOCROSSREFSTO command was added to the linker script language.
  * Add --no-apply-dynamic-relocs to the AArch64 linker to do not apply
    link-time values for dynamic relocations.



-----------------------------------------
Patch: SUSE-2017-1974
Released: Fri Dec  1 11:30:25 2017
Summary: Recommended update for zip
Severity: low
References: 1068346
Description:

This update for zip provides the following fix:

- Fix memory leaks when appending files (bsc#1068346)


-----------------------------------------
Patch: SUSE-2017-1991
Released: Fri Dec  1 16:59:20 2017
Summary: Recommended update for release-notes-sles
Severity: low
References: 1040813,1050940,1055590,1058232,1059136,1064279,1067244,1069585,1070336
Description:
The Release Notes of SUSE Linux Enterprise Server 12 SP3 have been updated to document:

- Corrected and extended file systems comparison table (bsc#1064279)
- Support for sparse files on OCFS2; note on thread limit (bsc#1050940)
- Nagios Monitoring Server Has Been Removed (fate#316136, bsc#1058232)
- Direct Access to Files in Non-Volatile DIMMs (fate#319691, bsc#1069585)
- Compatibility of Newly Created XFS File Systems With SLE 11 (fate#324448, bsc#1059136)
- Icinga Monitoring Server Shipped as Part of SUSE Manager (fate#324454, bsc#1058232)
- blogd Boot Log Daemon Available as an Alternative to Plymouth (fate#320593)
- Support for New Hardware Instructions in Toolchain (fate#321496)
- Supported Offline Migration Scenarios (fate#322404)
- NVDIMM: Support for Device DAX (Direct Access) (fate#321135, bsc#1067244)
- FCoE Storage Does Not Work with Cavium or QLogic Storage Controllers with FCoE Offload (fate#323796, bsc#1040813, bsc#1055590).


-----------------------------------------
Patch: SUSE-2017-2000
Released: Tue Dec  5 17:38:55 2017
Summary: Security update for libXcursor
Severity: moderate
References: 1065386,CVE-2017-16612
Description:
This update for libXcursor fixes the following issues:

Security issue fixed:

- CVE-2017-16612: Fix integeroverflow while parsing images and a signedness issue while parsing comments (bsc#1065386).


-----------------------------------------
Patch: SUSE-2017-2006
Released: Wed Dec  6 15:22:49 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1069496,1069702,1070805,CVE-2017-1000405,CVE-2017-16939
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496).
- CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).

The following non-security bugs were fixed:

Fix a build issue on ppc64le systems (bsc#1070805)



-----------------------------------------
Patch: SUSE-2017-2009
Released: Thu Dec  7 13:21:49 2017
Summary: Security update for openssh
Severity: moderate
References: 1006166,1048367,1065000,1068310,1069509,CVE-2008-1483,CVE-2017-15906
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000).

Bug fixes:

- FIPS: Startup selfchecks (bsc#1068310).
- FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166).
- Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509).
- Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367)


-----------------------------------------
Patch: SUSE-2017-2018
Released: Thu Dec  7 15:33:17 2017
Summary: Security update for java-1_6_0-ibm
Severity: important
References: 1070162,CVE-2016-9841,CVE-2017-10281,CVE-2017-10285,CVE-2017-10293,CVE-2017-10295,CVE-2017-10345,CVE-2017-10346,CVE-2017-10347,CVE-2017-10348,CVE-2017-10349,CVE-2017-10350,CVE-2017-10355,CVE-2017-10356,CVE-2017-10357,CVE-2017-10388
Description:
This update for java-1_6_0-ibm fixes the following issues:

Security issues fixed:

- Security update to version 6.0.16.50 (bsc#1070162)
  * CVE-2017-10346 CVE-2017-10285 CVE-2017-10388 CVE-2017-10356
    CVE-2017-10293 CVE-2016-9841  CVE-2017-10355 CVE-2017-10357
    CVE-2017-10348 CVE-2017-10349 CVE-2017-10347 CVE-2017-10350
    CVE-2017-10281 CVE-2017-10295 CVE-2017-10345


-----------------------------------------
Patch: SUSE-2017-2021
Released: Fri Dec  8 10:11:04 2017
Summary: Recommended update for file
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.

-----------------------------------------
Patch: SUSE-2017-2022
Released: Fri Dec  8 12:26:48 2017
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 1032261,1034941,1065363
Description:
This update for compat-openssl098 fixes the following issues:

Bugs fixed:

- Backport the alternative SSL root CA chain lookup patches (bsc#1032261)
- Fixed a crash in DES_fcrypt (bsc#1065363)
- backported the DEFAULT_SUSE cipher list alias (bsc#1034941)


-----------------------------------------
Patch: SUSE-2017-2026
Released: Fri Dec  8 13:03:27 2017
Summary: Recommended update for google-compute-engine
Severity: low
References: 1064356,1065308,1070895,1070918
Description:

This update for google-compute-engine provides the following fixes:

- Add apt configuration to prevent auto-removal of Google packages.
- Rename set_hostname to prevent naming conflicts.
- Remove logging when checking OS Login status.
- Support the enable-oslogin metadata key for activating OS Login when appropriate.
- Improve packaging to restart services.  
- OS Login is available in Beta.
- Add status option to the OS Login control file.
- Fix system hang during VM shutdown.
- JSON parser accepts string types for int64 values.
- JSON parser casts uid and gid to unsigned integers.
- Remove fstab barrier options in EL 7.  
- Use curl to download metadata script files for SSL certificate validation.
- Use netifaces for retrieving MAC address names if the import exists.
- Ship the udevrules with the -init package only
- Generate SSH host keys when none are present.
- Improve logging when activating OS Login.
- Fix parsing logic for expiration time on SSH public keys.
- Fix home directory creation PAM config.
- oslogin feature is now enabled by the initialization code when appropriate.


-----------------------------------------
Patch: SUSE-2017-2031
Released: Mon Dec 11 12:55:57 2017
Summary: Recommended update for gzip
Severity: low
References: 1067891
Description:

This update for gzip provides the following fix:

- Fix mishandling of leading zeros in the end-of-block code (bsc#1067891)


-----------------------------------------
Patch: SUSE-2017-2036
Released: Wed Dec 13 16:34:21 2017
Summary: Recommended update for util-linux
Severity: low
References: 1039276,1040968,1055446,1066500
Description:
This update for util-linux provides the following fixes:

- Allow unmounting of filesystems without calling stat() on the mount point, when '-c' is used.
  (bsc#1040968)
- Fix an infinite loop, a crash and report the correct minimum and maximum frequencies in
  lscpu for some processors. (bsc#1055446)
- Fix a lscpu failure on Sydney Amazon EC2 region. (bsc#1066500)
- If multiple subvolumes are mounted, report the default subvolume. (bsc#1039276)


-----------------------------------------
Patch: SUSE-2017-2039
Released: Wed Dec 13 17:10:24 2017
Summary: Security update for libapr-util1
Severity: moderate
References: 1064990,CVE-2017-12618
Description:
This update for libapr-util1 fixes the following issues:

Security issue fixed:

- CVE-2017-12618: DoS via crafted SDBM database files in apr_sdbm*() functions (bsc#1064990)


-----------------------------------------
Patch: SUSE-2017-2042
Released: Wed Dec 13 20:09:44 2017
Summary: Recommended update for libXext
Severity: low
References: 1067406
Description:
This update for libXext provides the following fix:

- Remove warning messages about missing Xge extension when translating events in a mixed
  Xlib/xcb scenario, causing the ~/.xsession-errors file to be massively filled. (bsc#1067406)


-----------------------------------------
Patch: SUSE-2017-2044
Released: Thu Dec 14 09:54:35 2017
Summary: Recommended update for psmisc
Severity: low
References: 908068
Description:
This update for psmisc provides the following fixes:

- Use mountinfo to distinguish different mounts with same device number as it happens with NFS shares. (bsc#908068)
- Smaller cleanup as support of chroot environments and older systems.
- Add support for name_to_handle_at() system call to get the real mount ID for each file.
- Run even on older kernels missing mnt_id tag in fdinfo.


-----------------------------------------
Patch: SUSE-2017-2088
Released: Fri Dec 15 14:10:31 2017
Summary: Recommended update for hwinfo
Severity: low
References: 1041090,1047218,1051076,1062562
Description:

This update for hwinfo fixes the following issues:

- Support SMBIOS 3.0 spec (bsc#1062562)
- Ensure /var/lib/hardware/udi exists and with 755 permissions
- Sort input files (bsc#1041090)
- Allow to override current time (bsc#1047218)
- Really set default timeout to 20s for Video BIOS emulation calls


-----------------------------------------
Patch: SUSE-2017-2095
Released: Fri Dec 15 21:04:51 2017
Summary: Recommended update for cifs-utils
Severity: low
References: 1025471
Description:

This update for cifs-utils fixes the following issues:

- Document SMB3+ and new seal option (fate#322075)
- Get rid of init script on everything based off SLE12+ (bsc#1025471)
- Use https urls


-----------------------------------------
Patch: SUSE-2017-2097
Released: Sat Dec 16 01:59:00 2017
Summary: Security update for openssl
Severity: important
References: 1071905,1071906,CVE-2017-3737,CVE-2017-3738
Description:
This update for openssl fixes the following issues:

- OpenSSL Security Advisory [07 Dec 2017]
  * CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \'error state\' mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. (bsc#1071905)
  * CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)


-----------------------------------------
Patch: SUSE-2017-2100
Released: Mon Dec 18 17:25:18 2017
Summary: Recommended update for wicked
Severity: important
References: 1036619,1043883,1045522,1050258,1057007,1059292
Description:

This update for wicked fixes the following issues:

- A regression in wicked was causing the hostname not to be set correctly via DHCP in some cases. [bsc#1057007,bsc#1050258]
- Configure the interface MTU correctly even in cases where the interface was up already. [bsc#1059292]
- Don't abort the process that adds configures routes if one route fails. [bsc#1036619]
- Handle DHCP4 user-class ids properly. [bsc#1045522]
- ethtool: handle channels parameters. [bsc#1043883]


-----------------------------------------
Patch: SUSE-2017-2129
Released: Thu Dec 21 14:30:33 2017
Summary: Security update for the Linux Kernel
Severity: important
References: 1010201,1012382,1012523,1015336,1015337,1015340,1015342,1015343,1019675,1020412,1020645,1022595,1022607,1024346,1024373,1024376,1024412,1031717,1032150,1036489,1036800,1037404,1037838,1038299,1039542,1040073,1041873,1042268,1042957,1042977,1042978,1043017,1045404,1046054,1046107,1047901,1047989,1048317,1048327,1048356,1050060,1050231,1051406,1051635,1051987,1052384,1053309,1053919,1055272,1056003,1056365,1056427,1056587,1056596,1056652,1056979,1057079,1057199,1057820,1058413,1059639,1060333,1061756,1062496,1062835,1062941,1063026,1063349,1063516,1064206,1064320,1064591,1064597,1064606,1064701,1064926,1065101,1065180,1065600,1065639,1065692,1065717,1065866,1065959,1066045,1066175,1066192,1066213,1066223,1066285,1066382,1066470,1066471,1066472,1066573,1066606,1066629,1066660,1066696,1066767,1066812,1066974,1067105,1067132,1067225,1067494,1067734,1067735,1067888,1067906,1068671,1068978,1068980,1068982,1069152,1069250,1069270,1069277,1069484,1069583,1069721,1069793,1069879,1069916,1069942,1069996,1070001,1070006,1070145,1070169,1070404,1070535,1070767,1070771,1070805,1070825,1070964,1071693,1071694,1071695,1071833,1072589,744692,789311,964944,966170,966172,969470,979928,989261,996376,CVE-2017-1000410,CVE-2017-11600,CVE-2017-12193,CVE-2017-15115,CVE-2017-16528,CVE-2017-16536,CVE-2017-16537,CVE-2017-16645,CVE-2017-16646,CVE-2017-16994,CVE-2017-17448,CVE-2017-17449,CVE-2017-17450,CVE-2017-7482,CVE-2017-8824
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.103 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-1000410: The Linux kernel was affected by an information lea that lies in the processing of incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. (bnc#1070535).
- CVE-2017-11600: net/xfrm/xfrm_policy.c in the Linux kernel did not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allowed local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message (bnc#1050231).
- CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192).
- CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel did not check whether the intended netns is used in a peel-off action, which allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls (bnc#1068671).
- CVE-2017-16528: sound/core/seq_device.c in the Linux kernel allowed local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066629).
- CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).
- CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).
- CVE-2017-16645: The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel allowed local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067132).
- CVE-2017-16646: drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067105).
- CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel mishandled holes in hugetlb ranges, which allowed local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call (bnc#1069996).
- CVE-2017-17448: net/netfilter/nfnetlink_cthelper.c in the Linux kernel did not require the CAP_NET_ADMIN capability for new, get, and del operations, which allowed local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (bnc#1071693).
- CVE-2017-17449: The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel did not restrict observations of Netlink messages to a single net namespace, which allowed local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system (bnc#1071694).
- CVE-2017-17450: net/netfilter/xt_osf.c in the Linux kernel did not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allowed local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (bnc#1071695).
- CVE-2017-7482: Fixed an overflow when decoding a krb5 principal. (bnc#1046107).
- CVE-2017-8824: The dccp_disconnect function in net/dccp/proto.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state (bnc#1070771).

The following non-security bugs were fixed:

- acpi / APD: Add clock frequency for ThunderX2 I2C controller (bsc#1067225).
- Add references (bsc#1062941, bsc#1037404, bsc#1012523, bsc#1038299) The scsi_devinfo patches are relevant for all bugs related to HITACHI OPEN-V:
- adm80211: return an error if adm8211_alloc_rings() fails (bsc#1031717).
- adv7604: Initialize drive strength to default when using DT (bnc#1012382).
- af_netlink: ensure that NLMSG_DONE never fails in dumps (bnc#1012382).
- alsa: caiaq: Fix stray URB at probe error path (bnc#1012382).
- alsa: hda: Abort capability probe at invalid register read (bsc#1048356).
- alsa: hda: Add Raven PCI ID (bnc#1012382).
- alsa: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE (bnc#1012382).
- alsa: hda/ca0132 - Fix memory leak at error path (bsc#1031717).
- alsa: hda - fix headset mic problem for Dell machines with alc236 (bnc#1012382).
- alsa: hda - No loopback on ALC299 codec (git-fixes).
- alsa: hda/realtek: Add headset mic support for Intel NUC Skull Canyon (bsc#1031717).
- alsa: hda/realtek - Add new codec ID ALC299 (bnc#1012382).
- alsa: hda/realtek - Add support for ALC236/ALC3204 (bnc#1012382).
- alsa: hda/realtek - Fix ALC700 family no sound issue (bsc#1031717).
- alsa: hda: Remove superfluous '-' added by printk conversion (bnc#1012382).
- alsa: hda: Workaround for KBL codec power control (bsc#1048356,bsc#1047989,bsc#1055272,bsc#1058413).
- alsa: line6: Fix leftover URB at error-path during probe (bnc#1012382).
- alsa: pcm: update tstamp only if audio_tstamp changed (bsc#1031717).
- alsa: seq: Avoid invalid lockdep class warning (bsc#1031717).
- alsa: seq: Enable 'use' locking in all configurations (bnc#1012382).
- alsa: seq: Fix copy_from_user() call inside lock (bnc#1012382).
- alsa: seq: Fix nested rwsem annotation for lockdep splat (bnc#1012382).
- alsa: seq: Fix OSS sysex delivery in OSS emulation (bnc#1012382).
- alsa: timer: Add missing mutex lock for compat ioctls (bnc#1012382).
- alsa: timer: Remove kernel warning at compat ioctl error paths (bsc#1031717).
- alsa: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital (bnc#1012382).
- alsa: usb-audio: Add sanity checks in v2 clock parsers (bsc#1031717).
- alsa: usb-audio: Add sanity checks to FE parser (bsc#1031717).
- alsa: usb-audio: Fix potential out-of-bound access at parsing SU (bsc#1031717).
- alsa: usb-audio: Kill stray URB at exiting (bnc#1012382).
- alsa: usb-audio: uac1: Invalidate ctl on interrupt (bsc#1031717).
- alsa: vx: Do not try to update capture stream before running (bnc#1012382).
- alsa: vx: Fix possible transfer overflow (bnc#1012382).
- Apply generic ppc build fixes to vanilla (bsc#1070805)
- arm64: dts: NS2: reserve memory for Nitro firmware (bnc#1012382).
- arm64: ensure __dump_instr() checks addr_limit (bnc#1012382).
- arm: 8715/1: add a private asm/unaligned.h (bnc#1012382).
- arm: 8720/1: ensure dump_instr() checks addr_limit (bnc#1012382).
- arm: 8721/1: mm: dump: check hardware RO bit for LPAE (bnc#1012382).
- arm: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE (bnc#1012382).
- arm: crypto: reduce priority of bit-sliced AES cipher (bnc#1012382).
- arm: dts: Fix am335x and dm814x scm syscon to probe children (bnc#1012382).
- arm: dts: Fix compatible for ti81xx uarts for 8250 (bnc#1012382).
- arm: dts: Fix omap3 off mode pull defines (bnc#1012382).
- arm: dts: mvebu: pl310-cache disable double-linefill (bnc#1012382).
- arm: OMAP2+: Fix init for multiple quirks for the same SoC (bnc#1012382).
- arm: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 (bnc#1012382).
- arm: pxa: Do not rely on public mmc header to include leds.h (bnc#1012382).
- asm/sections: add helpers to check for section data (bsc#1063026).
- asoc: adau17x1: Workaround for noise bug in ADC (bnc#1012382).
- asoc: cs42l56: Fix reset GPIO name in example DT binding (bsc#1031717).
- asoc: davinci-mcasp: Fix an error handling path in 'davinci_mcasp_probe()' (bsc#1031717).
- asoc: rsnd: do not double free kctrl (bnc#1012382).
- asoc: samsung: Fix possible double iounmap on s3c24xx driver probe failure (bsc#1031717).
- asoc: wm_adsp: Do not overrun firmware file buffer when reading region data (bnc#1012382).
- ata: ATA_BMDMA should depend on HAS_DMA (bnc#1012382).
- ata: fixes kernel crash while tracing ata_eh_link_autopsy event (bnc#1012382).
- ata: SATA_HIGHBANK should depend on HAS_DMA (bnc#1012382).
- ata: SATA_MV should depend on HAS_DMA (bnc#1012382).
- ath10k: convert warning about non-existent OTP board id to debug message (git-fixes).
- ath10k: fix a warning during channel switch with multiple vaps (bsc#1031717).
- ath10k: fix board data fetch error message (bsc#1031717).
- ath10k: fix diag_read to collect data for larger memory (bsc#1031717).
- ath10k: fix incorrect txpower set by P2P_DEVICE interface (bnc#1012382).
- ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats() (bnc#1012382).
- ath10k: free cached fw bin contents when get board id fails (bsc#1031717).
- ath10k: ignore configuring the incorrect board_id (bnc#1012382).
- ath10k: set CTS protection VDEV param only if VDEV is up (bnc#1012382).
- ath9k_htc: check for underflow in ath9k_htc_rx_msg() (bsc#1031717).
- ath9k: off by one in ath9k_hw_nvram_read_array() (bsc#1031717).
- autofs: do not fail mount for transient error (bsc#1065180).
- backlight: adp5520: Fix error handling in adp5520_bl_probe() (bnc#1012382).
- backlight: lcd: Fix race condition during register (bnc#1012382).
- bcache: check ca->alloc_thread initialized before wake up it (bnc#1012382).
- bio-integrity: bio_integrity_advance must update integrity seed (bsc#1046054).
- bio-integrity: bio_trim should truncate integrity vector accordingly (bsc#1046054).
- bio-integrity: Do not allocate integrity context for bio w/o data (bsc#1046054).
- bio-integrity: fix interface for bio_integrity_trim (bsc#1046054).
- bio: partially revert 'fix interface for bio_integrity_trim' (bsc#1046054).
- blacklist.conf: Add ath10k, mmc and rtl8192u commits (bsc#1031717)
- blacklist.conf: Add drm/i915 blacklist (bsc#1031717)
- blacklist.conf: added misc commits (bsc#1031717)
- blacklist.conf: Add misc entries (bsc#1031717)
- blacklist.conf: Add non-applicable commit ID (bsc#1066812)
- blacklist.conf: Add non-applicable commits (bsc#1066812)
- blacklist.conf: blacklisted 16af97dc5a89 (bnc#1053919)
- blacklist.conf: Blacklist two commits (bbb3be170ac2 and ccf1e0045eea).
- blacklist.conf: Update blacklist (bsc#1031717)
- blacklist.conf: Update iwlwifi blacklist (bsc#1031717)
- blacklist.conf: yet another serial entry (bsc#1031717)
- block: Fix a race between blk_cleanup_queue() and timeout handling (FATE#319965, bsc#964944).
- block: Make q_usage_counter also track legacy requests (bsc#1057820).
- bluetooth: btusb: fix QCA Rome suspend/resume (bnc#1012382).
- bnxt_en: Do not use rtnl lock to protect link change logic in workqueue (bsc#1020412 FATE#321671).
- bnxt_en: Fix a variable scoping in bnxt_hwrm_do_send_msg() (bsc#1053309).
- bnxt_en: Fix possible corrupted NVRAM parameters from firmware response (bsc#1020412 FATE#321671).
- bnxt_en: Fix possible corruption in DCB parameters from firmware (bsc#1020412 FATE#321671).
- bnxt_en: Fix VF PCIe link speed and width logic (bsc#1020412 FATE#321671).
- bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown (bsc#1053309).
- bnxt_re: Make room for mapping beyond 32 entries (bsc#1056596).
- bonding: discard lowest hash bit for 802.3ad layer3+4 (bnc#1012382).
- bpf: one perf event close won't free bpf program attached by another perf event (bnc#1012382).
- bpf/verifier: reject BPF_ALU64|BPF_END (bnc#1012382).
- brcmfmac: add length check in brcmf_cfg80211_escan_handler() (bnc#1012382).
- brcmfmac: remove setting IBSS mode when stopping AP (bnc#1012382).
- brcmsmac: make some local variables 'static const' to reduce stack size (bnc#1012382).
- bt8xx: fix memory leak (bnc#1012382).
- btrfs: return the actual error value from from btrfs_uuid_tree_iterate (bnc#1012382).
- bus: mbus: fix window size calculation for 4GB windows (bnc#1012382).
- can: c_can: do not indicate triple sampling support for D_CAN (bnc#1012382).
- can: esd_usb2: Fix can_dlc value for received RTR, frames (bnc#1012382).
- can: gs_usb: fix busy loop if no more TX context is available (bnc#1012382).
- can: kvaser_usb: Correct return value in printout (bnc#1012382).
- can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages (bnc#1012382).
- can: sun4i: fix loopback mode (bnc#1012382).
- can: sun4i: handle overrun in RX FIFO (bnc#1012382).
- cdc_ncm: Set NTB format again after altsetting switch for Huawei devices (bnc#1012382).
- ceph: clean up unsafe d_parent accesses in build_dentry_path (FATE#322288 bnc#1012382).
- ceph: disable cached readdir after dropping positive dentry (bsc#1069277).
- ceph: -EINVAL on decoding failure in ceph_mdsc_handle_fsmap() (bsc#1069277).
- ceph: present consistent fsid, regardless of arch endianness (bsc#1069277).
- ceph: unlock dangling spinlock in try_flush_caps() (bsc#1065639).
- cgroup, net_cls: iterate the fds of only the tasks which are being migrated (bnc#1064926).
- cifs: check MaxPathNameComponentLength != 0 before using it (bnc#1012382).
- cifs: fix circular locking dependency (bsc#1064701).
- cifs: Reconnect expired SMB sessions (bnc#1012382).
- clk: ti: dra7-atl-clock: fix child-node lookups (bnc#1012382).
- clk: ti: dra7-atl-clock: Fix of_node reference counting (bnc#1012382).
- clockevents/drivers/cs5535: Improve resilience to spurious interrupts (bnc#1012382).
- cma: fix calculation of aligned offset (VM Functionality, bsc#1050060).
- coda: fix 'kernel memory exposure attempt' in fsync (bnc#1012382).
- cpufreq: CPPC: add acpi_PROCESSOR dependency (bnc#1012382).
- crypto: dh - Do not permit 'key' or 'g' size longer than 'p' (bsc#1048317).
- crypto: dh - Do not permit 'p' to be 0 (bsc#1048317).
- crypto: dh - Fix double free of ctx->p (bsc#1048317).
- crypto: dh - fix memleak in setkey (bsc#1048317).
- crypto: rsa - fix buffer overread when stripping leading zeroes (bsc#1048317).
- crypto: shash - Fix zero-length shash ahash digest crash (bnc#1012382).
- crypto: vmx - disable preemption to enable vsx in aes_ctr.c (bnc#1012382).
- crypto: x86/sha1-mb - fix panic due to unaligned access (bnc#1012382).
- crypto: xts - Add ECB dependency (bnc#1012382).
- cx231xx: Fix I2C on Internal Master 3 Bus (bnc#1012382).
- cxgb4: Fix error codes in c4iw_create_cq() (bsc#1048327).
- cxl: Fix DAR check & use REGION_ID instead of opencoding (bsc#1066223).
- cxl: Fix leaking pid refs in some error paths (bsc#1066223).
- cxl: Force context lock during EEH flow (bsc#1066223).
- cxl: Prevent adapter reset if an active context exists (bsc#1066223).
- cxl: Route eeh events to all drivers in cxl_pci_error_detected() (bsc#1066223).
- direct-io: Prevent NULL pointer access in submit_page_section (bnc#1012382).
- Disable IPMI fix patches due to regression (bsc#1071833)
- Disable patches.kernel.org/4.4.93-022-fix-unbalanced-page-refcounting-in-bio_map_use.patch (bsc#1070767)
- dmaengine: dmatest: warn user when dma test times out (bnc#1012382).
- dmaengine: edma: Align the memcpy acnt array size with the transfer (bnc#1012382).
- dmaengine: zx: set DMA_CYCLIC cap_mask bit (bnc#1012382).
- dm bufio: fix integer overflow when limiting maximum cache size (bnc#1012382).
- dm: fix race between dm_get_from_kobject() and __dm_destroy() (bnc#1012382).
- dm mpath: remove annoying message of 'blk_get_request() returned -11' (bsc#1066812).
- dm raid: fix NULL pointer dereference for raid1 without bitmap (bsc#1042957, FATE#321488).
- dm rq: Avoid that request processing stalls sporadically (bsc#1042978).
- drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled (bsc#1070001).
- drivers: dma-mapping: Do not leave an invalid area->pages pointer in dma_common_contiguous_remap() (Git-fixes, bsc#1065692).
- drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it (bsc#1051987).
- drivers: of: Fix of_pci.h header guard (bsc#1065959).
- drm/amdgpu: when dpm disabled, also need to stop/start vce (bnc#1012382).
- drm/amdkfd: NULL dereference involving create_process() (bsc#1031717).
- drm: Apply range restriction after color adjustment when allocation (bnc#1012382).
- drm/armada: Fix compile fail (bnc#1012382).
- drm: drm_minor_register(): Clean up debugfs on failure (bnc#1012382).
- drm: gma500: fix logic error (bsc#1031717).
- drm/i915/bxt: set min brightness from VBT (bsc#1031717).
- drm/i915: Do not try indexed reads to alternate slave addresses (bsc#1031717).
- drm/i915: fix backlight invert for non-zero minimum brightness (bsc#1031717).
- drm/i915: Prevent zero length 'index' write (bsc#1031717).
- drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get() (bsc#1031717).
- drm/msm: fix an integer overflow test (bnc#1012382).
- drm/msm: Fix potential buffer overflow issue (bnc#1012382).
- drm/nouveau/bsp/g92: disable by default (bnc#1012382).
- drm/nouveau/gr: fallback to legacy paths during firmware lookup (bsc#1031717).
- drm/nouveau/mmu: flush tlbs before deleting page tables (bnc#1012382).
- drm/omap: Fix error handling path in 'omap_dmm_probe()' (bsc#1031717).
- drm/panel: simple: Add missing panel_simple_unprepare() calls (bsc#1031717).
- drm/radeon: Avoid double gpu reset by adding a timeout on IB ring tests (bsc#1066175).
- drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache (bnc#1012382).
- drm/vc4: Fix leak of HDMI EDID (bsc#1031717).
- drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue (bnc#1012382).
- Drop obsolete patch (bsc#1067734)
- e1000e: Avoid receiver overrun interrupt bursts (bsc#969470 FATE#319819).
- e1000e: Fix error path in link detection (bnc#1012382).
- e1000e: Fix return value test (bnc#1012382).
- e1000e: Separate signaling for link check/link up (bnc#1012382).
- ecryptfs: fix dereference of NULL user_key_payload (bnc#1012382).
- eCryptfs: use after free in ecryptfs_release_messaging() (bsc#1070404).
- epoll: avoid calling ep_call_nested() from ep_poll_safewake() (bsc#1056427).
- epoll: remove ep_call_nested() from ep_eventpoll_poll() (bsc#1056427).
- ext4: cleanup goto next group (bsc#1066285).
- ext4: do not use stripe_width if it is not set (bnc#1012382).
- ext4: fix fault handling when mounted with -o dax,ro (bsc#1069484).
- ext4: fix interaction between i_size, fallocate, and delalloc after a crash (bnc#1012382).
- ext4: fix stripe-unaligned allocations (bnc#1012382).
- ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets (bnc#1012382).
- ext4: prevent data corruption with inline data + DAX (bsc#1064591).
- ext4: prevent data corruption with journaling + DAX (bsc#1064591).
- ext4: reduce lock contention in __ext4_new_inode (bsc#1066285).
- extcon: palmas: Check the parent instance to prevent the NULL (bnc#1012382).
- exynos4-is: fimc-is: Unmap region obtained by of_iomap() (bnc#1012382).
- f2fs crypto: add missing locking for keyring_key access (bnc#1012382).
- f2fs crypto: replace some BUG_ON()'s with error checks (bnc#1012382).
- f2fs: do not wait for writeback in write_begin (bnc#1012382).
- fealnx: Fix building error on MIPS (bnc#1012382).
- fix a page leak in vhost_scsi_iov_to_sgl() error recovery (bnc#1012382).
- Fix tracing sample code warning (bnc#1012382).
- fix unbalanced page refcounting in bio_map_user_iov (bnc#1012382).
- Fixup patches.fixes/block-Make-q_usage_counter-also-track-legacy-request.patch. (bsc#1062496)
- fm10k: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- fs/9p: Compare qid.path in v9fs_test_inode (bsc#1070404).
- fs-cache: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypt: fix dereference of NULL user_key_payload (bnc#1012382).
- fscrypt: lock mutex before checking for bounce page pool (bnc#1012382).
- fscrypto: require write access to mount to set encryption policy (bnc#1012382).
- fuse: fix READDIRPLUS skipping an entry (bnc#1012382).
- gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap (bnc#1012382).
- hid: elo: clear BTN_LEFT mapping (bsc#1065866).
- hid: usbhid: fix out-of-bounds bug (bnc#1012382).
- hsi: ssi_protocol: double free in ssip_pn_xmit() (bsc#1031717).
- hwmon: (xgene) Fix up error handling path mixup in 'xgene_hwmon_probe()' (bsc#).
- i2c: at91: ensure state is restored after suspending (bnc#1012382).
- i2c: bcm2835: Add support for dynamic clock (bsc#1066660).
- i2c: bcm2835: Add support for Repeated Start Condition (bsc#1066660).
- i2c: bcm2835: Avoid possible NULL ptr dereference (bsc#1066660).
- i2c: bcm2835: Can't support I2C_M_IGNORE_NAK (bsc#1066660).
- i2c: bcm2835: Do not complain on -EPROBE_DEFER from getting our clock (bsc#1066660).
- i2c: bcm2835: Fix hang for writing messages larger than 16 bytes (bsc#1066660).
- i2c: bcm2835: Protect against unexpected TXW/RXR interrupts (bsc#1066660).
- i2c: bcm2835: Support i2c-dev ioctl I2C_TIMEOUT (bsc#1066660).
- i2c: bcm2835: Use dev_dbg logging on transfer errors (bsc#1066660).
- i2c: cadance: fix ctrl/addr reg write order (bsc#1031717).
- i2c: imx: Use correct function to write to register (bsc#1031717).
- i2c: ismt: Separate I2C block read from SMBus block read (bnc#1012382).
- i2c: riic: correctly finish transfers (bnc#1012382).
- i2c: riic: fix restart condition (git-fixes).
- i2c: xlp9xx: Enable HWMON class probing for xlp9xx (bsc#1067225).
- i2c: xlp9xx: Get clock frequency with clk API (bsc#1067225).
- i2c: xlp9xx: Handle I2C_M_RECV_LEN in msg->flags (bsc#1067225).
- i40e: Fix incorrect use of tx_itr_setting when checking for Rx ITR setup (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: fix the calculation of VFs mac addresses (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: only redistribute MSI-X vectors when needed (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).
- i40e: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- i40evf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- i40iw: Remove UDA QP from QoS list if creation fails (bsc#1024376 FATE#321249).
- ib/core: Fix calculation of maximum RoCE MTU (bsc#1022595 FATE#322350).
- ib/core: Fix unable to change lifespan entry for hw_counters (FATE#321231 FATE#321473).
- ib/core: Namespace is mandatory input for address resolution (bsc#1022595 FATE#322350).
- ib/hfi1: Add MODULE_FIRMWARE statements (bsc#1036800).
- ib/ipoib: Clean error paths in add port (bsc#1022595 FATE#322350).
- ib/ipoib: Prevent setting negative values to max_nonsrq_conn_qp (bsc#1022595 FATE#322350).
- ib/ipoib: Remove double pointer assigning (bsc#1022595 FATE#322350).
- ib/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization (bsc#1022595 FATE#322350).
- ib/mlx5: Fix RoCE Address Path fields (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ibmvnic: Add netdev_dbg output for debugging (fate#323285).
- ibmvnic: Add vnic client data to login buffer (bsc#1069942).
- ibmvnic: Convert vnic server reported statistics to cpu endian (fate#323285).
- ibmvnic: Enable scatter-gather support (bsc#1066382).
- ibmvnic: Enable TSO support (bsc#1066382).
- ibmvnic: Feature implementation of Vital Product Data (VPD) for the ibmvnic driver (bsc#1069942).
- ibmvnic: Fix calculation of number of TX header descriptors (bsc#1066382).
- ibmvnic: fix dma_mapping_error call (bsc#1069942).
- ibmvnic: Fix failover error path for non-fatal resets (bsc#1066382).
- ibmvnic: Implement .get_channels (fate#323285).
- ibmvnic: Implement .get_ringparam (fate#323285).
- ibmvnic: Implement per-queue statistics reporting (fate#323285).
- ibmvnic: Let users change net device features (bsc#1066382).
- ibmvnic: Update reset infrastructure to support tunable parameters (bsc#1066382).
- ib/rxe: check for allocation failure on elem (FATE#322149).
- ib/rxe: do not crash, if allocation of crc algorithm failed (bsc#1051635).
- ib/rxe: put the pool on allocation failure (FATE#322149).
- ib/srp: Avoid that a cable pull can trigger a kernel crash (bsc#1022595 FATE#322350).
- ib/srpt: Do not accept invalid initiator port names (bnc#1012382).
- ib/uverbs: Fix device cleanup (bsc#1022595 FATE#322350).
- ib/uverbs: Fix NULL pointer dereference during device removal (bsc#1022595 FATE#322350).
- igb: close/suspend race in netif_device_detach (bnc#1012382).
- igb: Fix hw_dbg logging in igb_update_flash_i210 (bnc#1012382).
- igb: reset the PHY before reading the PHY ID (bnc#1012382).
- igb: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- igbvf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- iio: adc: xilinx: Fix error handling (bnc#1012382).
- iio: dummy: events: Add missing break (bsc#1031717).
- iio: light: fix improper return value (bnc#1012382).
- iio: trigger: free trigger resource correctly (bnc#1012382).
- ima: do not update security.ima if appraisal status is not INTEGRITY_PASS (bnc#1012382).
- input: ar1021_i2c - fix too long name in driver's device table (bsc#1031717).
- input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree (bsc#1031717).
- input: elan_i2c - add ELAN060C to the acpi table (bnc#1012382).
- input: elan_i2c - add ELAN0611 to the acpi table (bnc#1012382).
- input: gtco - fix potential out-of-bound access (bnc#1012382).
- input: mpr121 - handle multiple bits change of status register (bnc#1012382).
- input: mpr121 - set missing event capability (bnc#1012382).
- input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen (bsc#1031717).
- input: twl4030-pwrbutton - use correct device for irq request (bsc#1031717).
- input: ucb1400_ts - fix suspend and resume handling (bsc#1031717).
- input: uinput - avoid crash when sending FF request to device going away (bsc#1031717).
- iommu/amd: Finish TLB flush in amd_iommu_unmap() (bnc#1012382).
- iommu/vt-d: Do not register bus-notifier under dmar_global_lock (bsc#1069793).
- ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err (bnc#1012382).
- ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header (bnc#1012382).
- ipip: only increase err_count for some certain type icmp in ipip_err (bnc#1012382).
- ipmi: fix unsigned long underflow (bnc#1012382).
- ipmi: Pick up slave address from SMBIOS on an acpi device (bsc#1070006).
- ipmi: Prefer acpi system interfaces over SMBIOS ones (bsc#1070006).
- ipmi_si: Clean up printks (bsc#1070006).
- ipmi_si: fix memory leak on new_smi (bsc#1070006).
- ipsec: do not ignore crypto err in ah4 input (bnc#1012382).
- ipv6: flowlabel: do not leave opt->tot_len with garbage (bnc#1012382).
- ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER (bnc#1012382).
- ipvs: make drop_entry protection effective for SIP-pe (bsc#1056365).
- irqchip/crossbar: Fix incorrect type of local variables (bnc#1012382).
- isa: Prevent NULL dereference in isa_bus driver callbacks (bsc#1031717).
- iscsi-target: Fix non-immediate TMR reference leak (bnc#1012382).
- isdn/i4l: fetch the ppp_write buffer in one shot (bnc#1012382).
- isofs: fix timestamps beyond 2027 (bnc#1012382).
- iwlwifi: mvm: fix the coex firmware API (bsc#1031717).
- iwlwifi: mvm: return -ENODATA when reading the temperature with the FW down (bsc#1031717).
- iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw (bsc#1031717).
- iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD (bnc#1012382).
- iwlwifi: split the regulatory rules when the bandwidth flags require it (bsc#1031717).
- ixgbe: add mask for 64 RSS queues (bnc#1012382).
- ixgbe: do not disable FEC from the driver (bnc#1012382).
- ixgbe: fix AER error handling (bnc#1012382).
- ixgbe: Fix skb list corruption on Power systems (bnc#1012382).
- ixgbe: handle close/suspend race with netif_device_detach/present (bnc#1012382).
- ixgbe: Reduce I2C retry count on X550 devices (bnc#1012382).
- ixgbevf: Use smp_rmb rather than read_barrier_depends (bnc#1012382).
- kABI: protect struct l2tp_tunnel (kabi).
- kABI: protect struct regulator_dev (kabi).
- kABI: protect structs rt_rq+root_domain (kabi).
- kABI: protect typedef rds_rdma_cookie_t (kabi).
- kabi/severities: Ignore drivers/nvme/target (bsc#1063349)
- kabi/severities: Ignore kABI changes for qla2xxx (bsc#1043017)
- kernel-docs: unpack the source instead of using kernel-source (bsc#1057199).
- kernel/sysctl_binary.c: check name array length in deprecated_sysctl_warning() (FATE#323821).
- kernel/sysctl.c: remove duplicate UINT_MAX check on do_proc_douintvec_conv() (bsc#1066470).
- kernel/watchdog: Prevent false positives with turbo modes (bnc#1063516).
- keys: do not let add_key() update an uninstantiated key (bnc#1012382).
- keys: do not revoke uninstantiated key in request_key_auth_new() (bsc#1031717).
- keys: encrypted: fix dereference of NULL user_key_payload (bnc#1012382).
- keys: fix cred refcount leak in request_key_auth_new() (bsc#1031717).
- keys: fix key refcount leak in keyctl_assume_authority() (bsc#1031717).
- keys: fix key refcount leak in keyctl_read_key() (bsc#1031717).
- keys: fix NULL pointer dereference during ASN.1 parsing [ver #2] (bnc#1012382).
- keys: fix out-of-bounds read during ASN.1 parsing (bnc#1012382).
- keys: Fix race between updating and finding a negative key (bnc#1012382).
- keys: return full count in keyring_read() if buffer is too small (bnc#1012382).
- keys: trusted: fix writing past end of buffer in trusted_read() (bnc#1012382).
- keys: trusted: sanitize all key material (bnc#1012382).
- kvm: nVMX: fix guest CR4 loading when emulating L2 to L1 exit (bnc#1012382).
- kvm: nVMX: set IDTR and GDTR limits when loading L1 host state (bnc#1012382).
- kvm: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter (bnc#1012382).
- kvm: SVM: obey guest PAT (bnc#1012382).
- l2tp: Avoid schedule while atomic in exit_net (bnc#1012382).
- l2tp: check ps->sock before running pppol2tp_session_ioctl() (bnc#1012382).
- l2tp: fix race condition in l2tp_tunnel_delete (bnc#1012382).
- libceph: do not WARN() if user tries to add invalid key (bsc#1069277).
- lib/digsig: fix dereference of NULL user_key_payload (bnc#1012382).
- libertas: Fix lbs_prb_rsp_limit_set() (bsc#1031717).
- lib/mpi: call cond_resched() from mpi_powm() loop (bnc#1012382).
- libnvdimm, namespace: fix label initialization to use valid seq numbers (bnc#1012382).
- libnvdimm, namespace: make 'resource' attribute only readable by root (bnc#1012382).
- libnvdimm, pfn: make 'resource' attribute only readable by root (FATE#319858).
- lib/ratelimit.c: use deferred printk() version (bsc#979928).
- locking/lockdep: Add nest_lock integrity test (bnc#1012382).
- lpfc: tie in to new dev_loss_tmo interface in nvme transport (bsc#1041873).
- mac80211: agg-tx: call drv_wake_tx_queue in proper context (bsc#1031717).
- mac80211: do not compare TKIP TX MIC key in reinstall prevention (bsc#1066472).
- mac80211: do not send SMPS action frame in AP mode when not needed (bsc#1031717).
- mac80211: Fix addition of mesh configuration element (git-fixes).
- mac80211: Fix BW upgrade for TDLS peers (bsc#1031717).
- mac80211: fix mgmt-tx abort cookie and leak (bsc#1031717).
- mac80211: fix power saving clients handling in iwlwifi (bnc#1012382).
- mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length (bnc#1012382).
- mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() (bsc#1031717).
- mac80211: Remove invalid flag operations in mesh TSF synchronization (bnc#1012382).
- mac80211: Remove unused 'beaconint_us' variable (bsc#1031717).
- mac80211: Remove unused 'i' variable (bsc#1031717).
- mac80211: Remove unused 'len' variable (bsc#1031717).
- mac80211: Remove unused 'rates_idx' variable (bsc#1031717).
- mac80211: Remove unused 'sband' and 'local' variables (bsc#1031717).
- mac80211: Remove unused 'struct ieee80211_rx_status' ptr (bsc#1031717).
- mac80211: Suppress NEW_PEER_CANDIDATE event if no room (bnc#1012382).
- mac80211: TDLS: always downgrade invalid chandefs (bsc#1031717).
- mac80211: TDLS: change BW calculation for WIDER_BW peers (bsc#1031717).
- mac80211: use constant time comparison with keys (bsc#1066471).
- md/linear: shutup lockdep warnning (FATE#321488 bnc#1012382 bsc#1042977).
- media: au0828: fix RC_CORE dependency (bsc#1031717).
- media: Do not do DMA on stack for firmware upload in the AS102 driver (bnc#1012382).
- media: em28xx: calculate left volume level correctly (bsc#1031717).
- media: mceusb: fix memory leaks in error path (bsc#1031717).
- media: rc: check for integer overflow (bnc#1012382).
- media: v4l2-ctrl: Fix flags field on Control events (bnc#1012382).
- mei: return error on notification request to a disconnected client (bnc#1012382).
- memremap: add scheduling point to devm_memremap_pages (bnc#1057079).
- mfd: ab8500-sysctrl: Handle probe deferral (bnc#1012382).
- mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped (bnc#1012382).
- misc: panel: properly restore atomic counter on error path (bnc#1012382).
- mmc: block: return error on failed mmc_blk_get() (bsc#1031717).
- mmc: core: add driver strength selection when selecting hs400es (bsc#1069721).
- mmc: core: Fix access to HS400-ES devices (bsc#1031717).
- mmc: core/mmci: restore pre/post_req behaviour (bsc#1031717).
- mmc: dw_mmc: Fix the DTO timeout calculation (bsc#1069721).
- mm: check the return value of lookup_page_ext for all call sites (bnc#1068982).
- mmc: host: omap_hsmmc: avoid possible overflow of timeout value (bsc#1031717).
- mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() (bsc#1031717).
- mmc: mediatek: Fixed size in dma_free_coherent (bsc#1031717).
- mmc: s3cmci: include linux/interrupt.h for tasklet_struct (bnc#1012382).
- mmc: sd: limit SD card power limit according to cards capabilities (bsc#1031717).
- mm: distinguish CMA and MOVABLE isolation in has_unmovable_pages (bnc#1051406).
- mm: drop migrate type checks from has_unmovable_pages (bnc#1051406).
- mm, hwpoison: fixup 'mm: check the return value of lookup_page_ext for all call sites' (bnc#1012382).
- mm/madvise.c: fix freeing of locked page with MADV_FREE (bnc#1069152).
- mm/madvise.c: fix madvise() infinite loop under special circumstances (bnc#1070964).
- mm, memory_hotplug: add scheduling point to __add_pages (bnc#1057079).
- mm, memory_hotplug: do not fail offlining too early (bnc#1051406).
- mm, memory_hotplug: remove timeout from __offline_memory (bnc#1051406).
- mm, page_alloc: add scheduling point to memmap_init_zone (bnc#1057079).
- mm/page_alloc.c: broken deferred calculation (bnc#1068980).
- mm, page_alloc: fix potential false positive in __zone_watermark_ok (Git-fixes, bsc#1068978).
- mm/page_ext.c: check if page_ext is not prepared (bnc#1068982).
- mm/page_owner: avoid null pointer dereference (bnc#1068982).
- mm/pagewalk.c: report holes in hugetlb ranges (bnc#1012382).
- mm, sparse: do not swamp log with huge vmemmap allocation failures (bnc#1047901).
- net: 3com: typhoon: typhoon_init_one: fix incorrect return values (bnc#1012382).
- net: 3com: typhoon: typhoon_init_one: make return values more specific (bnc#1012382).
- net/9p: Switch to wait_event_killable() (bnc#1012382).
- net: Allow IP_MULTICAST_IF to set index to L3 slave (bnc#1012382).
- net: cdc_ether: fix divide by 0 on bad descriptors (bnc#1012382).
- net: cdc_ncm: GetNtbFormat endian fix (git-fixes).
- net: dsa: select NET_SWITCHDEV (bnc#1012382).
- net: emac: Fix napi poll list corruption (bnc#1012382).
- netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed (bnc#1012382).
- netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value (bnc#1012382).
- netfilter: nf_tables: fix oob access (bnc#1012382).
- netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family (bnc#1012382).
- netfilter: nft_queue: use raw_smp_processor_id() (bnc#1012382).
- net: ibm: ibmvnic: constify vio_device_id (fate#323285).
- net: ixgbe: Use new IXGBE_FLAG2_ROOT_RELAXED_ORDERING flag (bsc#1056652).
- net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs (FATE#321685 FATE#321686 FATE#321687 bnc#1012382 bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx4_en: fix overflow in mlx4_en_init_timestamp() (FATE#321685 FATE#321686 FATE#321687 bnc#1012382 bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx5: Delay events till mlx5 interface's add complete for pci resume (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Increase Striding RQ minimum size limit to 4 multi-packet WQEs (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix health work queue spin lock to IRQ safe (bsc#1015342).
- net/mlx5: Loop over temp list to release delay events (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net: mvneta: fix handling of the Tx descriptor counter (fate#319899).
- net: mvpp2: release reference to txq_cpu[] entry after unmapping (bnc#1012382 bsc#1032150).
- net: qmi_wwan: fix divide by 0 on bad descriptors (bnc#1012382).
- net/sctp: Always set scope_id in sctp_inet6_skb_msgname (bnc#1012382).
- net: Set sk_prot_creator when cloning sockets to the right proto (bnc#1012382).
- net/smc: dev_put for netdev after usage of ib_query_gid() (bsc#1066812).
- net: thunderx: Fix TCP/UDP checksum offload for IPv4 pkts (bsc#1069583).
- net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts (bsc#1069583).
- net/unix: do not show information about sockets from other namespaces (bnc#1012382).
- netvsc: use refcount_t for keeping track of sub channels (bsc#1062835).
- nfc: fix device-allocation error return (bnc#1012382).
- nfsd/callback: Cleanup callback cred on shutdown (bnc#1012382).
- nfsd: deal with revoked delegations appropriately (bnc#1012382).
- nfs: Do not disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
- nfs: Fix typo in nomigration mount option (bnc#1012382).
- nfs: Fix ugly referral attributes (bnc#1012382).
- nilfs2: fix race condition that causes file system corruption (bnc#1012382).
- nl80211: Define policy for packet pattern attributes (bnc#1012382).
- nvme: add duplicate_connect option (bsc#1067734).
- nvme: add helper to compare options to controller (bsc#1067734).
- nvme: add transport SGL definitions (bsc#1057820).
- nvme: allow controller RESETTING to RECONNECTING transition (bsc#1037838).
- nvme-fabrics: Allow 0 as KATO value (bsc#1067734).
- nvme-fabrics: kABI fix for duplicate_connect option (bsc#1067734).
- nvme-fc: add a dev_loss_tmo field to the remoteport (bsc#1037838).
- nvme-fc: add dev_loss_tmo timeout and remoteport resume support (bsc#1037838).
- nvme-fc: add support for duplicate_connect option (bsc#1067734).
- nvme-fc: add uevent for auto-connect (bsc#1037838).
- nvme-fc: change ctlr state assignments during reset/reconnect (bsc#1037838).
- nvme-fc: check connectivity before initiating reconnects (bsc#1037838).
- nvme-fc: correct io termination handling (bsc#1067734).
- nvme-fc: correct io timeout behavior (bsc#1067734).
- nvme-fc: create fc class and transport device (bsc#1037838).
- nvme-fc: decouple ns references from lldd references (bsc#1067734).
- nvme-fc: fix iowait hang (bsc#1052384).
- nvme-fc: fix localport resume using stale values (bsc#1067734).
- nvme-fcloop: fix port deletes and callbacks (bsc#1037838).
- nvme-fc: move remote port get/put/free location (bsc#1037838).
- nvme-fc: on lldd/transport io error, terminate association (bsc#1042268).
- nvme-fc: Reattach to localports on re-registration (bsc#1052384).
- nvme-fc: remove NVME_FC_MAX_SEGMENTS (bsc#1067734).
- nvme-fc: remove unused 'queue_size' field (bsc#1042268).
- nvme-fc: retry initial controller connections 3 times (bsc#1067734).
- nvme-fc: use transport-specific sgl format (bsc#1057820).
- nvme: Fix memory order on async queue deletion (bnc#1012382).
- nvme: fix the definition of the doorbell buffer config support bit (bsc#1066812).
- nvme-rdma: add support for duplicate_connect option (bsc#1067734).
- nvme/rdma: Kick admin queue when a connection is going down (bsc#1059639).
- nvmet-fc: correct ref counting error when deferred rcv used (bsc#1067734).
- nvmet-fc: fix failing max io queue connections (bsc#1067734).
- nvmet-fc: on port remove call put outside lock (bsc#1067734).
- nvmet-fc: simplify sg list handling (bsc#1052384).
- nvmet: Fix fatal_err_work deadlock (bsc#1063349).
- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (bnc#1012382).
- ocfs2: should wait dio before inode lock in ocfs2_setattr() (bnc#1012382).
- packet: avoid panic in packet_getsockopt() (bnc#1012382).
- packet: only test po->has_vnet_hdr once in packet_snd (bnc#1012382).
- parisc: Avoid trashing sr2 and sr3 in LWS code (bnc#1012382).
- parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels (bnc#1012382).
- parisc: Fix validity check of pointer size argument in new CAS implementation (bnc#1012382).
- pci: Apply Cavium ThunderX ACS quirk to more Root Ports (bsc#1069250).
- pci: Apply _HPX settings only to relevant devices (bnc#1012382).
- pci: Enable Relaxed Ordering for Hisilicon Hip07 chip (bsc#1056652).
- pci: Mark Cavium CN8xxx to avoid bus reset (bsc#1069250).
- pci: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF (bsc#1069250).
- percpu: make this_cpu_generic_read() atomic w.r.t. interrupts (bnc#1012382).
- perf tools: Fix build failure on perl script context (bnc#1012382).
- perf tools: Only increase index if perf_evsel__new_idx() succeeds (bnc#1012382).
- perf/x86/intel/bts: Fix exclusive event reference leak (git-fixes d2878d642a4ed).
- phy: increase size of MII_BUS_ID_SIZE and bus_id (bnc#1012382).
- pkcs#7: fix unitialized boolean 'want' (bnc#1012382).
- pkcs7: Prevent NULL pointer dereference, since sinfo is not always set (bnc#1012382).
- platform/x86: acer-wmi: setup accelerometer when acpi device was found (bsc#1031717).
- platform/x86: hp-wmi: Do not shadow error values (bnc#1012382).
- platform/x86: hp-wmi: Fix detection for dock and tablet mode (bnc#1012382).
- platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state (bnc#1012382).
- platform/x86: intel_mid_thermal: Fix module autoload (bnc#1012382).
- platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill() (bsc#1031717).
- pm / OPP: Add missing of_node_put(np) (bnc#1012382).
- power: bq27xxx_battery: Fix bq27541 AveragePower register address (bsc#1031717).
- power: bq27xxx: fix reading for bq27000 and bq27010 (bsc#1031717).
- powerCap: Fix an error code in powercap_register_zone() (bsc#1031717).
- power: ipaq-micro-battery: freeing the wrong variable (bsc#1031717).
- powerpc/64: Fix race condition in setting lock bit in idle/wakeup code (bsc#1066223).
- powerpc/64s/hash: Allow MAP_FIXED allocations to cross 128TB boundary (bsc#1070169).
- powerpc/64s/hash: Fix 128TB-512TB virtual address boundary case allocation (bsc#1070169).
- powerpc/64s/hash: Fix 512T hint detection to use >= 128T (bsc#1070169).
- powerpc/64s/hash: Fix fork() with 512TB process address space (bsc#1070169).
- powerpc/64s/slice: Use addr limit when computing slice mask (bsc#1070169).
- powerpc/bpf/jit: Disable classic BPF JIT on ppc64le (bsc#1066223).
- powerpc/corenet: explicitly disable the SDHC controller on kmcoge4 (bnc#1012382).
- powerpc: Correct instruction code for xxlor instruction (bsc#1066223).
- powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC (bsc#1066223).
- powerpc/hotplug: Improve responsiveness of hotplug change (FATE#322022, bsc#1067906).
- powerpc/mm: Fix check of multiple 16G pages from device tree (bsc#1066223).
- powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash (bsc#1066223).
- powerpc/mm/hash64: Fix subpage protection with 4K HPTE config (bsc#1010201, bsc#1066223).
- powerpc/mm/hash: Free the subpage_prot_table correctly (bsc#1066223).
- powerpc/numa: Fix multiple bugs in memory_hotplug_max() (bsc#1066223).
- powerpc/numa: Fix whitespace in hot_add_drconf_memory_max() (bsc#1066223).
- powerpc/opal: Fix EBUSY bug in acquiring tokens (bsc#1066223).
- powerpc/powernv/ioda: Fix endianness when reading TCEs (bsc#1066223).
- powerpc/powernv: Make opal_event_shutdown() callable from IRQ context (bsc#1066223).
- powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister (bsc#1067888).
- powerpc/signal: Properly handle return value from uprobe_deny_signal() (bsc#1066223).
- powerpc/sysrq: Fix oops whem ppmu is not registered (bsc#1066223).
- powerpc/vphn: Fix numa update end-loop bug (FATE#322022, bsc#1067906).
- powerpc/vphn: Improve recognition of PRRN/VPHN (FATE#322022, bsc#1067906).
- powerpc/vphn: Update CPU topology when VPHN enabled (FATE#322022, bsc#1067906).
- power: supply: bq27xxx_battery: Fix register map for BQ27510 and BQ27520 ('bsc#1069270').
- power: supply: isp1704: Fix unchecked return value of devm_kzalloc (bsc#1031717).
- power: supply: lp8788: prevent out of bounds array access (bsc#1031717).
- power_supply: tps65217-charger: Fix NULL deref during property export (bsc#1031717).
- ppp: fix race in ppp device destruction (bnc#1012382).
- printk/console: Always disable boot consoles that use init memory before it is freed (bsc#1063026).
- printk/console: Enhance the check for consoles using init memory (bsc#1063026).
- printk: include <asm/sections.h> instead of <asm-generic/sections.h> (bsc#1063026).
- printk: Make sure to wake up printk kthread from irq work for pending output (bnc#744692, bnc#789311).
- printk: only unregister boot consoles when necessary (bsc#1063026).
- qla2xxx: Fix cable swap (bsc#1043017).
- qla2xxx: Fix notify ack without timeout handling (bsc#1043017).
- qla2xxx: Fix re-login for Nport Handle in use (bsc#1043017).
- qla2xxx: fix stale memory access (bsc#1043017).
- qla2xxx: Login state machine stuck at GPDB (bsc#1043017).
- qla2xxx: Recheck session state after RSCN (bsc#1043017).
- qla2xxx: relogin is being triggered too fast (bsc#1043017).
- qla2xxx: Retry switch command on timed out (bsc#1043017).
- qla2xxx: Serialize gpnid (bsc#1043017).
- quota: Check for register_shrinker() failure (bsc#1070404).
- r8169: Do not increment tx_dropped in TX ring cleaning (bsc#1031717).
- rbd: set discard_alignment to zero (bsc#1064320).
- rbd: use GFP_NOIO for parent stat and data requests (bnc#1012382).
- rcu: Allow for page faults in NMI handlers (bnc#1012382).
- rdma/uverbs: Prevent leak of reserved field (bsc#1022595 FATE#322350).
- rds: rdma: return appropriate error on rdma map failures (bnc#1012382).
- Refresh patches with upstream commit ID (bsc#1067734)
- regulator: core: Limit propagation of parent voltage count and list (bsc#1070145).
- regulator: fan53555: fix I2C device ids (bnc#1012382).
- Revert 'crypto: xts - Add ECB dependency' (bnc#1012382).
- Revert 'drm: bridge: add DT bindings for TI ths8135' (bnc#1012382).
- Revert 'phy: increase size of MII_BUS_ID_SIZE and bus_id' (kabi).
- Revert 'sctp: do not peel off an assoc from one netns to another one' (bnc#1012382).
- Revert 'tty: goldfish: Fix a parameter of a call to free_irq' (bnc#1012382).
- Revert 'uapi: fix linux/rds.h userspace compilation errors' (bnc#1012382).
- rpm/kernel-binary.spec.in: add the kernel-binary dependencies to kernel-binary-base (bsc#1060333).
- rpm/kernel-binary.spec.in: Correct supplements for recent SLE products (bsc#1067494)
- rpm/kernel-binary.spec.in: only rewrite modules.dep if non-zero in size (bsc#1056979).
- rpm/package-descriptions:
- rtc: ds1307: Fix relying on reset value for weekday (bsc#1031717).
- rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks (bsc#1031717).
- rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL (bsc#1031717).
- rtc: rtc-nuc900: fix loop timeout test (bsc#1031717).
- rtc: sa1100: fix unbalanced clk_prepare_enable/clk_disable_unprepare (bsc#1031717).
- rtlwifi: fix uninitialized rtlhal->last_suspend_sec time (bnc#1012382).
- rtlwifi: rtl8192ee: Fix memory leak when loading firmware (bnc#1012382).
- rtlwifi: rtl8821ae: Fix connection lost problem (bnc#1012382).
- rtlwifi: rtl8821ae: Fix HW_VAR_NAV_UPPER operation (bsc#1031717).
- s390/dasd: check for device error pointer within state change interrupts (bnc#1012382).
- s390/disassembler: add missing end marker for e7 table (bnc#1012382).
- s390/disassembler: correct disassembly lines alignment (bsc#1070825).
- s390/disassembler: increase show_code buffer size (bnc#1070825, LTC#161577).
- s390/disassembler: increase show_code buffer size (LTC#161577 bnc#1012382 bnc#1070825).
- s390: fix transactional execution control register handling (bnc#1012382).
- s390/kbuild: enable modversions for symbols exported from asm (bnc#1012382).
- s390/mm: fix write access check in gup_huge_pmd() (bnc#1066974, LTC#160551).
- s390/qeth: allow hsuid configuration in DOWN state (bnc#1070825, LTC#161871).
- s390/qeth: issue STARTLAN as first IPA command (bnc#1012382).
- s390/qeth: use ip_lock for hsuid configuration (bnc#1070825, LTC#161871).
- s390/runtime instrumention: fix possible memory corruption (bnc#1012382).
- sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task() (bnc#1012382).
- sched: Make resched_cpu() unconditional (bnc#1012382).
- sched/rt: Simplify the IPI based RT balancing logic (bnc#1012382).
- scsi: aacraid: Check for PCI state of device in a generic way (bsc#1022607, FATE#321673).
- scsi: aacraid: Fix controller initialization failure (FATE#320140).
- scsi: bfa: fix access to bfad_im_port_s (bsc#1065101).
- scsi: check for device state in __scsi_remove_target() (bsc#1072589).
- scsi_devinfo: cleanly zero-pad devinfo strings (bsc#1062941).
- scsi: fcoe: move fcoe_interface_remove() out of fcoe_interface_cleanup() (bsc#1039542).
- scsi: fcoe: open-code fcoe_destroy_work() for NETDEV_UNREGISTER (bsc#1039542).
- scsi: fcoe: separate out fcoe_vport_remove() (bsc#1039542).
- scsi: ipr: Fix scsi-mq lockdep issue (bsc#1066213).
- scsi: ipr: Set no_report_opcodes for RAID arrays (bsc#1066213).
- scsi: libiscsi: fix shifting of DID_REQUEUE host byte (bsc#1056003).
- scsi: lpfc: Add Buffer to Buffer credit recovery support (bsc#1052384).
- scsi: lpfc: Add changes to assist in NVMET debugging (bsc#1041873).
- scsi: lpfc: Add nvme initiator devloss support (bsc#1041873).
- scsi: lpfc: Adjust default value of lpfc_nvmet_mrq (bsc#1067735).
- scsi: lpfc: Break up IO ctx list into a separate get and put list (bsc#1045404).
- scsi: lpfc: change version to 11.4.0.4 (bsc#1067735).
- scsi: lpfc: convert info messages to standard messages (bsc#1052384).
- scsi: lpfc: Correct driver deregistrations with host nvme transport (bsc#1067735).
- scsi: lpfc: Correct issues with FAWWN and FDISCs (bsc#1052384).
- scsi: lpfc: correct nvme sg segment count check (bsc#1067735).
- scsi: lpfc: correct port registrations with nvme_fc (bsc#1067735).
- scsi: lpfc: Correct return error codes to align with nvme_fc transport (bsc#1052384).
- scsi: lpfc: Disable NPIV support if NVME is enabled (bsc#1067735).
- scsi: lpfc: Driver fails to detect direct attach storage array (bsc#1067735).
- scsi: lpfc: Expand WQE capability of every NVME hardware queue (bsc#1067735).
- scsi: lpfc: Extend RDP support (bsc#1067735).
- scsi: lpfc: Fix a precedence bug in lpfc_nvme_io_cmd_wqe_cmpl() (bsc#1056587).
- scsi: lpfc: Fix bad sgl reposting after 2nd adapter reset (bsc#1052384).
- scsi: lpfc: fix build issue if NVME_FC_TARGET is not defined (bsc#1040073).
- scsi: lpfc: Fix counters so outstandng NVME IO count is accurate (bsc#1041873).
- scsi: lpfc: Fix crash after bad bar setup on driver attachment (bsc#1067735).
- scsi: lpfc: Fix crash during driver unload with running nvme traffic (bsc#1067735).
- scsi: lpfc: Fix crash in lpfc_nvme_fcp_io_submit during LIP (bsc#1067735).
- scsi: lpfc: Fix crash in lpfc nvmet when fc port is reset (bsc#1052384).
- scsi: lpfc: Fix crash receiving ELS while detaching driver (bsc#1067735).
- scsi: lpfc: Fix display for debugfs queInfo (bsc#1067735).
- scsi: lpfc: Fix driver handling of nvme resources during unload (bsc#1067735).
- scsi: lpfc: Fix duplicate NVME rport entries and namespaces (bsc#1052384).
- scsi: lpfc: Fix FCP hba_wqidx assignment (bsc#1067735).
- scsi: lpfc: Fix handling of FCP and NVME FC4 types in Pt2Pt topology (bsc#1052384).
- scsi: lpfc: Fix hard lock up NMI in els timeout handling (bsc#1067735).
- scsi: lpfc: fix 'integer constant too large' error on 32bit archs (bsc#1052384).
- scsi: lpfc: Fix loop mode target discovery (bsc#1052384).
- scsi: lpfc: Fix lpfc nvme host rejecting IO with Not Ready message (bsc#1067735).
- scsi: lpfc: Fix Lun Priority level shown as NA (bsc#1041873).
- scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN (bsc#1067735).
- scsi: lpfc: Fix NVME LS abort_xri (bsc#1067735).
- scsi: lpfc: Fix nvme port role handling in sysfs and debugfs handlers (bsc#1041873).
- scsi: lpfc: Fix NVME PRLI handling during RSCN (bsc#1052384).
- scsi: lpfc: Fix nvme target failure after 2nd adapter reset (bsc#1052384).
- scsi: lpfc: Fix nvmet node ref count handling (bsc#1041873).
- scsi: lpfc: Fix oops if nvmet_fc_register_targetport fails (bsc#1067735).
- scsi: lpfc: Fix oops of nvme host during driver unload (bsc#1067735).
- scsi: lpfc: Fix oops when NVME Target is discovered in a nonNVME environment.
- scsi: lpfc: fix pci hot plug crash in list_add call (bsc#1067735).
- scsi: lpfc: fix pci hot plug crash in timer management routines (bsc#1067735).
- scsi: lpfc: Fix plogi collision that causes illegal state transition (bsc#1052384).
- scsi: lpfc: Fix Port going offline after multiple resets (bsc#1041873).
- scsi: lpfc: Fix PRLI retry handling when target rejects it (bsc#1041873).
- scsi: lpfc: Fix rediscovery on switch blade pull (bsc#1052384).
- scsi: lpfc: Fix relative offset error on large nvmet target ios (bsc#1052384).
- scsi: lpfc: Fix return value of board_mode store routine in case of online failure (bsc#1041873).
- scsi: lpfc: Fix secure firmware updates (bsc#1067735).
- scsi: lpfc: Fix System panic after loading the driver (bsc#1041873).
- scsi: lpfc: Fix transition nvme-i rport handling to nport only (bsc#1041873).
- scsi: lpfc: Fix vports not logging into target (bsc#1041873).
- scsi: lpfc: Fix warning messages when NVME_TARGET_FC not defined (bsc#1067735).
- scsi: lpfc: FLOGI failures are reported when connected to a private loop (bsc#1067735).
- scsi: lpfc: Handle XRI_ABORTED_CQE in soft IRQ (bsc#1067735).
- scsi: lpfc: Limit amount of work processed in IRQ (bsc#1052384).
- scsi: lpfc: Linux LPFC driver does not process all RSCNs (bsc#1067735).
- scsi: lpfc: lpfc version bump 11.4.0.3 (bsc#1052384).
- scsi: lpfc: Make ktime sampling more accurate (bsc#1067735).
- scsi: lpfc: Move CQ processing to a soft IRQ (bsc#1067735).
- scsi: lpfc: Null pointer dereference when log_verbose is set to 0xffffffff (bsc#1041873).
- scsi: lpfc: PLOGI failures during NPIV testing (bsc#1067735).
- scsi: lpfc: Raise maximum NVME sg list size for 256 elements (bsc#1067735).
- scsi: lpfc: Reduce log spew on controller reconnects (bsc#1067735).
- scsi: lpfc: remove console log clutter (bsc#1052384).
- scsi: lpfc: Revise NVME module parameter descriptions for better clarity (bsc#1067735).
- scsi: lpfc: Set missing abort context (bsc#1067735).
- scsi: lpfc: small sg cnt cleanup (bsc#1067735).
- scsi: lpfc: spin_lock_irq() is not nestable (bsc#1045404).
- scsi: lpfc: update driver version to 11.4.0.5 (bsc#1067735).
- scsi: lpfc: update to revision to 11.4.0.0 (bsc#1041873).
- scsi: megaraid_sas: mismatch of allocated MFI frame size and length exposed in MFI MPT pass through command (bsc#1066767).
- scsi: qla2xxx: Cleanup debug message IDs (bsc#1043017).
- scsi: qla2xxx: Correction to vha->vref_count timeout (bsc#1066812).
- scsi: qla2xxx: Fix name server relogin (bsc#1043017).
- scsi: qla2xxx: Fix path recovery (bsc#1043017).
- scsi: qla2xxx: Initialize Work element before requesting IRQs (bsc#1019675,FATE#321701).
- scsi: qla2xxx: Replace usage of spin_lock with spin_lock_irqsave (bsc#1043017).
- scsi: qla2xxx: Retain loop test for fwdump length exceeding buffer length (bsc#1043017).
- scsi: qla2xxx: Turn on FW option for exchange check (bsc#1043017).
- scsi: qla2xxx: Use BIT_6 to acquire FAWWPN from switch (bsc#1066812).
- scsi: qla2xxx: Use fabric name for Get Port Speed command (bsc#1066812).
- scsi: qla2xxx: Use flag PFLG_DISCONNECTED (bsc#1043017).
- scsi: reset wait for IO completion (bsc#996376).
- scsi: scsi_devinfo: fixup string compare (bsc#1062941). updated patches.fixes/scsi_devinfo-fixup-string-compare.patch to the version merged upstream.
- scsi: scsi_devinfo: handle non-terminated strings (bsc#1062941).
- scsi: scsi_dh_emc: return success in clariion_std_inquiry() (bnc#1012382).
- scsi: sd_zbc: Fix sd_zbc_read_zoned_characteristics() (bsc#1066812).
- scsi: sg: close race condition in sg_remove_sfp_usercontext() (bsc#1064206).
- scsi: sg: do not return bogus Sg_requests (bsc#1064206).
- scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).
- scsi: sg: Re-fix off by one in sg_fill_request_table() (bnc#1012382).
- scsi: ufs: add capability to keep auto bkops always enabled (bnc#1012382).
- scsi: ufs-qcom: Fix module autoload (bnc#1012382).
- scsi: zfcp: fix erp_action use-before-initialize in REC action trace (bnc#1012382).
- sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect (bnc#1012382).
- sctp: do not peel off an assoc from one netns to another one (bnc#1012382).
- sctp: do not peel off an assoc from one netns to another one (bnc#1012382).
- sctp: potential read out of bounds in sctp_ulpevent_type_enabled() (bnc#1012382).
- sctp: reset owner sk for data chunks on out queues when migrating a sock (bnc#1012382).
- security/keys: add CONFIG_KEYS_COMPAT to Kconfig (bnc#1012382).
- selftests: firmware: add empty string and async tests (bnc#1012382).
- selftests: firmware: send expected errors to /dev/null (bnc#1012382).
- serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() (bsc#1031717).
- serial: 8250_uniphier: fix serial port index in private data (bsc#1031717).
- serial: Fix serial console on SNI RM400 machines (bsc#1031717).
- serial: omap: Fix EFR write on RTS deassertion (bnc#1012382).
- serial: Remove unused port type (bsc#1066045).
- serial: sh-sci: Fix register offsets for the IRDA serial port (bnc#1012382).
- slub: do not merge cache if slub_debug contains a never-merge flag (bnc#1012382).
- smb3: Validate negotiate request must always be signed (bsc#1064597).
- smb: fix leak of validate negotiate info response buffer (bsc#1064597).
- smb: fix validate negotiate info uninitialised memory use (bsc#1064597).
- sparc64: Migrate hvcons irq to panicked cpu (bnc#1012382).
- spi: SPI_FSL_DSPI should depend on HAS_DMA (bnc#1012382).
- spi: uapi: spidev: add missing ioctl header (bnc#1012382).
- staging: iio: cdc: fix improper return value (bnc#1012382).
- staging: lustre: hsm: stack overrun in hai_dump_data_field (bnc#1012382).
- staging: lustre: llite: do not invoke direct_IO for the EOF case (bnc#1012382).
- staging: lustre: ptlrpc: skip lock if export failed (bnc#1012382).
- staging: r8712u: Fix Sparse warning in rtl871x_xmit.c (bnc#1012382).
- staging: rtl8188eu: fix incorrect ERROR tags from logs (bnc#1012382).
- staging: rtl8712: fixed little endian problem (bnc#1012382).
- staging: rtl8712u: Fix endian settings for structs describing network packets (bnc#1012382).
- sunrpc: Fix tracepoint storage issues with svc_recv and svc_rqst_status (bnc#1012382).
- supported.conf:
- supported.conf: add test_syctl to new kselftests-kmp package FATE#323821 As per FATE#323821 we will require new FATE requests per each new selftest driver. We do not want to support these module on production runs but we do want to support them for QA / testing uses. The compromise is to package them into its own package, this will be the kselftests-kmp package. Selftests can also be used as proof of concept vehicle for issues by customers or ourselves. Vanilla kernels do not get test_sysctl given that driver was using built-in defaults, this also means we cannot run sefltests on config/s390x/zfcpdump which does not enable modules. Likeweise, since we had to *change* the kernel for test_syctl, it it also means we can't test test_syctl with vanilla kernels. It should be possible with other selftests drivers if they are present in vanilla kernels though.
- supported.conf: Support spidev (bsc#1066696)
- sysctl: add unsigned int range support (FATE#323821)
- target: fix ALUA state file path truncation (bsc#1064606).
- target: Fix node_acl demo-mode + uncached dynamic shutdown regression (bnc#1012382).
- target: fix PR state file path truncation (bsc#1064606).
- target: Fix QUEUE_FULL + SCSI task attribute handling (bnc#1012382).
- target/iscsi: Fix unsolicited data seq_end_offset calculation (bnc#1012382 bsc#1036489).
- target/rbd: handle zero length UNMAP requests early (bsc#1064320).
- target/rbd: use target_configure_unmap_from_queue() helper (bsc#1064320).
- tcp/dccp: fix ireq->opt races (bnc#1012382).
- tcp/dccp: fix lockdep splat in inet_csk_route_req() (bnc#1012382).
- tcp/dccp: fix other lockdep splats accessing ireq_opt (bnc#1012382).
- tcp: do not mangle skb->cb[] in tcp_make_synack() (bnc#1012382).
- tcp: fix tcp_mtu_probe() vs highest_sack (bnc#1012382).
- test: firmware_class: report errors properly on failure (bnc#1012382).
- test_sysctl: add dedicated proc sysctl test driver (FATE#323821)
- test_sysctl: add generic script to expand on tests (FATE#323821)
- test_sysctl: add simple proc_dointvec() case (FATE#323821).
- test_sysctl: add simple proc_douintvec() case (bsc#323821).
- test_sysctl: fix sysctl.sh by making it executable (FATE#323821).
- test_sysctl: test against int proc_dointvec() array support (FATE#323821).
- test_sysctl: test against PAGE_SIZE for int (FATE#323821)
- timer: Prevent timer value 0 for MWAITX (bsc#1065717).
- tipc: fix link attribute propagation bug (bnc#1012382).
- tipc: use only positive error codes in messages (bnc#1012382).
- tools: firmware: check for distro fallback udev cancel rule (bnc#1012382).
- tpm: constify transmit data pointers (bsc#1020645, git-fixes).
- tpm: kabi: do not bother with added const (bsc#1020645, git-fixes).
- tpm_tis_spi: Use DMA-safe memory for SPI transfers (bsc#1020645, git-fixes).
- tracing/samples: Fix creation and deletion of simple_thread_fn creation (bnc#1012382).
- tun: allow positive return values on dev_get_valid_name() call (bnc#1012382).
- tun: bail out from tun_get_user() if the skb is empty (bnc#1012382).
- tun: call dev_get_valid_name() before register_netdevice() (bnc#1012382).
- tun/tap: sanitize TUNSETSNDBUF input (bnc#1012382).
- uapi: fix linux/mroute6.h userspace compilation errors (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation error (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation errors (bnc#1012382).
- uapi: fix linux/rds.h userspace compilation errors (bnc#1012382).
- udpv6: Fix the checksum computation when HW checksum does not apply (bnc#1012382).
- Update config files to enable spidev on arm64. (bsc#1066696)
- Update preliminary FC-NVMe patches to mainline status (bsc#1067734)
- usb: Add delay-init quirk for Corsair K70 LUX keyboards (bnc#1012382).
- usb: cdc_acm: Add quirk for Elatec TWN3 (bnc#1012382).
- usb: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (bnc#1012382).
- usb: devio: Revert 'USB: devio: Do not corrupt user memory' (bnc#1012382).
- usb: dummy-hcd: Fix deadlock caused by disconnect detection (bnc#1012382).
- usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options (bnc#1012382).
- usb: hcd: initialize hcd->flags to 0 when rm hcd (bnc#1012382).
- usb: hub: Allow reset retry for USB2 devices on connect bounce (bnc#1012382).
- usb: musb: Check for host-mode using is_host_active() on reset interrupt (bnc#1012382).
- usb: musb: sunxi: Explicitly release USB PHY on exit (bnc#1012382).
- usb: quirks: add quirk for WORLDE MINI MIDI keyboard (bnc#1012382).
- usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet (bnc#1012382).
- usb: serial: console: fix use-after-free after failed setup (bnc#1012382).
- usb: serial: cp210x: add support for ELV TFD500 (bnc#1012382).
- usb: serial: ftdi_sio: add id for Cypress WICED dev board (bnc#1012382).
- usb: serial: garmin_gps: fix I/O after failed probe and remove (bnc#1012382).
- usb: serial: garmin_gps: fix memory leak on probe errors (bnc#1012382).
- usb: serial: metro-usb: add MS7820 device id (bnc#1012382).
- usb: serial: option: add support for TP-Link LTE module (bnc#1012382).
- usb: serial: qcserial: add Dell DW5818, DW5819 (bnc#1012382).
- usb: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update (bnc#1012382).
- usb: usbfs: compute urb->actual_length for isochronous (bnc#1012382).
- usb: usbtest: fix NULL pointer dereference (bnc#1012382).
- usb: xhci: Handle error condition in xhci_stop_device() (bnc#1012382).
- vfs: expedite unmount (bsc#1024412).
- video: fbdev: pmag-ba-fb: Remove bad `__init' annotation (bnc#1012382).
- video: udlfb: Fix read EDID timeout (bsc#1031717).
- vlan: fix a use-after-free in vlan_device_event() (bnc#1012382).
- vsock: use new wait API for vsock_stream_sendmsg() (bnc#1012382).
- vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit (bnc#1012382).
- watchdog: kempld: fix gcc-4.3 build (bnc#1012382).
- workqueue: Fix NULL pointer dereference (bnc#1012382).
- workqueue: replace pool->manager_arb mutex with a flag (bnc#1012382).
- x86/acpi/cstate: Allow ACPI C1 FFH MWAIT use on AMD systems (bsc#1069879).
- x86/alternatives: Fix alt_max_short macro to really be a max() (bnc#1012382).
- x86/decoder: Add new TEST instruction pattern (bnc#1012382).
- x86/MCE/AMD: Always give panic severity for UC errors in kernel context (git-fixes bf80bbd7dcf5).
- x86/microcode/AMD: Add support for fam17h microcode loading (bsc#1068032).
- x86/microcode/intel: Disable late loading on model 79 (bnc#1012382).
- x86/mm: fix use-after-free of vma during userfaultfd fault (Git-fixes, bsc#1069916).
- x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context (bnc#1012382).
- x86/uaccess, sched/preempt: Verify access_ok() context (bnc#1012382).
- xen: do not print error message in case of missing Xenstore entry (bnc#1012382).
- xen/events: events_fifo: Do not use {get,put}_cpu() in xen_evtchn_fifo_init() (bnc#1065600).
- xen: fix booting ballooned down hvm guest (bnc#1065600).
- xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() (bnc#1012382).
- xen/manage: correct return value check on xenbus_scanf() (bnc#1012382).
- xen-netback: fix error handling output (bnc#1065600).
- xen: x86: mark xen_find_pt_base as __init (bnc#1065600).
- xen: xenbus driver must not accept invalid transaction ids (bnc#1012382).
- zd1211rw: fix NULL-deref at probe (bsc#1031717).


-----------------------------------------
Patch: SUSE-2017-2137
Released: Thu Dec 21 17:49:12 2017
Summary: Recommended update for dbus-1
Severity: moderate
References: 1046173,1071698
Description:

This update for dbus-1 provides the following fixes:

- The previously released fix for systemd-logind dbus disconnections was missing in some
  parts of the package, so properly apply it. (bsc#1071698)
- Remove call to initscripts related macros from the spec file as dbus-1 does not ship any
  initscript anymore. (bsc#1046173)


-----------------------------------------
Patch: SUSE-2017-2144
Released: Fri Dec 22 13:46:04 2017
Summary: Recommended update for dracut
Severity: important
References: 1011554,1019938,1048551,1052840,1067279,1072424,960669
Description:
This update for dracut provides the following fixes:

- Fix the task limit when running the emergency shell. This fixes a problem that was causing
  xfs_repair to crash when trying to repair a damaged XFS filesystem. (bsc#1019938)
- Scan for files in /etc/multipath/conf.d when setting up a multipath configuration.
  (bsc#1048551)
- Support AMD CPU families 0x16 and 0x17 (bsc#1072424)
- Make ip=dhcp work. Previously, a network interface specifier was required.
  The new behaviour matches documented behaviour.
- Remove 00systemd-bootchart, which is gone from systemd for some time (bsc#1067279)
- support predictable interface names (boo#960669)
- Include crc32c Intel module when using btrfs (bsc#1011554)
- Switch back to fipvlan for bnx2fc (bsc#1052840)
- 95fcoe: Allow bnc2x driver more time to complete DCB negotiation (bsc#1052840)
- 95fcoe: add timeout initqueue entries (bsc#1052840)



-----------------------------------------
Patch: SUSE-2017-2145
Released: Fri Dec 22 16:38:01 2017
Summary: Recommended update for tk and tcl
Severity: low
References: 903017
Description:

This update of tk and tcl to version 8.6.7 brings many improvements and fixes including,
but not limited to, the following highlights:

- Fix a bug in Itcl that was causing the floor tool to print lots of errors and abort.
  (bsc#903017)
- Fix a crash in asynchronous connection to hosts when no address is given.
- Fix possible crashes when closing multithreaded applications.
- Fix a memory leak in [history] destruction.
- Fix a crash in Tcl_ListObjReplace().
- Invalidate VFS mounts on sytem encoding change.
- Repair drifts in timer clock when calling Tcl_GetTime from tcl-clock module.
- Fix a crash when requesting too much character data in binary scan.
- Fix a memory leak when calling geturl from the http package.
- Fix an integer overflow in [lsort] on very long lists.
- Fix a memory leak when calling TclJoinPath.
- Fix a memory leak due to a reference cycle in foreach loops.
- Fix a crash caused by an optimization in the compilation of [string replace].
- Fix a memory corruption in assembler exceptions.
- Fix a crash due to [vwait] trace undo fail.
- Fix a crash when invoking [glob -path a].
- Fix a crash in [dict update] after using lassign in an item.
- Fix a crash in [chan configure -dictionary].
- Make it possible to specify different values for the -accept option when running multiple
  asynchronous http: requests without incurring in race conditions.
- Fix a crash when calling the [expr] command while the application is being traced.
- Avoid leaking memory in Tcl_ZlibInflate when running into error conditions.
- Fix some writes beyond buffer bounds.
- Fix a memory leak in array when unsetting keys from a proc.
- Fix a lock in forking a process under heavy multithreading.
- Fix a crash caused by an allocation overflow when parsing a very large expression.
- Many fixes and improvements to regexp engine from Postgres.
- Fix a segmentation fault due to an integer overflow in TranslateInputEOL().
- Fix multiple crashes in OO teardown.
- Stop crashes when extension var resolvers misbehave.
- Fix using [read] to read past the EOF so that it works on serial devices.
- Fix a regression causing a crash in [oo::class destroy].
- Fix a segmentation fault in mangled bytecode.
- Fix a hang in some [read]s of limited size in UTF-8 channels.
- Fix a segmentation fault in [array set] of traced array.

The following fixes might show some potential incompatibilities with existing software:
- Allow an empty command to be the target of an alias.
- Reconcile libtommath updates, purging some unused files.
- Handle invalid UTF-8 characters correctly in Tcl_UtfToUniChar() to prevent the injection
  of unexpected characters.
- Update Unicode data to 10.0
- Fix some problems in the compilation of [lreplace].
- Fix using parameters with spaces in error messages.
- Make it possible to use [namespace upvar] when the target variable is also a variable of
  the class.
- Change the default transfer encoding to gzip in the http package to be more compatible.
- Limit $... and bareword parsing to ASCII characters only.


-----------------------------------------
Patch: SUSE-2017-2149
Released: Wed Dec 27 10:39:57 2017
Summary: Recommended update for grub2
Severity: low
References: 1047331,1052401,1054453,1069094
Description:
This update for grub2 provides the following fixes:

- Filter out autofs and securityfs from /proc/self/mountinfo to speed
  up nfsroot test in large number of autofs mounts (bsc#1069094)
- Fix reboot in UEFI environments (bsc#1047331)
- Use /boot/<arch>/loader/linux instead of /contents file to determine if the
  installation media is a SUSE distribution. (bsc#1054453)
- Use the pvops-enabled default kernel if the traditional xen pv kernel and initrd
  are not found. (bsc#1054453)
- Build diskboot_tpm.img as separate image to diskboot.img to prevent failure
  in booting on some bogus firmware. To use the TPM image you have to use
  suse-enable-tpm option of grub2-install (bsc#1052401)


-----------------------------------------
Patch: SUSE-2017-2155
Released: Wed Dec 27 16:50:14 2017
Summary: Security update for gdk-pixbuf
Severity: low
References: 1053417
Description:

This update for gdk-pixbuf provides the following fixes:

- Add overflow checks when creating pixbuf structures in general
- Fix arithmetic overflow in the BMP loader (bsc#1053417) 
- Adds support for BMPv3 with bitmasks (bsc#1053417) 


-----------------------------------------
Patch: SUSE-2017-2156
Released: Thu Dec 28 09:45:04 2017
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: low
References: 1056437
Description:
This update for lifecycle-data-sle-module-toolchain provides the following new data:

- GCC6 support ends at 2018-05-31. (FATE#323972, bsc#1056437)

-----------------------------------------
Patch: SUSE-2018-4
Released: Tue Jan  2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605)

zypper:

- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)


-----------------------------------------
Patch: SUSE-2018-12
Released: Thu Jan  4 08:37:43 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1005778,1005780,1005781,1012382,1017967,1039616,1047487,1063043,1064311,1065180,1068032,1068951,1070116,1071009,1072166,1072216,1072556,1072866,1072890,1072962,1073090,1073525,1073792,1073809,1073868,1073874,1073912,963897,964063,966170,966172,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

This update adds mitigations for various side channel attacks against modern CPUs that could disclose
content of otherwise unreadable memory (bnc#1068032).

- CVE-2017-5753 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring
  deep instruction pipelining could use attacker controllable speculative
  execution over code patterns in the Linux Kernel to leak content from
  otherwise not readable memory in the same address space, allowing
  retrieval of passwords, cryptographic keys and other secrets.

  This problem is mitigated by adding speculative fencing on affected
  code paths throughout the Linux kernel.


- CVE-2017-5715 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring
  branch prediction could use mispredicted branches to speculatively execute
  code patterns that in turn could be made to leak other non-readable
  content in the same address space, an attack similar to CVE-2017-5753.

  This problem is mitigated by disabling predictive branches, depending
  on CPU architecture either by firmware updates and/or fixes in the
  user-kernel privilege boundaries.

  Please also check with your CPU / Hardware vendor for available
  firmware or BIOS updates.

  As this feature can have a performance impact, it can be disabled
  using the 'nospec' kernel commandline option.


- CVE-2017-5754 / 'MeltdownAttack': Local attackers on systems with
  modern CPUs featuring deep instruction pipelining could use code
  patterns in userspace to speculative executive code that would read
  otherwise read protected memory.

  This problem is mitigated by unmapping the Linux Kernel from the user
  address space during user code execution, following a approach called
  'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation'
  and 'PTI' / 'Page Table Isolation'.

  This is only enabled by default on affected architectures.

  This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options.


The following security bugs were fixed:

- CVE-2017-17806: The HMAC implementation (crypto/hmac.c) in the Linux
  kernel did not validate that the underlying cryptographic hash algorithm
  is unkeyed, allowing a local attacker able to use the AF_ALG-based hash
  interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm
  (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing
  a crafted sequence of system calls that encounter a missing SHA-3
  initialization (bnc#1073874).
- CVE-2017-17805: The Salsa20 encryption algorithm in the Linux kernel did
  not correctly handle zero-length inputs, allowing a local attacker able to
  use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER)
  to cause a denial of service (uninitialized-memory free and kernel
  crash) or have unspecified other impact by executing a crafted sequence
  of system calls that use the blkcipher_walk API. Both the generic
  implementation (crypto/salsa20_generic.c) and x86 implementation
  (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable (bnc#1073792).


The following non-security bugs were fixed:

- Add undefine _unique_build_ids (bsc#964063)
- apei / ERST: Fix missing error handling in erst_reader() (bsc#1072556).
- arm: Hide finish_arch_post_lock_switch() from modules (bsc#1068032).
- autofs: fix careless error in recent commit (bnc#1012382 bsc#1065180).
- bnxt_en: Do not print 'Link speed -1 no longer supported' messages (bsc#1070116).
- bpf: prevent speculative execution in eBPF interpreter (bnc#1068032).
- carl9170: prevent speculative execution (bnc#1068032).
- ceph: drop negative child dentries before try pruning inode's alias (bsc#1073525).
- Check cmdline_find_option() retval properly and use boot_cpu_has().
- cifs: Fix NULL pointer deref on SMB2_tcon() failure (bsc#1071009).
- cw1200: prevent speculative execution (bnc#1068032).
- e1000e: Fix e1000_check_for_copper_link_ich8lan return value (bsc#1073809).
- Fix unsed variable warning in has_unmovable_pages (bsc#1073868).
- fs: prevent speculative execution (bnc#1068032).
- genwqe: Take R/W permissions into account when dealing with memory pages (bsc#1073090).
- ibmvnic: Include header descriptor support for ARP packets (bsc#1073912).
- ibmvnic: Increase maximum number of RX/TX queues (bsc#1073912).
- ibmvnic: Rename IBMVNIC_MAX_TX_QUEUES to IBMVNIC_MAX_QUEUES (bsc#1073912).
- ipv6: prevent speculative execution (bnc#1068032).
- iw_cxgb4: fix misuse of integer variable (bsc#963897,FATE#320114).
- iw_cxgb4: only insert drain cqes if wq is flushed (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- kaiser: add 'nokaiser' boot option, using ALTERNATIVE.
- kaiser: align addition to x86/mm/Makefile.
- kaiser: asm/tlbflush.h handle noPGE at lower level.
- kaiser: cleanups while trying for gold link.
- kaiser: disabled on Xen PV.
- kaiser: do not set _PAGE_NX on pgd_none.
- kaiser: drop is_atomic arg to kaiser_pagetable_walk().
- kaiser: enhanced by kernel and user PCIDs.
- kaiser: ENOMEM if kaiser_pagetable_walk() NULL.
- kaiser: fix build and FIXME in alloc_ldt_struct().
- kaiser: fix perf crashes.
- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER.
- kaiser: fix unlikely error in alloc_ldt_struct().
- kaiser: KAISER depends on SMP.
- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID.
- kaiser: kaiser_remove_mapping() move along the pgd.
- kaiser: Kernel Address Isolation.
- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush.
- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user.
- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET.
- kaiser: paranoid_entry pass cr3 need to paranoid_exit.
- kaiser: PCID 0 for kernel and 128 for user.
- kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls.
- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE.
- kaiser: tidied up asm/kaiser.h somewhat.
- kaiser: tidied up kaiser_add/remove_mapping slightly.
- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush.
- kaiser: vmstat show NR_KAISERTABLE as nr_overhead.
- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user.
- kvm: svm: Do not intercept new speculative control MSRs (bsc#1068032).
- kvm: x86: Add speculative control CPUID support for guests (bsc#1068032).
- locking/barriers: introduce new memory barrier gmb() (bnc#1068032).
- mm/mmu_context, sched/core: Fix mmu_context.h assumption (bsc#1068032).
- net/mlx5e: DCBNL, Implement tc with ets type and zero bandwidth (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mpls: prevent speculative execution (bnc#1068032).
- nfs: revalidate '.' etc correctly on 'open' (bsc#1068951).
- nfs: revalidate '.' etc correctly on 'open' (git-fixes). Fix References: tag.
- nfsv4: always set NFS_LOCK_LOST when a lock is lost (bsc#1068951).
- nvme-fabrics: introduce init command check for a queue that is not alive (bsc#1072890).
- nvme-fc: check if queue is ready in queue_rq (bsc#1072890).
- nvme-fc: do not use bit masks for set/test_bit() numbers (bsc#1072890).
- nvme-loop: check if queue is ready in queue_rq (bsc#1072890).
- nvmet-fc: cleanup nvmet add_port/remove_port (bsc#1072890).
- nvmet_fc: correct broken add_port (bsc#1072890).
- p54: prevent speculative execution (bnc#1068032).
- powerpc/barrier: add gmb.
- powerpc: Secure memory rfi flush (bsc#1068032).
- ptrace: Add a new thread access check (bsc#1068032).
- qla2xxx: prevent speculative execution (bnc#1068032).
- s390: add ppa to system call and program check path (bsc#1068032).
- s390: introduce CPU alternatives (bsc#1068032).
- s390/qeth: add missing hash table initializations (bnc#1072216, LTC#162173).
- s390/qeth: fix early exit from error path (bnc#1072216, LTC#162173).
- s390/qeth: fix thinko in IPv4 multicast address tracking (bnc#1072216, LTC#162173).
- s390/spinlock: add gmb memory barrier (bsc#1068032).
- sched/core: Add switch_mm_irqs_off() and use it in the scheduler (bsc#1068032).
- sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() (bsc#1068032).
- scsi_dh_alua: skip RTPG for devices only supporting active/optimized (bsc#1064311).
- scsi: lpfc: correct sg_seg_cnt attribute min vs default (bsc#1072166).
- scsi: qedi: Limit number for CQ queues (bsc#1072866).
- scsi_scan: Exit loop if TUR to LUN0 fails with 0x05/0x25 (bsc#1063043). This is specific to FUJITSU ETERNUS_DX* targets. They can return 'Illegal Request - Logical unit not supported' and processing should leave the timeout loop in this case.
- scsi: ses: check return code from ses_recv_diag() (bsc#1039616).
- scsi: ses: Fixup error message 'failed to get diagnostic page 0xffffffea' (bsc#1039616).
- scsi: ses: Fix wrong page error (bsc#1039616).
- scsi: ses: make page2 support optional (bsc#1039616).
- sfc: pass valid pointers from efx_enqueue_unwind (bsc#1017967 FATE#321663).
- thermal/int340x: prevent speculative execution (bnc#1068032).
- udf: prevent speculative execution (bnc#1068032).
- Update config files: enable KAISER.
- usb: host: fix incorrect updating of offset (bsc#1047487).
- userns: prevent speculative execution (bnc#1068032).
- uvcvideo: prevent speculative execution (bnc#1068032).
- vxlan: correctly handle ipv6.disable module parameter (bsc#1072962).
- x86/boot: Add early cmdline parsing for options with arguments.
- x86/CPU/AMD: Add speculative control support for AMD (bsc#1068032).
- x86/CPU/AMD: Make the LFENCE instruction serialized (bsc#1068032).
- x86/CPU/AMD: Remove now unused definition of MFENCE_RDTSC feature (bsc#1068032).
- x86/CPU: Check speculation control CPUID bit (bsc#1068032).
- x86/enter: Add macros to set/clear IBRS and set IBPB (bsc#1068032).
- x86/entry: Add a function to overwrite the RSB (bsc#1068032).
- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (bsc#1068032).
- x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- x86/feature: Enable the x86 feature to control Speculation (bsc#1068032).
- x86/idle: Disable IBRS when offlining a CPU and re-enable on wakeup (bsc#1068032).
- x86/idle: Toggle IBRS when going idle (bsc#1068032).
- x86/kaiser: Check boottime cmdline params.
- x86/kaiser: Move feature detection up (bsc#1068032).
- x86/kaiser: Reenable PARAVIRT.
- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling.
- x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm (bsc#1068032).
- x86/kvm: Add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm (bsc#1068032).
- x86/kvm: Flush IBP when switching VMs (bsc#1068032).
- x86/kvm: Pad RSB on VM transition (bsc#1068032).
- x86/kvm: Toggle IBRS on VM entry and exit (bsc#1068032).
- x86/mm/64: Fix reboot interaction with CR4.PCIDE (bsc#1068032).
- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (bsc#1068032).
- x86/mm: Add INVPCID helpers (bsc#1068032).
- x86/mm: Add the 'nopcid' boot option to turn off PCID (bsc#1068032).
- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (bsc#1068032).
- x86/mm: Enable CR4.PCIDE on supported systems (bsc#1068032).
- x86/mm: Fix INVPCID asm constraint (bsc#1068032).
- x86/mm: If INVPCID is available, use it to flush global mappings (bsc#1068032).
- x86/mm: Make flush_tlb_mm_range() more predictable (bsc#1068032).
- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (bsc#1068032).
- x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() (bsc#1068032).
- x86/mm: Remove flush_tlb() and flush_tlb_current_task() (bsc#1068032).
- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (bsc#1068032).
- x86/mm, sched/core: Turn off IRQs in switch_mm() (bsc#1068032).
- x86/mm, sched/core: Uninline switch_mm() (bsc#1068032).
- x86/mm: Set IBPB upon context switch (bsc#1068032).
- x86/MSR: Move native_*msr(.. u64) to msr.h (bsc#1068032).
- x86/paravirt: Dont patch flush_tlb_single (bsc#1068032).
- x86/spec: Add IBRS control functions (bsc#1068032).
- x86/spec: Add 'nospec' chicken bit (bsc#1068032).
- x86/spec: Check CPUID direclty post microcode reload to support IBPB feature (bsc#1068032).
- x86/spec_ctrl: Add an Indirect Branch Predictor barrier (bsc#1068032).
- x86/spec_ctrl: Check whether IBPB is enabled before using it (bsc#1068032).
- x86/spec_ctrl: Check whether IBRS is enabled before using it (bsc#1068032).
- x86/svm: Add code to clear registers on VM exit (bsc#1068032).
- x86/svm: Clobber the RSB on VM exit (bsc#1068032).
- x86/svm: Set IBPB when running a different VCPU (bsc#1068032).
- x86/svm: Set IBRS value on VM entry and exit (bsc#1068032).


-----------------------------------------
Patch: SUSE-2018-15
Released: Thu Jan  4 11:47:08 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1059809,1059811,CVE-2017-14632,CVE-2017-14633
Description:
This update for libvorbis fixes the following issues:

- CVE-2017-14633: out-of-bounds array read vulnerability exists in
  function mapping0_forward() could lead to remote denial of service (bsc#1059811)
- CVE-2017-14632: Remote Code Execution upon freeing uninitialized
  memory in function vorbis_analysis_headerout(bsc#1059809)


-----------------------------------------
Patch: SUSE-2018-17
Released: Thu Jan  4 11:49:33 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1059075
Description:


This update for gcc48 fixes the following issues with an earlier security fix:

- Add support for zero-sized VLAs and allocas with -fstack-clash-protection.  (bnc#1059075)



-----------------------------------------
Patch: SUSE-2018-22
Released: Fri Jan  5 11:42:02 2018
Summary: Recommended update for python-configobj
Severity: low
References: 1035106
Description:
This update for python-configobj provides the following fixes:

- Improves error messages in certain edge cases
- Added runtime dependency: python-six
- Fix error when writing out config files to disk with non-ascii characters
- Documentation corrections


-----------------------------------------
Patch: SUSE-2018-38
Released: Tue Jan  9 14:56:43 2018
Summary: Recommended update for kmod
Severity: low
References: 1070209
Description:

This update for kmod provides the following fix:

- Fix resolving .TOC. in modules on 4.4 and older kernel (bsc#1070209)
- Fix kernel master build for ppc64le (bsc#1070209)


-----------------------------------------
Patch: SUSE-2018-55
Released: Fri Jan 12 09:45:49 2018
Summary: Security update for glibc
Severity: important
References: 1051042,1053188,1063675,1064569,1064580,1064583,1070905,1071319,1073231,1074293,CVE-2017-1000408,CVE-2017-1000409,CVE-2017-15670,CVE-2017-15671,CVE-2017-15804,CVE-2017-16997,CVE-2018-1000001
Description:
This update for glibc fixes the following issues:

- A privilege escalation bug in the realpath() function has been fixed.
  [CVE-2018-1000001, bsc#1074293]

- A memory leak and a buffer overflow in the dynamic ELF loader has been fixed.
  [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]

- An issue in the code handling RPATHs was fixed that could have been exploited
  by an attacker to execute code loaded from arbitrary libraries.
  [CVE-2017-16997, bsc#1073231]

- A potential crash caused by a use-after-free bug in pthread_create() has been
  fixed. [bsc#1053188]

- A bug that prevented users to build shared objects which use the optimized
  libmvec.so API has been fixed. [bsc#1070905]

- A memory leak in the glob() function has been fixed. [CVE-2017-15670,
  CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]

- A bug that would lose the syscall error code value in case of crashes has
  been fixed. [bsc#1063675]


-----------------------------------------
Patch: SUSE-2018-59
Released: Fri Jan 12 11:18:44 2018
Summary: Security update for tiff
Severity: important
References: 1017690,1069213,960341,969783,983436,CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232
Description:
This update for tiff to version 4.0.9 fixes the following issues:

Security issues fixed:

- CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783).
- CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341).
- CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690).
- CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436).
- CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213).


-----------------------------------------
Patch: SUSE-2018-62
Released: Fri Jan 12 15:34:32 2018
Summary: Recommended update for sle2docker
Severity: low
References: 1064010
Description:

This update for sle2docker fixes the following issues:

- Fix regression that changed the image name (bsc#1064010)



-----------------------------------------
Patch: SUSE-2018-66
Released: Fri Jan 12 16:20:16 2018
Summary: Recommended update for at-spi2-core
Severity: low
References: 1073027
Description:
This update for at-spi2-core provides the following fix:

- Fix a possible buffer overflow on reading dbus address in at-spi-bus-launcher. (bsc#1073027)


-----------------------------------------
Patch: SUSE-2018-68
Released: Mon Jan 15 11:30:39 2018
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:

- CVE-2016-4912: A remote attacker could have crashed the server with a large
  number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having
  unspecified impact (bsc#1001600)

The following bugfix changes are included:

- bsc#994989: Removed convenience code as changes bytes in the message buffer
  breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2018-74
Released: Mon Jan 15 13:40:49 2018
Summary: Recommended update for systemd-rpm-macros
Severity: low
References: 1059627
Description:

This update for systemd-rpm-macros provides the following fix:

- Make sure to clean up 'new-in-upgrade' tag file (bsc#1059627)


-----------------------------------------
Patch: SUSE-2018-80
Released: Tue Jan 16 15:43:49 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1068032,CVE-2017-5715,CVE-2017-5753
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

This update is only provided as a fix update for IBM Z platform.

- CVE-2017-5753 / 'Spectre Attack': IBM Z fixes were included but not enabled in the previous update. This update enables those fixes.
- CVE-2017-5715 / 'Spectre Attack': IBM Z fixes were already included in the previous update. A bugfix for the patches has been applied on top.
- CVE-2017-5754: The IBM Z architecture is not affected by the 'Meltdown' attack.



-----------------------------------------
Patch: SUSE-2018-84
Released: Wed Jan 17 08:31:32 2018
Summary: Security update for rsync
Severity: moderate
References: 1028842,1062063,1066644,1071459,1071460,CVE-2017-16548,CVE-2017-17433,CVE-2017-17434
Description:
This update for rsync fixes several issues.

These security issues were fixed:

- CVE-2017-17434: The daemon in rsync did not check for fnamecmp filenames in
  the daemon_filter_list data structure (in the recv_files function in
  receiver.c) and also did not apply the sanitize_paths protection mechanism to
  pathnames found in 'xname follows' strings (in the read_ndx_and_attrs function
  in rsync.c), which allowed remote attackers to bypass intended access
  restrictions' (bsc#1071460).
- CVE-2017-17433: The recv_files function in receiver.c in the daemon in rsync,
  proceeded with certain file metadata updates before checking for a filename in
  the daemon_filter_list data structure, which allowed remote attackers to bypass
  intended access restrictions (bsc#1071459).
- CVE-2017-16548: The receive_xattr function in xattrs.c in rsync did not check
  for a trailing '\\0' character in an xattr name, which allowed remote attackers
  to cause a denial of service (heap-based buffer over-read and application
  crash) or possibly have unspecified other impact by sending crafted data to the
  daemon (bsc#1066644).

This non-security issue was fixed:

- Stop file upload after errors like a full disk (bsc#1062063)
- Ensure -X flag works even when setting owner/group (bsc#1028842)


-----------------------------------------
Patch: SUSE-2018-86
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).


-----------------------------------------
Patch: SUSE-2018-88
Released: Wed Jan 17 14:41:17 2018
Summary: Security update for curl
Severity: moderate
References: 1069222,1069226,CVE-2017-8816,CVE-2017-8817
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2017-8816: Buffer overrun flaw in the NTLM authentication code (bsc#1069226).
- CVE-2017-8817: Read out of bounds flaw in the FTP wildcard function (bsc#1069222).


-----------------------------------------
Patch: SUSE-2018-89
Released: Wed Jan 17 14:42:04 2018
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 1046848,CVE-2017-10672
Description:
This update for perl-XML-LibXML fixes the following issues:

Security issue fixed:

- CVE-2017-10672: Fix use-after-free that allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call (bsc#1046848).


-----------------------------------------
Patch: SUSE-2018-90
Released: Wed Jan 17 14:44:33 2018
Summary: Recommended update for lvm2
Severity: low
References: 1063051,1067312
Description:

This update for lvm2 provides the following fix:

- Backport various upstream fixes for clvmd. (bsc#1063051)
- Don't print error messages on testing the connection to the daemon. (bsc#1063051)
- Fix handling of udev CHANGE events with systemd. (bsc#1067312)


-----------------------------------------
Patch: SUSE-2018-108
Released: Fri Jan 19 16:02:13 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1074621
Description:

  
This update for gcc48 fixes the following issues:

Added support for generation of retpolines on x86_64. [bnc#1074621]

This support is used for building the Linux Kernel with retpoline support
to mitigate the Spectre Variant 2 attack.

New compiler options have been added to specify specific code generation:

* -mindirect-branch=keep
* -mindirect-branch=thunk
* -mindirect-branch=thunk-extern
* -mindirect-branch=thunk-inline
* -mindirect-branch-register
* -mfunction-return=keep
* -mfunction-return=thunk
* -mfunction-return=thunk-extern
* -mfunction-return=thunk-inline



-----------------------------------------
Patch: SUSE-2018-116
Released: Mon Jan 22 12:53:29 2018
Summary: Security update for rsync
Severity: moderate
References: 1076503,CVE-2018-5764
Description:
This update for rsync fixes one issues.

This security issue was fixed:

- CVE-2018-5764: The parse_arguments function in options.c did not prevent
  multiple --protect-args uses, which allowed remote attackers to bypass an
  argument-sanitization protection mechanism (bsc#1076503).


-----------------------------------------
Patch: SUSE-2018-118
Released: Mon Jan 22 13:37:47 2018
Summary: Security update for procmail
Severity: moderate
References: 1068648,CVE-2017-16844
Description:
This update for procmail fixes the following issues:

- CVE-2017-16844: Heap-based buffer overflow in loadbuf function could lead to remote denial of service (bsc#1068648)
  


-----------------------------------------
Patch: SUSE-2018-125
Released: Tue Jan 23 11:01:10 2018
Summary: Recommended update for crash
Severity: low
References: 1068477
Description:

This update for crash provides the following fix:

- Adapt crash utility for analyzing dumps with updated hash page table geometry ('powerpc/mm/hash: Increase VA range to 128TB') (bsc#1068477)


-----------------------------------------
Patch: SUSE-2018-129
Released: Tue Jan 23 14:46:32 2018
Summary: Recommended update for python-py
Severity: low
References: 1073879
Description:
This update for python-py adds the Python 3 sub-package to the codestream.


-----------------------------------------
Patch: SUSE-2018-130
Released: Tue Jan 23 16:37:49 2018
Summary: Recommended update for open-iscsi
Severity: low
References: 1028323,1029364,1055492,1072312
Description:

This update for open-iscsi provides the following fixes:

- Start iscsi logins before remote filesystems, so that the shutdown order is also changed
  to prevent hanging. (bsc#1028323)
- Add missing coreutils dependency for initrd macros.(bsc#1055492)
- Clear errno before calling strtoull in iscsiadm. (bsc#1029364)
- Fix some vulnerabilities in iscsiuio reported by Qualys. (bsc#1072312)


-----------------------------------------
Patch: SUSE-2018-132
Released: Tue Jan 23 17:25:33 2018
Summary: Recommended update for makedumpfile
Severity: low
References: 1068485
Description:

This update for makedumpfile provides the following fix:

- Adapt makedumpfile tool for filtering dumps with updated hash page table geometry ('powerpc/mm/hash: Increase VA range to 128TB') (bsc#1068485)


-----------------------------------------
Patch: SUSE-2018-143
Released: Wed Jan 24 17:37:04 2018
Summary: Security update for libevent
Severity: moderate
References: 1022917,1022918,1022919,CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Description:
This update for libevent fixes the following security issues:

- CVE-2016-10195: DNS remote stack overread vulnerability (bsc#1022917) 
- CVE-2016-10196: stack/buffer overflow in evutil_parse_sockaddr_port() (bsc#1022918) 
- CVE-2016-10197: out-of-bounds read in search_make_new() (bsc#1022919) 


-----------------------------------------
Patch: SUSE-2018-146
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)


-----------------------------------------
Patch: SUSE-2018-149
Released: Thu Jan 25 13:38:37 2018
Summary: Security update for curl
Severity: moderate
References: 1077001,CVE-2018-1000007
Description:
This update for curl fixes one issues.

This security issue was fixed:

- CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001)


-----------------------------------------
Patch: SUSE-2018-179
Released: Mon Jan 29 11:41:10 2018
Summary: Recommended update for apache2
Severity: moderate
References: 1042037,1045160,1048575,1057406,CVE-2017-7659,CVE-2017-9789
Description:
This update for apache2 fixes several issues.

These security issues were fixed:

- CVE-2017-9789: When under stress (closing many connections) the HTTP/2
  handling code would sometimes access memory after it has been freed, resulting
  in potentially erratic behaviour (bsc#1048575).
- CVE-2017-7659: A maliciously constructed HTTP/2 request could cause mod_http2
  to dereference a NULL pointer and crash the server process (bsc#1045160).

These non-security issues were fixed:

- Use the full path to a2enmod and a2dismod in the apache-22-24-upgrade script (bsc#1042037)
- Fall back to 'localhost' as hostname in gensslcert (bsc#1057406)


-----------------------------------------
Patch: SUSE-2018-184
Released: Mon Jan 29 16:05:12 2018
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1043853,1049673,1055271,1074009
Description:
This update for mozilla-nss provides the following fixes:

- Change DRBG to use the getrandom() kernel interface instead of /dev/urandom (bsc#1043853).
- Add patches for strengthening and FIPS compliance (bsc#1055271, bsc#1049673):
  * Use getrandom() instead of /dev/random and /dev/urandom where available.
  * Remove continuous DRBG test. This is no longer required for FIPS compliance.
  * Add DSA known answer POST.
  * Add ECDSA known answer POST.
  * Use FIPS compliant hash length in pairwise consistency check.
  * Make RSA key generation parameters more strict in order to meet FIPS criteria.
  * Add DH and ECDH known answer POSTs.
  * Add KDF135 CAVS test.
  * Add keywrapping CAVS test.
  * Add KAS FFC CAVS test.
  * Add KAS ECC CAVS test.
  * Restrict number of bytes generated per GCM IV for FIPS compliance.
  * Add helpers required by new CAVS tests.
  * Add fixes to make DSA CAVS tests pass.
  * Add fixes to make RSA CAVS tests pass.
  * Add constructor POSTs.
  * Disable weak ciphers in FIPS mode.
  * Prevent wraparounds in CTR mode.
  * Clear various sensitive parameters from memory when no longer in use.
  * Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5, which is
    otherwise banned.
  * Use strong random pool (/dev/random or getrandom() with GRND_RANDOM instead of their
    more dilute counterparts) in FIPS mode.
- We allow AESNI by default now. This can be disabled at runtime by defining NSS_DISABLE_HW_AES
  in the environment.
- Export NSS_FORCE_FIPS=1 for build, since this is needed now to prevent NSS from passing
  -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.


-----------------------------------------
Patch: SUSE-2018-209
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:

- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat
  function in strings.c that might have lead to a remote denial of service attack
  (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function
  postprocess_termcap() in parse_entry.c that might have lead to a remote denial
  of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function
  _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial
  of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function
  in alloc_entry.c that might have lead to a remote denial of service attack
  (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in
  comp_scan.c that might have lead to a remote denial of service attack
  (bsc#1056136).


-----------------------------------------
Patch: SUSE-2018-213
Released: Tue Jan 30 14:36:40 2018
Summary: Security update for systemd
Severity: moderate
References: 1048510,1065276,1066156,1068251,1070428,1071558,1074254,1075724,1076308,897422,CVE-2017-15908,CVE-2018-1049
Description:
This update for systemd fixes several issues.

This security issue was fixed:

- CVE-2018-1049: Prevent race that can lead to DoS when using automounts (bsc#1076308).

These non-security issues were fixed:

- core: don't choke if a unit another unit triggers vanishes during reload
- delta: don't ignore PREFIX when the given argument is PREFIX/SUFFIX
- delta: extend skip logic to work on full directory paths (prefix+suffix) (bsc#1070428)
- delta: check if a prefix needs to be skipped only once
- delta: skip symlink paths when split-usr is enabled (#4591)
- sysctl: use raw file descriptor in sysctl_write (#7753)
- sd-netlink: don't take possesion of netlink fd from caller on failure (bsc#1074254)
- Fix the regexp used to detect broken by-id symlinks in /etc/crypttab
  It was missing the following case: '/dev/disk/by-id/cr_-xxx'.
- sysctl: disable buffer while writing to /proc (bsc#1071558)
- Use read_line() and LONG_LINE_MAX to read values configuration files. (bsc#1071558)
- sysctl: no need to check for eof twice
- def: add new constant LONG_LINE_MAX
- fileio: add new helper call read_line() as bounded getline() replacement
- service: Don't stop unneeded units needed by restarted service (#7526) (bsc#1066156)
- gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
- gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab (bsc#897422)
- fstab-util: introduce fstab_has_fstype() helper
- fstab-generator: ignore root=/dev/nfs (#3591)
- fstab-generator: don't process root= if it happens to be 'gpt-auto' (#3452)
- virt: use XENFEAT_dom0 to detect the hardware domain (#6442, #6662) (#7581) (bsc#1048510)
- analyze: replace --no-man with --man=no in the man page (bsc#1068251)
- udev: net_setup_link: don't error out when we couldn't apply link config (#7328)
- Add missing /etc/systemd/network directory
- Fix parsing of features in detect_vm_xen_dom0 (#7890) (bsc#1048510)
- sd-bus: use -- when passing arguments to ssh (#6706)
- systemctl: make sure we terminate the bus connection first, and then close the pager (#3550)
- sd-bus: bump message queue size (bsc#1075724)
- tmpfiles: downgrade warning about duplicate line


-----------------------------------------
Patch: SUSE-2018-214
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:

- CVE-2018-6003: Prevent a stack exhaustion in  _asn1_decode_simple_ber
  (lib/decoding.c) when decoding BER encoded structure allowed for DoS
  (bsc#1076832).


-----------------------------------------
Patch: SUSE-2018-220
Released: Tue Jan 30 15:36:20 2018
Summary: Security update for bind
Severity: important
References: 1040039,1047184,1076118,CVE-2017-3145
Description:
This update for bind fixes several issues.

This security issue was fixed:

- CVE-2017-3145: Improper sequencing during cleanup could have lead to a
  use-after-free error that triggered an assertion failure and crash in named
  (bsc#1076118).

These non-security issues were fixed:

- Updated named.root file (bsc#1040039)
- Update bind.keys for DNSSEC root KSK rollover (bsc#1047184)


-----------------------------------------
Patch: SUSE-2018-230
Released: Thu Feb  1 09:32:01 2018
Summary: Security update for libXfont
Severity: moderate
References: 1049692,1050459,1054285,CVE-2017-13720,CVE-2017-13722
Description:
This update for libXfont fixes several issues.

These security issues were fixed:

- CVE-2017-13720: Improper check for end of string in PatterMatch caused invalid reads (bsc#1054285)
- CVE-2017-13722: Malformed PCF file could have caused DoS or leak information (bsc#1049692)
- Prevent the X server from accessing arbitrary files as root. It is not possible to leak information, but special files can be touched allowing for causing side effects (bsc#1050459)


-----------------------------------------
Patch: SUSE-2018-231
Released: Thu Feb  1 09:56:35 2018
Summary: Recommended update for systemd-rpm-macros
Severity: low
References: 1071543,1073715
Description:
This update for systemd-rpm-macros provides the following fixes:

- Make sure to apply presets if packages start shipping units during upgrades.
  (bsc#1071543, bsc#1073715)
- Remove a useless test in %service_add_pre(). The test was placed where the condition
  '[ '$FIRST_ARG' -gt 1 ]' was always true.


-----------------------------------------
Patch: SUSE-2018-236
Released: Thu Feb  1 12:38:32 2018
Summary: Security update for libXdmcp
Severity: moderate
References: 1025046,CVE-2017-2625
Description:
This update for libXdmcp fixes the following issues:

- CVE-2017-2625: The generation of session key in XDM using libXdmcp might have used weak entropy, making
  the session keys predictable (bsc#1025046)



-----------------------------------------
Patch: SUSE-2018-237
Released: Thu Feb  1 12:38:57 2018
Summary: Security update for libICE
Severity: moderate
References: 1025068,CVE-2017-2626
Description:
This update for libICE fixes the following issues:

- CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies
  predictable. A more random generation method has been implemented. (boo#1025068)



-----------------------------------------
Patch: SUSE-2018-238
Released: Thu Feb  1 16:35:51 2018
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2018-243
Released: Fri Feb  2 09:13:13 2018
Summary: Recommended update for mozilla-nss
Severity: important
References: 1078190,1078333
Description:
This update for mozilla-nss fixes the following issue:

- This update remedies a regression caused by a previous update of mozilla-nss
  that affected users of FIPS mode. [bsc#1078333, bsc#1078190]


-----------------------------------------
Patch: SUSE-2018-247
Released: Fri Feb  2 12:33:37 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1043978,1059911,1059912,1059913,1069874,CVE-2017-14245,CVE-2017-14246,CVE-2017-14634,CVE-2017-16942,CVE-2017-6892
Description:
This update for libsndfile fixes the following issues:

- CVE-2017-16942: Divide-by-zero in the function wav_w64_read_fmt_chunk(), which may lead to Denial of service (bsc#1069874). 
- CVE-2017-6892:  Fixed an out-of-bounds read memory access in the aiff_read_chanmap() (bsc#1043978).
- CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. (bsc#1059911)
- CVE-2017-14245: An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of 
                  the NAN and INFINITY floating-point values. (bsc#1059912)
- CVE-2017-14246: An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of 
                  the NAN and INFINITY floating-point values.(bsc#1059913)


-----------------------------------------
Patch: SUSE-2018-248
Released: Fri Feb  2 17:31:56 2018
Summary: Recommended update for patterns-sles
Severity: low
References: 1065341
Description:
This update for patterns-sles provides the following fixes:

- Removed puppet from base pattern. (bsc#1065341)
- Re-run script to create 32bit patterns.


-----------------------------------------
Patch: SUSE-2018-250
Released: Fri Feb  2 17:33:48 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073275
Description:
This update provides the latest timezone information (2018c) for your system, including following changes:

- Sao Tome and Principe switched from +00 to +01 on 2018-01-01.
- Southern Brazil's DST will now start on November's first Sunday. (bsc#1073275)
- New zic option -t to specify the time zone file if TZ is unset.


-----------------------------------------
Patch: SUSE-2018-261
Released: Tue Feb  6 11:24:15 2018
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1062937,CVE-2017-15232
Description:
This update for libjpeg-turbo fixes the following issues:

Feature update:

- Update from version 1.3.1 to version 1.5.2 (fate#324061).
  
Security issue fixed:

- CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c (bsc#1062937).


-----------------------------------------
Patch: SUSE-2018-264
Released: Tue Feb  6 12:58:02 2018
Summary: Recommended update for SuSEfirewall2
Severity: moderate
References: 1069760,1074933,1075251
Description:
This update for SuSEfirewall2 provides the following fixes:

- Fix a regression in setting up the final LOG/DROP/REJECT rules for IPv6. (bsc#1075251)
- Remove duplicate rules created in the context of dynamic RPC rules. (bsc#1069760)
- Fix an issue in the logging logic to show the correct PID and avoid losing log lines.
- Set RPC related rules also for IPv6. (bsc#1074933)


-----------------------------------------
Patch: SUSE-2018-265
Released: Tue Feb  6 14:58:28 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390
Description:

  
This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024 bit legacy CAs that were temporary left in to allow
in-chain root certificates as openssl is now able to handle it.

Further changes coming from Mozilla:

- New Root CAs added:

  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

- Removed root CAs:

  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China

- Removed Code Signing rights from a lot of CAs (not listed here).

- Removed Server Auth rights from:

  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2



-----------------------------------------
Patch: SUSE-2018-269
Released: Wed Feb  7 10:58:55 2018
Summary: Recommended update for yast2-ruby-bindings
Severity: moderate
References: 1070583
Description:
This update for yast2-ruby-bindings fixes the following issues:

- Set proper window title also for YaST2 Firstboot (bsc#1070583)


-----------------------------------------
Patch: SUSE-2018-271
Released: Wed Feb  7 14:34:56 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1005778,1005780,1005781,1012382,1012917,1015342,1015343,1019784,1022476,1022595,1022912,1024296,1024376,1031395,1031492,1031717,1037838,1038078,1038085,1040182,1043652,1048325,1048585,1053472,1060279,1062129,1066163,1066223,1068032,1068038,1068569,1068984,1069138,1069160,1070052,1070799,1072163,1072484,1073229,1073928,1074134,1074488,1074621,1074709,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076805,1076847,1076872,1076899,1077068,1077560,1077592,1077704,1077871,1078002,1078681,963844,966170,966172,973818,985025,CVE-2017-15129,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-18017,CVE-2017-5715,CVE-2018-1000004,CVE-2018-5332,CVE-2018-5333
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.114 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032).

  The previous fix using CPU Microcode has been complemented by building the Linux Kernel with return trampolines aka 'retpolines'.

- CVE-2017-15129: A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel in the function get_net_ns_by_id() in net/core/net_namespace.c did not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely (bnc#1074839).
- CVE-2017-17712: The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allowed a local user to execute code and gain privileges (bnc#1073229).
- CVE-2017-17862: kernel/bpf/verifier.c in the Linux kernel ignored unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service (bnc#1073928).
- CVE-2017-17864: kernel/bpf/verifier.c in the Linux kernel mishandled states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allowed local users to obtain potentially sensitive address information, aka a 'pointer leak (bnc#1073928).
- CVE-2017-18017: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action (bnc#1074488).
- CVE-2018-5332: In the Linux kernel the rds_message_alloc_sgs() function did not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c) (bnc#1075621).
- CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic function in net/rds/rdma.c mishandled cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
- CVE-2018-1000004: In the Linux kernel a race condition vulnerability existed in the sound system, this can lead to a deadlock and denial of service condition (bnc#1076017).

The following non-security bugs were fixed:

- 8021q: fix a memory leak for VLAN 0 device (bnc#1012382).
- acpi / scan: Prefer devices without _HID/_CID for _ADR matching (bnc#1012382).
- af_key: fix buffer overread in parse_exthdrs() (bnc#1012382).
- af_key: fix buffer overread in verify_address_len() (bnc#1012382).
- afs: Adjust mode bits processing (bnc#1012382).
- afs: Connect up the CB.ProbeUuid (bnc#1012382).
- afs: Fix afs_kill_pages() (bnc#1012382).
- afs: Fix missing put_page() (bnc#1012382).
- afs: Fix page leak in afs_write_begin() (bnc#1012382).
- afs: Fix the maths in afs_fs_store_data() (bnc#1012382).
- afs: Flush outstanding writes when an fd is closed (bnc#1012382).
- afs: Migrate vlocation fields to 64-bit (bnc#1012382).
- afs: Populate and use client modification time (bnc#1012382).
- afs: Populate group ID from vnode status (bnc#1012382).
- afs: Prevent callback expiry timer overflow (bnc#1012382).
- alpha: fix build failures (bnc#1012382).
- alsa: aloop: Fix inconsistent format due to incomplete rule (bsc#1031717).
- alsa: aloop: Fix racy hw constraints adjustment (bsc#1031717).
- alsa: aloop: Release cable upon open error path (bsc#1031717).
- alsa: hda - Add HP ZBook 15u G3 Conexant CX20724 GPIO mute leds (bsc#1031717).
- alsa: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines (bsc#1031717).
- alsa: hda - Add mute led support for HP EliteBook 840 G3 (bsc#1031717).
- alsa: hda - Add mute led support for HP ProBook 440 G4 (bsc#1031717).
- alsa: hda - add support for docking station for HP 820 G2 (bsc#1031717).
- alsa: hda - add support for docking station for HP 840 G3 (bsc#1031717).
- alsa: hda - Apply headphone noise quirk for another Dell XPS 13 variant (bsc#1031717).
- alsa: hda - Apply the existing quirk to iMac 14,1 (bsc#1031717).
- alsa: hda - change the location for one mic on a Lenovo machine (bsc#1031717).
- alsa: hda: Drop useless WARN_ON() (bsc#1031717).
- alsa: hda - Fix click noises on Samsung Ativ Book 8 (bsc#1031717).
- alsa: hda - fix headset mic detection issue on a Dell machine (bsc#1031717).
- alsa: hda - fix headset mic problem for Dell machines with alc274 (bsc#1031717).
- alsa: hda - Fix headset microphone detection for ASUS N551 and N751 (bsc#1031717).
- alsa: hda - Fix mic regression by ASRock mobo fixup (bsc#1031717).
- alsa: hda - Fix missing COEF init for ALC225/295/299 (bsc#1031717).
- alsa: hda - Fix surround output pins for ASRock B150M mobo (bsc#1031717).
- alsa: hda - On-board speaker fixup on ACER Veriton (bsc#1031717).
- alsa: hda/realtek - Add ALC256 HP depop function (bsc#1031717).
- alsa: hda/realtek - Add default procedure for suspend and resume state (bsc#1031717).
- alsa: hda/realtek - Add support for Acer Aspire E5-475 headset mic (bsc#1031717).
- alsa: hda/realtek - Add support for ALC1220 (bsc#1031717).
- alsa: hda/realtek - Add support for headset MIC for ALC622 (bsc#1031717).
- alsa: hda/realtek - ALC891 headset mode for Dell (bsc#1031717).
- alsa: hda/realtek - change the location for one of two front microphones (bsc#1031717).
- alsa: hda/realtek - Enable jack detection function for Intel ALC700 (bsc#1031717).
- alsa: hda/realtek - Fix ALC275 no sound issue (bsc#1031717).
- alsa: hda/realtek - Fix Dell AIO LineOut issue (bsc#1031717).
- alsa: hda/realtek - Fix headset and mic on several Asus laptops with ALC256 (bsc#1031717).
- alsa: hda/realtek - Fix headset mic and speaker on Asus X441SA/X441UV (bsc#1031717).
- alsa: hda/realtek - fix headset mic detection for MSI MS-B120 (bsc#1031717).
- alsa: hda/realtek - Fix headset mic on several Asus laptops with ALC255 (bsc#1031717).
- alsa: hda/realtek - Fix pincfg for Dell XPS 13 9370 (bsc#1031717).
- alsa: hda/realtek - Fix speaker support for Asus AiO ZN270IE (bsc#1031717).
- alsa: hda/realtek - Fix typo of pincfg for Dell quirk (bsc#1031717).
- alsa: hda/realtek - New codec device ID for ALC1220 (bsc#1031717).
- alsa: hda/realtek - New codecs support for ALC215/ALC285/ALC289 (bsc#1031717).
- alsa: hda/realtek - New codec support for ALC257 (bsc#1031717).
- alsa: hda/realtek - New codec support of ALC1220 (bsc#1031717).
- alsa: hda/realtek - No loopback on ALC225/ALC295 codec (bsc#1031717).
- alsa: hda/realtek - Remove ALC285 device ID (bsc#1031717).
- alsa: hda/realtek - Support Dell headset mode for ALC3271 (bsc#1031717).
- alsa: hda/realtek - Support headset mode for ALC234/ALC274/ALC294 (bsc#1031717).
- alsa: hda/realtek - There is no loopback mixer in the ALC234/274/294 (bsc#1031717).
- alsa: hda/realtek - Update headset mode for ALC225 (bsc#1031717).
- alsa: hda/realtek - Update headset mode for ALC298 (bsc#1031717).
- alsa: hda - Skip Realtek SKU check for Lenovo machines (bsc#1031717).
- alsa: pcm: Abort properly at pending signal in OSS read/write loops (bsc#1031717).
- alsa: pcm: Add missing error checks in OSS emulation plugin builder (bsc#1031717).
- alsa: pcm: Allow aborting mutex lock at OSS read/write loops (bsc#1031717).
- alsa: pcm: prevent UAF in snd_pcm_info (bsc#1031717).
- alsa: pcm: Remove incorrect snd_BUG_ON() usages (bsc#1031717).
- alsa: pcm: Remove yet superfluous WARN_ON() (bsc#1031717).
- alsa: rawmidi: Avoid racy info ioctl via ctl device (bsc#1031717).
- alsa: seq: Remove spurious WARN_ON() at timer check (bsc#1031717).
- alsa: usb-audio: Add check return value for usb_string() (bsc#1031717).
- alsa: usb-audio: Fix out-of-bound error (bsc#1031717).
- alsa: usb-audio: Fix the missing ctl name suffix at parsing SU (bsc#1031717).
- arc: uaccess: dont use 'l' gcc inline asm constraint modifier (bnc#1012382).
- arm64: Add skeleton to harden the branch predictor against aliasing attacks (bsc#1068032).
- arm64: Add trace_hardirqs_off annotation in ret_to_user (bsc#1068032).
- arm64: Branch predictor hardening for Cavium ThunderX2 (bsc#1068032).
- arm64/cpufeature: do not use mutex in bringup path (bsc#1068032).
- arm64: cpufeature: Pass capability structure to ->enable callback (bsc#1068032).
- arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs (bsc#1068032).
- arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 (bsc#1068032).
- arm64: debug: remove unused local_dbg_{enable, disable} macros (bsc#1068032).
- arm64: Define cputype macros for Falkor CPU (bsc#1068032).
- arm64: Disable TTBR0_EL1 during normal kernel execution (bsc#1068032).
- arm64: Do not force KPTI for CPUs that are not vulnerable (bsc#1076187).
- arm64: do not pull uaccess.h into *.S (bsc#1068032).
- arm64: Enable CONFIG_ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: entry: Add exception trampoline page for exceptions from EL0 (bsc#1068032).
- arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 (bsc#1068032).
- arm64: entry: Explicitly pass exception level to kernel_ventry macro (bsc#1068032).
- arm64: entry: Hook up entry trampoline to exception vectors (bsc#1068032).
- arm64: entry: remove pointless SPSR mode check (bsc#1068032).
- arm64: entry.S convert el0_sync (bsc#1068032).
- arm64: entry.S: convert el1_sync (bsc#1068032).
- arm64: entry.S: convert elX_irq (bsc#1068032).
- arm64: entry.S: move SError handling into a C function for future expansion (bsc#1068032).
- arm64: entry.S: Remove disable_dbg (bsc#1068032).
- arm64: erratum: Work around Falkor erratum #E1003 in trampoline code (bsc#1068032).
- arm64: explicitly mask all exceptions (bsc#1068032).
- arm64: factor out entry stack manipulation (bsc#1068032).
- arm64: factor out PAGE_* and CONT_* definitions (bsc#1068032).
- arm64: Factor out PAN enabling/disabling into separate uaccess_* macros (bsc#1068032).
- arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro (bsc#1068032).
- arm64: factor work_pending state machine to C (bsc#1068032).
- arm64: fpsimd: Prevent registers leaking from dead tasks (bnc#1012382).
- arm64: Handle el1 synchronous instruction aborts cleanly (bsc#1068032).
- arm64: Handle faults caused by inadvertent user access with PAN enabled (bsc#1068032).
- arm64: head.S: get rid of x25 and x26 with 'global' scope (bsc#1068032).
- arm64: Implement branch predictor hardening for affected Cortex-A CPUs (bsc#1068032).
- arm64: Implement branch predictor hardening for Falkor (bsc#1068032).
- arm64: Initialise high_memory global variable earlier (bnc#1012382).
- arm64: introduce an order for exceptions (bsc#1068032).
- arm64: introduce mov_q macro to move a constant into a 64-bit register (bsc#1068032).
- arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1 (bsc#1068032).
- arm64: kaslr: Put kernel vectors address in separate data page (bsc#1068032).
- arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 (bsc#1068032).
- arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry (bsc#1068032).
- arm64: kill ESR_LNX_EXEC (bsc#1068032).
- arm64: kpti: Fix the interaction between ASID switching and software PAN (bsc#1068032).
- arm64: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bsc#1076232).
- arm64: kvm: fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm64: kvm: Make PSCI_VERSION a fast path (bsc#1068032).
- arm64: kvm: Use per-CPU vector when BP hardening is enabled (bsc#1068032).
- arm64: Mask all exceptions during kernel_exit (bsc#1068032).
- arm64: mm: Add arm64_kernel_unmapped_at_el0 helper (bsc#1068032).
- arm64: mm: Allocate ASIDs in pairs (bsc#1068032).
- arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: hardcode rodata=true (bsc#1068032).
- arm64: mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR (bsc#1068032).
- arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI (bsc#1068032).
- arm64: mm: Map entry trampoline into trampoline and kernel page tables (bsc#1068032).
- arm64: mm: Move ASID from TTBR0 to TTBR1 (bsc#1068032).
- arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum #E1003 (bsc#1068032).
- arm64: mm: Rename post_ttbr0_update_workaround (bsc#1068032).
- arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN (bsc#1068032).
- arm64: mm: Use non-global mappings for kernel space (bsc#1068032).
- arm64: Move BP hardening to check_and_switch_context (bsc#1068032).
- arm64: Move post_ttbr_update_workaround to C code (bsc#1068032).
- arm64: Move the async/fiq helpers to explicitly set process context flags (bsc#1068032).
- arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm (bsc#1068032).
- arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb (bsc#1068032).
- arm64: swp emulation: bound LL/SC retries before rescheduling (bsc#1068032).
- arm64: sysreg: Fix unprotected macro argmuent in write_sysreg (bsc#1068032).
- arm64: Take into account ID_AA64PFR0_EL1.CSV3 (bsc#1068032).
- arm64: thunderx2: remove branch predictor hardening References: bsc#1076232 This causes undefined instruction abort on the smc call from guest kernel. Disable until kvm is fixed.
- arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks (bsc#1068032).
- arm64: Turn on KPTI only on CPUs that need it (bsc#1076187).
- arm64: use alternative auto-nop (bsc#1068032).
- arm64: use RET instruction for exiting the trampoline (bsc#1068032).
- arm64: xen: Enable user access before a privcmd hvc call (bsc#1068032).
- arm/arm64: kvm: Make default HYP mappings non-excutable (bsc#1068032).
- arm: avoid faulting on qemu (bnc#1012382).
- arm: BUG if jumping to usermode address in kernel mode (bnc#1012382).
- arm-ccn: perf: Prevent module unload while PMU is in use (bnc#1012382).
- arm: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory (bnc#1012382).
- arm: dts: am335x-evmsk: adjust mmc2 param to allow suspend (bnc#1012382).
- arm: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 (bnc#1012382).
- arm: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio (bnc#1012382).
- arm: dts: ti: fix PCI bus dtc warnings (bnc#1012382).
- arm: kprobes: Align stack to 8-bytes in test code (bnc#1012382).
- arm: kprobes: Fix the return address of multiple kretprobes (bnc#1012382).
- arm: kvm: Fix VTTBR_BADDR_MASK BUG_ON off-by-one (bnc#1012382).
- arm: OMAP1: DMA: Correct the number of logical channels (bnc#1012382).
- arm: OMAP2+: Fix device node reference counts (bnc#1012382).
- arm: OMAP2+: gpmc-onenand: propagate error on initialization failure (bnc#1012382).
- arm: OMAP2+: Release device node after it is no longer needed (bnc#1012382).
- asm-prototypes: Clear any CPP defines before declaring the functions (git-fixes).
- asn.1: check for error from ASN1_OP_END__ACT actions (bnc#1012382).
- asn.1: fix out-of-bounds read when parsing indefinite length item (bnc#1012382).
- asoc: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure (bsc#1031717).
- asoc: twl4030: fix child-node lookup (bsc#1031717).
- asoc: wm_adsp: Fix validation of firmware and coeff lengths (bsc#1031717).
- ath9k: fix tx99 potential info leak (bnc#1012382).
- atm: horizon: Fix irq release error (bnc#1012382).
- audit: ensure that 'audit=1' actually enables audit for PID 1 (bnc#1012382).
- axonram: Fix gendisk handling (bnc#1012382).
- backlight: pwm_bl: Fix overflow condition (bnc#1012382).
- bcache: add a comment in journal bucket reading (bsc#1076110).
- bcache: Avoid nested function definition (bsc#1076110).
- bcache: bch_allocator_thread() is not freezable (bsc#1076110).
- bcache: bch_writeback_thread() is not freezable (bsc#1076110).
- bcache: check return value of register_shrinker (bsc#1076110).
- bcache: documentation formatting, edited for clarity, stripe alignment notes (bsc#1076110).
- bcache: documentation updates and corrections (bsc#1076110).
- bcache: Do not reinvent the wheel but use existing llist API (bsc#1076110).
- bcache: do not write back data if reading it failed (bsc#1076110).
- bcache: explicitly destroy mutex while exiting (bnc#1012382).
- bcache: fix a comments typo in bch_alloc_sectors() (bsc#1076110).
- bcache: Fix building error on MIPS (bnc#1012382).
- bcache: fix sequential large write IO bypass (bsc#1076110).
- bcache: fix wrong cache_misses statistics (bnc#1012382).
- bcache: gc does not work when triggering by manual command (bsc#1076110, bsc#1038078).
- bcache: implement PI controller for writeback rate (bsc#1076110).
- bcache: increase the number of open buckets (bsc#1076110).
- bcache: only permit to recovery read error when cache device is clean (bnc#1012382 bsc#1043652).
- bcache: partition support: add 16 minors per bcacheN device (bsc#1076110, bsc#1019784).
- bcache: rearrange writeback main thread ratelimit (bsc#1076110).
- bcache: recover data from backing when data is clean (bnc#1012382 bsc#1043652).
- bcache: Remove redundant set_capacity (bsc#1076110).
- bcache: remove unused parameter (bsc#1076110).
- bcache: rewrite multiple partitions support (bsc#1076110, bsc#1038085).
- bcache: safeguard a dangerous addressing in closure_queue (bsc#1076110).
- bcache: silence static checker warning (bsc#1076110).
- bcache: smooth writeback rate control (bsc#1076110).
- bcache.txt: standardize document format (bsc#1076110).
- bcache: update bio->bi_opf bypass/writeback REQ_ flag hints (bsc#1076110).
- bcache: update bucket_in_use in real time (bsc#1076110).
- bcache: Update continue_at() documentation (bsc#1076110).
- bcache: use kmalloc to allocate bio in bch_data_verify() (bsc#1076110).
- bcache: use llist_for_each_entry_safe() in __closure_wake_up() (bsc#1076110).
- bcache: writeback rate clamping: make 32 bit safe (bsc#1076110).
- bcache: writeback rate shouldn't artifically clamp (bsc#1076110).
- be2net: restore properly promisc mode after queues reconfiguration (bsc#963844 FATE#320192).
- block: wake up all tasks blocked in get_request() (bnc#1012382).
- bluetooth: btusb: driver to enable the usb-wakeup feature (bnc#1012382).
- bnx2x: do not rollback VF MAC/VLAN filters we did not configure (bnc#1012382).
- bnx2x: fix possible overrun of VFPF multicast addresses array (bnc#1012382).
- bnx2x: prevent crash when accessing PTP with interface down (bnc#1012382).
- btrfs: add missing memset while reading compressed inline extents (bnc#1012382).
- btrfs: clear space cache inode generation always (bnc#1012382).
- btrfs: embed extent_changeset::range_changed to the structure (dependent patch, bsc#1031395).
- btrfs: qgroup: Fix qgroup reserved space underflow by only freeing reserved ranges (bsc#1031395).
- btrfs: qgroup: Fix qgroup reserved space underflow caused by buffered write and quotas being enabled (bsc#1031395).
- btrfs: qgroup: Introduce extent changeset for qgroup reserve functions (dependent patch, bsc#1031395).
- btrfs: qgroup: Return actually freed bytes for qgroup release or free data (bsc#1031395).
- btrfs: qgroup-test: Fix backport error in qgroup selftest (just to make CONFIG_BTRFS_FS_RUN_SANITY_TESTS pass compile).
- btrfs: ulist: make the finalization function public (dependent patch, bsc#1031395).
- btrfs: ulist: rename ulist_fini to ulist_release (dependent patch, bsc#1031395).
- can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once (bnc#1012382).
- can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once (bnc#1012382).
- can: ems_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: esd_usb2: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: gs_usb: fix return value of the 'set_bittiming' callback (bnc#1012382).
- can: kvaser_usb: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() (bnc#1012382).
- can: kvaser_usb: free buf in error paths (bnc#1012382).
- can: kvaser_usb: ratelimit errors if incomplete messages are received (bnc#1012382).
- can: peak: fix potential bug in packet fragmentation (bnc#1012382).
- can: ti_hecc: Fix napi poll return value for repoll (bnc#1012382).
- can: usb_8dev: cancel urb on -EPIPE and -EPROTO (bnc#1012382).
- cdc-acm: apply quirk for card reader (bsc#1060279).
- cdrom: factor out common open_for_* code (bsc#1048585).
- cdrom: wait for tray to close (bsc#1048585).
- ceph: more accurate statfs (bsc#1077068).
- clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU (bnc#1012382).
- clk: mediatek: add the option for determining PLL source clock (bnc#1012382).
- clk: tegra: Fix cclk_lp divisor register (bnc#1012382).
- config: arm64: enable HARDEN_BRANCH_PREDICTOR
- config: arm64: enable UNMAP_KERNEL_AT_EL0
- cpuidle: fix broadcast control when broadcast can not be entered (bnc#1012382).
- cpuidle: powernv: Pass correct drv->cpumask for registration (bnc#1012382).
- cpuidle: Validate cpu_dev in cpuidle_add_sysfs() (bnc#1012382).
- crypto: algapi - fix NULL dereference in crypto_remove_spawns() (bnc#1012382).
- crypto: chacha20poly1305 - validate the digest size (bnc#1012382).
- crypto: chelsio - select CRYPTO_GF128MUL (bsc#1048325).
- crypto: crypto4xx - increase context and scatter ring buffer elements (bnc#1012382).
- crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex (bnc#1012382).
- crypto: mcryptd - protect the per-CPU queue with a lock (bnc#1012382).
- crypto: n2 - cure use after free (bnc#1012382).
- crypto: pcrypt - fix freeing pcrypt instances (bnc#1012382).
- crypto: s5p-sss - Fix completing crypto request in IRQ handler (bnc#1012382).
- crypto: tcrypt - fix buffer lengths in test_aead_speed() (bnc#1012382).
- cxl: Check if vphb exists before iterating over AFU devices (bsc#1066223).
- dax: Pass detailed error code from __dax_fault() (bsc#1072484).
- dccp: do not restart ccid2_hc_tx_rto_expire() if sk in closed state (bnc#1012382).
- delay: add poll_event_interruptible (bsc#1048585).
- dlm: fix malfunction of dlm_tool caused by debugfs changes (bsc#1077704).
- dmaengine: dmatest: move callback wait queue to thread context (bnc#1012382).
- dmaengine: Fix array index out of bounds warning in __get_unmap_pool() (bnc#1012382).
- dmaengine: pl330: fix double lock (bnc#1012382).
- dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type (bnc#1012382).
- dm btree: fix serious bug in btree_split_beneath() (bnc#1012382).
- dm bufio: fix shrinker scans when (nr_to_scan < retain_target) (bnc#1012382).
- dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 (bnc#1012382).
- drivers/firmware: Expose psci_get_version through psci_ops structure (bsc#1068032).
- drm/amd/amdgpu: fix console deadlock if late init failed (bnc#1012382).
- drm: extra printk() wrapper macros (bnc#1012382).
- drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement (bnc#1012382).
- drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU (bnc#1012382).
- drm/omap: fix dmabuf mmap for dma_alloc'ed buffers (bnc#1012382).
- drm/radeon: fix atombios on big endian (bnc#1012382).
- drm/radeon: reinstate oland workaround for sclk (bnc#1012382).
- drm/radeon/si: add dpm quirk for Oland (bnc#1012382).
- drm/vmwgfx: Potential off by one in vmw_view_add() (bnc#1012382).
- dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 (bnc#1012382).
- edac, i5000, i5400: Fix definition of NRECMEMB register (bnc#1012382).
- edac, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro (bnc#1012382).
- edac, sb_edac: Fix missing break in switch (bnc#1012382).
- eeprom: at24: check at24_read/write arguments (bnc#1012382).
- efi/esrt: Cleanup bad memory map log messages (bnc#1012382).
- efi: Move some sysfs files to be read-only by root (bnc#1012382).
- eventpoll.h: add missing epoll event masks (bnc#1012382).
- ext4: fix crash when a directory's i_size is too small (bnc#1012382).
- ext4: Fix ENOSPC handling in DAX page fault handle (bsc#1072484).
- ext4: fix fdatasync(2) after fallocate(2) operation (bnc#1012382).
- fbdev: controlfb: Add missing modes to fix out of bounds access (bnc#1012382).
- Fix EX_SIZE. We do not have the patches that shave off parts of the exception data.
- Fix mishandling of cases with MSR not being present (writing to MSR even though _state == -1).
- Fix return value from ib[rs|pb]_enabled()
- Fixup hang when calling 'nvme list' on all paths down (bsc#1070052).
- fjes: Fix wrong netdevice feature flags (bnc#1012382).
- flow_dissector: properly cap thoff field (bnc#1012382).
- fm10k: ensure we process SM mbx when processing VF mbx (bnc#1012382).
- fork: clear thread stack upon allocation (bsc#1077560).
- fscache: Fix the default for fscache_maybe_release_page() (bnc#1012382).
- futex: Prevent overflow by strengthen input validation (bnc#1012382).
- gcov: disable for COMPILE_TEST (bnc#1012382).
- gfs2: Take inode off order_write list when setting jdata flag (bnc#1012382).
- gpio: altera: Use handle_level_irq when configured as a level_high (bnc#1012382).
- hid: chicony: Add support for another ASUS Zen AiO keyboard (bnc#1012382).
- hid: xinmo: fix for out of range for THT 2P arcade controller (bnc#1012382).
- hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1012382).
- hv: kvp: Avoid reading past allocated blocks from KVP file (bnc#1012382).
- hwmon: (asus_atk0110) fix uninitialized data access (bnc#1012382).
- i40iw: Account for IPv6 header when setting MSS (bsc#1024376 FATE#321249).
- i40iw: Allocate a sdbuf per CQP WQE (bsc#1024376 FATE#321249).
- i40iw: Cleanup AE processing (bsc#1024376 FATE#321249).
- i40iw: Clear CQP Head/Tail during initialization (bsc#1024376 FATE#321249).
- i40iw: Correct ARP index mask (bsc#1024376 FATE#321249).
- i40iw: Do not allow posting WR after QP is flushed (bsc#1024376 FATE#321249).
- i40iw: Do not free sqbuf when event is I40IW_TIMER_TYPE_CLOSE (bsc#1024376 FATE#321249).
- i40iw: Do not generate CQE for RTR on QP flush (bsc#1024376 FATE#321249).
- i40iw: Do not retransmit MPA request after it is ACKed (bsc#1024376 FATE#321249).
- i40iw: Fixes for static checker warnings (bsc#1024376 FATE#321249).
- i40iw: Ignore AE source field in AEQE for some AEs (bsc#1024376 FATE#321249).
- i40iw: Move cqp_cmd_head init to CQP initialization (bsc#1024376 FATE#321249).
- i40iw: Move exception_lan_queue to VSI structure (bsc#1024376 FATE#321249).
- i40iw: Move MPA request event for loopback after connect (bsc#1024376 FATE#321249).
- i40iw: Notify user of established connection after QP in RTS (bsc#1024376 FATE#321249).
- i40iw: Reinitialize IEQ on MTU change (bsc#1024376 FATE#321249).
- ib/hfi1: Fix misspelling in comment (bsc#973818, fate#319242).
- ib/hfi1: Prevent kernel QP post send hard lockups (bsc#973818 FATE#319242).
- ib/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush (git-fixes).
- ib/ipoib: Fix race condition in neigh creation (bsc#1022595 FATE#322350).
- ib/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop (bnc#1012382).
- ib/mlx4: Increase maximal message size under UD QP (bnc#1012382).
- ib/mlx5: Assign send CQ and recv CQ of UMR QP (bnc#1012382).
- ib/mlx5: Serialize access to the VMA list (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ibmvnic: Allocate and request vpd in init_resources (bsc#1076872).
- ibmvnic: Do not handle RX interrupts when not up (bsc#1075066).
- ibmvnic: Fix IP offload control buffer (bsc#1076899).
- ibmvnic: Fix IPv6 packet descriptors (bsc#1076899).
- ibmvnic: Fix pending MAC address changes (bsc#1075627).
- ibmvnic: Modify buffer size and number of queues on failover (bsc#1076872).
- ibmvnic: Revert to previous mtu when unsupported value requested (bsc#1076872).
- ibmvnic: Wait for device response when changing MAC (bsc#1078681).
- ib/rdmavt: restore IRQs on error path in rvt_create_ah() (bsc#973818, fate#319242).
- ib/srpt: Disable RDMA access by the initiator (bnc#1012382).
- ib/srpt: Fix ACL lookup during login (bsc#1024296 FATE#321265).
- ib/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp() (FATE#321231 FATE#321473 FATE#322153 FATE#322149).
- igb: check memory allocation failure (bnc#1012382).
- ima: fix hash algorithm initialization (bnc#1012382).
- inet: frag: release spinlock before calling icmp_send() (bnc#1012382).
- input: 88pm860x-ts - fix child-node lookup (bnc#1012382).
- input: elantech - add new icbody type 15 (bnc#1012382).
- input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list (bnc#1012382).
- input: trackpoint - force 3 buttons if 0 button is reported (bnc#1012382).
- input: twl4030-vibra - fix sibling-node lookup (bnc#1012382).
- input: twl6040-vibra - fix child-node lookup (bnc#1012382).
- input: twl6040-vibra - fix DT node memory management (bnc#1012382).
- intel_th: pci: Add Gemini Lake support (bnc#1012382).
- iommu/arm-smmu-v3: Do not free page table ops twice (bnc#1012382).
- iommu/vt-d: Fix scatterlist offset handling (bnc#1012382).
- ip6_gre: remove the incorrect mtu limit for ipgre tap (bsc#1022912 FATE#321246).
- ip6_tunnel: disable dst caching if tunnel is dual-stack (bnc#1012382).
- ip_gre: remove the incorrect mtu limit for ipgre tap (bsc#1022912 FATE#321246).
- ipmi: Stop timers before cleaning up the module (bnc#1012382).
- ipv4: Fix use-after-free when flushing FIB tables (bnc#1012382).
- ipv4: igmp: guard against silly MTU values (bnc#1012382).
- ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY (bnc#1012382).
- ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL (bnc#1012382).
- ipv6: fix possible mem leaks in ipv6_make_skb() (bnc#1012382).
- ipv6: fix udpv6 sendmsg crash caused by too small MTU (bnc#1012382).
- ipv6: ip6_make_skb() needs to clear cork.base.dst (git-fixes).
- ipv6: mcast: better catch silly mtu values (bnc#1012382).
- ipv6: reorder icmpv6_init() and ip6_mr_init() (bnc#1012382).
- ipvlan: fix ipv6 outbound device (bnc#1012382).
- ipvlan: remove excessive packet scrubbing (bsc#1070799).
- irda: vlsi_ir: fix check for DMA mapping errors (bnc#1012382).
- irqchip/crossbar: Fix incorrect type of register size (bnc#1012382).
- iscsi_iser: Re-enable 'iser_pi_guard' module parameter (bsc#1062129).
- iscsi-target: fix memory leak in lio_target_tiqn_addtpg() (bnc#1012382).
- iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref (bnc#1012382).
- isdn: kcapi: avoid uninitialized data (bnc#1012382).
- iser-target: Fix possible use-after-free in connection establishment error (FATE#321732).
- iw_cxgb4: Only validate the MSN for successful completions (bnc#1012382).
- iw_cxgb4: reflect the original WR opcode in drain cqes (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- iw_cxgb4: when flushing, complete all wrs in a chain (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- ixgbe: fix use of uninitialized padding (bnc#1012382).
- jump_label: Invoke jump_label_test() via early_initcall() (bnc#1012382).
- kabi fix for new hash_cred function (bsc#1012917).
- kabi: Keep KVM stable after enable s390 wire up bpb feature (bsc#1076805).
- kABI: protect struct bpf_map (kabi).
- kABI: protect struct ipv6_pinfo (kabi).
- kABI: protect struct t10_alua_tg_pt_gp (kabi).
- kABI: protect struct usbip_device (kabi).
- kabi/severities: arm64: ignore cpu capability array
- kabi/severities: do not care about stuff_RSB
- kaiser: Set _PAGE_NX only if supported (bnc#1012382).
- kaiser: Set _PAGE_NX only if supported (bnc#1012382).
- kbuild: add '-fno-stack-check' to kernel build options (bnc#1012382).
- kbuild: modversions for EXPORT_SYMBOL() for asm (bsc#1074621 bsc#1068032).
- kbuild: pkg: use --transform option to prefix paths in tar (bnc#1012382).
- kdb: Fix handling of kallsyms_symbol_next() return value (bnc#1012382).
- kernel/acct.c: fix the acct->needcheck check in check_free_space() (bnc#1012382).
- kernel: make groups_sort calling a responsibility group_info allocators (bnc#1012382).
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals (bnc#1012382).
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL (bnc#1012382).
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() (bnc#1012382).
- keys: add missing permission check for request_key() destination (bnc#1012382).
- kprobes/x86: Disable preemption in ftrace-based jprobes (bnc#1012382).
- kpti: Rename to PAGE_TABLE_ISOLATION (bnc#1012382).
- kpti: Report when enabled (bnc#1012382).
- kvm: Fix stack-out-of-bounds read in write_mmio (bnc#1012382).
- kvm: nVMX: reset nested_run_pending if the vCPU is going to be reset (bnc#1012382).
- kvm: nVMX: VMCLEAR should not cause the vCPU to shut down (bnc#1012382).
- kvm: pci-assign: do not map smm memory slot pages in vt-d page tables (bnc#1012382).
- kvm: s390: Enable all facility bits that are known good for passthrough (bsc#1076805).
- kvm: s390: wire up bpb feature (bsc#1076805).
- kvm: VMX: Fix enable VPID conditions (bnc#1012382).
- kvm: VMX: remove I/O port 0x80 bypass on Intel hosts (bnc#1012382).
- kvm: vmx: Scrub hardware GPRs at VM-exit (bnc#1012382 bsc#1068032).
- kvm: x86: Add memory barrier on vmcs field lookup (bnc#1012382).
- kvm: x86: correct async page present tracepoint (bnc#1012382).
- kvm: x86: Exit to user-mode on #UD intercept when emulator requires (bnc#1012382).
- kvm: X86: Fix load RFLAGS w/o the fixed bit (bnc#1012382).
- kvm: x86: fix RSM when PCID is non-zero (bnc#1012382).
- kvm: x86: inject exceptions produced by x86_decode_insn (bnc#1012382).
- kvm: x86: pvclock: Handle first-time write to pvclock-page contains random junk (bnc#1012382).
- l2tp: cleanup l2tp_tunnel_delete calls (bnc#1012382).
- lan78xx: Fix failure in USB Full Speed (bnc#1012382).
- libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (bnc#1012382).
- libata: drop WARN from protocol error in ata_sff_qc_issue() (bnc#1012382).
- lib/genalloc.c: make the avail variable an atomic_long_t (bnc#1012382).
- macvlan: Only deliver one copy of the frame to the macvlan interface (bnc#1012382).
- md: more open-coded offset_in_page() (bsc#1076110).
- media: dvb: i2c transfers over usb cannot be done from stack (bnc#1012382).
- mfd: cros ec: spi: Do not send first message too soon (bnc#1012382).
- mfd: twl4030-audio: Fix sibling-node lookup (bnc#1012382).
- mfd: twl6040: Fix child-node lookup (bnc#1012382).
- mlxsw: reg: Fix SPVMLR max record count (bnc#1012382).
- mlxsw: reg: Fix SPVM max record count (bnc#1012382).
- mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers (bnc#1012382).
- mmc: core: Do not leave the block driver in a suspended state (bnc#1012382).
- mmc: mediatek: Fixed bug where clock frequency could be set wrong (bnc#1012382).
- mm: drop unused pmdp_huge_get_and_clear_notify() (bnc#1012382).
- mm: Handle 0 flags in _calc_vm_trans() macro (bnc#1012382).
- mm/mprotect: add a cond_resched() inside change_pmd_range() (bnc#1077871, bnc#1078002).
- mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP (bnc#1012382).
- module: Add retpoline tag to VERMAGIC (bnc#1012382).
- module: set __jump_table alignment to 8 (bnc#1012382).
- more bio_map_user_iov() leak fixes (bnc#1012382).
- mtd: nand: Fix writing mtdoops to nand flash (bnc#1012382).
- net: Allow neigh contructor functions ability to modify the primary_key (bnc#1012382).
- net/appletalk: Fix kernel memory disclosure (bnc#1012382).
- net: bcmgenet: correct MIB access of UniMAC RUNT counters (bnc#1012382).
- net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values (bnc#1012382).
- net: bcmgenet: power down internal phy if open or resume fails (bnc#1012382).
- net: bcmgenet: Power up the internal PHY before probing the MII (bnc#1012382).
- net: bcmgenet: reserved phy revisions must be checked first (bnc#1012382).
- net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks (bnc#1012382).
- net: core: fix module type in sock_diag_bind (bnc#1012382).
- net: Do not allow negative values for busy_read and busy_poll sysctl interfaces (bnc#1012382).
- net: fec: fix multicast filtering hardware setup (bnc#1012382).
- netfilter: bridge: honor frag_max_size when refragmenting (bnc#1012382).
- netfilter: do not track fragmented packets (bnc#1012382).
- netfilter: ipvs: Fix inappropriate output of procfs (bnc#1012382).
- netfilter: nfnetlink_queue: fix secctx memory leak (bnc#1012382).
- netfilter: nfnetlink_queue: fix timestamp attribute (bsc#1074134).
- netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table (bnc#1012382).
- netfilter: nfnl_cthelper: Fix memory leak (bnc#1012382).
- netfilter: nfnl_cthelper: fix runtime expectation policy updates (bnc#1012382).
- net: Fix double free and memory corruption in get_net_ns_by_id() (bnc#1012382).
- net: igmp: fix source address check for IGMPv3 reports (bnc#1012382).
- net: igmp: Use correct source address on IGMPv3 reports (bnc#1012382).
- net: initialize msg.msg_flags in recvfrom (bnc#1012382).
- net: ipv4: fix for a race condition in raw_sendmsg (bnc#1012382).
- netlink: add a start callback for starting a netlink dump (bnc#1012382).
- net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y (bnc#1012382).
- net/mlx5: Avoid NULL pointer dereference on steering cleanup (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Cleanup IRQs in case of unload failure (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Add refcount to VXLAN structure (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix ETS BW check (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix features check of IPv6 traffic (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare (bsc#1015342).
- net/mlx5e: Fix possible deadlock of VXLAN lock (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Prevent possible races in VXLAN control flow (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5: Fix error flow in CREATE_QP command (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix rate limit packet pacing naming and struct (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Stay in polling mode when command EQ destroy fails (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case (bnc#1012382).
- net: mvneta: clear interface link status on port disable (bnc#1012382).
- net: mvneta: eliminate wrong call to handle rx descriptor error (fate#319899).
- net: mvneta: use proper rxq_number in loop on rx queues (fate#319899).
- net/packet: fix a race in packet_bind() and packet_notifier() (bnc#1012382).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bnc#1012382).
- net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround (bnc#1012382).
- net: qdisc_pkt_len_init() should be more robust (bnc#1012382).
- net: qmi_wwan: add Sierra EM7565 1199:9091 (bnc#1012382).
- net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4 (bnc#1012382).
- net: reevalulate autoflowlabel setting after sysctl setting (bnc#1012382).
- net: Resend IGMP memberships upon peer notification (bnc#1012382).
- net: sctp: fix array overrun read on sctp_timer_tbl (bnc#1012382).
- net: stmmac: enable EEE in MII, GMII or RGMII only (bnc#1012382).
- net: systemport: Pad packet before inserting TSB (bnc#1012382).
- net: systemport: Utilize skb_put_padto() (bnc#1012382).
- net: tcp: close sock if net namespace is exiting (bnc#1012382).
- net: wimax/i2400m: fix NULL-deref at probe (bnc#1012382).
- nfsd: auth: Fix gid sorting when rootsquash enabled (bnc#1012382).
- nfsd: Fix another OPEN stateid race (bnc#1012382).
- nfsd: fix nfsd_minorversion(.., NFSD_AVAIL) (bnc#1012382).
- nfsd: fix nfsd_reset_versions for NFSv4 (bnc#1012382).
- nfsd: Fix stateid races between OPEN and CLOSE (bnc#1012382).
- nfsd: Make init_open_stateid() a bit more whole (bnc#1012382).
- nfs: Do not take a reference on fl->fl_file for LOCK operation (bnc#1012382).
- nfs: Fix a typo in nfs_rename() (bnc#1012382).
- nfs: improve shinking of access cache (bsc#1012917).
- nfsv4.1 respect server's max size in CREATE_SESSION (bnc#1012382).
- nfsv4: Fix client recovery when server reboots multiple times (bnc#1012382).
- nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() (bnc#1012382).
- n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) (bnc#1012382).
- nvme_fc: correct hang in nvme_ns_remove() (bsc#1075811).
- nvme_fc: fix rogue admin cmds stalling teardown (bsc#1075811).
- nvme-pci: Remove watchdog timer (bsc#1066163).
- openrisc: fix issue handling 8 byte get_user calls (bnc#1012382).
- packet: fix crash in fanout_demux_rollover() (bnc#1012382).
- parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel (bnc#1012382).
- parisc: Hide Diva-built-in serial aux and graphics card (bnc#1012382).
- partially revert tipc improve link resiliency when rps is activated (bsc#1068038).
- pci/AER: Report non-fatal errors only to the affected endpoint (bnc#1012382).
- pci: Avoid bus reset if bridge itself is broken (bnc#1012382).
- pci: Create SR-IOV virtfn/physfn links before attaching driver (bnc#1012382).
- pci: Detach driver before procfs & sysfs teardown on device remove (bnc#1012382).
- pci/PME: Handle invalid data when reading Root Status (bnc#1012382).
- pci / PM: Force devices to D0 in pci_pm_thaw_noirq() (bnc#1012382).
- perf symbols: Fix symbols__fixup_end heuristic for corner cases (bnc#1012382).
- perf test attr: Fix ignored test case result (bnc#1012382).
- phy: work around 'phys' references to usb-nop-xceiv devices (bnc#1012382).
- pinctrl: adi2: Fix Kconfig build problem (bnc#1012382).
- pinctrl: st: add irq_request/release_resources callbacks (bnc#1012382).
- pipe: avoid round_pipe_size() nr_pages overflow on 32-bit (bnc#1012382).
- powerpc/64: Add macros for annotating the destination of rfid/hrfid (bsc#1068032, bsc#1075087).
- powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64s: Add EX_SIZE definition for paca exception save areas (bsc#1068032, bsc#1075087).
- powerpc/64s: Add support for RFI flush of L1-D cache (bsc#1068032,  bsc#1075087).
- powerpc/64s: Allow control of RFI flush via debugfs (bsc#1068032, bsc#1075087).
- powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL (bsc#1068032, bsc#1075087).
- powerpc/64s: Simple RFI macro conversions (bsc#1068032, bsc#1075087).
- powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti (bsc#1068032, bsc#1075087).
- powerpc/64s: Wire up cpu_show_meltdown() (bsc#1068032).
- powerpc/asm: Allow including ppc_asm.h in asm files (bsc#1068032, bsc#1075087).
- powerpc/ipic: Fix status get and status clear (bnc#1012382).
- powerpc/perf: Dereference BHRB entries safely (bsc#1066223).
- powerpc/perf/hv-24x7: Fix incorrect comparison in memord (bnc#1012382).
- powerpc/powernv: Check device-tree for RFI flush settings (bsc#1068032,  bsc#1075087).
- powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo (bnc#1012382).
- powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested (bnc#1012382).
- powerpc/pseries: include linux/types.h in asm/hvcall.h (bsc#1068032, bsc#1075087).
- powerpc/pseries: Introduce H_GET_CPU_CHARACTERISTICS (bsc#1068032, bsc#1075087).
- powerpc/pseries: Query hypervisor for RFI flush settings (bsc#1068032,  bsc#1075087).
- powerpc/pseries/rfi-flush: Call setup_rfi_flush() after LPM migration (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Add DEBUG_RFI config option (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Make setup_rfi_flush() not __init (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Move RFI flush fields out of the paca (unbreak kABI) (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: Move the logic to avoid a redo into the sysfs code (bsc#1068032, bsc#1075087).
- powerpc/rfi-flush: prevent crash when changing flush type to fallback after system boot (bsc#1068032, bsc#1075087).
- ppp: Destroy the mutex when cleanup (bnc#1012382).
- pppoe: take ->needed_headroom of lower device into account on xmit (bnc#1012382).
- pti: unbreak EFI (bsc#1074709).
- r8152: fix the list rx_done may be used without initialization (bnc#1012382).
- r8152: prevent the driver from transmitting packets with carrier off (bnc#1012382).
- r8169: fix memory corruption on retrieval of hardware statistics (bnc#1012382).
- raid5: Set R5_Expanded on parity devices as well as data (bnc#1012382).
- ravb: Remove Rx overflow log messages (bnc#1012382).
- rbd: set max_segments to USHRT_MAX (bnc#1012382).
- rdma/cma: Avoid triggering undefined behavior (bnc#1012382).
- rdma/i40iw: Remove MSS change support (bsc#1024376 FATE#321249).
- rds: Fix NULL pointer dereference in __rds_rdma_map (bnc#1012382).
- rds: Heap OOB write in rds_message_alloc_sgs() (bnc#1012382).
- rds: null pointer dereference in rds_atomic_free_op (bnc#1012382).
- Re-enable fixup detection by CPU type in case hypervisor call fails.
- regulator: core: Rely on regulator_dev_release to free constraints (bsc#1074847).
- regulator: da9063: Return an error code on probe failure (bsc#1074847).
- regulator: pwm: Fix regulator ramp delay for continuous mode (bsc#1074847).
- regulator: Try to resolve regulators supplies on registration (bsc#1074847).
- Revert 'Bluetooth: btusb: driver to enable the usb-wakeup feature' (bnc#1012382).
- Revert 'drm/armada: Fix compile fail' (bnc#1012382).
- Revert 'drm/radeon: dont switch vt on suspend' (bnc#1012382).
- Revert 'ipsec: Fix aborted xfrm policy dump crash' (kabi).
- Revert 'kaiser: vmstat show NR_KAISERTABLE as nr_overhead' (kabi).
- Revert 'lib/genalloc.c: make the avail variable an atomic_long_t' (kabi).
- Revert 'module: Add retpoline tag to VERMAGIC' (bnc#1012382 kabi).
- Revert 'module: Add retpoline tag to VERMAGIC' (kabi).
- Revert 'netlink: add a start callback for starting a netlink dump' (kabi).
- Revert 'ocfs2: should wait dio before inode lock in ocfs2_setattr()' (bnc#1012382).
- Revert 'Re-enable fixup detection by CPU type in case hypervisor call fails.' The firmware update is required for the existing instructions to also do the cache flush.
- Revert 's390/kbuild: enable modversions for symbols exported from asm' (bnc#1012382).
- Revert 'sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks' (kabi).
- Revert 'scsi: libsas: align sata_device's rps_resp on a cacheline' (kabi).
- Revert 'spi: SPI_FSL_DSPI should depend on HAS_DMA' (bnc#1012382).
- Revert 'userfaultfd: selftest: vm: allow to build in vm/ directory' (bnc#1012382).
- Revert 'x86/efi: Build our own page table structures' (bnc#1012382).
- Revert 'x86/efi: Hoist page table switching code into efi_call_virt()' (bnc#1012382).
- Revert 'x86/mm/pat: Ensure cpa->pfn only contains page frame numbers' (bnc#1012382).
- rfi-flush: Make DEBUG_RFI a CONFIG option (bsc#1068032, bsc#1075087).
- ring-buffer: Mask out the info bits when returning buffer page length (bnc#1012382).
- route: also update fnhe_genid when updating a route cache (bnc#1012382).
- route: update fnhe_expires for redirect when the fnhe exists (bnc#1012382).
- rtc: cmos: Initialize hpet timer before irq is registered (bsc#1077592).
- rtc: pcf8563: fix output clock rate (bnc#1012382).
- rtc: pl031: make interrupt optional (bnc#1012382).
- rtc: set the alarm to the next expiring timer (bnc#1012382).
- s390: always save and restore all registers on context switch (bnc#1012382).
- s390/cpuinfo: show facilities as reported by stfle (bnc#1076847, LTC#163740).
- s390: fix compat system call table (bnc#1012382).
- s390/pci: do not require AIS facility (bnc#1012382).
- s390/qeth: no ETH header for outbound AF_IUCV (LTC#156276 bnc#1012382 bnc#1053472).
- s390/runtime instrumentation: simplify task exit handling (bnc#1012382).
- sch_dsmark: fix invalid skb_cow() usage (bnc#1012382).
- sched/deadline: Make sure the replenishment timer fires in the next period (bnc#1012382).
- sched/deadline: Throttle a constrained deadline task activated after the deadline (bnc#1012382).
- sched/deadline: Use deadline instead of period when calculating overflow (bnc#1012382).
- sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks (bnc#1012382).
- sched/deadline: Zero out positive runtime after throttling constrained tasks (git-fixes).
- sched/rt: Do not pull from current CPU if only one CPU to pull (bnc#1022476).
- scsi: bfa: integer overflow in debugfs (bnc#1012382).
- scsi: cxgb4i: fix Tx skb leak (bnc#1012382).
- scsi: handle ABORTED_COMMAND on Fujitsu ETERNUS (bsc#1069138).
- scsi: hpsa: cleanup sas_phy structures in sysfs when unloading (bnc#1012382).
- scsi: hpsa: destroy sas transport properties before scsi_host (bnc#1012382).
- scsi: libsas: align sata_device's rps_resp on a cacheline (bnc#1012382).
- scsi: lpfc: Use after free in lpfc_rq_buf_free() (bsc#1037838).
- scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive (bnc#1012382).
- scsi: sd: change allow_restart to bool in sysfs interface (bnc#1012382).
- scsi: sd: change manage_start_stop to bool in sysfs interface (bnc#1012382).
- scsi: sg: disable SET_FORCE_LOW_DMA (bnc#1012382).
- scsi: sr: wait for the medium to become ready (bsc#1048585).
- sctp: do not allow the v4 socket to bind a v4mapped v6 address (bnc#1012382).
- sctp: do not free asoc when it is already dead in sctp_sendmsg (bnc#1012382).
- sctp: Replace use of sockets_allocated with specified macro (bnc#1012382).
- sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf (bnc#1012382).
- sctp: use the right sk after waking up from wait_buf sleep (bnc#1012382).
- selftest/powerpc: Fix false failures for skipped tests (bnc#1012382).
- selftests/x86: Add test_vsyscall (bnc#1012382).
- selftests/x86/ldt_get: Add a few additional tests for limits (bnc#1012382).
- serial: 8250_pci: Add Amazon PCI serial device ID (bnc#1012382).
- serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X (bnc#1012382).
- series.conf: move core networking (including netfilter) into sorted section
- series.conf: whitespace cleanup
- Set supported_modules_check 1 (bsc#1072163).
- sfc: do not warn on successful change of MAC (bnc#1012382).
- sh_eth: fix SH7757 GEther initialization (bnc#1012382).
- sh_eth: fix TSU resource handling (bnc#1012382).
- sit: update frag_off info (bnc#1012382).
- sock: free skb in skb_complete_tx_timestamp on error (bnc#1012382).
- sparc64/mm: set fields in deferred pages (bnc#1012382).
- spi_ks8995: fix 'BUG: key accdaa28 not in .data!' (bnc#1012382).
- spi: sh-msiof: Fix DMA transfer size check (bnc#1012382).
- spi: xilinx: Detect stall with Unknown commands (bnc#1012382).
- staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl (bnc#1012382).
- sunrpc: add auth_unix hash_cred() function (bsc#1012917).
- sunrpc: add generic_auth hash_cred() function (bsc#1012917).
- sunrpc: add hash_cred() function to rpc_authops struct (bsc#1012917).
- sunrpc: add RPCSEC_GSS hash_cred() function (bsc#1012917).
- sunrpc: Fix rpc_task_begin trace point (bnc#1012382).
- sunrpc: replace generic auth_cred hash with auth-specific function (bsc#1012917).
- sunrpc: use supplimental groups in auth hash (bsc#1012917).
- sunxi-rsb: Include OF based modalias in device uevent (bnc#1012382).
- sysfs/cpu: Add vulnerability folder (bnc#1012382).
- sysfs/cpu: Fix typos in vulnerability documentation (bnc#1012382).
- sysfs: spectre_v2, handle spec_ctrl (bsc#1075994 bsc#1075091).
- sysrq : fix Show Regs call trace on ARM (bnc#1012382).
- target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK (bnc#1012382).
- target/file: Do not return error for UNMAP if length is zero (bnc#1012382).
- target: fix ALUA transition timeout handling (bnc#1012382).
- target:fix condition return in core_pr_dump_initiator_port() (bnc#1012382).
- target: fix race during implicit transition work flushes (bnc#1012382).
- target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd() (bnc#1012382).
- target: Use system workqueue for ALUA transitions (bnc#1012382).
- tcp: correct memory barrier usage in tcp_check_space() (bnc#1012382).
- tcp: fix under-evaluated ssthresh in TCP Vegas (bnc#1012382).
- tcp md5sig: Use skb's saddr when replying to an incoming segment (bnc#1012382).
- tcp: __tcp_hdrlen() helper (bnc#1012382).
- tg3: Fix rx hang on MTU change with 5717/5719 (bnc#1012382).
- thermal/drivers/step_wise: Fix temperature regulation misbehavior (bnc#1012382).
- thermal: hisilicon: Handle return value of clk_prepare_enable (bnc#1012382).
- tipc: fix cleanup at module unload (bnc#1012382).
- tipc: fix memory leak in tipc_accept_from_sock() (bnc#1012382).
- tipc: improve link resiliency when rps is activated (bsc#1068038).
- tracing: Allocate mask_str buffer dynamically (bnc#1012382).
- tracing: Fix converting enum's from the map in trace_event_eval_update() (bnc#1012382).
- tracing: Fix crash when it fails to alloc ring buffer (bnc#1012382).
- tracing: Fix possible double free on failure of allocating trace buffer (bnc#1012382).
- tracing: Remove extra zeroing out of the ring buffer page (bnc#1012382).
- tty fix oops when rmmod 8250 (bnc#1012382).
- uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices (bnc#1012382).
- uas: ignore UAS for Norelsys NS1068(X) chips (bnc#1012382).
- udf: Avoid overflow when session starts at large offset (bnc#1012382).
- um: link vmlinux with -no-pie (bnc#1012382).
- usb: Add device quirk for Logitech HD Pro Webcam C925e (bnc#1012382).
- usb: add RESET_RESUME for ELSA MicroLink 56K (bnc#1012382).
- usb: core: Add type-specific length check of BOS descriptors (bnc#1012382).
- usb: core: prevent malicious bNumInterfaces overflow (bnc#1012382).
- usb: devio: Prevent integer overflow in proc_do_submiturb() (bnc#1012382).
- usb: Fix off by one in type-specific length check of BOS SSP capability (git-fixes).
- usb: fix usbmon BUG trigger (bnc#1012382).
- usb: gadget: configs: plug memory leak (bnc#1012382).
- usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping (bnc#1012382).
- usb: gadgetfs: Fix a potential memory leak in 'dev_config()' (bnc#1012382).
- usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed (bnc#1012382).
- usb: gadget: udc: remove pointer dereference after free (bnc#1012382).
- usb: hub: Cycle HUB power when initialization fails (bnc#1012382).
- usb: Increase usbfs transfer limit (bnc#1012382).
- usbip: Fix implicit fallthrough warning (bnc#1012382).
- usbip: Fix potential format overflow in userspace tools (bnc#1012382).
- usbip: fix stub_rx: get_pipe() to validate endpoint number (bnc#1012382).
- usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input (bnc#1012382).
- usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer (bnc#1012382).
- usbip: fix usbip bind writing random string after command in match_busid (bnc#1012382).
- usbip: prevent leaking socket pointer address in messages (bnc#1012382).
- usbip: prevent vhci_hcd driver from leaking a socket pointer address (bnc#1012382).
- usbip: remove kernel addresses from usb device and urb debug msgs (bnc#1012382).
- usbip: stub: stop printing kernel pointer addresses in messages (bnc#1012382).
- usbip: vhci: stop printing kernel pointer addresses in messages (bnc#1012382).
- usb: misc: usb3503: make sure reset is low for at least 100us (bnc#1012382).
- usb: musb: da8xx: fix babble condition handling (bnc#1012382).
- usb: phy: isp1301: Add OF device ID table (bnc#1012382).
- usb: phy: isp1301: Fix build warning when CONFIG_OF is disabled (git-fixes).
- usb: phy: tahvo: fix error handling in tahvo_usb_probe() (bnc#1012382).
- usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub (bnc#1012382).
- usb: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ (bnc#1012382).
- usb: serial: cp210x: add new device ID ELV ALC 8xxx (bnc#1012382).
- usb: serial: ftdi_sio: add id for Airbus DS P8GR (bnc#1012382).
- usb: serial: option: adding support for YUGA CLM920-NC5 (bnc#1012382).
- usb: serial: option: add Quectel BG96 id (bnc#1012382).
- usb: serial: option: add support for Telit ME910 PID 0x1101 (bnc#1012382).
- usb: serial: qcserial: add Sierra Wireless EM7565 (bnc#1012382).
- usb: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID (bnc#1012382).
- usb: usbfs: Filter flags passed in from user space (bnc#1012382).
- usb: usbip: Fix possible deadlocks reported by lockdep (bnc#1012382).
- usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 (bnc#1012382).
- usb: xhci: fix panic in xhci_free_virt_devices_depth_first (bnc#1012382).
- userfaultfd: selftest: vm: allow to build in vm/ directory (bnc#1012382).
- userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE (bnc#1012382).
- video: fbdev: au1200fb: Release some resources if a memory allocation fails (bnc#1012382).
- video: fbdev: au1200fb: Return an error code if a memory allocation fails (bnc#1012382).
- virtio: release virtio index when fail to device_register (bnc#1012382).
- vmxnet3: repair memory leak (bnc#1012382).
- vsyscall: Fix permissions for emulate mode with KAISER/PTI (bnc#1012382).
- vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend (bnc#1012382).
- vti6: Do not report path MTU below IPV6_MIN_MTU (bnc#1012382).
- vti6: fix device register to report IFLA_INFO_KIND (bnc#1012382).
- workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq (bnc#1012382).
- writeback: fix memory leak in wb_queue_work() (bnc#1012382).
- x.509: fix buffer overflow detection in sprint_oid() (bsc#1075078).
- x509: fix printing uninitialized stack memory when OID is empty (bsc#1075078).
- x.509: reject invalid BIT STRING for subjectPublicKey (bnc#1012382).
- x86/acpi: Handle SCI interrupts above legacy space gracefully (bsc#1068984).
- x86/acpi: Reduce code duplication in mp_override_legacy_irq() (bsc#1068984).
- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm (bnc#1012382).
- x86/alternatives: Fix optimize_nops() checking (bnc#1012382).
- x86/apic/vector: Fix off by one in error path (bnc#1012382).
- x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels (bnc#1012382).
- x86/boot: Fix early command-line parsing when matching at end (bsc#1068032).
- x86/cpu: Factor out application of forced CPU caps (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE (bnc#1012382).
- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (bnc#1012382).
- x86/cpufeatures: Make CPU bugs sticky (bnc#1012382).
- x86/cpu: Implement CPU vulnerabilites sysfs functions (bnc#1012382).
- x86/cpu: Merge bugs.c and bugs_64.c (bnc#1012382).
- x86/cpu: Rename Merrifield2 to Moorefield (bsc#985025).
- x86/cpu: Rename 'WESTMERE2' family to 'NEHALEM_G' (bsc#985025).
- x86/cpu, x86/pti: Do not enable PTI on AMD processors (bnc#1012382).
- x86/Documentation: Add PTI description (bnc#1012382).
- x86/efi-bgrt: Replace early_memremap() with memremap() (bnc#1012382).
- x86/efi: Build our own page table structures (fate#320512).
- x86/efi: Hoist page table switching code into efi_call_virt() (fate#320512).
- x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() (bnc#1012382).
- x86/hpet: Prevent might sleep splat on resume (bnc#1012382).
- x86/kasan: Clear kasan_zero_page after TLB flush (bnc#1012382).
- x86/kasan: Write protect kasan zero shadow (bnc#1012382).
- x86/microcode/intel: Extend BDW late-loading further with LLC size check (bnc#1012382).
- x86/microcode/intel: Extend BDW late-loading with a revision check (bnc#1012382).
- x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier (git-fixes).
- x86/mm: Disable PCID on 32-bit kernels (bnc#1012382).
- x86/mm/pat: Ensure cpa->pfn only contains page frame numbers (fate#320588).
- x86/PCI: Make broadcom_postcore_init() check acpi_disabled (bnc#1012382).
- x86/pti: Document fix wrong index (bnc#1012382).
- x86/pti/efi: broken conversion from efi to kernel page table (bnc#1012382).
- x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN (bnc#1012382).
- x86/retpolines/spec_ctrl: disable IBRS on !SKL if retpolines are active (bsc#1068032).
- x86/smpboot: Remove stale TLB flush invocations (bnc#1012382).
- x86/spectre_v2: fix ordering in IBRS initialization (bsc#1075994 bsc#1075091).
- x86/spectre_v2: nospectre_v2 means nospec too (bsc#1075994 bsc#1075091).
- x86/tlb: Drop the _GPL from the cpu_tlbstate export (bnc#1012382).
- x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() (bnc#1012382).
- xen-netfront: avoid crashing on resume after a failure in talk_to_netback() (bnc#1012382).
- xen-netfront: Improve error handling during initialization (bnc#1012382).
- xfrm: Copy policy family in clone_policy (bnc#1012382).
- xfs: add configurable error support to metadata buffers (bsc#1068569).
- xfs: add configuration handlers for specific errors (bsc#1068569).
- xfs: add configuration of error failure speed (bsc#1068569).
- xfs: add 'fail at unmount' error handling configuration (bsc#1068569).
- xfs: Add infrastructure needed for error propagation during buffer IO failure (bsc#1068569).
- xfs: address kabi for xfs buffer retry infrastructure (kabi).
- xfs: configurable error behavior via sysfs (bsc#1068569).
- xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real (bnc#1012382).
- xfs: fix log block underflow during recovery cycle verification (bnc#1012382).
- xfs: fix up inode32/64 (re)mount handling (bsc#1069160).
- xfs: introduce metadata IO error class (bsc#1068569).
- xfs: introduce table-based init for error behaviors (bsc#1068569).
- xfs: Properly retry failed inode items in case of error during buffer writeback (bsc#1068569).
- xfs: remove xfs_trans_ail_delete_bulk (bsc#1068569).
- xhci: Do not add a virt_dev to the devs array before it's fully allocated (bnc#1012382).
- xhci: Fix ring leak in failure path of xhci_alloc_virt_device() (bnc#1012382).
- xhci: plat: Register shutdown for xhci_plat (bnc#1012382).
- zram: set physical queue limits to avoid array out of bounds accesses (bnc#1012382).
- x86/microcode/intel: Fix BDW late-loading revision check (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-273
Released: Wed Feb  7 15:22:43 2018
Summary: Version update for docker, docker-runc, containerd, golang-github-docker-libnetwork
Severity: important
References: 1021227,1029320,1032287,1045628,1046024,1048046,1051429,1053532,1055676,1057743,1058173,1059011,1064926,1065109,1066210,1066801,1069468,1069758,1072798,CVE-2017-14992,CVE-2017-16539
Description:

This update for docker, docker-runc, containerd, golang-github-docker-libnetwork fixes several issues.

These security issues were fixed:

- CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults.go docker did
  not block /proc/scsi pathnames, which allowed attackers to trigger data loss
  (when certain older Linux kernels are used) by leveraging Docker container
  access to write a 'scsi remove-single-device' line to /proc/scsi/scsi, aka SCSI
  MICDROP (bnc#1066801)

- CVE-2017-14992: Lack of content verification in docker allowed a remote
  attacker to cause a Denial of Service via a crafted image layer payload, aka
  gzip bombing. (bnc#1066210)

These non-security issues were fixed:

- bsc#1059011: The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script.
- bsc#1057743: New requirement with new version of docker-libnetwork.
- bsc#1032287: Missing docker systemd configuration.
- bsc#1057743: New 'symbol' for libnetwork requirement.
- bsc#1057743: Update secrets patch to handle 'old' containers that have orphaned secret data no longer available on the host.
- bsc#1055676: Update patches to correctly handle volumes and mounts when Docker is running with user namespaces enabled.
- bsc#1045628:: Add patch to make the dm storage driver remove a container's rootfs mountpoint before attempting to do libdm operations on it. This helps avoid complications when live mounts will leak into containers.
- bsc#1069758: Upgrade Docker to v17.09.1_ce (and obsolete docker-image-migrator).
- bsc#1021227: bsc#1029320 bsc#1058173 -- Enable docker devicemapper support for deferred removal/deletion within Containers module.
- bsc#1046024: Correct interaction between Docker and SuSEFirewall2, to avoid breaking Docker networking after boot.
- bsc#1048046: Build with -buildmode=pie to make all binaries PIC.
- bsc#1072798: Remove dependency on obsolete bridge-utils.
- bsc#1064926: Set --start-timeout=2m by default to match upstream. 
- bsc#1065109, bsc#1053532: Use the upstream makefile so that Docker can get the commit ID in `docker info`.

Please note that the 'docker-runc' package is just a rename of the old 'runc' package to match that we now ship the Docker fork of runc.
  

-----------------------------------------
Patch: SUSE-2018-276
Released: Thu Feb  8 17:47:43 2018
Summary: Security update for libxml2
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes one issue.

This security issue was fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions
  that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed
  remote attackers to cause a denial of service or possibly have
  unspecified other impact via vectors related to the XPointer range-to
  function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function
  xmlMemoryStrdup() (bsc#1078806)

  

-----------------------------------------
Patch: SUSE-2018-282
Released: Fri Feb  9 15:12:31 2018
Summary: Recommended update for sapconf
Severity: low
References: 1057986
Description:
This update for sapconf provides the following fix:

- Fix a variable assignment that was preventing the pagecache_limit_mb from being calculated
  correctly. (bsc#1057986)


-----------------------------------------
Patch: SUSE-2018-286
Released: Fri Feb  9 16:48:50 2018
Summary: Security update for freetype2
Severity: important
References: 1028103,1035807,1036457,1079600,CVE-2016-10244,CVE-2017-7864,CVE-2017-8105,CVE-2017-8287
Description:

  
This update for freetype2 fixes the following security issues:

- CVE-2016-10244: Make sure that the parse_charstrings function in
  type1/t1load.c does ensure that a font contains a glyph name to prevent a DoS
  through a heap-based buffer over-read or possibly have unspecified other
  impact via a crafted file (bsc#1028103)
- CVE-2017-8105: Fix an out-of-bounds write caused by a heap-based
  buffer overflow related to the t1_decoder_parse_charstrings function in
  psaux/t1decode.ca (bsc#1035807)
- CVE-2017-8287: an out-of-bounds write caused by a heap-based buffer
  overflow related to the t1_builder_close_contour function in psaux/psobjs.c
  (bsc#1036457)
- Fix several integer overflow issues in truetype/ttinterp.c (bsc#1079600)


-----------------------------------------
Patch: SUSE-2018-291
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fix:

- Allow process group assignment on all kernel versions to fix the usage of debug traps.
  (bsc#1057452)
- Fix a crash when filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.


-----------------------------------------
Patch: SUSE-2018-314
Released: Thu Feb 15 14:47:35 2018
Summary: Security update for glibc
Severity: important
References: 1037930,1051791,1073990,1074293,1079036,CVE-2017-12132,CVE-2017-8804,CVE-2018-1000001,CVE-2018-6485,CVE-2018-6551
Description:

  
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930)
- CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791)
- CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036)
- CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293)

Non security bugs fixed:

- Release read lock after resetting timeout (bsc#1073990)


-----------------------------------------
Patch: SUSE-2018-336
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issues:

- A DB_CONFIG file in the current working directory allowed local
  users to obtain sensitive information via a symlink attack
  involving a setgid or setuid application using libdb-4_8. (bsc#1043886)


-----------------------------------------
Patch: SUSE-2018-339
Released: Wed Feb 21 16:20:37 2018
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1078349
Description:
This update for google-compute-engine fixes the following issues:

- Improve rsyslog daemon reset when using the dhcp exit hook.
- The OS Login feature is generally available.
- Change the OS Login uid restriction to allow uid 1000.
- Close socket connections after requesting metadata.

-----------------------------------------
Patch: SUSE-2018-351
Released: Fri Feb 23 18:37:13 2018
Summary: Security update for dhcp
Severity: moderate
References: 1023415,1059061,1073935,1076119,987170,CVE-2017-3144
Description:
 This update for dhcp fixes several issues.

This security issue was fixed:

- CVE-2017-3144: OMAPI code didn't free socket descriptors when empty message
  is received allowing DoS (bsc#1076119).

These non-security issues were fixed:

- Optimized if and when DNS client context and ports are initted (bsc#1073935)
- Relax permission of dhclient-script for libguestfs (bsc#987170)
- Modify dhclient-script to handle static route updates (bsc#1023415).
- Use only the 12 least significant bits of an inbound packet's TCI value as the VLAN ID
  to fix some packages being wrongly discarded by the Linux packet filter. (bsc#1059061)


-----------------------------------------
Patch: SUSE-2018-354
Released: Mon Feb 26 14:38:42 2018
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1081436,1081437
Description:

    The SUSE Linux Enterprise 12 SP3 kernel was updated to fix a
    regression in the microcode loader that could lead to system
    crashes. [bsc#1081436, bsc#1081437]
  

-----------------------------------------
Patch: SUSE-2018-355
Released: Mon Feb 26 16:34:46 2018
Summary: Security update for systemd
Severity: moderate
References: 1057974,1068588,1071224,1071311,1075801,1077925,CVE-2017-18078
Description:

  
This update for systemd fixes the following issues:

Security issue fixed:

- CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
  hardlinked, unless protected_hardlinks sysctl is on. This could be used
  by local attackers to gain privileges (bsc#1077925)

Non Security issues fixed:

- core: use id unit when retrieving unit file state (#8038) (bsc#1075801)
- cryptsetup-generator: run cryptsetup service before swap unit (#5480)
- udev-rules: all values can contain escaped double quotes now (#6890)
- strv: fix buffer size calculation in strv_join_quoted()
- tmpfiles: change ownership of symlinks too
- stdio-bridge: Correctly propagate error
- stdio-bridge: remove dead code
- remove bus-proxyd (bsc#1057974)
- core/timer: Prevent timer looping when unit cannot start (bsc#1068588)

- Make systemd-timesyncd use the openSUSE NTP servers by default
  Previously systemd-timesyncd used the Google Public NTP servers
  time{1..4}.google.com

- Don't ship /usr/lib/systemd/system/tmp.mnt at all (bsc#1071224)
  But we still ship a copy in /var.
  Users who want to use tmpfs on /tmp are supposed to add a symlink in
  /etc/ pointing to the copy shipped in /var.
  To support the update path we automatically create the symlink if
  tmp.mount in use is located in /usr.

- Enable systemd-networkd on Leap distros only (bsc#1071311)



-----------------------------------------
Patch: SUSE-2018-375
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Severity: low
References: 1009905,1063910
Description:

This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)


-----------------------------------------
Patch: SUSE-2018-410
Released: Mon Mar  5 10:42:31 2018
Summary: Security update for cups
Severity: important
References: 1081557,CVE-2017-18190
Description:
This update for cups fixes the following issues:

- CVE-2017-18190: Removed localhost.localdomain from list
  of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP
  command execution in conjunction with DNS rebinding.
  (bsc#1081557)


-----------------------------------------
Patch: SUSE-2018-416
Released: Mon Mar  5 20:10:33 2018
Summary: Recommended update for icewm
Severity: low
References: 1026134
Description:

This update for icewm provides the following fixes:

- Use 'mutt' as the mail client linked in the system tray icon. Previously it
  attempted to run 'alpine', which is not available on SUSE Linux Enterprise.
  (bsc#1026134)


-----------------------------------------
Patch: SUSE-2018-417
Released: Mon Mar  5 20:11:31 2018
Summary: Recommended update for supportutils
Severity: low
References: 1051237,1074866,1074867,1074868
Description:
This update for supportutils provides the following fixes:

- Fix picking up Infiniband data by requiring rdma-core. (bsc#1051237)
- route replaced with ip route list (bsc#1074866)
- Added systemd-delta to systemd.txt (bsc#1074867)
- Changed from repos -u to repos -d to get the repos service included in supportconfig.
  (bsc#1074868)


-----------------------------------------
Patch: SUSE-2018-419
Released: Tue Mar  6 12:47:44 2018
Summary: Recommended update for grub2
Severity: low
References: 1065349,1071239,1079330
Description:
This update for grub2 provides the following fixes:

- Check if the default entry needs to be corrected for updated distributor version and/or
  use fallback entry if the default kernel entry was removed. (bsc#1065349)
- Fix grub2-mkconfig warning when disk is a LVM PV. (bsc#1071239)
- Fix unquoted string errors and add some more checks. (bsc#1079330)


-----------------------------------------
Patch: SUSE-2018-425
Released: Wed Mar  7 20:45:27 2018
Summary: Recommended update for yast2, yast2-nfs-client, yast2-services-manager
Severity: moderate
References: 1037214,1037891,1045658,1049138,1058376,1061306,1064437,1075535,1077310,956755
Description:
This update for yast2, yast2-nfs-client and yast2-services-manager provides fixes and enhancements:

- Use fewer calls to systemctl to speed up startup. (bsc#1045658)
- Implement performance enhancements for handling systemd services. (bsc#1045658)
- Add YaST2 logs to the default list of files for System Log browser. (bsc#1049138)
- Fix the name and icon displayed for the application window. (bsc#1037891)
- Improve the logic to report if SuSEfirewall2 is selected or installed when installing
  OES using integrated media to make sure it gets properly activated. The problem would
  happen once the product is registered and manual network configuration is selected.
  (bsc#1037214)
- Fix storing device information to avoid incorrect 'not found' states when querying
  network interfaces subsequently. (bsc#956755, bsc#1061306)
- Add infrastructure to preserve existing comments in configuration files. (bsc#1064437)
- Preserve comments when editing /etc/fstab. (bsc#1064437)
- Fix starting Gnome Control Center. (bsc#1058376, bsc#1075535)
- Fixed list of the URL schemes without host and fix processing URLs with the 'hd:/' 
  scheme. (bsc#1077310)


-----------------------------------------
Patch: SUSE-2018-439
Released: Fri Mar  9 14:05:22 2018
Summary: Security update for augeas
Severity: low
References: 1054171,CVE-2017-7555
Description:
This update for augeas fixes the following issues:

Security issue fixed:

- CVE-2017-7555: Fix a memory corruption bug could have lead to arbitrary code execution
  by passing crafted strings that would be mis-handled by parse_name() (bsc#1054171).


-----------------------------------------
Patch: SUSE-2018-443
Released: Fri Mar  9 18:02:14 2018
Summary: Security update for glibc
Severity: moderate
References: 1081556,CVE-2017-12133
Description:
This update for glibc fixes the following issues:

- CVE-2017-12133: Avoid use-after-free read access in clntudp_call (bsc#1081556)



-----------------------------------------
Patch: SUSE-2018-446
Released: Mon Mar 12 13:13:55 2018
Summary: Security update for shadow
Severity: moderate
References: 1081294,CVE-2018-7169
Description:
This update for shadow fixes the following issues:

- CVE-2018-7169: Fixed an privilege escalation in newgidmap,
  which allowed an unprivileged user to be placed in a user namespace where
  setgroups(2) is allowed. (bsc#1081294)


-----------------------------------------
Patch: SUSE-2018-465
Released: Thu Mar 15 07:38:52 2018
Summary: Recommended update for systemd
Severity: moderate
References: 1075743,1078358,1081170
Description:
This update for systemd fixes the following issues:

- Add dmi/id conditions to 80-acpi-container-hotplug.rules to restrict
  the rule that it can only be triggered on Huawei Kunlun 9008, 9016 and
  9032 machines. (bsc#1078358, bsc#1081170, bsc#1075743)



-----------------------------------------
Patch: SUSE-2018-470
Released: Thu Mar 15 10:45:15 2018
Summary: Recommended update for release-notes-sles
Severity: low
References: 1061628,1073261,1080616,1081805,1083952
Description:
This update for release-notes-sles provides the following fixes (bsc#1083952):

- Added instructions for enabling unsupported features. (bsc#1073261)
- Added 'Journal checksumming' row to file system table. (bsc#1073261)
- Improve information on ReiserFS features. (bsc#1073261)
- Removed Certifications module from Modules table. (bsc#1080616)
- Postfix has been updated to Version 3.2.0. (FATE#322322, bsc#1081805)
- LibreOffice has been updated to Version 5.4. (FATE#323884)
- FreeRADIUS configuration needs to be merged manually. (FATE#324497, bsc#1061628)
- Unsupported ext4 features. (FATE#325367, bsc#1073261)


-----------------------------------------
Patch: SUSE-2018-472
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)


-----------------------------------------
Patch: SUSE-2018-500
Released: Mon Mar 19 17:48:38 2018
Summary: Recommended update for yast2-country
Severity: low
References: 1054917,1070305
Description:
This update for yast2-country provides the following fixes:

- Make sure the keyboard settings are properly applied in AutoYaST upgrades. (bsc#1070305)
- Display 'Uzhgorod' prefixed with its country (Ukraine) so that it is not seen as an
  unknown country. (bsc#1054917)
- Make it possible to select the language in CaaS Platform 2. (FATE#323837)


-----------------------------------------
Patch: SUSE-2018-503
Released: Tue Mar 20 14:11:36 2018
Summary: Recommended update for SUSEConnect
Severity: low
References: 1047153,914297,964013
Description:
This update for SUSEConnect provides the following fixes:

- Fix the connection of virt-create-rootfs to SMT server. (bsc#914297)
- Make the target_base_product parameter mandatory.
- Add YaST.system_offline_migrations.
- Improve the packaging. (bsc#964013)
- Fix building SLE15.
- Properly refresh zypper services when deactivating a product on SMT. (bsc#1047153)


-----------------------------------------
Patch: SUSE-2018-507
Released: Wed Mar 21 10:25:47 2018
Summary: Security update for samba, talloc, tevent
Severity: moderate
References: 1069666,1081741,1084191,CVE-2018-1050
Description:


Samba was updated to version 4.6.13 to fix several bugs. (bsc#1084191)

Security issue fixed:

- CVE-2018-1050: DOS vulnerability when SPOOLSS is run externally (bsc#1081741).

The library talloc was updated to version 2.1.10:

- build, documentation and python3 improvements

The library tevent was updated to version 0.9.34 (bsc#1069666);

- Remove unused select backend
- Fix a race condition in tevent_threaded_schedule_immediate(); (bso#13130);
- make tevent_req_print() more robust against crashes
- Fix mutex locking in tevent_threaded_context_destructor().
- Re-init threading in tevent_re_initialise().
- Include the finish location in tevent_req_default_print().



-----------------------------------------
Patch: SUSE-2018-517
Released: Thu Mar 22 07:17:01 2018
Summary: Recommended update for openssh
Severity: moderate
References: 1048367,1048982,1051559,1061061
Description:
This update for openssh provides the following fixes:

- Enable systemd integration to work around various race conditions on reporting failures
  of the service. (bsc#1048367 bsc#1061061)
- Re-add tcpwrappers support (forward ported) that had been removed with the upgrade to
  6.6p1. Please note that tcpwrappers support will not be available in subsequent major
  releases of SUSE Linux Enterprise. (bsc#1048982)
- Fix for socket forwarding when logging in as root on server-side (bsc#1051559)



-----------------------------------------
Patch: SUSE-2018-522
Released: Thu Mar 22 08:20:46 2018
Summary: Security update for curl
Severity: moderate
References: 1084521,1084524,1084532,CVE-2018-1000120,CVE-2018-1000121,CVE-2018-1000122
Description:
This update for curl fixes the following issues:

Following security issues were fixed:

- CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521).
- CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524).
- CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532).


-----------------------------------------
Patch: SUSE-2018-524
Released: Thu Mar 22 11:53:28 2018
Summary: Recommended update for zypp-plugin
Severity: low
References: 1081596
Description:
This update provides the new Python 3 module for the zypp-plugin.

-----------------------------------------
Patch: SUSE-2018-531
Released: Fri Mar 23 09:24:33 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1085687,CVE-2018-5146
Description:
This update for libvorbis fixes the following issues:

- CVE-2018-5146: Fixed out of bounds memory write while processing Vorbis audio data (bsc#1085687).


-----------------------------------------
Patch: SUSE-2018-534
Released: Fri Mar 23 13:41:32 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1006867,1012382,1015342,1015343,1020645,1022607,1024376,1027054,1031717,1033587,1034503,1042286,1043441,1043725,1043726,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1070404,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1073407,1074198,1074426,1075087,1076282,1076693,1076760,1076982,1077241,1077285,1077513,1077560,1077779,1078583,1078672,1078673,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,966170,966172,966328,969476,969477,975772,983145,CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18174,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.120 to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver. (bnc#1072865).
- CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the 'negative' state to avoid a race condition, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls (bnc#1062840 bnc#1065615).
- CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118).
- CVE-2017-16912: The 'get_pipe()' function (drivers/usb/usbip/stub_rx.c) allowed attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet (bnc#1078673).
- CVE-2017-16913: The 'stub_recv_cmd_submit()' function (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet (bnc#1078672).
- CVE-2017-17975: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c allowed attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure (bnc#1074426).
- CVE-2017-18174: The amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free (bnc#1080533).
- CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
- CVE-2018-1000026: A insufficient input validation vulnerability in bnx2x network card driver could result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM. (bnc#1079384).
- CVE-2018-8087: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c allowed local users to cause a denial of service (memory consumption) by triggering an out-of-array error case (bnc#1085053).
- CVE-2018-1068: Insufficient user provided offset checking in the ebtables compat code allowed local attackers to overwrite kernel memory and potentially execute code. (bsc#1085107)

The following non-security bugs were fixed:

- acpi / bus: Leave modalias empty for devices which are not present (bnc#1012382).
- acpi, nfit: fix health event notification (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393).
- acpi, nfit: fix register dimm error handling (FATE#321135, FATE#321217, FATE#321256, FATE#321391, FATE#321393).
- acpi: sbshc: remove raw pointer from printk() message (bnc#1012382).
- Add delay-init quirk for Corsair K70 RGB keyboards (bnc#1012382).
- add ip6_make_flowinfo helper (bsc#1042286).
- ahci: Add Intel Cannon Lake PCH-H PCI ID (bnc#1012382).
- ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI (bnc#1012382).
- ahci: Annotate PCI ids for mobile Intel chipsets as such (bnc#1012382).
- alpha: fix crash if pthread_create races with signal delivery (bnc#1012382).
- alpha: fix reboot on Avanti platform (bnc#1012382).
- alsa: hda/ca0132 - fix possible NULL pointer use (bnc#1012382).
- alsa: hda - Fix headset mic detection problem for two Dell machines (bnc#1012382).
- alsa: hda/realtek - Add headset mode support for Dell laptop (bsc#1031717).
- alsa: hda/realtek: PCI quirk for Fujitsu U7x7 (bnc#1012382).
- alsa: hda - Reduce the suspend time consumption for ALC256 (bsc#1031717).
- alsa: hda - Use IS_REACHABLE() for dependency on input (bsc#1031717).
- alsa: seq: Fix racy pool initializations (bnc#1012382).
- alsa: seq: Fix regression by incorrect ioctl_mutex usages (bnc#1012382).
- alsa: usb-audio: add implicit fb quirk for Behringer UFX1204 (bnc#1012382).
- alsa: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute (bnc#1012382).
- amd-xgbe: Fix unused suspend handlers build warning (bnc#1012382).
- arm64: add PTE_ADDR_MASK (bsc#1068032).
- arm64: barrier: Add CSDB macros to control data-value prediction (bsc#1068032).
- arm64: define BUG() instruction without CONFIG_BUG (bnc#1012382).
- arm64: Disable unhandled signal log messages by default (bnc#1012382).
- arm64: dts: add #cooling-cells to CPU nodes (bnc#1012382).
- arm64: entry: Apply BP hardening for high-priority synchronous exceptions (bsc#1068032).
- arm64: entry: Apply BP hardening for suspicious interrupts from EL0 (bsc#1068032).
- arm64: entry: Ensure branch through syscall table is bounded under speculation (bsc#1068032).
- arm64: entry: Reword comment about post_ttbr_update_workaround (bsc#1068032).
- arm64: Force KPTI to be disabled on Cavium ThunderX (bsc#1068032).
- arm64: futex: Mask __user pointers prior to dereference (bsc#1068032).
- arm64: idmap: Use 'awx' flags for .idmap.text .pushsection directives (bsc#1068032).
- arm64: Implement array_index_mask_nospec() (bsc#1068032).
- arm64: Kconfig: select COMPAT_BINFMT_ELF only when BINFMT_ELF is set (bnc#1012382).
- arm64: kpti: Add -&gt;enable callback to remap swapper using nG mappings (bsc#1068032).
- arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() (bsc#1068032).
- arm64: Make USER_DS an inclusive limit (bsc#1068032).
- arm64: mm: Permit transitioning from Global to Non-Global without BBM (bsc#1068032).
- arm64: move TASK_* definitions to &lt;asm/processor.h&gt; (bsc#1068032).
- arm64: Run enable method for errata work arounds on late CPUs (bsc#1085045).
- arm64: uaccess: Do not bother eliding access_ok checks in __{get, put}_user (bsc#1068032).
- arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user (bsc#1068032).
- arm64: uaccess: Prevent speculative use of the current addr_limit (bsc#1068032).
- arm64: Use pointer masking to limit uaccess speculation (bsc#1068032).
- arm: 8731/1: Fix csum_partial_copy_from_user() stack mismatch (bnc#1012382).
- arm: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function (bnc#1012382).
- arm: dts: am4372: Correct the interrupts_properties of McASP (bnc#1012382).
- arm: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen (bnc#1012382).
- arm: dts: ls1021a: fix incorrect clock references (bnc#1012382).
- arm: dts: s5pv210: add interrupt-parent for ohci (bnc#1012382).
- arm: dts: STi: Add gpio polarity for 'hdmi,hpd-gpio' property (bnc#1012382).
- arm: kvm: Fix SMCCC handling of unimplemented SMC/HVC calls (bnc#1012382).
- arm: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context (bnc#1012382).
- arm: omap2: hide omap3_save_secure_ram on non-OMAP3 builds (git-fixes).
- arm: pxa/tosa-bt: add MODULE_LICENSE tag (bnc#1012382).
- arm: spear13xx: Fix dmas cells (bnc#1012382).
- arm: spear13xx: Fix spics gpio controller's warning (bnc#1012382).
- arm: spear600: Add missing interrupt-parent of rtc (bnc#1012382).
- arm: tegra: select USB_ULPI from EHCI rather than platform (bnc#1012382).
- asoc: au1x: Fix timeout tests in au1xac97c_ac97_read() (bsc#1031717).
- asoc: Intel: Kconfig: fix build when ACPI is not enabled (bnc#1012382).
- asoc: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' (bsc#1031717).
- asoc: mediatek: add i2c dependency (bnc#1012382).
- asoc: nuc900: Fix a loop timeout test (bsc#1031717).
- asoc: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- asoc: rockchip: disable clock on error (bnc#1012382).
- asoc: rsnd: avoid duplicate free_irq() (bnc#1012382).
- asoc: rsnd: do not call free_irq() on Parent SSI (bnc#1012382).
- asoc: simple-card: Fix misleading error message (bnc#1012382).
- asoc: ux500: add MODULE_LICENSE tag (bnc#1012382).
- ata: ahci_xgene: free structure returned by acpi_get_object_info() (bsc#1082979).
- ata: pata_artop: remove redundant initialization of pio (bsc#1082979).
- ata: sata_dwc_460ex: remove incorrect locking (bsc#1082979).
- b2c2: flexcop: avoid unused function warnings (bnc#1012382).
- binder: add missing binder_unlock() (bnc#1012382).
- binder: check for binder_thread allocation failure in binder_poll() (bnc#1012382).
- binfmt_elf: compat: avoid unused function warning (bnc#1012382).
- blk-mq: add warning to __blk_mq_run_hw_queue() for ints disabled (bsc#1084772).
- blk-mq: stop 'delayed_run_work' in blk_mq_stop_hw_queue() (bsc#1084967).
- blk-mq: turn WARN_ON in __blk_mq_run_hw_queue into printk (bsc#1084772).
- blktrace: fix unlocked registration of tracepoints (bnc#1012382).
- block: fix an error code in add_partition() (bsc#1082979).
- block: Fix __bio_integrity_endio() documentation (bsc#1082979).
- bluetooth: btsdio: Do not bind to non-removable BCM43341 (bnc#1012382).
- bluetooth: btusb: Restore QCA Rome suspend/resume fix with a 'rewritten' version (bnc#1012382).
- bnx2x: Improve reliability in case of nested PCI errors (bnc#1012382).
- bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine (bnc#1012382).
- bpf: arsh is not supported in 32 bit alu thus reject it (bnc#1012382).
- bpf: avoid false sharing of map refcount with max_entries (bnc#1012382).
- bpf: fix 32-bit divide by zero (bnc#1012382).
- bpf: fix bpf_tail_call() x64 JIT (bnc#1012382).
- bpf: fix divides by zero (bnc#1012382).
- bpf: introduce BPF_JIT_ALWAYS_ON config (bnc#1012382).
- bpf: reject stores into ctx via st and xadd (bnc#1012382).
- bridge: implement missing ndo_uninit() (bsc#1042286).
- bridge: move bridge multicast cleanup to ndo_uninit (bsc#1042286).
- btrfs: copy fsid to super_block s_uuid (bsc#1080774).
- btrfs: fix crash due to not cleaning up tree log block's dirty bits (bnc#1012382).
- btrfs: fix deadlock in run_delalloc_nocow (bnc#1012382).
- btrfs: fix deadlock when writing out space cache (bnc#1012382).
- btrfs: Fix possible off-by-one in btrfs_search_path_in_tree (bnc#1012382).
- btrfs: Fix quota reservation leak on preallocated files (bsc#1079989).
- btrfs: fix unexpected -EEXIST when creating new inode (bnc#1012382).
- btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker (bnc#1012382).
- can: flex_can: Correct the checking for frame length in flexcan_start_xmit() (bnc#1012382).
- cdrom: turn off autoclose by default (bsc#1080813).
- ceph: fix incorrect snaprealm when adding caps (bsc#1081735).
- ceph: fix un-balanced fsc-&gt;writeback_count update (bsc#1081735).
- cfg80211: check dev_set_name() return value (bnc#1012382).
- cfg80211: fix cfg80211_beacon_dup (bnc#1012382).
- cifs: dump IPC tcon in debug proc file (bsc#1071306).
- cifs: Fix autonegotiate security settings mismatch (bnc#1012382).
- cifs: Fix missing put_xid in cifs_file_strict_mmap (bnc#1012382).
- cifs: make IPC a regular tcon (bsc#1071306).
- cifs: use tcon_ipc instead of use_ipc parameter of SMB2_ioctl (bsc#1071306).
- cifs: zero sensitive data when freeing (bnc#1012382).
- clk: fix a panic error caused by accessing NULL pointer (bnc#1012382).
- console/dummy: leave .con_font_get set to NULL (bnc#1012382).
- cpufreq: Add Loongson machine dependencies (bnc#1012382).
- crypto: aesni - handle zero length dst buffer (bnc#1012382).
- crypto: af_alg - whitelist mask and type (bnc#1012382).
- crypto: caam - fix endless loop when DECO acquire fails (bnc#1012382).
- crypto: cryptd - pass through absence of -&gt;setkey() (bnc#1012382).
- crypto: hash - introduce crypto_hash_alg_has_setkey() (bnc#1012382).
- crypto: poly1305 - remove -&gt;setkey() method (bnc#1012382).
- crypto: s5p-sss - Fix kernel Oops in AES-ECB mode (bnc#1012382).
- crypto: tcrypt - fix S/G table for test_aead_speed() (bnc#1012382). (bnc#1012382).
- crypto: x86/twofish-3way - Fix %rbp usage (bnc#1012382).
- cw1200: fix bogus maybe-uninitialized warning (bnc#1012382).
- dccp: limit sk_filter trim to payload (bsc#1042286).
- dell-wmi, dell-laptop: depends DMI (bnc#1012382).
- direct-io: Fix sleep in atomic due to sync AIO (bsc#1084888).
- dlm: fix double list_del() (bsc#1082795).
- dlm: fix NULL pointer dereference in send_to_sock() (bsc#1082795).
- dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved (bnc#1012382).
- dmaengine: dmatest: fix container_of member in dmatest_callback (bnc#1012382).
- dmaengine: ioat: Fix error handling path (bnc#1012382).
- dmaengine: jz4740: disable/unprepare clk if probe fails (bnc#1012382).
- dmaengine: zx: fix build warning (bnc#1012382).
- dm: correctly handle chained bios in dec_pending() (bnc#1012382).
- dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock (bnc#1012382).
- do not put symlink bodies in pagecache into highmem (bnc#1012382).
- dpt_i2o: fix build warning (bnc#1012382).
- driver-core: use 'dev' argument in dev_dbg_ratelimited stub (bnc#1012382).
- drivers: hv: balloon: Correctly update onlined page count (fate#315887, bsc#1082632).
- drivers: hv: balloon: Initialize last_post_time on startup (fate#315887, bsc#1082632).
- drivers: hv: balloon: Show the max dynamic memory assigned (fate#315887, bsc#1082632).
- drivers: hv: kvp: Use MAX_ADAPTER_ID_SIZE for translating adapter id (fate#315887, bsc#1082632).
- drivers: hv: Turn off write permission on the hypercall page (fate#315887, bsc#1082632).
- drivers: hv: vmbus: Fix rescind handling (fate#315887, bsc#1082632).
- drivers: hv: vmbus: Fix rescind handling issues (fate#315887, bsc#1082632).
- drivers/net: fix eisa_driver probe section mismatch (bnc#1012382).
- drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) (bnc#1012382).
- drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode (bnc#1012382).
- drm/amdkfd: Fix SDMA oversubsription handling (bnc#1012382).
- drm/amdkfd: Fix SDMA ring buffer size calculation (bnc#1012382).
- drm/armada: fix leak of crtc structure (bnc#1012382).
- drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA (bnc#1012382).
- drm/gma500: remove helper function (bnc#1012382).
- drm/gma500: Sanity-check pipe index (bnc#1012382).
- drm/nouveau: hide gcc-4.9 -Wmaybe-uninitialized (bnc#1012382).
- drm/nouveau/pci: do a msi rearm on init (bnc#1012382).
- drm/radeon: adjust tested variable (bnc#1012382).
- drm: rcar-du: Fix race condition when disabling planes at CRTC stop (bnc#1012382).
- drm: rcar-du: Use the VBK interrupt for vblank events (bnc#1012382).
- drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all (bnc#1012382).
- drm/ttm: check the return value of kzalloc (bnc#1012382).
- drm/vmwgfx: use *_32_bits() macros (bnc#1012382).
- Drop SUSE-specific qla2xxx patches (bsc#1043726)
- e1000: fix disabling already-disabled warning (bnc#1012382).
- edac, octeon: Fix an uninitialized variable warning (bnc#1012382).
- em28xx: only use mt9v011 if camera support is enabled (bnc#1012382).
- enable DST_CACHE in non-vanilla configs except s390x/zfcpdump
- ext4: correct documentation for grpid mount option (bnc#1012382).
- ext4: do not unnecessarily allocate buffer in recently_deleted() (bsc#1080344).
- ext4: Fix data exposure after failed AIO DIO (bsc#1069135 bsc#1082864).
- ext4: save error to disk in __ext4_grp_locked_error() (bnc#1012382).
- f2fs: fix a bug caused by NULL extent tree (bsc#1082478). Does not affect SLE release but should be merged into leap updates
- fbdev: auo_k190x: avoid unused function warnings (bnc#1012382).
- fbdev: s6e8ax0: avoid unused function warnings (bnc#1012382).
- fbdev: sis: enforce selection of at least one backend (bnc#1012382).
- fbdev: sm712fb: avoid unused function warnings (bnc#1012382).
- fs: Avoid invalidation in interrupt context in dio_complete() (bsc#1073407 bsc#1069135).
- fs: Fix page cache inconsistency when mixing buffered and AIO DIO (bsc#1073407 bsc#1069135).
- fs: invalidate page cache after end_io() in dio completion (bsc#1073407 bsc#1069135).
- ftrace: Remove incorrect setting of glob search field (bnc#1012382).
- geneve: fix populating tclass in geneve_get_v6_dst (bsc#1042286).
- genirq/msi: Add stubs for get_cached_msi_msg/pci_write_msi_msg (bnc#1012382).
- genirq/msi: Fix populating multiple interrupts (bsc#1085047).
- genirq: Restore trigger settings in irq_modify_status() (bsc#1085056).
- genksyms: Fix segfault with invalid declarations (bnc#1012382).
- gianfar: fix a flooded alignment reports because of padding issue (bnc#1012382).
- go7007: add MEDIA_CAMERA_SUPPORT dependency (bnc#1012382).
- gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE (bnc#1012382).
- gpio: intel-mid: Fix build warning when !CONFIG_PM (bnc#1012382).
- gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- gpio: xgene: mark PM functions as __maybe_unused (bnc#1012382).
- grace: replace BUG_ON by WARN_ONCE in exit_net hook (bnc#1012382).
- gre: build header correctly for collect metadata tunnels (bsc#1042286).
- gre: do not assign header_ops in collect metadata mode (bsc#1042286).
- gre: do not keep the GRE header around in collect medata mode (bsc#1042286).
- gre: reject GUE and FOU in collect metadata mode (bsc#1042286).
- hdpvr: hide unused variable (bnc#1012382).
- hid: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working (bnc#1012382).
- hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close (bnc#1012382).
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) (bnc#1012382).
- hv_netvsc: Add ethtool handler to set and get TCP hash levels (fate#315887, bsc#1082632).
- hv_netvsc: Add ethtool handler to set and get UDP hash levels (fate#315887, bsc#1082632).
- hv_netvsc: Add initialization of tx_table in netvsc_device_add() (fate#315887, bsc#1082632).
- hv_netvsc: Change the hash level variable to bit flags (fate#315887, bsc#1082632).
- hv_netvsc: Clean up an unused parameter in rndis_filter_set_rss_param() (fate#315887, bsc#1082632).
- hv_netvsc: Clean up unused parameter from netvsc_get_hash() (fate#315887, bsc#1082632).
- hv_netvsc: Clean up unused parameter from netvsc_get_rss_hash_opts() (fate#315887, bsc#1082632).
- hv_netvsc: copy_to_send buf can be void (fate#315887, bsc#1082632).
- hv_netvsc: do not need local xmit_more (fate#315887, bsc#1082632).
- hv_netvsc: drop unused macros (fate#315887, bsc#1082632).
- hv_netvsc: empty current transmit aggregation if flow blocked (fate#315887, bsc#1082632).
- hv_netvsc: Fix rndis_filter_close error during netvsc_remove (fate#315887, bsc#1082632).
- hv_netvsc: fix send buffer failure on MTU change (fate#315887, bsc#1082632).
- hv_netvsc: Fix the channel limit in netvsc_set_rxfh() (fate#315887, bsc#1082632).
- hv_netvsc: Fix the real number of queues of non-vRSS cases (fate#315887, bsc#1082632).
- hv_netvsc: Fix the receive buffer size limit (fate#315887, bsc#1082632).
- hv_netvsc: Fix the TX/RX buffer default sizes (fate#315887, bsc#1082632).
- hv_netvsc: hide warnings about uninitialized/missing rndis device (fate#315887, bsc#1082632).
- hv_netvsc: make const array ver_list static, reduces object code size (fate#315887, bsc#1082632).
- hv_netvsc: optimize initialization of RNDIS header (fate#315887, bsc#1082632).
- hv_netvsc: pass netvsc_device to receive callback (fate#315887, bsc#1082632).
- hv_netvsc: remove open_cnt reference count (fate#315887, bsc#1082632).
- hv_netvsc: Rename ind_table to rx_table (fate#315887, bsc#1082632).
- hv_netvsc: Rename tx_send_table to tx_table (fate#315887, bsc#1082632).
- hv_netvsc: replace divide with mask when computing padding (fate#315887, bsc#1082632).
- hv_netvsc: report stop_queue and wake_queue (fate#315887, bsc#1082632).
- hv_netvsc: simplify function args in receive status path (fate#315887, bsc#1082632).
- hv_netvsc: Simplify the limit check in netvsc_set_channels() (fate#315887, bsc#1082632).
- hv_netvsc: track memory allocation failures in ethtool stats (fate#315887, bsc#1082632).
- hv: preserve kabi by keeping hv_do_hypercall (bnc#1082632).
- hwmon: (pmbus) Use 64bit math for DIRECT format values (bnc#1012382).
- hwrng: exynos - use __maybe_unused to hide pm functions (bnc#1012382).
- hyper-v: trace vmbus_ongpadl_created() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_ongpadl_torndown() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_on_message() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_on_msg_dpc() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onoffer() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onoffer_rescind() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onopen_result() (fate#315887, bsc#1082632).
- hyper-v: trace vmbus_onversion_response() (fate#315887, bsc#1082632).
- hyper-v: Use fast hypercall for HVCALL_SIGNAL_EVENT (fate#315887, bsc#1082632).
- i2c: remove __init from i2c_register_board_info() (bnc#1012382).
- i40iw: Correct Q1/XF object count equation (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix sequence number for the first partial FPDU (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Fix the connection ORD value for loopback (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Remove limit on re-posting AEQ entries to HW (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- i40iw: Selectively teardown QPs on IP addr change event (bsc#1024376 FATE#321249).
- i40iw: Validate correct IRD/ORD connection parameters (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/hfi1: Fix for potential refcount leak in hfi1_open_file() (FATE#321231 FATE#321473).
- ib/iser: Handle lack of memory management extentions correctly (bsc#1082979).
- ib/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports (bnc#1012382).
- ib/mlx4: Fix mlx4_ib_alloc_mr error flow (bnc#1012382).
- ibmvnic: Account for VLAN header length in TX buffers (bsc#1085239).
- ibmvnic: Account for VLAN tag in L2 Header descriptor (bsc#1085239).
- ibmvnic: Allocate max queues stats buffers (bsc#1081498).
- ibmvnic: Allocate statistics buffers during probe (bsc#1082993).
- ibmvnic: Check for NULL skb's in NAPI poll routine (bsc#1081134, git-fixes).
- ibmvnic: Clean RX pool buffers during device close (bsc#1081134).
- ibmvnic: Clean up device close (bsc#1084610).
- ibmvnic: Correct goto target for tx irq initialization failure (bsc#1082223).
- ibmvnic: Do not attempt to login if RX or TX queues are not allocated (bsc#1082993).
- ibmvnic: Do not disable device during failover or partition migration (bsc#1084610).
- ibmvnic: Ensure that buffers are NULL after free (bsc#1080014).
- ibmvnic: Fix early release of login buffer (bsc#1081134, git-fixes).
- ibmvnic: fix empty firmware version and errors cleanup (bsc#1079038).
- ibmvnic: fix firmware version when no firmware level has been provided by the VIOS server (bsc#1079038).
- ibmvnic: Fix login buffer memory leaks (bsc#1081134).
- ibmvnic: Fix NAPI structures memory leak (bsc#1081134).
- ibmvnic: Fix recent errata commit (bsc#1085239).
- ibmvnic: Fix rx queue cleanup for non-fatal resets (bsc#1080014).
- ibmvnic: Fix TX descriptor tracking again (bsc#1082993).
- ibmvnic: Fix TX descriptor tracking (bsc#1081491).
- ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change (bsc#1081498).
- ibmvnic: Free RX socket buffer in case of adapter error (bsc#1081134).
- ibmvnic: Generalize TX pool structure (bsc#1085224).
- ibmvnic: Handle TSO backing device errata (bsc#1085239).
- ibmvnic: Harden TX/RX pool cleaning (bsc#1082993).
- ibmvnic: Improve TX buffer accounting (bsc#1085224).
- ibmvnic: Keep track of supplementary TX descriptors (bsc#1081491).
- ibmvnic: Make napi usage dynamic (bsc#1081498).
- ibmvnic: Move active sub-crq count settings (bsc#1081498).
- ibmvnic: Pad small packets to minimum MTU size (bsc#1085239).
- ibmvnic: queue reset when CRQ gets closed during reset (bsc#1080263).
- ibmvnic: Remove skb->protocol checks in ibmvnic_xmit (bsc#1080384).
- ibmvnic: Rename active queue count variables (bsc#1081498).
- ibmvnic: Reorganize device close (bsc#1084610).
- ibmvnic: Report queue stops and restarts as debug output (bsc#1082993).
- ibmvnic: Reset long term map ID counter (bsc#1080364).
- ibmvnic: Split counters for scrq/pools/napi (bsc#1082223).
- ibmvnic: Update and clean up reset TX pool routine (bsc#1085224).
- ibmvnic: Update release RX pool routine (bsc#1085224).
- ibmvnic: Update TX and TX completion routines (bsc#1085224).
- ibmvnic: Update TX pool initialization routine (bsc#1085224).
- ibmvnic: Wait until reset is complete to set carrier on (bsc#1081134).
- ib/qib: Fix comparison error with qperf compare/swap test (FATE#321231 FATE#321473).
- ib/srpt: Remove an unused structure member (bsc#1082979).
- idle: i7300: add PCI dependency (bnc#1012382).
- igb: Free IRQs when device is hotplugged (bnc#1012382).
- iio: adc: axp288: remove redundant duplicate const on axp288_adc_channels (bnc#1012382).
- iio: adis_lib: Initialize trigger before requesting interrupt (bnc#1012382).
- iio: buffer: check if a buffer has been set up when poll is called (bnc#1012382).
- input: tca8418_keypad - hide gcc-4.9 -Wmaybe-uninitialized warning (bnc#1012382).
- input: tca8418_keypad - remove double read of key event register (git-fixes).
- iommu/amd: Add align parameter to alloc_irq_index() (bsc#975772).
- iommu/amd: Enforce alignment for MSI IRQs (bsc#975772).
- iommu/amd: Fix alloc_irq_index() increment (bsc#975772).
- iommu/amd: Limit the IOVA page range to the specified addresses (fate#321026).
- iommu/arm-smmu-v3: Cope with duplicated Stream IDs (bsc#1084926).
- iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range (bsc#1084928).
- iommu/vt-d: Use domain instead of cache fetching (bsc#975772).
- ip6mr: fix stale iterator (bnc#1012382).
- ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
- ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
- ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
- ip_tunnel: fix preempt warning in ip tunnel creation/updating (bnc#1012382).
- ip_tunnel: replace dst_cache with generic implementation (bnc#1012382).
- ipv4: allow local fragmentation in ip_finish_output_gso() (bsc#1042286).
- ipv4: fix checksum annotation in udp4_csum_init (bsc#1042286).
- ipv4: ipconfig: avoid unused ic_proto_used symbol (bnc#1012382).
- ipv4: update comment to document GSO fragmentation cases (bsc#1042286).
- ipv6: datagram: Refactor dst lookup and update codes to a new function (bsc#1042286).
- ipv6: datagram: Refactor flowi6 init codes to a new function (bsc#1042286).
- ipv6: datagram: Update dst cache of a connected datagram sk during pmtu update (bsc#1042286).
- ipv6: fix checksum annotation in udp6_csum_init (bsc#1042286).
- ipv6: icmp6: Allow icmp messages to be looped back (bnc#1012382).
- ipv6/ila: fix nlsize calculation for lwtunnel (bsc#1042286).
- ipv6: remove unused in6_addr struct (bsc#1042286).
- ipv6: tcp: fix endianness annotation in tcp_v6_send_response (bsc#1042286).
- ipv6: udp: Do a route lookup and update during release_cb (bsc#1042286).
- ipvlan: Add the skb->mark as flow4's member to lookup route (bnc#1012382).
- ipvlan: fix multicast processing (bsc#1042286).
- ipvlan: fix various issues in ipvlan_process_multicast() (bsc#1042286).
- irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() (bnc#1012382).
- isdn: eicon: reduce stack size of sig_ind function (bnc#1012382).
- isdn: icn: remove a #warning (bnc#1012382).
- isdn: sc: work around type mismatch warning (bnc#1012382).
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (git-fixes).
- kABI: protect struct cpuinfo_x86 (kabi).
- kABI: protect struct ethtool_link_settings (bsc#1085050).
- kABI: protect struct ip_tunnel and reintroduce ip_tunnel_dst_reset_all (kabi).
- kABI: reintroduce crypto_poly1305_setkey (kabi).
- kabi: restore kabi after 'net: replace dst_cache ip6_tunnel implementation with the generic one' (bsc#1082897).
- kabi: restore nft_set_elem_destroy() signature (bsc#1042286).
- kabi: restore rhashtable_insert_slow() signature (bsc#1042286).
- kabi/severities: add sclp to KABI ignore list
- kabi/severities: add __x86_indirect_thunk_rsp
- kabi/severities: as per bsc#1068569 we can ignore XFS kabi The gods have spoken, let there be light.
- kabi/severities: Ignore kvm for KABI severities
- kabi: uninline sk_receive_skb() (bsc#1042286).
- kaiser: fix compile error without vsyscall (bnc#1012382).
- kaiser: fix intel_bts perf crashes (bnc#1012382).
- kasan: rework Kconfig settings (bnc#1012382).
- kernel/async.c: revert 'async: simplify lowest_in_progress()' (bnc#1012382).
- kernel: fix rwlock implementation (bnc#1079886, LTC#164371).
- kernfs: fix regression in kernfs_fop_write caused by wrong type (bnc#1012382).
- keys: encrypted: fix buffer overread in valid_master_desc() (bnc#1012382).
- kmemleak: add scheduling point to kmemleak_scan() (bnc#1012382).
- kvm: add X86_LOCAL_APIC dependency (bnc#1012382).
- kvm: ARM64: fix phy counter access failure in guest (bsc#1085015).
- kvm: arm/arm64: Check pagesize when allocating a hugepage at Stage 2 (bsc#1079029).
- kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types (bnc#1012382).
- kvm: nVMX: Fix races when sending nested PI while dest enters/leaves L2 (bnc#1012382).
- kvm: nVMX: invvpid handling improvements (bnc#1012382).
- kvm: nVMX: kmap() can't fail (bnc#1012382).
- kvm: nVMX: vmx_complete_nested_posted_interrupt() can't fail (bnc#1012382).
- kvm: PPC: Book3S PR: Fix svcpu copying with preemption enabled (bsc#1066223).
- kvm: s390: Add operation exception interception handler (FATE#324070, LTC#158959).
- kvm: s390: Add sthyi emulation (FATE#324070, LTC#158959).
- kvm: s390: Enable all facility bits that are known good for passthrough (FATE#324071, LTC#158956).
- kvm: s390: Extend diag 204 fields (FATE#324070, LTC#158959).
- kvm: s390: Fix STHYI buffer alignment for diag224 (FATE#324070, LTC#158959).
- kvm: s390: instruction-execution-protection support (LTC#162428).
- kvm: s390: Introduce BCD Vector Instructions to the guest (FATE#324072, LTC#158953).
- kvm: s390: Introduce Vector Enhancements facility 1 to the guest (FATE#324072, LTC#158953).
- kvm: s390: Limit sthyi execution (FATE#324070, LTC#158959).
- kvm: s390: Populate mask of non-hypervisor managed facility bits (FATE#324071, LTC#158956).
- kvm: VMX: clean up declaration of VPID/EPT invalidation types (bnc#1012382).
- kvm: VMX: Fix rflags cache during vCPU reset (bnc#1012382).
- kvm: VMX: Make indirect call speculation safe (bnc#1012382).
- kvm: x86: Do not re-execute instruction when not passing CR2 value (bnc#1012382).
- kvm: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure (bnc#1012382).
- kvm: x86: fix escape of guest dr6 to the host (bnc#1012382).
- kvm: X86: Fix operand/address-size during instruction decoding (bnc#1012382).
- kvm: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered (bnc#1012382).
- kvm: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race (bnc#1012382).
- kvm: x86: ioapic: Preserve read-only values in the redirection table (bnc#1012382).
- kvm: x86: Make indirect calls in emulator speculation safe (bnc#1012382).
- kvm/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods (bnc#1012382).
- l2tp: fix use-after-free during module unload (bsc#1042286).
- led: core: Fix brightness setting when setting delay_off=0 (bnc#1012382).
- leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
- libceph: check kstrndup() return value (bsc#1081735).
- lib/mpi: Fix umul_ppmm() for MIPS64r6 (bnc#1012382).
- lib/uuid.c: introduce a few more generic helpers (fate#315887, bsc#1082632).
- lib/uuid.c: use correct offset in uuid parser (fate#315887, bsc#1082632).
- livepatch: introduce shadow variable API (bsc#1082299 fate#313296). Shadow variables support.
- livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c (bsc#1082299 fate#313296). Shadow variables support.
- lockd: fix 'list_add double add' caused by legacy signal interface (bnc#1012382).
- loop: fix concurrent lo_open/lo_release (bnc#1012382).
- mac80211: fix the update of path metric for RANN frame (bnc#1012382).
- mac80211: mesh: drop frames appearing to be from us (bnc#1012382).
- Make DST_CACHE a silent config option (bnc#1012382).
- mdio-sun4i: Fix a memory leak (bnc#1012382).
- md/raid1: Use a new variable to count flighting sync requests(bsc#1083048)
- media: cxusb, dib0700: ignore XC2028_I2C_FLUSH (bnc#1012382).
- media: dvb-usb-v2: lmedm04: Improve logic checking of warm start (bnc#1012382).
- media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner (bnc#1012382).
- media: r820t: fix r820t_write_reg for KASAN (bnc#1012382).
- media: s5k6aa: describe some function parameters (bnc#1012382).
- media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- media: ts2020: avoid integer overflows on 32 bit machines (bnc#1012382).
- media: usbtv: add a new usbid (bnc#1012382).
- media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382).
- media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382).
- media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
- media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs (bnc#1012382).
- media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382).
- media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
- media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic (bnc#1012382).
- media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382).
- mmc: bcm2835: Do not overwrite max frequency unconditionally (bsc#983145, git-fixes).
- mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep (bnc#1012382).
- mm: hide a #warning for COMPILE_TEST (bnc#1012382).
- mm/kmemleak.c: make cond_resched() rate-limiting more efficient (git-fixes).
- mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1081500).
- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed (bnc#1012382).
- mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy (bnc#1012382).
- modsign: hide openssl output in silent builds (bnc#1012382).
- module/retpoline: Warn about missing retpoline in module (bnc#1012382).
- mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bsc#1078583).
- mptfusion: hide unused seq_mpt_print_ioc_summary function (bnc#1012382).
- mtd: cfi: convert inline functions to macros (bnc#1012382).
- mtd: cfi: enforce valid geometry configuration (bnc#1012382).
- mtd: ichxrom: maybe-uninitialized with gcc-4.9 (bnc#1012382).
- mtd: maps: add __init attribute (bnc#1012382).
- mtd: nand: brcmnand: Disable prefetch by default (bnc#1012382).
- mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- mtd: nand: Fix nand_do_read_oob() return value (bnc#1012382).
- mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM (bnc#1012382).
- mtd: nand: sunxi: Fix ECC strength choice (bnc#1012382).
- mtd: sh_flctl: pass FIFO as physical address (bnc#1012382).
- mvpp2: fix multicast address filter (bnc#1012382).
- ncpfs: fix unused variable warning (bnc#1012382).
- ncr5380: shut up gcc indentation warning (bnc#1012382).
- net: add dst_cache support (bnc#1012382).
- net: arc_emac: fix arc_emac_rx() error paths (bnc#1012382).
- net: avoid skb_warn_bad_offload on IS_ERR (bnc#1012382).
- net: cdc_ncm: initialize drvflags before usage (bnc#1012382).
- net: dst_cache_per_cpu_dst_set() can be static (bnc#1012382).
- net: ena: add detection and recovery mechanism for handling missed/misrouted MSI-X (bsc#1083548).
- net: ena: add new admin define for future support of IPv6 RSS (bsc#1083548).
- net: ena: add power management ops to the ENA driver (bsc#1083548).
- net: ena: add statistics for missed tx packets (bsc#1083548).
- net: ena: fix error handling in ena_down() sequence (bsc#1083548).
- net: ena: fix race condition between device reset and link up setup (bsc#1083548).
- net: ena: fix rare kernel crash when bar memory remap fails (bsc#1083548).
- net: ena: fix wrong max Tx/Rx queues on ethtool (bsc#1083548).
- net: ena: improve ENA driver boot time (bsc#1083548).
- net: ena: increase ena driver version to 1.3.0 (bsc#1083548).
- net: ena: increase ena driver version to 1.5.0 (bsc#1083548).
- net: ena: reduce the severity of some printouts (bsc#1083548).
- net: ena: remove legacy suspend suspend/resume support (bsc#1083548).
- net: ena: Remove redundant unlikely() (bsc#1083548).
- net: ena: unmask MSI-X only after device initialization is completed (bsc#1083548).
- net: ethernet: cavium: Correct Cavium Thunderx NIC driver names accordingly to module name (bsc#1085011).
- net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit (bnc#1012382).
- net: ethtool: Add back transceiver type (bsc#1085050).
- net: ethtool: remove error check for legacy setting transceiver type (bsc#1085050).
- netfilter: drop outermost socket lock in getsockopt() (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107).
- netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
- netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (bnc#1012382).
- netfilter: ipvs: avoid unused variable warnings (bnc#1012382).
- netfilter: nf_queue: Make the queue_handler pernet (bnc#1012382).
- netfilter: nf_tables: fix a wrong check to skip the inactive rules (bsc#1042286).
- netfilter: nf_tables: fix inconsistent element expiration calculation (bsc#1042286).
- netfilter: nf_tables: fix *leak* when expr clone fail (bsc#1042286).
- netfilter: nf_tables: fix race when create new element in dynset (bsc#1042286).
- netfilter: on sockopt() acquire sock lock only in the required scope (bnc#1012382).
- netfilter: tee: select NF_DUP_IPV6 unconditionally (bsc#1042286).
- netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} (bnc#1012382).
- netfilter: x_tables: fix int overflow in xt_alloc_table_info() (bnc#1012382).
- netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert (bnc#1012382).
- netfilter: xt_socket: fix transparent match for IPv6 request sockets (bsc#1042286).
- net: gianfar_ptp: move set_fipers() to spinlock protecting area (bnc#1012382).
- net: hns: add ACPI mode support for ethtool -p (bsc#1084041).
- net: hp100: remove unnecessary #ifdefs (bnc#1012382).
- net: igmp: add a missing rcu locking section (bnc#1012382).
- net/ipv4: Introduce IPSKB_FRAG_SEGS bit to inet_skb_parm.flags (bsc#1042286).
- netlink: fix nla_put_{u8,u16,u32} for KASAN (bnc#1012382).
- net/mlx5e: Fix loopback self test when GRO is off (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Fix wrong delay calculation for overflow check scheduling (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Verify inline header size do not exceed SKB linear size (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Use 128B cacheline size for 128B or larger cachelines (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net: phy: Keep reporting transceiver type (bsc#1085050).
- net: replace dst_cache ip6_tunnel implementation with the generic one (bnc#1012382).
- net_sched: red: Avoid devision by zero (bnc#1012382).
- net_sched: red: Avoid illegal values (bnc#1012382).
- net/smc: fix NULL pointer dereference on sock_create_kern() error path (bsc#1082979).
- netvsc: allow controlling send/recv buffer size (fate#315887, bsc#1082632).
- netvsc: allow driver to be removed even if VF is present (fate#315887, bsc#1082632).
- netvsc: check error return when restoring channels and mtu (fate#315887, bsc#1082632).
- netvsc: cleanup datapath switch (fate#315887, bsc#1082632).
- netvsc: do not signal host twice if empty (fate#315887, bsc#1082632).
- netvsc: fix deadlock betwen link status and removal (fate#315887, bsc#1082632).
- netvsc: increase default receive buffer size (fate#315887, bsc#1082632).
- netvsc: keep track of some non-fatal overload conditions (fate#315887, bsc#1082632).
- netvsc: no need to allocate send/receive on numa node (fate#315887, bsc#1082632).
- netvsc: propagate MAC address change to VF slave (fate#315887, bsc#1082632).
- netvsc: remove unnecessary cast of void pointer (fate#315887, bsc#1082632).
- netvsc: remove unnecessary check for NULL hdr (fate#315887, bsc#1082632).
- netvsc: whitespace cleanup (fate#315887, bsc#1082632).
- net: vxlan: lwt: Fix vxlan local traffic (bsc#1042286).
- net: vxlan: lwt: Use source ip address during route lookup (bsc#1042286).
- nfs: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779).
- nfs: commit direct writes even if they fail partially (bnc#1012382).
- nfsd: check for use of the closed special stateid (bnc#1012382).
- nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) (bnc#1012382).
- nfsd: Ensure we check stateid validity in the seqid operation checks (bnc#1012382).
- nfs: Do not convert nfs_idmap_cache_timeout to jiffies (git-fixes).
- nfs: fix a deadlock in nfs client initialization (bsc#1074198).
- nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds (bnc#1012382).
- nfs: reject request for id_legacy key without auxdata (bnc#1012382).
- nfs: Trunking detection should handle ERESTARTSYS/EINTR (bsc#1074198).
- nvme_fc: cleanup io completion (bsc#1079609).
- nvme_fc: correct abort race condition on resets (bsc#1079609).
- nvme_fc: fix abort race on teardown with lld reject (bsc#1083750).
- nvme_fc: fix ctrl create failures racing with workq items (bsc#1076982).
- nvme_fc: io timeout should defer abort to ctrl reset (bsc#1085054).
- nvme-fc: kick admin requeue list on disconnect (bsc#1077241).
- nvme-fc: merge error on sles12sp3 for reset_work (bsc#1079195).
- nvme_fc: minor fixes on sqsize (bsc#1076760).
- nvme_fc: on remoteport reuse, set new nport_id and role (bsc#1076760).
- nvme_fc: rework sqsize handling (bsc#1076760).
- nvme: Fix managing degraded controllers (bnc#1012382).
- nvme: Fix setting logical block format when revalidating (bsc#1079313).
- nvme: only start KATO if the controller is live (bsc#1083387).
- nvme-pci: clean up CMB initialization (bsc#1082979).
- nvme-pci: clean up SMBSZ bit definitions (bsc#1082979).
- nvme-pci: consistencly use ctrl->device for logging (bsc#1082979).
- nvme-pci: fix typos in comments (bsc#1082979).
- nvme-pci: Remap CMB SQ entries on every controller reset (bsc#1082979).
- nvme-pci: Use PCI bus address for data/queues in CMB (bsc#1082979).
- nvme: Quirks for PM1725 controllers (bsc#1082979).
- nvme_rdma: clear NVME_RDMA_Q_LIVE bit if reconnect fails (bsc#1083770).
- nvme-rdma: fix concurrent reset and reconnect (bsc#1082979).
- nvme: remove nvme_revalidate_ns (bsc#1079313).
- ocfs2: return error when we attempt to access a dirty bh in jbd2 (bsc#1070404).
- openvswitch: fix the incorrect flow action alloc size (bnc#1012382).
- ovl: fix failure to fsync lower dir (bnc#1012382).
- ovs/geneve: fix rtnl notifications on iface deletion (bsc#1042286).
- ovs/gre: fix rtnl notifications on iface deletion (bsc#1042286).
- ovs/gre,geneve: fix error path when creating an iface (bsc#1042286).
- ovs/vxlan: fix rtnl notifications on iface deletion (bsc#1042286).
- pci/ASPM: Do not retrain link if ASPM not possible (bnc#1071892).
- pci: hv: Do not sleep in compose_msi_msg() (fate#315887, bsc#1082632).
- pci: keystone: Fix interrupt-controller-node lookup (bnc#1012382).
- pci/MSI: Fix msi_desc->affinity memory leak when freeing MSI IRQs (bsc#1082979).
- perf bench numa: Fixup discontiguous/sparse numa nodes (bnc#1012382).
- perf top: Fix window dimensions change handling (bnc#1012382).
- perf/x86: Shut up false-positive -Wmaybe-uninitialized warning (bnc#1012382).
- pinctrl: sunxi: Fix A80 interrupt pin bank (bnc#1012382).
- pktcdvd: Fix pkt_setup_dev() error path (bnc#1012382).
- platform/x86: intel_mid_thermal: Fix suspend handlers unused warning (bnc#1012382).
- pm / devfreq: Propagate error from devfreq_add_device() (bnc#1012382).
- pm / wakeirq: Fix unbalanced IRQ enable for wakeirq (bsc#1031717).
- posix-timer: Properly check sigevent->sigev_notify (bnc#1012382).
- power: bq27xxx_battery: mark some symbols __maybe_unused (bnc#1012382).
- powerpc/64: Fix flush_(d|i)cache_range() called from modules (FATE#315275 LTC#103998 bnc#1012382 bnc#863764).
- powerpc/64s: Fix RFI flush dependency on HARDLOCKUP_DETECTOR (bnc#1012382).
- powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032, bsc#1075087).
- powerpc: Do not preempt_disable() in show_cpuinfo() (bsc#1066223).
- powerpc/numa: Ensure nodes initialized for hotplug (FATE#322022, bsc#1081514).
- powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove (bsc#1081512).
- powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (FATE#322022, bsc#1081514).
- powerpc/perf: Fix oops when grouping different pmu events (bnc#1012382).
- powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers (bsc#1066223).
- powerpc/powernv: Move IDLE_STATE_ENTER_SEQ macro to cpuidle.h (bsc#1066223).
- powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087).
- powerpc/pseries: Fix cpu hotplug crash with memoryless nodes (FATE#322022, bsc#1081514).
- powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032, bsc#1075087).
- powerpc: Simplify module TOC handling (bnc#1012382).
- power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE (bnc#1012382).
- profile: hide unused functions when !CONFIG_PROC_FS (bnc#1012382).
- Provide a function to create a NUL-terminated string from unterminated data (bnc#1012382).
- pwc: hide unused label (bnc#1012382).
- qla2xxx: Add changes for devloss timeout in driver (bsc#1084427).
- qla2xxx: Add FC-NVMe abort processing (bsc#1084427).
- qla2xxx: asynchronous pci probing (bsc#1034503).
- qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427).
- qla2xxx: Convert QLA_TGT_ABTS to TARGET_SCF_LOOKUP_LUN_FROM_TAG (bsc#1043726,FATE#324770).
- qla2xxx: do not check login_state if no loop id is assigned (bsc#1081681).
- qla2xxx: ensure async flags are reset correctly (bsc#1081681).
- qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427).
- qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427).
- qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2) (bsc#1043726,FATE#324770).
- qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427).
- qla2xxx: Fix NVMe entry_type for iocb packet on BE system (bsc#1043726,FATE#324770).
- qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427).
- qla2xxx: Fixup locking for session deletion (bsc#1081681).
- qla2xxx: Remove nvme_done_list (bsc#1084427).
- qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427).
- qla2xxx: remove use of FC-specific error codes (bsc#1043726,FATE#324770).
- qla2xxx: Restore ZIO threshold setting (bsc#1084427).
- qla2xxx: Return busy if rport going away (bsc#1084427).
- qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427).
- qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427).
- qlcnic: fix deadlock bug (bnc#1012382).
- r8169: fix RTL8168EP take too long to complete driver initialization (bnc#1012382).
- rdma/cma: Make sure that PSN is not over max allowed (bnc#1012382).
- rdma/uverbs: Protect from command mask overflow (bsc#1082979).
- reiserfs: avoid a -Wmaybe-uninitialized warning (bnc#1012382).
- Revert 'Bluetooth: btusb: fix QCA Rome suspend/resume' (bnc#1012382).
- Revert 'bpf: avoid false sharing of map refcount with max_entries' (kabi).
- Revert 'netfilter: nf_queue: Make the queue_handler pernet' (kabi).
- Revert 'net: replace dst_cache ip6_tunnel implementation with the generic one' (kabi bnc#1082897).
- Revert 'power: bq27xxx_battery: Remove unneeded dependency in Kconfig' (bnc#1012382).
- Revert 'powerpc: Simplify module TOC handling' (kabi).
- Revert SUSE-specific qla2xxx patch 'Add module parameter for interrupt mode' (bsc#1043726)
- Revert 'x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0'
- Revert 'x86/entry/64: Use a per-CPU trampoline stack for IDT entries'
- rfi-flush: Move the logic to avoid a redo into the debugfs code (bsc#1068032, bsc#1075087).
- rfi-flush: Switch to new linear fallback flush (bsc#1068032, bsc#1075087).
- rhashtable: add rhashtable_lookup_get_insert_key() (bsc#1042286).
- rtc-opal: Fix handling of firmware error codes, prevent busy loops (bnc#1012382).
- rtlwifi: fix gcc-6 indentation warning (bnc#1012382).
- rtlwifi: rtl8821ae: Fix connection lost problem correctly (bnc#1012382).
- s390: add no-execute support (FATE#324087, LTC#158827).
- s390/dasd: fix handling of internal requests (bsc#1080321).
- s390/dasd: fix wrongly assigned configuration data (bnc#1012382).
- s390/dasd: prevent prefix I/O error (bnc#1012382).
- s390: fix handling of -1 in set{,fs}[gu]id16 syscalls (bnc#1012382).
- s390: hypfs: Move diag implementation and data definitions (FATE#324070, LTC#158959).
- s390: kvm: Cpu model support for msa6, msa7 and msa8 (FATE#324069, LTC#159031).
- s390: Make cpc_name accessible (FATE#324070, LTC#158959).
- s390: Make diag224 public (FATE#324070, LTC#158959).
- s390/mem_detect: use unsigned longs (FATE#324071, LTC#158956).
- s390/mm: align swapper_pg_dir to 16k (FATE#324087, LTC#158827).
- s390/mm: always use PAGE_KERNEL when mapping pages (FATE#324087, LTC#158827).
- s390/noexec: execute kexec datamover without DAT (FATE#324087, LTC#158827).
- s390/oprofile: fix address range for asynchronous stack (bsc#1082979).
- s390/pageattr: allow kernel page table splitting (FATE#324087, LTC#158827).
- s390/pageattr: avoid unnecessary page table splitting (FATE#324087, LTC#158827).
- s390/pageattr: handle numpages parameter correctly (FATE#324087, LTC#158827).
- s390/pci_dma: improve lazy flush for unmap (bnc#1079886, LTC#163393).
- s390/pci_dma: improve map_sg (bnc#1079886, LTC#163393).
- s390/pci_dma: make lazy flush independent from the tlb_refresh bit (bnc#1079886, LTC#163393).
- s390/pci_dma: remove dma address range check (bnc#1079886, LTC#163393).
- s390/pci_dma: simplify dma address calculation (bnc#1079886, LTC#163393).
- s390/pci_dma: split dma_update_trans (bnc#1079886, LTC#163393).
- s390/pci: fix dma address calculation in map_sg (bnc#1079886, LTC#163393).
- s390/pci: handle insufficient resources during dma tlb flush (bnc#1079886, LTC#163393).
- s390/pgtable: introduce and use generic csp inline asm (FATE#324087, LTC#158827).
- s390/pgtable: make pmd and pud helper functions available (FATE#324087, LTC#158827).
- s390/qeth: fix underestimated count of buffer elements (bnc#1082089, LTC#164529).
- s390: report new vector facilities (FATE#324088, LTC#158828).
- s390/sclp: Add hmfai field (FATE#324071, LTC#158956).
- s390/vmem: align segment and region tables to 16k (FATE#324087, LTC#158827).
- s390/vmem: introduce and use SEGMENT_KERNEL and REGION3_KERNEL (FATE#324087, LTC#158827).
- s390/vmem: simplify vmem code for read-only mappings (FATE#324087, LTC#158827).
- sched/rt: Up the root domain ref count when passing it around via IPIs (bnc#1012382).
- sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() (bnc#1012382).
- scripts/kernel-doc: Do not fail with status != 0 if error encountered with -none (bnc#1012382).
- scsi: aacraid: Fix hang in kdump (bsc#1022607, FATE#321673).
- scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path (bnc#1012382).
- scsi: advansys: fix build warning for PCI=n (bnc#1012382).
- scsi: advansys: fix uninitialized data access (bnc#1012382).
- scsi: do not look for NULL devices handlers by name (bsc#1082373).
- scsi: fas216: fix sense buffer initialization (bsc#1082979).
- scsi: fdomain: drop fdomain_pci_tbl when built-in (bnc#1012382).
- scsi: hisi_sas: directly attached disk LED feature for v2 hw (bsc#1083409).
- scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info (bnc#1012382).
- scsi: initio: remove duplicate module device table (bnc#1012382 bsc#1082979).
- scsi: initio: remove duplicate module device table (bsc#1082979).
- scsi: libsas: fix error when getting phy events (bsc#1082979).
- scsi: libsas: fix memory leak in sas_smp_get_phy_events() (bsc#1082979).
- scsi: lpfc: Add WQ Full Logic for NVME Target (bsc#1080656).
- scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target (bsc#1080656).
- scsi: lpfc: Beef up stat counters for debug (bsc#1076693).
- scsi: lpfc: correct debug counters for abort (bsc#1080656).
- scsi: lpfc: do not dereference localport before it has been null checked (bsc#1076693).
- scsi: lpfc: Do not return internal MBXERR_ERROR code from probe function (bsc#1082979).
- scsi: lpfc: fix a couple of minor indentation issues (bsc#1076693).
- scsi: lpfc: Fix -EOVERFLOW behavior for NVMET and defer_rcv (bsc#1076693).
- scsi: lpfc: Fix header inclusion in lpfc_nvmet (bsc#1080656).
- scsi: lpfc: Fix infinite wait when driver unregisters a remote NVME port (bsc#1076693).
- scsi: lpfc: Fix IO failure during hba reset testing with nvme io (bsc#1080656).
- scsi: lpfc: Fix issue_lip if link is disabled (bsc#1080656).
- scsi: lpfc: Fix issues connecting with nvme initiator (bsc#1076693).
- scsi: lpfc: Fix nonrecovery of NVME controller after cable swap (bsc#1080656).
- scsi: lpfc: Fix PRLI handling when topology type changes (bsc#1080656).
- scsi: lpfc: Fix receive PRLI handling (bsc#1076693).
- scsi: lpfc: Fix RQ empty firmware trap (bsc#1080656).
- scsi: lpfc: Fix SCSI io host reset causing kernel crash (bsc#1080656).
- scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled (bsc#1076693).
- scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bsc#1080656).
- scsi: lpfc: Increase CQ and WQ sizes for SCSI (bsc#1080656).
- scsi: lpfc: Increase SCSI CQ and WQ sizes (bsc#1076693).
- scsi: lpfc: Indicate CONF support in NVMe PRLI (bsc#1080656).
- scsi: lpfc: move placement of target destroy on driver detach (bsc#1080656).
- scsi: lpfc: Treat SCSI Write operation Underruns as an error (bsc#1080656).
- scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright (bsc#1080656).
- scsi: lpfc: update driver version to 11.4.0.6 (bsc#1076693).
- scsi: lpfc: update driver version to 11.4.0.7 (bsc#1080656).
- scsi: lpfc: Validate adapter support for SRIU option (bsc#1080656).
- scsi: mvumi: use __maybe_unused to hide pm functions (bnc#1012382).
- scsi: qla2xxx: Ability to process multiple SGEs in Command SGL for CT passthrough commands (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Accelerate SCSI BUSY status generation in target mode (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add ability to autodetect SFP type (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ability to send PRLO (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ability to use GPNFT/GNNFT for RSCN handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ATIO-Q processing for INTx mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add boundary checks for exchanges to be offloaded (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add command completion for error path (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add debug knob for user control workload (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add debug logging routine for qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Added change to enable ZIO for FC-NVMe devices (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe command handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add FC-NVMe port discovery and PRLI handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add function call to qpair for door bell (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add fw_started flags to qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add lock protection around host lookup (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add LR distance support from nvram bit (bsc#1043726,FATE#324770).
- scsi: qla2xxx: add missing includes for qla_isr (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add option for use reserve exch for ELS (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add ql2xiniexchg parameter (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Add retry limit for fabric scan logic (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add support for minimum link speed (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add switch command to simplify fabric discovery (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add timeout ability to wait_for_sess_deletion() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Add XCB counters to debugfs (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow ABTS, PURX, RIDA on ATIOQ for ISP83XX/27XX (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Allow MBC_GET_PORT_DATABASE to query and save the port states (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow relogin and session creation after reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow SNS fabric login to be retried (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Allow target mode to accept PRLI in dual mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: avoid unused-function warning (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Change ha->wq max_active value to default (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Changes to support N2N logins (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Chip reset uses wrong lock during IO flush (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Cleanup FC-NVMe code (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Cleanup NPIV host in target mode during config teardown (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Clear fc4f_nvme flag (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Clear loop id after delete (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Combine Active command arrays (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Convert 32-bit LUN usage to 64-bit (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Defer processing of GS IOCB calls (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Delay loop id allocation at login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Do not call abort handler function during chip reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Do not call dma_free_coherent with IRQ disabled (bsc#1043726,FATE#324770).
- scsi: qla2xxx: do not include <generated/utsrelease.h> (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Enable Async TMF processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Enable ATIO interrupt handshake for ISP27XX (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Enable Target Multi Queue (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix abort command deadlock due to spinlock (FATE#320146, bsc#966328).
- scsi: qla2xxx: fix a bunch of typos and spelling mistakes (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els() (bsc#1082979).
- scsi: qla2xxx: Fix compile warning (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix FC-NVMe LUN discovery (bsc#1083223).
- scsi: qla2xxx: Fix Firmware dump size for Extended login and Exchange Offload (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix GPNFT/GNNFT error handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix gpnid error processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix incorrect handle for abort IOCB (bsc#1082979).
- scsi: qla2xxx: Fix login state machine freeze (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix login state machine stuck at GPDB (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix logo flag for qlt_free_session_done() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix mailbox failure while deleting Queue pairs (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Fix memory leak in dual/target mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NPIV host cleanup in target mode (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NPIV host enable after chip reset (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NULL pointer access for fcport structure (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS (bsc#1082979).
- scsi: qla2xxx: Fix NULL pointer crash due to probe failure (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix oops in qla2x00_probe_one error path (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix PRLI state check (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix queue ID for async abort with Multiqueue (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix recursion while sending terminate exchange (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix Relogin being triggered too fast (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix re-login for Nport Handle in use (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix remoteport disconnect for FC-NVMe (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix scan state field for fcport (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix session cleanup for N2N (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix slow mem alloc behind lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que (bsc#1043726,FATE#324770).
- scsi: qla2xxx: fix spelling mistake of variable sfp_additonal_info (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash for Notify ack timeout handling (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system crash while triggering FW dump (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix system panic due to pointer access problem (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix target multiqueue configuration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix task mgmt handling for NPIV (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning during port_name debug print (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning for code intentation in __qla24xx_handle_gpdb_event() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix warning in qla2x00_async_iocb_timeout() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Fix WWPN/WWNN in debug message (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Handle PCIe error for driver (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Include Exchange offload/Extended Login into FW dump (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Increase ql2xmaxqdepth to 64 (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Increase verbosity of debug messages logged (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Migrate switch registration commands away from mailbox interface (bsc#1043726,FATE#324770).
- scsi: qla2xxx: move fields from qla_hw_data to qla_qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Move function prototype to correct header (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move logging default mask to execute once only (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move session delete to driver work queue (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Move target stat counters from vha to qpair (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Move work element processing out of DPC thread (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Off by one in qlt_ctio_to_cmd() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Preparation for Target MQ (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Prevent multiple active discovery commands per session (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Prevent relogin trigger from sending too many commands (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Prevent sp->free null/uninitialized pointer dereference (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Print correct mailbox registers in failed summary (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Properly extract ADISC error codes (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Protect access to qpair members with qpair->qp_lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Query FC4 type during RSCN processing (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Recheck session state after RSCN (bsc#1043726,FATE#324770)
- scsi: qla2xxx: Reduce the use of terminate exchange (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reduce trace noise for Async Events (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reinstate module parameter ql2xenablemsix (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Relogin to target port on a cable swap (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout (FATE#320146, bsc#966328).
- scsi: qla2xxx: Remove an unused structure member (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove datasegs_per_cmd and datasegs_per_cont field (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove extra register read (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove extra register read (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove FC_NO_LOOP_ID for FCP and FC-NVMe Discovery (bsc#1084397).
- scsi: qla2xxx: Remove potential macro parameter side-effect in ql_dump_regs() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: remove redundant assignment of d (bsc#1043726,FATE#324770).
- scsi: qla2xxx: remove redundant null check on tgt (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove redundant wait when target is stopped (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove session creation redundant code (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove unused argument from qlt_schedule_sess_for_deletion() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Remove unused irq_cmd_count field (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Remove unused tgt_enable_64bit_addr flag (bsc#1043725,FATE#324770).
- scsi: qla2xxx: remove writeq/readq function definitions (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Replace GPDB with async ADISC command (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Reset the logo flag, after target re-login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Retry switch command on time out (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Send FC4 type NVMe to the management server (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize GPNID for multiple RSCN (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize session deletion by using work_lock (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Serialize session free in qlt_free_session_done (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Skip IRQ affinity for Target QPairs (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Skip zero queue count entry during FW dump capture (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Suppress a kernel complaint in qla_init_base_qpair() (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Tweak resource count dump (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update Driver version to 10.00.00.00-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.01-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.02-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.03-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.04-k (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Update driver version to 10.00.00.05-k (bsc#1081681).
- scsi: qla2xxx: Update driver version to 9.01.00.00-k (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Update fw_started flags at qpair creation (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use BIT_6 to acquire FAWWPN from switch (bsc#1043726,FATE#324770)
- scsi: qla2xxx: Use chip reset to bring down laser on unload (bsc#1043726,FATE#324770).
- scsi: qla2xxx: use dma_mapping_error to check map errors (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use FC-NVMe FC4 type for FDMI registration (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use IOCB path to submit Control VP MBX command (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use known NPort ID for Management Server login (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use ql2xnvmeenable to enable Q-Pair for FC-NVMe (bsc#1043726,FATE#324770).
- scsi: qla2xxx: use shadow register for ISP27XX (bsc#1043725,FATE#324770).
- scsi: qla2xxx: Use shadow register for ISP27XX (bsc#1043726,FATE#324770).
- scsi: qla2xxx: Use sp->free instead of hard coded call (bsc#1043726,FATE#324770).
- scsi: ses: do not get power status of SES device slot on probe (bsc#1082979).
- scsi: sim710: fix build warning (bnc#1012382).
- scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
- scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (bnc#1012382).
- scsi: storvsc: remove unnecessary channel inbound lock (fate#315887, bsc#1082632).
- scsi: sun_esp: fix device reference leaks (bsc#1082979).
- scsi: tcm_qla2xxx: Do not allow aborted cmd to advance (bsc#1043725,FATE#324770).
- scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg (bnc#1012382).
- sctp: make use of pre-calculated len (bnc#1012382).
- selinux: ensure the context is NUL terminated in security_context_to_sid_core() (bnc#1012382).
- selinux: general protection fault in sock_has_perm (bnc#1012382).
- selinux: skip bounded transition processing if the policy isn't loaded (bnc#1012382).
- serial: 8250_mid: fix broken DMA dependency (bnc#1012382).
- serial: 8250_uniphier: fix error return code in uniphier_uart_probe() (bsc#1031717).
- serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS (bnc#1012382).
- series.conf: disable qla2xxx patches (bsc#1043725)
- sget(): handle failures of register_shrinker() (bnc#1012382).
- signal/openrisc: Fix do_unaligned_access to send the proper signal (bnc#1012382).
- signal/sh: Ensure si_signo is initialized in do_divide_error (bnc#1012382).
- SolutionEngine771x: fix Ether platform data (bnc#1012382).
- spi: atmel: fixed spin_lock usage inside atmel_spi_remove (bnc#1012382).
- spi: imx: do not access registers while clocks disabled (bnc#1012382).
- spi: sun4i: disable clocks in the remove function (bnc#1012382).
- ssb: mark ssb_bus_register as __maybe_unused (bnc#1012382).
- staging: android: ashmem: Fix a race condition in pin ioctls (bnc#1012382).
- staging: iio: adc: ad7192: fix external frequency setting (bnc#1012382).
- staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID (bnc#1012382).
- staging: ste_rmi4: avoid unused function warnings (bnc#1012382).
- staging: unisys: visorinput depends on INPUT (bnc#1012382).
- staging: wilc1000: fix kbuild test robot error (bnc#1012382).
- sunrpc: Allow connect to return EHOSTUNREACH (bnc#1012382).
- target: Add support for TMR percpu reference counting (bsc#1043726,FATE#324770).
- target: Add TARGET_SCF_LOOKUP_LUN_FROM_TAG support for ABORT_TASK (bsc#1043726,FATE#324770).
- tc1100-wmi: fix build warning when CONFIG_PM not enabled (bnc#1012382).
- tc358743: fix register i2c_rd/wr function fix (git-fixes).
- tc358743: fix register i2c_rd/wr functions (bnc#1012382).
- tcp: do not set rtt_min to 1 (bsc#1042286).
- tcp: release sk_frag.page in tcp_disconnect (bnc#1012382).
- test_bpf: fix the dummy skb after dissector changes (bsc#1042286).
- tg3: Add workaround to restrict 5762 MRRS to 2048 (bnc#1012382).
- tg3: Enable PHY reset in MTU change path for 5720 (bnc#1012382).
- thermal: fix INTEL_SOC_DTS_IOSF_CORE dependencies (bnc#1012382).
- thermal: spear: use __maybe_unused for PM functions (bnc#1012382).
- tlan: avoid unused label with PCI=n (bnc#1012382).
- tools build: Add tools tree support for 'make -s' (bnc#1012382).
- tpm-dev-common: Reject too short writes (bsc#1020645, git-fixes).
- tpm: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tpm_tis: fix potential buffer overruns caused by bit glitches on the bus (bsc#1020645, git-fixes).
- tty: cyclades: cyz_interrupt is only used for PCI (bnc#1012382).
- tty: hvc_xen: hide xen_console_remove when unused (bnc#1012382).
- tty: mxser: Remove ASYNC_CLOSING (bnc#1072363).
- ubi: block: Fix locking for idr_alloc/idr_remove (bnc#1012382).
- udp: restore UDPlite many-cast delivery (bsc#1042286).
- usb: build drivers/usb/common/ when USB_SUPPORT is set (bnc#1012382).
- usb: cdc-acm: Do not log urb submission errors on disconnect (bnc#1012382).
- usb: cdc_subset: only build when one driver is enabled (bnc#1012382).
- usb: dwc3: gadget: Set maxpacket size for ep0 IN (bnc#1012382).
- usb: f_fs: Prevent gadget unbind if it is already unbound (bnc#1012382).
- usb: gadget: do not dereference g until after it has been null checked (bnc#1012382).
- usb: gadget: f_fs: Process all descriptors during bind (bnc#1012382).
- usb: gadget: uvc: Missing files for configfs interface (bnc#1012382).
- usbip: fix 3eee23c3ec14 tcp_socket address still in the status file (bnc#1012382).
- usbip: keep usbip_device sockfd state in sync with tcp_socket (bnc#1012382).
- usbip: list: do not list devices attached to vhci_hcd (bnc#1012382).
- usbip: prevent bind loops on devices attached to vhci_hcd (bnc#1012382).
- usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit (bnc#1012382).
- usb: ldusb: add PIDs for new CASSY devices supported by this driver (bnc#1012382).
- usb: musb/ux500: remove duplicate check for dma_is_compatible (bnc#1012382).
- usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() (bnc#1012382).
- usb: option: Add support for FS040U modem (bnc#1012382).
- usb: phy: msm add regulator dependency (bnc#1012382).
- usb: renesas_usbhs: missed the 'running' flag in usb_dmac with rx path (bnc#1012382).
- usb: serial: io_edgeport: fix possible sleep-in-atomic (bnc#1012382).
- usb: serial: pl2303: new device id for Chilitag (bnc#1012382).
- usb: serial: simple: add Motorola Tetra driver (bnc#1012382).
- usb: uas: unconditionally bring back host after reset (bnc#1012382).
- v4l: remove MEDIA_TUNER dependency for VIDEO_TUNER (bnc#1012382).
- vb2: V4L2_BUF_FLAG_DONE is set after DQBUF (bnc#1012382).
- vfs: do not do RCU lookup of empty pathnames (bnc#1012382).
- vhost_net: stop device during reset owner (bnc#1012382).
- video: fbdev: atmel_lcdfb: fix display-timings lookup (bnc#1012382).
- video: fbdev/mmp: add MODULE_LICENSE (bnc#1012382).
- video: fbdev: sis: remove unused variable (bnc#1012382).
- video: fbdev: via: remove possibly unused variables (bnc#1012382).
- video: Use bool instead int pointer for get_opt_bool() argument (bnc#1012382).
- virtio_balloon: prevent uninitialized variable use (bnc#1012382).
- vmbus: add per-channel sysfs info (fate#315887, bsc#1082632).
- vmbus: add prefetch to ring buffer iterator (fate#315887, bsc#1082632).
- vmbus: do not acquire the mutex in vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632).
- vmbus: drop unused ring_buffer_info elements (fate#315887, bsc#1082632).
- vmbus: eliminate duplicate cached index (fate#315887, bsc#1082632).
- vmbus: hvsock: add proper sync for vmbus_hvsock_device_unregister() (fate#315887, bsc#1082632).
- vmbus: initialize reserved fields in messages (fate#315887, bsc#1082632).
- vmbus: make channel_message table constant (fate#315887, bsc#1082632).
- vmbus: more host signalling avoidance (fate#315887, bsc#1082632).
- vmbus: refactor hv_signal_on_read (fate#315887, bsc#1082632).
- vmbus: remove unused vmbus_sendpacket_ctl (fate#315887, bsc#1082632).
- vmbus: remove unused vmbus_sendpacket_multipagebuffer (fate#315887, bsc#1082632).
- vmbus: remove unused vmubs_sendpacket_pagebuffer_ctl (fate#315887, bsc#1082632).
- vmbus: Reuse uuid_le_to_bin() helper (fate#315887, bsc#1082632).
- vmbus: simplify hv_ringbuffer_read (fate#315887, bsc#1082632).
- vmbus: unregister device_obj->channels_kset (fate#315887, bsc#1082632).
- vmxnet3: prevent building with 64K pages (bnc#1012382).
- vxlan: consolidate csum flag handling (bsc#1042286).
- vxlan: consolidate output route calculation (bsc#1042286).
- vxlan: consolidate vxlan_xmit_skb and vxlan6_xmit_skb (bsc#1042286).
- vxlan: do not allow overwrite of config src addr (bsc#1042286).
- watchdog: imx2_wdt: restore previous timeout after suspend+resume (bnc#1012382).
- wireless: cw1200: use __maybe_unused to hide pm functions_ (bnc#1012382).
- x86: add MULTIUSER dependency for KVM (bnc#1012382).
- x86/asm: Fix inline asm call constraints for GCC 4.4 (bnc#1012382).
- x86/boot: Avoid warning for zero-filling .bss (bnc#1012382).
- x86: bpf_jit: small optimization in emit_bpf_tail_call() (bnc#1012382).
- x86/bugs: Drop one 'mitigation' from dmesg (bnc#1012382).
- x86/build: Silence the build with 'make -s' (bnc#1012382).
- x86/cpu/bugs: Make retpoline module warning conditional (bnc#1012382).
- x86/cpu: Change type of x86_cache_size variable to unsigned int (bnc#1012382).
- x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0 (bsc#1077560).
- x86/entry/64: Use a per-CPU trampoline stack for IDT entries (bsc#1077560).
- x86: fix build warnign with 32-bit PAE (bnc#1012382).
- x86/fpu/math-emu: Fix possible uninitialized variable use (bnc#1012382).
- x86/hyperv: Implement hv_get_tsc_page() (fate#315887, bsc#1082632).
- x86/hyper-v: include hyperv/ only when CONFIG_HYPERV is set (fate#315887, bsc#1082632).
- x86/hyper-v: Introduce fast hypercall implementation (fate#315887, bsc#1082632).
- x86/hyper-v: Make hv_do_hypercall() inline (fate#315887, bsc#1082632).
- x86/hyperv: Move TSC reading method to asm/mshyperv.h (fate#315887, bsc#1082632).
- x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER (bnc#1012382).
- x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested (bsc#1081431).
- x86/mce: Pin the timer when modifying (bsc#1080851,1076282).
- x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug (bnc#1012382).
- x86/microcode/AMD: Do not load when running on a hypervisor (bsc#1081436 bsc#1081437).
- x86/microcode: Do the family check first (bnc#1012382).
- x86/microcode: Do the family check first (bsc#1081436 bsc#1081437).
- x86/mm/kmmio: Fix mmiotrace for page unaligned addresses (bnc#1012382).
- x86/mm/pkeys: Fix fill_sig_info_pkey (fate#321300).
- x86/nospec: Fix header guards names (bnc#1012382).
- x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() (bnc#1012382).
- x86/paravirt: Remove 'noreplace-paravirt' cmdline option (bnc#1012382).
- x86/platform: Add PCI dependency for PUNIT_ATOM_DEBUG (bnc#1012382).
- x86/platform/olpc: Fix resume handler build warning (bnc#1012382).
- x86/pti: Make unpoison of pgd for trusted boot work for real (bnc#1012382).
- x86/ras/inject: Make it depend on X86_LOCAL_APIC=y (bnc#1012382).
- x86/retpoline: Avoid retpolines for built-in __init functions (bnc#1012382).
- x86/retpoline/hyperv: Convert assembler indirect jumps (fate#315887, bsc#1082632).
- x86/retpoline: Remove the esp/rsp thunk (bnc#1012382).
- x86/spectre: Check CONFIG_RETPOLINE in command line parser (bnc#1012382).
- x86/spectre: Fix an error message (git-fixes).
- x86/spectre: Fix spelling mistake: 'vunerable'-> 'vulnerable' (bnc#1012382).
- x86/spectre: Remove the out-of-tree RSB stuffing
- x86/spectre: Simplify spectre_v2 command line parsing (bnc#1012382).
- x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (bnc#1012382).
- x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend (bnc#1065600).
- xen/gntdev: Fix off-by-one error when unmapping with holes (bnc#1012382).
- xen/gntdev: Fix partial gntdev_mmap() cleanup (bnc#1012382).
- xen-netfront: enable device after manual module load (bnc#1012382).
- xen-netfront: remove warning when unloading module (bnc#1012382).
- xen: XEN_ACPI_PROCESSOR is Dom0-only (bnc#1012382).
- xfrm: check id proto in validate_tmpl() (bnc#1012382).
- xfrm: Fix stack-out-of-bounds read on socket policy lookup (bnc#1012382).
- xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies (bnc#1012382).
- xfrm_user: propagate sec ctx allocation errors (bsc#1042286).
- xfs: do not chain ioends during writepage submission (bsc#1077285 bsc#1043441).
- xfs: factor mapping out of xfs_do_writepage (bsc#1077285 bsc#1043441).
- xfs: Introduce writeback context for writepages (bsc#1077285 bsc#1043441).
- xfs: ioends require logically contiguous file offsets (bsc#1077285 bsc#1043441).
- xfs: quota: check result of register_shrinker() (bnc#1012382).
- xfs: quota: fix missed destroy of qi_tree_lock (bnc#1012382).
- xfs: reinit btree pointer on attr tree inactivation walk (bsc#1078787).
- xfs: remove nonblocking mode from xfs_vm_writepage (bsc#1077285 bsc#1043441).
- xfs: remove xfs_cancel_ioend (bsc#1077285 bsc#1043441).
- xfs: stop searching for free slots in an inode chunk when there are none (bsc#1072739).
- xfs: toggle readonly state around xfs_log_mount_finish (bsc#1073401).
- xfs: ubsan fixes (bnc#1012382).
- xfs: validate sb_logsunit is a multiple of the fs blocksize (bsc#1077513).
- xfs: write unmount record for ro mounts (bsc#1073401).
- xfs: xfs_cluster_write is redundant (bsc#1077285 bsc#1043441).
- xtensa: fix futex_atomic_cmpxchg_inatomic (bnc#1012382).
- zram: fix operator precedence to get offset (bsc#1082979).


-----------------------------------------
Patch: SUSE-2018-542
Released: Mon Mar 26 10:38:34 2018
Summary: Security update for dhcp
Severity: moderate
References: 1083302,1083303,CVE-2018-5732,CVE-2018-5733
Description:
This update for dhcp fixes the following issues:

Security issues fixed:

- CVE-2018-5733: reference count overflow in dhcpd (bsc#1083303).
- CVE-2018-5732: buffer overflow in dhclient (bsc#1083302).


-----------------------------------------
Patch: SUSE-2018-560
Released: Wed Mar 28 16:39:25 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1082022,1085512
Description:


This update for suse-build-key fixes the following issues:

- The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512)

- A new security@suse.de E-Mail key was added (bsc#1082022)

  pub   rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14]
        Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B  BE6E 21FE 9232 2BA9 E067
  uid                             SUSE Security Team <security@suse.com>
  uid                             SUSE Security Team <security@suse.de>
  sub   rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14]



-----------------------------------------
Patch: SUSE-2018-567
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with
  newer Kerberos. System administrators who are experiencing this kind of compatibility
  issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value,
  and make sure the environment variable is visible and effective to the application
  startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in
  gss_indicate_mech() list. (bsc#1081725)


-----------------------------------------
Patch: SUSE-2018-573
Released: Tue Apr  3 11:59:01 2018
Summary: Security update for graphite2
Severity: moderate
References: 1084850,CVE-2018-7999
Description:
This update for graphite2 fixes the following issues:

- CVE-2018-7999: Fixed a NULL pointer dereference vulnerability in Segment.cpp that may cause a denial of serivce (bsc#1084850).


-----------------------------------------
Patch: SUSE-2018-584
Released: Wed Apr  4 11:47:55 2018
Summary: Recommended update for yast2-users
Severity: moderate
References: 1053564,1066342,1080125
Description:
This update for yast2-users provides the following fixes:

- AutoYaST: Write and export SSH authorized keys also for root user. (bsc#1066342)
- Fix a freeze while parsing authorized_keys. (bsc#1053564)
- Make sure users don't get locked when removing the password expiration date. (bsc#1080125)


-----------------------------------------
Patch: SUSE-2018-586
Released: Wed Apr  4 11:51:00 2018
Summary: Recommended update for aaa_base
Severity: low
References: 1025743,1036895,1038549,1049577,1052182,1079674
Description:
This update for aaa_base provides the following fixes:

- Support changing PS1 even for mksh and user root. (bsc#1036895)
- Unset unused variables on profile files. (bsc#1049577)
- Unset id in csh.cshrc instead of profile.csh. (bsc#1049577)
- Allow that personal ~/.bashrc is read again. (bsc#1052182)
- Avoid that IFS becomes global in _ls ksh shell function. (bsc#1079674, bsc#1025743)
- Replace 'cat > file' by 'mv -f ... file' in pre/post to fix issues with clients
  having these files mmapped. (bsc#1038549)


-----------------------------------------
Patch: SUSE-2018-587
Released: Wed Apr  4 11:51:16 2018
Summary: Recommended update for autoyast2
Severity: low
References: 1054400,1057597,1059617,1077292
Description:
This update for autoyast2 provides the following fixes:

- When using Btrfs but without subvolumes, export an empty list instead of removing them from the profile. (bsc#1059617)
- Shrink needed disks size automatically in order to handle rounding inaccuracies in LVM
  installations. (bsc#1057597)
- Add default subvolumes to the root partition only if the user has not defined any root
  partition in the autoyast configuration file. (bsc#1059617)
- Add the network_before_proposal flag that will be enable if the network is configured
  during the first stage. (bsc#1054400)
- Report packages which cannot be selected for installation, except those packages not
  included in the AutoYaST profile. (bnc#1077292)


-----------------------------------------
Patch: SUSE-2018-590
Released: Wed Apr  4 15:04:46 2018
Summary: Recommended update for growpart
Severity: low
References: 1064755
Description:
This update for growpart fixes the following issues:

- Add rootgrow script to wrap growpart to the Public Cloud Module.
- Ignore sfdisk failure in 2.28.1 when due to reread failing.
- Add service file to start growpart via systemd.


-----------------------------------------
Patch: SUSE-2018-594
Released: Thu Apr  5 17:22:37 2018
Summary: Security update for libidn
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issues.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that
  allowed remote attackers to cause a denial of service or possibly have
  unspecified other impact (bsc#1056450).


-----------------------------------------
Patch: SUSE-2018-600
Released: Fri Apr  6 19:42:44 2018
Summary: Recommended update for kdump
Severity: low
References: 1002617,1021484,1036223,1047606,1047781,1048178,1056497,1068234,951144
Description:

This update for kdump provides the following fixes:

- Fix a ssh login issue. Only field hosts in /etc/nsswitch is needed for /etc/hosts.
  (bsc#1048178, bsc#1002617)
- Don't exit even if the initrd is not built. (bsc#1047781)
- Limit kdump CPUs to the number provided in the configuration. (bsc#1036223, bsc#1068234)
- Don't split vmcore by default. (bsc#1036223, bsc#1068234)
- Ensure added kdump-early.service is enabled properly after update. (bsc#1021484,
  bsc#1047606)
- Change the logic in load.sh to use kexec_load first. If it fails or if it is blocked by
  the kernel, then try kexec_load_file on x86_64. (bsc#951144, bsc#1056497)


-----------------------------------------
Patch: SUSE-2018-606
Released: Mon Apr  9 15:56:53 2018
Summary: Recommended update for yast2-users
Severity: important
References: 1088183
Description:
This update for yast2-users fixes the following issues:

- Remedy a regression that would cause yast2-users to crash when the root user
  is undefined in the configuration. [bsc#1088183]


-----------------------------------------
Patch: SUSE-2018-616
Released: Tue Apr 10 18:56:16 2018
Summary: Recommended update for xfsprogs
Severity: low
References: 1019938
Description:
This update for xfsprogs fixes the following issues:

- Fix segfaults in initramfs with many AGs. (bsc#1019938)


-----------------------------------------
Patch: SUSE-2018-620
Released: Wed Apr 11 14:45:40 2018
Summary: Initial release of python3-ipaddress and -pyasn1
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server and the Public Cloud 
Module:

- python3-ipaddress
- python3-pyasn1

-----------------------------------------
Patch: SUSE-2018-624
Released: Wed Apr 11 18:02:57 2018
Summary: Security update for openssl
Severity: moderate
References: 1087102,CVE-2018-0739
Description:
This update for openssl fixes the following issues:

    - CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) 
    could eventually exceed the stack given malicious input with excessive recursion. This could result 
    in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from 
    untrusted sources so this is considered safe. (bsc#1087102).



-----------------------------------------
Patch: SUSE-2018-632
Released: Thu Apr 12 18:02:21 2018
Summary: Security update for python3
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2017-18207: Fixed possible denial of service vulnerability by adding a check to Lib/wave.py that verifies that at least one channel is provided (bsc#1083507).

Bug fixes:

- Require python-Sphinx-latex for building on Leap 42.3 or newer.


-----------------------------------------
Patch: SUSE-2018-648
Released: Mon Apr 16 17:31:50 2018
Summary: Security update for ntp
Severity: moderate
References: 1077445,1082063,1082210,1083417,1083420,1083422,1083424,1083426,CVE-2016-1549,CVE-2018-7170,CVE-2018-7182,CVE-2018-7183,CVE-2018-7184,CVE-2018-7185
Description:
This update for ntp fixes the following issues:

- Update to 4.2.8p11 (bsc#1082210):
  * CVE-2016-1549: Sybil vulnerability: ephemeral association
    attack. While fixed in ntp-4.2.8p7, there are significant
    additional protections for this issue in 4.2.8p11.
  * CVE-2018-7182: ctl_getitem(): buffer read overrun
    leads to undefined behavior and information leak. (bsc#1083426)
  * CVE-2018-7170: Multiple authenticated ephemeral
    associations. (bsc#1083424)
  * CVE-2018-7184: Interleaved symmetric mode cannot
    recover from bad state. (bsc#1083422)
  * CVE-2018-7185: Unauthenticated packet can reset
    authenticated interleaved association. (bsc#1083420)
  * CVE-2018-7183: ntpq:decodearr() can write beyond its
    buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)



-----------------------------------------
Patch: SUSE-2018-651
Released: Mon Apr 16 19:25:08 2018
Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:

- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson

-----------------------------------------
Patch: SUSE-2018-656
Released: Wed Apr 18 12:08:13 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1086729
Description:
This update provides the latest timezone information (2018d) for your system, including following changes:

- In 2018, Palestine starts DST on March 24, not March 31.
- Casey Station in Antarctica changed from +11 to +08 on
  2018-03-11 at 04:00 (bsc#1086729).
- corrections for historical transitions.


-----------------------------------------
Patch: SUSE-2018-660
Released: Thu Apr 19 08:38:02 2018
Summary: Initial release of python3-idna
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server:

- python3-idna

-----------------------------------------
Patch: SUSE-2018-718
Released: Mon Apr 23 17:08:27 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1019695,1019699,1022604,1031717,1046610,1060799,1064206,1068032,1073059,1073069,1075428,1076033,1077560,1083574,1083745,1083836,1084223,1084310,1084328,1084353,1084452,1084610,1084699,1084829,1084889,1084898,1084914,1084918,1084967,1085042,1085058,1085224,1085383,1085402,1085404,1085487,1085507,1085511,1085679,1085981,1086015,1086162,1086194,1086357,1086499,1086518,1086607,1087088,1087211,1087231,1087260,1087274,1087659,1087845,1087906,1087999,1088050,1088087,1088241,1088267,1088313,1088324,1088600,1088684,1088871,802154,CVE-2017-18257,CVE-2018-1091,CVE-2018-7740,CVE-2018-8043,CVE-2018-8822
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.126 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service (bnc#1087231).
- CVE-2018-7740: The resv_map_release function in mm/hugetlb.c allowed local users to cause a denial of service (BUG) via a crafted application that made mmap system calls and has a large pgoff argument to the remap_file_pages system call (bnc#1084353).
- CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c did not validate certain resource availability, which allowed local users to cause a denial of service (NULL pointer dereference) (bnc#1084829).
- CVE-2017-18257: The __get_data_block function in fs/f2fs/data.c allowed local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. (bnc#1088241)
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162).


The following non-security bugs were fixed:

- acpica: Add header support for TPM2 table changes (bsc#1084452).
- acpica: Add support for new SRAT subtable (bsc#1085981).
- acpica: iasl: Update to IORT SMMUv3 disassembling (bsc#1085981).
- acpi/iort: numa: Add numa node mapping for smmuv3 devices (bsc#1085981).
- acpi, numa: fix pxm to online numa node associations (bnc#1012382).
- acpi / pmic: xpower: Fix power_table addresses (bnc#1012382).
- acpi/processor: Fix error handling in __acpi_processor_start() (bnc#1012382).
- acpi/processor: Replace racy task affinity logic (bnc#1012382).
- add mainline tag to various patches to be able to get further work done
- af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085507, LTC#165135).
- agp/intel: Flush all chipset writes after updating the GGTT (bnc#1012382).
- ahci: Add PCI-id for the Highpoint Rocketraid 644L card (bnc#1012382).
- alsa: aloop: Fix access to not-yet-ready substream via cable (bnc#1012382).
- alsa: aloop: Sync stale timer before release (bnc#1012382).
- alsa: firewire-digi00x: handle all MIDI messages on streaming packets (bnc#1012382).
- alsa: hda: Add a power_save blacklist (bnc#1012382).
- alsa: hda: add dock and led support for HP EliteBook 820 G3 (bnc#1012382).
- alsa: hda: add dock and led support for HP ProBook 640 G2 (bnc#1012382).
- alsa: hda/realtek - Always immediately update mute LED with pin VREF (bnc#1012382).
- alsa: hda/realtek - Fix dock line-out volume on Dell Precision 7520 (bnc#1012382).
- alsa: hda/realtek - Fix speaker no sound after system resume (bsc#1031717).
- alsa: hda - Revert power_save option default value (git-fixes).
- alsa: pcm: Fix UAF in snd_pcm_oss_get_formats() (bnc#1012382).
- alsa: usb-audio: Add a quirck for B&W PX headphones (bnc#1012382).
- alsa: usb-audio: Fix parsing descriptor of UAC2 processing unit (bnc#1012382).
- apparmor: Make path_max parameter readonly (bnc#1012382).
- arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support (bsc#1068032).
- arm64: Add missing Falkor part number for branch predictor hardening (bsc#1068032).
- arm64: capabilities: Handle duplicate entries for a capability (bsc#1068032).
- arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early (bsc#1068032).
- arm64 / cpuidle: Use new cpuidle macro for entering retention state (bsc#1084328).
- arm64: Enforce BBM for huge IO/VMAP mappings (bsc#1088313).
- arm64: fix smccc compilation (bsc#1068032).
- arm64: Kill PSCI_GET_VERSION as a variant-2 workaround (bsc#1068032).
- arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling (bsc#1068032).
- arm64: KVM: Increment PC after handling an SMC trap (bsc#1068032).
- arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support (bsc#1068032).
- arm64: mm: do not write garbage into TTBR1_EL1 register (bsc#1085487).
- arm64: mm: fix thinko in non-global page table attribute check (bsc#1088050).
- arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery (bsc#1068032).
- arm: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER (bnc#1012382).
- arm/arm64: KVM: Add PSCI_VERSION helper (bsc#1068032).
- arm/arm64: KVM: Add smccc accessors to PSCI code (bsc#1068032).
- arm/arm64: KVM: Advertise SMCCC v1.1 (bsc#1068032).
- arm/arm64: KVM: Consolidate the PSCI include files (bsc#1068032).
- arm/arm64: KVM: Implement PSCI 1.0 support (bsc#1068032).
- arm/arm64: KVM: Turn kvm_psci_version into a static inline (bsc#1068032).
- arm/arm64: smccc: Implement SMCCC v1.1 inline primitive (bsc#1068032).
- arm/arm64: smccc: Make function identifiers an unsigned quantity (bsc#1068032).
- arm: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP (bnc#1012382).
- arm: dts: Adjust moxart IRQ controller and flags (bnc#1012382).
- arm: dts: am335x-pepper: Fix the audio CODEC's reset pin (bnc#1012382).
- arm: dts: exynos: Correct Trats2 panel reset line (bnc#1012382).
- arm: dts: koelsch: Correct clock frequency of X2 DU clock input (bnc#1012382).
- arm: dts: LogicPD Torpedo: Fix I2C1 pinmux (bnc#1012382).
- arm: dts: LogicPD Torpedo: Fix I2C1 pinmux (bnc#1012382).
- arm: dts: omap3-n900: Fix the audio CODEC's reset pin (bnc#1012382).
- arm: dts: r8a7790: Correct parent of SSI[0-9] clocks (bnc#1012382).
- arm: dts: r8a7791: Correct parent of SSI[0-9] clocks (bnc#1012382).
- arm: mvebu: Fix broken PL310_ERRATA_753970 selects (bnc#1012382).
- asoc: rcar: ssi: do not set SSICR.CKDV = 000 with SSIWSR.CONT (bnc#1012382).
- ath10k: disallow DFS simulation if DFS channel is not enabled (bnc#1012382).
- ath10k: fix invalid STS_CAP_OFFSET_MASK (bnc#1012382).
- ath10k: update tdls teardown state to target (bnc#1012382).
- ath: Fix updating radar flags for coutry code India (bnc#1012382).
- batman-adv: handle race condition for claims between gateways (bnc#1012382).
- bcache: do not attach backing with duplicate UUID (bnc#1012382).
- blkcg: fix double free of new_blkg in blkcg_init_queue (bnc#1012382).
- blk-throttle: make sure expire time isn't too big (bnc#1012382).
- block: do not assign cmd_flags in __blk_rq_prep_clone (bsc#1088087).
- block-mq: stop workqueue items in blk_mq_stop_hw_queue() (bsc#1084967).
- bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 (bnc#1012382).
- bluetooth: hci_qca: Avoid setup failure on missing rampatch (bnc#1012382).
- bnx2x: Align RX buffers (bnc#1012382).
- bonding: refine bond_fold_stats() wrap detection (bnc#1012382).
- bpf: fix incorrect sign extension in check_alu_op() (bnc#1012382).
- bpf: skip unnecessary capability check (bnc#1012382).
- bpf, x64: implement retpoline for tail call (bnc#1012382).
- bpf, x64: increase number of passes (bnc#1012382).
- braille-console: Fix value returned by _braille_console_setup (bnc#1012382).
- brcmfmac: fix P2P_DEVICE ethernet address generation (bnc#1012382).
- bridge: check brport attr show in brport_show (bnc#1012382).
- btrfs: alloc_chunk: fix DUP stripe size handling (bnc#1012382).
- btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device (bnc#1012382).
- btrfs: improve delayed refs iterations (bsc#1076033).
- btrfs: incremental send, fix invalid memory access (git-fixes).
- btrfs: preserve i_mode if __btrfs_set_acl() fails (bnc#1012382).
- btrfs: send, fix file hole not being preserved due to inline extent (bnc#1012382).
- can: cc770: Fix queue stall & dropped RTR reply (bnc#1012382).
- can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack (bnc#1012382).
- can: cc770: Fix use after free in cc770_tx_interrupt() (bnc#1012382).
- ceph: only dirty ITER_IOVEC pages for direct read (bsc#1084898).
- ch9200: use skb_cow_head() to deal with cloned skbs (bsc#1088684).
- clk: bcm2835: Protect sections updating shared registers (bnc#1012382).
- clk: ns2: Correct SDIO bits (bnc#1012382).
- clk: qcom: msm8916: fix mnd_width for codec_digcodec (bnc#1012382).
- clk: si5351: Rename internal plls to avoid name collisions (bnc#1012382).
- coresight: Fix disabling of CoreSight TPIU (bnc#1012382).
- coresight: Fixes coresight DT parse to get correct output port ID (bnc#1012382).
- cpufreq: Fix governor module removal race (bnc#1012382).
- cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() (bnc#1012382).
- cpufreq/sh: Replace racy task affinity logic (bnc#1012382).
- cpuidle: Add new macro to enter a retention idle state (bsc#1084328).
- cros_ec: fix nul-termination for firmware build info (bnc#1012382).
- crypto: cavium - fix memory leak on info (bsc#1086518).
- dcache: Add cond_resched in shrink_dentry_list (bsc#1086194).
- dccp: check sk for closed state in dccp_sendmsg() (bnc#1012382).
- dmaengine: imx-sdma: add 1ms delay to ensure SDMA channel is stopped (bnc#1012382).
- dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 (bnc#1012382).
- dm: Always copy cmd_flags when cloning a request (bsc#1088087).
- driver: (adm1275) set the m,b and R coefficients correctly for power (bnc#1012382).
- drm: Allow determining if current task is output poll worker (bnc#1012382).
- drm/amdgpu/dce: Do not turn off DP sink when disconnected (bnc#1012382).
- drm/amdgpu: Fail fb creation from imported dma-bufs. (v2) (bnc#1012382).
- drm/amdgpu: Fix deadlock on runtime suspend (bnc#1012382).
- drm/amdgpu: fix KV harvesting (bnc#1012382).
- drm/amdgpu: Notify sbios device ready before send request (bnc#1012382).
- drm/amdkfd: Fix memory leaks in kfd topology (bnc#1012382).
- drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off) (bnc#1012382).
- drm/edid: set ELD connector type in drm_edid_to_eld() (bnc#1012382).
- drm/i915/cmdparser: Do not check past the cmd length (bsc#1031717).
- drm/i915/psr: Check for the specific AUX_FRAME_SYNC cap bit (bsc#1031717).
- drm/msm: fix leak in failed get_pages (bnc#1012382).
- drm/nouveau: Fix deadlock on runtime suspend (bnc#1012382).
- drm/nouveau/kms: Increase max retries in scanout position queries (bnc#1012382).
- drm/omap: DMM: Check for DMM readiness after successful transaction commit (bnc#1012382).
- drm: qxl: Do not alloc fbdev if emulation is not supported (bnc#1012382).
- drm/radeon: Do not turn off DP sink when disconnected (bnc#1012382).
- drm/radeon: Fail fb creation from imported dma-bufs (bnc#1012382).
- drm/radeon: Fix deadlock on runtime suspend (bnc#1012382).
- drm/radeon: fix KV harvesting (bnc#1012382).
- drm: udl: Properly check framebuffer mmap offsets (bnc#1012382).
- drm/vmwgfx: Fix a destoy-while-held mutex problem (bnc#1012382).
- drm/vmwgfx: Fixes to vmwgfx_fb (bnc#1012382).
- e1000e: Avoid missed interrupts following ICR read (bsc#1075428).
- e1000e: Avoid receiver overrun interrupt bursts (bsc#1075428).
- e1000e: Fix check_for_link return value with autoneg off (bsc#1075428).
- e1000e: Fix link check race condition (bsc#1075428).
- e1000e: Fix queue interrupt re-raising in Other interrupt (bsc#1075428).
- e1000e: fix timing for 82579 Gigabit Ethernet controller (bnc#1012382).
- e1000e: Remove Other from EIAC (bsc#1075428).
- edac, sb_edac: Fix out of bound writes during DIMM configuration on KNL (git-fixes 3286d3eb906c).
- ext4: inplace xattr block update fails to deduplicate blocks (bnc#1012382).
- f2fs: relax node version check for victim data in gc (bnc#1012382).
- fib_semantics: Do not match route with mismatching tclassid (bnc#1012382).
- firmware/psci: Expose PSCI conduit (bsc#1068032).
- firmware/psci: Expose SMCCC version through psci_ops (bsc#1068032).
- fixup: sctp: verify size of a new chunk in _sctp_make_chunk() (bnc#1012382).
- fs/aio: Add explicit RCU grace period when freeing kioctx (bnc#1012382).
- fs/aio: Use RCU accessors for kioctx_table->table[] (bnc#1012382).
- fs/hugetlbfs/inode.c: change put_page/unlock_page order in hugetlbfs_fallocate() (git-fixes, bsc#1083745).
- fs: Teach path_connected to handle nfs filesystems with multiple roots (bnc#1012382).
- genirq: Track whether the trigger type has been set (git-fixes).
- genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs (bnc#1012382).
- hdlc_ppp: carrier detect ok, do not turn off negotiation (bnc#1012382).
- hid: clamp input to logical range if no null state (bnc#1012382).
- hid: reject input outside logical range only if null state is set (bnc#1012382).
- hugetlbfs: fix offset overflow in hugetlbfs mmap (bnc#1084353).
- hv_balloon: fix bugs in num_pages_onlined accounting (fate#323887).
- hv_balloon: fix printk loglevel (fate#323887).
- hv_balloon: simplify hv_online_page()/hv_page_online_one() (fate#323887).
- i2c: i2c-scmi: add a MS HID (bnc#1012382).
- i2c: xlp9xx: Check for Bus state before every transfer (bsc#1084310).
- i2c: xlp9xx: Handle NACK on DATA properly (bsc#1084310).
- i2c: xlp9xx: Handle transactions with I2C_M_RECV_LEN properly (bsc#1060799).
- i2c: xlp9xx: return ENXIO on slave address NACK (bsc#1060799).
- i40e: Acquire NVM lock before reads on all devices (bnc#1012382).
- i40e: avoid NVM acquire deadlock during NVM update (git-fixes).
- ia64: fix module loading for gcc-5.4 (bnc#1012382).
- ib/ipoib: Avoid memory leak if the SA returns a different DGID (bnc#1012382).
- ib/ipoib: Update broadcast object if PKey value was changed in index 0 (bnc#1012382).
- ib/mlx4: Change vma from shared to private (bnc#1012382).
- ib/mlx4: Take write semaphore when changing the vma struct (bnc#1012382).
- ibmvfc: Avoid unnecessary port relogin (bsc#1085404).
- ibmvnic: Disable irqs before exiting reset from closed state (bsc#1084610).
- ibmvnic: Do not reset CRQ for Mobility driver resets (bsc#1088600).
- ibmvnic: Fix DMA mapping mistakes (bsc#1088600).
- ibmvnic: Fix failover case for non-redundant configuration (bsc#1088600).
- ibmvnic: Fix reset return from closed state (bsc#1084610).
- ibmvnic: Fix reset scheduler error handling (bsc#1088600).
- ibmvnic: Potential NULL dereference in clean_one_tx_pool() (bsc#1085224, git-fixes).
- ibmvnic: Remove unused TSO resources in TX pool structure (bsc#1085224).
- ibmvnic: Update TX pool cleaning routine (bsc#1085224).
- ibmvnic: Zero used TX descriptor counter on reset (bsc#1088600).
- ib/umem: Fix use of npages/nmap fields (bnc#1012382).
- ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() (bnc#1012382).
- iio: st_pressure: st_accel: Initialise sensor platform data properly (bnc#1012382).
- iio: st_pressure: st_accel: pass correct platform data to init (git-fixes).
- ima: relax requiring a file signature for new files with zero length (bnc#1012382).
- infiniband/uverbs: Fix integer overflows (bnc#1012382).
- input: matrix_keypad - fix race when disabling interrupts (bnc#1012382).
- input: qt1070 - add OF device ID table (bnc#1012382).
- input: tsc2007 - check for presence and power down tsc2007 during probe (bnc#1012382).
- iommu/omap: Register driver before setting IOMMU ops (bnc#1012382).
- iommu/vt-d: clean up pr_irq if request_threaded_irq fails (bnc#1012382).
- ip6_vti: adjust vti mtu according to mtu of lower device (bnc#1012382).
- ipmi: do not probe ACPI devices if si_tryacpi is unset (bsc#1060799).
- ipmi: Fix the I2C address extraction from SPMI tables (bsc#1060799).
- ipmi_ssif: Fix kernel panic at msg_done_handler (bsc#1088871).
- ipmi_ssif: Fix logic around alert handling (bsc#1060799).
- ipmi_ssif: remove redundant null check on array client->adapter->name (bsc#1060799).
- ipmi_ssif: unlock on allocation failure (bsc#1060799).
- ipmi:ssif: Use i2c_adapter_id instead of adapter->nr (bsc#1060799).
- ipmi: Use the proper default value for register size in ACPI (bsc#1060799).
- ipmi/watchdog: fix wdog hang on panic waiting for ipmi response (bnc#1012382).
- ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() (bnc#1012382).
- ipv6 sit: work around bogus gcc-8 -Wrestrict warning (bnc#1012382).
- ipvlan: add L2 check for packets arriving via virtual devices (bnc#1012382).
- irqchip/gic-v3-its: Add ACPI NUMA node mapping (bsc#1085981).
- irqchip/gic-v3-its: Allow GIC ITS number more than MAX_NUMNODES (bsc#1085981).
- irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis (bnc#1012382).
- irqchip/gic-v3-its: Remove ACPICA version check for ACPI NUMA (bsc#1085981).
- kbuild: disable clang's default use of -fmerge-all-constants (bnc#1012382).
- kbuild: Handle builtin dtb file names containing hyphens (bnc#1012382).
- kprobes/x86: Fix kprobe-booster not to boost far call instructions (bnc#1012382).
- kprobes/x86: Fix to set RWX bits correctly before releasing trampoline (git-fixes).
- kprobes/x86: Set kprobes pages read-only (bnc#1012382).
- kvm: arm/arm64: Handle CPU_PM_ENTER_FAILED (bsc#1086499).
- kvm: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending (bsc#1086499).
- kvm: arm/arm64: vgic: Do not populate multiple LRs with the same vintid (bsc#1086499).
- kvm: arm/arm64: vgic-its: Check result of allocation before use (bsc#).
- kvm: arm/arm64: vgic-its: Preserve the revious read from the pending table (bsc#1086499).
- kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3 (bsc#1086499).
- kvm: mmu: Fix overlap between public and private memslots (bnc#1012382).
- kvm: nVMX: fix nested tsc scaling (bsc1087999).
- kvm: PPC: Book3S PR: Exit KVM on failed mapping (bnc#1012382).
- kvm/x86: fix icebp instruction handling (bnc#1012382).
- l2tp: do not accept arbitrary sockets (bnc#1012382).
- libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs (bnc#1012382).
- libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs (bnc#1012382).
- libata: disable LPM for Crucial BX100 SSD 500GB drive (bnc#1012382).
- libata: Enable queued TRIM for Samsung SSD 860 (bnc#1012382).
- libata: fix length validation of ATAPI-relayed SCSI commands (bnc#1012382).
- libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions (bnc#1012382).
- libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version (bnc#1012382).
- libata: remove WARN() for DMA or PIO command without data (bnc#1012382).
- lock_parent() needs to recheck if dentry got __dentry_kill'ed under it (bnc#1012382).
- loop: Fix lost writes caused by missing flag (bnc#1012382).
- lpfc: update version to 11.4.0.7-1 (bsc#1085383).
- mac80211: do not parse encrypted management frames in ieee80211_frame_acked (bnc#1012382).
- mac80211: do not WARN on bad WMM parameters from buggy APs (bsc#1031717).
- mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED (bnc#1012382).
- mac80211: remove BUG() when interface type is invalid (bnc#1012382).
- md-cluster: fix wrong condition check in raid1_write_request (bsc#1085402).
- md/raid10: skip spare disk as 'first' disk (bnc#1012382).
- md/raid10: wait up frozen array in handle_write_completed (bnc#1012382).
- md/raid6: Fix anomily when recovering a single device in RAID6 (bnc#1012382).
- media: au0828: fix VIDEO_V4L2 dependency (bsc#1031717).
- media: bt8xx: Fix err 'bt878_probe()' (bnc#1012382).
- media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt (bnc#1012382).
- media: cpia2: Fix a couple off by one bugs (bnc#1012382).
- media: cx25821: prevent out-of-bounds read on array card (bsc#1031717).
- media/dvb-core: Race condition when writing to CAM (bnc#1012382).
- media: i2c/soc_camera: fix ov6650 sensor getting wrong clock (bnc#1012382).
- media: m88ds3103: do not call a non-initalized function (bnc#1012382).
- media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart (bnc#1012382).
- media: s3c-camif: fix out-of-bounds array access (bsc#1031717).
- mfd: palmas: Reset the POWERHOLD mux during power off (bnc#1012382).
- mmc: avoid removing non-removable hosts during suspend (bnc#1012382).
- mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs (bnc#1012382).
- mmc: dw_mmc: Fix the DTO/CTO timeout overflow calculation for 32-bit systems (bsc#1088267).
- mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a (bnc#1012382).
- mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative() (bnc#1012382).
- mm/hugetlb.c: do not call region_abort if region_chg fails (bnc#1084353).
- mm/vmalloc: add interfaces to free unmapped page table (bnc#1012382).
- mpls, nospec: Sanitize array index in mpls_label_ok() (bnc#1012382).
- mt7601u: check return value of alloc_skb (bnc#1012382).
- mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() (bnc#1012382).
- mtd: nand: fsl_ifc: Fix nand waitfunc return value (bnc#1012382).
- mtip32xx: use runtime tag to initialize command header (bnc#1012382).
- net/8021q: create device with all possible features in wanted_features (bnc#1012382).
- net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred (bnc#1012382).
- net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface (bnc#1012382).
- net/faraday: Add missing include of of.h (bnc#1012382).
- net: fec: Fix unbalanced PM runtime calls (bnc#1012382).
- netfilter: add back stackpointer size checks (bnc#1012382).
- netfilter: bridge: ebt_among: add missing match size checks (bnc#1012382).
- netfilter: IDLETIMER: be syzkaller friendly (bnc#1012382).
- netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt (bnc#1012382).
- netfilter: nat: cope with negative port range (bnc#1012382).
- netfilter: use skb_to_full_sk in ip_route_me_harder (bnc#1012382).
- netfilter: x_tables: fix missing timer initialization in xt_LED (bnc#1012382).
- netfilter: xt_CT: fix refcnt leak on error path (bnc#1012382).
- net: Fix hlist corruptions in inet_evict_bucket() (bnc#1012382).
- net: fix race on decreasing number of TX queues (bnc#1012382).
- net: hns: Fix ethtool private flags (bsc#1085511).
- net: ipv4: avoid unused variable warning for sysctl (git-fixes).
- net: ipv4: do not allow setting net.ipv4.route.min_pmtu below 68 (bnc#1012382).
- net: ipv6: send unsolicited NA after DAD (git-fixes).
- net: ipv6: send unsolicited NA on admin up (bnc#1012382).
- net/iucv: Free memory obtained by kzalloc (bnc#1012382).
- netlink: avoid a double skb free in genlmsg_mcast() (bnc#1012382).
- netlink: ensure to loop over all netns in genlmsg_multicast_allns() (bnc#1012382).
- net: mpls: Pull common label check into helper (bnc#1012382).
- net: Only honor ifindex in IP_PKTINFO if non-0 (bnc#1012382).
- net: systemport: Rewrite __bcm_sysport_tx_reclaim() (bnc#1012382).
- net: xfrm: allow clearing socket xfrm policies (bnc#1012382).
- nfc: nfcmrvl: double free on error path (bnc#1012382).
- nfc: nfcmrvl: Include unaligned.h instead of access_ok.h (bnc#1012382).
- nfsd4: permit layoutget of executable-only files (bnc#1012382).
- nfs: Fix an incorrect type in struct nfs_direct_req (bnc#1012382).
- nospec: Allow index argument to have const-qualified type (bnc#1012382).
- nospec: Include <asm/barrier.h> dependency (bnc#1012382).
- nvme: do not send keep-alive frames during reset (bsc#1084223).
- nvme: do not send keep-alives to the discovery controller (bsc#1086607).
- nvme: expand nvmf_check_if_ready checks (bsc#1085058).
- nvme/rdma: do no start error recovery twice (bsc#1084967).
- nvmet_fc: prevent new io rqsts in possible isr completions (bsc#1083574).
- of: fix of_device_get_modalias returned length when truncating buffers (bnc#1012382).
- openvswitch: Delete conntrack entry clashing with an expectation (bnc#1012382).
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (bsc#1075428).
- pci/ACPI: Fix bus range comparison in pci_mcfg_lookup() (bsc#1084699).
- pci: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L (bnc#1012382).
- pci: Add pci_reset_function_locked() (bsc#1084889).
- pci: Apply Cavium ACS quirk only to CN81xx/CN83xx/CN88xx devices (bsc#1084914).
- pci: Avoid FLR for Intel 82579 NICs (bsc#1084889).
- pci: Avoid slot reset if bridge itself is broken (bsc#1084918).
- pci: Export pcie_flr() (bsc#1084889).
- pci: hv: Fix 2 hang issues in hv_compose_msi_msg() (fate#323887, bsc#1087659, bsc#1087906).
- pci: hv: Fix a comment typo in _hv_pcifront_read_config() (fate#323887, bsc#1087659).
- pci: hv: Only queue new work items in hv_pci_devices_present() if necessary (fate#323887, bsc#1087659).
- pci: hv: Remove the bogus test in hv_eject_device_work() (fate#323887, bsc#1087659).
- pci: hv: Serialize the present and eject work items (fate#323887, bsc#1087659).
- pci: Mark Haswell Power Control Unit as having non-compliant BARs (bsc#1086015).
- pci/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown() (bnc#1012382).
- pci: Probe for device reset support during enumeration (bsc#1084889).
- pci: Protect pci_error_handlers->reset_notify() usage with device_lock() (bsc#1084889).
- pci: Protect restore with device lock to be consistent (bsc#1084889).
- pci: Remove __pci_dev_reset() and pci_dev_reset() (bsc#1084889).
- pci: Remove redundant probes for device reset support (bsc#1084889).
- pci: Wait for up to 1000ms after FLR reset (bsc#1084889).
- perf inject: Copy events when reordering events in pipe mode (bnc#1012382).
- perf probe: Return errno when not hitting any event (bnc#1012382).
- perf session: Do not rely on evlist in pipe mode (bnc#1012382).
- perf sort: Fix segfault with basic block 'cycles' sort dimension (bnc#1012382).
- perf tests kmod-path: Do not fail if compressed modules are not supported (bnc#1012382).
- perf tools: Make perf_event__synthesize_mmap_events() scale (bnc#1012382).
- perf/x86/intel: Do not accidentally clear high bits in bdw_limit_period() (bnc#1012382).
- perf/x86/intel/uncore: Fix multi-domain PCI CHA enumeration bug on Skylake servers (bsc#1086357).
- pinctrl: Really force states during suspend/resume (bnc#1012382).
- platform/chrome: Use proper protocol transfer function (bnc#1012382).
- platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA (bnc#1012382).
- power: supply: pda_power: move from timer to delayed_work (bnc#1012382).
- ppp: prevent unregistered channels from connecting to PPP units (bnc#1012382).
- pty: cancel pty slave port buf's work in tty_release (bnc#1012382).
- pwm: tegra: Increase precision in PWM rate calculation (bnc#1012382).
- qed: Free RoCE ILT Memory on rmmod qedr (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- qed: Use after free in qed_rdma_free() (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).
- qeth: repair SBAL elements calculation (bnc#1085507, LTC#165484).
- qlcnic: fix unchecked return value (bnc#1012382).
- rcutorture/configinit: Fix build directory error message (bnc#1012382).
- rdma/cma: Use correct size when writing netlink stats (bnc#1012382).
- rdma/core: Do not use invalid destination in determining port reuse (FATE#321231 FATE#321473 FATE#322153 FATE#322149).
- rdma/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() (bnc#1012382).
- rdma/mlx5: Fix integer overflow while resizing CQ (bnc#1012382).
- rdma/ocrdma: Fix permissions for OCRDMA_RESET_STATS (bnc#1012382).
- rdma/ucma: Check that user does not overflow QP state (bnc#1012382).
- rdma/ucma: Fix access to non-initialized CM_ID object (bnc#1012382).
- rdma/ucma: Limit possible option size (bnc#1012382).
- regmap: Do not use format_val in regmap_bulk_read (bsc#1031717).
- regmap: Fix reversed bounds check in regmap_raw_write() (bsc#1031717).
- regmap: Format data for raw write in regmap_bulk_write (bsc#1031717).
- regmap-i2c: Off by one in regmap_i2c_smbus_i2c_read/write() (bsc#1031717).
- regulator: anatop: set default voltage selector for pcie (bnc#1012382).
- reiserfs: Make cancel_old_flush() reliable (bnc#1012382).
- Revert 'ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux' (bnc#1012382).
- Revert 'e1000e: Separate signaling for link check/link up' (bsc#1075428).
- Revert 'genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs' (bnc#1012382).
- Revert 'ipvlan: add L2 check for packets arriving via virtual devices' (reverted in upstream).
- Revert 'led: core: Fix brightness setting when setting delay_off=0' (bnc#1012382).
- rndis_wlan: add return value validation (bnc#1012382).
- rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs (bnc#1012382).
- rtlwifi: rtl8723be: Fix loss of signal (bnc#1012382).
- rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled (bnc#1012382).
- s390/mm: fix local TLB flushing vs. detach of an mm address space (bnc#1088324, LTC#166470).
- s390/mm: fix race on mm->context.flush_mm (bnc#1088324, LTC#166470).
- s390/mm: no local TLB flush for clearing-by-ASCE IDTE (bnc#1088324, LTC#166470).
- s390/qeth: apply takeover changes when mode is toggled (bnc#1085507, LTC#165490).
- s390/qeth: do not apply takeover changes to RXIP (bnc#1085507, LTC#165490).
- s390/qeth: fix double-free on IP add/remove race (bnc#1085507, LTC#165491).
- s390/qeth: fix IPA command submission race (bnc#1012382).
- s390/qeth: fix IP address lookup for L3 devices (bnc#1085507, LTC#165491).
- s390/qeth: fix IP removal on offline cards (bnc#1085507, LTC#165491).
- s390/qeth: fix SETIP command handling (bnc#1012382).
- s390/qeth: free netdevice when removing a card (bnc#1012382).
- s390/qeth: improve error reporting on IP add/removal (bnc#1085507, LTC#165491).
- s390/qeth: lock IP table while applying takeover changes (bnc#1085507, LTC#165490).
- s390/qeth: lock read device while queueing next buffer (bnc#1012382).
- s390/qeth: on channel error, reject further cmd requests (bnc#1012382).
- s390/qeth: update takeover IPs after configuration change (bnc#1085507, LTC#165490).
- s390/qeth: when thread completes, wake up all waiters (bnc#1012382).
- sched: act_csum: do not mangle TCP and UDP GSO packets (bnc#1012382).
- sched: Stop resched_cpu() from sending IPIs to offline CPUs (bnc#1012382).
- sched: Stop switched_to_rt() from sending IPIs to offline CPUs (bnc#1012382).
- scsi: core: scsi_get_device_flags_keyed(): Always return device flags (bnc#1012382).
- scsi: devinfo: apply to HP XP the same flags as Hitachi VSP (bnc#1012382).
- scsi: dh: add new rdac devices (bnc#1012382).
- scsi: lpfc: Add missing unlock in WQ full logic (bsc#1085383).
- scsi: lpfc: Code cleanup for 128byte wqe data type (bsc#1085383).
- scsi: lpfc: Fix mailbox wait for POST_SGL mbox command (bsc#1085383).
- scsi: lpfc: Fix NVME Initiator FirstBurst (bsc#1085383).
- scsi: lpfc: Fix SCSI lun discovery when port configured for both SCSI and NVME (bsc#1085383).
- scsi: lpfc: Memory allocation error during driver start-up on power8 (bsc#1085383).
- scsi: mac_esp: Replace bogus memory barrier with spinlock (bnc#1012382).
- scsi: sg: check for valid direction before starting the request (bnc#1012382).
- scsi: sg: fix SG_DXFER_FROM_DEV transfers (bnc#1012382).
- scsi: sg: fix static checker warning in sg_is_valid_dxfer (bnc#1012382).
- scsi: sg: only check for dxfer_len greater than 256M (bnc#1012382 bsc#1064206).
- scsi: virtio_scsi: always read VPD pages for multiqueue too (git-fixes).
- scsi: virtio_scsi: Always try to read VPD pages (bnc#1012382).
- sctp: fix dst refcnt leak in sctp_v4_get_dst (bnc#1012382).
- sctp: fix dst refcnt leak in sctp_v6_get_dst() (bnc#1012382).
- sctp: verify size of a new chunk in _sctp_make_chunk() (bnc#1012382).
- selftests/x86: Add tests for the STR and SLDT instructions (bnc#1012382).
- selftests/x86: Add tests for User-Mode Instruction Prevention (bnc#1012382).
- selftests/x86/entry_from_vm86: Add test cases for POPF (bnc#1012382).
- selftests/x86/entry_from_vm86: Exit with 1 if we fail (bnc#1012382).
- selinux: check for address length in selinux_socket_bind() (bnc#1012382).
- serial: 8250_pci: Add Brainboxes UC-260 4 port serial device (bnc#1012382).
- serial: sh-sci: prevent lockup on full TTY buffers (bnc#1012382).
- skbuff: Fix not waking applications when errors are enqueued (bnc#1012382).
- sm501fb: do not return zero on failure path in sm501fb_start() (bnc#1012382).
- solo6x10: release vb2 buffers in solo_stop_streaming() (bnc#1012382).
- spi: dw: Disable clock after unregistering the host (bnc#1012382).
- spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer (bnc#1012382).
- spi: sun6i: disable/unprepare clocks on remove (bnc#1012382).
- staging: android: ashmem: Fix lockdep issue during llseek (bnc#1012382).
- staging: android: ashmem: Fix possible deadlock in ashmem_ioctl (bnc#1012382).
- staging: comedi: fix comedi_nsamples_left (bnc#1012382).
- staging: lustre: ptlrpc: kfree used instead of kvfree (bnc#1012382).
- staging: ncpfs: memory corruption in ncp_read_kernel() (bnc#1012382).
- staging: speakup: Replace BUG_ON() with WARN_ON() (bnc#1012382).
- staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y (bnc#1012382).
- staging: wilc1000: add check for kmalloc allocation failure (bnc#1012382).
- staging: wilc1000: fix unchecked return value (bnc#1012382).
- sysrq: Reset the watchdog timers while displaying high-resolution timers (bnc#1012382).
- target: prefer dbroot of /etc/target over /var/target (bsc#1087274).
- tcm_fileio: Prevent information leak for short reads (bnc#1012382).
- tcp: remove poll() flakes with FastOpen (bnc#1012382).
- tcp: sysctl: Fix a race to avoid unexpected 0 window from space (bnc#1012382).
- team: Fix double free in error path (bnc#1012382).
- test_firmware: fix setting old custom fw path back on exit (bnc#1012382).
- time: Change posix clocks ops interfaces to use timespec64 (bnc#1012382).
- timers, sched_clock: Update timeout for clock wrap (bnc#1012382).
- tools/usbip: fixes build with musl libc toolchain (bnc#1012382).
- tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus (bnc#1012382).
- tpm/tpm_crb: Use start method value from ACPI table directly (bsc#1084452).
- tracing: probeevent: Fix to support minus offset from symbol (bnc#1012382).
- tty/serial: atmel: add new version check for usart (bnc#1012382).
- tty: vt: fix up tabstops properly (bnc#1012382).
- uas: fix comparison for error code (bnc#1012382).
- ubi: Fix race condition between ubi volume creation and udev (bnc#1012382).
- udplite: fix partial checksum initialization (bnc#1012382).
- usb: Do not print a warning if interface driver rebind is deferred at resume (bsc#1087211).
- usb: dwc2: Make sure we disconnect the gadget state (bnc#1012382).
- usb: gadget: bdc: 64-bit pointer capability check (bnc#1012382).
- usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control() (bnc#1012382).
- usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() (bnc#1012382).
- usb: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe() (bnc#1012382).
- usb: quirks: add control message delay for 1b1c:1b20 (bnc#1012382).
- usb: storage: Add JMicron bridge 152d:2567 to unusual_devs.h (bnc#1012382).
- usb: usbmon: Read text within supplied buffer size (bnc#1012382).
- usb: usbmon: remove assignment from IS_ERR argument (bnc#1012382).
- veth: set peer GSO values (bnc#1012382).
- vgacon: Set VGA struct resource types (bnc#1012382).
- video: ARM CLCD: fix dma allocation size (bnc#1012382).
- video: fbdev: udlfb: Fix buffer on stack (bnc#1012382).
- video/hdmi: Allow 'empty' HDMI infoframes (bnc#1012382).
- vxlan: vxlan dev should inherit lowerdev's gso_max_size (bnc#1012382).
- wan: pc300too: abort path on failure (bnc#1012382).
- watchdog: hpwdt: Check source of NMI (bnc#1012382).
- watchdog: hpwdt: fix unused variable warning (bnc#1012382).
- watchdog: hpwdt: SMBIOS check (bnc#1012382).
- watchdog: sbsa: use 32-bit read for WCV (bsc#1085679).
- wil6210: fix memory access violation in wil_memcpy_from/toio_32 (bnc#1012382).
- workqueue: Allow retrieval of current task's work struct (bnc#1012382).
- x86/apic/vector: Handle legacy irq data correctly (bnc#1012382).
- x86/boot/64: Verify alignment of the LOAD segment (bnc#1012382).
- x86/build/64: Force the linker to use 2MB page size (bnc#1012382).
- x86/entry/64: Do not use IST entry for #BP stack (bsc#1087088).
- x86: i8259: export legacy_pic symbol (bnc#1012382).
- x86/kaiser: Duplicate cpu_tss for an entry trampoline usage (bsc#1077560 bsc#1083836).
- x86/kaiser: enforce trampoline stack alignment (bsc#1087260).
- x86/kaiser: Remove a user mapping of cpu_tss structure (bsc#1077560 bsc#1083836).
- x86/kaiser: Use a per-CPU trampoline stack for kernel entry (bsc#1077560).
- x86/MCE: Serialize sysfs changes (bnc#1012382).
- x86/mm: Fix vmalloc_fault to use pXd_large (bnc#1012382).
- x86/mm: implement free pmd/pte page interfaces (bnc#1012382).
- x86/module: Detect and skip invalid relocations (bnc#1012382).
- x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist (bsc#1087845).
- x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 (bnc#1012382).
- x86/vm86/32: Fix POPF emulation (bnc#1012382).
- xen-blkfront: fix mq start/stop race (bsc#1085042).
- xen-netback: use skb to determine number of required guest Rx requests (bsc#1046610).


-----------------------------------------
Patch: SUSE-2018-730
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).


-----------------------------------------
Patch: SUSE-2018-733
Released: Wed Apr 25 14:15:35 2018
Summary: Security update for zsh
Severity: important
References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914,CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Description:
This update for zsh fixes the following issues:

  - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)

  - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)

  - CVE-2014-10072: buffer overflow In utils.c when scanning 
very long directory paths for symbolic links. (bnc#1082975)

  - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in 
undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)

  - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference 
could lead to denial of service (bnc#1082998)

  - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)
 
  - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)

  - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, 
as demonstrated by typeset -p. (bnc#1082991)
  
  - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)
    
  - Autocomplete and REPORTTIME broken (bsc#896914)



-----------------------------------------
Patch: SUSE-2018-735
Released: Wed Apr 25 14:16:37 2018
Summary: Recommended update for LibreOffice
Severity: low
References: 1042829,1077375,1080249,1083213,1083993,1088662,1089124,CVE-2017-9432,CVE-2017-9433,CVE-2018-1055,CVE-2018-6871
Description:

LibreOffice was updated to version 6.0.3.

Following new features were added:

- The Notebookbar, although still an experimental feature, has been
  enriched with two new variants: Grouped Bar Full for Writer, Calc and
  Impress, and Tabbed Compact for Writer. The Special Characters dialog
  has been reworked, with the addition of lists for Recent and Favorite
  characters, along with a Search field. The Customize dialog has also
  been redesigned, and is now more modern and intuitive.
- In Writer, a Form menu has been added, making it easier to access one
  of the most powerful – and often unknown – LibreOffice features: the
  ability to design forms, and create standards-compliant PDF forms. The
  Find toolbar has been enhanced with a drop-down list of search types, to
  speed up navigation. A new default table style has been added, together
  with a new collection of table styles to reflect evolving visual trends.
- The Mail Merge function has been improved, and it is now possible to
  use either a Writer document or an XLSX file as data source.
- In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have
  been added, to improve support for the ISO standard format. Also, a
  cell range selection or a selected group of shapes (images) can be now
  exported in PNG or JPG format.
- In Impress, the default slide size has been switched to 16:9, to support
  the most recent form factors of screens and projectors. As a consequence,
  10 new Impress templates have been added, and a couple of old templates
  have been updated.

Changes in components:

- The old WikiHelp has been replaced by the new Help Online system, with
  attractive web pages that can also be displayed on mobile devices. In
  general, LibreOffice Help has been updated both in terms of contents and
  code, with other improvements due all along the life of the LibreOffice
  6 family.
- User dictionaries now allow automatic affixation or compounding. This
  is a general spell checking improvement in LibreOffice which can speed
  up work for Writer users. Instead of manually handling several forms of a
  new word in a language with rich morphology or compounding, the Hunspell
  spell checker can automatically recognize a new word with affixes or
  compounds, based on a “Grammar By” model.

Security features and changes:

- OpenPGP keys can be used to sign ODF documents on all desktop operating
  systems, with experimental support for OpenPGP-based encryption. To enable
  this feature, users will have to install the specific GPG software for
  their operating systems.

- Document classification has also been improved, and allows multiple
  policies (which are now exported to OOXML files). In Writer, marking
  and signing are now supported at paragraph level.

Interoperability changes:

- OOXML interoperability has been improved in several areas: import of
  SmartArt and import/export of ActiveX controls, support of embedded text
  documents and spreadsheets, export of embedded videos to PPTX, export
  of cross-references to DOCX, export of MailMerge fields to DOCX, and
  improvements to the PPTX filter to prevent the creation of broken files.
- New filters for exporting Writer documents to ePub and importing
  QuarkXPress files have also been added, together with an improved filter
  for importing EMF+ (Enhanced Metafile Format Plus) files as used by
  Microsoft Office documents. Some improvements have also been added
  to the ODF export filter, making it easier for other ODF readers to
  display visuals.

The full blog entry for the 6.0 release can be found here:

	https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/

The full release notes can be found here:

	https://wiki.documentfoundation.org/ReleaseNotes/6.0

The libraries that LibreOffice depends on also have been udpated to their current versions.
  

-----------------------------------------
Patch: SUSE-2018-736
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search.
  (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search.
  (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s`
  messages. (bsc#1079991)


-----------------------------------------
Patch: SUSE-2018-739
Released: Wed Apr 25 16:52:10 2018
Summary: Recommended update for supportutils
Severity: important
References: 1069457
Description:

This update for supportutils fixes the following issues:

- correctly detect CaaS Platforms docker installation (bsc#1069457)


-----------------------------------------
Patch: SUSE-2018-746
Released: Thu Apr 26 15:44:55 2018
Summary: Recommended update for yast2-installation, yast2-storage
Severity: low
References: 1036838,1042554,1051200,1051762
Description:
This update for yast2-installation and yast2-storage provides the following fixes:

Fixes for yast2-installation:

- Update YaST2-Firstboot.service: Deprecate `plymouth --wait` and add conflict to plymouth
  start service.
- Update YaST2-Second-Stage.service: Deprecate the plymouth deactivate command and add
  conflict to plymouth start service. (bsc#1042554)
- Make filesystem type for home and root configurable in control.xml. (bsc#1051762)
- Allow different mount point for home partition. (fate#323532, bsc#1051200)
- Move remaining CaaSP specific code to yast2-caasp package. (bsc#1036838, bsc#1051200)

Fixes for yast2-storage:

- Make filesystem type for home and root configurable in control.xml. (bsc#1051762)


-----------------------------------------
Patch: SUSE-2018-749
Released: Thu Apr 26 19:23:14 2018
Summary: Recommended update for nfs-utils
Severity: low
References: 1017909,1040968,1053691
Description:

This update for nfs-utils provides the following fixes:

- Fix nfs-client's service dependency so that when YaST restarts 'nfs' the action
  is propagated to 'nfs-client' as well. (bsc#1053691)
- Allow umount to work when NFS server is down. (bsc#1040968)
- Fix exit code of nfsstat(8). (bsc#1017909)


-----------------------------------------
Patch: SUSE-2018-754
Released: Mon Apr 30 10:59:32 2018
Summary: Recommended update for yast2-packager
Severity: low
References: 1078323
Description:
This update for yast2-packager adds a warning to inform the user that changes in a repository
managed by a service will be lost in the next refresh of the service (bsc#1078323).

-----------------------------------------
Patch: SUSE-2018-769
Released: Tue May  1 20:38:36 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1082130,1083945,1087932
Description:

This update for the system compiler gcc48 fixes the following issues:

- Support for generating IBM Z series Spectre Variant 2 fix method 'expolines' was added (bsc#1083945)
- A miscompilation of SPECcpu2017 526.blender was fixed. (bsc#1082130)
- ARM Arch64 Cortex-A53 errata 843419 and 835769 were enabled by default, which could have lead
  to crashes of built binaries. (bsc#1087932)

  

-----------------------------------------
Patch: SUSE-2018-777
Released: Wed May  2 17:46:46 2018
Summary: Security update for patch
Severity: important
References: 1080918,1080951,1088420,CVE-2016-10713,CVE-2018-1000156,CVE-2018-6951
Description:
This update for patch fixes the following issues:

Security issues fixed:

- CVE-2018-1000156: Malicious patch files cause ed to execute arbitrary commands (bsc#1088420).
- CVE-2018-6951: Fixed NULL pointer dereference in the intuit_diff_type function in pch.c (bsc#1080918).
- CVE-2016-10713: Fixed out-of-bounds access within pch_write_line() in pch.c (bsc#1080918).



-----------------------------------------
Patch: SUSE-2018-778
Released: Wed May  2 22:15:23 2018
Summary: Recommended update for sapconf
Severity: moderate
References: 1026862,1031073,1032516,1048550,1064720,1070386,1070390,1070494,1070495,1070496,1070503,1070506,1070508,1071539,1087455
Description:
This update for sapconf provides the following fixes:

- Refactoring sapconf parameter settings together with SAP Linux Lab. (fate#324491)
  ATTENTION: One main feature of this sapconf package update is a consolidation of all
  sapconf configuration settings into the central /etc/sysconfig/sapconf configuration
  file (except those settings related to ASE or BOBJ and those settings which can only
  be set via tuned.conf). This will result in a lot of configuration file changes concerning
  the following files:
  * /etc/sysconfig/sapconf
  * /etc/sysconfig/sapnote-1557506
  * /usr/lib/tuned/sap-netweaver/tuned.conf
  * /usr/lib/tuned/sap-hana/tuned.conf.
  This means that your system configuration will be changed after a restart of tuned or
  during a system reboot. Please read carefully the following information about configuration
  file handling before restarting tuned or rebooting the system. (bsc#1070508)

- The configuration file handling during the package installation has changed (bsc#1070496,
  bsc#1070508):
  * During an initial package installation the new sysconfig file, which includes the
    pagecache values from the former file sapnote-1557506 are copied to /etc/sysconfig/sapconf
    and the changes will take effect immediately after the package installation.
  * During a package update, previously created /etc/sysconfig files will exist. The file
    /etc/sysconfig/sapconf is saved to /etc/sysconfig/sapconf.rpmsave and the new sysconfig
    file is copied to /etc/sysconfig.
  * If the pagecache handling is enabled in the file /etc/sysconfig/sapnote-1557506, the
    values from this file are copied to /etc/sysconfig/sapconf and the obsolete file
    /etc/sysconfig/sapnote-1557506 is removed. The changes will take effect immediately
    after the package installation.
  * If the file /etc/sysconfig/sapconf.rpmsave exists and contains system specific
    modifications, please check after the package installation and merge these changes
    manually into /etc/sysconfig/sapconf.
  * Remove the file /etc/sysconfig/sapconf.rpmsave before you restart the sapconf service
    to get the changes take effect.

- Add a systemd unit file sapconf.service to start tuned, uuidd.socket and sysstat during
  system boot and after initial package installation and to restart tuned during package
  update so that the changes will take effect immediately. (fate#325471, bsc#1087455)

- Check if pagecache limit is available at the system and if yes, set pagecache limit
  according to the settings in /etc/sysconfig/sapconf. If not, write a message to the log
  file. (bsc#1071539, fate#323778)

- Use the same tuning values for HANA and Netweaver workloads. That means the use of the
  same tuned.conf and script.sh file for both profiles (sap-hana and sap-netweaver). This
  should lead to a better base for mixed HANA and ABAB workloads on one system. (bsc#1070508)

- The pagecache configuration is now integrated in the general sapconf sysconfig file and
  the old sysconfig file sapnote-1557506 is obsolete. As before pagecache handling is
  disabled by default.

- The following parameters are additionally specified (instead of static tuning inside
  the tuning script or defined in other configuration files like tuned.conf or
  sapnote-1557506) or changed in the central configuration file /etc/sysconfig/sapconf
  (bsc#1070494, bsc#1070495, bsc#1070496, bsc#1070508):
  * vm.max_map_count, vm.dirty_bytes, vm.dirty_background_bytes, kernel.shmmni,
    net.ipv4.tcp_slow_start_after_idle, ksm, transparent_hugepages, numa_balancing: parameters
    added and value changed.
  * vm.pagecache_limit_ignore_dirty, vm.pagecache_limit_mb: parameters added and commented out
  * kernel.shmall, kernel.shmmax, kernel.sem: parameters changed.
  But keep in mind: higher system value will ever remain unchanged. sapconf will respect
  higher values set by the system or by the administrator using sysctl configuration files.
  Values set with sysctl command will respect too, but they will not survive a system
  reboot. Every tuning action is logged to /var/log/sapconf.log

- The following parameters were specified in tuned.conf of profile sap-hana and/or
  sap-netweaver before but were removed from tuned.conf because they are redundant, not
  mentioned in any SAP Note, replaced by another parameter, moved to another configuration
  file or commented out, or because they are only valid for a special architecture or
  special tasks (like the [cpu] part was only valid for Intel architecture and only
  performance related):
  * vm.swappiness, kernel.sched_min_granularity_ns, kernel.sched_wakeup_granularity_ns,
    readahead: parameters removed.
  * [cpu] section with governor, energy_perf_bias, min_perf_pct: parameters commented out.
  * vm.dirty_ratio, vm.dirty_background_ratio: parameters removed from tuned.conf, replaced
    by vm.dirty_bytes, vm.dirty_background_bytes defined in sysconfig/sapconf.
  * kernel.sem, net.ipv4.tcp_slow_start_after_idle, transparent_hugepages: parameters moved
    to sysconfig/sapconf.
  ATTENTION: these changes will take effect immediately after
  restarting tuned.  Unless the administrator is using a custom copy of the tuned.conf
  file in /etc/tuned/<profile> (where <profile> may be sap-hana or sap-netweaver)
  to set own or changed values, the tuned.conf files in /etc/tuned/<profile> remain
  untouched during package installation. To get the new behavior SAP recommends, remove
  the profile copy from /etc/tuned or copy the new tuned.conf file from /usr/lib/tuned/<profile>
  to /etc/tuned/<profile> or compare the files in /etc/tuned/<profile> with
  the files in /usr/lib/tuned/<profile> manually and adjust the content, if needed.
  (bsc#1070494, bsc#1070495, bsc#1070496, bsc#1070503, bsc#1048550, bsc#1064720)

- Setting of UserTasksMax, a parameter of the systemd login manager, will be done in the
  post script during the package installation. The value is set to 'infinity'.
  NOTE: A reboot is needed after the first setup to get the changes to take effect. A
  message will indicate if a reboot is necessary. As before there is no automatic rollback.
  (bsc#1070386)

- Enable and start sysstat service during post script of the package installation (see
  SAP Note 1310037). (bsc#1070390)

- Add package requirements including a short description to the man page of sapconf and to
  the central configuration file /etc/sysconfig/sapconf. (bsc#1070390)

- Update the sapconf man page and associated man pages to reflect all the changes of this
  sapconf version. (bsc#1070506)

- Respect active tuned profile during reboot of the system even if it is not a 'sap' profile.
  sapconf only activates sap-netweaver profile by default, if NO tuned profile is actually
  set. (bsc#1026862)

- Re-insert 'elevator=noop' to tuned.conf of profile sap-hana and sap-netweaver.
  (bsc#1031073, bsc#1032516, bsc#1070494)

- sapconf will set ALL values specified in the file /etc/sysconfig/sapconf irrespective of
  the current system value. The values will not only be increased, but also decreased if
  the value in the sysconfig file is lower than the current system value. All actions are
  logged to /var/log/sapconf.log. (fate#325547)

- Change variable names in sysconfig file to avoid confusion. (bsc#1070495)

- Remove unnecessary TMPFS_SIZE_MIN from sysconfig file. (bsc#1070496)


-----------------------------------------
Patch: SUSE-2018-779
Released: Wed May  2 22:16:26 2018
Summary: Recommended update for rpm
Severity: low
References: 1003714,1027925,1069934
Description:

This update for rpm provides the following fixes:

- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1
  if the first version is less than, equal or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and
  returns the version number of the installed package. If no package provides the argument,
  it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name
  or provided capability name, the second argument is an operator ( < <= = >= > != )
  and the third parameter is a version string to be compared to the installed version of
  the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument
  and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values
  have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package
  or capability can't be found. (bsc#1069934)


-----------------------------------------
Patch: SUSE-2018-797
Released: Mon May  7 07:07:38 2018
Summary: Recommended update for gcc7
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:

  
This update for gcc7 to 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure.  [bsc#1083290]
- Various AArch64 compile fixes are included:

  * Picks fix to no longer enable -mpc-relative-literal-loads by default
    with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64.  [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]

- Revert the ios_base::failure ABI back to compatible behavior with the default ABI.  [bsc#1087550]

- Fix nvptx offload target compiler install so GCC can pick up
  required files.  Split out the newlib part into cross-nvptx-newlib7-devel
  and avoid conflicts with GCC 8 variant via Provides/Conflicts
  of cross-nvptx-newlib-devel.



-----------------------------------------
Patch: SUSE-2018-799
Released: Mon May  7 12:57:46 2018
Summary: Recommended update for the SLE Server release-package
Severity: moderate
References: 1086279
Description:
This update removes the wrong End of Life date for SLE Server 12 SP3.

The End of Life depends on the release of the next Service Pack, which is not available yet.

-----------------------------------------
Patch: SUSE-2018-803
Released: Mon May  7 14:56:28 2018
Summary: Security update for apache2
Severity: moderate
References: 1086774,1086775,1086813,1086814,1086817,1086820,CVE-2017-15710,CVE-2017-15715,CVE-2018-1283,CVE-2018-1301,CVE-2018-1302,CVE-2018-1303,CVE-2018-1312
Description:
This update for apache2 fixes the following issues:

  * CVE-2018-1283:  when mod_session is configured to forward its session data to CGI applications 
                    (SessionEnv on, not the default), a remote user may influence their content by 
                    using a \'Session\' header leading to unexpected behavior [bsc#1086814].

  * CVE-2018-1301: due to an out of bound access after a size limit being reached by reading the HTTP header, 
                   a specially crafted request could lead to remote denial of service. [bsc#1086817]
  
  * CVE-2018-1303: a specially crafted HTTP request header could lead to crash due to an out of bound read 
                   while preparing data to be cached in shared memory.[bsc#1086813]
  
  * CVE-2017-15715: a regular expression could match '$' to a newline character in a malicious filename, 
                    rather than matching only the end of the filename. leading to corruption of uploaded files.[bsc#1086774]
  
  * CVE-2018-1312: when generating an HTTP Digest authentication challenge, the nonce sent to prevent 
                   reply attacks was not correctly generated using a pseudo-random seed. 
                   In a cluster of servers using a common Digest authentication configuration, 
                   HTTP requests could be replayed across servers by an attacker without detection. [bsc#1086775]
  
  * CVE-2017-15710: mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, 
                    uses the Accept-Language header value to lookup the right charset encoding when verifying the 
                    user's credentials. If the header value is not present in the charset conversion table, 
                    a fallback mechanism is used to truncate it to a two characters value to allow a quick retry 
                    (for example, 'en-US' is truncated to 'en'). 
                    A header value of less than two characters forces an out of bound write of one NUL byte to a 
                   memory location that is not part of the string. In the worst case, quite unlikely, the process 
                   would crash which could be used as a Denial of Service attack. In the more likely case, this memory 
                   is already reserved for future use and the issue has no effect at all. [bsc#1086820]
  
  * CVE-2018-1302: when an HTTP/2 stream was destroyed after being handled, it 
                   could have written a NULL pointer potentially to an already freed memory. 
                   The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, 
                   the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk. 
                   [bsc#1086820]


-----------------------------------------
Patch: SUSE-2018-822
Released: Wed May  9 14:01:33 2018
Summary: Security update for tiff
Severity: moderate
References: 1046077,1074318,1081690,CVE-2017-17973,CVE-2017-9935,CVE-2018-5784
Description:
This update for tiff fixes the following issues:

- CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077)
- CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
- CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690)



-----------------------------------------
Patch: SUSE-2018-830
Released: Wed May  9 18:04:19 2018
Summary: Recommended update for yast2 and yast2-network
Severity: moderate
References: 1056109,1062596,1066982,1077435,1078991,1080630,1081353
Description:
This update provides the following fixes:
yast2:
- Restart SuSEFirewall2 if needed to apply the final configuration once written during the AY
  Second Stage.(bsc#1080630)
- Do not truncate kernel parameter when it contains '=' (bsc#1081353)

yast2-network:
- Do not propose network interfaces without link (bsc#1062596)
- Improve device name collision recognition when applying device renaming according to the
  autoyast profile. (bsc#1056109)
- Remove an unnecessary SuSEFirewall.Write call when storing the Firewall remote client
  configuration. (bsc#1066982)
- Fix the initialization and storing of firewall widget. (bsc#1066982)
- Do not crash if a LanItem does not have the hardware info. (bsc#1078991)
- Allow VNC and SSH access in SUSEFirewall in case of remote auto-installations for the
  second stage. (bsc#1080630)
- Fix a crash when handling corrupted /etc/hosts file. (bsc#1077435)


-----------------------------------------
Patch: SUSE-2018-835
Released: Wed May  9 19:58:59 2018
Summary: Security update for libapr1
Severity: moderate
References: 1064982,CVE-2017-12613
Description:

  This update fixes the following issues:
  
  -  CVE-2017-12613: DoS or information disclosure in pr_exp_time*() or apr_os_exp_time*() functions (bsc#1064982).
  

-----------------------------------------
Patch: SUSE-2018-836
Released: Wed May  9 19:59:30 2018
Summary: Security update for cairo
Severity: moderate
References: 1049092,CVE-2017-9814
Description:
This update for cairo fixes the following issues:

  - CVE-2017-9814: out-of-bounds read in cairo-truetype-subset.c could lead to denial of service (bsc#1049092).


-----------------------------------------
Patch: SUSE-2018-906
Released: Mon May 14 15:18:26 2018
Summary: Recommended update for binutils
Severity: moderate
References: 1075418
Description:
This update for binutils fixes the following issues:

- Fix pacemaker libqb problem with section start/stop symbols. (bsc#1075418)


-----------------------------------------
Patch: SUSE-2018-910
Released: Tue May 15 12:21:24 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073299
Description:
This update provides the latest timezone information (2018e) for your system, including following changes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST
  offset to standard time used in Winter (bsc#1073299)


-----------------------------------------
Patch: SUSE-2018-920
Released: Tue May 15 16:32:16 2018
Summary: Initial release of python3-setuptools
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-setuptools


-----------------------------------------
Patch: SUSE-2018-921
Released: Tue May 15 16:33:18 2018
Summary: Initial release of python3-cffi, -cryptography and -pyOpenSSL
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server:

- python3-cffi
- python3-cryptography
- python3-pyOpenSSL

-----------------------------------------
Patch: SUSE-2018-923
Released: Wed May 16 08:27:22 2018
Summary: Recommended update for SUSEConnect
Severity: important
References: 1064264,1086420,1089320
Description:
This update for SUSEConnect provides the following fixes:

- Enable access to package search via gem
- Don't try to delete the directory of nonexistent service files. (bsc#1086420)
- Fix list-extensions to show the full SLE 15 tree. (bsc#1064264)
- Enable automatic activation of recommended extensions/modules.
- Automatically deregister all installed extensions/modules when deregistering a system.
- Fix rollback mechanism on SLE15 systems (bsc#1089320)


-----------------------------------------
Patch: SUSE-2018-932
Released: Wed May 16 21:16:38 2018
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1048025,1089316
Description:
This update for polkit-default-privs fixes the following issues:

- added new realmd action (bsc#1048025 bsc#1089316).


-----------------------------------------
Patch: SUSE-2018-934
Released: Wed May 16 21:36:22 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1059812,1091072,CVE-2017-14160,CVE-2018-10393
Description:
This update for libvorbis fixes the following issues:

Security issues fixed:

- CVE-2018-10393: Fixed stack-based buffer over-read in bark_noise_hybridm (bsc#1091072).
- CVE-2017-14160: Fixed out-of-bounds access inside bark_noise_hybridmp function (bsc#1059812).



-----------------------------------------
Patch: SUSE-2018-939
Released: Thu May 17 08:41:30 2018
Summary: Security update for curl
Severity: moderate
References: 1086825,1092098,CVE-2018-1000301
Description:
This update for curl fixes several issues:

Security issues fixed:

- CVE-2018-1000301: Fixed a RTSP bad headers buffer over-read could crash the curl client (bsc#1092098)

Non security issues fixed:

- If the DEFAULT_SUSE cipher list is not available use the HIGH cipher alias before failing.
  (bsc#1086825)


-----------------------------------------
Patch: SUSE-2018-955
Released: Tue May 22 13:33:03 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1005778,1005780,1005781,1009062,1012382,1015336,1015337,1015340,1015342,1015343,1022604,1022743,1024296,1031492,1036215,1043598,1044596,1056415,1056427,1060799,1068032,1075087,1075091,1075994,1076263,1080157,1082153,1082299,1082485,1082962,1083125,1083635,1083650,1083900,1084721,1085058,1085185,1085511,1085958,1087082,1088242,1088865,1089023,1089115,1089198,1089393,1089608,1089644,1089752,1089895,1089925,1090225,1090643,1090658,1090663,1090708,1090718,1090734,1090953,1091041,1091325,1091728,1091925,1091960,1092289,1092497,1092566,1092904,1093008,1093144,1093215,1094019,802154,966170,966172,966186,966191,969476,969477,981348,CVE-2018-1000199,CVE-2018-10087,CVE-2018-10124,CVE-2018-1065,CVE-2018-1130,CVE-2018-3639,CVE-2018-5803,CVE-2018-7492,CVE-2018-8781
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.131 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-3639: Information leaks using 'Memory Disambiguation' feature
  in modern CPUs were mitigated, aka 'Spectre Variant 4' (bnc#1087082).

  A new boot commandline option was introduced,
  'spec_store_bypass_disable', which can have following values:

  - auto: Kernel detects whether your CPU model contains an implementation
    of Speculative Store Bypass and picks the most appropriate mitigation.
  - on: disable Speculative Store Bypass
  - off: enable Speculative Store Bypass
  - prctl: Control Speculative Store Bypass per thread via
    prctl. Speculative Store Bypass is enabled for a process by default. The
    state of the control is inherited on fork.
  - seccomp: Same as 'prctl' above, but all seccomp threads will disable
    SSB unless they explicitly opt out.

  The default is 'seccomp', meaning programs need explicit opt-in into the mitigation.

  Status can be queried via the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing:

  - 'Vulnerable'
  - 'Mitigation: Speculative Store Bypass disabled'
  - 'Mitigation: Speculative Store Bypass disabled via prctl'
  - 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp'


- CVE-2018-8781: The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c
  had an integer-overflow vulnerability allowing local users with access
  to the udldrmfb driver to obtain full read and write permissions on
  kernel physical pages, resulting in a code execution in kernel space
  (bnc#1090643).
- CVE-2018-10124: The kill_something_info function in kernel/signal.c
  might have allowed local users to cause a denial of service via an
  INT_MIN argument (bnc#1089752).
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might
  have allowed local users to cause a denial of service by triggering an
  attempted use of the -INT_MIN value (bnc#1089608).
- CVE-2018-1000199: An address corruption flaw was discovered while
  modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an
  unprivileged user/process could use this flaw to crash the system kernel
  resulting in DoS OR to potentially escalate privileges on a the system. (bsc#1089895)
- CVE-2018-1130: The Linux kernel was vulnerable to a null pointer
  dereference in dccp_write_xmit() function in net/dccp/output.c in that
  allowed a local user to cause a denial of service by a number of certain
  crafted system calls (bnc#1092904).
- CVE-2018-5803: An error in the _sctp_make_chunk() function when handling
  SCTP, packet length could have been exploited by a malicious local user
  to cause a kernel crash and a DoS. (bnc#1083900).
- CVE-2018-1065: The netfilter subsystem mishandled the case of
  a rule blob that contains a jump but lacks a user-defined chain,
  which allowed local users to cause a denial of service (NULL
  pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN
  capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c,
  ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in
  net/ipv6/netfilter/ip6_tables.c (bnc#1083650 1091925).
- CVE-2018-7492: A NULL pointer dereference was found in the
  net/rds/rdma.c __rds_rdma_map() function allowing local attackers to
  cause a system panic and a denial-of-service, related to RDS_GET_MR and
  RDS_GET_MR_FOR_DEST (bnc#1082962).

The following non-security bugs were fixed:

- acpica: Disassembler: Abort on an invalid/unknown AML opcode (bnc#1012382).
- acpica: Events: Add runtime stub support for event APIs (bnc#1012382).
- acpi / hotplug / PCI: Check presence of slot itself in get_slot_status() (bnc#1012382).
- acpi, PCI, irq: remove redundant check for null string pointer (bnc#1012382).
- acpi / scan: Send change uevent with offine environmental data (bsc#1082485).
- acpi / video: Add quirk to force acpi-video backlight on Samsung 670Z5E (bnc#1012382).
- alsa: asihpi: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: control: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: core: Report audio_tstamp in snd_pcm_sync_ptr (bnc#1012382).
- alsa: hda: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: hda - New VIA controller suppor no-snoop path (bnc#1012382).
- alsa: hda/realtek - Add some fixes for ALC233 (bnc#1012382).
- alsa: hdspm: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: line6: Use correct endpoint type for midi output (bnc#1012382).
- alsa: opl3: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: oss: consolidate kmalloc/memset 0 call to kzalloc (bnc#1012382).
- alsa: pcm: Avoid potential races between OSS ioctls and read/write (bnc#1012382).
- alsa: pcm: Fix endless loop for XRUN recovery in OSS emulation (bnc#1012382).
- alsa: pcm: Fix mutex unbalance in OSS emulation ioctls (bnc#1012382).
- alsa: pcm: Fix UAF at PCM release via PCM timer access (bnc#1012382).
- alsa: pcm: potential uninitialized return values (bnc#1012382).
- alsa: pcm: Return -EBUSY for OSS ioctls changing busy streams (bnc#1012382).
- alsa: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() (bnc#1012382).
- alsa: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation (bnc#1012382).
- alsa: rawmidi: Fix missing input substream checks in compat ioctls (bnc#1012382).
- alsa: rme9652: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: seq: oss: Fix unbalanced use lock for synth MIDI device (bnc#1012382).
- alsa: seq: oss: Hardening for potential Spectre v1 (bnc#1012382).
- alsa: usb-audio: Skip broken EU on Dell dock USB-audio (bsc#1090658).
- arm64: avoid overflow in VA_START and PAGE_OFFSET (bnc#1012382).
- arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage (bnc#1012382).
- arm: amba: Do not read past the end of sysfs 'driver_override' buffer (bnc#1012382).
- arm: amba: Fix race condition with driver_override (bnc#1012382).
- arm: amba: Make driver_override output consistent with other buses (bnc#1012382).
- arm: davinci: da8xx: Create DSP device only when assigned memory (bnc#1012382).
- arm: dts: am57xx-beagle-x15-common: Add overide powerhold property (bnc#1012382).
- arm: dts: at91: at91sam9g25: fix mux-mask pinctrl property (bnc#1012382).
- arm: dts: at91: sama5d4: fix pinctrl compatible string (bnc#1012382).
- arm: dts: dra7: Add power hold and power controller properties to palmas (bnc#1012382).
- arm: dts: imx53-qsrb: Pulldown PMIC IRQ pin (bnc#1012382).
- arm: dts: imx6qdl-wandboard: Fix audio channel swap (bnc#1012382).
- arm: dts: ls1021a: add 'fsl,ls1021a-esdhc' compatible string to esdhc node (bnc#1012382).
- arm: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull (bnc#1012382).
- arp: fix arp_filter on l3slave devices (bnc#1012382).
- arp: honour gratuitous ARP _replies_ (bnc#1012382).
- asoc: fsl_esai: Fix divisor calculation failure at lower ratio (bnc#1012382).
- asoc: Intel: cht_bsw_rt5645: Analog Mic support (bnc#1012382).
- asoc: rsnd: SSI PIO adjust to 24bit mode (bnc#1012382).
- asoc: ssm2602: Replace reg_default_raw with reg_default (bnc#1012382).
- async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() (bnc#1012382).
- ata: libahci: properly propagate return value of platform_get_irq() (bnc#1012382).
- ath5k: fix memory leak on buf on failed eeprom read (bnc#1012382).
- ath9k_hw: check if the chip failed to wake up (bnc#1012382).
- audit: add tty field to LOGIN event (bnc#1012382).
- autofs: mount point create should honour passed in mode (bnc#1012382).
- bcache: segregate flash only volume write streams (bnc#1012382).
- bcache: stop writeback thread after detaching (bnc#1012382).
- blacklist.conf: Add an omapdrm entry (bsc#1090708, bsc#1090718)
- blk-mq: fix bad clear of RQF_MQ_INFLIGHT in blk_mq_ct_ctx_init() (bsc#1085058).
- blk-mq: fix kernel oops in blk_mq_tag_idle() (bnc#1012382).
- block: correctly mask out flags in blk_rq_append_bio() (bsc#1085058).
- block/loop: fix deadlock after loop_set_status (bnc#1012382).
- block: sanity check for integrity intervals (bsc#1091728).
- bluetooth: Fix missing encryption refresh on Security Request (bnc#1012382).
- bluetooth: Send HCI Set Event Mask Page 2 command only when needed (bnc#1012382).
- bna: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Allow vfs to disable txvlan offload (bnc#1012382).
- bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave (bnc#1012382).
- bonding: Do not update slave->link until ready to commit (bnc#1012382).
- bonding: fix the err path for dev hwaddr sync in bond_enslave (bnc#1012382).
- bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave (bnc#1012382).
- bonding: process the err returned by dev_set_allmulti properly in bond_enslave (bnc#1012382).
- btrfs: fix incorrect error return ret being passed to mapping_set_error (bnc#1012382).
- btrfs: Fix wrong first_key parameter in replace_path (Followup fix for bsc#1084721).
- btrfs: Only check first key for committed tree blocks (bsc#1084721).
- btrfs: Validate child tree block's level and first key (bsc#1084721).
- bus: brcmstb_gisb: correct support for 64-bit address output (bnc#1012382).
- bus: brcmstb_gisb: Use register offsets with writes too (bnc#1012382).
- cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN (bnc#1012382).
- cdrom: information leak in cdrom_ioctl_media_changed() (bnc#1012382).
- ceph: adding protection for showing cap reservation info (bsc#1089115).
- ceph: always update atime/mtime/ctime for new inode (bsc#1089115).
- ceph: check if mds create snaprealm when setting quota (fate#324665 bsc#1089115).
- ceph: do not check quota for snap inode (fate#324665 bsc#1089115).
- ceph: fix invalid point dereference for error case in mdsc destroy (bsc#1089115).
- ceph: fix root quota realm check (fate#324665 bsc#1089115).
- ceph: fix rsize/wsize capping in ceph_direct_read_write() (bsc#1089115).
- ceph: quota: add counter for snaprealms with quota (fate#324665 bsc#1089115).
- ceph: quota: add initial infrastructure to support cephfs quotas (fate#324665 bsc#1089115).
- ceph: quota: cache inode pointer in ceph_snap_realm (fate#324665 bsc#1089115).
- ceph: quota: do not allow cross-quota renames (fate#324665 bsc#1089115).
- ceph: quota: report root dir quota usage in statfs (fate#324665 bsc#1089115).
- ceph: quota: support for ceph.quota.max_bytes (fate#324665 bsc#1089115).
- ceph: quota: support for ceph.quota.max_files (fate#324665 bsc#1089115).
- ceph: quota: update MDS when max_bytes is approaching (fate#324665 bsc#1089115).
- cfg80211: make RATE_INFO_BW_20 the default (bnc#1012382).
- cifs: do not allow creating sockets except with SMB1 posix exensions (bnc#1012382).
- cifs: silence compiler warnings showing up with gcc-8.0.0 (bsc#1090734).
- cifs: silence lockdep splat in cifs_relock_file() (bnc#1012382).
- cifs: Use file_dentry() (bsc#1093008).
- clk: bcm2835: De-assert/assert PLL reset signal when appropriate (bnc#1012382).
- clk: Fix __set_clk_rates error print-string (bnc#1012382).
- clk: mvebu: armada-38x: add support for 1866MHz variants (bnc#1012382).
- clk: mvebu: armada-38x: add support for missing clocks (bnc#1012382).
- clk: scpi: fix return type of __scpi_dvfs_round_rate (bnc#1012382).
- clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace is enabled (bsc#1090225).
- cpumask: Add helper cpumask_available() (bnc#1012382).
- crypto: ahash - Fix early termination in hash walk (bnc#1012382).
- crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one (bnc#1012382).
- cx25840: fix unchecked return values (bnc#1012382).
- cxgb4: fix incorrect cim_la output for T6 (bnc#1012382).
- cxgb4: Fix queue free path of ULD drivers (bsc#1022743 FATE#322540).
- cxgb4: FW upgrade fixes (bnc#1012382).
- cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages (bnc#1012382).
- dmaengine: at_xdmac: fix rare residue corruption (bnc#1012382).
- dmaengine: imx-sdma: Handle return value of clk_prepare_enable (bnc#1012382).
- dm ioctl: remove double parentheses (bnc#1012382).
- Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition (bnc#1012382).
- Do not leak MNT_INTERNAL away from internal mounts (bnc#1012382).
- drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 (FATE#321732).
- drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 (bnc#1024296,FATE#321265).
- drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests (bnc#1012382).
- drm/omap: fix tiled buffer stride calculations (bnc#1012382).
- drm/radeon: Fix PCIe lane width calculation (bnc#1012382).
- drm/virtio: fix vq wait_event condition (bnc#1012382).
- e1000e: fix race condition around skb_tstamp_tx() (bnc#1012382).
- e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails (bnc#1012382).
- edac, mv64x60: Fix an error handling path (bnc#1012382).
- Enable uinput driver (bsc#1092566).
- esp: Fix memleaks on error paths (git-fixes).
- ext4: add validity checks for bitmap block numbers (bnc#1012382).
- ext4: bugfix for mmaped pages in mpage_release_unused_pages() (bnc#1012382).
- ext4: do not allow r/w mounts if metadata blocks overlap the superblock (bnc#1012382).
- ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
- ext4: fail ext4_iget for root directory if unallocated (bnc#1012382).
- ext4: fix bitmap position validation (bnc#1012382).
- ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea() (bnc#1012382).
- ext4: Fix hole length detection in ext4_ind_map_blocks() (bsc#1090953).
- ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() (bnc#1012382).
- ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS (bnc#1012382).
- ext4: set h_journal if there is a failure starting a reserved handle (bnc#1012382).
- fanotify: fix logic of events on child (bnc#1012382).
- fix race in drivers/char/random.c:get_reg() (bnc#1012382).
- frv: declare jiffies to be located in the .data section (bnc#1012382).
- fs: compat: Remove warning from COMPATIBLE_IOCTL (bnc#1012382).
- fs/proc: Stop trying to report thread stacks (bnc#1012382).
- fs/reiserfs/journal.c: add missing resierfs_warning() arg (bnc#1012382).
- genirq: Use cpumask_available() for check of cpumask variable (bnc#1012382).
- getname_kernel() needs to make sure that ->name != ->iname in long case (bnc#1012382).
- gpio: label descriptors using the device name (bnc#1012382).
- hdlcdrv: Fix divide by zero in hdlcdrv_ioctl (bnc#1012382).
- hid: core: Fix size as type u32 (bnc#1012382).
- hid: Fix hid_report_len usage (bnc#1012382).
- hid: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device (bnc#1012382).
- hid: i2c-hid: fix size check and type usage (bnc#1012382).
- hwmon: (ina2xx) Fix access to uninitialized mutex (git-fixes).
- hwmon: (ina2xx) Make calibration register value fixed (bnc#1012382).
- hypfs_kill_super(): deal with failed allocations (bnc#1012382).
- i40iw: Free IEQ resources (bsc#969476 FATE#319648 bsc#969477 FATE#319816).
- ib/core: Fix possible crash to access NULL netdev (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/core: Generate GID change event regardless of RoCE GID table property (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx4: Fix corruption of RoCEv2 IPv4 GIDs (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx4: Include GID type when deleting GIDs from HW table under RoCE (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- ib/mlx5: Avoid passing an invalid QP type to firmware (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Fix an error code in __mlx5_ib_modify_qp() (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: Fix incorrect size of klms in the memory region (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- ib/mlx5: revisit -Wmaybe-uninitialized warning (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ib/mlx5: Set the default active rate and width to QDR and 4X (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- ibmvnic: Clean actual number of RX or TX pools (bsc#1092289).
- ibmvnic: Clear pending interrupt after device reset (bsc#1089644).
- ibmvnic: Define vnic_login_client_data name field as unsized array (bsc#1089198).
- ibmvnic: Do not notify peers on parameter change resets (bsc#1089198).
- ibmvnic: Handle all login error conditions (bsc#1089198).
- ib/srp: Fix completion vector assignment algorithm (bnc#1012382).
- ib/srp: Fix srp_abort() (bnc#1012382).
- ib/srpt: Fix abort handling (bnc#1012382).
- ib/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() (bnc#1024296,FATE#321265).
- iio: hi8435: avoid garbage event at first enable (bnc#1012382).
- iio: hi8435: cleanup reset gpio (bnc#1012382).
- iio: magnetometer: st_magn_spi: fix spi_device_id table (bnc#1012382).
- input: ALPS - fix multi-touch decoding on SS4 plus touchpads (git-fixes).
- input: ALPS - fix trackstick button handling on V8 devices (git-fixes).
- input: ALPS - fix TrackStick support for SS5 hardware (git-fixes).
- input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad (git-fixes).
- input: drv260x - fix initializing overdrive voltage (bnc#1012382).
- input: elan_i2c - check if device is there before really probing (bnc#1012382).
- input: elan_i2c - clear INT before resetting controller (bnc#1012382).
- input: elantech - force relative mode on a certain module (bnc#1012382).
- input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list (bnc#1012382).
- input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad (bnc#1012382).
- input: mousedev - fix implicit conversion warning (bnc#1012382).
- iommu/vt-d: Fix a potential memory leak (bnc#1012382).
- ip6_gre: better validate user provided tunnel names (bnc#1012382).
- ip6_tunnel: better validate user provided tunnel names (bnc#1012382).
- ipc/shm: fix use-after-free of shm file via remap_file_pages() (bnc#1012382).
- ipmi: create hardware-independent softdep for ipmi_devintf (bsc#1009062, bsc#1060799). Refresh patch to mainline version.
- ipsec: check return value of skb_to_sgvec always (bnc#1012382).
- ip_tunnel: better validate user provided tunnel names (bnc#1012382).
- ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy (bnc#1012382).
- ipv6: avoid dad-failures for addresses with NODAD (bnc#1012382).
- ipv6: sit: better validate user provided tunnel names (bnc#1012382).
- ipv6: the entire IPv6 header chain must fit the first fragment (bnc#1012382).
- iw_cxgb4: print mapped ports correctly (bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781).
- jbd2: fix use after free in kjournald2() (bnc#1012382).
- jbd2: if the journal is aborted then do not allow update of the log tail (bnc#1012382).
- jffs2_kill_sb(): deal with failed allocations (bnc#1012382).
- jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp (bnc#1012382).
- kABI: add tty include to audit.c (kabi).
- kABI: protect hid report functions (kabi).
- kABI: protect jiffies types (kabi).
- kABI: protect skb_to_sgvec* (kabi).
- kABI: protect sound/timer.h include in sound pcm.c (kabi).
- kABI: protect struct cstate (kabi).
- kABI: protect struct _lowcore (kabi).
- kABI: protect tty include in audit.h (kabi).
- kabi/severities: Ignore kgr_shadow_* kABI changes
- kbuild: provide a __UNIQUE_ID for clang (bnc#1012382).
- kexec_file: do not add extra alignment to efi memmap (bsc#1044596).
- keys: DNS: limit the length of option strings (bnc#1012382).
- kGraft: fix small race in reversion code (bsc#1083125).
- kobject: do not use WARN for registration failures (bnc#1012382).
- kvm: Fix nopvspin static branch init usage (bsc#1056427).
- kvm: Introduce nopvspin kernel parameter (bsc#1056427).
- kvm: nVMX: Fix handling of lmsw instruction (bnc#1012382).
- kvm: PPC: Book3S PR: Check copy_to/from_user return values (bnc#1012382).
- kvm: SVM: do not zero out segment attributes if segment is unusable or not present (bnc#1012382).
- l2tp: check sockaddr length in pppol2tp_connect() (bnc#1012382).
- l2tp: fix missing print session offset info (bnc#1012382).
- lan78xx: Correctly indicate invalid OTP (bnc#1012382).
- leds: pca955x: Correct I2C Functionality (bnc#1012382).
- libceph, ceph: change permission for readonly debugfs entries (bsc#1089115).
- libceph: fix misjudgement of maximum monitor number (bsc#1089115).
- libceph: reschedule a tick in finish_hunting() (bsc#1089115).
- libceph: un-backoff on tick when we have a authenticated session (bsc#1089115).
- libceph: validate con->state at the top of try_write() (bsc#1089115).
- livepatch: Allow to call a custom callback when freeing shadow variables (bsc#1082299 fate#313296).
- livepatch: Initialize shadow variables safely by a custom callback (bsc#1082299 fate#313296).
- llc: delete timers synchronously in llc_sk_free() (bnc#1012382).
- llc: fix NULL pointer deref for SOCK_ZAPPED (bnc#1012382).
- llc: hold llc_sap before release_sock() (bnc#1012382).
- llist: clang: introduce member_address_is_nonnull() (bnc#1012382).
- lockd: fix lockd shutdown race (bnc#1012382).
- lockd: lost rollback of set_grace_period() in lockd_down_net() (git-fixes).
- mac80211: bail out from prep_connection() if a reconfig is ongoing (bnc#1012382).
- mceusb: sporadic RX truncation corruption fix (bnc#1012382).
- md: document lifetime of internal rdev pointer (bsc#1056415).
- md: fix two problems with setting the 're-add' device state (bsc#1089023).
- md: only allow remove_and_add_spares when no sync_thread running (bsc#1056415).
- md raid10: fix NULL deference in handle_write_completed() (git-fixes).
- md/raid10: reset the 'first' at the end of loop (bnc#1012382).
- md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock (bnc#1012382).
- media: v4l2-compat-ioctl32: do not oops on overlay (bnc#1012382).
- media: videobuf2-core: do not go out of the buffer range (bnc#1012382).
- mei: remove dev_err message on an unsupported ioctl (bnc#1012382).
- mISDN: Fix a sleep-in-atomic bug (bnc#1012382).
- mlx5: fix bug reading rss_hash_type from CQE (bnc#1012382).
- mmc: jz4740: Fix race condition in IRQ mask update (bnc#1012382).
- mm/filemap.c: fix NULL pointer in page_cache_tree_insert() (bnc#1012382).
- mm, slab: reschedule cache_reap() on the same CPU (bnc#1012382).
- mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block (bnc#1012382).
- mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug (bnc#1012382).
- mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block (bnc#1012382).
- mtd: jedec_probe: Fix crash in jedec_read_mfr() (bnc#1012382).
- neighbour: update neigh timestamps iff update is effective (bnc#1012382).
- net: af_packet: fix race in PACKET_{R|T}X_RING (bnc#1012382).
- net: cavium: liquidio: fix up 'Avoid dma_unmap_single on uninitialized ndata' (bnc#1012382).
- net: cdc_ncm: Fix TX zero padding (bnc#1012382).
- net: emac: fix reset timeout with AR8035 phy (bnc#1012382).
- net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control (bnc#1012382).
- netfilter: bridge: ebt_among: add more missing match size checks (bnc#1012382).
- netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize (bnc#1012382).
- netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch (bnc#1012382).
- netfilter: nf_nat_h323: fix logical-not-parentheses warning (bnc#1012382).
- netfilter: x_tables: add and use xt_check_proc_name (bnc#1012382).
- net: fix deadlock while clearing neighbor proxy table (bnc#1012382).
- net: fix possible out-of-bound read in skb_network_protocol() (bnc#1012382).
- net: fool proof dev_valid_name() (bnc#1012382).
- net: freescale: fix potential null pointer dereference (bnc#1012382).
- net: hns: Fix ethtool private flags (bnc#1012382 bsc#1085511).
- net: ieee802154: fix net_device reference release too early (bnc#1012382).
- net/ipv6: Fix route leaking between VRFs (bnc#1012382).
- net/ipv6: Increment OUTxxx counters after netfilter hook (bnc#1012382).
- netlink: make sure nladdr has correct size in netlink_connect() (bnc#1012382).
- net: llc: add lock_sock in llc_ui_bind to avoid a race condition (bnc#1012382).
- net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport (bnc#1012382).
- net/mlx4_core: Fix memory leak while delete slave's resources (bsc#966191 FATE#320230 bsc#966186 FATE#320228).
- net/mlx4_en: Avoid adding steering rules with invalid ring (bnc#1012382).
- net/mlx4_en: Fix mixed PFC and Global pause user control requests (bsc#1015336 FATE#321685 bsc#1015337 FATE#321686 bsc#1015340 FATE#321687).
- net/mlx4: Fix the check in attaching steering rules (bnc#1012382).
- net/mlx5: avoid build warning for uniprocessor (bnc#1012382).
- net/mlx5e: Add error print in ETS init (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: Check support before TC swap in ETS init (bsc#966170 FATE#320225 bsc#966172 FATE#320226).
- net/mlx5e: E-Switch, Use the name of static array instead of its address (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5e: Remove unused define MLX5_MPWRQ_STRIDES_PER_PAGE (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix error handling in load one (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Fix ingress/egress naming mistake (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- net/mlx5: Tolerate irq_set_affinity_hint() failures (bnc#1012382).
- net: move somaxconn init from sysctl code (bnc#1012382).
- net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support (bnc#1012382).
- net: qca_spi: Fix alignment issues in rx path (bnc#1012382).
- net sched actions: fix dumping which requires several messages to user space (bnc#1012382).
- net/sched: fix NULL dereference in the error path of tcf_bpf_init() (bnc#1012382).
- net: validate attribute sizes in neigh_dump_table() (bnc#1012382).
- net: x25: fix one potential use-after-free issue (bnc#1012382).
- net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() (bnc#1012382).
- nfsv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION (bnc#1012382).
- nfsv4.1: Work around a Linux server bug.. (bnc#1012382).
- nospec: Kill array_index_nospec_mask_check() (bnc#1012382).
- nospec: Move array_index_nospec() parameter checking into separate macro (bnc#1012382).
- ovl: filter trusted xattr for non-admin (bnc#1012382).
- packet: fix bitfield update race (bnc#1012382).
- parisc: Fix out of array access in match_pci_device() (bnc#1012382).
- parport_pc: Add support for WCH CH382L PCI-E single parallel port card (bnc#1012382).
- partitions/msdos: Unable to mount UFS 44bsd partitions (bnc#1012382).
- pci/cxgb4: Extend T3 PCI quirk to T4+ devices (bsc#981348).
- pci: Make PCI_ROM_ADDRESS_MASK a 32-bit constant (bnc#1012382).
- perf/core: Correct event creation with PERF_FORMAT_GROUP (bnc#1012382).
- perf/core: Fix locking for children siblings group read (git-fixes).
- perf header: Set proper module name when build-id event found (bnc#1012382).
- perf/hwbp: Simplify the perf-hwbp code, fix documentation (bnc#1012382).
- perf intel-pt: Fix error recovery from missing TIP packet (bnc#1012382).
- perf intel-pt: Fix overlap detection to identify consecutive buffers correctly (bnc#1012382).
- perf intel-pt: Fix sync_switch (bnc#1012382).
- perf intel-pt: Fix timestamp following overflow (bnc#1012382).
- perf probe: Add warning message if there is unexpected event name (bnc#1012382).
- perf report: Ensure the perf DSO mapping matches what libdw sees (bnc#1012382).
- perf: Return proper values for user stack errors (bnc#1012382).
- perf tests: Decompress kernel module before objdump (bnc#1012382).
- perf tools: Fix copyfile_offset update of output offset (bnc#1012382).
- perf trace: Add mmap alias for s390 (bnc#1012382).
- pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() (bnc#1012382).
- pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() (bnc#1012382).
- powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently (bnc#1012382).
- powerpc/64s: Add barrier_nospec (bsc#1068032, bsc#1080157).
- powerpc/64s: Add support for ori barrier_nospec patching (bsc#1068032, bsc#1080157).
- powerpc/64s: Enable barrier_nospec based on firmware settings (bsc#1068032, bsc#1080157).
- powerpc/64s: Enhance the information in cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Enhance the information in cpu_show_spectre_v1() (bsc#1068032).
- powerpc/64s: Fix section mismatch warnings from setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Move cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Patch barrier_nospec in modules (bsc#1068032, bsc#1080157).
- powerpc/64s: Wire up cpu_show_spectre_v1() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64s: Wire up cpu_show_spectre_v2() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/64: Use barrier_nospec in syscall entry (bsc#1068032, bsc#1080157).
- powerpc: Add security feature flags for Spectre/Meltdown (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/[booke|4xx]: Do not clobber TCR[WP] when setting TCR[DIE] (bnc#1012382).
- powerpc/crash: Remove the test for cpu_online in the IPI callback (bsc#1088242).
- powerpc: Do not send system reset request through the oops path (bsc#1088242).
- powerpc/eeh: Fix enabling bridge MMIO windows (bnc#1012382).
- powerpc/lib: Fix off-by-one in alternate feature patching (bnc#1012382).
- powerpc/mm: allow memory hotplug into a memoryless node (bsc#1090663).
- powerpc/mm: Allow memory hotplug into an offline node (bsc#1090663).
- powerpc: Move default security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops (bnc#1012382).
- powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops (bnc#1012382).
- powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() (bnc#1012382).
- powerpc/powernv: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Fix clearing of security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Restore default security feature flags on setup (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Always enable fallback flush on pseries (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Differentiate enabled and patched flush types (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again (bsc#1068032, bsc#1075087, bsc#1091041). Update patches.suse/powerpc-pseries-rfi-flush-Call-setup_rfi_flush-after.patch (bsc#1068032, bsc#1075087, bsc#1091041).
- powerpc/spufs: Fix coredump of SPU contexts (bnc#1012382).
- powerpc: System reset avoid interleaving oops using die synchronisation (bsc#1088242).
- powerpc: Use barrier_nospec in copy_from_user() (bsc#1068032, bsc#1080157).
- pppoe: check sockaddr length in pppoe_connect() (bnc#1012382).
- pptp: remove a buggy dst release in pptp_connect() (bnc#1012382).
- qlge: Avoid reading past end of buffer (bnc#1012382).
- r8152: add Linksys USB3GIGV1 id (bnc#1012382).
- r8169: fix setting driver_data after register_netdev (bnc#1012382).
- radeon: hide pointless #warning when compile testing (bnc#1012382).
- random: use a tighter cap in credit_entropy_bits_safe() (bnc#1012382).
- random: use lockless method of accessing and updating f->reg_idx (bnc#1012382).
- ray_cs: Avoid reading past end of buffer (bnc#1012382).
- rdma/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access (FATE#321732).
- rdma/mlx5: Protect from NULL pointer derefence (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).
- rdma/qedr: fix QP's ack timeout configuration (bsc#1022604 FATE#321747).
- rdma/qedr: Fix QP state initialization race (bsc#1022604 FATE#321747).
- rdma/qedr: Fix rc initialization on CNQ allocation failure (bsc#1022604 FATE#321747).
- rdma/rxe: Fix an out-of-bounds read (FATE#322149).
- rdma/ucma: Check AF family prior resolving address (bnc#1012382).
- rdma/ucma: Check that device exists prior to accessing it (bnc#1012382).
- rdma/ucma: Check that device is connected prior to access it (bnc#1012382).
- rdma/ucma: Do not allow join attempts for unsupported AF family (bnc#1012382).
- rdma/ucma: Do not allow setting RDMA_OPTION_IB_PATH without an RDMA device (bnc#1012382).
- rdma/ucma: Ensure that CM_ID exists prior to access it (bnc#1012382).
- rdma/ucma: Fix use-after-free access in ucma_close (bnc#1012382).
- rdma/ucma: Introduce safer rdma_addr_size() variants (bnc#1012382).
- rds; Reset rs->rs_bound_addr in rds_add_bound() failure path (bnc#1012382).
- regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' (bsc#1091960).
- resource: fix integer overflow at reallocation (bnc#1012382).
- Revert 'alsa: pcm: Fix mutex unbalance in OSS emulation ioctls' (kabi).
- Revert 'alsa: pcm: Return -EBUSY for OSS ioctls changing busy streams' (kabi).
- Revert 'arm: dts: am335x-pepper: Fix the audio CODEC's reset pin' (bnc#1012382).
- Revert 'arm: dts: omap3-n900: Fix the audio CODEC's reset pin' (bnc#1012382).
- Revert 'ath10k: send (re)assoc peer command when NSS changed' (bnc#1012382).
- Revert 'cpufreq: Fix governor module removal race' (bnc#1012382).
- Revert 'ip6_vti: adjust vti mtu according to mtu of lower device' (bnc#1012382).
- Revert 'KVM: Fix stack-out-of-bounds read in write_mmio' (bnc#1083635).
- Revert 'mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.' (kabi).
- Revert 'mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.' (kabi).
- Revert 'mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.' (kabi).
- Revert 'mtip32xx: use runtime tag to initialize command header' (bnc#1012382).
- Revert 'PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()' (bnc#1012382).
- Revert 'perf tests: Decompress kernel module before objdump' (bnc#1012382).
- Revert 'xhci: plat: Register shutdown for xhci_plat' (bnc#1012382).
- rpc_pipefs: fix double-dput() (bnc#1012382).
- rpm/config.sh: build against SP3 in OBS as well.
- rpm/config.sh: ensure sorted patches.
- rtc: interface: Validate alarm-time before handling rollover (bnc#1012382).
- rtc: opal: Handle disabled TPO in opal_get_tpo_time() (bnc#1012382).
- rtc: snvs: fix an incorrect check of return value (bnc#1012382).
- rtl8187: Fix NULL pointer dereference in priv->conf_mutex (bnc#1012382).
- rxrpc: check return value of skb_to_sgvec always (bnc#1012382).
- s390: add automatic detection of the spectre defense (bnc#1012382).
- s390: add optimized array_index_mask_nospec (bnc#1012382).
- s390: add options to change branch prediction behaviour for the kernel (bnc#1012382 bsc#1068032).
- s390: add sysfs attributes for spectre (bnc#1012382).
- s390/alternative: use a copy of the facility bit mask (bnc#1012382).
- s390/cio: update chpid descriptor after resource accessibility event (bnc#1012382).
- s390: correct module section names for expoline code revert (bnc#1012382).
- s390: correct nospec auto detection init order (bnc#1012382).
- s390/dasd: fix hanging safe offline (bnc#1012382).
- s390/dasd: fix IO error for newly defined devices (bnc#1093144, LTC#167398).
- s390: do not bypass BPENTER for interrupt system calls (bnc#1012382).
- s390: enable CPU alternatives unconditionally (bnc#1012382).
- s390/entry.S: fix spurious zeroing of r0 (bnc#1012382).
- s390: introduce execute-trampolines for branches (bnc#1012382).
- s390/ipl: ensure loadparm valid flag is set (bnc#1012382).
- s390: move nobp parameter functions to nospec-branch.c (bnc#1012382).
- s390: move _text symbol to address higher than zero (bnc#1012382).
- s390/qdio: do not merge ERROR output buffers (bnc#1012382).
- s390/qdio: do not retry EQBS after CCQ 96 (bnc#1012382).
- s390/qeth: consolidate errno translation (bnc#1093144, LTC#167507).
- s390/qeth: fix MAC address update sequence (bnc#1093144, LTC#167609).
- s390/qeth: translate SETVLAN/DELVLAN errors (bnc#1093144, LTC#167507).
- s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) (bnc#1012382).
- s390: report spectre mitigation via syslog (bnc#1012382).
- s390: run user space and KVM guests with modified branch prediction (bnc#1012382).
- s390: scrub registers on kernel entry and KVM exit (bnc#1012382).
- s390/uprobes: implement arch_uretprobe_is_alive() (bnc#1012382).
- sched/numa: Use down_read_trylock() for the mmap_sem (bnc#1012382).
- scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() (bnc#1012382).
- scsi: libiscsi: Allow sd_shutdown on bad transport (bnc#1012382).
- scsi: libsas: initialize sas_phy status according to response of DISCOVER (bnc#1012382).
- scsi: lpfc: Add per io channel NVME IO statistics (bsc#1088865).
- scsi: lpfc: Correct missing remoteport registration during link bounces (bsc#1088865).
- scsi: lpfc: Correct target queue depth application changes (bsc#1088865).
- scsi: lpfc: Enlarge nvmet asynchronous receive buffer counts (bsc#1088865).
- scsi: lpfc: Fix Abort request WQ selection (bsc#1088865).
- scsi: lpfc: Fix driver not recovering NVME rports during target link faults (bsc#1088865).
- scsi: lpfc: Fix lingering lpfc_wq resource after driver unload (bsc#1088865).
- scsi: lpfc: Fix multiple PRLI completion error path (bsc#1088865).
- scsi: lpfc: Fix NULL pointer access in lpfc_nvme_info_show (bsc#1088865).
- scsi: lpfc: Fix NULL pointer reference when resetting adapter (bsc#1088865).
- scsi: lpfc: Fix nvme remoteport registration race conditions (bsc#1088865).
- scsi: lpfc: Fix WQ/CQ creation for older asic's (bsc#1088865).
- scsi: lpfc: update driver version to 11.4.0.7-2 (bsc#1088865).
- scsi: mpt3sas: Proper handling of set/clear of 'ATA command pending' flag (bnc#1012382).
- scsi: mptsas: Disable WRITE SAME (bnc#1012382).
- scsi: sd: Defer spinning up drive while SANITIZE is in progress (bnc#1012382).
- sctp: do not check port in sctp_inet6_cmp_addr (bnc#1012382).
- sctp: do not leak kernel memory to user space (bnc#1012382).
- sctp: fix recursive locking warning in sctp_do_peeloff (bnc#1012382).
- sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 (bnc#1012382).
- selftests/powerpc: Fix TM resched DSCR test with some compilers (bnc#1012382).
- selinux: do not check open permission on sockets (bnc#1012382).
- selinux: Remove redundant check for unknown labeling behavior (bnc#1012382).
- selinux: Remove unnecessary check of array base in selinux_set_mapping() (bnc#1012382).
- serial: 8250: omap: Disable DMA for console UART (bnc#1012382).
- serial: mctrl_gpio: Add missing module license (bnc#1012382).
- serial: mctrl_gpio: export mctrl_gpio_disable_ms and mctrl_gpio_init (bnc#1012382).
- serial: sh-sci: Fix race condition causing garbage during shutdown (bnc#1012382).
- sh_eth: Use platform device for printing before register_netdev() (bnc#1012382).
- sit: reload iphdr in ipip6_rcv (bnc#1012382).
- skbuff: only inherit relevant tx_flags (bnc#1012382).
- skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow (bnc#1012382).
- sky2: Increase D3 delay to sky2 stops working after suspend (bnc#1012382).
- slip: Check if rstate is initialized before uncompressing (bnc#1012382).
- sparc64: ldc abort during vds iso boot (bnc#1012382).
- spi: davinci: fix up dma_mapping_error() incorrect patch (bnc#1012382).
- staging: comedi: ni_mio_common: ack ai fifo error interrupts (bnc#1012382).
- staging: ion : Donnot wakeup kswapd in ion system alloc (bnc#1012382).
- staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning (bnc#1012382).
- swap: divide-by-zero when zero length swap file on ssd (bsc#1082153).
- tags: honor COMPILED_SOURCE with apart output directory (bnc#1012382).
- tcp: better validation of received ack sequences (bnc#1012382).
- tcp: do not read out-of-bounds opsize (bnc#1012382).
- tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets (bnc#1012382).
- team: avoid adding twice the same option to the event list (bnc#1012382).
- team: fix netconsole setup over team (bnc#1012382).
- thermal: imx: Fix race condition in imx_thermal_probe() (bnc#1012382).
- thermal: power_allocator: fix one race condition issue for thermal_instances list (bnc#1012382).
- thunderbolt: Resume control channel after hibernation image is created (bnc#1012382).
- tipc: add policy for TIPC_NLA_NET_ADDR (bnc#1012382).
- tty: Do not call panic() at tty_ldisc_init() (bnc#1012382).
- tty: make n_tty_read() always abort if hangup is in progress (bnc#1012382).
- tty: n_gsm: Allow ADM response in addition to UA for control dlci (bnc#1012382).
- tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set (bnc#1012382).
- tty: n_gsm: Fix long delays with control frame timeouts in ADM mode (bnc#1012382).
- tty: provide tty_name() even without CONFIG_TTY (bnc#1012382).
- tty: Use __GFP_NOFAIL for tty_ldisc_get() (bnc#1012382).
- ubi: fastmap: Do not flush fastmap work on detach (bnc#1012382).
- ubi: Fix error for write access (bnc#1012382).
- ubifs: Check ubifs_wbuf_sync() return code (bnc#1012382).
- ubi: Reject MLC NAND (bnc#1012382).
- um: Use POSIX ucontext_t instead of struct ucontext (bnc#1012382).
- Update config files, add expoline for s390x (bsc#1089393).
- Update patches.suse/x86-nospectre_v2-means-nospec-too.patch (bsc#1075994 bsc#1075091 bnc#1085958).
- usb: chipidea: properly handle host or gadget initialization failure (bnc#1012382).
- usb: core: Add quirk for HP v222w 16GB Mini (bnc#1012382).
- usb: dwc2: Improve gadget state disconnection handling (bnc#1012382).
- usb: dwc3: keystone: check return value (bnc#1012382).
- usb: dwc3: pci: Properly cleanup resource (bnc#1012382).
- usb: ene_usb6250: fix first command execution (bnc#1012382).
- usb: ene_usb6250: fix SCSI residue overwriting (bnc#1012382).
- usb:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw (bnc#1012382).
- usb: gadget: align buffer size when allocating for OUT endpoint (bnc#1012382).
- usb: gadget: change len to size_t on alloc_ep_req() (bnc#1012382).
- usb: gadget: define free_ep_req as universal function (bnc#1012382).
- usb: gadget: f_hid: fix: Prevent accessing released memory (bnc#1012382).
- usb: gadget: fix request length error for isoc transfer (git-fixes).
- usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align (bnc#1012382).
- usb: Increment wakeup count on remote wakeup (bnc#1012382).
- usbip: usbip_host: fix to hold parent lock for device_attach() calls (bnc#1012382).
- usbip: vhci_hcd: Fix usb device and sockfd leaks (bnc#1012382).
- usb: musb: gadget: misplaced out of bounds check (bnc#1012382).
- usb: serial: cp210x: add ELDAT Easywave RX09 id (bnc#1012382).
- usb: serial: cp210x: add ID for NI USB serial console (bnc#1012382).
- usb: serial: ftdi_sio: add RT Systems VX-8 cable (bnc#1012382).
- usb: serial: ftdi_sio: add support for Harman FirmwareHubEmulator (bnc#1012382).
- usb: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster (bnc#1012382).
- usb: serial: simple: add libtransistor console (bnc#1012382).
- vfb: fix video mode and line_length being set when loaded (bnc#1012382).
- vfio/pci: Virtualize Maximum Payload Size (bnc#1012382).
- vfio/pci: Virtualize Maximum Read Request Size (bnc#1012382).
- vfio-pci: Virtualize PCIe & AF FLR (bnc#1012382).
- vhost: correctly remove wait queue during poll failure (bnc#1012382).
- virtio: add ability to iterate over vqs (bnc#1012382).
- virtio_console: free buffers after reset (bnc#1012382).
- virtio_net: check return value of skb_to_sgvec always (bnc#1012382).
- virtio_net: check return value of skb_to_sgvec in one more location (bnc#1012382).
- vlan: also check phy_driver ts_info for vlan's real device (bnc#1012382).
- vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi (bnc#1012382).
- vmxnet3: ensure that adapter is in proper state during force_close (bnc#1012382).
- vrf: Fix use after free and double free in vrf_finish_output (bnc#1012382).
- vt: change SGR 21 to follow the standards (bnc#1012382).
- vti6: better validate user provided tunnel names (bnc#1012382).
- vxlan: dont migrate permanent fdb entries during learn (bnc#1012382).
- watchdog: f71808e_wdt: Fix WD_EN register read (bnc#1012382).
- watchdog: hpwdt: Remove legacy NMI sourcing (bsc#1085185).
- wl1251: check return from call to wl1251_acx_arp_ip_filter (bnc#1012382).
- writeback: fix the wrong congested state variable definition (bnc#1012382).
- writeback: safer lock nesting (bnc#1012382).
- x86/asm: Do not use RBP as a temporary register in csum_partial_copy_generic() (bnc#1012382).
- x86/bugs: correctly force-disable IBRS on !SKL systems (bsc#1092497).
- x86/bugs: Make sure that _TIF_SSBD does not end up in _TIF_ALLWORK_MASK (bsc#1093215).
- x86/hweight: Do not clobber %rdi (bnc#1012382).
- x86/hweight: Get rid of the special calling convention (bnc#1012382).
- x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds (bnc#1012382).
- x86/platform/UV: Add references to access fixed UV4A HUB MMRs (bsc#1076263 #fate#322814).
- x86/platform/uv/BAU: Replace hard-coded values with MMR definitions (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix critical UV MMR address error (bsc#1076263
- x86/platform/UV: Fix GAM MMR changes in UV4A (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix GAM MMR references in the UV x2apic code (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix GAM Range Table entries less than 1GB (bsc#1091325).
- x86/platform/UV: Fix UV4A BAU MMRs (bsc#1076263 #fate#322814).
- x86/platform/UV: Fix UV4A support on new Intel Processors (bsc#1076263 #fate#322814).
- x86/platform/uv: Skip UV runtime services mapping in the efi_runtime_disabled case (bsc#1089925).
- x86/platform/UV: Update uv_mmrs.h to prepare for UV4A fixes (bsc#1076263 #fate#322814).
- x86/smpboot: Do not use mwait_play_dead() on AMD systems (bnc#1012382).
- x86/tsc: Prevent 32bit truncation in calc_hpet_ref() (bnc#1012382).
- x86/tsc: Provide 'tsc=unstable' boot parameter (bnc#1012382).
- xen: avoid type warning in xchg_xen_ulong (bnc#1012382).
- xen-netfront: Fix hang on device removal (bnc#1012382).
- xfrm: fix state migration copy replay sequence numbers (bnc#1012382).
- xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems (bnc#1012382).
- xfrm_user: uncoditionally validate esn replay attribute struct (bnc#1012382).
- xfs: always verify the log tail during recovery (bsc#1036215).
- xfs: detect and handle invalid iclog size set by mkfs (bsc#1043598).
- xfs: detect and trim torn writes during log recovery (bsc#1036215).
- xfs: fix log recovery corruption error due to tail overwrite (bsc#1036215).
- xfs: fix recovery failure when log record header wraps log end (bsc#1036215).
- xfs: handle -EFSCORRUPTED during head/tail verification (bsc#1036215).
- xfs: refactor and open code log record crc check (bsc#1036215).
- xfs: refactor log record start detection into a new helper (bsc#1036215).
- xfs: return start block of first bad log record during recovery (bsc#1036215).
- xfs: support a crc verification only log record pass (bsc#1036215).


-----------------------------------------
Patch: SUSE-2018-957
Released: Tue May 22 15:14:05 2018
Summary: Security update for wget
Severity: moderate
References: 1092061,CVE-2018-0494
Description:
This update for wget fixes the following issues:

- CVE-2018-0494: Fixed a cookie injection vulnerability by checking for
  and joining continuation lines. (bsc#1092061)



-----------------------------------------
Patch: SUSE-2018-964
Released: Tue May 22 18:31:29 2018
Summary: Security update for python
Severity: moderate
References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in
  heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same
  I/O stream concurrently (bsc#1079300).


-----------------------------------------
Patch: SUSE-2018-970
Released: Wed May 23 16:44:49 2018
Summary: Recommended update for hwinfo
Severity: important
References: 1072450,1078511
Description:
This update for hwinfo provides the following fixes:

- Detect usb controller in ARM platform devices. (bsc#1072450)
- Add more sanity checking on scsi serial id. (bsc#1078511)
- Make CDBISDN_DATE ignore timezone.


-----------------------------------------
Patch: SUSE-2018-971
Released: Wed May 23 16:45:19 2018
Summary: Recommended update for aaa_base
Severity: important
References: 1088524
Description:
This update for aaa_base fixes a regression which was introduced within the latest maintenance update
  cycle, where customized profiles were not sourced properly. (bsc#1088524)

-----------------------------------------
Patch: SUSE-2018-974
Released: Wed May 23 16:46:50 2018
Summary: Recommended update for systemd
Severity: moderate
References: 1045092,1051465,1066422,1075804,1082485,1084626,1085062,1086785,1087323
Description:
This update for systemd provides the following fixes:

- sysusers: Do not append entries after the NIS ones. (bsc#1085062, bsc#1045092)
- sysusers: Also add support for NIS entries in /etc/shadow.
- sysusers: Make sure to reset errno before calling fget*ent().
- coredump: Respect ulimit -c 0 settings. (bsc#1075804)
- systemctl: Don't make up unit states, and don't eat up errors too eagerly. (bsc#1084626)
- systemctl: Don't mangle unit names in check_unit_generic().
- rules, compat-rules: Fix errors detected by the rule syntax checker.
- python: Use raw strings for regexp patterns.
- compat-rules: Make path_id_compat build with meson.
- compat-rules: Get rid of scsi_id when generating compat symlinks for NVMe devices.
  (bsc#1051465)
- Fix memory hotplugging.
- systemd: Add offline environmental condition to the udev rules for acpi container to
  prevent them from being triggered by the 'udevadm trigger' from user space. (bsc#1082485)
- systemd-udevd: Limit children-max by the available memory. (bsc#1086785, bsc#1066422)
- Rename the tarball to reflect the exact version used, so that it is clear that it
  contains some additional patches on top of the upstream version. Use the commit hash in
  the name so the exact version can easily be identified. (bsc#1087323)


-----------------------------------------
Patch: SUSE-2018-977
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an
  external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)


-----------------------------------------
Patch: SUSE-2018-978
Released: Wed May 23 17:18:39 2018
Summary: Recommended update for zlib
Severity: moderate
References: 1071321
Description:
This update for zlib fixes the following issues:

- Fix a segmentation fault which was raised when converting a negative value into an unsigned integer (bsc#1071321)


-----------------------------------------
Patch: SUSE-2018-979
Released: Wed May 23 19:52:26 2018
Summary: Security update for icu
Severity: moderate
References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636,CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) used an integer data type
  that is inconsistent with a header file, which allowed remote attackers
  to cause a denial of service (incorrect malloc followed by invalid free)
  or possibly execute arbitrary code via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) did not properly track
  directionally isolated pieces of text, which allowed remote attackers
  to cause a denial of service (heap-based buffer overflow) or possibly
  execute arbitrary code via crafted text (bsc#929629).
- CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in
  common/uloc.cpp in International Components for Unicode (ICU) for C/C++
  did not ensure that there is a '\0' character at the end of a certain
  temporary array, which allowed remote attackers to cause a denial of
  service (out-of-bounds read) or possibly have unspecified other impact
  via a call with a long httpAcceptLanguage argument (bsc#990636).
- CVE-2017-7868: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_moveIndex32* function (bsc#1034674)
- CVE-2017-7867: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_setNativeIndex* function (bsc#1034678)
- CVE-2017-14952: Double free in i18n/zonemeta.cpp in International
  Components for Unicode (ICU) for C/C++ allowed remote attackers to
  execute arbitrary code via a crafted string, aka a 'redundant UVector
  entry clean up function call' issue (bnc#1067203)
- CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp
  in International Components for Unicode (ICU) for C/C++ mishandled
  ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allowed remote
  attackers to cause a denial of service (stack-based buffer overflow
  and application crash) or possibly have unspecified other impact via a
  crafted string, as demonstrated by ZNC  (bnc#1072193)
- CVE-2017-15422: An integer overflow in icu during persian calendar
  date processing could lead to incorrect years shown (bnc#1077999)



-----------------------------------------
Patch: SUSE-2018-982
Released: Fri May 25 15:05:15 2018
Summary: Security update for jasper
Severity: low
References: 1087020,CVE-2018-9055
Description:
This update for jasper fixes the following issues:

   - CVE-2018-9055: denial of service via
      a reachable assertion in the function jpc_firstone in
      libjasper/jpc/jpc_math.c could lead to denial of service. (bsc#1087020)


-----------------------------------------
Patch: SUSE-2018-998
Released: Tue May 29 11:35:50 2018
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1081065
Description:
This update provides the latest PCI ID definitions for pciutils-ids (bsc#1081065)

-----------------------------------------
Patch: SUSE-2018-999
Released: Tue May 29 11:36:06 2018
Summary: Recommended update for javapackages-tools
Severity: moderate
References: 1090920
Description:
This update for javapackages-tools fixes the following issues:

- Fix a wrong usage of popd (bsc#1090920)


-----------------------------------------
Patch: SUSE-2018-1002
Released: Wed May 30 02:29:38 2018
Summary: Recommended update for lifecycle-data-sle-module-web-scripting
Severity: low
References: 1093517
Description:
This update for lifecycle-data-sle-module-web-scripting fixes the following issues:

- Change lifecycle of libmcrypt to 2019-07-30. (bsc#1093517)


-----------------------------------------
Patch: SUSE-2018-1004
Released: Wed May 30 02:30:19 2018
Summary: Recommended update for sysstat
Severity: low
References: 1059694,1082880
Description:
This update for sysstat provides the following fix:

- Fixed a bug that gives values of ifutil larger than 100% for NIC's 
  with speeds >= 10 Gbit/s. (bsc#1059694)
- Read uptime from /proc/uptime instead of from /proc/stat. (bsc#1082880)


-----------------------------------------
Patch: SUSE-2018-1011
Released: Thu May 31 11:10:38 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1036215,1066223,1068032,1070404,1073059,1076805,1081599,1085185,1088810,1092772,1092813,1092888,1092975,1093035,1093533,1093904,1093990,1094033,1094059,1094177,1094268,1094356,1094405,1094532,919144,973378,993388
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.132 to receive various bugfixes.

The following non-security bugs were fixed:

- ALSA: aloop: Add missing cable lock to ctl API callbacks (bnc#1012382).
- ALSA: aloop: Mark paused device as inactive (bnc#1012382).
- ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation (bsc#1092975).
- ALSA: pcm: Check PCM state at xfern compat ioctl (bnc#1012382).
- ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() (bnc#1012382).
- ALSA: timer: Fix pause event notification (bsc#973378).
- Bluetooth: Revert: btusb: Fix quirk for Atheros 1525/QCA6174' (bnc#1012382).
- IB/mlx5: Use unlimited rate when static rate is not supported (bnc#1012382).
- Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro (bnc#1012382).
- Input: leds - fix out of bound access (bnc#1012382).
- KVM: s390: Enable all facility bits that are known good for passthrough (bnc#1012382 bsc#1073059 bsc#1076805).
- NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 (bnc#1012382).
- PCI: hv: Fix a __local_bh_enable_ip warning in hv_compose_msi_msg() (bnc#1094268).
- RDMA/mlx5: Protect from shift operand overflow (bnc#1012382).
- RDMA/ucma: Allow resolving address w/o specifying source address (bnc#1012382).
- ath10k: Revert: rebuild crypto header in rx data frames' (kabi).
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode (bnc#1012382).
- ath10k: rebuild crypto header in rx data frames (bnc#1012382).
- atm: zatm: Fix potential Spectre v1 (bnc#1012382).
- bdi: Fix oops in wb_workfn() (bnc#1012382).
- blacklist.conf: Blacklist 001ab5a67ee5
- blacklist.conf: Blacklist 3172485f4f80
- blacklist.conf: Blacklist 8a1ac5dc7be0
- blacklist.conf: Blacklist a09acf4b43b9
- blacklist.conf: Blacklist a86b06d1ccd2
- blacklist.conf: add cifs commit RMDA is unsupported in all SLE versions.
- bpf: map_get_next_key to return first key on NULL (bnc#1012382).
- bs-upload-kernel: Revert: do not set %opensuse_bs' This reverts commit e89e2b8cbef05df6c874ba70af3cb4c57f82a821.
- can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() (bnc#1012382).
- ceph: fix st_nlink stat for directories (bsc#1093904).
- crypto: af_alg - fix possible uninit-value in alg_bind() (bnc#1012382).
- dccp: initialize ireq-&gt;ir_mark (bnc#1012382).
- drm/vmwgfx: Fix a buffer object leak (bnc#1012382).
- gpmi-nand: Handle ECC Errors in erased pages (bnc#1012382).
- ibmvnic: Fix non-fatal firmware error reset (bsc#1093990).
- ibmvnic: Fix statistics buffers memory leak (bsc#1093990).
- ibmvnic: Free coherent DMA memory if FW map failed (bsc#1093990).
- ibmvnic: Only do H_EOI for mobility events (bsc#1094356).
- ipvs: fix rtnl_lock lockups caused by start_sync_thread (bnc#1012382).
- kABI: protect struct ath10k_hw_params (kabi).
- kgraft/bnx2fc: Do not block kGraft in bnx2fc_l2_rcv kthread (bsc#1094033).
- libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs (bnc#1012382).
- loop: handle short DIO reads (bsc#1094177).
- mac80211: Add RX flag to indicate ICV stripped (bnc#1012382).
- mac80211: Revert: Add RX flag to indicate ICV stripped' (kabi).
- mac80211: Revert: allow not sending MIC up from driver for HW crypto' (kabi).
- mac80211: Revert: allow same PN for AMSDU sub-frames' (kabi).
- mac80211: allow not sending MIC up from driver for HW crypto (bnc#1012382).
- mac80211: allow same PN for AMSDU sub-frames (bnc#1012382).
- net: atm: Fix potential Spectre v1 (bnc#1012382).
- net: fix rtnh_ok() (bnc#1012382).
- net: fix uninit-value in __hw_addr_add_ex() (bnc#1012382).
- net: initialize skb-&gt;peeked when cloning (bnc#1012382).
- netlink: fix uninit-value in netlink_sendmsg (bnc#1012382).
- nvme-pci: Fix EEH failure on ppc (bsc#1093533).
- nvme: target: fix buffer overflow (bsc#993388).
- ocfs2/dlm: Fix up kABI in dlm_ctxt (bsc#1070404).
- ocfs2/dlm: wait for dlm recovery done when migrating all lock resources (bsc#1070404).
- percpu: include linux/sched.h for cond_resched() (bnc#1012382).
- perf/core: Fix possible Spectre-v1 indexing for -&gt;aux_pages[] (bnc#1012382).
- perf/core: Fix the perf_cpu_time_max_percent check (bnc#1012382).
- perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr (bnc#1012382).
- perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver (bnc#1012382).
- perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* (bnc#1012382).
- perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() (bnc#1012382).
- perf: Remove superfluous allocation error check (bnc#1012382).
- platform/x86: ideapad-laptop: Add MIIX 720-12IKB to no_hw_rfkill (bsc#1093035).
- powerpc/fadump: Do not use hugepages when fadump is active (bsc#1092772).
- powerpc/fadump: exclude memory holes while reserving memory in second kernel (bsc#1092772).
- powerpc: conditionally compile platform-specific serial drivers (bsc#1066223).
- powerpc: signals: Discard transaction state from signal frames (bsc#1094059).
- rfkill: gpio: fix memory leak in probe error path (bnc#1012382).
- s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero (bnc#1094532, LTC#168035).
- s390/qdio: fix access to uninitialized qdio_q fields (bnc#1094532, LTC#168037).
- scsi: zfcp: fix infinite iteration on ERP ready list (bnc#1094532, LTC#168038).
- soreuseport: initialise timewait reuseport field (bnc#1012382).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810).
- target: transport should handle st FM/EOM/ILI reads (bsc#1081599).
- tcp: fix TCP_REPAIR_QUEUE bound checking (bnc#1012382).
- test_firmware: fix setting old custom fw path back on exit, second try (bnc#1012382).
- tracepoint: Do not warn on ENOMEM (bnc#1012382).
- tracing/uprobe_event: Fix strncpy corner case (bnc#1012382).
- tracing: Fix regex_match_front() to not over compare the test string (bnc#1012382).
- usb: Accept bulk endpoints with 1024-byte maxpacket (bnc#1012382 bsc#1092888).
- usb: Accept bulk endpoints with 1024-byte maxpacket (bsc#1092888).
- usb: musb: host: fix potential NULL pointer dereference (bnc#1012382).
- usb: serial: option: Add support for Quectel EP06 (bnc#1012382).
- usb: serial: option: adding support for ublox R410M (bnc#1012382).
- usb: serial: option: reimplement interface masking (bnc#1012382).
- usb: serial: visor: handle potential invalid device configuration (bnc#1012382).
- watchdog: Revert: hpwdt: Remove legacy NMI sourcing (bsc#1085185).
- watchdog: hpwdt: Modify to use watchdog core (bsc#1085185).
- watchdog: hpwdt: Update Module info and copyright (bsc#1085185).
- watchdog: hpwdt: Update nmi_panic message (bsc#1085185).
- watchdog: hpwdt: Update nmi_panic message) (bsc#1085185).
- watchdog: hpwdt: condition early return of NMI handler on iLO5 (bsc#1085185).
- x86/bugs: Respect retpoline command line option (bsc#1068032).
- x86/kaiser: export symbol kaiser_set_shadow_pgd() (bsc#1092813)
- xfrm_user: fix return value from xfrm_user_rcv_msg (bnc#1012382).
- xfs: fix endianness error when checking log block crc on big endian platforms (bsc#1094405, bsc#1036215).
- xfs: prevent creating negative-sized file via INSERT_RANGE (bnc#1012382).



-----------------------------------------
Patch: SUSE-2018-1022
Released: Mon Jun  4 17:35:43 2018
Summary: Security update for xdg-utils
Severity: moderate
References: 1093086,CVE-2017-18266
Description:
This update for xdg-utils fixes the following issues:

Security issue:

- CVE-2017-18266: Fix an argument injection when BROWSER contains %s (bsc#1093086).


-----------------------------------------
Patch: SUSE-2018-1027
Released: Tue Jun  5 11:17:51 2018
Summary: Security update for oracleasm kmp
Severity: moderate
References: 1068032,CVE-2017-5715
Description:

This update provides rebuilt kernel modules for SUSE Linux Enterprise 12 SP3 products
with retpoline enablement to address Spectre Variant 2 (CVE-2017-5715 bsc#1068032).

Following modules have been rebuilt:

- drbd
- oracleasm
- crash
- lttng-modules

  

-----------------------------------------
Patch: SUSE-2018-1028
Released: Tue Jun  5 13:20:44 2018
Summary: Recommended update for pam
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)


-----------------------------------------
Patch: SUSE-2018-1077
Released: Wed Jun  6 11:44:25 2018
Summary: Security update for glibc
Severity: important
References: 1086690,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237
Description:

  
This update for glibc fixes the following issues:

- CVE-2017-18269: Fix SSE2 memmove issue when crossing 2GB boundary (bsc#1094150)
- CVE-2018-11236: Fix overflow in path length computation (bsc#1094161)
- CVE-2018-11237: Don't write beyond buffer destination in __mempcpy_avx512_no_vzeroupper (bsc#1094154)

Non security bugs fixed:

- Fix crash in resolver on memory allocation failure (bsc#1086690)



-----------------------------------------
Patch: SUSE-2018-1081
Released: Thu Jun  7 11:43:48 2018
Summary: Security update for libvorbis
Severity: moderate
References: 1091070,CVE-2018-10392
Description:
This update for libvorbis fixes the following issues:
  
The following security issue was fixed:
  
- Fixed the validation of channels in mapping0_forward(), which previously
  allowed remote attackers to cause a denial of service via specially crafted
  files (CVE-2018-10392, bsc#1091070)


-----------------------------------------
Patch: SUSE-2018-1082
Released: Thu Jun  7 12:58:56 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.


-----------------------------------------
Patch: SUSE-2018-1085
Released: Thu Jun  7 13:05:44 2018
Summary: Recommended update for grub2
Severity: low
References: 1071559,1078775,1082914,1086670
Description:
This update for grub2 provides the following fixes:

- Fix a wrong command output when default subvolume is a toplevel tree with ID 5.
  (bsc#1078775)
- Insert mdraid modules to support software RAID. (bsc#1078775)
- Fix a problem that was causing a Nvidia GPU in legacy I/O slot 2 to disappear during system
  startup. (bsc#1082914)
- Fix a corruption of contents in 'grub2-install --help' and grub2-install manual page.
  (bsc#1086670)
- Add a fallback to 'raw mode' when grub fails to open a disk for the first time. (bsc#1071559)


-----------------------------------------
Patch: SUSE-2018-1124
Released: Tue Jun 12 12:30:48 2018
Summary: Version update for docker, catatonit
Severity: moderate
References: 1065609,1073877,1085117,1089732,1091633
Description:

This update for docker fixes several issues.

These features were added in this release:

- fate#324652: docker-init support was added in the form of 'catatonit'. This
  allows users to use the --init option with 'docker run', which spawns a very
  simple init as pid1 in the container. This includes the addition of a new
  package (catatonit). (bsc#1091633)

These non-security issues were fixed:

- bsc#1073877 bsc#1089732: Update the generated AppArmor profile so that it allows contained processes to be signalled by 'docker kill'.
- bsc#1085117: Build and package the man pages for docker sub-commands.
- bsc#1065609: Do not log incorrect warnings when attempting to inject non-existent host files.
  

-----------------------------------------
Patch: SUSE-2018-1132
Released: Wed Jun 13 14:43:49 2018
Summary: Security update for samba
Severity: moderate
References: 1081024,1093664,CVE-2018-1057
Description:

  
Samba was updated to 4.6.14, fixing bugs and security issues:

Version update to 4.6.14 (bsc#1093664):

+ vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
+ Fix memory leak in vfs_ceph; (bso#13424).
+ winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection;
  (bso#13294).
+ s3:smb2_server: correctly maintain request counters for compound
  requests; (bso#13215).
+ s3: smbd: Unix extensions attempts to change wrong field in fchown
  call; (bso#13375).
+ s3:smbd: map nterror on smb2_flush errorpath; (bso#13338).
+ vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async;
  (bso#13297).
+ s3: smbd: Fix possible directory fd leak if the underlying OS doesn't
  support fdopendir(); (bso#13270).
+ s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we
  don't own it here; (bso#13244).
+ s3:libsmb: allow -U'\\administrator' to work; (bso#13206).
+ CVE-2018-1057: s4:dsdb: fix unprivileged password changes;
  (bso#13272); (bsc#1081024).
+ s3:smbd: Do not crash if we fail to init the session table;
  (bso#13315).
+ libsmb: Use smb2 tcon if conn_protocol >= SMB2_02; (bso#13310).
+ smbXcli: Add 'force_channel_sequence'; (bso#13215).
+ smbd: Fix channel sequence number checks for long-running requests;
  (bso#13215).
+ s3:smb2_server: allow logoff, close, unlock, cancel and echo on
  expired sessions; (bso#13197).
+ s3:smbd: return the correct error for cancelled SMB2 notifies on
  expired sessions; (bso#13197).
+ samba: Only use async signal-safe functions in signal handler;
  (bso#13240).
+ subnet: Avoid a segfault when renaming subnet objects; (bso#13031).

- Fix vfs_ceph with 'aio read size' or 'aio write size' > 0;
  (bsc#1093664).
  + vfs_ceph: add fake async pwrite/pread send/recv hooks; (bso#13425).
  + Fix memory leak in vfs_ceph; (bso#13424).


-----------------------------------------
Patch: SUSE-2018-1141
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
  verification actions, which allowed remote attackers to spoof the output that
  GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
  option (bsc#1096745)


-----------------------------------------
Patch: SUSE-2018-1144
Released: Fri Jun 15 19:19:29 2018
Summary: Recommended update for logrotate
Severity: moderate
References: 1093617
Description:
This update for logrotate provides the following fix:

- Ensure the HOME environment variable is set to /root when logrotate is started via
  systemd. This allows mariadb to rotate its logs when the database has a root password
  defined. (bsc#1093617)


-----------------------------------------
Patch: SUSE-2018-1145
Released: Fri Jun 15 19:19:51 2018
Summary: Recommended update for openssl
Severity: moderate
References: 1090765
Description:
This update for openssl provides the following fix:

- Suggest libopenssl1_0_0-hmac from libopenssl1_0_0 package to avoid dependency issues
  during updates. (bsc#1090765)


-----------------------------------------
Patch: SUSE-2018-1154
Released: Mon Jun 18 22:04:34 2018
Summary: Recommended update for release-notes-sles
Severity: low
References: 1086000,1096048
Description:
This update for release-notes-sles provides the following changes: (bsc#1096048)

- Updated template text:
  * Removed Windows version from Samba AD support statement.
  * Added Java support table. (fate#325480)
- New entries:
  - Support for 512 TB virtual address space on POWER. (fate#322470)
  - Boot and driver enablement for Raspberry Pi 3 model B. (fate#323971)
  - LibreOffice has been updated to version 6.0. (fate#324870)
  - Raspberry Pi 3 shows blurry HDMI output on some monitors. (fate#325671, bsc#1086000)
- Changed entries:
  - ntp 4.2.8. (fate#320392, fate#319040)
- Removed entries:
  - LibreOffice has been updated to version 5.4. (fate#323884)


-----------------------------------------
Patch: SUSE-2018-1156
Released: Tue Jun 19 15:10:45 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1188
Released: Wed Jun 20 15:46:10 2018
Summary: Security update for ntp
Severity: moderate
References: 1077445,1082063,1082210,1083417,1083420,1083422,1083424,1083426,CVE-2016-1549,CVE-2018-7170,CVE-2018-7182,CVE-2018-7183,CVE-2018-7184,CVE-2018-7185
Description:
This update for ntp fixes the following issues:

- Update to 4.2.8p11 (bsc#1082210):
  * CVE-2016-1549: Sybil vulnerability: ephemeral association
    attack. While fixed in ntp-4.2.8p7, there are significant
    additional protections for this issue in 4.2.8p11.
  * CVE-2018-7182: ctl_getitem(): buffer read overrun
    leads to undefined behavior and information leak. (bsc#1083426)
  * CVE-2018-7170: Multiple authenticated ephemeral
    associations. (bsc#1083424)
  * CVE-2018-7184: Interleaved symmetric mode cannot
    recover from bad state. (bsc#1083422)
  * CVE-2018-7185: Unauthenticated packet can reset
    authenticated interleaved association. (bsc#1083420)
  * CVE-2018-7183: ntpq:decodearr() can write beyond its
    buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)

This update is a reissue of the previous update with LTSS channels included.


-----------------------------------------
Patch: SUSE-2018-1193
Released: Wed Jun 20 18:48:16 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1199
Released: Thu Jun 21 13:52:38 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1024718,1031717,1035432,1041740,1045330,1056415,1066223,1068032,1068054,1068951,1070404,1073311,1075428,1076049,1078583,1079152,1080542,1080656,1081500,1081514,1082153,1082504,1082979,1085185,1085308,1086400,1086716,1087036,1087086,1088871,1090435,1090534,1090734,1090955,1091594,1094532,1095042,1095147,1096037,1096140,1096214,1096242,1096281,1096751,1096982,1097234,1097356,1098009,1098012,971975,973378,978907,CVE-2017-17741,CVE-2017-18241,CVE-2017-18249,CVE-2018-12233,CVE-2018-3665,CVE-2018-5848
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136  to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-5848: In the function wmi_set_ie(), the length validation code did
  not handle unsigned integer overflow properly. As a result, a large value of
  the 'ie_len' argument could have caused a buffer overflow (bnc#1097356).
- CVE-2017-18249: The add_free_nid function did not properly track an allocated
  nid, which allowed local users to cause a denial of service (race condition) or
  possibly have unspecified other impact via concurrent threads (bnc#1087036).
- CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX
  registers) between processes. These registers might contain encryption keys
  when doing SSE accelerated AES enc/decryption (bsc#1087086).
- CVE-2017-18241: Prevent a NULL pointer dereference by using a noflush_merge
  option that triggers a NULL value for a flush_cmd_control data structure
  (bnc#1086400).
- CVE-2017-17741: The KVM implementation in the Linux kernel allowed attackers
  to obtain potentially sensitive information from kernel memory, aka a
  write_mmio stack-based out-of-bounds read (bnc#1073311).
- CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c, a memory
  corruption bug in JFS can be triggered by calling setxattr twice with two
  different extended attribute names on the same file. This vulnerability
  can be triggered by an unprivileged user with the ability to create
  files and execute programs. A kmalloc call is incorrect, leading to
  slab-out-of-bounds in jfs_xattr (bnc#1097234).

The following non-security bugs were fixed:

- 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() (bnc#1012382).
- ACPI: acpi_pad: Fix memory leak in power saving threads (bnc#1012382).
- ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (bnc#1012382).
- ACPICA: Events: add a return on failure from acpi_hw_register_read (bnc#1012382).
- ACPI: processor_perflib: Do not send _PPC change notification if not ready (bnc#1012382).
- affs_lookup(): close a race with affs_remove_link() (bnc#1012382).
- af_key: Always verify length of provided sadb_key (bnc#1012382).
- aio: fix io_destroy(2) vs. lookup_ioctx() race (bnc#1012382).
- alsa: control: fix a redundant-copy issue (bnc#1012382).
- alsa: hda: Add Lenovo C50 All in one to the power_save blacklist (bnc#1012382).
- alsa: hda - Use IS_REACHABLE() for dependency on input (bnc#1012382 bsc#1031717).
- alsa: timer: Call notifier in the same spinlock (bnc#1012382 bsc#973378).
- alsa: timer: Fix pause event notification (bnc#1012382 bsc#973378).
- alsa: usb: mixer: volume quirk for CM102-A+/102S+ (bnc#1012382).
- alsa: vmaster: Propagate slave error (bnc#1012382).
- arc: Fix malformed ARC_EMUL_UNALIGNED default (bnc#1012382).
- arm64: Add ARCH_WORKAROUND_2 probing (bsc#1085308).
- arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 (bsc#1085308).
- arm64: Add 'ssbd' command-line option (bsc#1085308).
- arm64: Add this_cpu_ptr() assembler macro for use in entry.S (bsc#1085308).
- arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bnc#1012382).
- arm64: alternatives: Add dynamic patching feature (bsc#1085308).
- arm64: assembler: introduce ldr_this_cpu (bsc#1085308).
- arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 (bsc#1085308).
- arm64: do not call C code with el0's fp register (bsc#1085308).
- arm64: fix endianness annotation for __apply_alternatives()/get_alt_insn() (bsc#1085308).
- arm64: introduce mov_q macro to move a constant into a 64-bit register (bnc#1012382 bsc#1068032).
- arm64: lse: Add early clobbers to some input/output asm operands (bnc#1012382).
- arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics (bnc#1012382).
- arm64: ssbd: Add global mitigation state accessor (bsc#1085308).
- arm64: ssbd: Add prctl interface for per-thread mitigation (bsc#1085308).
- arm64: ssbd: Introduce thread flag to control userspace mitigation (bsc#1085308).
- arm64: ssbd: Restore mitigation status on CPU resume (bsc#1085308).
- arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation (bsc#1085308).
- arm: 8748/1: mm: Define vdso_start, vdso_end as array (bnc#1012382).
- arm: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed (bnc#1012382).
- arm: 8770/1: kprobes: Prohibit probing on optimized_callback (bnc#1012382).
- arm: 8771/1: kprobes: Prohibit kprobes on do_undefinstr (bnc#1012382).
- arm: 8772/1: kprobes: Prohibit kprobes on get_user functions (bnc#1012382).
- arm/arm64: smccc: Add SMCCC-specific return codes (bsc#1085308).
- arm: dts: socfpga: fix GIC PPI warning (bnc#1012382).
- arm: OMAP1: clock: Fix debugfs_create_*() usage (bnc#1012382).
- arm: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt (bnc#1012382).
- arm: OMAP3: Fix prm wake interrupt for resume (bnc#1012382).
- arm: OMAP: Fix dmtimer init for omap1 (bnc#1012382).
- asm-generic: provide generic_pmdp_establish() (bnc#1012382).
- ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() (bnc#1012382 bsc#1031717).
- ASoC: Intel: sst: remove redundant variable dma_dev_name (bnc#1012382).
- ASoC: samsung: i2s: Ensure the RCLK rate is properly determined (bnc#1012382).
- ASoC: topology: create TLV data for dapm widgets (bnc#1012382).
- ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) (bnc#1012382).
- audit: move calcs after alloc and check when logging set loginuid (bnc#1012382).
- audit: return on memory error to avoid null pointer dereference (bnc#1012382).
- autofs: change autofs4_expire_wait()/do_expire_wait() to take struct path (bsc#1086716).
- autofs: change autofs4_wait() to take struct path (bsc#1086716).
- autofs: use path_has_submounts() to fix unreliable have_submount() checks (bsc#1086716).
- autofs: use path_is_mountpoint() to fix unreliable d_mountpoint() checks (bsc#1086716).
- batman-adv: fix header size check in batadv_dbg_arp() (bnc#1012382).
- batman-adv: fix multicast-via-unicast transmission with AP isolation (bnc#1012382).
- batman-adv: fix packet checksum in receive path (bnc#1012382).
- batman-adv: fix packet loss for broadcasted DHCP packets to a server (bnc#1012382).
- batman-adv: invalidate checksum on fragment reassembly (bnc#1012382).
- bcache: fix for allocator and register thread race (bnc#1012382).
- bcache: fix for data collapse after re-attaching an attached device (bnc#1012382).
- bcache: fix kcrashes with fio in RAID5 backend dev (bnc#1012382).
- bcache: properly set task state in bch_writeback_thread() (bnc#1012382).
- bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set (bnc#1012382).
- bcache: return attach error when no cache set exist (bnc#1012382).
- block: cancel workqueue entries on blk_mq_freeze_queue() (bsc#1090435).
- Bluetooth: Apply QCA Rome patches for some ATH3012 models (bsc#1082504, bsc#1095147).
- Bluetooth: btusb: Add device ID for RTL8822BE (bnc#1012382).
- Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB (bnc#1012382).
- bnx2x: use the right constant (bnc#1012382).
- bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa() (bnc#1012382).
- bonding: do not allow rlb updates to invalid mac (bnc#1012382).
- bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y (bnc#1012382).
- brcmfmac: Fix check for ISO3166 code (bnc#1012382).
- bridge: check iface upper dev when setting master via ioctl (bnc#1012382).
- Btrfs: bail out on error during replay_dir_deletes (bnc#1012382).
- Btrfs: fix copy_items() return value when logging an inode (bnc#1012382).
- Btrfs: fix crash when trying to resume balance without the resume flag (bnc#1012382).
- Btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers (bnc#1012382).
- Btrfs: fix NULL pointer dereference in log_dir_items (bnc#1012382).
- Btrfs: Fix out of bounds access in btrfs_search_slot (bnc#1012382).
- Btrfs: Fix possible softlock on single core machines (bnc#1012382).
- Btrfs: fix reading stale metadata blocks after degraded raid1 mounts (bnc#1012382).
- Btrfs: fix scrub to repair raid6 corruption (bnc#1012382).
- Btrfs: fix xattr loss after power failure (bnc#1012382).
- Btrfs: send, fix issuing write op when processing hole in no data mode (bnc#1012382).
- Btrfs: set plug for fsync (bnc#1012382).
- Btrfs: tests/qgroup: Fix wrong tree backref level (bnc#1012382).
- cdrom: do not call check_disk_change() inside cdrom_open() (bnc#1012382).
- ceph: delete unreachable code in ceph_check_caps() (bsc#1096214).
- ceph: fix race of queuing delayed caps (bsc#1096214).
- cfg80211: further limit wiphy names to 64 bytes (bnc#1012382 git-fixes).
- cfg80211: further limit wiphy names to 64 bytes (git-fixes).
- cfg80211: limit wiphy names to 128 bytes (bnc#1012382).
- cifs: silence compiler warnings showing up with gcc-8.0.0 (bnc#1012382 bsc#1090734).
- Clarify (and fix) MAX_LFS_FILESIZE macros (bnc#1012382).
- clk: Do not show the incorrect clock phase (bnc#1012382).
- clk: rockchip: Prevent calculating mmc phase if clock rate is zero (bnc#1012382).
- clk: samsung: exynos3250: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5250: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5260: Fix PLL rates (bnc#1012382).
- clk: samsung: exynos5433: Fix PLL rates (bnc#1012382).
- clk: samsung: s3c2410: Fix PLL rates (bnc#1012382).
- clocksource/drivers/fsl_ftm_timer: Fix error return checking (bnc#1012382).
- config: arm64: enable Spectre-v4 per-thread mitigation
- Correct the prefix in references tag in previous patches (bsc#1041740).
- cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path (bnc#1012382).
- cpufreq: CPPC: Initialize shared perf capabilities of CPUs (bnc#1012382).
- cpufreq: intel_pstate: Enable HWP by default (bnc#1012382).
- cpuidle: coupled: remove unused define cpuidle_coupled_lock (bnc#1012382).
- crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss (bnc#1012382).
- crypto: vmx - Remove overly verbose printk from AES init routines (bnc#1012382).
- dccp: do not free ccid2_hc_tx_sock struct in dccp_disconnect() (bnc#1012382).
- dccp: fix tasklet usage (bnc#1012382).
- dlm: fix a clerical error when set SCTP_NODELAY (bsc#1091594).
- dlm: make sctp_connect_to_sock() return in specified time (bsc#1080542).
- dlm: remove O_NONBLOCK flag in sctp_connect_to_sock (bsc#1080542).
- dmaengine: ensure dmaengine helpers check valid callback (bnc#1012382).
- dmaengine: pl330: fix a race condition in case of threaded irqs (bnc#1012382).
- dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3 (bnc#1012382).
- dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all() (bnc#1012382).
- dm thin: fix documentation relative to low water mark threshold (bnc#1012382).
- do d_instantiate/unlock_new_inode combinations safely (bnc#1012382).
- dp83640: Ensure against premature access to PHY registers after reset (bnc#1012382).
- drm/exynos: fix comparison to bitshift when dealing with a mask (bnc#1012382).
- drm/i915: Disable LVDS on Radiant P845 (bnc#1012382).
- drm/rockchip: Respect page offset for PRIME mmap calls (bnc#1012382).
- drm: set FMODE_UNSIGNED_OFFSET for drm files (bnc#1012382).
- e1000e: allocate ring descriptors with dma_zalloc_coherent (bnc#1012382).
- e1000e: Fix check_for_link return value with autoneg off (bnc#1012382 bsc#1075428).
- efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode (bnc#1012382).
- enic: enable rq before updating rq descriptors (bnc#1012382).
- enic: set DMA mask to 47 bit (bnc#1012382).
- ext2: fix a block leak (bnc#1012382).
- fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper() (bnc#1012382).
- firewire-ohci: work around oversized DMA reads on JMicron controllers (bnc#1012382).
- firmware: dmi: handle missing DMI data gracefully (bsc#1096037).
- firmware: dmi_scan: Fix handling of empty DMI strings (bnc#1012382).
- fix io_destroy()/aio_complete() race (bnc#1012382).
- Force log to disk before reading the AGF during a fstrim (bnc#1012382).
- fscache: Fix hanging wait on page discarded by writeback (bnc#1012382).
- fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table (bnc#1012382).
- futex: futex_wake_op, do not fail on invalid op (git-fixes).
- futex: futex_wake_op, fix sign_extend32 sign bits (bnc#1012382).
- futex: Remove duplicated code and fix undefined behaviour (bnc#1012382).
- futex: Remove unnecessary warning from get_futex_key (bnc#1012382).
- gfs2: Fix fallocate chunk size (bnc#1012382).
- gianfar: Fix Rx byte accounting for ndev stats (bnc#1012382).
- gpio: No NULL owner (bnc#1012382).
- gpio: rcar: Add Runtime PM handling for interrupts (bnc#1012382).
- hfsplus: stop workqueue when fill_super() failed (bnc#1012382).
- HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() (bnc#1012382).
- hwmon: (nct6775) Fix writing pwmX_mode (bnc#1012382).
- hwmon: (pmbus/adm1275) Accept negative page register values (bnc#1012382).
- hwmon: (pmbus/max8688) Accept negative page register values (bnc#1012382).
- hwrng: stm32 - add reset during probe (bnc#1012382).
- hwtracing: stm: fix build error on some arches (bnc#1012382).
- i2c: mv64xxx: Apply errata delay only in standard mode (bnc#1012382).
- i2c: rcar: check master irqs before slave irqs (bnc#1012382).
- i2c: rcar: do not issue stop when HW does it automatically (bnc#1012382).
- i2c: rcar: init new messages in irq (bnc#1012382).
- i2c: rcar: make sure clocks are on when doing clock calculation (bnc#1012382).
- i2c: rcar: refactor setup of a msg (bnc#1012382).
- i2c: rcar: remove spinlock (bnc#1012382).
- i2c: rcar: remove unused IOERROR state (bnc#1012382).
- i2c: rcar: revoke START request early (bnc#1012382).
- i2c: rcar: rework hw init (bnc#1012382).
- IB/ipoib: Fix for potential no-carrier state (bnc#1012382).
- iio:kfifo_buf: check for uint overflow (bnc#1012382).
- ima: Fallback to the builtin hash algorithm (bnc#1012382).
- ima: Fix Kconfig to select TPM 2.0 CRB interface (bnc#1012382).
- init: fix false positives in W+X checking (bsc#1096982).
- input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID (bnc#1012382).
- Input: elan_i2c_smbus - fix corrupted stack (bnc#1012382).
- input: goodix - add new ACPI id for GPD Win 2 touch screen (bnc#1012382).
- ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds (bnc#1012382).
- ipc/shm: fix shmat() nil address after round-down when remapping (bnc#1012382).
- ipmi/powernv: Fix error return code in ipmi_powernv_probe() (bnc#1012382).
- ipmi_ssif: Fix kernel panic at msg_done_handler (bnc#1012382 bsc#1088871).
- ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg (bnc#1012382).
- ipv4: lock mtu in fnhe when received PMTU lower than net.ipv4.route.min_pmtu (bnc#1012382).
- ipv4: remove warning in ip_recv_error (bnc#1012382).
- ipv6: omit traffic class when calculating flow hash (bsc#1095042).
- irda: fix overly long udelay() (bnc#1012382).
- irqchip/gic-v3: Change pr_debug message to pr_devel (bnc#1012382).
- isdn: eicon: fix a missing-check bug (bnc#1012382).
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path (bnc#1012382 git-fixes).
- kabi: vfs: Restore dentry_operations->d_manage (bsc#1086716).
- kasan: fix memory hotplug during boot (bnc#1012382).
- Kbuild: change CC_OPTIMIZE_FOR_SIZE definition (bnc#1012382).
- kconfig: Avoid format overflow warning from GCC 8.1 (bnc#1012382).
- kconfig: Do not leak main menus during parsing (bnc#1012382).
- kconfig: Fix automatic menu creation mem leak (bnc#1012382).
- kconfig: Fix expr_free() E_NOT leak (bnc#1012382).
- kdb: make 'mdr' command repeat (bnc#1012382).
- kernel: Fix memory leak on EP11 target list processing (bnc#1096751, LTC#168596).
- kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE (bnc#1012382).
- kernel/sys.c: fix potential Spectre v1 issue (bnc#1012382).
- kvm: Fix spelling mistake: 'cop_unsuable' -> 'cop_unusable' (bnc#1012382).
- kvm: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use (bnc#1012382).
- kvm: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing (bnc#1012382).
- kvm: VMX: raise internal error for exception during invalid protected mode state (bnc#1012382).
- kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl (bnc#1012382).
- kvm: x86: introduce linear_{read,write}_system (bnc#1012382).
- kvm: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system (bnc#1012382).
- kvm: x86: Sync back MSR_IA32_SPEC_CTRL to VCPU data structure (bsc#1096242, bsc#1096281).
- kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access (bnc#1012382).
- l2tp: revert 'l2tp: fix missing print session offset info' (bnc#1012382).
- libata: blacklist Micron 500IT SSD with MU01 firmware (bnc#1012382).
- libata: Blacklist some Sandisk SSDs for NCQ (bnc#1012382).
- llc: better deal with too small mtu (bnc#1012382).
- llc: properly handle dev_queue_xmit() return value (bnc#1012382).
- lockd: lost rollback of set_grace_period() in lockd_down_net() (bnc#1012382 git-fixes).
- locking/qspinlock: Ensure node->count is updated before initialising node (bnc#1012382).
- locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() (bnc#1012382).
- locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs (bnc#1012382).
- m68k: set dma and coherent masks for platform FEC ethernets (bnc#1012382).
- mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 (bnc#1012382).
- md raid10: fix NULL deference in handle_write_completed() (bnc#1012382 bsc#1056415).
- md/raid1: fix NULL pointer dereference (bnc#1012382).
- md: raid5: avoid string overflow warning (bnc#1012382).
- media: cx23885: Override 888 ImpactVCBe crystal frequency (bnc#1012382).
- media: cx23885: Set subdev host data to clk_freq pointer (bnc#1012382).
- media: cx25821: prevent out-of-bounds read on array card (bnc#1012382 bsc#1031717).
- media: dmxdev: fix error code for invalid ioctls (bnc#1012382).
- media: em28xx: USB bulk packet size fix (bnc#1012382).
- media: s3c-camif: fix out-of-bounds array access (bnc#1012382 bsc#1031717).
- mmap: introduce sane default mmap limits (bnc#1012382).
- mmap: relax file size limit for regular files (bnc#1012382).
- mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register (bnc#1012382).
- mm: do not allow deferred pages with NEED_PER_CPU_KM (bnc#1012382).
- mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read (bnc#1012382 bnc#971975).
- mm: filemap: remove redundant code in do_read_cache_page (bnc#1012382 bnc#971975).
- mm: fix races between address_space dereference and free in page_evicatable (bnc#1012382).
- mm: fix the NULL mapping case in __isolate_lru_page() (bnc#1012382).
- mm/kmemleak.c: wait for scan completion before disabling free (bnc#1012382).
- mm/ksm: fix interaction with THP (bnc#1012382).
- mm/mempolicy: add nodes_empty check in SYSC_migrate_pages (bnc#1012382).
- mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1012382).
- mm/mempolicy: fix the check of nodemask from user (bnc#1012382).
- mm, page_alloc: do not break __GFP_THISNODE by zonelist reset (bsc#1079152, VM Functionality).
- mm: pin address_space before dereferencing it while isolating an LRU page (bnc#1012382 bnc#1081500).
- net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() (bnc#1012382).
- netdev-FAQ: clarify DaveM's position for stable backports (bnc#1012382).
- net: ethernet: sun: niu set correct packet size in skb (bnc#1012382).
- netfilter: ebtables: convert BUG_ONs to WARN_ONs (bnc#1012382).
- net: Fix untag for vlan packets without ethernet header (bnc#1012382).
- net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off (bnc#1012382).
- netlabel: If PF_INET6, check sk_buff ip header version (bnc#1012382).
- net: metrics: add proper netlink validation (bnc#1012382).
- net/mlx4_en: Verify coalescing parameters are in range (bnc#1012382).
- net/mlx4: Fix irq-unsafe spinlock usage (bnc#1012382).
- net/mlx5: Protect from command bit overflow (bnc#1012382).
- net: mvneta: fix enable of all initialized RXQs (bnc#1012382).
- net/packet: refine check for priv area size (bnc#1012382).
- net: phy: broadcom: Fix bcm_write_exp() (bnc#1012382).
- net: qmi_wwan: add BroadMobi BM806U 2020:2033 (bnc#1012382).
- net_sched: fq: take care of throttled flows before reuse (bnc#1012382).
- net: support compat 64-bit time in {s,g}etsockopt (bnc#1012382).
- net/tcp/illinois: replace broken algorithm reference link (bnc#1012382).
- net: test tailroom before appending to linear skb (bnc#1012382).
- net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 (bnc#1012382).
- net: usb: cdc_mbim: add flag FLAG_SEND_ZLP (bnc#1012382).
- net/usb/qmi_wwan.c: Add USB id for lt4120 modem (bnc#1012382).
- nfc: llcp: Limit size of SDP URI (bnc#1012382).
- nfs: Do not convert nfs_idmap_cache_timeout to jiffies (bnc#1012382 git-fixes).
- nfsv4: always set NFS_LOCK_LOST when a lock is lost (bnc#1012382 bsc#1068951).
- ntb_transport: Fix bug with max_mw_size parameter (bnc#1012382).
- nvme-pci: Fix nvme queue cleanup if IRQ setup fails (bnc#1012382).
- ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute (bnc#1012382).
- ocfs2/dlm: do not handle migrate lockres if already in shutdown (bnc#1012382).
- ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid (bnc#1012382).
- ocfs2: return error when we attempt to access a dirty bh in jbd2 (bnc#1012382 bsc#1070404).
- openvswitch: Do not swap table in nlattr_set() after OVS_ATTR_NESTED is found (bnc#1012382).
- packet: fix reserve calculation (bnc#1012382 git-fixes).
- packet: fix reserve calculation (git-fixes).
- packet: in packet_snd start writing at link layer allocation (bnc#1012382).
- parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 88SE9220 (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 9128 (bnc#1012382).
- pci: Restore config space on runtime resume despite being unbound (bnc#1012382).
- perf callchain: Fix attr.sample_max_stack setting (bnc#1012382).
- perf/cgroup: Fix child event counting bug (bnc#1012382).
- perf/core: Fix perf_output_read_group() (bnc#1012382).
- perf report: Fix memory corruption in --branch-history mode --branch-history (bnc#1012382).
- perf tests: Use arch__compare_symbol_names to compare symbols (bnc#1012382).
- pipe: cap initial pipe capacity according to pipe-max-size limit (bnc#1012382 bsc#1045330).
- powerpc/64s: Clear PCR on boot (bnc#1012382).
- powerpc: Add missing prototype for arch_irq_work_raise() (bnc#1012382).
- powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access (bnc#1012382).
- powerpc: Do not preempt_disable() in show_cpuinfo() (bnc#1012382 bsc#1066223).
- powerpc/mpic: Check if cpu_possible() in mpic_physmask() (bnc#1012382).
- powerpc/numa: Ensure nodes initialized for hotplug (bnc#1012382 bsc#1081514).
- powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes (bnc#1012382 bsc#1081514).
- powerpc/perf: Fix kernel address leak via sampling registers (bnc#1012382).
- powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer (bnc#1012382).
- powerpc/powernv: Fix NVRAM sleep in invalid context when crashing (bnc#1012382).
- powerpc/powernv: panic() on OPAL lower than V3 (bnc#1012382).
- powerpc/powernv: remove FW_FEATURE_OPALv3 and just use FW_FEATURE_OPAL (bnc#1012382).
- powerpc/powernv: Remove OPALv2 firmware define and references (bnc#1012382).
- proc: fix /proc/*/map_files lookup (bnc#1012382).
- procfs: fix pthread cross-thread naming if !PR_DUMPABLE (bnc#1012382).
- proc: meminfo: estimate available memory more conservatively (bnc#1012382).
- proc read mm's {arg,env}_{start,end} with mmap semaphore taken (bnc#1012382).
- qed: Fix mask for physical address in ILT entry (bnc#1012382).
- qla2xxx: Mask off Scope bits in retry delay (bsc#1068054).
- qmi_wwan: do not steal interfaces from class drivers (bnc#1012382).
- r8152: fix tx packets accounting (bnc#1012382).
- r8169: fix powering up RTL8168h (bnc#1012382).
- RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure (bnc#1012382).
- RDMA/ucma: Correct option size check using optlen (bnc#1012382).
- RDS: IB: Fix null pointer issue (bnc#1012382).
- Refreshed contents of patches (bsc#1085185)
- regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' (bnc#1012382).
- regulatory: add NUL to request alpha2 (bnc#1012382).
- Revert 'arm: dts: imx6qdl-wandboard: Fix audio channel swap' (bnc#1012382).
- Revert 'ima: limit file hash setting by user to fix and log modes' (bnc#1012382).
- Revert 'ipc/shm: Fix shmat mmap nil-page protection' (bnc#1012382).
- Revert 'regulatory: add NUL to request alpha2' (kabi).
- Revert 'vti4: Do not override MTU passed on link creation via IFLA_MTU' (bnc#1012382).
- rtc: hctosys: Ensure system time does not overflow time_t (bnc#1012382).
- rtc: snvs: Fix usage of snvs_rtc_enable (bnc#1012382).
- rtc: tx4939: avoid unintended sign extension on a 24 bit shift (bnc#1012382).
- rtlwifi: rtl8192cu: Remove variable self-assignment in rf.c (bnc#1012382).
- rtnetlink: validate attributes in do_setlink() (bnc#1012382).
- s390: add assembler macros for CPU alternatives (bnc#1012382).
- s390/cio: clear timer when terminating driver I/O (bnc#1012382).
- s390/cio: fix return code after missing interrupt (bnc#1012382).
- s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero (LTC#168035 bnc#1012382 bnc#1094532).
- s390: extend expoline to BC instructions (bnc#1012382).
- s390/ftrace: use expoline for indirect branches (bnc#1012382).
- s390/kernel: use expoline for indirect branches (bnc#1012382).
- s390/lib: use expoline for indirect branches (bnc#1012382).
- s390: move expoline assembler macros to a header (bnc#1012382).
- s390: move spectre sysfs attribute code (bnc#1012382).
- s390/qdio: do not release memory in qdio_setup_irq() (bnc#1012382).
- s390/qdio: fix access to uninitialized qdio_q fields (LTC#168037 bnc#1012382 bnc#1094532).
- s390: remove indirect branch from do_softirq_own_stack (bnc#1012382).
- s390: use expoline thunks in the BPF JIT (bnc#1012382).
- sched/rt: Fix rq->clock_update_flags lower than RQCF_ACT_SKIP warning (bnc#1012382).
- scripts/git-pre-commit:
- scsi: aacraid: fix shutdown crash when init fails (bnc#1012382).
- scsi: aacraid: Insure command thread is not recursively stopped (bnc#1012382).
- scsi: bnx2fc: Fix check in SCSI completion handler for timed out request (bnc#1012382).
- scsi: fas216: fix sense buffer initialization (bnc#1012382 bsc#1082979).
- scsi: libsas: defer ata device eh commands to libata (bnc#1012382).
- scsi: lpfc: Fix frequency of Release WQE CQEs (bnc#1012382).
- scsi: lpfc: Fix issue_lip if link is disabled (bnc#1012382 bsc#1080656).
- scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (bnc#1012382 bsc#1080656).
- scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM (bnc#1012382 bsc#1078583).
- scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() (bnc#1012382).
- scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion() (bnc#1012382).
- scsi: qla4xxx: skip error recovery in case of register disconnect (bnc#1012382).
- scsi: scsi_transport_srp: Fix shost to rport translation (bnc#1012382).
- scsi: sd: Keep disk read-only when re-reading partition (bnc#1012382).
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (bnc#1012382).
- scsi: storvsc: Increase cmd_per_lun for higher speed devices (bnc#1012382).
- scsi: sym53c8xx_2: iterator underflow in sym_getsync() (bnc#1012382).
- scsi: ufs: Enable quirk to ignore sending WRITE_SAME command (bnc#1012382).
- scsi: zfcp: fix infinite iteration on ERP ready list (LTC#168038 bnc#1012382 bnc#1094532).
- sctp: delay the authentication for the duplicated cookie-echo chunk (bnc#1012382).
- sctp: fix the issue that the cookie-ack with auth can't get processed (bnc#1012382).
- sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr (bnc#1012382).
- sctp: use the old asoc when making the cookie-ack chunk in dupcook_d (bnc#1012382).
- selftests: ftrace: Add a testcase for probepoint (bnc#1012382).
- selftests: ftrace: Add a testcase for string type with kprobe_event (bnc#1012382).
- selftests: ftrace: Add probe event argument syntax testcase (bnc#1012382).
- selftests: memfd: add config fragment for fuse (bnc#1012382).
- selftests/net: fixes psock_fanout eBPF test case (bnc#1012382).
- selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable (bnc#1012382).
- selftests: Print the test we're running to /dev/kmsg (bnc#1012382).
- selinux: KASAN: slab-out-of-bounds in xattr_getsecurity (bnc#1012382).
- serial: arc_uart: Fix out-of-bounds access through DT alias (bnc#1012382).
- serial: fsl_lpuart: Fix out-of-bounds access through DT alias (bnc#1012382).
- serial: imx: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: mxs-auart: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: samsung: fix maxburst parameter for DMA transactions (bnc#1012382).
- serial: samsung: Fix out-of-bounds access through serial port index (bnc#1012382).
- serial: xuartps: Fix out-of-bounds access through DT alias (bnc#1012382).
- sh: fix debug trap failure to process signals before return to user (bnc#1012382).
- sh: New gcc support (bnc#1012382).
- signals: avoid unnecessary taking of sighand->siglock (bnc#1012382 bnc#978907).
- sit: fix IFLA_MTU ignored on NEWLINK (bnc#1012382).
- smsc75xx: fix smsc75xx_set_features() (bnc#1012382).
- sock_diag: fix use-after-free read in __sk_free (bnc#1012382).
- sparc64: Fix build warnings with gcc 7 (bnc#1012382).
- sparc64: Make atomic_xchg() an inline function rather than a macro (bnc#1012382).
- spi: pxa2xx: Allow 64-bit DMA (bnc#1012382).
- sr: get/drop reference to device in revalidate and check_events (bnc#1012382).
- staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr (bnc#1012382).
- stm class: Use vmalloc for the master map (bnc#1012382).
- sunvnet: does not support GSO for sctp (bnc#1012382).
- swap: divide-by-zero when zero length swap file on ssd (bnc#1012382 bsc#1082153).
- tcp: avoid integer overflows in tcp_rcv_space_adjust() (bnc#1012382).
- tcp: ignore Fast Open on repair mode (bnc#1012382).
- tcp: purge write queue in tcp_connect_init() (bnc#1012382).
- team: use netdev_features_t instead of u32 (bnc#1012382).
- test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches (git-fixes).
- tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent() (bnc#1012382).
- tick/broadcast: Use for_each_cpu() specially on UP kernels (bnc#1012382).
- time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting (bnc#1012382).
- tools/libbpf: handle issues with bpf ELF objects containing .eh_frames (bnc#1012382).
- tools lib traceevent: Fix get_field_str() for dynamic strings (bnc#1012382).
- tools lib traceevent: Simplify pointer print logic and fix %pF (bnc#1012382).
- tools/thermal: tmon: fix for segfault (bnc#1012382).
- tpm: do not suspend/resume if power stays on (bnc#1012382).
- tpm: self test failure should not cause suspend to fail (bnc#1012382).
- tracing: Fix crash when freeing instances with event triggers (bnc#1012382).
- tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account (bnc#1012382).
- tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} (bnc#1012382).
- udf: Provide saner default for invalid uid / gid (bnc#1012382).
- usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() (bnc#1012382).
- usb: dwc2: Fix interval type issue (bnc#1012382).
- usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields (bnc#1012382).
- usb: gadget: composite: fix incorrect handling of OS desc requests (bnc#1012382).
- usb: gadget: ffs: Execute copy_to_user() with USER_DS set (bnc#1012382).
- usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS (bnc#1012382).
- usb: gadget: fsl_udc_core: fix ep valid checks (bnc#1012382).
- usb: gadget: f_uac2: fix bFirstInterface in composite gadget (bnc#1012382).
- usb: gadget: udc: change comparison to bitshift when dealing with a mask (bnc#1012382).
- usbip: usbip_host: delete device from busid_table after rebind (bnc#1012382).
- usbip: usbip_host: fix bad unlock balance during stub_probe() (bnc#1012382).
- usbip: usbip_host: fix NULL-ptr deref and use-after-free errors (bnc#1012382).
- usbip: usbip_host: refine probe and disconnect debug msgs to be useful (bnc#1012382).
- usbip: usbip_host: run rebind from exit when module is removed (bnc#1012382).
- usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers (bnc#1012382).
- usb: musb: fix enumeration after resume (bnc#1012382).
- USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM (bnc#1012382).
- USB: serial: cp210x: use tcflag_t to fix incompatible pointer type (bnc#1012382).
- vfs: add path_has_submounts() (bsc#1086716).
- vfs: add path_is_mountpoint() helper (bsc#1086716).
- vfs: change d_manage() to take a struct path (bsc#1086716).
- virtio-gpu: fix ioctl and expose the fixed status to userspace (bnc#1012382).
- virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS (bnc#1012382).
- vmscan: do not force-scan file lru if its absolute size is small (bnc#1012382).
- vmw_balloon: fixing double free when batching mode is off (bnc#1012382).
- vti4: Do not count header length twice on tunnel setup (bnc#1012382).
- vti4: Do not override MTU passed on link creation via IFLA_MTU (bnc#1012382).
- watchdog: f71808e_wdt: Fix magic close handling (bnc#1012382).
- watchdog: sp5100_tco: Fix watchdog disable bit (bnc#1012382).
- workqueue: use put_device() instead of kfree() (bnc#1012382).
- x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified (bnc#1012382).
- x86/boot: Fix early command-line parsing when partial word matches (bsc#1096140).
- x86/bugs: IBRS: make runtime disabling fully dynamic (bsc#1068032).
- x86/bugs: spec_ctrl must be cleared from cpu_caps_set when being disabled (bsc#1096140).
- x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros (bnc#1012382).
- x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code (bnc#1012382).
- x86/devicetree: Fix device IRQ settings in DT (bnc#1012382).
- x86/devicetree: Initialize device tree before using it (bnc#1012382).
- x86: ENABLE_IBRS is sometimes called early during boot while it should not. Let's drop the uoptimization for now. Fixes bsc#1098009 and bsc#1098012
- x86/fpu: Disable AVX when eagerfpu is off (bnc#1012382).
- x86/fpu: Hard-disable lazy FPU mode (bnc#1012382).
- x86/fpu: Revert ('x86/fpu: Disable AVX when eagerfpu is off') (bnc#1012382).
- x86/kexec: Avoid double free_page() upon do_kexec_load() failure (bnc#1012382).
- x86/pgtable: Do not set huge PUD/PMD on non-leaf entries (bnc#1012382).
- x86/pkeys: Do not special case protection key 0 (1041740).
- x86/pkeys: Override pkey when moving away from PROT_EXEC (1041740).
- x86/power: Fix swsusp_arch_resume prototype (bnc#1012382).
- x86: Remove unused function cpu_has_ht_siblings() (bnc#1012382).
- x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations (bnc#1012382).
- xen/acpi: off by one in read_acpi_id() (bnc#1012382).
- xen/grant-table: Use put_page instead of free_page (bnc#1012382).
- xen-netfront: Fix race between device setup and open (bnc#1012382).
- xen/netfront: raise max number of slots in xennet_get_responses() (bnc#1076049).
- xen/pirq: fix error path cleanup when binding MSIs (bnc#1012382).
- xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent (bnc#1012382).
- xen: xenbus: use put_device() instead of kfree() (bnc#1012382).
- xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) (bnc#1012382).
- xfs: convert XFS_AGFL_SIZE to a helper function (bsc#1090955, bsc#1090534).
- xfs: detect agfl count corruption and reset agfl (bnc#1012382 bsc#1090534 bsc#1090955).
- xfs: detect agfl count corruption and reset agfl (bsc#1090955, bsc#1090534).
- xfs: do not log/recover swapext extent owner changes for deleted inodes (bsc#1090955).
- xfs: remove racy hasattr check from attr ops (bnc#1012382 bsc#1035432).
- xhci: Fix USB3 NULL pointer dereference at logical disconnect (git-fixes).
- xhci: Fix use-after-free in xhci_free_virt_device (git-fixes).
- xhci: zero usb device slot_id member when disabling and freeing a xhci slot (bnc#1012382).
- zorro: Set up z->dev.dma_mask for the DMA API (bnc#1012382).
- xfs: fix incorrect log_flushed on fsync (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-1200
Released: Thu Jun 21 16:04:29 2018
Summary: Recommended update for yast2-installation
Severity: important
References: 1082854,1093847,1095033,1095323
Description:
This update for yast2-installation provides the following fixes:

- Copy active_devices.txt for s390 to prevent blocking of important devices when cio_ignore
  is active. (bsc#1095033)
- Fix a crash when multipath is not available. (bsc#1095323)
- Mounting CD: Fix a crash while reporting an error. (bsc#1093847)
- CaaSP: Show license confirmation. (fate#324476)
- Do not block auto-installation when local disk controllers are not found. (bsc#1082854)


-----------------------------------------
Patch: SUSE-2018-1201
Released: Thu Jun 21 16:05:19 2018
Summary: Recommended update for yast2-ftp-server
Severity: moderate
References: 1047232,921303
Description:
This update for yast2-ftp-server provides the following fixes:

- Drop SSLv2 and SSLv3 options as they are no longer supported by vsftpd. (bsc#921303)
- Added missing StartDaemon flag to internal data structure in order to read it from the
  autoyast configuration file. (bsc#1047232)


-----------------------------------------
Patch: SUSE-2018-1210
Released: Fri Jun 22 16:14:33 2018
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1066273,1092214,1097378,1097616
Description:
This update for google-compute-engine to version 20180510 provides the following
fixes (bsc#1066273, bsc#1092214):

- Prevent delay in configuring IP forwarding routes.
- Include new google-network-daemon.
- Stop shipping deprecated google-ip-forwarding-daemon service.
- Install google_oslogin_nss_cache binary into oslogin package.
- Create a new network daemon.
- Refactor the IP forwarding daemon and network setup.
- Improvements for using NSS cache in the accounts daemon.
- Include libnss cache as part of the OS Login package.
- Add distro specific logic.
- Support SLES 11 and 12 in multi-nic setup.
- Fix boto config documentation.
- Add modprobe blacklist for nouveau and floppy modules.
- Fix irqbalance conflict in Debian package.
- Fix conflict with other applications that use curl and SSL.
- Install new kernel module blacklist into /etc/modprobe.d.
- Ensure that google-ip-forwarding-daemon service and google-network-setup are stopped and disabled during upgrade.
- Ensure that google-network-daemon service is enabled and started during upgrade.
- Set run_dir to /var/run. (bsc#1097378, bsc#1097616)


-----------------------------------------
Patch: SUSE-2018-1233
Released: Wed Jun 27 12:45:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1007276,1074317,1082332,1082825,1086408,1092949,974621,CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Description:
This update for tiff fixes the following issues:

These security issues were fixed:

- CVE-2017-18013: There was a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.  (bsc#1074317)
- CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.  (bsc#1092949)
- CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825)
- CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332)
- CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408)
- CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality (bsc#1007276)
- CVE-2016-3632: The _TIFFVGetField function allowed remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image (bsc#974621)


-----------------------------------------
Patch: SUSE-2018-1240
Released: Wed Jun 27 22:20:12 2018
Summary: Security update for unixODBC
Severity: moderate
References: 1044970,1082060,1082290,1082484,CVE-2018-7409,CVE-2018-7485
Description:


This update for unixODBC to version 2.3.6 fixes the following issues:

- CVE-2018-7409: Buffer overflow in unicode_to_ansi_copy() was fixed in 2.3.5 (bsc#1082290)
- CVE-2018-7485: Swapped arguments in SQLWriteFileDSN() in odbcinst/SQLWriteFileDSN.c (bsc#1082484)

Other fixes:

- Enabled --enable-fastvalidate option in configure (bsc#1044970)


-----------------------------------------
Patch: SUSE-2018-1242
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-1260
Released: Tue Jul  3 10:54:20 2018
Summary: Recommended update for sysstat
Severity: moderate
References: 1089883
Description:
This update for sysstat provides the following fix:

- Apply backported upstream patches to fix bogus CPU measurements. (bsc#1089883)


-----------------------------------------
Patch: SUSE-2018-1263
Released: Tue Jul  3 10:55:52 2018
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1093658,1094348
Description:
This update for SUSEConnect provides the following fixes:

- Add dependencies needed by the rmt-client-setup script as Recommends. (bsc#1093658, bsc#1094348)
- Enhance error message generation.
- Add not supported operation exception to PackageSearch API.
- Prevent the automatic registration of recommended products that are not mirrored by the
  registration proxy.


-----------------------------------------
Patch: SUSE-2018-1276
Released: Thu Jul  5 08:36:17 2018
Summary: Security update for openssl
Severity: moderate
References: 1097158,1097624,1098592,CVE-2018-0732
Description:
This update for openssl fixes the following issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
  ciphersuite a malicious server could have sent a very large prime value to the
  client. This caused the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack (bsc#1097158).
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)


-----------------------------------------
Patch: SUSE-2018-1289
Released: Fri Jul  6 17:27:16 2018
Summary: Recommended update for yast2-network
Severity: moderate
References: 1095971
Description:
This update for yast2-network provides the following fix:

- AutoYaST: Do not crash when trying to convert the /etc/hosts profile declaration from
  multiple line host entries for the same host to just one line. (bsc#1095971)


-----------------------------------------
Patch: SUSE-2018-1290
Released: Sat Jul  7 00:29:17 2018
Summary: Recommended update for sysstat
Severity: important
References: 1089883
Description:

This update for sysstat reverts the fixes from the previous updates since they may cause
some output to be invalid or corrupt. (bsc#1089883)


-----------------------------------------
Patch: SUSE-2018-1322
Released: Fri Jul 13 09:26:04 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1074462,CVE-2017-1000422
Description:
This update for gdk-pixbuf fixes the following security issue:

- CVE-2017-1000422: Prevent several integer overflow in the gif_get_lzw
  function resulting in memory corruption and potential code execution
  (bsc#1074462).


-----------------------------------------
Patch: SUSE-2018-1328
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1344
Released: Wed Jul 18 10:31:11 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1043311,1046681,1051797,1069457,1071545
Description:
This update for supportutils fixes the following issues:

- Added only cpu0 with sched_domain info
- Added missed sched_domain to blacklist
- Blacklisted sched_domain from proc.txt (bsc#1046681)
- Added kdumptool calibrate to crash.txt
- Added tuned feature OPTION_TUNED tuned.txt (bsc#1071545)
- Fixed udev service reference (bsc#1051797)
- Fixed device error with sfdisk (bsc#1043311)
- Fixed docker package detection (bsc#1069457)

-----------------------------------------
Patch: SUSE-2018-1351
Released: Thu Jul 19 09:43:21 2018
Summary: Security update for shadow
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310)


-----------------------------------------
Patch: SUSE-2018-1352
Released: Thu Jul 19 09:47:01 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1358
Released: Thu Jul 19 12:33:22 2018
Summary: Recommended update for kdump
Severity: moderate
References: 1047609,1050349,1062026,1072711,1073972,1081864,1083155,1091304,1093795,1094581
Description:
This update for kdump fixes the following issues:

- Restore only static routes in kdump initrd (bsc#1093795)
- IP setup: don't bother with IPv4 if there are no addresses (bsc#1062026, bsc#1093795)
- IP setup: pass all routes to kdump environment (bsc#1062026, bsc#1093795)
- IPv6 setup: pass address prefix in a separate dracut argument (bsc#1062026, bsc#1093795)
- Support yes/no style for KDUMP_CONTINUE_ON_ERROR (bsc#1083155)
- Fixes an issue where a crashdump was not possible (bsc#1047609)
- Replaces obsolete perl-Bootloader library with pbl (bsc#1050349)
- Handle additional mounts in the kdump dracut module (bsc#1094581, bsc#1072711)
- Run mkinitrd if fadump is active (bsc#1094581, bsc#1072711)
- Do not touch dracut variables when generating a non-kdump initrd (bsc#1091304, bsc#1094581)


-----------------------------------------
Patch: SUSE-2018-1359
Released: Thu Jul 19 12:34:49 2018
Summary: Recommended update for perl-Bootloader
Severity: moderate
References: 1033776,1050349,1082318
Description:
This update for perl-Bootloader fixes the following issues:

- Adds --get-option to pbl (bsc#1033776, bsc#1050349)
- Install license file in the correct directory (bsc#1082318)

-----------------------------------------
Patch: SUSE-2018-1367
Released: Fri Jul 20 13:33:44 2018
Summary: Recommended update for docker
Severity: moderate
References: 1099277
Description:
This update for docker fixes the following issues:

- Update the AppArmor patchset again to fix a separate issue where changed AppArmor
  profiles don't actually get applied on Docker daemon reboot. (bsc#1099277)


-----------------------------------------
Patch: SUSE-2018-1375
Released: Mon Jul 23 10:51:02 2018
Summary: Security update for rsyslog
Severity: moderate
References: 935393,CVE-2015-3243
Description:
This update for rsyslog fixes the following issues:

The following security vulnerability was addressed:

CVE-2015-3243: Make sure that log files are not created world-readable (bsc#935393)


-----------------------------------------
Patch: SUSE-2018-1376
Released: Mon Jul 23 10:54:47 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1385
Released: Tue Jul 24 13:03:59 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1064232,1075876,1076110,1085185,1085657,1089525,1090435,1090888,1091171,1092207,1094244,1094248,1094643,1095453,1096790,1097034,1097140,1097492,1097501,1097551,1097808,1097931,1097961,1098016,1098236,1098425,1098435,1098527,1098599,1099042,1099183,1099279,1099713,1099732,1099792,1099810,1099918,1099924,1099966,1099993,1100089,1100340,1100416,1100418,1100491,1100843,1101296,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-9385
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.140 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a
  large relative timeout because ktime_add_safe was not used (bnc#1099924)
- CVE-2018-9385: Prevent overread of the 'driver_override' buffer (bsc#1100491)
- CVE-2018-13405: The inode_init_owner function allowed local users to create
  files with an unintended group ownership allowing attackers to escalate
  privileges by making a plain file executable and SGID (bnc#1100416)
- CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could
  have result in local attackers being able to crash the kernel or potentially
  elevate privileges because kmalloc_array is not used (bnc#1100418)

The following non-security bugs were fixed:

- 1wire: family module autoload fails because of upper/lower case mismatch (bnc#1012382).
- ALSA: hda - Clean up ALC299 init code (bsc#1099810).
- ALSA: hda - Enable power_save_node for CX20722 (bsc#1099810).
- ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines (bsc#1099810).
- ALSA: hda - Fix incorrect usage of IS_REACHABLE() (bsc#1099810).
- ALSA: hda - Fix pincfg at resume on Lenovo T470 dock (bsc#1099810).
- ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() (bnc#1012382).
- ALSA: hda - Use acpi_dev_present() (bsc#1099810).
- ALSA: hda - add a new condition to check if it is thinkpad (bsc#1099810).
- ALSA: hda - silence uninitialized variable warning in activate_amp_in() (bsc#1099810).
- ALSA: hda/patch_sigmatel: Add AmigaOne X1000 pinconfigs (bsc#1099810).
- ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 (bsc#1099810).
- ALSA: hda/realtek - Add headset mode support for Dell laptop (bsc#1099810).
- ALSA: hda/realtek - Add support headset mode for DELL WYSE (bsc#1099810).
- ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup (bsc#1099810).
- ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform (bsc#1099810).
- ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (bsc#1099810).
- ALSA: hda/realtek - Fix Dell headset Mic can't record (bsc#1099810).
- ALSA: hda/realtek - Fix pop noise on Lenovo P50 and co (bsc#1099810).
- ALSA: hda/realtek - Fix the problem of two front mics on more machines (bsc#1099810).
- ALSA: hda/realtek - Fixup for HP x360 laptops with BandO speakers (bsc#1099810).
- ALSA: hda/realtek - Fixup mute led on HP Spectre x360 (bsc#1099810).
- ALSA: hda/realtek - Make dock sound work on ThinkPad L570 (bsc#1099810).
- ALSA: hda/realtek - Refactor alc269_fixup_hp_mute_led_mic*() (bsc#1099810).
- ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries (bsc#1099810).
- ALSA: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (bsc#1099810).
- ALSA: hda/realtek - Update ALC255 depop optimize (bsc#1099810).
- ALSA: hda/realtek - adjust the location of one mic (bsc#1099810).
- ALSA: hda/realtek - change the location for one of two front mics (bsc#1099810).
- ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags (bsc#1099810).
- ALSA: hda/realtek - update ALC215 depop optimize (bsc#1099810).
- ALSA: hda/realtek - update ALC225 depop optimize (bsc#1099810).
- ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD (bsc#1099810).
- ALSA: hda/realtek: Limit mic boost on T480 (bsc#1099810).
- ALSA: hda: Fix forget to free resource in error handling code path in hda_codec_driver_probe (bsc#1099810).
- ALSA: hda: add dock and led support for HP EliteBook 830 G5 (bsc#1099810).
- ALSA: hda: add dock and led support for HP ProBook 640 G4 (bsc#1099810).
- ALSA: hda: fix some klockwork scan warnings (bsc#1099810).
- ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size (bnc#1012382).
- ARM: dts: imx6q: Use correct SDMA script for SPI5 core (bnc#1012382).
- ASoC: cirrus: i2s: Fix LRCLK configuration (bnc#1012382).
- ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bnc#1012382).
- ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it (bnc#1012382).
- Bluetooth: Fix connection if directed advertising and privacy is used (bnc#1012382).
- Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bnc#1012382).
- Btrfs: fix clone vs chattr NODATASUM race (bnc#1012382).
- Btrfs: fix unexpected cow in run_delalloc_nocow (bnc#1012382).
- Btrfs: make raid6 rebuild retry more (bnc#1012382).
- Correct the arguments to verbose() (bsc#1098425)
- HID: debug: check length before copy_to_user() (bnc#1012382).
- HID: hiddev: fix potential Spectre v1 (bnc#1012382).
- HID: i2c-hid: Fix 'incomplete report' noise (bnc#1012382).
- Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc@1097140).
- IB/qib: Fix DMA api warning with debug kernel (bnc#1012382).
- Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID (bnc#1012382).
- Input: elan_i2c_smbus - fix more potential stack buffer overflows (bnc#1012382).
- Input: elantech - enable middle button of touchpads on ThinkPad P52 (bnc#1012382).
- Input: elantech - fix V4 report decoding for module with middle key (bnc#1012382).
- MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum (bnc#1012382).
- MIPS: io: Add barrier after register read in inX() (bnc#1012382).
- NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (bnc#1012382).
- PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume (bnc#1012382).
- RDMA/mlx4: Discard unknown SQP work requests (bnc#1012382).
- Refresh with upstream commit:62290a5c194b since the typo fix has been merged in upstream. (bsc#1085185)
- Remove broken patches for dac9063 watchdog (bsc#1100843)
- Remove sorted section marker This branch contains a small sorted section with an old format that fails the current checker. Updating the section and scripts to the new format might make merges with other branches more difficult. Instead, simply remove the section marker.
- Revert 'Btrfs: fix scrub to repair raid6 corruption' (bnc#1012382).
- Revert 'kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).' This turned out to be superfluous for 4.4.x kernels.
- Revert 'scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).' This reverts commit b054499f7615e2ffa7571ac0d05c7d5c9a8c0327.
- UBIFS: Fix potential integer overflow in allocation (bnc#1012382).
- USB: serial: cp210x: add CESINEL device ids (bnc#1012382).
- USB: serial: cp210x: add Silicon Labs IDs for Windows Update (bnc#1012382).
- Update patches.fixes/nvme-expand-nvmf_check_if_ready-checks.patch (bsc#1098527).
- ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode (bnc#1012382).
- atm: zatm: fix memcmp casting (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: max8925_bl: Fix Device Tree node lookup (bnc#1012382).
- backlight: tps65217_bl: Fix Device Tree node lookup (bnc#1012382).
- bcache: Add __printf annotation to __bch_check_keys() (bsc#1064232).
- bcache: Annotate switch fall-through (bsc#1064232).
- bcache: Fix a compiler warning in bcache_device_init() (bsc#1064232).
- bcache: Fix indentation (bsc#1064232).
- bcache: Fix kernel-doc warnings (bsc#1064232).
- bcache: Fix, improve efficiency of closure_sync() (bsc#1076110).
- bcache: Reduce the number of sparse complaints about lock imbalances (bsc#1064232).
- bcache: Remove an unused variable (bsc#1064232).
- bcache: Suppress more warnings about set-but-not-used variables (bsc#1064232).
- bcache: Use PTR_ERR_OR_ZERO() (bsc#1076110).
- bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags (bsc#1064232).
- bcache: add backing_request_endio() for bi_end_io (bsc#1064232).
- bcache: add io_disable to struct cached_dev (bsc#1064232).
- bcache: add journal statistic (bsc#1076110).
- bcache: add stop_when_cache_set_failed option to backing device (bsc#1064232).
- bcache: add wait_for_kthread_stop() in bch_allocator_thread() (bsc#1064232).
- bcache: closures: move control bits one bit right (bsc#1076110).
- bcache: correct flash only vols (check all uuids) (bsc#1064232).
- bcache: count backing device I/O error for writeback I/O (bsc#1064232).
- bcache: fix cached_dev->count usage for bch_cache_set_error() (bsc#1064232).
- bcache: fix crashes in duplicate cache device register (bsc#1076110).
- bcache: fix error return value in memory shrink (bsc#1064232).
- bcache: fix high CPU occupancy during journal (bsc#1076110).
- bcache: fix inaccurate io state for detached bcache devices (bsc#1064232).
- bcache: fix incorrect sysfs output value of strip size (bsc#1064232).
- bcache: fix misleading error message in bch_count_io_errors() (bsc#1064232).
- bcache: fix using of loop variable in memory shrink (bsc#1064232).
- bcache: fix writeback target calc on large devices (bsc#1076110).
- bcache: fix wrong return value in bch_debug_init() (bsc#1076110).
- bcache: mark closure_sync() __sched (bsc#1076110).
- bcache: move closure debug file into debug directory (bsc#1064232).
- bcache: reduce cache_set devices iteration by devices_max_used (bsc#1064232).
- bcache: ret IOERR when read meets metadata error (bsc#1076110).
- bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n (bsc#1064232).
- bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error() (bsc#1064232).
- bcache: set dc->io_disable to true in conditional_stop_bcache_device() (bsc#1064232).
- bcache: set error_limit correctly (bsc#1064232).
- bcache: set writeback_rate_update_seconds in range [1, 60] seconds (bsc#1064232).
- bcache: stop bcache device when backing device is offline (bsc#1064232).
- bcache: stop dc->writeback_rate_update properly (bsc#1064232).
- bcache: stop writeback thread after detaching (bsc#1076110).
- bcache: store disk name in struct cache and struct cached_dev (bsc#1064232).
- bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set (bsc#1064232).
- block: Fix transfer when chunk sectors exceeds max (bnc#1012382).
- bonding: re-evaluate force_primary when the primary slave name changes (bnc#1012382).
- bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
- branch-check: fix long->int truncation when profiling branches (bnc#1012382).
- btrfs: scrub: Do not use inode pages for device replace (bnc#1012382).
- cdc_ncm: avoid padding beyond end of skb (bnc#1012382).
- ceph: fix dentry leak in splice_dentry() (bsc#1098236).
- ceph: fix use-after-free in ceph_statfs() (bsc#1098236).
- ceph: fix wrong check for the case of updating link count (bsc#1098236).
- ceph: prevent i_version from going back (bsc#1098236).
- ceph: support file lock on directory (bsc#1098236).
- cifs: Check for timeout on Negotiate stage (bsc#1091171).
- cifs: Fix infinite loop when using hard mount option (bnc#1012382).
- cpufreq: Fix new policy initialization during limits updates via sysfs (bnc#1012382).
- cpuidle: powernv: Fix promotion from snooze if next state disabled (bnc#1012382).
- dm thin: handle running out of data space vs concurrent discard (bnc#1012382).
- dm: convert DM printk macros to pr level macros (bsc#1099918).
- dm: fix printk() rate limiting code (bsc#1099918).
- drbd: fix access after free (bnc#1012382).
- driver core: Do not ignore class_dir_create_and_add() failure (bnc#1012382).
- e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes (bsc#1075876).
- ext4: add more inode number paranoia checks (bnc#1012382).
- ext4: add more mount time checks of the superblock (bnc#1012382).
- ext4: always check block group bounds in ext4_init_block_bitmap() (bnc#1012382).
- ext4: check superblock mapped prior to committing (bnc#1012382).
- ext4: clear i_data in ext4_inode_info when removing inline data (bnc#1012382).
- ext4: fix fencepost error in check for inode count overflow during resize (bnc#1012382).
- ext4: fix unsupported feature message formatting (bsc#1098435).
- ext4: include the illegal physical block in the bad map ext4_error msg (bnc#1012382).
- ext4: make sure bitmaps and the inode table do not overlap with bg descriptors (bnc#1012382).
- ext4: only look at the bg_flags field if it is valid (bnc#1012382).
- ext4: update mtime in ext4_punch_hole even if no blocks are released (bnc#1012382).
- ext4: verify the depth of extent tree in ext4_find_extent() (bnc#1012382).
- fs/binfmt_misc.c: do not allow offset overflow (bsc#1099279).
- fuse: atomic_o_trunc should truncate pagecache (bnc#1012382).
- fuse: do not keep dead fuse_conn at fuse_fill_super() (bnc#1012382).
- fuse: fix control dir setup and teardown (bnc#1012382).
- hv_netvsc: avoid repeated updates of packet filter (bsc#1097492).
- hv_netvsc: defer queue selection to VF (bsc#1097492).
- hv_netvsc: enable multicast if necessary (bsc#1097492).
- hv_netvsc: filter multicast/broadcast (bsc#1097492).
- hv_netvsc: fix filter flags (bsc#1097492).
- hv_netvsc: fix locking during VF setup (bsc#1097492).
- hv_netvsc: fix locking for rx_mode (bsc#1097492).
- hv_netvsc: propagate rx filters to VF (bsc#1097492).
- i2c: rcar: fix resume by always initializing registers before transfer (bnc#1012382).
- iio:buffer: make length types match kfifo types (bnc#1012382).
- iommu/vt-d: Fix race condition in add_unmap() (bsc#1096790, bsc#1097034).
- ipmi:bt: Set the timeout before doing a capabilities check (bnc#1012382).
- ipv4: Fix error return value in fib_convert_metrics() (bnc#1012382).
- ipvs: fix buffer overflow with sync daemon and service (bnc#1012382).
- iwlmvm: tdls: Check TDLS channel switch support (bsc#1099810).
- iwlwifi: fix non_shared_ant for 9000 devices (bsc#1099810).
- jbd2: do not mark block as modified if the handle is out of credits (bnc#1012382).
- kabi/severities: add 'drivers/md/bcache/* PASS' since no one uses symboles expoted by bcache.
- kmod: fix wait on recursive loop (bsc#1099792).
- kmod: reduce atomic operations on kmod_concurrent and simplify (bsc#1099792).
- kmod: throttle kmod thread limit (bsc#1099792).
- kprobes/x86: Do not modify singlestep buffer while resuming (bnc#1012382).
- kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).
- lib/vsprintf: Remove atomic-unsafe support for %pCr (bnc#1012382).
- libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk (bnc#1012382).
- libata: zpodd: make arrays cdb static, reduces object code size (bnc#1012382).
- libata: zpodd: small read overflow in eject_tray() (bnc#1012382).
- linvdimm, pmem: Preserve read-only setting for pmem devices (bnc#1012382).
- m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() (bnc#1012382).
- mac80211: Fix condition validating WMM IE (bsc#1099810,bsc#1099732).
- media: cx231xx: Add support for AverMedia DVD EZMaker 7 (bnc#1012382).
- media: cx25840: Use subdev host data for PLL override (bnc#1012382).
- media: dvb_frontend: fix locking issues at dvb_frontend_get_event() (bnc#1012382).
- media: smiapp: fix timeout checking in smiapp_read_nvm (bsc#1099918).
- media: v4l2-compat-ioctl32: prevent go past max size (bnc#1012382).
- mfd: intel-lpss: Program REMAP register in PIO mode (bnc#1012382).
- mips: ftrace: fix static function graph tracing (bnc#1012382).
- mm: hugetlb: yield when prepping struct pages (bnc#1012382).
- mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking (bnc#1012382).
- mtd: cfi_cmdset_0002: Change definition naming to retry write operation (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to check chip good only (bnc#1012382).
- mtd: cfi_cmdset_0002: Change erase functions to retry for error (bnc#1012382).
- mtd: cfi_cmdset_0002: Change write buffer to check correct value (bnc#1012382).
- mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary (bnc#1012382).
- mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() (bnc#1012382).
- mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips (bnc#1012382).
- mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS (bsc#1099918).
- mtd: partitions: add helper for deleting partition (bsc#1099918).
- mtd: partitions: remove sysfs files when deleting all master's partitions (bsc#1099918).
- mtd: rawnand: mxc: set spare area size register explicitly (bnc#1012382).
- n_tty: Access echo_* variables carefully (bnc#1012382).
- n_tty: Fix stall at n_tty_receive_char_special() (bnc#1012382).
- net/sonic: Use dma_mapping_error() (bnc#1012382).
- net: qmi_wwan: Add Netgear Aircard 779S (bnc#1012382).
- netfilter: ebtables: handle string from userspace with care (bnc#1012382).
- netfilter: nf_log: do not hold nf_log_mutex during user access (bnc#1012382).
- netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() (bnc#1012382).
- nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir (bnc#1012382).
- nvme-fabrics: allow duplicate connections to the discovery controller (bsc#1098527).
- nvme-fabrics: allow internal passthrough command on deleting controllers (bsc#1098527).
- nvme-fabrics: centralize discovery controller defaults (bsc#1098527).
- nvme-fabrics: fix and refine state checks in __nvmf_check_ready (bsc#1098527).
- nvme-fabrics: refactor queue ready check (bsc#1098527).
- nvme-fc: change controllers first connect to use reconnect path (bsc#1098527).
- nvme-fc: fix nulling of queue data on reconnect (bsc#1098527).
- nvme-fc: remove reinit_request routine (bsc#1098527).
- nvme-fc: remove setting DNR on exception conditions (bsc#1098527).
- nvme-pci: initialize queue memory before interrupts (bnc#1012382).
- nvme: allow duplicate controller if prior controller being deleted (bsc#1098527).
- nvme: move init of keep_alive work item to controller initialization (bsc#1098527).
- nvme: reimplement nvmf_check_if_ready() to avoid kabi breakage (bsc#1098527).
- nvmet-fc: increase LS buffer count per fc port (bsc#1098527).
- nvmet: switch loopback target state to connecting when resetting (bsc#1098527).
- of: unittest: for strings, account for trailing \0 in property length field (bnc#1012382).
- ovl: fix random return value on mount (bsc#1099993).
- ovl: fix uid/gid when creating over whiteout (bsc#1099993).
- ovl: override creds with the ones from the superblock mounter (bsc#1099993).
- perf intel-pt: Fix 'Unexpected indirect branch' error (bnc#1012382).
- perf intel-pt: Fix MTC timing after overflow (bnc#1012382).
- perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP (bnc#1012382).
- perf intel-pt: Fix packet decoding of CYC packets (bnc#1012382).
- perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING (bnc#1012382).
- perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 (bnc#1012382).
- platform/x86: thinkpad_acpi: Adding new hotkey ID for Lenovo thinkpad (bsc#1099810).
- powerpc/64s: Exception macro for stack frame and initial register save (bsc#1094244).
- powerpc/64s: Fix mce accounting for powernv (bsc#1094244).
- powerpc/fadump: Unregister fadump on kexec down path (bnc#1012382).
- powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch (bnc#1012382).
- powerpc/ptrace: Fix enforcement of DAWR constraints (bnc#1012382).
- powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG (bnc#1012382).
- powerpc: Machine check interrupt is a non-maskable interrupt (bsc#1094244).
- procfs: add tunable for fd/fdinfo dentry retention (bsc#10866542).
- qla2xxx: Fix NULL pointer derefrence for fcport search (bsc#1085657).
- qla2xxx: Fix inconsistent DMA mem alloc/free (bsc#1085657).
- qla2xxx: Fix kernel crash due to late workqueue allocation (bsc#1085657).
- regulator: Do not return or expect -errno from of_map_mode() (bsc#1099042).
- restore cond_resched() in shrink_dcache_parent() (bsc#1098599).
- rmdir(),rename(): do shrink_dcache_parent() only on success (bsc#1100340).
- s390/dasd: configurable IFCC handling (bsc#1097808).
- s390: Correct register corruption in critical section cleanup (bnc#1012382).
- sbitmap: check for valid bitmap in sbitmap_for_each (bsc#1090435).
- sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).
- scsi: ipr: Format HCAM overlay ID 0x41 (bsc#1097961).
- scsi: ipr: new IOASC update (bsc#1097961).
- scsi: lpfc: Change IO submit return to EBUSY if remote port is recovering (bsc#1092207).
- scsi: lpfc: Driver NVME load fails when CPU cnt > WQ resource cnt (bsc#1092207).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).
- scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1095453).
- scsi: lpfc: Fix MDS diagnostics failure (Rx lower than Tx) (bsc#1095453).
- scsi: lpfc: Fix crash in blk_mq layer when executing modprobe -r lpfc (bsc#1095453).
- scsi: lpfc: Fix port initialization failure (bsc#1095453).
- scsi: lpfc: Fix up log messages and stats counters in IO submit code path (bsc#1092207).
- scsi: lpfc: Handle new link fault code returned by adapter firmware (bsc#1092207).
- scsi: lpfc: correct oversubscription of nvme io requests for an adapter (bsc#1095453).
- scsi: lpfc: update driver version to 11.4.0.7-3 (bsc#1092207).
- scsi: lpfc: update driver version to 11.4.0.7-4 (bsc#1095453).
- scsi: qedi: Fix truncation of CHAP name and secret (bsc#1097931)
- scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bnc#1012382).
- scsi: qla2xxx: Spinlock recursion in qla_target (bsc#1097501)
- scsi: sg: mitigate read/write abuse (bsc#1101296).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (bnc#1099713, LTC#168765).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (LTC#168765 bnc#1012382 bnc#1099713).
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1099713, LTC#168765).
- serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version (bnc#1012382).
- signal/xtensa: Consistenly use SIGBUS in do_unaligned_user (bnc#1012382).
- sort and rename various hyperv patches
- spi: Fix scatterlist elements size in spi_map_buf (bnc#1012382).
- staging: android: ion: Return an ERR_PTR in ion_map_kernel (bnc#1012382).
- staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() (bnc#1012382).
- tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() (bnc#1012382).
- tcp: verify the checksum of the first data segment in a new connection (bnc#1012382).
- thinkpad_acpi: Add support for HKEY version 0x200 (bsc#1099810).
- time: Make sure jiffies_to_msecs() preserves non-zero time periods (bnc#1012382).
- tracing: Fix missing return symbol in function_graph output (bnc#1012382).
- ubi: fastmap: Cancel work upon detach (bnc#1012382).
- ubi: fastmap: Correctly handle interrupted erasures in EBA (bnc#1012382).
- udf: Detect incorrect directory size (bnc#1012382).
- usb: cdc_acm: Add quirk for Uniden UBC125 scanner (bnc#1012382).
- usb: do not reset if a low-speed or full-speed device timed out (bnc#1012382).
- usb: musb: fix remote wakeup racing with suspend (bnc#1012382).
- video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() (bsc#1090888 bsc#1099966).
- video: uvesafb: Fix integer overflow in allocation (bnc#1012382).
- w1: mxc_w1: Enable clock before calling clk_get_rate() on it (bnc#1012382).
- wait: add wait_event_killable_timeout() (bsc#1099792).
- watchdog: da9063: Fix setting/changing timeout (bsc#1100843).
- watchdog: da9063: Fix timeout handling during probe (bsc#1100843).
- watchdog: da9063: Fix updating timeout value (bsc#1100843).
- x86/cpu/amd: Derive L3 shared_cpu_map from cpu_llc_shared_mask (bsc#1094643).
- x86/mce: Fix incorrect 'Machine check from unknown source' message (bnc#1012382).
- x86/mce: Improve error message when kernel cannot recover (git-fixes b2f9d678e28c).
- x86/pti: do not report XenPV as vulnerable (bsc#1097551).
- xen: Remove unnecessary BUG_ON from __unbind_from_irq() (bnc#1012382).
- xfrm6: avoid potential infinite loop in _decode_session6() (bnc#1012382).
- xfrm: Ignore socket policies when rebuilding hash tables (bnc#1012382).
- xfrm: skip policies marked as dead while rehashing (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-1400
Released: Thu Jul 26 16:32:29 2018
Summary: Security update for util-linux
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This non-security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges
  by embedding shell commands in a mountpoint name, which was mishandled during a
  umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).


-----------------------------------------
Patch: SUSE-2018-1405
Released: Thu Jul 26 16:44:00 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1071767,1071777,1100167,CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Description:
This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)


-----------------------------------------
Patch: SUSE-2018-1412
Released: Fri Jul 27 10:50:59 2018
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: moderate
References: 1099853
Description:
This update for lifecycle-data-sle-module-toolchain fixes the following issues:

- Added the missed gcc6-info to the lifecycle expiration data from the Summer 2016 Refresh. (bsc#1099853)


-----------------------------------------
Patch: SUSE-2018-1413
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1450
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1452
Released: Mon Jul 30 18:10:29 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1053417,CVE-2015-4491
Description:
This update for gdk-pixbuf fixes the following issues:

Security issue fixed:

- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).


-----------------------------------------
Patch: SUSE-2018-1463
Released: Tue Jul 31 15:06:04 2018
Summary: Recommended update for python-gcemetadata
Severity: moderate
References: 1097505
Description:
This update for python-gcemetadata fixes the following issues:

- Support instances with multiple Nics. (bsc#1097505)


-----------------------------------------
Patch: SUSE-2018-1468
Released: Wed Aug  1 13:56:48 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1471
Released: Wed Aug  1 14:02:11 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1474
Released: Thu Aug  2 14:19:16 2018
Summary: Security update for libtirpc
Severity: important
References: 1072183,968175
Description:
This update for libtirpc fixes the following issues:

Security issue fixed:

- bsc#968175: Fix remote crash of RPC services.

Bug fixes:

- bsc#1072183: Send RPC getport call as specified via parameter.


-----------------------------------------
Patch: SUSE-2018-1483
Released: Fri Aug  3 15:55:47 2018
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1058463,1094797
Description:
This update for open-iscsi provides the following fixes:

- Fix an issue with ARP booting when using different subnets. (bsc#1058463)
- Fix a core dump which can occur if iscsiuio is started and immediately stopped.
  (bsc#1094797)


-----------------------------------------
Patch: SUSE-2018-1515
Released: Tue Aug  7 20:19:02 2018
Summary: Introduce packages added to SLES 12 SP3 after release
Severity: low
References: 1102861
Description:
This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata
which were added after the released of SLES 12 SP3.
  

-----------------------------------------
Patch: SUSE-2018-1549
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fix:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)


-----------------------------------------
Patch: SUSE-2018-1554
Released: Tue Aug 14 11:51:51 2018
Summary: Security update for samba
Severity: important
References: 1067700,1068059,1087303,1103411,CVE-2018-10858
Description:
This update for samba fixes the following issues:

The following security vulnerability was fixed:

- CVE-2018-10858: Fixed insufficient input validation on client directory
  listing in libsmbclient; (bsc#1103411);

The following other change was made:

- s3: winbind: Fix 'winbind normalize names' in wb_getpwsid();
- winbind: honor 'winbind use default domain' with empty domain (bsc#1087303)
- winbind: do not modify credentials in NTLM passthru (bsc#1068059)
- net: fix net ads keytab handling (bsc#1067700)
- fix vfs_ceph flock stub


-----------------------------------------
Patch: SUSE-2018-1562
Released: Tue Aug 14 15:20:11 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1096917
Description:
This update for icewm fixes the following issues:

- Use .desktop file from upstream instead of sle distribution to keep in line
  with SLE 15, resolving the upgrade issue from sle12 to sle15. (bsc#1096917)


-----------------------------------------
Patch: SUSE-2018-1566
Released: Tue Aug 14 19:01:54 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1082653,1085042,1085536,1087081,1089343,1090123,1090435,1092001,1094244,1095643,1096978,1097771,1099858,1100132,1100930,1101658,1101789,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103119,1103580,1103745,1103884,CVE-2017-18344,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.143 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-5390 aka 'SegmentSmack': Linux kernel could be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340).
- CVE-2018-14734: drivers/infiniband/core/ucma.c in the Linux kernel allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119).
- CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn't properly validate the sigevent->sigev_notify field, which lead to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allowed userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE) (bnc#1102851 bnc#1103580).
- CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081).
- CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343).

The following non-security bugs were fixed:

- Add support for 5,25,50, and 100G to 802.3ad bonding driver (bsc#1096978)
- ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS (bnc#1012382).
- arm64: do not open code page table entry creation (bsc#1102197).
- arm64: kpti: Use early_param for kpti= command-line option (bsc#1102188).
- arm64: Make sure permission updates happen for pmd/pud (bsc#1102197).
- atm: zatm: Fix potential Spectre v1 (bnc#1012382).
- bcm63xx_enet: correct clock usage (bnc#1012382).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (bnc#1012382).
- blacklist 9fb8d5dc4b64 ('stop_machine: Disable preemption when waking two stopper threads') Preemption is already disabled inside cpu_stop_queue_two_works() in SLE12-SP3 because it does not have commit 6a19005157c4 ('stop_machine: Do not disable preemption in stop_two_cpus()')
- block: copy ioprio in __bio_clone_fast() (bsc#1082653).
- bpf: fix loading of BPF_MAXINSNS sized programs (bsc#1012382).
- bpf, x64: fix memleak when not converging after image (bsc#1012382).
- cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag (bsc#1099858).
- cachefiles: Fix refcounting bug in backing-file read monitoring (bsc#1099858).
- cachefiles: Wait rather than BUG'ing on 'Unexpected object collision' (bsc#1099858).
- cifs: fix bad/NULL ptr dereferencing in SMB2_sess_setup() (bsc#1090123).
- compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled (bnc#1012382).
- compiler, clang: properly override 'inline' for clang (bnc#1012382).
- compiler, clang: suppress warning for unused static inline functions (bnc#1012382).
- compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (bnc#1012382).
- cpu/hotplug: Add sysfs state interface (bsc#1089343).
- cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
- cpu/hotplug: Split do_cpu_down() (bsc#1089343).
- crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak (bnc#1012382).
- crypto: crypto4xx - remove bad list_del (bnc#1012382).
- drm/msm: Fix possible null dereference on failure of get_pages() (bsc#1102394).
- drm: re-enable error handling (bsc#1103884).
- fscache: Allow cancelled operations to be enqueued (bsc#1099858).
- fscache: Fix reference overput in fscache_attach_object() error handling (bsc#1099858).
- hid: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter (bnc#1012382).
- ibmasm: do not write out of bounds in read handler (bnc#1012382).
- ibmvnic: Fix error recovery on login failure (bsc#1101789).
- iw_cxgb4: correctly enforce the max reg_mr depth (bnc#1012382).
- kabi protect includes in include/linux/inet.h (bsc#1095643).
- KABI protect net/core/utils.c includes (bsc#1095643).
- kABI: protect struct loop_device (kabi).
- kABI: reintroduce __static_cpu_has_safe (kabi).
- kbuild: fix # escaping in .cmd files for future Make (bnc#1012382).
- keys: DNS: fix parsing multiple options (bnc#1012382).
- kvm: arm/arm64: Drop resource size check for GICV window (bsc#1102215).
- kvm: arm/arm64: Set dist->spis to NULL after kfree (bsc#1102214).
- loop: add recursion validation to LOOP_CHANGE_FD (bnc#1012382).
- loop: remember whether sysfs_create_group() was done (bnc#1012382).
- mmc: dw_mmc: fix card threshold control configuration (bsc#1102203).
- mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing (bsc#1097771).
- net: cxgb3_main: fix potential Spectre v1 (bnc#1012382).
- net: dccp: avoid crash in ccid3_hc_rx_send_feedback() (bnc#1012382).
- net: dccp: switch rx_tstamp_last_feedback to monotonic clock (bnc#1012382).
- netfilter: ebtables: reject non-bridge targets (bnc#1012382).
- netfilter: nf_queue: augment nfqa_cfg_policy (bnc#1012382).
- netfilter: x_tables: initialise match/target check parameter struct (bnc#1012382).
- net/mlx5: Fix command interface race in polling mode (bnc#1012382).
- net/mlx5: Fix incorrect raw command length parsing (bnc#1012382).
- net: mvneta: fix the Rx desc DMA address in the Rx path (bsc#1102207).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bnc#1012382).
- net: off by one in inet6_pton() (bsc#1095643).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1102205).
- net_sched: blackhole: tell upper qdisc about dropped packets (bnc#1012382).
- net: sungem: fix rx checksum support (bnc#1012382).
- net/utils: generic inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Check remotely invalidated rkey matches our expected rkey (bsc#1092001).
- nvme-rdma: default MR page size to 4k (bsc#1092001).
- nvme-rdma: do not complete requests before a send work request has completed (bsc#1092001).
- nvme-rdma: do not suppress send completions (bsc#1092001).
- nvme-rdma: Fix command completion race at error recovery (bsc#1090435).
- nvme-rdma: make nvme_rdma_[create|destroy]_queue_ib symmetrical (bsc#1092001).
- nvme-rdma: use inet_pton_with_scope helper (bsc#1095643).
- nvme-rdma: Use mr pool (bsc#1092001).
- nvme-rdma: wait for local invalidation before completing a request (bsc#1092001).
- ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent (bnc#1012382).
- pci: ibmphp: Fix use-before-set in get_max_bus_speed() (bsc#1100132).
- perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (bnc#1012382).
- pm / hibernate: Fix oops at snapshot_write() (bnc#1012382).
- powerpc/64: Initialise thread_info for emergency stacks (bsc#1094244, bsc#1100930, bsc#1102683).
- qed: Limit msix vectors in kdump kernel to the minimum required count (bnc#1012382).
- r8152: napi hangup fix after disconnect (bnc#1012382).
- rdma/ucm: Mark UCM interface as BROKEN (bnc#1012382).
- rds: avoid unenecessary cong_update in loop transport (bnc#1012382).
- Revert 'sit: reload iphdr in ipip6_rcv' (bnc#1012382).
- Revert 'x86/cpufeature: Move some of the scattered feature bits to x86_capability' (kabi).
- Revert 'x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6' (kabi).
- rtlwifi: rtl8821ae: fix firmware is not ready to run (bnc#1012382).
- s390/qeth: fix error handling in adapter command callbacks (bnc#1103745, LTC#169699).
- sched/smt: Update sched_smt_present at runtime (bsc#1089343).
- smsc75xx: Add workaround for gigabit link up hardware errata (bsc#1100132).
- smsc95xx: Configure pause time to 0xffff when tx flow control enabled (bsc#1085536).
- tcp: fix Fast Open key endianness (bnc#1012382).
- tcp: prevent bogus FRTO undos with non-SACK flows (bnc#1012382).
- tools build: fix # escaping in .cmd files for future Make (bnc#1012382).
- uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn() (bnc#1012382).
- usb: core: handle hub C_PORT_OVER_CURRENT condition (bsc#1100132).
- usb: quirks: add delay quirks for Corsair Strafe (bnc#1012382).
- usb: serial: ch341: fix type promotion bug in ch341_control_in() (bnc#1012382).
- usb: serial: cp210x: add another USB ID for Qivicon ZigBee stick (bnc#1012382).
- usb: serial: keyspan_pda: fix modem-status error handling (bnc#1012382).
- usb: serial: mos7840: fix status-register error handling (bnc#1012382).
- usb: yurex: fix out-of-bounds uaccess in read handler (bnc#1012382).
- vfio: platform: Fix reset module leak in error path (bsc#1102211).
- vhost_net: validate sock before trying to put its fd (bnc#1012382).
- vmw_balloon: fix inflation with batching (bnc#1012382).
- x86/alternatives: Add an auxilary section (bnc#1012382).
- x86/alternatives: Discard dynamic check after init (bnc#1012382).
- x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
- x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h> (bnc#1012382).
- x86/boot: Simplify kernel load address alignment check (bnc#1012382).
- x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info (bsc#1089343).
- x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
- x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings (bsc#1089343). Update config files.
- x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
- x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
- x86/cpufeature: Add helper macro for mask check macros (bnc#1012382).
- x86/cpufeature: Carve out X86_FEATURE_* (bnc#1012382).
- x86/cpufeature: Get rid of the non-asm goto variant (bnc#1012382).
- x86/cpufeature: Make sure DISABLED/REQUIRED macros are updated (bnc#1012382).
- x86/cpufeature: Move some of the scattered feature bits to x86_capability (bnc#1012382).
- x86/cpufeature: Replace the old static_cpu_has() with safe variant (bnc#1012382).
- x86/cpufeature: Speed up cpu_feature_enabled() (bnc#1012382).
- x86/cpufeature: Update cpufeaure macros (bnc#1012382).
- x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
- x86/cpu: Probe CPUID leaf 6 even when cpuid_level == 6 (bnc#1012382).
- x86/cpu: Provide a config option to disable static_cpu_has (bnc#1012382).
- x86/cpu: Remove the pointless CPU printout (bsc#1089343).
- x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
- x86/fpu: Add an XSTATE_OP() macro (bnc#1012382).
- x86/fpu: Get rid of xstate_fault() (bnc#1012382).
- x86/headers: Do not include asm/processor.h in asm/atomic.h (bnc#1012382).
- x86/mm/pkeys: Fix mismerge of protection keys CPUID bits (bnc#1012382).
- x86/mm: Simplify p[g4um]d_page() macros (1087081).
- x86/smpboot: Do not use smp_num_siblings in __max_logical_packages calculation (bsc#1089343).
- x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
- x86/topology: Add topology_max_smt_threads() (bsc#1089343).
- x86/topology: Provide topology_smt_supported() (bsc#1089343).
- x86/vdso: Use static_cpu_has() (bnc#1012382).
- xen/grant-table: log the lack of grants (bnc#1085042).
- xen-netfront: Fix mismatched rtnl_unlock (bnc#1101658).
- xen-netfront: Update features after registering netdev (bnc#1101658).
- xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-1575
Released: Wed Aug 15 14:47:30 2018
Summary: Security update for apache2
Severity: moderate
References: 1101689,CVE-2018-1333
Description:
This update for apache2 fixes the following issues:

The following security vulnerability were fixed:

- CVE-2018-1333: Fixed a worker exhaustion that could have lead to a denial
  of service via specially crafted HTTP/2 requests (bsc#1101689).


-----------------------------------------
Patch: SUSE-2018-1579
Released: Wed Aug 15 16:16:52 2018
Summary: Initial release of python-typing
Severity: low
References: 1072973
Description:

This update adds python-typing to the SUSE Linux Enterprise Server 12.

The typing-module backports the standard library for Python versions older than 3.5.


-----------------------------------------
Patch: SUSE-2018-1609
Released: Thu Aug 16 14:04:20 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1610
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1612
Released: Thu Aug 16 14:04:38 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1613
Released: Thu Aug 16 14:04:43 2018
Summary: Security update for libsndfile
Severity: moderate
References: 1071767,1071777,1100167,CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Description:
This update for libsndfile fixes the following issues:

Security issues fixed:

- CVE-2018-13139: Fix a stack-based buffer overflow in psf_memset in common.c that allows remote attackers to cause a denial of service (bsc#1100167).
- CVE-2017-17456: Prevent segmentation fault in the function d2alaw_array() that may have lead to a remote DoS (bsc#1071777)
- CVE-2017-17457: Prevent segmentation fault in the function d2ulaw_array() that may have lead to a remote DoS, a different vulnerability than CVE-2017-14246 (bsc#1071767)


-----------------------------------------
Patch: SUSE-2018-1619
Released: Thu Aug 16 14:49:40 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1620
Released: Thu Aug 16 14:49:45 2018
Summary: Security update for shadow
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310)


-----------------------------------------
Patch: SUSE-2018-1621
Released: Thu Aug 16 14:49:51 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1622
Released: Thu Aug 16 14:49:55 2018
Summary: Security update for libtirpc
Severity: important
References: 1072183,968175
Description:
This update for libtirpc fixes the following issues:

Security issue fixed:

- bsc#968175: Fix remote crash of RPC services.

Bug fixes:

- bsc#1072183: Send RPC getport call as specified via parameter.


-----------------------------------------
Patch: SUSE-2018-1624
Released: Thu Aug 16 14:51:32 2018
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1058463,1094797
Description:
This update for open-iscsi provides the following fixes:

- Fix an issue with ARP booting when using different subnets. (bsc#1058463)
- Fix a core dump which can occur if iscsiuio is started and immediately stopped.
  (bsc#1094797)


-----------------------------------------
Patch: SUSE-2018-1629
Released: Thu Aug 16 15:24:53 2018
Summary: Recommended update for kdump
Severity: moderate
References: 1047609,1050349,1062026,1072711,1073972,1081864,1083155,1091304,1093795,1094581
Description:
This update for kdump fixes the following issues:

- Restore only static routes in kdump initrd (bsc#1093795)
- IP setup: don't bother with IPv4 if there are no addresses (bsc#1062026, bsc#1093795)
- IP setup: pass all routes to kdump environment (bsc#1062026, bsc#1093795)
- IPv6 setup: pass address prefix in a separate dracut argument (bsc#1062026, bsc#1093795)
- Support yes/no style for KDUMP_CONTINUE_ON_ERROR (bsc#1083155)
- Fixes an issue where a crashdump was not possible (bsc#1047609)
- Replaces obsolete perl-Bootloader library with pbl (bsc#1050349)
- Handle additional mounts in the kdump dracut module (bsc#1094581, bsc#1072711)
- Run mkinitrd if fadump is active (bsc#1094581, bsc#1072711)
- Do not touch dracut variables when generating a non-kdump initrd (bsc#1091304, bsc#1094581)


-----------------------------------------
Patch: SUSE-2018-1630
Released: Thu Aug 16 15:25:06 2018
Summary: Recommended update for perl-Bootloader
Severity: moderate
References: 1033776,1050349,1082318
Description:
This update for perl-Bootloader fixes the following issues:

- Adds --get-option to pbl (bsc#1033776, bsc#1050349)
- Install license file in the correct directory (bsc#1082318)

-----------------------------------------
Patch: SUSE-2018-1632
Released: Thu Aug 16 15:27:04 2018
Summary: Recommended update for systemd
Severity: moderate
References: 1039099,1080382,1082004,1082485,1083158,1088052,1088769,1088890,1089761,1090785,1091265,1093851,1095096
Description:
This update for systemd fixes the following issues:

- core: In --user mode, report READY=1 as soon as basic.target is reached.
- sd-bus: Extend D-Bus authentication timeout considerably.
- scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
- udev: Use MAC address match only for ibmveth/ibmvnic/mlx4. (bsc#1095096)
- compat-rules: Generate more compat by-id symlinks for NVMe devices. (bsc#1095096)
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- udev: Don't create by-partlabel/primary and .../logical symlinks. (bsc#1089761)
- rules: Add /dev/disk/by-partuuid symlinks also for dos partition tables.
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- device: Skip deserialization of device units when udevd is not running.
- install: 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search preset files in /run.
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- logind: Fix crash when shutdown is not issued from a tty. (bsc#1088890)
- logind: Do not use an uninitialized variable. (bsc#1088890)
- Disable user services by default. (bsc#1090785)
- Ship 99-sysctl.conf instead of creating it during package installation/update. (bsc#1088769)
  Previously this symlink was created in /etc/sysctl.d during %post
  which made the symlink not owned and more importantly it was created
  only if /etc/sysctl.conf is already installed which is not always
  the case during the installation process it seems.
  So ship the symlink unconditionally and put it in /usr/lib/sysctl.d
  instead since it's a distro default behavior that might be overriden
  by sysadmin later.
- systemd: Add offline environmental condition to 80-acpi-container-hotplug.rules. (bsc#1080382, bsc#1082485)
  Add the offline event environmental condition to restrict the rule
  that is can only be triggered when the change event is received with
  the 'offline' environmental data. The 27664c581 'ACPI / scan: Send
  change uevent with offine environmental data' kernel patch changed
  the corresponding code in kernel.
  This change prevents the udev rules for acpi container be triggered
  by 'udevadm trigger' from user space.
- build-sys: Explicitly require python3. (bsc#1082004)


-----------------------------------------
Patch: SUSE-2018-1636
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1643
Released: Thu Aug 16 17:41:07 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1100415
Description:

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
  

-----------------------------------------
Patch: SUSE-2018-1659
Released: Fri Aug 17 10:41:38 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1053417,CVE-2015-4491
Description:
This update for gdk-pixbuf fixes the following issues:

Security issue fixed:

- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).


-----------------------------------------
Patch: SUSE-2018-1688
Released: Mon Aug 20 09:02:23 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1689
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1691
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fix:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)


-----------------------------------------
Patch: SUSE-2018-1694
Released: Mon Aug 20 09:05:13 2018
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1093658,1094348
Description:
This update for SUSEConnect provides the following fixes:

- Add dependencies needed by the rmt-client-setup script as Recommends. (bsc#1093658, bsc#1094348)
- Enhance error message generation.
- Add not supported operation exception to PackageSearch API.
- Prevent the automatic registration of recommended products that are not mirrored by the
  registration proxy.


-----------------------------------------
Patch: SUSE-2018-1695
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1698
Released: Mon Aug 20 09:19:28 2018
Summary: Security update for shadow
Severity: important
References: 1099310,CVE-2016-6252
Description:
This update for shadow fixes the following issues:

- CVE-2016-6252: Incorrect integer handling could results in local privilege escalation (bsc#1099310)


-----------------------------------------
Patch: SUSE-2018-1703
Released: Mon Aug 20 13:49:57 2018
Summary: Initial release of python-typing
Severity: low
References: 1072973
Description:

This update adds python-typing to the SUSE Linux Enterprise Desktop 12.

The typing-module backports the standard library for Python versions older than 3.5.


-----------------------------------------
Patch: SUSE-2018-1718
Released: Tue Aug 21 08:05:23 2018
Summary: Recommended update for makedumpfile
Severity: moderate
References: 1014136,1040469,1068694,1068925,1099121
Description:
This update for makedumpfile fixes the following issues:

- elf_info: Fix file_size if segment is excluded (bsc#1068925).
- Fix the use of Xen physical and machine addresses. (bsc#1014136, bsc#1068694)
- Revert 'Clean up unused KERNEL_IMAGE_SIZE' (bsc#1068925, bsc#1099121).
- Revert 'x86_64: kill some unused initialization' (bsc#1068925, bsc#1099121).
- Revert 'x86_64: kill is_vmalloc_addr_x86_64()' (bsc#1068925, bsc#1099121).
- Revert 'x86_64: translate all VA to PA using page table values' (bsc#1068925, bsc#1099121).
- Revert 'x86_64: Calculate page_offset from pt_load' (bsc#1068925, bsc#1040469, bsc#1099121).


-----------------------------------------
Patch: SUSE-2018-1741
Released: Wed Aug 22 10:47:19 2018
Summary: Recommended update for tuned
Severity: moderate
References: 1023996,1080572,1093694,1095839
Description:

This update for tuned provides the following fixes:

- Check whether cpus are online and governors are available to avoid warnings/errors. (bsc#1093694)
- Fix manpage for tuned-adm off command. (bsc#1080572)
- Increase force-latency from 1 to 70 for latency-performance, sap-hana and
  sap-hana-vmware profiles to fix some performance regressions. (bsc#1023996)
- Do not switch governors through cpupower, but directly via sysfs
  (bsc#1095839)


This is a reissue of the update, also supplying it for SUSE Linux Enterprise Server 12 SP3.


-----------------------------------------
Patch: SUSE-2018-1753
Released: Fri Aug 24 14:24:17 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1755
Released: Fri Aug 24 17:12:33 2018
Summary: Recommended update for growpart
Severity: moderate
References: 1082318,1097455,1098681
Description:
This update for growpart provides the following fix:

- Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)
- Use %license instead of %doc in the package. (bsc#1082318)


-----------------------------------------
Patch: SUSE-2018-1758
Released: Fri Aug 24 17:13:59 2018
Summary: Recommended update for sapconf
Severity: moderate
References: 1070508,1093315,1093843,1093844,1096496,1098352
Description:
This update for sapconf provides the following fixes:

- Correct the SAP Note references in the man pages and in the
  sysconfig file. (bsc#1096496)
- Do not stop or disable uuidd.socket in sapconf as it is mandatory for every SAP
  application running. (bsc#1093843)
- Remove hardcoded default value for VSZ_TMPFS_PERCENT. This allows an admin to exclude
  VSZ_TMPFS settings from the sysconfig file, so current system value will remain
  untouched. This value only got used in the previous version, if the variable
  VSZ_TMPFS_PERCENT was removed from the sapconf configuration file /etc/sysconfig/sapconf.
  If the value of the variable was only changed (increased or decreased) in the sapconf
  configuration file everything works fine. (bsc#1093844)
- Consolidate all SAP ASE (Sybase) related configuration settings into the configuration
  file /etc/sysconfig/sapnote-1680803. (bsc#1070508)
- Correct pattern search in /etc/sysconfig/sapnote-1557506 to get updating of
  /etc/sysconfig/sapconf to work. The problem only happens if /etc/sysconfig/sapnote-1557506
  contains commented variable lines like '#PAGECACHE_LIMIT_MB=''' in addition to the
  uncommented line 'PAGECACHE_LIMIT_MB='500''. If only the uncommented lines exist,
  everything works correctly. (bsc#1093315)
- Remove a misleading deprecation warning in sapconf. (bsc#1098352)


-----------------------------------------
Patch: SUSE-2018-1763
Released: Mon Aug 27 09:30:15 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1104780
Description:
This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
   - OpenTrust Root CA G2
   - OpenTrust Root CA G3

- Removed CAs

    - ComSign CA

- Added new CAs

    - GlobalSign


-----------------------------------------
Patch: SUSE-2018-1764
Released: Mon Aug 27 09:30:49 2018
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1100328
Description:
This update for polkit-default-privs fixes the following issues:

- whitelist incremental libvirt actions (bsc#1100328)


-----------------------------------------
Patch: SUSE-2018-1766
Released: Mon Aug 27 11:17:25 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1774
Released: Tue Aug 28 12:40:15 2018
Summary: Recommended update for xfsprogs
Severity: important
References: 1105396
Description:
This update for xfsprogs fixes the following issues:

- repair: shift inode back into place if corrupted by bad log
  replay (bsc#1105396).


-----------------------------------------
Patch: SUSE-2018-1777
Released: Tue Aug 28 13:48:35 2018
Summary: Recommended update for yast2-bootloader
Severity: moderate
References: 1059603,1061850,1067131,1073633,1073827,1081967,1099394
Description:
This update fixes issues for yast2-bootloader, yast2-storage, and libstorage:

yast2-bootloader:

- Fix translating multipath udev names when activating partition (bsc#1073827)
- Does no longer repropose configuration in autoyast confirm mode (bsc#1081967)
- Fix setting pmbr flag in autoyast (bsc#1081967)
- Prevent crash when doing backup of boot sector (bsc#1067131)
- Fix detection of upgrade of grub2 (bsc#1059603)
- Prevent crash when upgrading via DVD (bsc#1059603)

yast2-storage:

- Mask systemd mount and swap units while expert partitioner is running to prevent some
  race conditions from happening. (bsc#1073633)

libstorage:

- Improve handling of udev ids starting with dm-uuid for partitions on multipath
  (bsc#1099394)
- Don't discard the stored volume label before it is applied (bsc#1061850)


-----------------------------------------
Patch: SUSE-2018-1778
Released: Tue Aug 28 17:13:56 2018
Summary: Recommended update for docker
Severity: moderate
References: 1100727
Description:
This update for docker fixes the following issues:

- Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727)


-----------------------------------------
Patch: SUSE-2018-1819
Released: Fri Aug 31 17:22:43 2018
Summary: Initial release of iscsiuio
Severity: low
References: 1104471
Description:
This update provides iscsiuio for SUSE CaaS Platform 3.

This utility provides the ARP and DHCP functionality for the iSCSI offload.
The communication to the driver is done via Userspace I/O (Kernel module name
'uio').

-----------------------------------------
Patch: SUSE-2018-1834
Released: Wed Sep  5 10:17:42 2018
Summary: Recommended update for systemd
Severity: moderate
References: 1089761,1090944,1101040,1103910
Description:
This update for systemd fixes the following issues:

- cryptsetup: Add support for sector-size= option. (fate#325634)
- resolved: Apply epoch to system time from PID 1. (bsc#1103910)
- core/service: Rework the hold-off time over message.
- core: Don't freeze OnCalendar= timer units when the clock goes back a lot. (bsc#1090944)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable
  the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)


-----------------------------------------
Patch: SUSE-2018-1847
Released: Thu Sep  6 10:01:43 2018
Summary: Recommended update for yast2-network
Severity: moderate
References: 1095761
Description:
This update for yast2-network provides the following fix:

- Activate s390 network devices before applying udev naming rules, avoiding the
  'Invalid key/value pair in /etc/udev/rules.d/70-persistent-net.rules' error.
  (bsc#1095761)


-----------------------------------------
Patch: SUSE-2018-1850
Released: Thu Sep  6 14:02:17 2018
Summary: Recommended update for the SLE Module Legacy release and lifecycle-data
Severity: moderate
References: 1074137
Description:
This update for lifecycle-data-sle-module-legacy, sle-module-legacy-release fixes the following issues:

- Remove End of Life Date from release-package. The lifecycle in the Legacy Module is tracked per package. (bsc#1074137)


-----------------------------------------
Patch: SUSE-2018-1872
Released: Mon Sep 10 17:59:58 2018
Summary: Security update for compat-openssl098
Severity: moderate
References: 1087102,1089039,1097158,1097624,1098592,CVE-2018-0732,CVE-2018-0737,CVE-2018-0739
Description:
This update for compat-openssl098 fixes the following security issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
  ciphersuite a malicious server could have sent a very large prime value to the
  client. This caused the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
  vulnerable to a cache timing side channel attack. An attacker with sufficient
  access to mount cache timing attacks during the RSA key generation process
  could have recovered the private key (bsc#1089039)
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as
  can be found in PKCS7) could eventually exceed the stack given malicious input
  with excessive recursion. This could have resulted in DoS (bsc#1087102).


-----------------------------------------
Patch: SUSE-2018-1886
Released: Wed Sep 12 11:53:32 2018
Summary: Security update for python3
Severity: moderate
References: 1086001,1088004,1088009,1107030,CVE-2018-1060,CVE-2018-1061
Description:
This update for python3 provides the following fixes:

These security issues were fixed:

- CVE-2018-1061: Prevent catastrophic backtracking in the difflib.IS_LINE_JUNK
  method. An attacker could have used this flaw to cause denial of service
  (bsc#1088004).
- CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop() method.
  An attacker could have used this flaw to cause denial of service (bsc#1088009).

These non-security issues were fixed:

- Sort files and directories when creating tarfile archives so that they are created in a
  more predictable way. (bsc#1086001)
- Add -fwrapv to OPTS (bsc#1107030)


-----------------------------------------
Patch: SUSE-2018-1903
Released: Fri Sep 14 12:46:21 2018
Summary: Security update for curl
Severity: moderate
References: 1089533,1106019,CVE-2018-14618
Description:
This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Fixed erroneous debug message when paired with OpenSSL (bsc#1089533)


-----------------------------------------
Patch: SUSE-2018-1924
Released: Wed Sep 19 21:32:17 2018
Summary: Recommended update for systemd-rpm-macros
Severity: moderate
References: 1104176
Description:
This update for systemd-rpm-macros fixes the following issues:

- Make sure %systemd_post() is called during package removal, and also make it more useful
  by restoring its original implementation. (bsc#1104176)


-----------------------------------------
Patch: SUSE-2018-1927
Released: Wed Sep 19 21:33:08 2018
Summary: Recommended update for python-M2Crypto
Severity: moderate
References: 1072973
Description:
This update for python-M2Crypto provides version 0.29.0 and brings many fixes and improvements.

For a detailed description, please refer to the changelog.

-----------------------------------------
Patch: SUSE-2018-1941
Released: Thu Sep 20 18:27:15 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1015342,1015343,1017967,1019695,1019699,1020412,1021121,1022604,1024361,1024365,1024376,1027968,1030552,1031492,1033962,1042286,1048317,1050431,1053685,1055014,1056596,1062604,1063646,1064232,1065364,1066223,1068032,1068075,1069138,1078921,1080157,1083663,1085042,1085536,1085539,1086457,1087092,1089066,1090888,1091171,1091860,1096254,1096748,1097105,1098253,1098822,1099597,1099810,1099811,1099813,1099832,1099844,1099845,1099846,1099849,1099863,1099864,1099922,1099999,1100000,1100001,1100132,1101822,1101841,1102346,1102486,1102517,1102715,1102797,1103269,1103445,1103717,1104319,1104485,1104494,1104495,1104683,1104897,1105271,1105292,1105322,1105323,1105392,1105396,1105524,1105536,1105769,1106016,1106105,1106185,1106229,1106271,1106275,1106276,1106278,1106281,1106283,1106369,1106509,1106511,1106697,1106929,1106934,1106995,1107060,1107078,1107319,1107320,1107689,1107735,1107966,963575,966170,966172,969470,969476,969477,970506,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-10902,CVE-2018-10938,CVE-2018-1128,CVE-2018-1129,CVE-2018-12896,CVE-2018-13093,CVE-2018-13094,CVE-2018-13095,CVE-2018-15572,CVE-2018-16658,CVE-2018-6554,CVE-2018-6555,CVE-2018-9363
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow()
  on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image.
  This occured because of a lack of proper validation that cached inodes are free
  during allocation (bnc#1100001).
- CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that
  could have occurred for a corrupted xfs image upon encountering an inode that
  is in extent format, but has more extents than fit in the inode fork
  (bnc#1099999).
- CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image
  after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).
- CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was
  caused by the way the overrun accounting works. Depending on interval and
  expiry time values, the overrun can be larger than INT_MAX, but the accounting
  is int based. This basically made the accounting values, which are visible to
  user space via timer_getoverrun(2) and siginfo::si_overrun, random. This
  allowed a local user to cause a denial of service (signed integer overflow) via
  crafted mmap, futex, timer_create, and timer_settime system calls
  (bnc#1099922).
- CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that
  could have been used by local attackers to read kernel memory (bnc#1107689).
- CVE-2018-6555: The irda_setsockopt function allowed local users to cause a
  denial of service (ias_object use-after-free and system crash) or possibly have
  unspecified other impact via an AF_IRDA socket (bnc#1106511).
- CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed
  local users to cause a denial of service (memory consumption) by repeatedly
  binding an AF_IRDA socket (bnc#1106509).
- CVE-2018-1129: A flaw was found in the way signature calculation was handled
  by cephx authentication protocol. An attacker having access to ceph cluster
  network who is able to alter the message payload was able to bypass signature
  checks done by cephx protocol (bnc#1096748).
- CVE-2018-1128: It was found that cephx authentication protocol did not verify
  ceph clients correctly and was vulnerable to replay attack. Any attacker having
  access to ceph cluster network who is able to sniff packets on network can use
  this vulnerability to authenticate with ceph service and perform actions
  allowed by ceph service (bnc#1096748).
- CVE-2018-10938: A crafted network packet sent remotely by an attacker forced
  the kernel to enter an infinite loop in the cipso_v4_optptr() function leading
  to a denial-of-service (bnc#1106016).
- CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill
  RSB upon a context switch, which made it easier for attackers to conduct
  userspace-userspace spectreRSB attacks (bnc#1102517).
- CVE-2018-10902: Protect against concurrent access to prevent double realloc
  (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A
  malicious local attacker could have used this for privilege escalation
  (bnc#1105322 1105323).
- CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)
- CVE-2018-10883: A local user could have caused an out-of-bounds write in
  jbd2_journal_dirty_metadata(), a denial of service, and a system crash by
  mounting and operating on a crafted ext4 filesystem image (bsc#1099863).
- CVE-2018-10879: A local user could have caused a use-after-free in
  ext4_xattr_set_entry function and a denial of service or unspecified other
  impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).
- CVE-2018-10878: A local user could have caused an out-of-bounds write and a
  denial of service or unspecified other impact by mounting and operating a
  crafted ext4 filesystem image (bsc#1099813).
- CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space()
  function when mounting and operating a crafted ext4 image (bsc#1099811).
- CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs()
  function when operating on a crafted ext4 filesystem image (bsc#1099846).
- CVE-2018-10881: A local user could have caused an out-of-bound access in
  ext4_get_group_info function, a denial of service, and a system crash by
  mounting and operating on a crafted ext4 filesystem image (bsc#1099864).
- CVE-2018-10882: A local user could have caused an out-of-bound write, a
  denial of service, and a system crash by unmounting a crafted ext4 filesystem
  image (bsc#1099849).
- CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code
  when mounting and writing to a crafted ext4 image in ext4_update_inline_data().
  An attacker could have used this to cause a system crash and a denial of
  service (bsc#1099845).

The following non-security bugs were fixed:

- 9p/net: Fix zero-copy path in the 9p virtio transport (bnc#1012382).
- 9p/virtio: fix off-by-one error in sg list bounds check (bnc#1012382).
- 9p: fix multiple NULL-pointer-dereferences (bnc#1012382).
- ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices (bnc#1012382).
- ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle (bnc#1012382).
- ACPI / PM: save NVS memory for ASUS 1025C laptop (bnc#1012382).
- ACPI: save NVS memory for Lenovo G50-45 (bnc#1012382).
- ALSA: cs5535audio: Fix invalid endian conversion (bnc#1012382).
- ALSA: emu10k1: Rate-limit error messages about page errors (bnc#1012382).
- ALSA: emu10k1: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: fm801: add error handling for snd_ctl_add (bnc#1012382).
- ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs (bnc#1012382).
- ALSA: hda - Turn CX8200 into D3 as well upon reboot (bnc#1012382).
- ALSA: hda/ca0132: fix build failure when a local macro is defined (bnc#1012382).
- ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry (bnc#1012382).
- ALSA: memalloc: Do not exceed over the requested size (bnc#1012382).
- ALSA: rawmidi: Change resized buffers atomically (bnc#1012382).
- ALSA: snd-aoa: add of_node_put() in error path (bsc#1099810).
- ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback (bnc#1012382).
- ALSA: virmidi: Fix too long output trigger loop (bnc#1012382).
- ALSA: vx222: Fix invalid endian conversions (bnc#1012382).
- ALSA: vxpocket: Fix invalid endian conversions (bnc#1012382).
- ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP (bnc#1012382).
- ARC: Explicitly add -mmedium-calls to CFLAGS (bnc#1012382).
- ARC: Fix CONFIG_SWAP (bnc#1012382).
- ARC: mm: allow mprotect to make stack mappings executable (bnc#1012382).
- ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot (bnc#1012382).
- ARM: dts: Cygnus: Fix I2C controller interrupt type (bnc#1012382).
- ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller (bnc#1012382).
- ARM: dts: am437x: make edt-ft5x06 a wakeup source (bnc#1012382).
- ARM: dts: da850: Fix interrups property for gpio (bnc#1012382).
- ARM: dts: imx6sx: fix irq for pcie bridge (bnc#1012382).
- ARM: fix put_user() for gcc-8 (bnc#1012382).
- ARM: imx_v4_v5_defconfig: Select ULPI support (bnc#1012382).
- ARM: imx_v6_v7_defconfig: Select ULPI support (bnc#1012382).
- ARM: pxa: irq: fix handling of ICMR registers in suspend/resume (bnc#1012382).
- ARM: tegra: Fix Tegra30 Cardhu PCA954x reset (bnc#1012382).
- ASoC: Intel: cht_bsw_max98090: remove useless code, align with ChromeOS driver.
- ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization (bnc#1012382).
- ASoC: dpcm: do not merge format from invalid codec dai (bnc#1012382).
- ASoC: dpcm: fix BE dai not hw_free and shutdown (bnc#1012382).
- ASoC: pxa: Fix module autoload for platform drivers (bnc#1012382).
- ASoC: sirf: Fix potential NULL pointer dereference (bnc#1012382).
- Add reference to bsc#1091171 (bnc#1012382; bsc#1091171).
- Bluetooth: avoid killing an already killed socket (bnc#1012382).
- Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 (bnc#1012382).
- Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table (bsc#1087092).
- Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking (bsc#1087092).
- Bluetooth: hci_qca: Fix 'Sleep inside atomic section' warning (bnc#1012382).
- Documentation/spec_ctrl: Do some minor cleanups (bnc#1012382).
- HID: hid-plantronics: Re-resend Update to map button for PTT products (bnc#1012382).
- HID: i2c-hid: check if device is there before really probing (bnc#1012382).
- HID: wacom: Correct touch maximum XY of 2nd-gen Intuos (bnc#1012382).
- IB/core: Make testing MR flags for writability a static inline function (bnc#1012382).
- IB/core: Remove duplicate declaration of gid_cache_wq (bsc#1056596).
- IB/iser: Do not reduce max_sectors (bsc#1063646).
- IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'.
- IB/mlx4: Mark user MR as writable if actual virtual memory is writable (bnc#1012382).
- IB/mlx5: Fetch soft WQE's on fatal error state (bsc#1015342 bsc#1015343).
- IB/mlx5: Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- IB/ocrdma: fix out of bounds access to local buffer (bnc#1012382).
- Input: elan_i2c - add ACPI ID for lenovo ideapad 330 (bnc#1012382).
- Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST (bnc#1012382).
- Input: i8042 - add Lenovo LaVie Z to the i8042 reset list (bnc#1012382).
- KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel (bnc#1012382).
- KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
- KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
- KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
- KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
- KVM: arm/arm64: Skip updating PMD entry if no change (bnc#1012382).
- KVM: arm/arm64: Skip updating PTE entry if no change (bnc#1012382).
- KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer (bnc#1012382).
- KVM: nVMX: update last_nonleaf_level when initializing nested EPT (bsc#1062604).
- MIPS: Correct the 64-bit DSP accumulator register size (bnc#1012382).
- MIPS: Fix off-by-one in pci_resource_to_user() (bnc#1012382).
- MIPS: ath79: fix register address in ath79_ddr_wb_flush() (bnc#1012382).
- MIPS: lib: Provide MIPS64r6 __multi3() for GCC lower than < 7 (bnc#1012382).
- NET: stmmac: align DMA stuff to largest cache line length (bnc#1012382).
- PCI: Prevent sysfs disable of device while driver is attached (bnc#1012382).
- PCI: Skip MPS logic for Virtual Functions (VFs) (bnc#1012382).
- PCI: hotplug: Do not leak pci_slot on registration failure (bnc#1012382).
- PCI: pciehp: Fix use-after-free on unplug (bnc#1012382).
- PCI: pciehp: Request control of native hotplug only if supported (bnc#1012382).
- PM / sleep: wakeup: Fix build error caused by missing SRCU support (bnc#1012382).
- RDMA/i40iw: Avoid panic when objects are being created and destroyed (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint (bsc#969476 bsc#969477).
- RDMA/i40iw: Avoid reference leaks when processing the AEQ (bsc#969476 bsc#969477).
- RDMA/i40w: Hold read semaphore while looking after VMA (bsc#1024376).
- RDMA/mad: Convert BUG_ONs to error flows (bnc#1012382).
- RDMA/mlx5: Use proper spec flow label type (bsc#1015342 bsc#1015343).
- Revert 'MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum' (bnc#1012382).
- Revert 'UBIFS: Fix potential integer overflow in allocation' (bnc#1012382).
- Revert 'f2fs: handle dirty segments inside refresh_sit_entry' (bsc#1106281).
- Revert 'mm: page_alloc: skip over regions of invalid pfns where possible' (bnc#1107078).
- Revert 'block-cancel-workqueue-entries-on-blk_mq_freeze_queue' (bsc#1103717).
- Smack: Mark inode instant in smack_task_to_inode (bnc#1012382).
- USB: musb: fix external abort on suspend (bsc#1085536).
- USB: option: add support for DW5821e (bnc#1012382).
- USB: serial: metro-usb: stop I/O after failed open (bsc#1085539).
- USB: serial: sierra: fix potential deadlock at close (bnc#1012382).
- Workaround kABI breakage by __must_check drop of strscpy() (bsc#1107319).
- afs: Fix directory permissions check (bsc#1106283).
- arc: fix build errors in arc/include/asm/delay.h (bnc#1012382).
- arc: fix type warnings in arc/mm/cache.c (bnc#1012382).
- arm64: make secondary_start_kernel() notrace (bnc#1012382).
- arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() (bnc#1012382).
- ath: Add regulatory mapping for APL13_WORLD (bnc#1012382).
- ath: Add regulatory mapping for APL2_FCCA (bnc#1012382).
- ath: Add regulatory mapping for Bahamas (bnc#1012382).
- ath: Add regulatory mapping for Bermuda (bnc#1012382).
- ath: Add regulatory mapping for ETSI8_WORLD (bnc#1012382).
- ath: Add regulatory mapping for FCC3_ETSIC (bnc#1012382).
- ath: Add regulatory mapping for Serbia (bnc#1012382).
- ath: Add regulatory mapping for Tanzania (bnc#1012382).
- ath: Add regulatory mapping for Uganda (bnc#1012382).
- atl1c: reserve min skb headroom (bnc#1012382).
- atm: Preserve value of skb->truesize when accounting to vcc (bsc#1089066).
- audit: allow not equal op for audit by executable (bnc#1012382).
- backlight: as3711_bl: Fix Device Tree node leaks (bsc#1106929).
- backlight: lm3630a: Bump REG_MAX value to 0x50 instead of 0x1F (bsc#1106929).
- bcache: avoid unncessary cache prefetch bch_btree_node_get() (bsc#1064232).
- bcache: calculate the number of incremental GC nodes according to the total of btree nodes (bsc#1064232).
- bcache: display rate debug parameters to 0 when writeback is not running (bsc#1064232).
- bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
- bcache: finish incremental GC (bsc#1064232).
- bcache: fix I/O significant decline while backend devices registering (bsc#1064232).
- bcache: fix error setting writeback_rate through sysfs interface (bsc#1064232).
- bcache: free heap cache_set->flush_btree in bch_journal_free (bsc#1064232).
- bcache: make the pr_err statement used for ENOENT only in sysfs_attatch section (bsc#1064232).
- bcache: release dc->writeback_lock properly in bch_writeback_thread() (bsc#1064232).
- bcache: set max writeback rate when I/O request is idle (bsc#1064232).
- bcache: simplify the calculation of the total amount of flash dirty data (bsc#1064232).
- be2net: remove unused old custom busy-poll fields (bsc#1021121 ).
- blkdev: __blkdev_direct_IO_simple: fix leak in error case (bsc#1083663).
- block: bio_iov_iter_get_pages: fix size of last iovec (bsc#1083663).
- block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs (bsc#1083663).
- block: do not use interruptible wait anywhere (bnc#1012382).
- bnx2x: Fix invalid memory access in rss hash config path (bnc#1012382).
- bnx2x: Fix receiving tx-timeout in error or recovery state (bnc#1012382).
- bnxt_en: Always set output parameters in bnxt_get_max_rings() (bsc#963575).
- bnxt_en: Fix for system hang if request_irq fails (bnc#1012382).
- bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic (bsc#1020412 ).
- bpf: fix references to free_bpf_prog_info() in comments (bnc#1012382).
- brcmfmac: Add support for bcm43364 wireless chipset (bnc#1012382).
- brcmfmac: stop watchdog before detach and free everything (bnc#1012382).
- bridge: Propagate vlan add failure to user (bnc#1012382).
- btrfs: Do not remove block group still has pinned down bytes (bsc#1086457).
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (bnc#1012382).
- btrfs: do not leak ret from do_chunk_alloc (bnc#1012382).
- btrfs: qgroup: Finish rescan when hit the last leaf of extent tree (bnc#1012382).
- btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf.
- btrfs: round down size diff when shrinking/growing device (bsc#1097105).
- can: ems_usb: Fix memory leak on ems_usb_disconnect() (bnc#1012382).
- can: mpc5xxx_can: check of_iomap return before use (bnc#1012382).
- can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK (bnc#1012382).
- can: xilinx_can: fix RX overflow interrupt not being enabled (bnc#1012382).
- can: xilinx_can: fix device dropping off bus on RX overrun (bnc#1012382).
- can: xilinx_can: fix incorrect clear of non-processed interrupts (bnc#1012382).
- can: xilinx_can: fix recovery from error states not being propagated (bnc#1012382).
- can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting (bnc#1012382).
- cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (bnc#1012382).
- ceph: fix incorrect use of strncpy (bsc#1107319).
- ceph: return errors from posix_acl_equiv_mode() correctly (bsc#1107320).
- cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() (bsc#1012382).
- cifs: add missing debug entries for kconfig options (bnc#1012382).
- cifs: check kmalloc before use (bsc#1012382).
- cifs: store the leaseKey in the fid on SMB2_open (bsc#1012382).
- clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 (bnc#1012382).
- crypto: ablkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: authenc - do not leak pointers to authenc keys (bnc#1012382).
- crypto: authencesn - do not leak pointers to authenc keys (bnc#1012382).
- crypto: blkcipher - fix crash flushing dcache in error path (bnc#1012382).
- crypto: padlock-aes - Fix Nano workaround data corruption (bnc#1012382).
- crypto: vmac - require a block cipher with 128-bit block size (bnc#1012382).
- crypto: vmac - separate tfm and request context (bnc#1012382).
- crypto: vmx - Fix sleep-in-atomic bugs (bsc#1048317).
- cxgb4: when disabling dcb set txq dcb priority to 0 (bnc#1012382).
- cxl: Fix wrong comparison in cxl_adapter_context_get() (bsc#1055014).
- dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() (bnc#1012382).
- disable loading f2fs module on PAGE_SIZE > 4KB (bnc#1012382).
- dm cache metadata: save in-core policy_hint_size to on-disk superblock (bnc#1012382).
- dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA (bnc#1012382).
- dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() (bnc#1012382).
- dmaengine: pxa_dma: remove duplicate const qualifier (bnc#1012382).
- driver core: Partially revert 'driver core: correct device's shutdown order' (bnc#1012382).
- drivers: net: lmc: fix case value for target abort error (bnc#1012382).
- drm/armada: fix colorkey mode property (bnc#1012382).
- drm/atmel-hlcdc: check stride values in the first plane (bsc#1106929).
- drm/atomic: Handling the case when setting old crtc for plane (bnc#1012382).
- drm/bridge: adv7511: Reset registers on hotplug (bnc#1012382).
- drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up (bsc#1101822).
- drm/drivers: add support for using the arch wc mapping API.
- drm/exynos/dsi: mask frame-done interrupt (bsc#1106929).
- drm/exynos: decon5433: Fix WINCONx reset value (bnc#1012382).
- drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes (bnc#1012382).
- drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes (bnc#1012382).
- drm/gma500: fix psb_intel_lvds_mode_valid()'s return type (bnc#1012382).
- drm/i915/userptr: reject zero user_size (bsc#1090888).
- drm/i915: Correctly handle limited range YCbCr data on VLV/CHV (bsc#1087092).
- drm/imx: fix typo in ipu_plane_formats (bsc#1106929).
- drm/imx: imx-ldb: check if channel is enabled before printing warning (bnc#1012382).
- drm/imx: imx-ldb: disable LDB on driver bind (bnc#1012382).
- drm/msm/hdmi: Use bitwise operators when building register values (bsc#1106929).
- drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() (bnc#1012382).
- drm/panel: type promotion bug in s6e8aa0_read_mtp_id() (bsc#1105769).
- drm/radeon: fix mode_valid's return type (bnc#1012382).
- drm: Add DP PSR2 sink enable bit (bnc#1012382).
- drm: Reject getfb for multi-plane framebuffers (bsc#1106929).
- enic: do not call enic_change_mtu in enic_probe
- enic: handle mtu change for vf properly (bnc#1012382).
- enic: initialize enic->rfs_h.lock in enic_probe (bnc#1012382).
- esp6: fix memleak on error path in esp6_input
- ext4: check for NUL characters in extended attribute's name (bnc#1012382).
- ext4: check for allocation block validity with block group locked (bsc#1104495).
- ext4: do not update s_last_mounted of a frozen fs (bsc#1101841).
- ext4: factor out helper ext4_sample_last_mounted() (bsc#1101841).
- ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
- ext4: fix false negatives *and* false positives in ext4_check_descriptors() (bsc#1103445).
- ext4: fix inline data updates with checksums enabled (bsc#1104494).
- ext4: fix spectre gadget in ext4_mb_regular_allocator() (bnc#1012382).
- ext4: reset error code in ext4_find_entry in fallback (bnc#1012382).
- ext4: sysfs: print ext4_super_block fields as little-endian (bsc#1106229).
- f2fs: fix to do not trigger writeback during recovery (bnc#1012382).
- fat: fix memory allocation failure handling of match_strdup() (bnc#1012382).
- fb: fix lost console when the user unplugs a USB adapter (bnc#1012382).
- fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106929).
- fix __legitimize_mnt()/mntput() race (bnc#1012382).
- fix mntput/mntput race (bnc#1012382).
- fork: unconditionally clear stack on fork (bnc#1012382).
- fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed (bnc#1012382).
- fs/dax.c: fix inefficiency in dax_writeback_mapping_range() (bsc#1106185).
- fs/quota: Fix spectre gadget in do_quotactl (bnc#1012382).
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr (bsc#1068075, bsc#1078921).
- fuse: Add missed unlock_page() to fuse_readpages_fill() (bnc#1012382).
- fuse: Do not access pipe->buffers without pipe_lock() (bnc#1012382).
- fuse: Fix oops at process_init_reply() (bnc#1012382).
- fuse: fix double request_end() (bnc#1012382).
- fuse: fix unlocked access to processing queue (bnc#1012382).
- fuse: umount should wait for all requests (bnc#1012382).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- getxattr: use correct xattr length (bnc#1012382).
- hfsplus: Do not clear SGID when inheriting ACLs (bsc#1030552).
- hvc_opal: do not set tb_ticks_per_usec in udbg_init_opal_common() (bnc#1012382).
- hwrng: exynos - Disable runtime PM on driver unbind.
- i2c: davinci: Avoid zero value of CLKH (bnc#1012382).
- i2c: imx: Fix race condition in dma read (bnc#1012382).
- i2c: imx: Fix reinit_completion() use (bnc#1012382).
- i2c: ismt: fix wrong device address when unmap the data buffer (bnc#1012382).
- i40e: use cpumask_copy instead of direct assignment (bsc#1053685).
- i40iw: Fix memory leak in error path of create QP (bsc#969476 bsc#969477).
- i40iw: Use correct address in dst_neigh_lookup for IPv6 (bsc#969476 bsc#969477).
- ibmvnic: Include missing return code checks in reset function (bnc#1107966).
- ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- ieee802154: at86rf230: use __func__ macro for debug messages (bnc#1012382).
- ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bnc#1012382).
- igb: Fix not adding filter elements to the list (bsc#1024361 bsc#1024365).
- iio: ad9523: Fix displayed phase (bnc#1012382).
- iio: ad9523: Fix return value for ad952x_store() (bnc#1012382).
- inet: frag: enforce memory limits earlier (bnc#1012382 bsc#970506).
- iommu/amd: make sure TLB to be flushed before IOVA freed (bsc#1106105).
- iommu/vt-d: Add definitions for PFSID (bnc#1012382).
- iommu/vt-d: Fix dev iotlb pfsid use (bnc#1012382).
- iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
- ioremap: Update pgtable free interfaces with addr (bnc#1012382).
- ip: hash fragments consistently (bnc#1012382).
- ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull (bnc#1012382).
- ipconfig: Correctly initialise ic_nameservers (bnc#1012382).
- ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV (bnc#1012382).
- ipv4: Return EINVAL when ping_group_range sysctl does not map to user ns (bnc#1012382).
- ipv4: remove BUG_ON() from fib_compute_spec_dst (bnc#1012382).
- ipv6: fix useless rol32 call on hash (bnc#1012382).
- ipv6: mcast: fix unsolicited report interval after receiving querys (bnc#1012382).
- ipvlan: use ETH_MAX_MTU as max mtu (bsc#1033962).
- iscsi target: fix session creation failure handling (bnc#1012382).
- isdn: Disable IIOCDBGVAR (bnc#1012382).
- iw_cxgb4: remove duplicate memcpy() in c4iw_create_listen() (bsc#969476 bsc#969477).
- iwlwifi: pcie: fix race in Rx buffer allocator (bnc#1012382).
- ixgbe: Be more careful when modifying MAC filters (bnc#1012382).
- jfs: Do not clear SGID when inheriting ACLs (bsc#1030552).
- jump_label: Add RELEASE barrier after text changes (bsc#1105271).
- jump_label: Fix concurrent static_key_enable/disable() (bsc#1105271).
- jump_label: Move CPU hotplug locking (bsc#1105271).
- jump_label: Provide hotplug context variants (bsc#1105271).
- jump_label: Reduce the size of struct static_key (bsc#1105271).
- jump_label: Reorder hotplug lock and jump_label_lock (bsc#1105271).
- jump_label: Split out code under the hotplug lock (bsc#1105271).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL (bsc#1105271).
- kABI: protect enum tcp_ca_event (kabi).
- kABI: reexport tcp_send_ack (kabi).
- kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
- kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- kasan: do not emit builtin calls when sanitization is off (bnc#1012382).
- kasan: fix shadow_size calculation error in kasan_module_alloc (bnc#1012382).
- kbuild: verify that $DEPMOD is installed (bnc#1012382).
- kernel: improve spectre mitigation (bnc#1106934, LTC#171029).
- kprobes/x86: Fix %p uses in error messages (bnc#1012382).
- kprobes: Make list and blacklist root user read only (bnc#1012382).
- kthread, tracing: Do not expose half-written comm when creating kthreads (bsc#1104897).
- kvm: x86: vmx: fix vpid leak (bnc#1012382).
- l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache (bnc#1012382).
- lib/rhashtable: consider param->min_size when setting initial table size (bnc#1012382).
- libata: Fix command retry decision (bnc#1012382).
- libceph: check authorizer reply/challenge length before reading (bsc#1096748).
- libceph: factor out __ceph_x_decrypt() (bsc#1096748).
- libceph: factor out __prepare_write_connect() (bsc#1096748).
- libceph: factor out encrypt_authorizer() (bsc#1096748).
- libceph: store ceph_auth_handshake pointer in ceph_connection (bsc#1096748).
- libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() (bsc#1096748).
- llc: use refcount_inc_not_zero() for llc_sap_find() (bnc#1012382).
- locking/lockdep: Do not record IRQ state within lockdep code (bnc#1012382).
- locks: pass inode pointer to locks_free_lock_context (bsc@1099832).
- locks: prink more detail when there are leaked locks (bsc#1099832).
- locks: restore a warn for leaked locks on close (bsc#1099832).
- m68k: fix 'bad page state' oops on ColdFire boot (bnc#1012382).
- mac80211: add stations tied to AP_VLANs during hw reconfig (bnc#1012382).
- md/raid10: fix that replacement cannot complete recovery after reassemble (bnc#1012382).
- md: fix NULL dereference of mddev->pers in remove_and_add_spares() (bnc#1012382).
- media: omap3isp: fix unbalanced dma_iommu_mapping (bnc#1012382).
- media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() (bnc#1012382).
- media: rtl28xxu: be sure that it won't go past the array size (bsc#1050431).
- media: s5p-jpeg: fix number of components macro (bsc#1050431).
- media: saa7164: Fix driver name in debug output (bnc#1012382).
- media: si470x: fix __be16 annotations (bnc#1012382).
- media: siano: get rid of __le32/__le16 cast warnings (bnc#1012382).
- media: staging: omap4iss: Include asm/cacheflush.h after generic includes (bnc#1012382).
- media: videobuf2-core: do not call memop 'finish' when queueing (bnc#1012382).
- memory: tegra: Apply interrupts mask per SoC (bnc#1012382).
- memory: tegra: Do not handle spurious interrupts (bnc#1012382).
- mfd: cros_ec: Fail early if we cannot identify the EC (bnc#1012382).
- microblaze: Fix simpleImage format generation (bnc#1012382).
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported (bnc#1106697).
- mm/memory.c: check return value of ioremap_prot (bnc#1012382).
- mm/slub.c: add __printf verification to slab_err() (bnc#1012382).
- mm/tlb: Remove tlb_remove_table() non-concurrent condition (bnc#1012382).
- mm: Add vm_insert_pfn_prot() (bnc#1012382).
- mm: fix cache mode tracking in vm_insert_mixed() (bnc#1012382).
- mm: memcg: fix use after free in mem_cgroup_iter() (bnc#1012382).
- mm: vmalloc: avoid racy handling of debugobjects in vunmap (bnc#1012382).
- mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1 (bnc#1012382).
- mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages (bnc#1012382).
- mtd: ubi: wl: Fix error return code in ubi_wl_init().
- mwifiex: correct histogram data with appropriate index (bnc#1012382).
- mwifiex: handle race during mwifiex_usb_disconnect (bnc#1012382).
- net/9p/client.c: version pointer uninitialized (bnc#1012382).
- net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() (bnc#1012382).
- net/ethernet/freescale/fman: fix cross-build error (bnc#1012382).
- net/ipv4: Set oif in fib_compute_spec_dst (bnc#1012382).
- net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper (bnc#1012382).
- net/mlx5: Add missing SET_DRIVER_VERSION command translation (bsc#1015342 bsc#1015343).
- net/mlx5: E-Switch, Include VF RDMA stats in vport statistics (bsc#966170 bsc#966172).
- net/mlx5: Eswitch, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#1015342 bsc#1015343).
- net/mlx5: Fix wrong size allocation for QoS ETC TC regitster (bsc#966170 bsc#966172).
- net/mlx5: Vport, Use 'kvfree()' for memory allocated by 'kvzalloc()' (bsc#966170 bsc#966172).
- net/mlx5e: Do not allow aRFS for encapsulated packets (bsc#1015342 bsc#1015343).
- net/mlx5e: Err if asked to offload TC match on frag being first (bsc#1015342 bsc#1015343).
- net/mlx5e: Fix quota counting in aRFS expire flow (bsc#1015342 bsc#1015343).
- net/mlx5e: Refine ets validation function (bsc#966170 bsc#966172).
- net: 6lowpan: fix reserved space for single frames (bnc#1012382).
- net: Do not copy pfmemalloc flag in __copy_skb_header() (bnc#1012382).
- net: add skb_condense() helper (bsc#1089066).
- net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
- net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
- net: axienet: Fix double deregister of mdio (bnc#1012382).
- net: caif: Add a missing rcu_read_unlock() in caif_flow_cb (bnc#1012382).
- net: davinci_emac: match the mdio device against its compatible if possible (bnc#1012382).
- net: dsa: Do not suspend/resume closed slave_dev (bnc#1012382).
- net: ena: Fix use of uninitialized DMA address bits field (bsc#1027968).
- net: fix amd-xgbe flow-control issue (bnc#1012382).
- net: hamradio: use eth_broadcast_addr (bnc#1012382).
- net: lan78xx: Fix misplaced tasklet_schedule() call (bnc#1012382).
- net: lan78xx: fix rx handling before first packet is send (bnc#1012382).
- net: mac802154: tx: expand tailroom if necessary (bnc#1012382).
- net: phy: fix flag masking in __set_phy_supported (bnc#1012382).
- net: prevent ISA drivers from building on PPC32 (bnc#1012382).
- net: propagate dev_get_valid_name return code (bnc#1012382).
- net: qca_spi: Avoid packet drop during initial sync (bnc#1012382).
- net: qca_spi: Fix log level if probe fails (bnc#1012382).
- net: qca_spi: Make sure the QCA7000 reset is triggered (bnc#1012382).
- net: socket: fix potential spectre v1 gadget in socketcall (bnc#1012382).
- net: usb: rtl8150: demote allmulti message to dev_dbg() (bnc#1012382).
- net: vmxnet3: use new api ethtool_{get|set}_link_ksettings (bsc#1091860 bsc#1098253).
- net_sched: Fix missing res info when create new tc_index filter (bnc#1012382).
- net_sched: fix NULL pointer dereference when delete tcindex filter (bnc#1012382).
- netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state (bnc#1012382).
- netfilter: ipset: List timing out entries with 'timeout 1' instead of zero (bnc#1012382).
- netfilter: ipv6: nf_defrag: reduce struct net memory waste (bnc#1012382).
- netfilter: ipvs: do not create conn for ABORT packet in sctp_conn_schedule (bsc#1102797).
- netfilter: ipvs: fix the issue that sctp_conn_schedule drops non-INIT packet (bsc#1102797).
- netfilter: x_tables: set module owner for icmp(6) matches (bnc#1012382).
- netlink: Do not shift on 64 for ngroups (bnc#1012382).
- netlink: Do not shift with UB on nlk->ngroups (bnc#1012382).
- netlink: Do not subscribe to non-existent groups (bnc#1012382).
- netlink: Fix spectre v1 gadget in netlink_create() (bnc#1012382).
- netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
- nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo (bnc#1012382).
- nl80211: Add a missing break in parse_station_flags (bnc#1012382).
- nohz: Fix local_timer_softirq_pending() (bnc#1012382).
- nvme-fc: release io queues to allow fast fail (bsc#1102486).
- nvme: if_ready checks to fail io to deleting controller (bsc#1102486).
- nvme: kABI-compliant version of nvmf_fail_nonready_command() (bsc#1102486).
- nvmet-fc: fix target sgl list on large transfers (bsc#1102486).
- osf_getdomainname(): use copy_to_user() (bnc#1012382).
- ovl: Do d_type check only if work dir creation was successful (bnc#1012382).
- ovl: Ensure upper filesystem supports d_type (bnc#1012382).
- ovl: warn instead of error if d_type is not supported (bnc#1012382).
- packet: refine ring v3 block size test to hold one frame (bnc#1012382).
- packet: reset network header if packet shorter than ll reserved space (bnc#1012382).
- parisc: Define mb() and add memory barriers to assembler unlock sequences (bnc#1012382).
- parisc: Enable CONFIG_MLONGCALLS by default (bnc#1012382).
- parisc: Remove ordered stores from syscall.S (bnc#1012382).
- parisc: Remove unnecessary barriers from spinlock.h (bnc#1012382).
- perf auxtrace: Fix queue resize (bnc#1012382).
- perf llvm-utils: Remove bashism from kernel include fetch script (bnc#1012382).
- perf report powerpc: Fix crash if callchain is empty (bnc#1012382).
- perf test session topology: Fix test on s390 (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check for NHM (bnc#1012382).
- perf/x86/intel/uncore: Correct fixed counter index check in generic code (bnc#1012382).
- perf: fix invalid bit in diagnostic entry (bnc#1012382).
- pinctrl: at91-pio4: add missing of_node_put (bnc#1012382).
- pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show() (bnc#1012382).
- pnfs/blocklayout: off by one in bl_map_stripe() (bnc#1012382).
- powerpc/32: Add a missing include header (bnc#1012382).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032).
- powerpc/64s: Fix compiler store ordering to SLB shadow area (bnc#1012382).
- powerpc/8xx: fix invalid register expression in head_8xx.S (bnc#1012382).
- powerpc/chrp/time: Make some functions static, add missing header include (bnc#1012382).
- powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet (bnc#1012382).
- powerpc/fadump: handle crash memory ranges array index overflow (bsc#1103269).
- powerpc/fadump: merge adjacent memory ranges to reduce PT_LOAD segements (bsc#1103269).
- powerpc/lib: Fix the feature fixup tests to actually work (bsc#1066223).
- powerpc/powermac: Add missing prototype for note_bootable_part() (bnc#1012382).
- powerpc/powermac: Mark variable x as unused (bnc#1012382).
- powerpc/pseries: Fix endianness while restoring of r3 in MCE handler (bnc#1012382).
- powerpc/topology: Get topology for shared processors at boot (bsc#1104683).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 (bsc#1068032, bsc#1080157).
- powerpc: Avoid code patching freed init sections (bnc#1107735).
- powerpc: make feature-fixup tests fortify-safe (bsc#1066223).
- provide special timeout module parameters for EC2 (bsc#1065364).
- ptp: fix missing break in switch (bnc#1012382).
- pwm: tiehrpwm: Fix disabling of output of PWMs (bnc#1012382).
- qed: Add sanity check for SIMD fastpath handler (bnc#1012382).
- qed: Correct Multicast API to reflect existence of 256 approximate buckets (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Do not advertise DCBX_LLD_MANAGED capability (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix possible memory leak in Rx error path handling (bsc#1019695 bsc#1019699 bsc#1022604 ).
- qed: Fix possible race for the link state value (bnc#1012382).
- qed: Fix setting of incorrect eswitch mode (bsc#1019695 bsc#1019699 bsc#1022604).
- qed: Fix use of incorrect size in memcpy call (bsc#1019695 bsc#1019699 bsc#1022604).
- qede: Adverstise software timestamp caps when PHC is not available (bsc#1019695 bsc#1019699 bsc#1022604).
- qlge: Fix netdev features configuration (bsc#1098822).
- qlogic: check kstrtoul() for errors (bnc#1012382).
- random: mix rdrand with entropy sent in from userspace (bnc#1012382).
- readahead: stricter check for bdi io_pages (VM Functionality).
- regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops (bnc#1012382).
- reiserfs: fix broken xattr handling (heap corruption, bad retval) (bnc#1012382).
- ring_buffer: tracing: Inherit the tracing setting to next ring buffer (bnc#1012382).
- root dentries need RCU-delayed freeing (bnc#1012382).
- rsi: Fix 'invalid vdd' warning in mmc (bnc#1012382).
- rtc: ensure rtc_set_alarm fails when alarms are not supported (bnc#1012382).
- rtnetlink: add rtnl_link_state check in rtnl_configure_link (bnc#1012382).
- s390/cpum_sf: Add data entry sizes to sampling trailer entry (bnc#1012382).
- s390/kvm: fix deadlock when killed by oom (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (bnc#1106934, LTC#171029).
- s390/pci: fix out of bounds access during irq setup (bnc#1012382).
- s390/qdio: reset old sbal_state flags (bnc#1012382).
- s390/qeth: do not clobber buffer on async TX completion (bnc#1104485, LTC#170349).
- s390/qeth: fix race when setting MAC address (bnc#1104485, LTC#170726).
- s390: add explicit <linux/stringify.h> for jump label (bsc#1105271).
- s390: detect etoken facility (bnc#1106934, LTC#171029).
- s390: fix br_r1_trampoline for machines without exrl (bnc#1012382 bnc#1106934 LTC#171029).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/tar-up.sh: Do not package gitlog-excludes file Also fix the evaluation of gitlog-excludes file, too
- scsi: 3w-xxxx: fix a missing-check bug (bnc#1012382).
- scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock (bnc#1012382).
- scsi: fcoe: drop frames in ELS LOGO error path (bnc#1012382).
- scsi: hpsa: limit transfer length to 1MB, not 512kB (bsc#1102346).
- scsi: libiscsi: fix possible NULL pointer dereference in case of TMF (bnc#1012382).
- scsi: megaraid: silence a static checker bug (bnc#1012382).
- scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs (bnc#1012382).
- scsi: qla2xxx: Fix ISP recovery on unload (bnc#1012382).
- scsi: qla2xxx: Return error when TMF returns (bnc#1012382).
- scsi: scsi_dh: replace too broad 'TP9' string with the exact models (bnc#1012382).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (bnc#1012382).
- scsi: sysfs: Introduce sysfs_{un,}break_active_protection() (bnc#1012382).
- scsi: ufs: fix exception event handling (bnc#1012382).
- scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED (bnc#1012382).
- scsi: xen-scsifront: add error handling for xenbus_printf (bnc#1012382).
- scsi_debug: call resp_XXX function after setting host_scribble (bsc#1069138).
- scsi_debug: reset injection flags for every_nth > 0 (bsc#1069138).
- selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC (bnc#1012382).
- selftest/seccomp: Fix the seccomp(2) signature (bnc#1012382).
- selftests/ftrace: Add snapshot and tracing_on test case (bnc#1012382).
- selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs (bnc#1012382).
- selftests: pstore: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: static_keys: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: sync: add config fragment for testing sync framework (bnc#1012382).
- selftests: user: return Kselftest Skip code for skipped tests (bnc#1012382).
- selftests: zram: return Kselftest Skip code for skipped tests (bnc#1012382).
- serial: 8250_dw: always set baud rate in dw8250_set_termios (bnc#1012382).
- sfc: stop the TX queue before pushing new buffers (bsc#1017967 ).
- skbuff: Unconditionally copy pfmemalloc in __skb_clone() (bnc#1012382).
- slab: __GFP_ZERO is incompatible with a constructor (bnc#1107060).
- smb3: Do not send SMB3 SET_INFO if nothing changed (bnc#1012382).
- smb3: do not request leases in symlink creation and query (bnc#1012382).
- spi: davinci: fix a NULL pointer dereference (bnc#1012382).
- squashfs: be more careful about metadata corruption (bnc#1012382).
- squashfs: more metadata hardening (bnc#1012382).
- squashfs: more metadata hardenings (bnc#1012382).
- staging: android: ion: check for kref overflow (bnc#1012382).
- string: drop __must_check from strscpy() and restore strscpy() usages in cgroup (bsc#1107319).
- sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
- target_core_rbd: use RCU in free_device (bsc#1105524).
- tcp: Fix missing range_truesize enlargement in the backport (bnc#1012382).
- tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode (bnc#1012382).
- tcp: add one more quick ack after after ECN events (bnc#1012382).
- tcp: do not aggressively quick ack after ECN events (bnc#1012382).
- tcp: do not cancel delay-AcK on DCTCP special ACK (bnc#1012382).
- tcp: do not delay ACK in DCTCP upon CE status change (bnc#1012382).
- tcp: do not force quickack when receiving out-of-order packets (bnc#1012382).
- tcp: fix dctcp delayed ACK schedule (bnc#1012382).
- tcp: helpers to send special DCTCP ack (bnc#1012382).
- tcp: identify cryptic messages as TCP seq # bugs (bnc#1012382).
- tcp: refactor tcp_ecn_check_ce to remove sk type cast (bnc#1012382).
- tcp: remove DELAYED ACK events in DCTCP (bnc#1012382).
- tg3: Add higher cpu clock for 5762 (bnc#1012382).
- thermal: exynos: fix setting rising_threshold for Exynos5433 (bnc#1012382).
- timekeeping: Eliminate the stale declaration of ktime_get_raw_and_real_ts64() (bsc#969470).
- tools/power turbostat: Read extended processor family from CPUID (bnc#1012382).
- tools/power turbostat: fix -S on UP systems (bnc#1012382).
- tools: usb: ffs-test: Fix build on big endian systems (bnc#1012382).
- tpm: fix race condition in tpm_common_write() (bnc#1012382).
- tracing/blktrace: Fix to allow setting same value (bnc#1012382).
- tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure (bnc#1012382).
- tracing: Do not call start/stop() functions when tracing_on does not change (bnc#1012382).
- tracing: Fix double free of event_trigger_data (bnc#1012382).
- tracing: Fix possible double free in event_enable_trigger_func() (bnc#1012382).
- tracing: Quiet gcc warning about maybe unused link variable (bnc#1012382).
- tracing: Use __printf markup to silence compiler (bnc#1012382).
- tty: Fix data race in tty_insert_flip_string_fixed_flag (bnc#1012382).
- turn off -Wattribute-alias (bnc#1012382).
- ubi: Be more paranoid while seaching for the most recent Fastmap (bnc#1012382).
- ubi: Fix Fastmap's update_vol() (bnc#1012382).
- ubi: Fix races around ubi_refill_pools() (bnc#1012382).
- ubi: Introduce vol_ignored() (bnc#1012382).
- ubi: Rework Fastmap attach base code (bnc#1012382).
- ubi: fastmap: Erase outdated anchor PEBs during attach (bnc#1012382).
- ubifs: Check data node size before truncate (bsc#1106276).
- ubifs: Fix memory leak in lprobs self-check (bsc#1106278).
- ubifs: Fix synced_i_size calculation for xattr inodes (bsc#1106275).
- ubifs: xattr: Do not operate on deleted inodes (bsc#1106271).
- udl-kms: change down_interruptible to down (bnc#1012382).
- udl-kms: fix crash due to uninitialized memory (bnc#1012382).
- udl-kms: handle allocation failure (bnc#1012382).
- udlfb: set optimal write delay (bnc#1012382).
- uprobes: Use synchronize_rcu() not synchronize_sched() (bnc#1012382).
- usb/phy: fix PPC64 build errors in phy-fsl-usb.c (bnc#1012382).
- usb: audio-v2: Correct the comment for struct uac_clock_selector_descriptor (bsc#1099810).
- usb: cdc_acm: Add quirk for Castles VEGA3000 (bnc#1012382).
- usb: dwc2: debugfs: Do not touch RX FIFO during register dump (bsc#1100132).
- usb: dwc2: fix isoc split in transfer with no data (bnc#1012382).
- usb: gadget: composite: fix delayed_status race condition when set_interface (bnc#1012382).
- usb: gadget: dwc2: fix memory leak in gadget_init() (bnc#1012382).
- usb: gadget: f_fs: Only return delayed status when len is 0 (bnc#1012382).
- usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' (bnc#1012382).
- usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() (bnc#1012382).
- usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() (bnc#1012382).
- usb: hub: Do not wait for connect state at resume for powered-off ports (bnc#1012382).
- usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock (bsc#1085536).
- usb: xhci: increase CRS timeout value (bnc#1012382).
- usbip: usbip_detach: Fix memory, udev context and udev leak (bnc#1012382).
- userns: move user access out of the mutex (bnc#1012382).
- vfs: add the sb_start_intwrite_trylock() helper (bsc#1101841).
- virtio_balloon: fix another race between migration and ballooning (bnc#1012382).
- vmw_balloon: VMCI_DOORBELL_SET does not check status (bnc#1012382).
- vmw_balloon: do not use 2MB without batching (bnc#1012382).
- vmw_balloon: fix VMCI use when balloon built into kernel (bnc#1012382).
- vmw_balloon: fix inflation of 64-bit GFNs (bnc#1012382).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1091860 bsc#1098253).
- vmxnet3: add receive data ring support (bsc#1091860 bsc#1098253).
- vmxnet3: add support for get_coalesce, set_coalesce ethtool operations (bsc#1091860 bsc#1098253).
- vmxnet3: allow variable length transmit data ring buffer (bsc#1091860 bsc#1098253).
- vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() (bsc#1091860 bsc#1098253).
- vmxnet3: avoid format strint overflow warning (bsc#1091860 bsc#1098253).
- vmxnet3: avoid xmit reset due to a race in vmxnet3 (bsc#1091860 bsc#1098253).
- vmxnet3: fix incorrect dereference when rxvlan is disabled (bsc#1091860 bsc#1098253).
- vmxnet3: fix non static symbol warning (bsc#1091860 bsc#1098253).
- vmxnet3: fix tx data ring copy for variable size (bsc#1091860 bsc#1098253).
- vmxnet3: increase default rx ring sizes (bsc#1091860 bsc#1098253).
- vmxnet3: introduce command to register memory region (bsc#1091860 bsc#1098253).
- vmxnet3: introduce generalized command interface to configure the device (bsc#1091860 bsc#1098253).
- vmxnet3: prepare for version 3 changes (bsc#1091860 bsc#1098253).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1091860 bsc#1098253).
- vmxnet3: remove unused flag 'rxcsum' from struct vmxnet3_adapter (bsc#1091860 bsc#1098253).
- vmxnet3: set the DMA mask before the first DMA map operation (bsc#1091860 bsc#1098253).
- vmxnet3: update to version 3 (bsc#1091860 bsc#1098253).
- vmxnet3: use DMA memory barriers where required (bsc#1091860 bsc#1098253).
- vmxnet3: use correct flag to indicate LRO feature (bsc#1091860 bsc#1098253).
- vsock: split dwork to avoid reinitializations (bnc#1012382).
- vti6: Fix dev->max_mtu setting (bsc#1033962).
- vti6: fix PMTU caching and reporting on xmit (bnc#1012382).
- wlcore: sdio: check for valid platform device data before suspend (bnc#1012382).
- x86/MCE: Remove min interval polling limitation (bnc#1012382).
- x86/amd: do not set X86_BUG_SYSRET_SS_ATTRS when running under Xen (bnc#1012382).
- x86/asm/entry/32: Simplify pushes of zeroed pt_regs->REGs (bnc#1012382).
- x86/bugs: Move the l1tf function and define pr_fmt properly (bnc#1012382).
- x86/bugs: Respect nospec command line option (bsc#1068032).
- x86/cpu/AMD: Fix erratum 1076 (CPB bit) (bnc#1012382).
- x86/cpu: Make alternative_msr_write work for 32-bit code (bnc#1012382).
- x86/cpu: Re-apply forced caps every time CPU caps are re-read (bnc#1012382).
- x86/cpufeatures: Add CPUID_7_EDX CPUID leaf (bnc#1012382).
- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (bnc#1012382).
- x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface (bnc#1012382).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/init: fix build with CONFIG_SWAP=n (bnc#1012382).
- x86/irqflags: Mark native_restore_fl extern inline (bnc#1012382).
- x86/irqflags: Provide a declaration for native_save_fl.
- x86/mm/kmmio: Make the tracer robust against L1TF (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA (bnc#1012382).
- x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call (bnc#1012382).
- x86/mm/pat: Make set_memory_np() L1TF safe (bnc#1012382).
- x86/mm: Add TLB purge to free pmd/pte page interfaces (bnc#1012382).
- x86/mm: Disable ioremap free page handling on x86-PAE (bnc#1012382).
- x86/mm: Give each mm TLB flush generation a unique ID (bnc#1012382).
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (bnc#1012382).
- x86/paravirt: Make native_save_fl() extern inline (bnc#1012382).
- x86/process: Correct and optimize TIF_BLOCKSTEP switch (bnc#1012382).
- x86/process: Optimize TIF checks in __switch_to_xtra() (bnc#1012382).
- x86/process: Optimize TIF_NOTSC switch (bnc#1012382).
- x86/process: Re-export start_thread() (bnc#1012382).
- x86/spectre: Add missing family 6 check to microcode check (bnc#1012382).
- x86/spectre_v2: Do not check microcode versions when running under hypervisors (bnc#1012382).
- x86/speculation/l1tf: Exempt zeroed PTEs from inversion (bnc#1012382).
- x86/speculation/l1tf: Extend 64bit swap file size limit (bnc#1012382).
- x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
- x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1012382).
- x86/speculation/l1tf: Fix up CPU feature flags (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
- x86/speculation/l1tf: Invert all not present mappings (bnc#1012382).
- x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert (bnc#1012382).
- x86/speculation/l1tf: Protect PAE swap entries against L1TF (bnc#1012382).
- x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
- x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures (bnc#1012382).
- x86/speculation: Add <asm/msr-index.h> dependency (bnc#1012382).
- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (bnc#1012382).
- x86/speculation: Clean up various Spectre related details (bnc#1012382).
- x86/speculation: Correct Speculation Control microcode blacklist again (bnc#1012382).
- x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP (bnc#1012382).
- x86/speculation: Update Speculation Control microcode blacklist (bnc#1012382).
- x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry (bsc#1106369).
- x86/speculation: Use IBRS if available before calling into firmware (bnc#1012382).
- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (bnc#1012382).
- x86/xen: Add call of speculative_store_bypass_ht_init() to PV paths (bnc#1012382).
- xen-netfront: wait xenbus state change when load module manually (bnc#1012382).
- xen/blkback: do not keep persistent grants too long (bsc#1085042).
- xen/blkback: move persistent grants flags to bool (bsc#1085042).
- xen/blkfront: cleanup stale persistent grants (bsc#1085042).
- xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
- xen/netfront: do not cache skb_shinfo() (bnc#1012382).
- xen: set cpu capabilities from xen_start_kernel() (bnc#1012382).
- xfrm: fix missing dst_release() after policy blocking lbcast and multicast (bnc#1012382).
- xfrm: free skb if nlsk pointer is NULL (bnc#1012382).
- xfrm_user: prevent leaking 2 bytes of kernel memory (bnc#1012382).
- xfs: Remove dead code from inode recover function (bsc#1105396).
- xfs: repair malformed inode items during log recovery (bsc#1105396).
- xhci: Fix perceived dead host due to runtime suspend race with event handler (bnc#1012382).
- zswap: re-check zswap_is_full() after do zswap_shrink() (bnc#1012382).


-----------------------------------------
Patch: SUSE-2018-1942
Released: Fri Sep 21 07:51:02 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-1947
Released: Fri Sep 21 11:29:55 2018
Summary: Recommended update for lsof
Severity: moderate
References: 1036304,1099847
Description:
This update for lsof provides the following fix:

- Enhance -K option with the form '-K i' to direct lsof to ignore tasks. (bsc#1036304)
- Add 'Provides: backported-option-Ki' to indicate that '-K i' option is supported so
  libzypp can safely use it. (bsc#1099847)


-----------------------------------------
Patch: SUSE-2018-1969
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:

- PackageProvider: Validate deta rpms before caching (bsc#1091624,
  bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
  caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application
  pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having
  been been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update to zypper to version 1.13.45:

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
  (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf,
  not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)


-----------------------------------------
Patch: SUSE-2018-1970
Released: Mon Sep 24 08:07:42 2018
Summary: Security update for apache2
Severity: moderate
References: 1016715,1104826,CVE-2016-4975,CVE-2016-8743
Description:
This update for apache2 fixes the following issues:

Security issues fixed:

- CVE-2016-8743: Fixed liberal whitespace interpretation accepted from requests
  and sent in response lines and headers. Accepting these different behaviors
  represented a security concern when httpd participates in any chain of
  proxies or interacts with back-end application servers, either through
  mod_proxy or using conventional CGI mechanisms, and may result in request
  smuggling, response splitting and cache pollution. (bsc#1016715)
- CVE-2016-4975: Fixed possible CRLF injection allowing HTTP response splitting
  attacks for sites which use mod_userdir. This issue was mitigated by changes
  which prohibit CR or LF injection into the 'Location' or other outbound
  header key or value. (bsc#1104826)
  

-----------------------------------------
Patch: SUSE-2018-1985
Released: Mon Sep 24 11:56:08 2018
Summary: Recommended update for openldap2
Severity: moderate
References: 1089640
Description:
This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)


-----------------------------------------
Patch: SUSE-2018-1986
Released: Mon Sep 24 12:52:43 2018
Summary: Security update for libXcursor
Severity: moderate
References: 1103511,CVE-2015-9262
Description:
This update for libXcursor fixes the following security issue:

- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial
  of service or potentially code execution via a one-byte heap overflow
  (bsc#1103511).


-----------------------------------------
Patch: SUSE-2018-1989
Released: Mon Sep 24 12:54:37 2018
Summary: Security update for tiff
Severity: moderate
References: 1074186,1092480,983440,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline()
  in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
  PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440)


-----------------------------------------
Patch: SUSE-2018-1990
Released: Mon Sep 24 12:54:57 2018
Summary: Security update for gnutls
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846
Description:
This update for gnutls fixes the following issues:

Security issues fixed:

- Improved mitigations against Lucky 13 class of attacks
  - 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
  - HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459)
  - HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437)
- The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002)


-----------------------------------------
Patch: SUSE-2018-1994
Released: Mon Sep 24 12:55:57 2018
Summary: Security update for shadow
Severity: moderate
References: 1106914
Description:
This update for shadow fixes the following security issue:

- Prevent useradd from creating intermediate directories with mode 0777 (bsc#1106914)


-----------------------------------------
Patch: SUSE-2018-2038
Released: Wed Sep 26 12:27:58 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1093797
Description:
This update for gcc48 fixes the following issues:

- Fixed a reload bug on aarch64 causing a kernel miscompile.  [bsc#1093797]



-----------------------------------------
Patch: SUSE-2018-2064
Released: Thu Sep 27 19:24:40 2018
Summary: Recommended update for kdump
Severity: important
References: 1002617,1058202,1081646,1091186,1101730
Description:
This update for kdump fixes the following issues:

- Block initrd-parse-etc.service until dump is saved (bsc#1091186).
- Always copy timezone data into kdumprd (bsc#1081646).
- Bail out of kdump_check_net if no default interface is found (bsc#1058202).
- fadump: avoid multipath optimizations that break regular boot (bsc#1101730).
- cmdline: split kdump cmdline purpose wise (bsc#1101730).
- fadump: fix network bring up issue during default boot (bsc#1101730).


-----------------------------------------
Patch: SUSE-2018-2069
Released: Fri Sep 28 08:01:25 2018
Summary: Security update for openssl
Severity: moderate
References: 1089039,1101246,1101470,1104789,1106197,997043,CVE-2018-0737
Description:
This update for openssl fixes the following issues:

These security issues were fixed:

- Prevent One&Done side-channel attack on RSA that allowed physically near
  attackers to use EM emanations to recover information (bsc#1104789)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
  vulnerable to a cache timing side channel attack. An attacker with sufficient
  access to mount cache timing attacks during the RSA key generation process
  could have recovered the private key (bsc#1089039)

These non-security issues were fixed:

- Add openssl(cli) Provide so the packages that require the openssl
  binary can require this instead of the new openssl meta package
  (bsc#1101470)
- Fixed path to the engines which are under /lib64 on SLE-12 (bsc#1101246,
  bsc#997043)


-----------------------------------------
Patch: SUSE-2018-2079
Released: Fri Sep 28 14:55:20 2018
Summary: Recommended update for linux-glibc-devel
Severity: moderate
References: 1103375
Description:
This update for linux-glibc-devel provides the following fix:

- elf: Add powerpc specific core note sections. (fate#318470, bsc#1103375)


-----------------------------------------
Patch: SUSE-2018-2117
Released: Tue Oct  2 16:30:51 2018
Summary: Security update for unzip
Severity: moderate
References: 1013992,1013993,1080074,910683,914442,950110,950111,CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035
Description:
This update for unzip fixes the following security issues:

- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
  trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
  lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
  password-protected archives that allowed an attacker to perform a denial of
  service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
  crash) via an extra field with an uncompressed size smaller than the compressed
  field size in a zip archive that advertises STORED method compression
  (bsc#914442).

This non-security issue was fixed:

+- Allow processing of Windows zip64 archives (Windows archivers set
  total_disks field to 0 but per standard, valid values are 1 and higher)
  (bnc#910683)


-----------------------------------------
Patch: SUSE-2018-2125
Released: Tue Oct  2 21:14:51 2018
Summary: Recommended update for grub2
Severity: moderate
References: 1063443,1085419,1088830,1092344,1106381
Description:
This update for grub2 provides the following fixes:

- Fix config_directory on Btrfs to follow path scheme. (bsc#1063443)
- Fix setparams doesn't work as expected from boot-last-label NVRAM var. (bsc#1088830)
- Fix incorrect netmask on ppc64. (bsc#1085419, bsc#1092344)
- Fix outputting invalid btrfs subvolume path on non btrfs filesystem due to bogus return
  code handling. (bsc#1106381)


-----------------------------------------
Patch: SUSE-2018-2126
Released: Tue Oct  2 21:15:06 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1096917
Description:
This update for icewm fixes the following issues:

- Revert a previously applied fix to fix starting of polkit-gnome-authentication-agent-1
  in icewm. It is really not necessary in SLE-12. (bsc#1096917)


-----------------------------------------
Patch: SUSE-2018-2132
Released: Thu Oct  4 06:47:56 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-2135
Released: Thu Oct  4 14:01:33 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1044189,1063026,1066223,1082863,1082979,1084427,1084536,1087209,1088087,1090535,1091815,1094244,1094555,1094562,1095344,1095753,1096547,1099810,1102495,1102715,1102870,1102875,1102877,1102879,1102882,1102896,1103156,1103269,1106095,1106434,1106512,1106594,1106934,1107924,1108096,1108170,1108240,1108399,1108803,1108823,1109333,1109336,1109337,1109441,1110297,1110337,CVE-2018-14613,CVE-2018-14617,CVE-2018-16276,CVE-2018-16597,CVE-2018-17182,CVE-2018-7480,CVE-2018-7757
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.156 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-16597: Incorrect access checking in overlayfs mounts could have been
  used by local attackers to modify or truncate files in the underlying
  filesystem (bnc#1106512).
- CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when
  mounting and operating a crafted btrfs image, caused by a lack of block group
  item validation in check_leaf_item (bsc#1102896)
- CVE-2018-14617: Prevent NULL pointer dereference and panic in
  hfsplus_lookup() when opening a file (that is purportedly a hard link) in an
  hfs+ filesystem that has malformed catalog data, and is mounted read-only
  without a metadata directory (bsc#1102870)
- CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in
  yurex_read allowed local attackers to use user access read/writes to crash the
  kernel or potentially escalate privileges (bsc#1106095)
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
  drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of
  service (memory consumption) via many read accesses to files in the
  /sys/class/sas_phy directory, as demonstrated by the
  /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536)
- CVE-2018-7480: The blkcg_init_queue function allowed local users to cause a
  denial of service (double free) or possibly have unspecified other impact by
  triggering a creation failure (bsc#1082863).
- CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c
  mishandled sequence number overflows. An attacker can trigger a
  use-after-free (and possibly gain privileges) via certain thread creation,
  map, unmap, invalidation, and dereference operations (bnc#1108399).

The following non-security bugs were fixed:

- asm/sections: add helpers to check for section data (bsc#1063026).
- ASoC: wm8994: Fix missing break in switch (bnc#1012382).
- block: bvec_nr_vecs() returns value for wrong slab (bsc#1082979).
- bpf: fix overflow in prog accounting (bsc#1012382).
- btrfs: Add checker for EXTENT_CSUM (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Add sanity check for EXTENT_DATA when reading out leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Check if item pointer overlaps with the item itself (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Check that each block group has corresponding chunk at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Introduce mount time chunk <-> dev extent mapping check (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: Move leaf and node validation checker to tree-checker.c (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bnc#1012382).
- btrfs: replace: Reset on-disk dev stats value after replace (bnc#1012382).
- btrfs: scrub: Do not use inode page cache in scrub_handle_errored_block() (bsc#1108096).
- btrfs: tree-checker: Add checker for dir item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Detect invalid and empty essential trees (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance btrfs_check_node output (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for btrfs_check_leaf (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_csum_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Enhance output for check_extent_data_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Fix false panic for sanity test (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Replace root parameter with fs_info (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: use %zu format string for size_t (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: tree-checker: Verify block_group_item (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- btrfs: use correct compare function of dirty_metadata_bytes (bnc#1012382).
- btrfs: Verify that every chunk has corresponding block group at mount time (bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875,).
- cifs: check if SMB2 PDU size has been padded and suppress the warning (bnc#1012382).
- crypto: clarify licensing of OpenSSL asm code ().
- crypto: vmx - Remove overly verbose printk from AES XTS init (git-fixes).
- debugobjects: Make stack check warning more informative (bnc#1012382).
- dm kcopyd: avoid softlockup in run_complete_job (bnc#1012382).
- dm-mpath: do not try to access NULL rq (bsc#1110337).
- EDAC: Fix memleak in module init error path (bsc#1109441).
- EDAC, i7core: Fix memleaks and use-after-free on probe and remove (1109441).
- fat: validate ->i_start before using (bnc#1012382).
- Fixes: Commit cdbf92675fad ('mm: numa: avoid waiting on freed migrated pages') (bnc#1012382).
- Follow-up fix for patches.arch/01-jump_label-reduce-the-size-of-struct-static_key-kabi.patch (bsc#1108803).
- fork: do not copy inconsistent signal handler state to child (bnc#1012382).
- fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() (bnc#1012382).
- genirq: Delay incrementing interrupt count if it's disabled/pending (bnc#1012382).
- grow_cache: we still have a code which uses both __GFP_ZERO and constructors. The code seems to be correct and the warning does more harm than good so revert for the the meantime until we catch offenders. (bnc#1110297) 
- hfsplus: do not return 0 when fill_super() failed (bnc#1012382).
- hfs: prevent crash on exit from failed search (bnc#1012382).
- ib_srp: Remove WARN_ON in srp_terminate_io() (bsc#1094562).
- ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() (bnc#1012382).
- irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP (bnc#1012382).
- irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() (bnc#1012382).
- kabi protect hnae_ae_ops (bsc#1107924).
- kbuild: make missing $DEPMOD a Warning instead of an Error (bnc#1012382).
- l2tp: cast l2tp traffic counter to unsigned (bsc#1099810).
- mei: me: allow runtime pm for platform with D0i3 (bnc#1012382).
- mfd: sm501: Set coherent_dma_mask when creating subdevices (bnc#1012382).
- mm/fadvise.c: fix signed overflow UBSAN complaint (bnc#1012382).
- net/9p: fix error path of p9_virtio_probe (bnc#1012382).
- net: bcmgenet: use MAC link status for fixed phy (bnc#1012382).
- net: ena: Eliminate duplicate barriers on weakly-ordered archs (bsc#1108240).
- net: ena: fix device destruction to gracefully free resources (bsc#1108240).
- net: ena: fix driver when PAGE_SIZE == 64kB (bsc#1108240).
- net: ena: fix incorrect usage of memory barriers (bsc#1108240).
- net: ena: fix missing calls to READ_ONCE (bsc#1108240).
- net: ena: fix missing lock during device destruction (bsc#1108240).
- net: ena: fix potential double ena_destroy_device() (bsc#1108240).
- net: ena: fix surprise unplug NULL dereference kernel crash (bsc#1108240).
- net: hns: add netif_carrier_off before change speed and duplex (bsc#1107924).
- net: hns: add the code for cleaning pkt in chip (bsc#1107924).
- nvme_fc: add 'nvme_discovery' sysfs attribute to fc transport device (bsc#1044189).
- nvmet: fixup crash on NULL device path (bsc#1082979).
- ovl: modify ovl_permission() to do checks on two inodes (bsc#1106512)
- ovl: proper cleanup of workdir (bnc#1012382).
- ovl: rename is_merge to is_lowest (bnc#1012382).
- PCI: mvebu: Fix I/O space end address calculation (bnc#1012382).
- platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 (bnc#1012382).
- powerpc/64: Do load of PACAKBASE in LOAD_HANDLER (bsc#1094244).
- powerpc/book3s: Fix MCE console messages for unrecoverable MCE (bsc#1094244).
- powerpc/fadump: cleanup crash memory ranges support (bsc#1103269).
- powerpc/fadump: re-register firmware-assisted dump if already registered (bsc#1108170, bsc#1108823).
- powerpc: Fix size calculation using resource_size() (bnc#1012382).
- powerpc/mce: Move 64-bit machine check code into mce.c (bsc#1094244).
- powerpc/perf/hv-24x7: Fix off-by-one error in request_buffer check (git-fixes).
- powerpc/powernv/ioda2: Reduce upper limit for DMA window size (bsc#1066223).
- powerpc/powernv: Rename machine_check_pSeries_early() to powernv (bsc#1094244).
- powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX (bnc#1012382).
- powerpc/pseries: Disable CPU hotplug across migrations (bsc#1066223).
- powerpc/pseries: Remove prrn_work workqueue (bsc#1102495, bsc#1109337).
- powerpc/pseries: Remove unneeded uses of dlpar work queue (bsc#1102495, bsc#1109337).
- powerpc/tm: Fix userspace r13 corruption (bsc#1109333).
- RDMA/rw: Fix rdma_rw_ctx_signature_init() kernel-doc header (bsc#1082979).
- reiserfs: change j_timestamp type to time64_t (bnc#1012382).
- Revert 'ARM: imx_v6_v7_defconfig: Select ULPI support' (bnc#1012382).
- s390/dasd: fix hanging offline processing due to canceled worker (bnc#1012382).
- s390/lib: use expoline for all bcr instructions (LTC#171029 bnc#1012382 bnc#1106934).
- sch_hhf: fix null pointer dereference on init failure (bnc#1012382).
- sch_htb: fix crash on init failure (bnc#1012382).
- sch_multiq: fix double free on init failure (bnc#1012382).
- sch_netem: avoid null pointer deref on init failure (bnc#1012382).
- sch_tbf: fix two null pointer dereferences on init failure (bnc#1012382).
- scripts: modpost: check memory allocation results (bnc#1012382).
- scsi: aic94xx: fix an error code in aic94xx_init() (bnc#1012382).
- scsi: ipr: System hung while dlpar adding primary ipr adapter back (bsc#1109336).
- scsi: qla2xxx: Add changes for devloss timeout in driver (bsc#1084427).
- scsi: qla2xxx: Add FC-NVMe abort processing (bsc#1084427).
- scsi: qla2xxx: Add longer window for chip reset (bsc#1094555).
- scsi: qla2xxx: Avoid double completion of abort command (bsc#1094555).
- scsi: qla2xxx: Cleanup code to improve FC-NVMe error handling (bsc#1084427).
- scsi: qla2xxx: Cleanup for N2N code (bsc#1094555).
- scsi: qla2xxx: correctly shift host byte (bsc#1094555).
- scsi: qla2xxx: Correct setting of SAM_STAT_CHECK_CONDITION (bsc#1094555).
- scsi: qla2xxx: Delete session for nport id change (bsc#1094555).
- scsi: qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan (bsc#1084427).
- scsi: qla2xxx: Fix crash on qla2x00_mailbox_command (bsc#1094555).
- scsi: qla2xxx: Fix double free bug after firmware timeout (bsc#1094555).
- scsi: qla2xxx: Fix driver unload by shutting down chip (bsc#1094555).
- scsi: qla2xxx: fix error message on <qla2400 (bsc#1094555).
- scsi: qla2xxx: Fix FC-NVMe IO abort during driver reset (bsc#1084427).
- scsi: qla2xxx: Fix function argument descriptions (bsc#1094555).
- scsi: qla2xxx: Fix Inquiry command being dropped in Target mode (bsc#1094555).
- scsi: qla2xxx: Fix issue reported by static checker for qla2x00_els_dcmd2_sp_done() (bsc#1094555).
- scsi: qla2xxx: Fix login retry count (bsc#1094555).
- scsi: qla2xxx: Fix Management Server NPort handle reservation logic (bsc#1094555).
- scsi: qla2xxx: Fix memory leak for allocating abort IOCB (bsc#1094555).
- scsi: qla2xxx: Fix n2n_ae flag to prevent dev_loss on PDB change (bsc#1084427).
- scsi: qla2xxx: Fix N2N link re-connect (bsc#1094555).
- scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion (bsc#1094555).
- scsi: qla2xxx: Fix race between switch cmd completion and timeout (bsc#1094555).
- scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (bsc#1094555).
- scsi: qla2xxx: Fix redundant fc_rport registration (bsc#1094555).
- scsi: qla2xxx: Fix retry for PRLI RJT with reason of BUSY (bsc#1084427).
- scsi: qla2xxx: Fix Rport and session state getting out of sync (bsc#1094555).
- scsi: qla2xxx: Fix sending ADISC command for login (bsc#1094555).
- scsi: qla2xxx: Fix session state stuck in Get Port DB (bsc#1094555).
- scsi: qla2xxx: Fix stalled relogin (bsc#1094555).
- scsi: qla2xxx: Fix TMF and Multi-Queue config (bsc#1094555).
- scsi: qla2xxx: Fix unintended Logout (bsc#1094555).
- scsi: qla2xxx: Fix unintialized List head crash (bsc#1094555).
- scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1094555).
- scsi: qla2xxx: fx00 copypaste typo (bsc#1094555).
- scsi: qla2xxx: Migrate NVME N2N handling into state machine (bsc#1094555).
- scsi: qla2xxx: Move GPSC and GFPNID out of session management (bsc#1094555).
- scsi: qla2xxx: Prevent relogin loop by removing stale code (bsc#1094555).
- scsi: qla2xxx: Prevent sysfs access when chip is down (bsc#1094555).
- scsi: qla2xxx: Reduce redundant ADISC command for RSCNs (bsc#1094555).
- scsi: qla2xxx: remove irq save in qla2x00_poll() (bsc#1094555).
- scsi: qla2xxx: Remove nvme_done_list (bsc#1084427).
- scsi: qla2xxx: Remove stale debug value for login_retry flag (bsc#1094555).
- scsi: qla2xxx: Remove unneeded message and minor cleanup for FC-NVMe (bsc#1084427).
- scsi: qla2xxx: Restore ZIO threshold setting (bsc#1084427).
- scsi: qla2xxx: Return busy if rport going away (bsc#1084427).
- scsi: qla2xxx: Save frame payload size from ICB (bsc#1094555).
- scsi: qla2xxx: Set IIDMA and fcport state before qla_nvme_register_remote() (bsc#1084427).
- scsi: qla2xxx: Silent erroneous message (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.06-k (bsc#1084427).
- scsi: qla2xxx: Update driver version to 10.00.00.07-k (bsc#1094555).
- scsi: qla2xxx: Update driver version to 10.00.00.08-k (bsc#1094555).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1094555).
- scsi: qla2xxx: Use predefined get_datalen_for_atio() inline function (bsc#1094555).
- selftests/powerpc: Kill child processes on SIGINT (bnc#1012382).
- smb3: fix reset of bytes read and written stats (bnc#1012382).
- SMB3: Number of requests sent should be displayed for SMB3 not just CIFS (bnc#1012382).
- staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free (bnc#1012382).
- staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice (bnc#1012382).
- tcp: do not restart timewait timer on rst reception (bnc#1012382).
- Update patches.suse/dm-Always-copy-cmd_flags-when-cloning-a-request.patch (bsc#1088087, bsc#1103156).
- usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
- vti6: remove !skb->ignore_df check from vti6_xmit() (bnc#1012382).
- watchdog: w83627hf_wdt: Add quirk for Inves system (bsc#1106434).
- x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
- x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear (bnc#1012382).
- x86/speculation/l1tf: Fix up pte->pfn conversion for PAE (bnc#1012382).
- xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
- xfs: add a new xfs_iext_lookup_extent_before helper (bsc#1095344).
- xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space (bsc#1095344).
- xfs: add a xfs_bmap_fork_to_state helper (bsc#1095344).
- xfs: add a xfs_iext_update_extent helper (bsc#1095344).
- xfs: add comments documenting the rebalance algorithm (bsc#1095344).
- xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node (bsc#1095344).
- xfs: add xfs_trim_extent (bsc#1095344).
- xfs: allow unaligned extent records in xfs_bmbt_disk_set_all (bsc#1095344).
- xfs: borrow indirect blocks from freed extent when available (bsc#1095344).
- xfs: cleanup xfs_bmap_last_before (bsc#1095344).
- xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: do not rely on extent indices in xfs_bmap_insert_extents (bsc#1095344).
- xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi (bsc#1095344).
- xfs: during btree split, save new block key and ptr for future insertion (bsc#1095344).
- xfs: factor out a helper to initialize a local format inode fork (bsc#1095344).
- xfs: fix memory leak in xfs_iext_free_last_leaf (bsc#1095344).
- xfs: fix number of records handling in xfs_iext_split_leaf (bsc#1095344).
- xfs: fix transaction allocation deadlock in IO path (bsc#1090535).
- xfs: handle indlen shortage on delalloc extent merge (bsc#1095344).
- xfs: handle zero entries case in xfs_iext_rebalance_leaf (bsc#1095344).
- xfs: improve kmem_realloc (bsc#1095344).
- xfs: inline xfs_shift_file_space into callers (bsc#1095344).
- xfs: introduce the xfs_iext_cursor abstraction (bsc#1095344).
- xfs: iterate over extents in xfs_bmap_extents_to_btree (bsc#1095344).
- xfs: iterate over extents in xfs_iextents_copy (bsc#1095344).
- xfs: make better use of the 'state' variable in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: merge xfs_bmap_read_extents into xfs_iread_extents (bsc#1095344).
- xfs: move pre/post-bmap tracing into xfs_iext_update_extent (bsc#1095344).
- xfs: move some code around inside xfs_bmap_shift_extents (bsc#1095344).
- xfs: move some more code into xfs_bmap_del_extent_real (bsc#1095344).
- xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h (bsc#1095344).
- xfs: move xfs_iext_insert tracepoint to report useful information (bsc#1095344).
- xfs: new inode extent list lookup helpers (bsc#1095344).
- xfs: only run torn log write detection on dirty logs (bsc#1095753).
- xfs: pass an on-disk extent to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq (bsc#1095344).
- xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update (bsc#1095344).
- xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent (bsc#1095344).
- xfs: provide helper for counting extents from if_bytes (bsc#1095344).
- xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor delalloc indlen reservation split into helper (bsc#1095344).
- xfs: refactor dir2 leaf readahead shadow buffer cleverness (bsc#1095344).
- xfs: refactor in-core log state update to helper (bsc#1095753).
- xfs: refactor unmount record detection into helper (bsc#1095753).
- xfs: refactor xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: refactor xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: refactor xfs_bunmapi_cow (bsc#1095344).
- xfs: refactor xfs_del_extent_real (bsc#1095344).
- xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all (bsc#1095344).
- xfs: remove a superflous assignment in xfs_iext_remove_node (bsc#1095344).
- xfs: remove if_rdev (bsc#1095344).
- xfs: remove prev argument to xfs_bmapi_reserve_delalloc (bsc#1095344).
- xfs: remove support for inlining data/extents into the inode fork (bsc#1095344).
- xfs: remove the never fully implemented UUID fork format (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_insert (bsc#1095344).
- xfs: remove the nr_extents argument to xfs_iext_remove (bsc#1095344).
- xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS (bsc#1095344).
- xfs: remove XFS_BMAP_TRACE_EXLIST (bsc#1095344).
- xfs: remove xfs_bmbt_get_state (bsc#1095344).
- xfs: remove xfs_bmse_shift_one (bsc#1095344).
- xfs: rename bno to end in __xfs_bunmapi (bsc#1095344).
- xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first (bsc#1095344).
- xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves (bsc#1095344).
- xfs: rewrite getbmap using the xfs_iext_* helpers (bsc#1095344).
- xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent (bsc#1095344).
- xfs: rewrite xfs_bmap_first_unused to make better use of xfs_iext_get_extent (bsc#1095344).
- xfs: separate log head record discovery from verification (bsc#1095753).
- xfs: simplify the xfs_getbmap interface (bsc#1095344).
- xfs: simplify validation of the unwritten extent bit (bsc#1095344).
- xfs: split indlen reservations fairly when under reserved (bsc#1095344).
- xfs: split xfs_bmap_shift_extents (bsc#1095344).
- xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_collapse_extents (bsc#1095344).
- xfs: treat idx as a cursor in xfs_bmap_del_extent_* (bsc#1095344).
- xfs: update freeblocks counter after extent deletion (bsc#1095344).
- xfs: update got in xfs_bmap_shift_update_extent (bsc#1095344).
- xfs: use a b+tree for the in-core extent list (bsc#1095344).
- xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay} (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_read (bsc#1095344).
- xfs: use new extent lookup helpers in xfs_bmapi_write (bsc#1095344).
- xfs: use new extent lookup helpers in __xfs_bunmapi (bsc#1095344).
- xfs: use the state defines in xfs_bmap_del_extent_real (bsc#1095344).
- xfs: use xfs_bmap_del_extent_delay for the data fork as well (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents (bsc#1095344).
- xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at (bsc#1095344).
- xfs: use xfs_iext_get_extent instead of open coding it (bsc#1095344).
- xfs: use xfs_iext_get_extent in xfs_bmap_first_unused (bsc#1095344).


-----------------------------------------
Patch: SUSE-2018-2160
Released: Fri Oct  5 14:44:29 2018
Summary: Recommended update for kdump
Severity: important
References: 1091186,1102609,1107098,1108170,1109784
Description:
This update for kdump provides the following fixes:

- fadump: Add udev event support for fadump. (bsc#1108170)
- Turn off NUMA in the kdump kernel. (bsc#1109784, bsc#1102609)


-----------------------------------------
Patch: SUSE-2018-2162
Released: Fri Oct  5 14:46:53 2018
Summary: Recommended update for krb5
Severity: moderate
References: 1088921
Description:
This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime.
  (bsc#1088921)


-----------------------------------------
Patch: SUSE-2018-2178
Released: Tue Oct  9 09:00:27 2018
Summary: Recommended update for at
Severity: low
References: 879402
Description:
This update for at fixes the following issues:

- introduced -o <timeformat> switch for atq (bsc#879402)


-----------------------------------------
Patch: SUSE-2018-2180
Released: Tue Oct  9 09:01:37 2018
Summary: Recommended update for yast2-support
Severity: moderate
References: 1093358
Description:
This update for yast2-support provides the following fixes:

- Make the 'Next' button to submit the gathered information visible in ncurses.
  (bsc#1093358)
- Make the Contact Information screen fit in a 80x24 terminal.


-----------------------------------------
Patch: SUSE-2018-2181
Released: Tue Oct  9 11:08:20 2018
Summary: Security update for libxml2
Severity: moderate
References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
  denial of service (infinite loop) via a crafted XML file that triggers
  LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
  file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
  (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
  function when parsing an invalid XPath expression in the XPATH_OP_AND or
  XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a
  denial of service (memory consumption) via a crafted LZMA file, because the
  decoder functionality did not restrict memory usage to what is required for a
  legitimate file (bsc#1088601).


-----------------------------------------
Patch: SUSE-2018-2189
Released: Tue Oct  9 14:15:17 2018
Summary: Recommended update for sudo
Severity: low
References: 1053911,1071379,1098628
Description:
This update for sudo provides the following fix:

- Fix double free if ipa_hostname is not fully qualified. (bsc#1098628)
- Disable insults by default at build time. For new installations this was done via
  sudoers file, but when upgrading from previous versions it would accidentally be
  enabled. (bsc#1053911)
- Remove not needed sudoers.dist file. (bsc#1071379)


-----------------------------------------
Patch: SUSE-2018-2196
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Toolchain Module by this
update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:

        https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

        https://gcc.gnu.org/gcc-8/porting_to.html




-----------------------------------------
Patch: SUSE-2018-2202
Released: Thu Oct 11 20:46:27 2018
Summary: Security update for libX11 and libxcb
Severity: moderate
References: 1094327,1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600
Description:
This update for libX11 and libxcb fixes the following issue:

libX11:

These security issues were fixed:

- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
  error caused by malicious server responses, leading to DoS or possibly
  unspecified other impact (bsc#1102062).
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
  instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
  leading to DoS or remote code execution (bsc#1102068).
- CVE-2018-14598: A malicious server could have sent a reply in which the first
  string overflows, causing a variable to be set to NULL that will be freed later
  on, leading to DoS (segmentation fault) (bsc#1102073).

This non-security issue was fixed:

- Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit
  sequence number wrap in libX11 (bsc#1094327).

libxcb:

- Expose 64-bit sequence number from XCB API so that Xlib and others can use it even
  on 32-bit environment. (bsc#1094327)


-----------------------------------------
Patch: SUSE-2018-2203
Released: Fri Oct 12 09:21:04 2018
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1110930
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to address the following issue:

A regression in the multipath code introduced by the previous maintenance update could have prevented some machines from booting.
(bsc#1110930).



-----------------------------------------
Patch: SUSE-2018-2217
Released: Fri Oct 12 15:07:24 2018
Summary: Recommended update for bash
Severity: moderate
References: 1094121,1107430
Description:
This update for bash provides the following fixes:

- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crashe due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.


-----------------------------------------
Patch: SUSE-2018-2231
Released: Mon Oct 15 14:45:54 2018
Summary: Recommended update for xorg-x11-server
Severity: moderate
References: 1051350,1109187
Description:
This update for xorg-x11-server provides the following fixes:

- Fix XFillPolygon via GLAMOR. This makes the selected cell in LibreOffice Calc visible
  on Intel Gen4 graphics. (bsc#1051350)
- Fix a shader compile failure which resulted in an Xserver crash. (bsc#1109187)


-----------------------------------------
Patch: SUSE-2018-2242
Released: Tue Oct 16 11:14:50 2018
Summary: Security update for samba
Severity: moderate
References: 1068059,1087931,1095057,1102230,1110943,CVE-2018-10919
Description:


Samba was updated to 4.6.15, bringing bug and security fixes. (bsc#1110943)

Following security issues were fixed:

- CVE-2018-10919: Fix unauthorized attribute access via searches. (bsc#1095057);

Non-security bugs fixed:

- Fix ctdb_mutex_ceph_rados_helper deadlock (bsc#1102230).
- Allow idmap_rid to have primary group other than 'Domain Users' (bsc#1087931).
- winbind: avoid using fstrcpy in _dual_init_connection.
- Fix ntlm authentications with 'winbind use default domain = yes' (bsc#1068059).


-----------------------------------------
Patch: SUSE-2018-2248
Released: Tue Oct 16 14:25:25 2018
Summary: Recommended update for rsyslog
Severity: moderate
References: 1084682,901418
Description:
This update for rsyslog provides the following fixes:

- Fix path to extra apparmor profiles. (bsc#901418)
- omfile: Assure proper logfile flush when using a configuration template that configures
  messages to be written to multiple files, otherwise only the last file would be flushed.
  (bsc#1084682)


-----------------------------------------
Patch: SUSE-2018-2295
Released: Wed Oct 17 14:49:05 2018
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1098220
Description:
This update for SUSEConnect fixes the following issues:

- Add detection for cloud provider systems (AWS/Google/Azure) (fate#320935)
- Does no longer raise an exception when SUSEConnect is being used with
  zypper's sub-command 'search-packages' behind an SMT (bsc#1098220)
- Does no longer install release packages if they are already present

-----------------------------------------
Patch: SUSE-2018-2296
Released: Wed Oct 17 14:49:12 2018
Summary: Recommended update for hwinfo
Severity: moderate
References: 1072450,1105003
Description:
This update for hwinfo provides the following fixes:

- Try a more aggressive approach to catch all usb platform controllers. (bsc#1072450)
- Detect ARM HISILICON SAS controller. (bsc#1072450)
- Check for vmware only when running in a vm. (bsc#1105003)
- Add support for RISC-V.


-----------------------------------------
Patch: SUSE-2018-2297
Released: Wed Oct 17 16:56:44 2018
Summary: Security update for binutils
Severity: moderate
References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368,CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Description:
This update for binutils to 2.31 fixes the following issues:

These security issues were fixed:

- CVE-2017-15996: readelf allowed remote attackers to cause a denial of service
  (excessive memory allocation) or possibly have unspecified other impact via a
  crafted ELF file that triggered a buffer overflow on fuzzed archive header
  (bsc#1065643).
- CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled
  NULL files in a .debug_line file table, which allowed remote attackers to cause
  a denial of service (NULL pointer dereference and application crash) via a
  crafted ELF file, related to concat_filename (bsc#1065689).
- CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd)
  miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object
  file, which allowed remote attackers to cause a denial of service
  (find_abstract_instance_name invalid memory read, segmentation fault, and
  application crash) (bsc#1065693).
- CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (invalid memory access and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068640).
- CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not validate size and offset values
  in the data dictionary, which allowed remote attackers to cause a denial of
  service (segmentation violation and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068643).
- CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not
  validate the symbol count, which allowed remote attackers to cause a denial of
  service (integer overflow and application crash, or excessive memory
  allocation) or possibly have unspecified other impact via a crafted PE file
  (bsc#1068887).
- CVE-2017-16830: The print_gnu_property_note function did not have
  integer-overflow protection on 32-bit platforms, which allowed remote attackers
  to cause a denial of service (segmentation violation and application crash) or
  possibly have unspecified other impact via a crafted ELF file (bsc#1068888).
- CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which
  allowed remote attackers to cause a denial of service (out-of-bounds read and
  application crash) or possibly have unspecified other impact via a crafted ELF
  file (bsc#1068950).
- CVE-2017-16828: The display_debug_frames function allowed remote attackers to
  cause a denial of service (integer overflow and heap-based buffer over-read,
  and application crash) or possibly have unspecified other impact via a crafted
  ELF file (bsc#1069176).
- CVE-2017-16827: The aout_get_external_symbols function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (slurp_symtab invalid free and application crash) or possibly
  have unspecified other impact via a crafted ELF file (bsc#1069202).
- CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) had an unsigned integer overflow because bfd_size_type
  multiplication is not used. A crafted ELF file allowed remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact (bsc#1077745).
- CVE-2018-6543: Prevent integer overflow in the function
  load_specific_debug_section() which resulted in `malloc()` with 0 size. A
  crafted ELF file allowed remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact (bsc#1079103).
- CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File
  Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation.
  Remote attackers could have leveraged this vulnerability to cause a denial of
  service (segmentation fault) via a crafted ELF file (bsc#1079741).
- CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (out-of-bounds read and segmentation violation) via a note with a large
  alignment (bsc#1080556).
- CVE-2018-7208: In the coff_pointerize_aux function in the Binary File
  Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed
  remote attackers to cause a denial of service (segmentation fault) or possibly
  have unspecified other impact via a crafted file, as demonstrated by objcopy of
  a COFF object (bsc#1081527).
- CVE-2018-7570: The assign_file_positions_for_non_load_sections function in
  the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers
  to cause a denial of service (NULL pointer dereference and application crash)
  via an ELF file with a RELRO segment that lacks a matching LOAD segment, as
  demonstrated by objcopy (bsc#1083528).
- CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed
  remote attackers to cause a denial of service (integer underflow or overflow,
  and application crash) via an ELF file with a corrupt DWARF FORM block, as
  demonstrated by nm (bsc#1083532).
- CVE-2018-8945: The bfd_section_from_shdr function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (segmentation fault) via a large attribute section
  (bsc#1086608).
- CVE-2018-7643: The display_debug_ranges function allowed remote attackers to
  cause a denial of service (integer overflow and application crash) or possibly
  have unspecified other impact via a crafted ELF file, as demonstrated by
  objdump (bsc#1086784).
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (aout_32_swap_std_reloc_out NULL pointer dereference and application
  crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786).
- CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD)
  library (aka libbfd) allowed remote attackers to cause a denial of service
  (integer overflow and application crash) via an ELF file with corrupt dwarf1
  debug information, as demonstrated by nm (bsc#1086788).
- CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library
  (aka libbfd) allowed remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted binary file, as
  demonstrated by nm-new (bsc#1090997).
- CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a
  denial of service (heap-based buffer over-read and application crash) via a
  crafted binary file, as demonstrated by readelf (bsc#1091015).
- CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor
  (BFD) library (aka libbfd) did not validate the output_section pointer in the
  case of a symtab entry with a 'SECTION' type that has a '0' value, which
  allowed remote attackers to cause a denial of service (NULL pointer dereference
  and application crash) via a crafted file, as demonstrated by objcopy
  (bsc#1091365).
- CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the
  Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data
  Directory size with an unbounded loop that increased the value of
  (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own
  memory region, resulting in an out-of-bounds memory write, as demonstrated by
  objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common
  in pex64igen.c (bsc#1091368).

These non-security issues were fixed:

- The AArch64 port now supports showing disassembly notes which are emitted
  when inconsistencies are found with the instruction that may result in the
  instruction being invalid. These can be turned on with the option -M notes
  to objdump.
- The AArch64 port now emits warnings when a combination of an instruction and
  a named register could be invalid.
- Added O modifier to ar to display member offsets inside an archive
- The ADR and ADRL pseudo-instructions supported by the ARM assembler
  now only set the bottom bit of the address of thumb function symbols
  if the -mthumb-interwork command line option is active.
- Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU
  Build Attribute notes if none are present in the input sources.  Add a
  --enable-generate-build-notes=[yes|no] configure time option to set the
  default behaviour.  Set the default if the configure option is not used
  to 'no'.
- Remove -mold-gcc command-line option for x86 targets.
- Add -O[2|s] command-line options to x86 assembler to enable alternate
  shorter instruction encoding.
- Add support for .nops directive.  It is currently supported only for
  x86 targets.
- Speed up direct linking with DLLs for Cygwin and Mingw targets.
- Add a configure option --enable-separate-code to decide whether
  -z separate-code should be enabled in ELF linker by default.  Default
  to yes for Linux/x86 targets. Note that -z separate-code can increase
  disk and memory size.
- RISC-V: Fix symbol address problem with versioned symbols 
- Restore riscv64-elf cross prefix via symlinks
- RISC-V: Don't enable relaxation in relocatable link
- Prevent linking faiures on i386 with assertion (bsc#1085784)
- Fix symbol size bug when relaxation deletes bytes
- Add --debug-dump=links option to readelf and --dwarf=links option to objdump
  which displays the contents of any .gnu_debuglink or .gnu_debugaltlink
  sections.
  Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links
  option to objdump which causes indirect links into separate debug info files
  to be followed when dumping other DWARF sections.
- Add support for loaction views in DWARF debug line information.
- Add -z separate-code to generate separate code PT_LOAD segment.
- Add '-z undefs' command line option as the inverse of the '-z defs' option.
- Add -z globalaudit command line option to force audit libraries to be run
  for every dynamic object loaded by an executable - provided that the loader
  supports this functionality.
- Tighten linker script grammar around file name specifiers to prevent the use
  of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames.  These would
  previously be accepted but had no effect.
- The EXCLUDE_FILE directive can now be placed within any SORT_* directive
  within input section lists.
- Fix linker relaxation with --wrap
- Add arm-none-eabi symlinks (bsc#1074741)

Former updates of binutils also fixed the following security issues, for which
there was not CVE assigned at the time the update was released or no mapping
between code change and CVE existed:

- CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel
  Hex objects (bsc#1030296).
- CVE-2017-7225: The find_nearest_line function in addr2line did not handle the
  case where the main file name and the directory name are both empty, triggering
  a NULL pointer dereference and an invalid write, and leading to a program crash
  (bsc#1030585).
- CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an
  invalid write (of size 1) while disassembling a corrupt binary that contains an
  empty function name, leading to a program crash (bsc#1030588).
- CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow
  (of size 1) while attempting to unget an EOF character from the input stream,
  potentially leading to a program crash (bsc#1030589).
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of
  size 4049 because it used the strlen function instead of strnlen, leading to
  program crashes in several utilities such as addr2line, size, and strings. It
  could lead to information disclosure as well (bsc#1030584).
- CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an
  invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link
  function in bfd/elflink.c) did not check the format of the input file trying to
  read the ELF reloc section header. The vulnerability leads to a GNU linker (ld)
  program crash (bsc#1031644).
- CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a
  heap-based buffer over-read (off-by-one) because of an incomplete check for
  invalid string offsets while loading symbols, leading to a GNU linker (ld)
  program crash (bsc#1031656).
- CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a
  swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid
  read (of size 4) because of missing checks for relocs that could not be
  recognised. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031595).
- CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 4) because of missing a check (in the
  find_link function) for null headers attempting to match them. This
  vulnerability caused Binutils utilities like strip to crash (bsc#1031593).
- CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one
  vulnerability because it did not carefully check the string offset. The
  vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638).
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 8) because of missing a check (in the
  copy_special_section_fields function) for an invalid sh_link field attempting
  to follow it. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031590).
- CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 8 because of missing a check to determine
  whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This
  vulnerability caused programs that conduct an analysis of binary programs using
  the libbfd library, such as objdump, to crash (bsc#1037052).
- CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to a global buffer over-read error because of an assumption made by
  code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always
  named starting with a .rel/.rela prefix. This vulnerability caused programs
  that conduct an analysis of binary programs using the libbfd library, such as
  objcopy and strip, to crash (bsc#1037057).
- CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of
  _bfd_elf_large_com_section. This vulnerability caused programs that conduct an
  analysis of binary programs using the libbfd library, such as objcopy, to crash
  (bsc#1037061).
- CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 1 because the existing reloc offset range
  tests didn't catch small negative offsets less than the size of the reloc
  field. This vulnerability caused programs that conduct an analysis of binary
  programs using the libbfd library, such as objdump, to crash (bsc#1037066).
- CVE-2017-8421: The function coff_set_alignment_hook in Binary File Descriptor
  (BFD) library (aka libbfd) had a memory leak vulnerability which can cause
  memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote
  attackers to cause a denial of service (buffer overflow and application crash)
  or possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of rae insns printing for this file during 'objdump
  -D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) might have allowed remote attackers to cause a
  denial of service (buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted binary file, as demonstrated by
  mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) might have allowed remote attackers to cause a denial of
  service (buffer overflow and application crash) or possibly have unspecified
  other impact via a crafted binary file, as demonstrated by mishandling of this
  file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale
  arrays, which allowed remote attackers to cause a denial of service (buffer
  overflow and application crash) or possibly have unspecified other impact via a
  crafted binary file, as demonstrated by mishandling of this file during
  'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the the number of registers for bnd mode
  allowed remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of this file during 'objdump -D'
  execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers
  to cause a denial of service (buffer overflow and application crash) or
  possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of this file during 'objdump -D' execution
  (bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL
  pointer while reading section contents in a corrupt binary, leading to a
  program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt
  input files containing symbol-difference relocations, leading to a heap-based
  buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free)
  error while processing multiple, relocated sections in an MSP430 binary. This
  is caused by mishandling of an invalid symbol index, and mishandling of state
  across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while
  processing corrupt RL78 binaries. The vulnerability can trigger program
  crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer
  over-reads (of size 1 and size 8) while handling corrupt STABS enum type
  strings in a crafted object file, leading to program crash (bsc#1030297).
  

-----------------------------------------
Patch: SUSE-2018-2299
Released: Thu Oct 18 11:58:01 2018
Summary: Security update for fuse
Severity: moderate
References: 1101797,CVE-2018-10906
Description:
This update for fuse fixes the following security issue:

- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
  SELinux is active. This allowed non-root users to mount a FUSE file system with
  the 'allow_other' mount option regardless of whether 'user_allow_other' is set
  in the fuse configuration. An attacker may use this flaw to mount a FUSE file
  system, accessible by other users, and trick them into accessing files on that
  file system, possibly causing Denial of Service or other unspecified effects
  (bsc#1101797)


-----------------------------------------
Patch: SUSE-2018-2324
Released: Fri Oct 19 14:44:21 2018
Summary: Recommended update for man-pages
Severity: low
References: 1077249
Description:
This update for man-pages provides the following fix:

- ip.7: Document IP_BIND_ADDRESS_NO_PORT. (bsc#1077249)


-----------------------------------------
Patch: SUSE-2018-2331
Released: Fri Oct 19 14:49:17 2018
Summary: Recommended update for tdb
Severity: moderate
References: 1109571
Description:
This update for tdb fixes the following issues:

- Update license to LGPL 3.0 or later. (bsc#1109571)


-----------------------------------------
Patch: SUSE-2018-2341
Released: Sat Oct 20 09:50:41 2018
Summary: Recommended update for pciutils
Severity: moderate
References: 1098094,1098228
Description:
This update for pciutils provides the following fixes:

- Fix the displaying of the gen4 speed for GEN 4 cards like Mellanox CX5. (bsc#1098094)
- Add support for commonly used vendor specific VPD keywords described in 'Table 160.
  LoPAPR VPD Fields' of the Linux on Power Architecture Platform Reference (LoPAPR).
  (bsc#1098228)


-----------------------------------------
Patch: SUSE-2018-2342
Released: Sat Oct 20 09:51:41 2018
Summary: Recommended update for ldb
Severity: moderate
References: 1109571
Description:
This update for ldb fixes the following issues:
    
    - Update license to LGPL 3.0 or later. (bsc#1109571)
  

-----------------------------------------
Patch: SUSE-2018-2369
Released: Mon Oct 22 14:01:11 2018
Summary: Recommended update for tevent
Severity: moderate
References: 1109571
Description:
This update for tevent fixes the following issues:

- Update license to LGPL 3.0 or later. (bsc#1109571)


-----------------------------------------
Patch: SUSE-2018-2373
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:

- Use ksym-provides tool [bsc#1077692]


-----------------------------------------
Patch: SUSE-2018-2375
Released: Mon Oct 22 15:30:22 2018
Summary: Security update for tiff
Severity: moderate
References: 1106853,1108627,1108637,1110358,CVE-2017-11613,CVE-2017-9935,CVE-2018-16335,CVE-2018-17100,CVE-2018-17101,CVE-2018-17795
Description:
This update for tiff fixes the following issues:

- CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637)
- CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)
- CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853)


-----------------------------------------
Patch: SUSE-2018-2383
Released: Tue Oct 23 10:35:54 2018
Summary: Recommended update for tigervnc
Severity: low
References: 1075403
Description:
This update for tigervnc fixes the following issues:

- Fix 16bit depth support in the java viewer. (bsc#1075403)


-----------------------------------------
Patch: SUSE-2018-2388
Released: Tue Oct 23 10:37:43 2018
Summary: Recommended update for yast2-installation
Severity: low
References: 1099505
Description:
This update for yast2-installation provides the following fix:

- Disable displaying of status messages on the console. (bsc#1099505)


-----------------------------------------
Patch: SUSE-2018-2404
Released: Tue Oct 23 16:44:03 2018
Summary: Security update for ntp
Severity: moderate
References: 1083424,1098531,1111853,CVE-2018-12327,CVE-2018-7170
Description:

  
NTP was updated to 4.2.8p12 (bsc#1111853):

- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)

Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.



-----------------------------------------
Patch: SUSE-2018-2405
Released: Tue Oct 23 16:54:59 2018
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1085042,1112514
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to fix the following issue:

An incomplete fix to bsc#1085042 could have caused Xen guests to crash after a few minutes of running (bsc#1112514).

  

-----------------------------------------
Patch: SUSE-2018-2413
Released: Tue Oct 23 17:28:39 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1105849
Description:
This update for supportutils provides the following fix:

- Add vulnerabilities check. (bsc#1105849)


-----------------------------------------
Patch: SUSE-2018-2422
Released: Wed Oct 24 10:30:28 2018
Summary: Recommended update for grub2
Severity: moderate
References: 1093145,1105457
Description:
This update for grub2 fixes the following issues:

- Implement FCP methods for WWPN and LUNs (bsc#1093145)
- Fix DNS device path parsing for efinet device (bsc#1105457)

-----------------------------------------
Patch: SUSE-2018-2423
Released: Wed Oct 24 10:31:10 2018
Summary: Recommended update for libXaw
Severity: moderate
References: 1098411
Description:
This update for libXaw provides the following fix:

- Fix a crash when the required font is not installed. (bsc#1098411)


-----------------------------------------
Patch: SUSE-2018-2435
Released: Wed Oct 24 14:42:43 2018
Summary: Recommended update for systemd
Severity: important
References: 1015254,1091677,1093753,1105031,1107640,1107941,1109197,991901
Description:
This update for systemd fixes the following issues:

- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- units: remove udev control socket when systemd stops the socket unit (#4039) (bsc#1015254)
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- tmpfiles: don't adjust qgroups on existing subvolumes (bsc#1093753)
- socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails (bsc#991901)
- user@.service: don't kill user manager at runlevel switch (bsc#1091677)
- units: make sure user@.service runs with dbus still up
- fix race between daemon-reload and other commands (bsc#1105031)
- nspawn: always use mode 555 for /sys (bsc#1107640)
- cryptsetup: do not define arg_sector_size if libgcrypt is v1.x (#9990)
- Enable or disable machines.target according to the presets (bsc#1107941)



-----------------------------------------
Patch: SUSE-2018-2437
Released: Wed Oct 24 16:36:46 2018
Summary: Recommended update for several Python modules
Severity: moderate
References: 1054413
Description:
This update provides several new Python modules and adds the Python 3
variants of existing modules to the Public Cloud Module.

The following Python 2 and Python 3 modules got added:

- python-appdirs
- python-python-dateutil

The following Python 3 modules got added:

- python-PySocks
- python-blinker
- python-certifi
- python-pytz

Additionally, the following packages have been updated:

python-PySocks from version 1.5.6 to 1.6.8.
python-certifi from version 2015.9.6.2 to 2018.4.16.
python-pytz from version 2016.10 to 2018.3.

-----------------------------------------
Patch: SUSE-2018-2449
Released: Thu Oct 25 09:43:12 2018
Summary: Recommended update for yast2-core
Severity: low
References: 1103076
Description:
This update for yast2-core fixes the following issues:

- Reduced risk of race condition between getenv and setenv while
  logging (bsc#1103076)


-----------------------------------------
Patch: SUSE-2018-2451
Released: Thu Oct 25 09:44:19 2018
Summary: Recommended update for branding-SLE
Severity: moderate
References: 1083702
Description:
This update for branding-SLE fixes the following issues:

- Parse '\n' in plymouth theme text to new lines (bsc#1083702)


-----------------------------------------
Patch: SUSE-2018-2455
Released: Thu Oct 25 11:20:07 2018
Summary: Recommended update for rsync
Severity: low
References: 1083017
Description:
This update for rsync provides the following fix:

- Do not send useless keepalive messages to sender if the file list is still being sent.
  This may cause a crash in older versions of rsync. (bsc#1083017)


-----------------------------------------
Patch: SUSE-2018-2457
Released: Thu Oct 25 12:44:39 2018
Summary: Recommended update for iproute2
Severity: moderate
References: 1064346,1081176
Description:
This update for iproute2 fixes the following issues:

- Add missing support for the following kernel features (bsc#1081176):
  * 'stable_secret' and 'random' values for addrgenmode
  * VF trust
  * Infiniband VF port_guid and node_guid
  * VF VLAN 802.1ad support

- Fix single line output of 'ip -d link'. (bsc#1064346)


-----------------------------------------
Patch: SUSE-2018-2464
Released: Thu Oct 25 14:49:05 2018
Summary: Recommended update for libyui-ncurses-pkg
Severity: moderate
References: 991090
Description:
This update for libyui-ncurses-pkg provides the following fixes:

- Do not display 'out of disk space' error at start when such
  a large disk (bigger than 8EiB) is present in the system. (bsc#991090)
- Fix displaying negative disk sizes in the disk usage dialog. (bsc#991090)


-----------------------------------------
Patch: SUSE-2018-2465
Released: Thu Oct 25 14:49:32 2018
Summary: Recommended update for yast2-packager
Severity: moderate
References: 1073696,926841,991090
Description:
This update for yast2-packager provides the following fixes:

- Do not display a false 'not enough free space' warning popup if the free space is bigger
  than 8EiB (2^63). (bsc#991090)
- Do not display the 'not enough free space' warning for partitions where nothing is going
  to be installed. (bsc#926841)
- Check the parent directory if the target directory does not exist. (bsc#1073696)


-----------------------------------------
Patch: SUSE-2018-2473
Released: Thu Oct 25 16:55:27 2018
Summary: Recommended update for tar
Severity: low
References: 1071340
Description:
This update for tar provides the following fix:

- Revert an upstream commit meant for optimizing sparse files as it causes a regression on
  offline files. (bsc#1071340)


-----------------------------------------
Patch: SUSE-2018-2475
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries
  (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)


-----------------------------------------
Patch: SUSE-2018-2476
Released: Thu Oct 25 16:57:26 2018
Summary: Recommended update for fping
Severity: important
References: 988195
Description:
This update for fping provides the following fix:

-  Fix a problem that was causing fping to flood /tmp after a network stop. (bsc#988195)


-----------------------------------------
Patch: SUSE-2018-2488
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions.
  (bsc#1076810, bsc#889138)


-----------------------------------------
Patch: SUSE-2018-2501
Released: Fri Oct 26 15:21:20 2018
Summary: Recommended update for SUSEConnect
Severity: important
References: 1101470,1104183,1112702
Description:
This update for SUSEConnect fixes the following issues:

- Fix s390 activation fails due to unavailable 'dmidecode'. (bsc#1112702)
- Fix migration targets sorting. (bsc#1104183)

-----------------------------------------
Patch: SUSE-2018-2503
Released: Fri Oct 26 16:01:52 2018
Summary: Initial release of python-pyudev
Severity: low
References: 1107264
Description:
This update provides python-pyudev for the SUSE Linux Enterprise Desktop 12 SP3.

This package provides a Python binding to libudev, the hardware management library and service found
in modern linux systems.

-----------------------------------------
Patch: SUSE-2018-2516
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps.
  (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and
  console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
    * Disable characters greater than or equal to =U+F000 as they do not work properly.
      (bsc#1085432)
    * Move initial NumLock handling from systemd back to kbd:
      * Add kbdsettings service. (bsc#1010880)
      * Exclude numlockbios support for non x86 platforms
    * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
    * Drop from some fill-up templates and a couple of sysconfig variables not read by
      systemd anymore. (fate#319454)
    * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
    * Add vlock.pamd PAM file. (bsc#1056449)
    * Enable vlock (bsc#1056449).
    * Revert dropping of kdb-legacy requirement as there are still packages and installation
      flows that needs this to be present. (bsc#1027379)
    * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
    * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
    * Call missing initrd macro at postun. (bsc#958562)
    * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table
      from xkeyboard-config converted keymaps. (fate#318426)
    * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts
      and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
    * Include xkb layouts from xkeyboard-config converted to console
      keymaps. (fate#318426)
    * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign.
      (bsc#360993)
    * Drop doshell reference from openvt.1 man page. (bsc#675317)
    * Drop the --userwait option as it is not used. (bsc#830805)
    * Fix a typo in the mac-querty-layout.inc. (bsc#825385)


-----------------------------------------
Patch: SUSE-2018-2520
Released: Mon Oct 29 17:28:57 2018
Summary: Security update for python, python-base
Severity: moderate
References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:

- CVE-2018-1000802: Prevent command injection in shutil module (make_archive
  function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in
  difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in
  apop() method in pop3lib (bsc#1088009).

Bug fixes:

- bsc#1086001: python tarfile uses random order.


-----------------------------------------
Patch: SUSE-2018-2524
Released: Tue Oct 30 07:16:24 2018
Summary: Recommended update for autoyast2
Severity: moderate
References: 1091415,1108829
Description:
This update for autoyast2 fixes the following issues:

- Always export the partition_type for MS-DOS partition tables (bsc#1091415)
- Handles now DASD or zFCP devices even when the profile is not in a remote location (bsc#1108829)


-----------------------------------------
Patch: SUSE-2018-2525
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:

  Recently released update introduced a change of behavior which
  resulted in broken customers scripts. (bsc#1113117)


-----------------------------------------
Patch: SUSE-2018-2533
Released: Tue Oct 30 16:14:24 2018
Summary: Recommended update for cronie
Severity: moderate
References: 1017160,1077979
Description:
This update for cronie provides the following fixes:

- Prefer flock locking instead of fcntl locking that has different semantics. It caused a
  bug where it was possible to run more than one cron process as the locking was not
  successful. (bsc#1017160)
- Check the existence of the user at the time the job is run and do not ignore jobs for
  users that were not existing at database reload. This prevents cron from ignoring jobs
  in user crontab for users that changed group meanwhile. (bsc#1077979)


-----------------------------------------
Patch: SUSE-2018-2537
Released: Tue Oct 30 16:16:30 2018
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: moderate
References: 1102564
Description:
This update for lifecycle-data-sle-module-toolchain fixes the following issues:

- Added expiration data for Summer 2017 Refresh. (FATE#326486, bsc#1102564)


-----------------------------------------
Patch: SUSE-2018-2541
Released: Tue Oct 30 17:20:58 2018
Summary: Security update for apache2
Severity: important
References: 1109961,CVE-2018-11763
Description:
This update for apache2 fixes the following issues:

Security issues fixed:

- CVE-2018-11763: In Apache HTTP Server by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. (bsc#1109961)



-----------------------------------------
Patch: SUSE-2018-2542
Released: Wed Oct 31 10:45:41 2018
Summary: Security update for audiofile
Severity: moderate
References: 1111586,CVE-2018-17095
Description:
This update for audiofile fixes the following issues:

- CVE-2018-17095: A heap-based buffer overflow in Expand3To4Module::run could occurred when running sfconvert leading to crashes or code execution when handling untrusted soundfiles (bsc#1111586).


-----------------------------------------
Patch: SUSE-2018-2549
Released: Wed Oct 31 15:03:45 2018
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss
Severity: important
References: 1012260,1021577,1026191,1041469,1041894,1049703,1061204,1064786,1065464,1066489,1073210,1078436,1091551,1092697,1094767,1096515,1107343,1108771,1108986,1109363,1109465,1110506,1110507,703591,839074,857131,893359,CVE-2017-16541,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12379,CVE-2018-12381,CVE-2018-12383,CVE-2018-12385,CVE-2018-12386,CVE-2018-12387
Description:
This update for MozillaFirefox to ESR 60.2.2 fixes several issues.

These general changes are part of the version 60 release.

- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
  authentication to web sites

The following changes affect compatibility:
    
- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted 
  The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate
  trust in those certificates

The following issues affect performance:

- new format for storing private keys, certificates and certificate trust
  If the user home or data directory is on a network file system, it is
  recommended that users set the following environment variable to avoid
  slowdowns: NSS_SDB_USE_CACHE=yes
  This setting is not recommended for local, fast file systems. 

These security issues were fixed:

- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution (bsc#1110506)
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process (bsc#1110507)
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data  (bsc#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords  (bsc#1107343)

This update for mozilla-nspr to version 4.19 fixes the follwing issues

- Added TCP Fast Open functionality
- A socket without PR_NSPR_IO_LAYER will no longer trigger
  an assertion when polling

This update for mozilla-nss to version 3.36.4 fixes the follwing issues

- Connecting to a server that was recently upgraded to TLS 1.3
  would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified
  HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20
  and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
  OU = Security Communication EV RootCA1
  CN = CA Disig Root R1
  CN = DST ACES CA X6
  Certum CA, O=Unizeto Sp. z o.o.
  StartCom Certification Authority
  StartCom Certification Authority G2
  TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  ACEDICOM Root
  Certinomis - Autorité Racine
  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  PSCProcert
  CA 沃通根证书, O=WoSign CA Limited
  Certification Authority of WoSign
  Certification Authority of WoSign G2
  CA WoSign ECC Root
  Subject CN = VeriSign Class 3 Secure Server CA - G2
  O = Japanese Government, OU = ApplicationCA
  CN = WellsSecure Public Root Certificate Authority
  CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  CN = Microsec e-Szigno Root
* The following CA certificates were Removed:
  AddTrust Public CA Root
  AddTrust Qualified CA Root
  China Internet Network Information Center EV Certificates Root
  CNNIC ROOT
  ComSign Secured CA
  GeoTrust Global CA 2
  Secure Certificate Services
  Swisscom Root CA 1
  Swisscom Root EV CA 2
  Trusted Certificate Services
  UTN-USERFirst-Hardware
  UTN-USERFirst-Object
* The following CA certificates were Added
  CN = D-TRUST Root CA 3 2013
  CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
  GDCA TrustAUTH R5 ROOT
  SSL.com Root Certification Authority RSA
  SSL.com Root Certification Authority ECC
  SSL.com EV Root Certification Authority RSA R2
  SSL.com EV Root Certification Authority ECC
  TrustCor RootCert CA-1
  TrustCor RootCert CA-2
  TrustCor ECA-1
* The Websites (TLS/SSL) trust bit was turned off for the following
  CA certificates:
  CN = Chambers of Commerce Root
  CN = Global Chambersign Root
* TLS servers are able to handle a ClientHello statelessly, if the
  client supports TLS 1.3.  If the server sends a HelloRetryRequest,
  it is possible to discard the server socket, and make a new socket
  to handle any subsequent ClientHello. This better enables stateless
  server operation. (This feature is added in support of QUIC, but it
  also has utility for DTLS 1.3 servers.)

Due to the update of mozilla-nss apache2-mod_nss needs to be updated to 
change to the SQLite certificate database, which is now the default (bsc#1108771)
  

-----------------------------------------
Patch: SUSE-2018-2554
Released: Fri Nov  2 12:42:11 2018
Summary: Recommended update for yast2-registration
Severity: low
References: 1043125,1045344,1088552,1100199,1102540,1103412
Description:
This update for yast2-registration provides the following fixes:

- RegistrationCode widget: Use always the custom url instead of the cached one. (bsc#1100199)
- Do not crash if getting zypp lock failed. (bnc#1043125)
- Do not build on 32-bit archs as SUSEConnect is not available there. (bsc#1088552)
- Do not display a hint about the old registration server when SCC is used. (bsc#1045344)
- Updated the unit test to pass with the latest SUSEConnect. (bsc#1102540)
- Fix online migration on PPC. (bsc#1103412)
- Check the non-installed addon products, as some specific repositories do not provide any
  product.


-----------------------------------------
Patch: SUSE-2018-2563
Released: Fri Nov  2 17:09:49 2018
Summary: Security update for curl
Severity: moderate
References: 1112758,1113660,CVE-2018-16840,CVE-2018-16842
Description:
This update for curl fixes the following issues:

- CVE-2018-16840: A use after free in closing SASL handles was fixed (bsc#1112758)
- CVE-2018-16842: A Out-of-bounds Read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)



-----------------------------------------
Patch: SUSE-2018-2567
Released: Fri Nov  2 18:59:06 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:

This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)



-----------------------------------------
Patch: SUSE-2018-2593
Released: Wed Nov  7 11:04:00 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms
  scripts (bsc#1095148)

-----------------------------------------
Patch: SUSE-2018-2594
Released: Wed Nov  7 11:13:54 2018
Summary: Security update for libarchive
Severity: moderate
References: 1032089,1037008,1037009,1057514,1059100,1059134,1059139,CVE-2016-10209,CVE-2016-10349,CVE-2016-10350,CVE-2017-14166,CVE-2017-14501,CVE-2017-14502,CVE-2017-14503
Description:
This update for libarchive fixes the following issues:

- CVE-2016-10209: The archive_wstring_append_from_mbs function in archive_string.c allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive file. (bsc#1032089)
- CVE-2016-10349: The archive_le32dec function in archive_endian.h allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037008)
- CVE-2016-10350: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c allowed remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (bsc#1037009)
- CVE-2017-14166: libarchive allowed remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. (bsc#1057514)
- CVE-2017-14501: An out-of-bounds read flaw existed in parse_file_info in archive_read_support_format_iso9660.c when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header. (bsc#1059139)
- CVE-2017-14502: read_header in archive_read_support_format_rar.c suffered from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. (bsc#1059134)
- CVE-2017-14503: libarchive suffered from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. (bsc#1059100)



-----------------------------------------
Patch: SUSE-2018-2611
Released: Thu Nov  8 10:29:25 2018
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: moderate
References: 1114275
Description:
This update for lifecycle-data-sle-module-toolchain fixes the following issues:

- Added missing Summer 2017 Refresh items (EOL of cross-nvptx-gcc7). (bsc#1114275)


-----------------------------------------
Patch: SUSE-2018-2614
Released: Thu Nov  8 17:00:56 2018
Summary: Recommended update for rubygem-cfa_grub2
Severity: low
References: 1044409,1068578
Description:
This update for rubygem-cfa_grub2 provides the following fixes:

- Do not share parsers to avoid use of wrong file content as cache. (bsc#1044409)
- Avoid crashing if the config file uses trailing comments. (bsc#1068578)
- Fix reading GRUB_TERMINAL.


-----------------------------------------
Patch: SUSE-2018-2615
Released: Thu Nov  8 17:01:34 2018
Summary: Recommended update for rpcbind
Severity: moderate
References: 969953
Description:
This update for rpcbind fixes the following issues:

- Fix stack buffer overflow in tools. (bsc#969953)


-----------------------------------------
Patch: SUSE-2018-2621
Released: Fri Nov  9 17:00:27 2018
Summary: Security update for the Linux Kernel
Severity: important
References: 1011920,1012382,1012422,1020645,1031392,1035053,1042422,1043591,1048129,1050431,1050549,1053043,1054239,1057199,1065600,1065726,1067906,1073579,1076393,1078788,1079524,1082519,1083215,1083527,1084760,1089343,1091158,1093118,1094244,1094825,1095805,1096052,1098050,1098996,1099597,1101555,1103308,1103405,1104124,1105025,1105428,1105795,1105931,1106105,1106110,1106240,1106293,1106359,1106434,1106594,1106913,1106929,1107060,1107299,1107318,1107535,1107829,1107870,1108315,1108377,1108498,1109158,1109333,1109772,1109784,1109806,1109818,1109907,1109919,1109923,1110006,1110363,1110468,1110600,1110601,1110602,1110603,1110604,1110605,1110606,1110611,1110612,1110613,1110614,1110615,1110616,1110618,1110619,1111363,1111516,1111870,1112007,1112262,1112263,1112894,1112902,1112903,1112905,1113667,1113751,1113769,1114178,1114229,1114648,981083,997172,CVE-2018-14633,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-9516
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).
- CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).
- CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).
- CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).
- CVE-2018-18710: An issue was discovered in the Linux kernel An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).
- CVE-2018-9516: A lack of certain checks in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file might have resulted in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. (bnc#1108498).

The following non-security bugs were fixed:

- 6lowpan: iphc: reset mac_header after decompress to fix panic (bnc#1012382).
- alsa: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping (bnc#1012382).
- alsa: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO (bnc#1012382).
- alsa: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).
- alsa: hda - Fix cancel_work_sync() stall from jackpoll work (bnc#1012382).
- alsa: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760 (bnc#1012382).
- alsa: msnd: Fix the default sample sizes (bnc#1012382).
- alsa: pcm: Fix snd_interval_refine first/last with open min/max (bnc#1012382).
- alsa: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro (bnc#1012382).
- apparmor: remove no-op permission check in policy_unpack (git-fixes).
- arc: build: Get rid of toolchain check (bnc#1012382).
- arc: clone syscall to setp r25 as thread pointer (bnc#1012382).
- arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).
- arc: [plat-axs*]: Enable SWAP (bnc#1012382).
- arm64: bpf: jit JMP_JSET_{X,K} (bsc#1110613).
- arm64: Correct type for PUD macros (bsc#1110600).
- arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).
- arm64: dts: qcom: db410c: Fix Bluetooth LED trigger (bnc#1012382).
- arm64: fix erroneous __raw_read_system_reg() cases (bsc#1110606).
- arm64: Fix potential race with hardware DBM in ptep_set_access_flags() (bsc#1110605).
- arm64: fpsimd: Avoid FPSIMD context leakage for the init task (bsc#1110603).
- arm64: jump_label.h: use asm_volatile_goto macro instead of 'asm goto' (bnc#1012382).
- arm64: kasan: avoid bad virt_to_pfn() (bsc#1110612).
- arm64: kasan: avoid pfn_to_nid() before page array is initialized (bsc#1110619).
- arm64/kasan: do not allocate extra shadow memory (bsc#1110611).
- arm64: kernel: Update kerneldoc for cpu_suspend() rename (bsc#1110602).
- arm64: kgdb: handle read-only text / modules (bsc#1110604).
- arm64: kvm: Sanitize PSTATE.M when being set from userspace (bnc#1012382).
- arm64: kvm: Tighten guest core register access from userspace (bnc#1012382).
- arm64/mm/kasan: do not use vmemmap_populate() to initialize shadow (bsc#1110618).
- arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails (bsc#1110601).
- arm64: supported.conf: mark armmmci as not supported
- arm64 Update config files. (bsc#1110468) Set MMC_QCOM_DML to build-in and delete driver from supported.conf
- arm64: vdso: fix clock_getres for 4GiB-aligned res (bsc#1110614).
- arm: dts: at91: add new compatibility string for macb on sama5d3 (bnc#1012382).
- arm: dts: dra7: fix DCAN node addresses (bnc#1012382).
- arm: exynos: Clear global variable on init error path (bnc#1012382).
- arm: hisi: check of_iomap and fix missing of_node_put (bnc#1012382).
- arm: hisi: fix error handling and missing of_node_put (bnc#1012382).
- arm: hisi: handle of_iomap and fix missing of_node_put (bnc#1012382).
- arm: mvebu: declare asm symbols as character arrays in pmsu.c (bnc#1012382).
- ASoC: cs4265: fix MMTLR Data switch control (bnc#1012382).
- ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs (bnc#1012382).
- ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).
- ASoC: wm8804: Add ACPI support (bnc#1012382).
- ata: libahci: Correct setting of DEVSLP register (bnc#1012382).
- ath10k: disable bundle mgmt tx completion event support (bnc#1012382).
- ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).
- ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).
- ath10k: prevent active scans on potential unusable channels (bnc#1012382).
- ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).
- audit: fix use-after-free in audit_add_watch (bnc#1012382).
- autofs: fix autofs_sbi() does not check super block type (bnc#1012382).
- binfmt_elf: Respect error return from `regset->active' (bnc#1012382).
- bluetooth: Add a new Realtek 8723DE ID 0bda:b009 (bnc#1012382).
- bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV (bnc#1012382).
- bluetooth: hidp: Fix handling of strncpy for hid->name information (bnc#1012382).
- bnxt_en: Fix TX timeout during netpoll (bnc#1012382).
- bonding: avoid possible dead-lock (bnc#1012382).
- bpf: fix cb access in socket filter programs on tail calls (bsc#1012382).
- bpf: fix map not being uncharged during map creation failure (bsc#1012382).
- bpf, s390: fix potential memleak when later bpf_jit_prog fails (git-fixes).
- bpf, s390x: do not reload skb pointers in non-skb context (git-fixes).
- bsc#1106913: Replace with upstream variants
- btrfs: add a comp_refs() helper (dependency for bsc#1031392).
- btrfs: add missing initialization in btrfs_check_shared (Git-fixes bsc#1112262).
- btrfs: add tracepoints for outstanding extents mods (dependency for bsc#1031392).
- btrfs: add wrapper for counting BTRFS_MAX_EXTENT_SIZE (dependency for bsc#1031392).
- btrfs: cleanup extent locking sequence (dependency for bsc#1031392).
- btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag (Follow up fixes for bsc#1031392).
- btrfs: delayed-inode: Remove wrong qgroup meta reservation calls (bsc#1031392).
- btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item (bsc#1031392).
- btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency for bsc#1113667).
- btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).
- btrfs: fix error handling in btrfs_dev_replace_start (bsc#1107535).
- btrfs: fix invalid attempt to free reserved space on failure to cow range (dependency for bsc#1031392).
- btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes bsc#1109919).
- btrfs: Fix race condition between delayed refs and blockgroup removal (Git-fixes bsc#1112263).
- btrfs: Fix wrong btrfs_delalloc_release_extents parameter (bsc#1031392).
- btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist (dependency for bsc#1031392).
- btrfs: make the delalloc block rsv per inode (dependency for bsc#1031392).
- btrfs: pass delayed_refs directly to btrfs_find_delayed_ref_head (dependency for bsc#1031392).
- btrfs: qgroup: Add quick exit for non-fs extents (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup btrfs_qgroup_prepare_account_extents function (dependency for bsc#1031392).
- btrfs: qgroup: Cleanup the remaining old reservation counters (bsc#1031392).
- btrfs: qgroup: Commit transaction in advance to reduce early EDQUOT (bsc#1031392).
- btrfs: qgroup: Do not use root->qgroup_meta_rsv for qgroup (bsc#1031392).
- btrfs: qgroup: Fix wrong qgroup reservation update for relationship modification (bsc#1031392).
- btrfs: qgroup: Introduce function to convert META_PREALLOC into META_PERTRANS (bsc#1031392).
- btrfs: qgroup: Introduce helpers to update and access new qgroup rsv (bsc#1031392).
- btrfs: qgroup: Make qgroup_reserve and its callers to use separate reservation type (bsc#1031392).
- btrfs: qgroup: Skeleton to support separate qgroup reservation type (bsc#1031392).
- btrfs: qgroups: opencode qgroup_free helper (dependency for bsc#1031392).
- btrfs: qgroup: Split meta rsv type into meta_prealloc and meta_pertrans (bsc#1031392).
- btrfs: qgroup: Update trace events for metadata reservation (bsc#1031392).
- btrfs: qgroup: Update trace events to use new separate rsv types (bsc#1031392).
- btrfs: qgroup: Use independent and accurate per inode qgroup rsv (bsc#1031392).
- btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta reserved space (bsc#1031392).
- btrfs: qgroup: Use separate meta reservation type for delalloc (bsc#1031392).
- btrfs: remove type argument from comp_tree_refs (dependency for bsc#1031392).
- btrfs: rework outstanding_extents (dependency for bsc#1031392).
- btrfs: switch args for comp_*_refs (dependency for bsc#1031392).
- btrfs: Take trans lock before access running trans in check_delayed_ref (Follow up fixes for bsc#1031392).
- ceph: avoid a use-after-free in ceph_destroy_options() (bsc#1112007).
- cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() (bnc#1012382).
- cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE (bnc#1012382).
- cfq: Give a chance for arming slice idle timer in case of group_idle (bnc#1012382).
- cgroup: Fix deadlock in cpu hotplug path (bnc#1012382).
- cgroup, netclassid: add a preemption point to write_classid (bnc#1098996).
- cifs: check for STATUS_USER_SESSION_DELETED (bsc#1112902).
- cifs: connect to servername instead of IP for IPC$ share (bsc#1106359).
- cifs: fix memory leak in SMB2_open() (bsc#1112894).
- cifs: Fix use after free of a mid_q_entry (bsc#1112903).
- cifs: fix wrapping bugs in num_entries() (bnc#1012382).
- cifs: integer overflow in in SMB2_ioctl() (bsc#1012382).
- cifs: prevent integer overflow in nxt_dir_entry() (bnc#1012382).
- cifs: read overflow in is_valid_oplock_break() (bnc#1012382).
- clk: imx6ul: fix missing of_node_put() (bnc#1012382).
- clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs (bnc#1012382).
- config.sh: set BUGZILLA_PRODUCT for SLE12-SP3
- coresight: Handle errors in finding input/output ports (bnc#1012382).
- coresight: tpiu: Fix disabling timeouts (bnc#1012382).
- cpu/hotplug: Fix SMT supported evaluation (bsc#1089343).
- crypto: mxs-dcp - Fix wait logic on chan threads (bnc#1012382).
- crypto: sharah - Unregister correct algorithms for SAHARA 3 (bnc#1012382).
- crypto: skcipher - Fix -Wstringop-truncation warnings (bnc#1012382).
- Define dependencies of in-kernel KMPs statically This allows us to use rpm's internal dependency generator (bsc#981083).
- Define early_radix_enabled() (bsc#1094244).
- dmaengine: pl330: fix irq race with terminate_all (bnc#1012382).
- dm cache: fix resize crash if user does not reload cache table (bnc#1012382).
- dm thin metadata: fix __udivdi3 undefined on 32-bit (bnc#1012382).
- dm thin metadata: try to avoid ever aborting transactions (bnc#1012382).
- Do not ship firmware (bsc#1054239). Pull firmware from kernel-firmware instead.
- drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config (bnc#1012382).
- drivers: net: cpsw: fix segfault in case of bad phy-handle (bnc#1012382).
- drivers/tty: add error handling for pcmcia_loop_config (bnc#1012382).
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 (bnc#1012382).
- drm/amdkfd: Fix error codes in kfd_get_process (bnc#1012382).
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() (bnc#1012382).
- drm/nouveau/TBDdevinit: do not fail when PMU/PRE_OS is missing from VBIOS (bnc#1012382).
- drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping (bnc#1012382).
- drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() (bsc#1106929)
- Drop dtb-source.spec and move the sources to kernel-source (bsc#1011920)
- e1000: check on netif_running() before calling e1000_up() (bnc#1012382).
- e1000: ensure to free old tx/rx rings in set_ringparam() (bnc#1012382).
- ebtables: arpreply: Add the standard target sanity check (bnc#1012382).
- edac, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() (bsc#1114648).
- ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle (bnc#1012382).
- ethtool: Remove trailing semicolon for static inline (bnc#1012382).
- ethtool: restore erroneously removed break in dev_ethtool (bsc#1114229).
- ext4: avoid divide by zero fault when deleting corrupted inline directories (bnc#1012382).
- ext4: do not mark mmp buffer head dirty (bnc#1012382).
- ext4: fix online resize's handling of a too-small final block group (bnc#1012382).
- ext4: fix online resizing for bigalloc file systems with a 1k block size (bnc#1012382).
- ext4: recalucate superblock checksum after updating free blocks/inodes (bnc#1012382).
- f2fs: do not set free of current section (bnc#1012382).
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize (bnc#1012382).
- fbdev: Distinguish between interlaced and progressive modes (bnc#1012382).
- fbdev: fix broken menu dependencies (bsc#1106929)
- fbdev/omapfb: fix omapfb_memory_read infoleak (bnc#1012382).
- fbdev/via: fix defined but not used warning (bnc#1012382).
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (bnc#1012382).
- fs/cifs: do not translate SFM_SLASH (U+F026) to backslash (bnc#1012382).
- fs/cifs: suppress a string overflow warning (bnc#1012382).
- fs/eventpoll: loosen irq-safety when possible (bsc#1096052).
- gfs2: Special-case rindex for gfs2_grow (bnc#1012382).
- gpio: adp5588: Fix sleep-in-atomic-context bug (bnc#1012382).
- gpiolib: Mark gpio_suffixes array with __maybe_unused (bnc#1012382).
- gpio: ml-ioh: Fix buffer underwrite on probe error path (bnc#1012382).
- gpio: tegra: Move driver registration to subsys_init level (bnc#1012382).
- gso_segment: Reset skb->mac_len after modifying network header (bnc#1012382).
- hexagon: modify ffs() and fls() to return int (bnc#1012382).
- hid: hid-ntrig: add error handling for sysfs_create_group (bnc#1012382).
- hid: sony: Support DS4 dongle (bnc#1012382).
- hid: sony: Update device ids (bnc#1012382).
- hv: avoid crash in vmbus sysfs files (bnc#1108377).
- hwmon: (adt7475) Make adt7475_read_word() return errors (bnc#1012382).
- hwmon: (ina2xx) fix sysfs shunt resistor read access (bnc#1012382).
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data (bnc#1012382).
- i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus (bnc#1012382).
- i2c: i801: fix DNV's SMBCTRL register offset (bnc#1012382).
- i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: uniphier: issue STOP only for last message or I2C_M_STOP (bnc#1012382).
- i2c: xiic: Make the start and the byte count write atomic (bnc#1012382).
- i2c: xlp9xx: Add support for SMBAlert (bsc#1103308).
- i2c: xlp9xx: Fix case where SSIF read transaction completes early (bsc#1103308).
- i2c: xlp9xx: Fix issue seen when updating receive length (bsc#1103308).
- i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE (bsc#1103308).
- ib/ipoib: Avoid a race condition between start_xmit and cm_rep_handler (bnc#1012382).
- ib/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop (bnc#1012382).
- input: atakbd - fix Atari CapsLock behaviour (bnc#1012382).
- input: atakbd - fix Atari keymap (bnc#1012382).
- input: atmel_mxt_ts - only use first T9 instance (bnc#1012382).
- input: elantech - enable middle button of touchpad on ThinkPad P72 (bnc#1012382).
- iommu/amd: Return devid as alias for ACPI HID devices (bsc#1106105).
- iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register (bnc#1012382).
- iommu/ipmmu-vmsa: Fix allocation in atomic context (bnc#1012382).
- ip6_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipmi:ssif: Add support for multi-part transmit messages > 2 parts (bsc#1103308).
- ip_tunnel: be careful when accessing the inner header (bnc#1012382).
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).
- ipv6: fix possible use-after-free in ip6_xmit() (bnc#1012382).
- iw_cxgb4: only allow 1 flush on user qps (bnc#1012382).
- ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes bsc#1109923).
- jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).
- KABI: move the new handler to end of machdep_calls and hide it from genksyms (bsc#1094244).
- kABI: protect struct hnae_desc_cb (kabi).
- kbuild: add .DELETE_ON_ERROR special target (bnc#1012382).
- kernel-obs-build.spec.in: add --no-hostonly-cmdline to dracut invocation (boo#1062303). call dracut with --no-hostonly-cmdline to avoid the random rootfs UUID being added into the initrd's /etc/cmdline.d/95root-dev.conf
- kernel-obs-build: use pae and lpae kernels where available (bsc#1073579).
- kernel/params.c: downgrade warning for unsafe parameters (bsc#1050549).
- kprobes/x86: Release insn_slot in failure path (bsc#1110006).
- kthread: fix boot hang (regression) on MIPS/OpenRISC (bnc#1012382).
- kthread: Fix use-after-free if kthread fork fails (bnc#1012382).
- kvm: nVMX: Do not expose MPX VMX controls when guest MPX disabled (bsc#1106240).
- kvm: nVMX: Do not flush TLB when vmcs12 uses VPID (bsc#1106240).
- kvm: PPC: Book3S HV: Do not truncate HPTE index in xlate function (bnc#1012382).
- kvm: x86: Do not re-{try,execute} after failed emulation in L2 (bsc#1106240).
- kvm: x86: Do not use kvm_x86_ops->mpx_supported() directly (bsc#1106240).
- kvm: x86: fix APIC page invalidation (bsc#1106240).
- kvm: x86: remove eager_fpu field of struct kvm_vcpu_arch (bnc#1012382).
- kvm/x86: remove WARN_ON() for when vm_munmap() fails (bsc#1106240).
- kvm: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (bsc#1106240).
- lib/test_hexdump.c: fix failure on big endian cpu (bsc#1106110).
- locking/osq_lock: Fix osq_lock queue corruption (bnc#1012382).
- locking/rwsem-xadd: Fix missed wakeup due to reordering of load (bnc#1012382).
- lpfc: fixup crash in lpfc_els_unsol_buffer() (bsc#1107318).
- mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: fix a race between restart and CSA flows (bnc#1012382).
- mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys (bnc#1012382).
- mac80211: Fix station bandwidth setting after channel switch (bnc#1012382).
- mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).
- mac80211: mesh: fix HWMP sequence numbering to follow standard (bnc#1012382).
- mac80211: restrict delayed tailroom needed decrement (bnc#1012382).
- mac80211: shorten the IBSS debug messages (bnc#1012382).
- mach64: detect the dot clock divider correctly on sparc (bnc#1012382).
- macintosh/via-pmu: Add missing mmio accessors (bnc#1012382).
- macros.kernel-source: define linux_arch for KMPs (boo#1098050). CONFIG_64BIT is no longer defined so KMP spec files need to include %{?linux_make_arch} in any make call to build modules or descent into the kernel directory for any reason.
- macros.kernel-source: pass -b properly in kernel module package (bsc#1107870).
- macros.kernel-source: pass -f properly in module subpackage (boo#1076393).
- md-cluster: clear another node's suspend_area after the copy is finished (bnc#1012382).
- md/raid1: exit sync request if MD_RECOVERY_INTR is set (git-fixes).
- md/raid5: fix data corruption of replacements after originals dropped (bnc#1012382).
- media: af9035: prevent buffer overflow on write (bnc#1012382).
- media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() (bnc#1012382).
- media: fsl-viu: fix error handling in viu_of_probe() (bnc#1012382).
- media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data (bnc#1012382).
- media: omap_vout: Fix a possible null pointer dereference in omap_vout_open() (bsc#1050431).
- media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power (bnc#1012382).
- media: soc_camera: ov772x: correct setting of banding filter (bnc#1012382).
- media: tm6000: add error handling for dvb_register_adapter (bnc#1012382).
- media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).
- media: v4l: event: Prevent freeing event subscriptions while accessed (bnc#1012382).
- media: videobuf2-core: check for q->error in vb2_core_qbuf() (bnc#1012382).
- media: videobuf-dma-sg: Fix dma_{sync,unmap}_sg() calls (bsc#1050431).
- mei: bus: type promotion bug in mei_nfc_if_version() (bnc#1012382).
- memory_hotplug: cond_resched in __remove_pages (bnc#1114178).
- mfd: omap-usb-host: Fix dts probe of children (bnc#1012382).
- mfd: ti_am335x_tscadc: Fix struct clk memory leak (bnc#1012382).
- misc: hmc6352: fix potential Spectre v1 (bnc#1012382).
- misc: mic: SCIF Fix scif_get_new_port() error handling (bnc#1012382).
- misc: ti-st: Fix memory leak in the error path of probe() (bnc#1012382).
- mmc: mmci: stop building qcom dml as module (bsc#1110468).
- mm: fix devmem_is_allowed() for sub-page System RAM intersections (bsc#1110006).
- mm: get rid of vmacache_flush_all() entirely (bnc#1012382).
- mm: madvise(MADV_DODUMP): allow hugetlbfs pages (bnc#1012382).
- mm: /proc/pid/pagemap: hide swap entries from unprivileged users (Git-fixes bsc#1109907).
- mm: shmem.c: Correctly annotate new inodes for lockdep (bnc#1012382).
- mm/vmstat.c: fix outdated vmstat_text (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (bnc#1012382).
- mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (git fixes).
- module: exclude SHN_UNDEF symbols from kallsyms api (bnc#1012382).
- mtdchar: fix overflows in adjustment of `count` (bnc#1012382).
- mtd/maps: fix solutionengine.c printk format warnings (bnc#1012382).
- neighbour: confirm neigh entries when ARP packet is received (bnc#1012382).
- net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT (bnc#1012382).
- net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() (bnc#1012382).
- net: dcb: For wild-card lookups, use priority -1, not 0 (bnc#1012382).
- net: ethernet: mvneta: Fix napi structure mixup on armada 3700 (bsc#1110616).
- net: ethernet: ti: cpsw: fix mdio device reference leak (bnc#1012382).
- netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user (bnc#1012382).
- net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES (bnc#1012382).
- net: hp100: fix always-true check for link up state (bnc#1012382).
- net: ipv4: update fnhe_pmtu when first hop's MTU changes (bnc#1012382).
- net/ipv6: Display all addresses in output of /proc/net/if_inet6 (bnc#1012382).
- netlabel: check for IPV4MASK in addrinfo_get (bnc#1012382).
- net: macb: disable scatter-gather for macb on sama5d3 (bnc#1012382).
- net/mlx4: Use cpumask_available for eq->affinity_mask (bnc#1012382).
- net: mvneta: fix mtu change on port without link (bnc#1012382).
- net: mvneta: fix mvneta_config_rss on armada 3700 (bsc#1110615).
- net: mvpp2: Extract the correct ethtype from the skb for tx csum offload (bnc#1012382).
- net: systemport: Fix wake-up interrupt race during resume (bnc#1012382).
- net/usb: cancel pending work when unbinding smsc75xx (bnc#1012382).
- nfc: Fix possible memory corruption when handling SHDLC I-Frame commands (bnc#1012382).
- nfc: Fix the number of pipes (bnc#1012382).
- nfs: add nostatflush mount option (bsc#1065726).
- nfs: Avoid quadratic search when freeing delegations (bsc#1084760).
- nfsd: fix corrupted reply to badly ordered compound (bnc#1012382).
- nfs: Use an appropriate work queue for direct-write completion (bsc#1082519).
- nfsv4.0 fix client reference leak in callback (bnc#1012382).
- ocfs2: fix locking for res->tracking and dlm->tracking_list (bnc#1012382).
- ocfs2: fix ocfs2 read block panic (bnc#1012382).
- of: unittest: Disable interrupt node tests for old world MAC systems (bnc#1012382).
- ovl: Copy inode attributes after setting xattr (bsc#1107299).
- parport: sunbpp: fix error return code (bnc#1012382).
- partitions/aix: append null character to print data from disk (bnc#1012382).
- partitions/aix: fix usage of uninitialized lv_info and lvname structures (bnc#1012382).
- Pass x86 as architecture on x86_64 and i386 (bsc#1093118).
- pci: altera: Fix bool initialization in tlp_read_packet() (bsc#1109806).
- pci: designware: Fix I/O space page leak (bsc#1109806).
- pci: designware: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: hv: Use effective affinity mask (bsc#1109772).
- pci: OF: Fix I/O space page leak (bsc#1109806).
- pci: pciehp: Fix unprotected list iteration in IRQ handler (bsc#1109806).
- pci: Reprogram bridge prefetch registers on resume (bnc#1012382).
- pci: shpchp: Fix AMD POGO identification (bsc#1109806).
- pci: Supply CPU physical address (not bus address) to iomem_is_exclusive() (bsc#1109806).
- pci: versatile: Fix I/O space page leak (bsc#1109806).
- pci: versatile: Fix pci_remap_iospace() failure path (bsc#1109806).
- pci: xgene: Fix I/O space page leak (bsc#1109806).
- pci: xilinx: Add missing of_node_put() (bsc#1109806).
- perf powerpc: Fix callchain ip filtering (bnc#1012382).
- perf powerpc: Fix callchain ip filtering when return address is in a register (bnc#1012382).
- perf probe powerpc: Ignore SyS symbols irrespective of endianness (bnc#1012382).
- perf script python: Fix export-to-postgresql.py occasional failure (bnc#1012382).
- perf tools: Allow overriding MAX_NR_CPUS at compile time (bnc#1012382).
- phy: qcom-ufs: add MODULE_LICENSE tag (bsc#1110468).
- pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant (bnc#1012382).
- pipe: actually allow root to exceed the pipe buffer limit (git-fixes).
- platform/x86: alienware-wmi: Correct a memory leak (bnc#1012382).
- platform/x86: toshiba_acpi: Fix defined but not used build warnings (bnc#1012382).
- pm / core: Clear the direct_complete flag on errors (bnc#1012382).
- powerpc/64s: move machine check SLB flushing to mm/slb.c (bsc#1094244).
- powerpc/kdump: Handle crashkernel memory reservation failure (bnc#1012382).
- powerpc/mce: Fix SLB rebolting during MCE recovery path (bsc#1094244).
- powerpc/numa: Skip onlining a offline node in kdump path (bsc#1109784).
- powerpc/numa: Use associativity if VPHN hcall is successful (bsc#1110363).
- powerpc/perf/hv-24x7: Fix passing of catalog version number (bsc#1053043).
- powerpc/powernv: opal_put_chars partial write fix (bnc#1012382).
- powerpc/pseries: Defer the logging of rtas error to irq work queue (bsc#1094244).
- powerpc/pseries: Define MCE error event section (bsc#1094244).
- powerpc/pseries: Display machine check error details (bsc#1094244).
- powerpc/pseries: Dump the SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries: Fix build break for SPLPAR=n and CPU hotplug (bsc#1079524, git-fixes).
- powerpc/pseries: Fix CONFIG_NUMA=n build (bsc#1067906, git-fixes).
- powerpc/pseries: Flush SLB contents on SLB MCE errors (bsc#1094244).
- powerpc/pseries/mm: call H_BLOCK_REMOVE (bsc#1109158).
- powerpc/pseries/mm: factorize PTE slot computation (bsc#1109158).
- powerpc/pseries/mm: Introducing FW_FEATURE_BLOCK_REMOVE (bsc#1109158).
- powerpc/rtas: Fix a potential race between CPU-Offline & Migration (bsc#1111870).
- powerpc/tm: Avoid possible userspace r1 corruption on reclaim (bsc#1109333).
- power: vexpress: fix corruption in notifier registration (bnc#1012382).
- printk: do not spin in printk when in nmi (bsc#1094244).
- proc: restrict kernel stack dumps to root (bnc#1012382).
- pstore: Fix incorrect persistent ram buffer mapping (bnc#1012382).
- qlcnic: fix Tx descriptor corruption on 82xx devices (bnc#1012382).
- r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED (bnc#1012382).
- raid10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 (bnc#1012382).
- rculist: add list_for_each_entry_from_rcu() (bsc#1084760).
- rculist: Improve documentation for list_for_each_entry_from_rcu() (bsc#1084760).
- rdma/cma: Do not ignore net namespace for unbound cm_id (bnc#1012382).
- rdma/cma: Protect cma dev list with lock (bnc#1012382).
- rdma/ucma: check fd type in ucma_migrate_id() (bnc#1012382).
- reiserfs: add check to detect corrupted directory entry (bsc#1109818).
- reiserfs: do not panic on bad directory entries (bsc#1109818).
- resource: Include resource end in walk_*() interfaces (bsc#1114648).
- Revert 'btrfs: qgroups: Retry after commit on getting EDQUOT' (bsc#1031392).
- Revert 'dma-buf/sync-file: Avoid enable fence signaling if poll(.timeout=0)' (bsc#1111363).
- Revert 'drm: Do not pass negative delta to ktime_sub_ns()' (bsc#1106929)
- Revert 'drm/i915: Initialize HWS page address after GPU reset' (bsc#1106929)
- Revert 'Drop kernel trampoline stack.' This reverts commit 85dead31706c1c1755adff90405ff9861c39c704.
- Revert 'kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)' This reverts commit edde1f21880e3bfe244c6f98a3733b05b13533dc.
- Revert 'kvm: x86: remove eager_fpu field of struct kvm_vcpu_arch' (kabi).
- Revert 'media: v4l: event: Prevent freeing event subscriptions while accessed' (kabi).
- Revert 'mm: get rid of vmacache_flush_all() entirely' (kabi).
- Revert 'NFC: Fix the number of pipes' (kabi).
- Revert 'proc: restrict kernel stack dumps to root' (kabi).
- Revert 'Skip intel_crt_init for Dell XPS 8700' (bsc#1106929)
- Revert 'tcp: add tcp_ooo_try_coalesce() helper' (kabi).
- Revert 'tcp: call tcp_drop() from tcp_data_queue_ofo()' (kabi).
- Revert 'tcp: fix a stale ooo_last_skb after a replace' (kabi).
- Revert 'tcp: free batches of packets in tcp_prune_ofo_queue()' (kabi).
- Revert 'tcp: use an RB tree for ooo receive queue' (kabi).
- Revert 'usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()' (bnc#1012382).
- Revert 'x86/fpu: Finish excising 'eagerfpu'' (kabi).
- Revert 'x86/fpu: Remove struct fpu::counter' (kabi).
- Revert 'x86/fpu: Remove use_eager_fpu()' (kabi).
- ring-buffer: Allow for rescheduling when removing pages (bnc#1012382).
- rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() (bnc#1012382).
- rpm/kernel-binary.spec.in: Check module licenses (bsc#1083215,bsc#1083527)
- rpm/kernel-binary.spec.in: Do not sign modules if CONFIG_MODULE_SIG=n (bsc#1035053)
- rpm/kernel-binary.spec.in: Obsolete ftsteutates KMP (boo#997172)
- rpm/kernel-binary.spec.in: Only kernel-syzkaller needs gcc-devel (boo#1043591).
- rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
- rpm/kernel-docs.spec.in: Fix and cleanup for 4.13 doc build (bsc#1048129) The whole DocBook stuff has been deleted. The PDF build still non-working thus the sub-packaging disabled so far.
- rpm/kernel-docs.spec.in: refresh dependencies for PDF build (bsc#1048129) But it still does not work with Tex Live 2017, thus disabled yet. Also add texlive-anyfontsize for HTML math handling.
- rpm/kernel-module-subpackage: Generate proper supplements in the template ... instead of relying on find-provides.ksyms to do it (bsc#981083).
- rpm/kernel-source.spec.in: Do not list deleted depdendency helpers (bsc#981083).
- rpm/kernel-spec-macros: Try harder to detect Build Service environment (bsc#1078788)
- rtc: bq4802: add error handling for devm_ioremap (bnc#1012382).
- rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096 (bnc#1012382).
- s390/chsc: Add exception handler for CHSC instruction (git-fixes).
- s390/extmem: fix gcc 8 stringop-overflow warning (bnc#1012382).
- s390/facilites: use stfle_fac_list array size for MAX_FACILITY_BIT (bnc#1108315, LTC#171326).
- s390/kdump: Fix elfcorehdr size calculation (git-fixes).
- s390/kdump: Make elfcorehdr size calculation ABI compliant (git-fixes).
- s390/mm: correct allocate_pgste proc_handler callback (git-fixes).
- s390/qeth: do not dump past end of unknown HW header (bnc#1012382).
- s390/qeth: fix race in used-buffer accounting (bnc#1012382).
- s390/qeth: handle failure on workqueue creation (git-fixes).
- s390/qeth: reset layer2 attribute on layer switch (bnc#1012382).
- s390/qeth: use vzalloc for QUERY OAT buffer (bnc#1108315, LTC#171527).
- s390: revert ELF_ET_DYN_BASE base changes (git-fixes).
- s390/stacktrace: fix address ranges for asynchronous and panic stack (git-fixes).
- sched/fair: Fix bandwidth timer clock drift condition (Git-fixes).
- sched/fair: Fix vruntime_normalized() for remote non-migration wakeup (Git-fixes).
- scsi: 3ware: fix return 0 on the error path of probe (bnc#1012382).
- scsi: bnx2i: add error handling for ioremap_nocache (bnc#1012382).
- scsi: ibmvscsi: Improve strings handling (bnc#1012382).
- scsi: klist: Make it safe to use klists in atomic context (bnc#1012382).
- scsi: target: fix __transport_register_session locking (bnc#1012382).
- scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size (bnc#1012382).
- selftests/efivarfs: add required kernel configs (bnc#1012382).
- selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress (bnc#1012382).
- selinux: use GFP_NOWAIT in the AVC kmem_caches (bnc#1012382).
- serial: cpm_uart: return immediately from console poll (bnc#1012382).
- serial: imx: restore handshaking irq for imx1 (bnc#1012382).
- signal: Properly deliver SIGSEGV from x86 uprobes (bsc#1110006).
- slub: make ->cpu_partial unsigned int (bnc#1012382).
- smb2: fix missing files in root share directory listing (bnc#1012382).
- smb3: fill in statfs fsid and correct namelen (bsc#1112905).
- sound: enable interrupt after dma buffer initialization (bnc#1012382).
- spi: rspi: Fix interrupted DMA transfers (bnc#1012382).
- spi: rspi: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: sh-msiof: Fix handling of write value for SISTR register (bnc#1012382).
- spi: sh-msiof: Fix invalid SPI use during system suspend (bnc#1012382).
- spi: tegra20-slink: explicitly enable/disable clock (bnc#1012382).
- srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context (bsc#1050549).
- staging: android: ashmem: Fix mmap size validation (bnc#1012382).
- staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page (bnc#1012382).
- staging: rts5208: fix missing error check on call to rtsx_write_register (bnc#1012382).
- staging/rts5208: Fix read overflow in memcpy (bnc#1012382).
- stmmac: fix valid numbers of unicast filter entries (bnc#1012382).
- stop_machine: Atomically queue and wake stopper threads (git-fixes).
- target: log Data-Out timeouts as errors (bsc#1095805).
- target: log NOP ping timeouts as errors (bsc#1095805).
- target: split out helper for cxn timeout error stashing (bsc#1095805).
- target: stash sess_err_stats on Data-Out timeout (bsc#1095805).
- target: use ISCSI_IQN_LEN in iscsi_target_stat (bsc#1095805).
- tcp: add tcp_ooo_try_coalesce() helper (bnc#1012382).
- tcp: call tcp_drop() from tcp_data_queue_ofo() (bnc#1012382).
- tcp: fix a stale ooo_last_skb after a replace (bnc#1012382).
- tcp: free batches of packets in tcp_prune_ofo_queue() (bnc#1012382).
- tcp: increment sk_drops for dropped rx packets (bnc#1012382).
- tcp: use an RB tree for ooo receive queue (bnc#1012382).
- team: Forbid enslaving team device to itself (bnc#1012382).
- thermal: of-thermal: disable passive polling when thermal zone is disabled (bnc#1012382).
- Tools: hv: Fix a bug in the key delete code (bnc#1012382).
- tools/vm/page-types.c: fix 'defined but not used' warning (bnc#1012382).
- tools/vm/slabinfo.c: fix sign-compare warning (bnc#1012382).
- tpm: Restore functionality to xen vtpm driver (bsc#1020645, git-fixes).
- tsl2550: fix lux1_input error in low light (bnc#1012382).
- tty: Drop tty->count on tty_reopen() failure (bnc#1105428).
- tty: rocket: Fix possible buffer overwrite on register_PCI (bnc#1012382).
- tty: vt_ioctl: fix potential Spectre v1 (bnc#1012382).
- ubifs: Check for name being NULL while mounting (bnc#1012382).
- ucma: fix a use-after-free in ucma_resolve_ip() (bnc#1012382).
- uio: potential double frees if __uio_register_device() fails (bnc#1012382).
- usb: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller (bnc#1012382).
- usb: Add quirk to support DJI CineSSD (bnc#1012382).
- usb: Avoid use-after-free by flushing endpoints early in usb_set_interface() (bnc#1012382).
- usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt() (bnc#1012382).
- usb: Do not die twice if PCI xhci host is not responding in resume (bnc#1012382).
- usb: fix error handling in usb_driver_claim_interface() (bnc#1012382).
- usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i] (bnc#1012382).
- usb: gadget: serial: fix oops when data rx'd after close (bnc#1012382).
- usb: handle NULL config in usb_find_alt_setting() (bnc#1012382).
- usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame() (bnc#1012382).
- usb: misc: uss720: Fix two sleep-in-atomic-context bugs (bnc#1012382).
- usb: net2280: Fix erroneous synchronization change (bnc#1012382).
- usb: remove LPM management from usb_driver_claim_interface() (bnc#1012382).
- usb: serial: io_ti: fix array underflow in completion handler (bnc#1012382).
- usb: serial: kobil_sct: fix modem-status error handling (bnc#1012382).
- usb: serial: simple: add Motorola Tetra MTP6550 id (bnc#1012382).
- usb: serial: ti_usb_3410_5052: fix array underflow in completion handler (bnc#1012382).
- usb: usbdevfs: restore warning for nonsensical flags (bnc#1012382).
- usb: usbdevfs: sanitize flags more (bnc#1012382).
- usb: wusbcore: security: cast sizeof to int for comparison (bnc#1012382).
- usb: yurex: Check for truncation in yurex_read() (bnc#1012382).
- usb: yurex: Fix buffer over-read in yurex_write() (bnc#1012382).
- Use upstream version of pci-hyperv change 35a88a18d7
- uwb: hwa-rc: fix memory leak at probe (bnc#1012382).
- vfs: do not test owner for NFS in set_posix_acl() (bsc#1103405).
- video: goldfishfb: fix memory leak on driver remove (bnc#1012382).
- vmci: type promotion bug in qp_host_get_user_memory() (bnc#1012382).
- vmw_balloon: include asm/io.h (bnc#1012382).
- watchdog: w83627hf: Added NCT6102D support (bsc#1106434).
- wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() (bnc#1012382).
- wlcore: Fix memory leak in wlcore_cmd_wait_for_event_or_timeout (git-fixes).
- x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump (bsc#1110006).
- x86/apic: Split disable_IO_APIC() into two functions to fix CONFIG_KEXEC_JUMP=y (bsc#1110006).
- x86/apic: Split out restore_boot_irq_mode() from disable_IO_APIC() (bsc#1110006).
- x86/boot: Fix 'run_size' calculation (bsc#1110006).
- x86/cpufeature: deduplicate X86_FEATURE_L1TF_PTEINV (kabi).
- x86/entry/64: Add two more instruction suffixes (bnc#1012382).
- x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface (bsc#1105931).
- x86/entry/64: sanitize extra registers on syscall entry (bsc#1105931).
- x86/fpu: Finish excising 'eagerfpu' (bnc#1012382).
- x86/fpu: Remove second definition of fpu in __fpu__restore_sig() (bsc#1110006).
- x86/fpu: Remove struct fpu::counter (bnc#1012382).
- x86/fpu: Remove use_eager_fpu() (bnc#1012382).
- x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12 (bsc#1109772).
- x86/kaiser: Avoid loosing NMIs when using trampoline stack (bsc#1106293 bsc#1099597).
- x86/mm: Remove in_nmi() warning from vmalloc_fault() (bnc#1012382).
- x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines (bsc#1110006).
- x86/numa_emulation: Fix emulated-to-physical node mapping (bnc#1012382).
- x86/paravirt: Fix some warning messages (bnc#1065600).
- x86/percpu: Fix this_cpu_read() (bsc#1110006).
- x86,sched: Allow topologies where NUMA nodes share an LLC (bsc#1091158, bsc#1101555).
- x86/spec_ctrl: Fix spec_ctrl reporting (bsc#1106913, bsc#1111516).
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (bsc#1106913).
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (bsc#1106913).
- x86/speculation: Propagate information about RSB filling mitigation to sysfs (bsc#1106913).
- x86/time: Correct the attribute on jiffies' definition (bsc#1110006).
- x86/tsc: Add missing header to tsc_msr.c (bnc#1012382).
- x86/vdso: Fix asm constraints on vDSO syscall fallbacks (bsc#1110006).
- x86/vdso: Fix vDSO build if a retpoline is emitted (bsc#1110006).
- x86/vdso: Fix vDSO syscall fallback asm constraint regression (bsc#1110006).
- x86/vdso: Only enable vDSO retpolines when enabled and supported (bsc#1110006).
- xen: avoid crash in disable_hotplug_cpu (bnc#1012382 bsc#1106594 bsc#1042422).
- xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage (bnc#1012382).
- xen: issue warning message when out of grant maptrack entries (bsc#1105795).
- xen/manage: do not complain about an empty value in control/sysrq node (bnc#1012382).
- xen/netfront: do not bug in case of too many frags (bnc#1012382).
- xen-netfront: fix queue name setting (bnc#1012382).
- xen/netfront: fix waiting for xenbus state change (bnc#1012382).
- xen-netfront: fix warn message as irq device name has '/' (bnc#1012382).
- xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code (bnc#1012382).
- xfrm: fix 'passing zero to ERR_PTR()' warning (bnc#1012382).
- xhci: Add missing CAS workaround for Intel Sunrise Point xHCI (bnc#1012382).
- xhci: Do not print a warning when setting link state for disabled ports (bnc#1012382).
- x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error (bsc#1114648).


-----------------------------------------
Patch: SUSE-2018-2637
Released: Mon Nov 12 20:38:05 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1113554
Description:
This update provides the latest time zone definitions (2018g), including the following changes:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates



-----------------------------------------
Patch: SUSE-2018-2639
Released: Mon Nov 12 20:39:01 2018
Summary: Recommended update for sysstat
Severity: moderate
References: 1089883
Description:
This update for sysstat fixes the following issues:

sysstat was updated to 12.0.2, bringing lots of new features and bugfixes. (fate#326576, bsc#1089883)

Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883)

- It contains lots of improvements in SVG output.
- New metric additions for hugepages.
- Several new options
- New database format

Please look at http://sebastien.godard.pagesperso-orange.fr/ for a more detailed history of changes.



-----------------------------------------
Patch: SUSE-2018-2640
Released: Mon Nov 12 20:39:16 2018
Summary: Recommended update for nfsidmap
Severity: moderate
References: 1098217
Description:
This update for nfsidmap fixes the following issues:

- Improve support for SAMBA with Active Directory. (bsc#1098217)


-----------------------------------------
Patch: SUSE-2018-2643
Released: Mon Nov 12 20:40:02 2018
Summary: Recommended update for sles-manuals_en, sled-manuals_en
Severity: moderate
References: 1010391,1017726,1017728,1017731,1017737,1017753,1020271,1023815,1029132,1029696,1043305,1046514,1047010,1050754,1051190,1051369,1058042,1058076,1058365,1061131,1061906,1062209,1063706,1064156,1066537,1066566,1067789,1068181,1068426,1070674,1070759,1071210,1071958,1073377,1074026,1074713,1074844,1075949,1075996,1076430,1077112,1077734,1080616,1080879,1081377,1081409,1084275,1085797,1086896,1088500,1088985,1089361,1091022,1092434,1094404,1094593,1098836,1099326,1101458,1101631,1102514,1103082,1104266,1107305,1107314,1108068,1110744,710788
Description:

  
This update for the sled-manuals_en and sles-manuals_en packages fix a lot of documentation issues.

Admin Guide:

- fate#319319: VNC: Document ability to share and reconnect sessions
- fate#315348: Document NFS optimization for large scale installations  
- bsc#1103082: Correct location of 50-udev-default.rules
- bsc#1104266: Replace 'systemd-journalctl' with 'journalctl'
- bsc#1102514: Improve the custom.cfg help description for GRUB2
- bsc#1092434: Compiling 32-bit applications is not supported
- bsc#1081409: Persistent VNC connections need the 'alwaysshared' setting in the config file enabled or the previous connection is killed 
- bsc#1081377: autofs map files must not be executable
- bsc#1074844: Add ppc64le to the supported architectures for Live Patching
- bsc#1074026: The GRUB2 parameter for GFXMODE, 'vbeinfo' needs be replaced with 'videoinfo'
- bsc#1071210: GRUB2: replace grub2-reboot with grub2-once in the explanation for 'GRUB_DEFAULT=saved' 
- bsc#1068181: kGraft - document CVSS v3.0 usage
- bsc#1062209: Document $HOME/.alias 
- bsc#1061131: Replace $attr with $env in udev substitution rules
- bsc#1051369: In a rescues system with LVM disks, run vgimport -a to find and mount the LVM volumes
- bsc#1046514: Improve Documentation on the boot process
- bsc#1017753: Replace Kernel parameter 'VGA mode' with 'console resolution'
- bsc#1017737: GRUB2 documentation: Put 'Boot Code Options' in correct context
- bsc#1017731: GRUB2 documentation: Improve explanation on disk order
- bsc#1017728: GRUB2 documentation: Removed incorrect note
- bsc#1017726: GRUB2 documentation: Improve documentation on files in /etc/grub.d/

AutoYaST Guide:

- bsc#1085797: Signature checking cannot be disable for stage 2
- bsc#1071958: Explain how to use/generate encrypted passwords
- bsc#1070759: Replace 'no_group' with 'no_groups'

Deployment Guide:

- fate#321159: Script to clean up unique identifiers after system cloning
- bsc#1094593: Add a link to the SUSE Manager Support Pack migration documentation
- bsc#1080616: The certifications module is not available for SP3
- bsc#1077734: Fix an error in the 'Upgrade Paths' graphic
- bsc#1077112: Removed LDAP and Kerberos authentication methods and added SSSD
- bsc#1075996: Added a section on how to register SLE
- bsc#1058076: Added module descriptions
- bsc#1058042: Installer Self-Update is enabled by default
- bsc#1020271: Fixed multiversion.kernels documentation

Docker Guide:

- bsc#1098836: Portus is no longer Tech Preview
- bsc#1088500: Correct SLE version numbers
- bsc#1084275: Replace postfix with apache2 as an example for background applications
- bsc#1080879: Fix links to the Portus website
- bsc#1064156: Replace package name 'sles12sp3-docker-image' with 'suse-sles12sp3-image'
- bsc#1058365: Portus package is named 'portus'
- bsc#1050754: Update image names to latest release


Security Guide:

- bsc#1073377: Firewall: The IPsec Support is no longer relevant
- bsc#1070674: Update 'Delete an AppArmor profile'
- bsc#1068426: Mention importance of pam_systemd.so in PAM stack
- bsc#1029696: Reloading Apparmor no longer unloads profiles not in /etc/apparmor.d/

SMT Guide:

- bsc#1108068: Fix path to testing environment
- bsc#1107314: Fix registration url
- bsc#1107305: Fix regcert-url 
- bsc#1094404: Correct command 'smt-setup-custom-repositories' to 'smt-setup-custom-repos'
- bsc#1063706: Update 'Disconnected SMT Servers' documentation

Storage Guide:

- bsc#1099326: Corrected documentation about the maximum number of paths with device-mapper-multipath
- bsc#1091022: z Systems: Corrected default settings for multipath devices
- bsc#1086896: LVM: Use of unpartitioned disks
- bsc#1074713: Fixed typo
- bsc#1067789: 'multipath -T' can be used when creating an initial configuration
- bsc#1066537: Added a warning to not use wiper.sh on Btrfs
- bsc#1047010: Added chapter 'Setting Up an NVMe over Fabric Target'

Tuning Guide:

- fate#319184: Add documentation for TMON
- fate#319185: Add BDW-Y thermal documentation
- fate#322036: Move logrotate.status to /var/lib/misc
- fate#322037: logrotate now uses systemd
- fate#320016: Add support for crashkernel=xx,high in Yast Kdump Commandline
- bsc#1051190: Correct information on how to capture a Kernel dump
- bsc#1043305: Fixed typo 
- bsc#1023815: Kdump documentation is missing static IP configuration settings
- bsc#710788: Remove faillog from documentation

Virtualization Guide:

- fate#321734: KVM on POWER
- fate#320490: UEFI support for XEN
- fate#319531: UEFI support for QEMU
- fate#317260: enable 'virsh snapshot-delete' to free disk space
- fate#321173: XEN: USB passthrough for HVM domains
- bsc#1101458: Values for 'swiotlb' need to be defined in Megabytes
- bsc#1089361: Update migration requirements: microcode needs to be the same
- bsc#1076430: KVM on z Systems is no longer tech preview
- bsc#1075949: Typo in USB Pass-Through documentation for XEN
- bsc#1061906: Fix XEN pci-passthrough instructions



-----------------------------------------
Patch: SUSE-2018-2651
Released: Tue Nov 13 16:25:40 2018
Summary: Recommended update for the Linux Kernel
Severity: important
References: 1115587
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to fix the following issue:

- A previous update contained a bug that would result in invalid module
  signatures being generated, which would break secure boot
  installations. [bsc#1115587]


-----------------------------------------
Patch: SUSE-2018-2652
Released: Tue Nov 13 19:02:44 2018
Summary: Recommended update for llvm
Severity: low
References: 1073210
Description:
This update for llvm provides the following fix:

- Place gold plugin to the right directory to make sure Link Time Optimization works
  correctly. It must be in /usr/lib/bfd-plugins on all architectures. (bsc#1073210)


-----------------------------------------
Patch: SUSE-2018-2659
Released: Wed Nov 14 14:14:41 2018
Summary: Security update for systemd
Severity: important
References: 1106923,1108835,1109252,1110445,1111278,1112024,1113083,1113632,1113665,CVE-2018-15686,CVE-2018-15688
Description:

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non-security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- socket-util: introduce port argument in sockaddr_port()
- service: fixup ExecStop for socket-activated shutdown (#4120)
- service: Continue shutdown on socket activated unit on termination (#4108) (bsc#1106923)
- cryptsetup: build fixes for 'add support for sector-size= option'
- udev-rules: IMPORT cmdline does not recognize keys with similar names (bsc#1111278)
- core: keep the kernel coredump defaults when systemd-coredump is disabled
- core: shorten main() a bit, split out coredump initialization
- core: set RLIMIT_CORE to unlimited by default (bsc#1108835)
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- tmp.mount.hm4: After swap.target (#3087)

- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was
  wrong since systemd-sysv-install is a script used to redirect
  enable/disable operations to chkconfig when the unit targets are
  sysv init scripts. Therefore it's never been a SySV init tool.


-----------------------------------------
Patch: SUSE-2018-2760
Released: Thu Nov 22 16:25:38 2018
Summary: Security update for openssl
Severity: moderate
References: 1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).


-----------------------------------------
Patch: SUSE-2018-2766
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS,
they have already been released for SUSE Linux Enterprise Server 12 SP3.



-----------------------------------------
Patch: SUSE-2018-1697
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1696
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-2782
Released: Mon Nov 26 17:46:59 2018
Summary: Security update for tiff
Severity: moderate
References: 1099257,1113094,1113672,CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).                                                                                             
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).                                                                               
- CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).

Non-security issues fixed:

- asan_build: build ASAN included
- debug_build: build more suitable for debugging


-----------------------------------------
Patch: SUSE-2018-2783
Released: Mon Nov 26 17:47:36 2018
Summary: Security update for openssh
Severity: moderate
References: 1091396,1105010,964336,CVE-2018-15473
Description:
This update for openssh fixes the following issues:

Following security issues have been fixed:

- CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)

The following non-security issues were fixed:

- Stop leaking File descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure [bsc#1091396]



-----------------------------------------
Patch: SUSE-2018-2784
Released: Tue Nov 27 00:22:49 2018
Summary: Recommended update for fonts-config
Severity: moderate
References: 1111791
Description:
This update for fonts-config provides the following fix:

- Fix a misspelling in CJK font configuration file. (bsc#1111791)


-----------------------------------------
Patch: SUSE-2018-2786
Released: Tue Nov 27 00:23:17 2018
Summary: Recommended update for yast2-users
Severity: moderate
References: 1081958,1107456,1112119
Description:
This update for yast2-users fixes the following issues:

- Read ssh keys from root user only if the user exists. (bsc#1112119, bsc#1107456)
- Fix import of RootPassword if the user is specified in autoyast profile. (bsc#1081958)


-----------------------------------------
Patch: SUSE-2018-1618
Released: Tue Nov 27 13:39:49 2018
Summary: Security update for util-linux
Severity: moderate
References: 1072947,1078662,1080740,1084300,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:

This non-security issue was fixed:

- CVE-2018-7738: bash-completion/umount allowed local users to gain privileges
  by embedding shell commands in a mountpoint name, which was mishandled during a
  umount command by a different user (bsc#1084300).

These non-security issues were fixed:

- Fixed crash loop in lscpu (bsc#1072947).
- Fixed possible segfault of umount -a
- Fixed mount -a on NFS bind mounts (bsc#1080740).
- Fixed lsblk on NVMe (bsc#1078662).


-----------------------------------------
Patch: SUSE-2018-2811
Released: Thu Nov 29 11:24:19 2018
Summary: Recommended update for aaa_base
Severity: moderate
References: 1040613,1095969,1102310
Description:
This update for aaa_base provides the following fixes:

- Get mixed use case of service wrapper script straight. (bsc#1040613)
- Fix an error at login if java system directory is empty. (bsc#1102310)
- Add a test for xdgdir/applications before adding data directory (bsc#1095969)


-----------------------------------------
Patch: SUSE-2018-2817
Released: Fri Nov 30 12:56:37 2018
Summary: Security update for containerd, docker, docker-runc, go, go1.10, golang-github-docker-libnetwork, golang-packaging
Severity: moderate
References: 1047218,1080978,1086185,1094680,1095817,1102522,1104821,1105000,1108038,1113313
Description:

This security update for containerd, docker, docker-runc, go, go1.10, golang-github-docker-libnetwork, golang-packaging fixes several issues.

The following feature was added to the packages:

Enable seccomp support on SLE12, since libseccomp is now a new enough vintage to work with Docker and containerd (FATE#325877).

Non-security issues fixed:

- trackerbug: packages do not build reproducibly from including build time (bsc#1047218)
- caasp v2 to v3 upgrade fails (bsc#1080978)
- Kubelet: reserve compute resources for system daemons (bsc#1086185)
- Pod in terminating status (bsc#1094680)
- containers packages fail randomly due to %check (bsc#1095817)
- Docker v18.06-ce upgrade. (bsc#1102522)
- Make cri-o default for kubernetes on Kubic (bsc#1104821)
- harmonise docker and docker-kubic packaging (bsc#1105000)
- docker hard-requires git-core (bsc#1108038)
- Need SLE12 containers module docker update to 18.06.1-ce as soon as possible (bsc#1113313)                                                                                      


-----------------------------------------
Patch: SUSE-2018-2824
Released: Mon Dec  3 15:34:09 2018
Summary: Security update for ncurses
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).


-----------------------------------------
Patch: SUSE-2018-2831
Released: Tue Dec  4 12:10:44 2018
Summary: Recommended update for python-mock, python-pbr
Severity: low
References: 1054413
Description:

This update ships newer versions of python-mock and python-pbr
to allow updates to other python modules like python-urllib3 and python-docker-py.
  

-----------------------------------------
Patch: SUSE-2018-2836
Released: Wed Dec  5 09:29:31 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)


-----------------------------------------
Patch: SUSE-2018-2840
Released: Wed Dec  5 09:57:54 2018
Summary: Recommended update for permissions
Severity: moderate
References: 1028304,1047247,1050467,1097665,1111251
Description:
This update for permissions fixes the following issues:

- Allow setuid root for start-suid tool of singularity (group only) bsc#1028304
- Allow setuid root for authbind binary (bsc#1111251)
- A incorrect error message was adjusted (bsc#1047247 bsc#1097665)
- Make btmp root:utmp (bsc#1050467)



-----------------------------------------
Patch: SUSE-2018-2841
Released: Wed Dec  5 09:59:45 2018
Summary: Recommended update for glibc
Severity: moderate
References: 1105236,1110661,1112858
Description:
This update for glibc fixes the following issues:

- Added more checks for valid ld.so.cache file (bsc#1110661)
- Rewrite elf_machine_load_address using _DYNAMIC symbol (bsc#1112858)
- Always use __IPC_64 on powerpc as required by the kernel (bsc#1105236)


-----------------------------------------
Patch: SUSE-2018-2842
Released: Wed Dec  5 10:00:35 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1044232
Description:
This update for suse-build-key fixes the following issues:

- Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also
  on systems where documentation is not installed. (bsc#1044232)


-----------------------------------------
Patch: SUSE-2018-2885
Released: Mon Dec 10 14:06:27 2018
Summary: Security update for python-cryptography, python-pyOpenSSL
Severity: important
References: 1021578,1111634,1111635,CVE-2018-1000807,CVE-2018-1000808
Description:

This update for python-cryptography, python-pyOpenSSL fixes the following issues:

Security issues fixed:

- CVE-2018-1000808: A memory leak due to missing reference checking in PKCS#12 store handling was fixed (bsc#1111634)
- CVE-2018-1000807: A use-after-free in X509 object handling was fixed (bsc#1111635)

- avoid bad interaction with python-cryptography package. (bsc#1021578)

  

-----------------------------------------
Patch: SUSE-2018-2893
Released: Tue Dec 11 09:21:17 2018
Summary: Security update for compat-openssl098
Severity: moderate
References: 1104789,1110018,1113534,1113652,CVE-2016-8610,CVE-2018-0734,CVE-2018-5407
Description:
This update for compat-openssl098 fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- CVE-2016-8610: Adjusted current fix and add missing error string (bsc#1110018).
- Fixed the 'One and Done' side-channel attack on RSA (bsc#1104789).


-----------------------------------------
Patch: SUSE-2018-2897
Released: Tue Dec 11 17:50:11 2018
Summary: Recommended update for python-pyOpenSSL
Severity: important
References: 1119077
Description:
This update for python-pyOpenSSL fixes the following issues:

- Fix a regression in the last security update that disrupted
  SUSE Manager installations (bsc#1119077)



-----------------------------------------
Patch: SUSE-2018-2901
Released: Tue Dec 11 21:46:34 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1105301
Description:
This update for icewm fixes the following issues:

- Adds a recommended package to ensure 'Lock Workstation' works (bsc#1105301)


-----------------------------------------
Patch: SUSE-2018-2906
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in same manner as used by the release notes


-----------------------------------------
Patch: SUSE-2018-2907
Released: Tue Dec 11 21:48:20 2018
Summary: Recommended update for release-notes-sles
Severity: moderate
References: 1101609,1114516
Description:
This update for release-notes-sles fixes the following issues:

- New notes:
  * Product registration changes for HPC customers (fate#326567)
- Document fixes and changed notes:
  * Removed circular links, correct documentation URL (bsc#1101609)
  * Updated mentions of 'IBM z Systems' to use the new branding 'IBM Z'


-----------------------------------------
Patch: SUSE-2018-2909
Released: Tue Dec 11 21:48:42 2018
Summary: Recommended update for perl-Bootloader
Severity: moderate
References: 1079321,1108777,994322
Description:
This update for perl-Bootloader fixes the following issues:

- Create temporary files in /tmp (bsc#1108777)
- Work without /etc/default/grub_installdevice (bsc#1079321,
  bsc#994322)


-----------------------------------------
Patch: SUSE-2018-2917
Released: Wed Dec 12 16:05:34 2018
Summary: Security update for cups
Severity: important
References: 1115750,CVE-2018-4700
Description:
This update for cups fixes the following issues:

Security issue fixed:

- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).


-----------------------------------------
Patch: SUSE-2018-2925
Released: Wed Dec 12 19:10:30 2018
Summary: Recommended update for dracut
Severity: moderate
References: 1055834,1089332,1090884,1094603,1098448,1104090,1104178
Description:
This update for dracut fixes the following issues:

- Avoid executing emergency hook twice
- If no server is configured, read BOOTSERVERADDR from wicked's leaseinf (bsc#1089332)
- Fix finding btrfs devices (bsc#1104178)
- lsinitrd: Fix cat: write error: Broken pipe error (bsc#1094603)
- Add fix to override ACPI tables via initrd, a kernel config variable
  changed name (bsc#1098448)
- 98dracut-systemd: Start systemd-vconsole-setup before dracut-cmdline-ask
  (bsc#1055834)
- Mark the DASD udev rules host-only and handle backslashes in paths for
  hostonly files (bsc#1090884)
- Add kernel-syms to list of packages to remove with purge-kernels (bsc#1104090)
- Skip kernels that cannot be removed by purge-kernels due to dependencies and
  continue removing other kernels (bsc#1104090)


-----------------------------------------
Patch: SUSE-2018-2946
Released: Mon Dec 17 08:50:42 2018
Summary: Security update for tcpdump
Severity: moderate
References: 1117267,CVE-2018-19519
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)


-----------------------------------------
Patch: SUSE-2018-2947
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay
  are enabled, attempts to free a buffer that was allocated on the stack,
  which allows remote attackers to cause a denial of service (slapd crash)
  via a member MODDN operation.  (bsc#1073313)


-----------------------------------------
Patch: SUSE-2018-2973
Released: Tue Dec 18 07:30:43 2018
Summary: Recommended update for libepubgen, libetonyek, liblangtag, libmwaw, libnumbertext, libreoffice, libstaroffice, libwps, myspell-dictionaries, xmlsec1
Severity: moderate
References: 1050305,1094779,1096360,1104876
Description:

This update for LibreOffice, libepubgen, libetonyek, liblangtag, libmwaw, libnumbertext, libstaroffice, libwps, myspell-dictionaries, xmlsec1 fixes the following issues:

LibreOffice was updated to 6.1.3.2 (fate#326624) and contains new features and lots of bugfixes:

The full changelog can be found on:

        https://wiki.documentfoundation.org/ReleaseNotes/6.1

Add more translations:

  * Belarusian
  * Bodo
  * Dogri
  * Frisian
  * Gaelic
  * Paraguayan_Guaran
  * Upper_Sorbian
  * Konkani
  * Kashmiri
  * Luxembourgish
  * Monglolian
  * Manipuri
  * Burnese
  * Occitan
  * Kinyarwanda
  * Santali
  * Sanskrit
  * Sindhi
  * Sidamo
  * Tatar
  * Uzbek
  * Upper Sorbian
  * Venetian
  * Amharic
  * Asturian
  * Tibetian
  * Bosnian
  * English GB
  * English ZA
  * Indonesian
  * Icelandic
  * Georgian
  * Khmer
  * Lao
  * Macedonian
  * Nepali
  * Oromo
  * Albanian
  * Tajik
  * Uyghur
  * Vietnamese
  * Kurdish

- Try to build all languages see bsc#1096360
- Make sure to install the KDE5/Qt5 UI/filepicker
- Try to implement safeguarding to avoid bsc#1050305
- Disable base-drivers-mysql as it needs mysqlcppcon that is only
  for mysql and not mariadb, causes issues bsc#1094779
  * Users can still connect using jdbc/odbc
- Fix java detection on machines with too many cpus

libepubgen was updated to 0.1.1:

- Avoid <div> inside <p> or <span>.
- Avoid writin vertical-align attribute without a value.
- Fix generation of invalid XHTML when there is a link starting at the beginning of a footnote.
- Handle relative width for images.
- Fixed layout: write chapter names to improve navigation.
- Support writing mode.
- Start a new HTML file at every page span in addition to the splits induced by the chosen split method. This is to ensure that specified writing mode works correctly, as it is HTML <body> attribute.



libetonyek was updated to 0.1.8:

- More support for keynote content
- Add support for Keynote 1 documents.
- Add support for Numbers 3 documents.
- Fix several issues found by oss-fuzz.
- Fix build with glm 0.9.9.
- Other fixes and improvements.

liblangtag was updated to 0.6.2:

- use standard function
- fix leak in test

libmwaw was updated to 0.3.14:

- Support MS Multiplan 1.1 files

libnumbertext was update to 1.0.5:

- Various fixes in numerical calculations and issues reported on libreoffice tracker

libstaroffice was updated to 0.0.6:

- retrieve some StarMath's formula,
- retrieve some charts as graphic,
- retrieve some fields in sda/sdc/sdp text-boxes,
- .sdw: retrieve more attachments.

libwps was updated to 0.4.9:

- QuattroPro: add parser to .wb3 files
- Multiplan: add parser to DOS v1-v3 files
- charts: try to retrieve charts in .wk*, .wq* files
- QuattroPro: add parser to .wb[12] files

myspell-dictionaries was updated to 20181025:

- Turkish dictionary added
- Updated French dictionary

xmlsec1 was updated to 1.2.26:

- Added xmlsec-mscng module based on Microsoft Cryptography API: Next Generation
- Added support for GOST 2012 and fixed CryptoPro CSP provider for GOST R 34.10-2001 in xmlsec-mscrypto

  

-----------------------------------------
Patch: SUSE-2018-2991
Released: Wed Dec 19 14:17:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1017693,1054594,1115717,990460,CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Description:
This update for tiff fixes the following issues:

Security issues fixed:                                   
    
- CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).


-----------------------------------------
Patch: SUSE-2018-3002
Released: Wed Dec 19 21:50:43 2018
Summary: Recommended update for psmisc
Severity: moderate
References: 1098697,1112780
Description:
This update for psmisc provides the following fix:

- Make the fuser option -m <block_device> work even with mountinfo. (bsc#1098697)
- Support also btrFS entries in mountinfo, that is use stat to determine the device of the
  mounted subvolume. (bsc#1098697, bsc#1112780)
- Respect that the seventh field(s) before the single hyphen of mountinfo are optional
  fields.


-----------------------------------------
Patch: SUSE-2018-3029
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)


-----------------------------------------
Patch: SUSE-2018-3031
Released: Fri Dec 21 17:34:46 2018
Summary: Recommended update for yast2-bootloader
Severity: important
References: 1114932
Description:
This update for yast2-bootloader fixes the following issue:

- When changing grub2-efi, the pmbr-checkbox was not being set correctly. (bsc#1114932)


-----------------------------------------
Patch: SUSE-2018-3032
Released: Fri Dec 21 17:35:03 2018
Summary: Recommended update for fonts-config
Severity: moderate
References: 1069468,1101985,1106850,998300
Description:
This update for fonts-config fixes the following issues:

- Many font rendering fixes, specially for Chinese. (bsc#1101985)
- Use noun phrasing and user-independent wording.
- Support colorored emojis.
- Modern fonts for symbols.
- Add configurations for Noto Sans/Serif CJK.
- Do not create fonts.dir and fonts.scale in encodings directory. (bsc#1106850)
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro.
  (bsc#1069468)
- Comma and the rest of family string is ignored while translating preference lists from
  sysconfig to fontconfig snippets. (bsc#998300)


-----------------------------------------
Patch: SUSE-2018-3037
Released: Fri Dec 21 17:36:19 2018
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1100351,1102589,1105916,1111608
Description:
This update for open-iscsi provides the following fixes:

- Limit dhpcv6 retries. (bsc#1105916)
- Restore space to output of 'iscsiadm -m node'. (bsc#1111608)
- iscsiuio: Do not flush tx queue on each uio interrupt. This makes ping to such NICs work
  better. (bsc#1102589)
- Update to latest upstream, including fixes for iscsiuio. (bsc#1100351)


-----------------------------------------
Patch: SUSE-2018-3038
Released: Fri Dec 21 17:36:35 2018
Summary: Recommended update for lio-utils
Severity: moderate
References: 1099520,1108982
Description:
This update for lio-utils provides the following fixes:

- Ensure deprecated target.service conflicts with targetcli.service, so that
  they are not executed at the same time. (bsc#1099520)
- Ensure that the generated script lio_setup.sh ends with success by properly returning
  its exit status. (bsc#1108982)


-----------------------------------------
Patch: SUSE-2018-3045
Released: Fri Dec 21 18:49:12 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Description:
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)


-----------------------------------------
Patch: SUSE-2018-3054
Released: Fri Dec 28 17:45:34 2018
Summary: Recommended update for hwinfo
Severity: moderate
References: 1018271,1084700,1107196
Description:
This update for hwinfo provides the following fixes:

- Add script tp update PCI and USB IDs. (fate#326431)
- Adjust hwinfo know about RISC-V.
- Update git2log script.
- Fix curl commands.
- Fix ID of S-Par storage controller. (bsc#1107196)
- Add network interfaces found on mdio bus. (bsc#1018271)
- The location of the S-Par drivers virtual buses has changed.
  (bsc#1107196)
- Ensure udev device links are unique. (bsc#1084700)
  

-----------------------------------------
Patch: SUSE-2019-16
Released: Thu Jan  3 14:22:23 2019
Summary: Recommended update for yast2-ntp-client
Severity: important
References: 1058510,1075039,1086526,1108497
Description:

This update for yast2-ntp-client provides the following fix:

- Save the service status according to the user preferences
  (bsc#1075039)
- Only write the configuration once, and do not save changes when
  we are only synchronizing the date. (bsc#1108497)
- Add support for writing Tinker record via autoyast (bsc#1086526)
- Avoid internal error during AutoYaST cloning when fudge records are present (bsc#1058510)



-----------------------------------------
Patch: SUSE-2019-19
Released: Fri Jan  4 12:37:51 2019
Summary: Security update for polkit
Severity: moderate
References: 1118277,CVE-2018-19788
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-19788: Fixed handling of UIDs over MAX_UINT (bsc#1118277)


-----------------------------------------
Patch: SUSE-2019-34
Released: Tue Jan  8 13:03:50 2019
Summary: Recommended update for yast2-network
Severity: moderate
References: 1103712,1105230,1107470,1108852
Description:
This update for yast2-network provides the following fixes:

- Fixes to the networking AutoYaST schema. (bsc#1103712, bsc#1108852)
  * Permitted the use of 'listentry' element in list entries.
  * Added missed s390 device 'layer2' boolean element.
- Does no longer crash with internal error when 0.0.0.0 netmask is used
  in the routing tab. (bsc#1105230)
- Fix a problem that was causing duplicate entry for network devices in
  70-persistent-net-rules. (bsc#1107470)


-----------------------------------------
Patch: SUSE-2019-37
Released: Tue Jan  8 13:05:14 2019
Summary: Recommended update for yast2
Severity: moderate
References: 1093052
Description:
This update for yast2 fixes the following issues:

yast2:
- When only one firewall is installed but not running, choose it
  instead of the default SuSEfirewall2 (bsc#1093052).

yast2-firewall:
- YaST now installs SuSEFirewall2 when it is selected as the firewall
  backend (bsc#1093052)


-----------------------------------------
Patch: SUSE-2019-43
Released: Tue Jan  8 13:07:17 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).


-----------------------------------------
Patch: SUSE-2019-46
Released: Wed Jan  9 12:04:44 2019
Summary: Recommended update for yast2-bootloader
Severity: important
References: 1070233,1093838,1119781,1119919
Description:

This update for yast2-bootloader fixes the following issues:

- Do not crash when clicking on booting during upgrade
  (bsc#1070233,bsc#1093838,bsc#1119919,bsc#1119781)


-----------------------------------------
Patch: SUSE-2019-70
Released: Thu Jan 10 20:34:06 2019
Summary: Recommended update for docker
Severity: moderate
References: 1119634
Description:

This update for docker fixes the following issues:

- Handle build breakage due to missing 'export GOPATH' (caused by resolution of
  bsc#1119634)


-----------------------------------------
Patch: SUSE-2019-72
Released: Thu Jan 10 20:34:44 2019
Summary: Recommended update for apache2
Severity: moderate
References: 1108989
Description:
This update for apache2 provides the following fix:

- Fix full scoreboard error. (bsc#1108989)


-----------------------------------------
Patch: SUSE-2019-99
Released: Tue Jan 15 18:02:05 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1111955
Description:
This update for grub2 provides the following fix:

- ieee1275: Fix double free in CAS reboot. (bsc#1111955)


-----------------------------------------
Patch: SUSE-2019-101
Released: Tue Jan 15 18:02:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:

- Update 2018i:
  São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  Metlakatla, Alaska observes PST this winter only
  Guess Morocco will continue to adjust clocks around Ramadan
  Add predictions for Iran from 2038 through 2090  


-----------------------------------------
Patch: SUSE-2019-107
Released: Wed Jan 16 11:56:21 2019
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1090767,1121045,1121207
Description:
This update for mozilla-nss fixes the following issues:

- The hmac packages used for FIPS certification inadvertently removed in last update: re-added.  (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)


-----------------------------------------
Patch: SUSE-2019-111
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)


-----------------------------------------
Patch: SUSE-2019-132
Released: Mon Jan 21 09:34:57 2019
Summary: Security update for openssh
Severity: important
References: 1121571,1121816,1121818,1121821,CVE-2018-20685,CVE-2019-6109,CVE-2019-6110,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)


-----------------------------------------
Patch: SUSE-2019-135
Released: Mon Jan 21 13:53:58 2019
Summary: Security update for systemd
Severity: moderate
References: 1005023,1076696,1101591,1114981,1115518,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866
Description:
This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- core: Queue loading transient units after setting their properties. (bsc#1115518)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- terminal-util: introduce vt_release() and vt_restore() helpers.
- terminal: Unify code for resetting kbd utf8 mode a bit.
- terminal Reset should honour default_utf8 kernel setting.
- logind: Make session_restore_vt() static.
- udev: Downgrade message when settting inotify watch up fails. (bsc#1005023)
- log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add.  In SLE-12-SP3,
  80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to
  detect non-zvm environment. The systemd-detect-virt returns exit failure code when it
  detected _none_ state.  The exit failure code causes that the hot-add memory block can
  not be set to online. (bsc#1076696)


-----------------------------------------
Patch: SUSE-2019-139
Released: Mon Jan 21 15:54:18 2019
Summary: Security update for python-urllib3
Severity: moderate
References: 1024540,1074247,1110422,CVE-2016-9015
Description:
This update for python-urllib3 fixes the following issues:

python-urllib3 was updated to version 1.22 (fate#326733, bsc#1110422) and contains new features and lots of bugfixes:

The full changelog can be found on:

        https://github.com/Lukasa/urllib3/blob/1.22/CHANGES.rst

Security issues fixed:

- CVE-2016-9015: TLS certificate validation vulnerability (bsc#1024540).
  (This issue did not affect our previous version 1.16.)

Non security issues fixed:

- bsc#1074247: Fix test suite, use correct date (gh#shazow/urllib3#1303).


-----------------------------------------
Patch: SUSE-2019-140
Released: Mon Jan 21 17:31:39 2019
Summary: Recommended update for python-ipaddress
Severity: low
References: 1112174
Description:

This update for python-ipaddress fixes the following issue:

Version update to 1.0.18:

- various small bugfixes
- new is_global method

  

-----------------------------------------
Patch: SUSE-2019-143
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Severity: important
References: 1121450
Description:

This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)


-----------------------------------------
Patch: SUSE-2019-149
Released: Wed Jan 23 17:58:18 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1121446
Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)


-----------------------------------------
Patch: SUSE-2019-154
Released: Thu Jan 24 13:49:27 2019
Summary: Recommended update for yast2-firewall
Severity: low
References: 1119831
Description:
This update for yast2-firewall provides the following fix:

- Make sure yast2-firewall requires the correct version of yast2. (bsc#1119831)


-----------------------------------------
Patch: SUSE-2019-157
Released: Thu Jan 24 13:53:29 2019
Summary: Recommended update for python-pyOpenSSL
Severity: moderate
References: 1052927
Description:
This update for python-pyOpenSSL provides the following fix:

- Add python-setuptools as a requirement. (bsc#1052927)


-----------------------------------------
Patch: SUSE-2019-159
Released: Thu Jan 24 13:54:09 2019
Summary: Recommended update for hwinfo
Severity: moderate
References: 1117982
Description:
This update for hwinfo provides the following fix:

- Adjust system type detection. (bsc#1117982)


-----------------------------------------
Patch: SUSE-2019-168
Released: Fri Jan 25 08:06:14 2019
Summary: Recommended update for wicked
Severity: moderate
References: 1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
Description:

  

wicked was updated to version 0.6.52.

Following issues have been addressed:

- wickedd: fix netdev detection bootstrap race (bsc#1107579)
- compat: fix ifcfg parsing crash if network/config is missed
- wireless: fix eap peap auth mapping for wpa-supplicant (bsc#1026807)
- vxlan: fix to convert dst_port to network byte order
- firewall: do not assign default zone, but pass as is (bsc#1109147)
- nanny: fix memory leaks on fast create-delete calls (bsc#1095818)
  + fsm: cleanup worker reset (reinit) vs. free
  + fsm: do not process or pass pending workers to nanny
  + nanny: catch init failures in device registration
  + netdev: allow NULL in get and put functions
  + model: fix to call (netif) dbus object destructors
  + model: removed server specific call in netif destroy
  + fsm: handle NULL in worker get and release calls
  + fsm: process device delete event separately
  + calls: split get netif service and netif list utils
  + xml-schema: fix range constraint values parsing
  + xml-schema: remove underscores from ni_xs_type_new
  + xml-schema: fix type leak around ni_xs_build_one_type
  + fsm: free worker control mode on worker free
  + xpath: trace and free complete xpath expression tree
  + nanny: fix config leak in ni_nanny_recheck_policy
  + dbus: free pending call in ni_dbus_connection_call
  + dbus: free dbus_message_iter_get_signature result
- dhcp6: fix to properly decline dynamic addresses
- extensions: do not use /etc/HOSTNAME artifact (bsc#972463)
- ethtool: call offload ioctl if requested by offload name,
  e.g. tso has been splitted into several features and the
  old STSO offload ioctl sets multiple features at once.
- ethtool: add missing pause support (bsc#1102871)
- dhcp6: refresh info using rfc4242 info-refresh-time
- dhcp6: add ia and ia addr list search utilities, improve
  status utils and use timeval struct in ia acquired times
- dhcp6: restart on NotOnLink status request reply
- ifcfg: show unknown/invalid bootproto as error
- dhcp6: Fix server preference and weight option behaviour
- dhcp6: retrigger duplicate detection on all address updates
- man: add ifcfg-lo.5 manual page
- man: add missing documentation for DHCLIENT6_CLIENT_ID
- man: improved create-cid docs in wicked-config(5) (bsc#1084527)
- address cache-info and lease acquisition time fixes and cleanups
- ethtool: streamline options available on all devices (bsc#1085786)
- dhcp4: expose broadcast response as DHCLIENT_BROADCAST in ifcfg
- ipoib: do not fail setup on mode or umcast set failure (bsc#1084462)
- bond: avoid reenslave failure in fail_over_mac mode (bsc#1083670)
- Fix show-xml filtering by interface name (issue #735,bsc#954758)
- ifconfig: refresh state before link reenslave hotfix (bsc#1061051
- ethtool: query priv-flags bitmap first (bsc#1085020)
- util: fix a memory leak in ni_var_array_free
- client: refactor arp utility to add missed arp ping (bsc#1078245)
- dbus: omit zero-length hwaddr data properties
- ibft: no IP setup on bnx2x storage-only interfaces (bsc#1072343)
- fixed format, self compare and always true issues
- client: fixed broken wicked arp utility command (bsc#1078245)
- cleanup: add mising/explicit designated field initializers
- pkgconfig: fix to request libnl3 instead of libnl1
- dbus: add missing DBUS_ERROR_FAILED type to a dbus_set_error call
  and enforce formatting input as string when an extension did not
  returned any error message.
- wickedd: clear master references on slaves when a master gets
  deleted and the deletion event arrives before unenslave event
  to avoid a bridge reenslave failure on restart (bsc#1061051).
- dhcp6: reapply confirmed addresses, also on any confirm
  status other to not-on-link
- dhcp: clear hostname on lease recovery/reboot (bsc#1057007)
- firewall: add firewalld and zone support (fate#320794)
- ifconfig: cleanup slaves before enslaving (bsc#1036675)
- ethtool: add rxvlan, txvlan, ntuple and rxhash offloads
- dhcp6: fix to send up to 5 release retransmissions
- dhcp4: fix to use rfc4361 client-id on infiniband (bsc#1022872)
- man: ifcfg.5: Fix directory name for compatibility scripts
- dhcp: cleanup common option update flags (bsc#1027099)
- vxlan: convert ifcfg VXLAN_REMOTE_IP to remote-ip


-----------------------------------------
Patch: SUSE-2019-179
Released: Fri Jan 25 17:58:07 2019
Summary: Security update for avahi
Severity: moderate
References: 1120281,CVE-2018-1000845
Description:
This update for avahi fixes the following issues:

Security issue fixed:

- CVE-2018-1000845: Fixed DNS amplification and reflection to spoofed addresses (DOS) (bsc#1120281)


-----------------------------------------
Patch: SUSE-2019-202
Released: Tue Jan 29 20:19:40 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1119029,1119110,1122172
Description:
This update for google-compute-engine provides the following fixes:

- Fixes from version 20181206 (bsc#1119029, bsc#1119110):
  + Google Compute Engine
    * Support enabling OS Login two factor authentication.
    * Improve accounts support for FreeBSD.
  + Google Compute Engine OS Login
    * Support OS Login two factor authentication (Alpha).
    * Improve SELinux support.
- Fixes from version 20181023:
  + Google Compute Engine
    * Fix: Update sudoer group membership without overriding local groups.
- Fixes from version 20181018:
  + Google Compute Engine
    * Fix: Remove users from sudoers group on account removal.
- Fixes from version 20181011:
  + Google Compute Engine
    * Revert: Remove users from sudoers group on account removal.
- Fixes from version 20181008:
  + Google Compute Engine
    * Remove users from sudoers group on account removal.
    * Remove gsutil dependency for metadata scripts.
- Fixes from version 20180905:
  + Google Compute Engine
    * Remove ntp package dependency.
    * Support Debian 10 Buster.
    * Restart the network daemon if networking is restarted.
    * Prevent setup of the default ethernet interface.
    * Accounts daemon verifies username is 32 characters or less.
  + Google Compute Engine OS Login
    * Add user name validation to pam modules.
    * Return false on failed final load.
    * Support FreeBSD.
    * Support Debian 10 Buster.
- Fixes from version 20180611:
  + Google Compute Engine
    * Prevent IP forwarding daemon log spam.
    * Make default shell configurable when executing metadata scripts.
    * Rename distro directory to distro_lib.


-----------------------------------------
Patch: SUSE-2019-209
Released: Thu Jan 31 09:41:23 2019
Summary: Security update for rsyslog
Severity: important
References: 1123164,CVE-2018-16881
Description:
This update for rsyslog fixes the following issues:

Security issue fixed:

- CVE-2018-16881: Fixed a denial of service when both the imtcp module and Octet-Counted TCP Framing is enabled (bsc#1123164).


-----------------------------------------
Patch: SUSE-2019-212
Released: Thu Jan 31 13:05:47 2019
Summary: Recommended update for openssh
Severity: important
References: 1123028
Description:
This update for openssh fixes the following issues:

- A previously applied security patch unintendedly changed the behavior of
  OpenSSH's 'scp' utility such that server-side brace expansion would no longer
  be supported. Attempts to copy a set files from a remote machine to the local
  one by running 'scp 'remote:{file-a,file-b}' /tmp' would fail. This change in
  behavior broke Corosync and, potentially, many user scripts that relied on
  brace expansion. [bsc#1123028]


-----------------------------------------
Patch: SUSE-2019-218
Released: Thu Jan 31 20:30:20 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1118629
Description:
This update for kmod fixes the following issues:

- Fix module dependency file corruption on parallel invocation (bsc#1118629).

-----------------------------------------
Patch: SUSE-2019-243
Released: Tue Feb  5 15:40:13 2019
Summary: Security update for python3
Severity: important
References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)


-----------------------------------------
Patch: SUSE-2019-249
Released: Wed Feb  6 08:36:16 2019
Summary: Security update for curl
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823
Description:
This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).


-----------------------------------------
Patch: SUSE-2019-253
Released: Wed Feb  6 11:23:47 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1114754
Description:
This update for grub2 fixes the following issues:

- Fixed possible install media boot issues on certain hardware 
  by changing default tsc calibration method to pmtimer on EFI. (bsc#1114754)


-----------------------------------------
Patch: SUSE-2019-261
Released: Wed Feb  6 11:26:21 2019
Summary: Recommended update for pam-config
Severity: moderate
References: 1114835
Description:
This update for pam-config fixes the following issues:

- Adds support for more pam_cracklib options. (bsc#1114835)


-----------------------------------------
Patch: SUSE-2019-284
Released: Thu Feb  7 13:23:54 2019
Summary: Security update for libunwind
Severity: moderate
References: 1122012,936786,976955,CVE-2015-3239
Description:
This update for libunwind fixes the following issues:

Security issues fixed:

- CVE-2015-3239: Fixed a off-by-one in the dwarf_to_unw_regnum function (bsc#936786)

Non-security issues fixed:

- Fixed a dependency issue with libzmq5 (bsc#1122012)
- Fixed build on armv7 (bsc#976955)


-----------------------------------------
Patch: SUSE-2019-336
Released: Tue Feb 12 14:16:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1120374,1122983,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505
Description:
This update for MozillaFirefox fixes the following issues:

Security issues fixed:

CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (boo#1122983).
CVE-2018-18501: Fixed multiple memory safety bugs (boo#1122983).
CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (boo#1122983).


-----------------------------------------
Patch: SUSE-2019-372
Released: Wed Feb 13 14:02:35 2019
Summary: Recommended update for xrdb
Severity: moderate
References: 1120004
Description:
This update for xrdb fixes the following issues:

- Now no warnings will be shown when parsing valid comments. (bsc#1120004)


-----------------------------------------
Patch: SUSE-2019-375
Released: Wed Feb 13 14:03:33 2019
Summary: Recommended update for boost
Severity: moderate
References: 1089363
Description:
This update for boost fixes the following issues:
    
- Fixes build issues caused by the Boost.Context library. (bnc#1089363)


-----------------------------------------
Patch: SUSE-2019-385
Released: Wed Feb 13 17:56:05 2019
Summary: Security update for docker-runc
Severity: important
References: 1121967,CVE-2019-5736
Description:
This update for docker-runc fixes the following issues:

Security issue fixed:

- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid
  write attacks to the host runc binary, which could lead to a container
  breakout (bsc#1121967)


-----------------------------------------
Patch: SUSE-2019-388
Released: Thu Feb 14 13:26:34 2019
Summary: Recommended update for additional Python updates
Severity: moderate
References: 1054413
Description:

This update brings new versions for several python modules, needed for
updates for other parts of the python stack, to enable the Python Azure SDK.

It also enables and ship various modules as Python3 modules.

- python-adal: was updated to 0.5.0 and python 3 enabled.
- python-chardet: was updated to 3.0.4 and python 3 enabled.
- python-linecache2: new version 1.0.0 as a dependency of unittest2.
- python-msrestazure: was updated to 0.4.11 and python 3 enabled.
- python-msrest: was updated to 0.4.11 and python 3 enabled.
- python-oauthlib: was python 3 enabled.
- python-PyJWT: was python 3 enabled.
- python-pytest-runner: was updated to 4.2 and python 3 enabled.
- python-requests-oauthlib: was python 3 enabled.
- python-traceback2: was updated to 1.1.0 and python 3 enabled.
- python-unittest2: was updated to 1.1.10 and python 3 enabled.

  

-----------------------------------------
Patch: SUSE-2019-428
Released: Tue Feb 19 10:59:59 2019
Summary: Security update for systemd
Severity: important
References: 1111498,1117025,1117382,1120658,1122000,1122344,1123333,1123892,1125352,CVE-2019-6454
Description:
This update for systemd fixes the following issues:

Security vulnerability fixed:

- CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS
  message on the system bus by an unprivileged user (bsc#1125352)

Other bug fixes and changes:

- journal-remote: set a limit on the number of fields in a message
- journal-remote: verify entry length from header
- journald: set a limit on the number of fields (1k)
- journald: do not store the iovec entry for process commandline on stack
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- manager: don't skip sigchld handler for main and control pid for services (#3738)
- core: Add helper functions unit_{main, control}_pid
- manager: Fixing a debug printf formatting mistake (#3640)
- manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
- core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
- sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
- unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
- core: when restarting services, don't close fds
- cryptsetup: Add dependency on loopback setup to generated units
- journal-gateway: use localStorage['cursor'] only when it has valid value
- journal-gateway: explicitly declare local variables
- analyze: actually select longest activated-time of services
- sd-bus: fix implicit downcast of bitfield reported by LGTM
- core: free lines after reading them (bsc#1123892)
- pam_systemd: reword message about not creating a session (bsc#1111498)
- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
- main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
- sd-bus: if we receive an invalid dbus message, ignore and proceeed
- automount: don't pass non-blocking pipe to kernel.
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)


-----------------------------------------
Patch: SUSE-2019-434
Released: Tue Feb 19 12:19:02 2019
Summary: Recommended update for libsemanage
Severity: moderate
References: 1115500
Description:
This update for libsemanage provides the following fix:

- Prevent an error message when reading module version if the directory does not exist.
  (bsc#1115500)


-----------------------------------------
Patch: SUSE-2019-440
Released: Tue Feb 19 18:52:51 2019
Summary: Recommended update for dmidecode
Severity: moderate
References: 1120149
Description:
This update for dmidecode fixes the following issues:

- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)


-----------------------------------------
Patch: SUSE-2019-450
Released: Wed Feb 20 16:42:38 2019
Summary: Security update for procps
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

  
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)


-----------------------------------------
Patch: SUSE-2019-454
Released: Wed Feb 20 17:44:42 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1123671,1123672
Description:
This update for google-compute-engine fixes the following issues:

Google Compute Engine was updated to version 20190124 (bsc#1123671, bsc#1123672)

* Fix metadata script retrieval to support Python 3.


-----------------------------------------
Patch: SUSE-2019-482
Released: Mon Feb 25 11:57:46 2019
Summary: Security update for python
Severity: important
References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).

Non-security issue fixed:

- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).


-----------------------------------------
Patch: SUSE-2019-486
Released: Mon Feb 25 17:41:51 2019
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1029162,1058616,1072973,1086356,1093688,1114985,1120980
Description:
This update for cloud-regionsrv-client fixes the following issues:

Update to version 8.1.3:

- Fix file permissions for generated credentials rw root only
- Generate instance data as string as expected by zypper plugin handling
- Write the proper credentials file when switching back to RIS service
- Support registration against RMT
- Implement URL resolver to facilitate instance verification for
  zypper access
- Fixes related to bsc#1120980 also need server side support
- IPv6 support
- Fix handling of older cached SMT objects loaded from cached file
- Fix variable name issue in plugin to avoid always falling back to the
  wire server in the exception handling block. Found and fixed by jmason
- Azure plugin, use proper URL to get region information from
  metadata server
- systemd order, only start after the network is online
- systemd order start before GCE user scripts are executed
- Update to version 7.0.7 (bsc#1058616, 1058719)

-----------------------------------------
Patch: SUSE-2019-498
Released: Tue Feb 26 16:44:20 2019
Summary: Security update for apache2
Severity: moderate
References: 1121086,1122838,1122839,CVE-2018-17189,CVE-2018-17199
Description:
This update for apache2 fixes the following issues:

Security issues fixed:

- CVE-2018-17189: Fixed a denial of service in mod_http2, via slow and unneeded request bodies (bsc#1122838)
- CVE-2018-17199: Fixed that mod_session_cookie did not respect expiry time (bsc#1122839)

Non-security issue fixed:

- sysconfig.d is not created anymore if it already exists (bsc#1121086)


-----------------------------------------
Patch: SUSE-2019-514
Released: Thu Feb 28 15:39:05 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1112300
Description:
This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)


-----------------------------------------
Patch: SUSE-2019-517
Released: Thu Feb 28 15:39:57 2019
Summary: Recommended update for libapr-util1
Severity: moderate
References: 1125331
Description:
This update for libapr-util1 fixes the following issues:

- build against the threadsafe libldap_r instead of libldap to avoid potential crashes (bsc#1125331)


-----------------------------------------
Patch: SUSE-2019-541
Released: Mon Mar  4 17:45:18 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1015336,1015337,1015340,1019683,1019695,1020413,1020645,1023175,1027260,1027457,1031492,1042286,1043083,1046264,1047487,1048916,1050549,1065600,1066223,1068032,1070805,1078355,1079935,1086095,1086423,1086652,1091405,1093158,1094244,1094823,1094973,1096242,1096281,1099523,1099810,1100105,1101557,1102439,1102660,1102875,1102877,1102879,1102882,1102896,1103097,1103156,1103257,1103624,1104098,1104731,1105428,1106061,1106105,1106237,1106240,1106929,1107385,1107866,1108145,1108240,1109272,1109330,1109695,1109806,1110286,1111062,1111174,1111809,1112246,1112963,1113412,1113766,1114190,1114417,1114475,1114648,1114763,1114839,1114871,1114893,1115431,1115433,1115440,1115482,1115709,1116027,1116183,1116285,1116336,1116345,1116497,1116653,1116841,1116924,1116950,1116962,1117108,1117162,1117165,1117186,1117562,1117645,1117744,1118152,1118316,1118319,1118505,1118790,1118798,1118915,1118922,1118926,1118930,1118936,1119204,1119680,1119714,1119877,1119946,1119967,1119970,1120017,1120046,1120722,1120743,1120758,1120902,1120950,1121239,1121240,1121241,1121242,1121275,1121621,1121726,1122650,1122651,1122779,1122885,1123321,1123323,1123357,1123933,1124166,1124728,1124732,1124735,1124775,1124777,1124780,1124811,1125000,1125014,1125446,1125794,1125796,1125808,1125809,1125810,1125892,985031,CVE-2018-1120,CVE-2018-16862,CVE-2018-16884,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9568,CVE-2019-3459,CVE-2019-3460,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.175 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free. (bnc#1124728)
- CVE-2019-7221: Fixed a user-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732).
- CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host's stack memory contents to a guest (bsc#1124735).
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker could have caused utilities from psutils or procps (such as ps, w) or any other program which made a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks) (bnc#1093158).
- CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).
- CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).
- CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).
- CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).
- CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).
- CVE-2018-5391: The Linux kernel was vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bnc#1103097).
- CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).
- CVE-2019-3459,CVE-2019-3460: Two remote information leak vulnerabilities in the Bluetooth stack were fixed that could potentially leak kernel information (bsc#1120758)

The following non-security bugs were fixed:

- 9p: clear dangling pointers in p9stat_free (bnc#1012382).
- 9p locks: fix glock.client_id leak in do_lock (bnc#1012382).
- 9p/net: put a lower bound on msize (bnc#1012382).
- acpi/iort: Fix iort_get_platform_device_domain() uninitialized pointer value (bsc#1121239).
- acpi/lpss: Add alternative ACPI HIDs for Cherry Trail DMA controllers (bnc#1012382).
- acpi/nfit: Block function zero DSMs (bsc#1123321).
- acpi/nfit: Fix ARS overflow continuation (bsc#1125000).
- acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value (bsc#1124775).
- acpi/nfit: Fix command-supported detection (bsc#1123323).
- acpi/nfit, x86/mce: Handle only uncorrectable machine checks (bsc#1114648).
- acpi/nfit, x86/mce: Validate a MCE's address before using it (bsc#1114648).
- acpi/platform: Add SMB0001 HID to forbidden_id_list (bnc#1012382).
- acpi/power: Skip duplicate power resource references in _PRx (bnc#1012382).
- acpi/processor: Fix the return value of acpi_processor_ids_walk() (git fixes (acpi)).
- af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers (bnc#1012382).
- ahci: do not ignore result code of ahci_reset_controller() (bnc#1012382).
- aio: fix spectre gadget in lookup_ioctx (bnc#1012382).
- aio: hold an extra file reference over AIO read/write operations (bsc#1116027).
- alpha: Fix Eiger NR_IRQS to 128 (bnc#1012382).
- alpha: fix page fault handling for r16-r18 targets (bnc#1012382).
- ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write (bnc#1012382).
- ALSA: bebob: fix model-id of unit for Apogee Ensemble (bnc#1012382).
- ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops (bnc#1012382).
- ALSA: compress: Fix stop handling on compressed capture streams (bnc#1012382).
- ALSA: control: Fix race between adding and removing a user element (bnc#1012382).
- ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: emux: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) (bnc#1012382).
- ALSA: hda: add mute LED support for HP EliteBook 840 G4 (bnc#1012382).
- ALSA: hda - Add quirk for HP EliteBook 840 G5 (bnc#1012382).
- ALSA: hda: Add support for AMD Stoney Ridge (bnc#1012382).
- ALSA: hda: Check the non-cached stream buffers more explicitly (bnc#1012382).
- ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bnc#1012382).
- ALSA: hda - Serialize codec registrations (bnc#1012382).
- ALSA: hda/tegra: clear pending irq handlers (bnc#1012382).
- ALSA: isa/wavefront: prevent some out of bound writes (bnc#1012382).
- ALSA: pcm: Call snd_pcm_unlink() conditionally at closing (bnc#1012382).
- ALSA: pcm: Fix interval evaluation with openmin/max (bnc#1012382).
- ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: pcm: Fix starvation on down_write_nonblock() (bnc#1012382).
- ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command (bnc#1012382).
- ALSA: rme9652: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: sparc: Fix invalid snd_free_pages() at error path (bnc#1012382).
- ALSA: timer: Fix zero-division by continue of uninitialized instance (bnc#1012382).
- ALSA: trident: Suppress gcc string warning (bnc#1012382).
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (bnc#1012382).
- ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks (bnc#1012382).
- ALSA: usb-audio: Fix implicit fb endpoint setup by quirk (bnc#1012382).
- ALSA: wss: Fix invalid snd_free_pages() at error path (bnc#1012382).
- amd/iommu: Fix Guest Virtual APIC Log Tail Address Register (bsc#1106105).
- arc: change defconfig defaults to ARCv2 (bnc#1012382).
- arc: [devboards] Add support of NFSv3 ACL (bnc#1012382).
- arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 (bnc#1012382).
- arc: io.h: Implement reads{x}()/writes{x}() (bnc#1012382).
- arc: perf: map generic branches to correct hardware condition (bnc#1012382).
- arm64: Disable asm-operand-width warning for clang (bnc#1012382).
- arm64: Do not trap host pointer auth use to EL2 (bnc#1012382).
- arm64: dts: stratix10: Correct System Manager register size (bnc#1012382).
- arm64: Enabled ENA (Amazon network driver) for arm64
- arm64: ftrace: do not adjust the LR value (bnc#1012382).
- arm64: hardcode rodata_enabled=true earlier in the series (bsc#1114763).
- arm64: hyp-stub: Forbid kprobing of the hyp-stub (bnc#1012382).
- arm64/kvm: consistently handle host HCR_EL2 flags (bnc#1012382).
- arm64: kvm: Skip MMIO insn after emulation (bnc#1012382).
- arm64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT code (bsc#985031).
- arm64: percpu: Initialize ret in the default case (bnc#1012382).
- arm64: perf: set suppress_bind_attrs flag to true (bnc#1012382).
- arm64: remove no-op -p linker flag (bnc#1012382).
- arm: 8799/1: mm: fix pci_ioremap_io() offset check (bnc#1012382).
- arm: 8808/1: kexec:offline panic_smp_self_stop CPU (bnc#1012382).
- arm: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address handling (bnc#1012382).
- arm: cns3xxx: Fix writing to wrong PCI config registers after alignment (bnc#1012382).
- arm: dts: apq8064: add ahci ports-implemented mask (bnc#1012382).
- arm: dts: da850-evm: Correct the sound card name (bnc#1012382).
- arm: dts: Fix OMAP4430 SDP Ethernet startup (bnc#1012382).
- arm: dts: imx53-qsb: disable 1.2GHz OPP (bnc#1012382).
- arm: dts: kirkwood: Fix polarity of GPIO fan lines (bnc#1012382).
- arm: dts: mmp2: fix TWSI2 (bnc#1012382).
- arm: fix mis-applied iommu identity check (bsc#1116924).
- arm: imx: update the cpu power up timing setting on i.mx6sx (bnc#1012382).
- arm: iop32x/n2100: fix PCI IRQ mapping (bnc#1012382).
- arm: kvm: fix building with gcc-8 (bsc#1121241).
- arm: OMAP1: ams-delta: Fix possible use of uninitialized field (bnc#1012382).
- arm: OMAP2+: hwmod: Fix some section annotations (bnc#1012382).
- arm: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup (bnc#1012382).
- arm: pxa: avoid section mismatch warning (bnc#1012382).
- asix: Check for supported Wake-on-LAN modes (bnc#1012382).
- ASoC: ak4613: Enable cache usage to fix crashes on resume (bnc#1012382).
- ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages (bnc#1012382).
- ASoC: dapm: Recalculate audio map forcely when card instantiated (bnc#1012382).
- ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M (bnc#1012382).
- ASoC: Intel: mrfld: fix uninitialized variable access (bnc#1012382).
- ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bnc#1012382).
- ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bnc#1012382).
- ASoC: spear: fix error return code in spdif_in_probe() (bnc#1012382).
- ASoC: wm8940: Enable cache usage to fix crashes on resume (bnc#1012382).
- ata: Fix racy link clearance (bsc#1107866).
- ataflop: fix error handling during setup (bnc#1012382).
- ath10k: fix kernel panic due to race in accessing arvif list (bnc#1012382).
- ath10k: schedule hardware restart if WMI command times out (bnc#1012382).
- ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382).
- ax88179_178a: Check for supported Wake-on-LAN modes (bnc#1012382).
- b43: Fix error in cordic routine (bnc#1012382).
- batman-adv: Avoid WARN on net_device without parent in netns (bnc#1012382).
- batman-adv: Expand merged fragment buffer for full packet (bnc#1012382).
- batman-adv: Force mac header to start of data on xmit (bnc#1012382).
- bcache: fix miss key refill->end in writeback (bnc#1012382).
- bfs: add sanity check at bfs_fill_super() (bnc#1012382).
- binfmt_elf: fix calculations for bss padding (bnc#1012382).
- bitops: protect variables in bit_clear_unless() macro (bsc#1116285).
- block: fix inheriting request priority from bio (bsc#1116924).
- block/loop: Use global lock for ioctl() operation (bnc#1012382).
- block: respect virtual boundary mask in bvecs (bsc#1113412).
- block/swim3: Fix -EBUSY error when re-opening device after unmount (Git-fixes).
- Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth (bnc#1012382).
- Bluetooth: Fix unnecessary error message for HCI request completion (bnc#1012382).
- Bluetooth: SMP: fix crash in unpairing (bnc#1012382).
- bna: ethtool: Avoid reading past end of buffer (bnc#1012382).
- bnx2x: Assign unique DMAE channel number for FW DMAE transactions (bnc#1012382).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bonding: fix 802.3ad state sent to partner when unbinding slave (bnc#1012382).
- bpf: fix check of allowed specifiers in bpf_trace_printk (bnc#1012382).
- bpf: generally move prog destruction to RCU deferral (bnc#1012382).
- bpf: support 8-byte metafield access (bnc#1012382).
- bpf, trace: check event type in bpf_perf_event_read (bsc#1119970).
- bpf, trace: use READ_ONCE for retrieving file ptr (bsc#1119967).
- bpf/verifier: Add spi variable to check_stack_write() (bnc#1012382).
- bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() (bnc#1012382).
- bridge: do not add port to router list when receives query with source 0.0.0.0 (bnc#1012382).
- btrfs: Always try all copies when reading extent buffers (bnc#1012382).
- btrfs: do not attempt to trim devices that do not support it (bnc#1012382).
- btrfs: ensure path name is null terminated at btrfs_control_ioctl (bnc#1012382).
- btrfs: fix backport error in submit_stripe_bio (bsc#1114763).
- btrfs: fix data corruption due to cloning of eof block (bnc#1012382).
- btrfs: Fix memory barriers usage with device stats counters (git-fixes).
- btrfs: fix null pointer dereference on compressed write path error (bnc#1012382).
- btrfs: fix pinned underflow after transaction aborted (bnc#1012382).
- btrfs: fix use-after-free when dumping free space (bnc#1012382).
- btrfs: fix wrong dentries after fsync of file that got its parent replaced (bnc#1012382).
- btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol (git-fixes).
- btrfs: Handle owner mismatch gracefully when walking up tree (bnc#1012382).
- btrfs: iterate all devices during trim, instead of fs_devices::alloc_list (bnc#1012382).
- btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock (bnc#1012382).
- btrfs: make sure we create all new block groups (bnc#1012382).
- btrfs: qgroup: Dirty all qgroups before rescan (bnc#1012382).
- btrfs: release metadata before running delayed refs (bnc#1012382).
- btrfs: reset max_extent_size on clear in a bitmap (bnc#1012382).
- btrfs: send, fix infinite loop due to directory rename dependencies (bnc#1012382).
- btrfs: set max_extent_size properly (bnc#1012382).
- btrfs: tree-checker: Check level for leaves and nodes (bnc#1012382).
- btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bnc#1012382 bsc#1102875 bsc#1102877 bsc#1102879 bsc#1102882 bsc#1102896).
- btrfs: tree-checker: Fix misleading group system information (bnc#1012382).
- btrfs: tree-check: reduce stack consumption in check_dir_item (bnc#1012382).
- btrfs: validate type when reading a chunk (bnc#1012382).
- btrfs: wait on caching when putting the bg cache (bnc#1012382).
- btrfs: wait on ordered extents on abort cleanup (bnc#1012382).
- cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) (bnc#1012382).
- can: bcm: check timer values before ktime conversion (bnc#1012382).
- can: dev: __can_get_echo_skb(): Do not crash the kernel if can_priv::echo_skb is accessed out of bounds (bnc#1012382).
- can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() (bnc#1012382).
- can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it (bnc#1012382).
- can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb (bnc#1012382).
- can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length (bnc#1012382).
- can: gw: ensure DLC boundaries after CAN frame modification (bnc#1012382).
- can: rcar_can: Fix erroneous registration (bnc#1012382).
- cdc-acm: correct counting of UART states in serial state notification (bnc#1012382).
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader (bnc#1012382).
- ceph: call setattr_prepare from ceph_setattr instead of inode_change_ok (bsc#1114763).
- ceph: clear inode pointer when snap realm gets dropped by its inode (bsc#1125809).
- ceph: do not update importing cap's mseq when handing cap export (bsc#1121275).
- ceph: fix dentry leak in ceph_readdir_prepopulate (bsc#1114839).
- ceph: quota: fix null pointer dereference in quota check (bsc#1114839).
- cfg80211: reg: Init wiphy_idx in regulatory_hint_core() (bnc#1012382).
- char/mwave: fix potential Spectre v1 vulnerability (bnc#1012382).
- checkstack.pl: fix for aarch64 (bnc#1012382).
- cifs: Always resolve hostname before reconnecting (bnc#1012382).
- cifs: check ntwrk_buf_start for NULL before dereferencing it (bnc#1012382).
- cifs: Do not count -ENODATA as failure for query directory (bnc#1012382).
- cifs: Do not hide EINTR after sending network packets (bnc#1012382).
- cifs: Fix error mapping for SMB2_LOCK command which caused OFD lock problem (bnc#1012382).
- cifs: Fix possible hang during async MTU reads and writes (bnc#1012382).
- cifs: Fix potential OOB access of lock element array (bnc#1012382).
- cifs: Fix separator when building path from dentry (bnc#1012382).
- cifs: handle guest access errors to Windows shares (bnc#1012382).
- cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs) (bnc#1012382).
- cifs: Limit memory used by lock request calls to a page (bnc#1012382).
- clk: imx6q: reset exclusive gates on init (bnc#1012382).
- clk: imx6sl: ensure MMDC CH0 handshake is bypassed (bnc#1012382).
- clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).
- clk: s2mps11: Add used attribute to s2mps11_dt_match (git-fixes).
- clk: s2mps11: Fix matching when built as module and DT node contains compatible (bnc#1012382).
- clk: samsung: exynos5420: Enable PERIS clocks for suspend (bnc#1012382).
- clockevents/drivers/i8253: Add support for PIT shutdown quirk (bnc#1012382).
- configfs: replace strncpy with memcpy (bnc#1012382).
- cpufeature: avoid warning when compiling with clang (Git-fixes).
- cpufreq: imx6q: add return value check for voltage scale (bnc#1012382).
- cpufreq: intel_pstate: Fix HWP on boot CPU after system resume (bsc#1120017).
- cpuidle: big.LITTLE: fix refcount leak (bnc#1012382).
- cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE (bnc#1012382).
- cramfs: fix abad comparison when wrap-arounds occur (bnc#1012382).
- crypto: arm64/sha - avoid non-standard inline asm tricks (bnc#1012382).
- crypto: authencesn - Avoid twice completion call in decrypt path (bnc#1012382).
- crypto: authenc - fix parsing key with misaligned rta_len (bnc#1012382).
- crypto: cts - fix crash on short inputs (bnc#1012382).
- crypto: lrw - Fix out-of bounds access on counter overflow (bnc#1012382).
- crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned (bnc#1012382).
- crypto: user - support incremental algorithm dumps (bsc#1120902).
- crypto: ux500 - Use proper enum in cryp_set_dma_transfer (bnc#1012382).
- crypto: ux500 - Use proper enum in hash_set_dma_transfer (bnc#1012382).
- crypto, x86: aesni - fix token pasting for clang (bnc#1012382).
- crypto: x86/chacha20 - avoid sleeping with preemption disabled (bnc#1012382).
- cw1200: Do not leak memory if krealloc failes (bnc#1012382).
- cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() (bnc#1012382).
- cxgb4: Add support for new flash parts (bsc#1102439).
- cxgb4: assume flash part size to be 4MB, if it can't be determined (bsc#1102439).
- cxgb4: Fix FW flash errors (bsc#1102439).
- cxgb4: fix missing break in switch and indent return statements (bsc#1102439).
- cxgb4: support new ISSI flash parts (bsc#1102439).
- dccp: fool proof ccid_hc_[rt]x_parse_options() (bnc#1012382).
- debugfs: fix debugfs_rename parameter checking (bnc#1012382).
- debugobjects: avoid recursive calls with kmemleak (bnc#1012382).
- disable stringop truncation warnings for now (bnc#1012382).
- dlm: Do not swamp the CPU with callbacks queued during recovery (bnc#1012382).
- dlm: fixed memory leaks after failed ls_remove_names allocation (bnc#1012382).
- dlm: lost put_lkb on error path in receive_convert() and receive_unlock() (bnc#1012382).
- dlm: memory leaks on error path in dlm_user_request() (bnc#1012382).
- dlm: possible memory leak on error path in create_lkb() (bnc#1012382).
- dmaengine: at_hdmac: fix memory leak in at_dma_xlate() (bnc#1012382).
- dmaengine: at_hdmac: fix module unloading (bnc#1012382).
- dmaengine: dma-jz4780: Return error if not probed from DT (bnc#1012382).
- dmaengine: imx-dma: fix wrong callback invoke (bnc#1012382).
- dm cache metadata: ignore hints array being too small during resize (Git-fixes).
- dm crypt: add cryptographic data integrity protection (authenticated encryption) (Git-fixes).
- dm crypt: factor IV constructor out to separate function (Git-fixes).
- dm crypt: fix crash by adding missing check for auth key size (git-fixes).
- dm crypt: fix error return code in crypt_ctr() (git-fixes).
- dm crypt: fix memory leak in crypt_ctr_cipher_old() (git-fixes).
- dm crypt: introduce new format of cipher with 'capi:' prefix (Git-fixes).
- dm crypt: wipe kernel key copy after IV initialization (Git-fixes).
- dm: do not allow readahead to limit IO size (git fixes (readahead)).
- dm ioctl: harden copy_params()'s copy_from_user() from malicious users (bnc#1012382).
- dm kcopyd: Fix bug causing workqueue stalls (bnc#1012382).
- dm-multipath: do not assign cmd_flags in setup_clone() (bsc#1103156).
- dm raid: stop using BUG() in __rdev_sectors() (bsc#1046264).
- dm snapshot: Fix excessive memory usage and workqueue stalls (bnc#1012382).
- dm thin: fix bug where bio that overwrites thin block ignores FUA (bnc#1012382).
- dm thin: stop no_space_timeout worker when switching to write-mode (Git-fixes).
- Documentation/network: reword kernel version reference (bnc#1012382).
- dpaa_eth: fix dpaa_get_stats64 to match prototype (bsc#1114763).
- drbd: Avoid Clang warning about pointless switch statment (bnc#1012382).
- drbd: disconnect, if the wrong UUIDs are attached on a connected peer (bnc#1012382).
- drbd: narrow rcu_read_lock in drbd_sync_handshake (bnc#1012382).
- drbd: skip spurious timeout (ping-timeo) when failing promote (bnc#1012382).
- driver/dma/ioat: Call del_timer_sync() without holding prep_lock (bnc#1012382).
- drivers: core: Remove glue dirs from sysfs earlier (bnc#1012382).
- drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() (bsc#1104098).
- drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bnc#1012382).
- drivers/misc/sgi-gru: fix Spectre v1 vulnerability (bnc#1012382).
- drivers/sbus/char: add of_node_put() (bnc#1012382).
- drivers/tty: add missing of_node_put() (bnc#1012382).
- drm/ast: change resolution may cause screen blurred (bnc#1012382).
- drm/ast: fixed cursor may disappear sometimes (bnc#1012382).
- drm/ast: fixed reading monitor EDID not stable issue (bnc#1012382).
- drm/ast: Fix incorrect free on ioregs (bsc#1106929)
- drm/ast: Remove existing framebuffers before loading driver (boo#1112963)
- drm/bufs: Fix Spectre v1 vulnerability (bnc#1012382).
- drm/dp_mst: Check if primary mstb is null (bnc#1012382).
- drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock (bsc#1106929)
- drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer (bsc#1113766)
- drm/hisilicon: hibmc: Do not overwrite fb helper surface depth (bsc#1113766)
- drm/i915: Block fbdev HPD processing during suspend (bsc#1106929)
- drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values (bnc#1012382).
- drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set (bsc#1106929)
- drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).
- drm/modes: Prevent division by zero htotal (bnc#1012382).
- drm/msm: Grab a vblank reference when waiting for commit_done (bnc#1012382).
- drm/nouveau/fbcon: fix oops without fbdev emulation (bnc#1012382).
- drm/omap: fix memory barrier bug in DMM driver (bnc#1012382).
- drm: rcar-du: Fix external clock error checks (bsc#1106929)
- drm: rcar-du: Fix vblank initialization (bsc#1106929)
- drm/rockchip: Allow driver to be shutdown on reboot/kexec (bnc#1012382).
- drm/vmwgfx: Fix setting of dma masks (bsc#1106929)
- drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user (bsc#1106929)
- e1000: avoid null pointer dereference on invalid stat type (bnc#1012382).
- e1000e: allow non-monotonic SYSTIM readings (bnc#1012382).
- e1000: fix race condition between e1000_down() and e1000_watchdog (bnc#1012382).
- edac: Raise the maximum number of memory controllers (bsc#1120722).
- efi/libstub/arm64: Force 'hidden' visibility for section markers (bnc#1012382).
- efi/libstub/arm64: Set -fpie when building the EFI stub (bnc#1012382).
- efi/libstub/arm64: Use hidden attribute for struct screen_info reference (bsc#1122650).
- enic: fix checksum validation for IPv6 (bnc#1012382).
- exec: avoid gcc-8 warning for get_task_comm (bnc#1012382).
- exec: load_script: do not blindly truncate shebang string (bnc#1012382).
- exportfs: do not read dentry after free (bnc#1012382).
- ext2: fix potential use after free (bnc#1012382).
- ext4: add missing brelse() add_new_gdb_meta_bg()'s error path (bnc#1012382).
- ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path (bnc#1012382).
- ext4: add missing brelse() update_backups()'s error path (bnc#1012382).
- ext4: avoid buffer leak in ext4_orphan_add() after prior errors (bnc#1012382).
- ext4: avoid possible double brelse() in add_new_gdb() on error path (bnc#1012382).
- ext4: avoid potential extra brelse in setup_new_flex_group_blocks() (bnc#1012382).
- ext4: fix a potential fiemap/page fault deadlock w/ inline_data (bnc#1012382).
- ext4: fix argument checking in EXT4_IOC_MOVE_EXT (bnc#1012382).
- ext4: fix buffer leak in __ext4_read_dirblock() on error path (bnc#1012382).
- ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (bnc#1012382).
- ext4: Fix crash during online resizing (bsc#1122779).
- ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).
- ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing (bnc#1012382).
- ext4: fix possible inode leak in the retry loop of ext4_resize_fs() (bnc#1012382).
- ext4: fix possible leak of sbi->s_group_desc_leak in error path (bnc#1012382).
- ext4: fix possible use after free in ext4_quota_enable (bnc#1012382).
- ext4: force inode writes when nfsd calls commit_metadata() (bnc#1012382).
- ext4: initialize retries variable in ext4_da_write_inline_data_begin() (bnc#1012382).
- ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bnc#1012382).
- ext4: release bs.bh before re-using in ext4_xattr_block_find() (bnc#1012382).
- f2fs: Add sanity_check_inode() function (bnc#1012382).
- f2fs: avoid unneeded loop in build_sit_entries (bnc#1012382).
- f2fs: check blkaddr more accuratly before issue a bio (bnc#1012382).
- f2fs: clean up argument of recover_data (bnc#1012382).
- f2fs: clean up with is_valid_blkaddr() (bnc#1012382).
- f2fs: detect wrong layout (bnc#1012382).
- f2fs: enhance sanity_check_raw_super() to avoid potential overflow (bnc#1012382).
- f2fs: factor out fsync inode entry operations (bnc#1012382).
- f2fs: fix inode cache leak (bnc#1012382).
- f2fs: fix invalid memory access (bnc#1012382).
- f2fs: fix missing up_read (bnc#1012382).
- f2fs: fix to avoid reading out encrypted data in page cache (bnc#1012382).
- f2fs: fix to convert inline directory correctly (bnc#1012382).
- f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area (bnc#1012382).
- f2fs: fix to do sanity check with block address in main area v2 (bnc#1012382).
- f2fs: fix to do sanity check with cp_pack_start_sum (bnc#1012382).
- f2fs: fix to do sanity check with node footer and iblocks (bnc#1012382).
- f2fs: fix to do sanity check with reserved blkaddr of inline inode (bnc#1012382).
- f2fs: fix to do sanity check with secs_per_zone (bnc#1012382).
- f2fs: fix to do sanity check with user_block_count (bnc#1012382).
- f2fs: fix validation of the block count in sanity_check_raw_super (bnc#1012382).
- f2fs: fix wrong return value of f2fs_acl_create (bnc#1012382).
- f2fs: free meta pages if sanity check for ckpt is failed (bnc#1012382).
- f2fs: give -EINVAL for norecovery and rw mount (bnc#1012382).
- f2fs: introduce and spread verify_blkaddr (bnc#1012382).
- f2fs: introduce get_checkpoint_version for cleanup (bnc#1012382).
- f2fs: move dir data flush to write checkpoint process (bnc#1012382).
- f2fs: move sanity checking of cp into get_valid_checkpoint (bnc#1012382).
- f2fs: not allow to write illegal blkaddr (bnc#1012382).
- f2fs: put directory inodes before checkpoint in roll-forward recovery (bnc#1012382).
- f2fs: read page index before freeing (bnc#1012382).
- f2fs: remove an obsolete variable (bnc#1012382).
- f2fs: return error during fill_super (bnc#1012382).
- f2fs: sanity check on sit entry (bnc#1012382).
- f2fs: use crc and cp version to determine roll-forward recovery (bnc#1012382).
- fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1106929)
- fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1106929)
- fcoe: remove duplicate debugging message in fcoe_ctlr_vn_add (bsc#1114763).
- Fix kabi for 'Ensure we commit after writeback is complete' (bsc#1111809).
- Fix problem with sharetransport= and NFSv4 (bsc#1114893).
- floppy: fix race condition in __floppy_read_block_0() (Git-fixes).
- flow_dissector: do not dissect l4 ports for fragments (bnc#1012382).
- fork: record start_time late (bnc#1012382).
- fs: add the fsnotify call to vfs_iter_write (bnc#1012382).
- fscache, cachefiles: remove redundant variable 'cache' (bnc#1012382).
- fscache: fix race between enablement and dropping of object (bsc#1107385).
- fscache: Fix race in fscache_op_complete() due to split atomic_sub & read (Git-fixes).
- fscache: Pass the correct cancelled indications to fscache_op_complete() (Git-fixes).
- fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() (bnc#1012382).
- fs: do not scan the inode cache before SB_BORN is set (bnc#1012382).
- fs, elf: make sure to page align bss in load_elf_library (bnc#1012382).
- fs/epoll: drop ovflist branch prediction (bnc#1012382).
- fs/exofs: fix potential memory leak in mount option parsing (bnc#1012382).
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() (bnc#1012382).
- fs: fix lost error code in dio_complete (bsc#1117744).
- fuse: call pipe_buf_release() under pipe lock (bnc#1012382).
- fuse: decrement NR_WRITEBACK_TEMP on the right page (bnc#1012382).
- fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio (bnc#1012382).
- fuse: fix blocked_waitq wakeup (bnc#1012382).
- fuse: fix leaked notify reply (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_read() (bnc#1012382).
- fuse: Fix use-after-free in fuse_dev_do_write() (bnc#1012382).
- fuse: handle zero sized retrieve correctly (bnc#1012382).
- fuse: set FR_SENT while locked (bnc#1012382).
- futex: Fix (possible) missed wakeup (bsc#1050549).
- gdrom: fix a memory leak bug (bnc#1012382).
- genirq: Fix race on spurious interrupt detection (bnc#1012382).
- genwqe: Fix size check (bnc#1012382).
- gfs2: Do not leave s_fs_info pointing to freed memory in init_sbd (bnc#1012382).
- gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).
- gfs2_meta: ->mount() can get NULL dev_name (bnc#1012382).
- gfs2: Put bitmap buffers in put_super (bnc#1012382).
- gfs2: Revert 'Fix loop in gfs2_rbm_find' (bnc#1012382).
- git_sort.py: Remove non-existent remote tj/libata
- gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB (Git-fixes).
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bnc#1012382).
- gpio: msic: fix error return code in platform_msic_gpio_probe() (bnc#1012382).
- gpio: pl061: handle failed allocations (bnc#1012382).
- gpu: host1x: fix error return code in host1x_probe() (bnc#1012382).
- gpu: ipu-v3: Fix CSI offsets for imx53 (bsc#1106929)
- gpu: ipu-v3: Fix i.MX51 CSI control registers offset (bsc#1106929)
- gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382).
- hfs: do not free node before using (bnc#1012382).
- hfsplus: do not free node before using (bnc#1012382).
- hfsplus: prevent btree data loss on root split (bnc#1012382).
- hfs: prevent btree data loss on root split (bnc#1012382).
- hid: debug: fix the ring buffer implementation (bnc#1012382).
- hid: hiddev: fix potential Spectre v1 (bnc#1012382).
- hid: lenovo: Add checks to fix of_led_classdev_register (bnc#1012382).
- hid: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges (bnc#1012382).
- hpwdt add dynamic debugging (bsc#1114417).
- hpwdt calculate reload value on each use (bsc#1114417).
- hugetlbfs: dirty pages as they are added to pagecache (bnc#1012382).
- hugetlbfs: fix bug in pgoff overflow checking (bnc#1012382).
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! (bnc#1012382).
- hwmon: (ibmpowernv) Remove bogus __init annotations (bnc#1012382).
- hwmon: (ina2xx) Fix current value calculation (bnc#1012382).
- hwmon: (lm80) fix a missing check of bus read in lm80 probe (bnc#1012382).
- hwmon: (lm80) fix a missing check of the status of SMBus read (bnc#1012382).
- hwmon: (lm80) Fix missing unlock on error in set_fan_div() (git-fixes).
- hwmon: (pmbus) Fix page count auto-detection (bnc#1012382).
- hwmon: (w83795) temp4_type has writable permission (bnc#1012382).
- hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- i2c-axxia: check for error conditions first (bnc#1012382).
- i2c: axxia: properly handle master timeout (bnc#1012382).
- i2c: dev: prevent adapter retries and timeout being set as minus value (bnc#1012382).
- i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node (bnc#1012382).
- IB/core: type promotion bug in rdma_rw_init_one_mr() ().
- IB/hfi1: Fix an out-of-bounds access in get_hw_stats ().
- ibmveth: Do not process frames after calling napi_reschedule (bcs#1123357).
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path (bnc#1012382).
- ibmvnic: Add ethtool private flag for driver-defined queue limits (bsc#1121726).
- ibmvnic: Convert reset work item mutex to spin lock ().
- ibmvnic: fix accelerated VLAN handling ().
- ibmvnic: fix index in release_rx_pools (bsc#1115440).
- ibmvnic: Fix non-atomic memory allocation in IRQ context ().
- ibmvnic: Increase maximum queue size limit (bsc#1121726).
- ibmvnic: Introduce driver limits for ring sizes (bsc#1121726).
- ibmvnic: remove ndo_poll_controller ().
- ibmvnic: Update driver queues after change in ring size support ().
- ib/rxe: Fix incorrect cache cleanup in error flow ().
- ib/rxe: replace kvfree with vfree ().
- ib/ucm: Fix Spectre v1 vulnerability (bnc#1012382).
- ide: pmac: add of_node_put() (bnc#1012382).
- ieee802154: lowpan_header_create check must check daddr (bnc#1012382).
- igb: Fix an issue that PME is not enabled during runtime suspend (bnc#1012382).
- igb: Remove superfluous reset to PHY and page 0 selection (bnc#1012382).
- iio: adc: at91: fix acking DRDY irq on simple conversions (bnc#1012382).
- iio: adc: at91: fix wrong channel number in triggered buffer mode (bnc#1012382).
- ima: fix showing large 'violations' or 'runtime_measurements_count' (bnc#1012382).
- inet: frags: add a pointer to struct netns_frags (bnc#1012382).
- inet: frags: better deal with smp races (bnc#1012382).
- inet: frags: break the 2GB limit for frags storage (bnc#1012382).
- inet: frags: change inet_frags_init_net() return value (bnc#1012382).
- inet: frags: do not clone skb in ip_expire() (bnc#1012382).
- inet: frags: fix ip6frag_low_thresh boundary (bnc#1012382).
- inet: frags: get rid of ipfrag_skb_cb/FRAG_CB (bnc#1012382).
- inet: frags: get rif of inet_frag_evicting() (bnc#1012382).
- inet: frags: refactor ipfrag_init() (bnc#1012382).
- inet: frags: refactor ipv6_frag_init() (bnc#1012382).
- inet: frags: refactor lowpan_net_frag_init() (bnc#1012382).
- inet: frags: remove inet_frag_maybe_warn_overflow() (bnc#1012382).
- inet: frags: remove some helpers (bnc#1012382).
- inet: frags: reorganize struct netns_frags (bnc#1012382).
- inet: frags: use rhashtables for reassembly units (bnc#1012382).
- Input: bma150 - register input device after setting private data (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR (bnc#1012382).
- Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK (bnc#1012382).
- Input: elan_i2c - add ELAN0620 to the ACPI table (bnc#1012382).
- Input: elan_i2c - add support for ELAN0621 touchpad (bnc#1012382).
- Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 (bnc#1012382).
- Input: matrix_keypad - check for errors from of_get_named_gpio() (bnc#1012382).
- Input: omap-keypad - fix idle configuration to not block SoC idle states (bnc#1012382).
- Input: omap-keypad - fix keyboard debounce configuration (bnc#1012382).
- Input: restore EV_ABS ABS_RESERVED (bnc#1012382).
- Input: xpad - add GPD Win 2 Controller USB IDs (bnc#1012382).
- Input: xpad - add Mad Catz FightStick TE 2 VID/PID (bnc#1012382).
- Input: xpad - add more third-party controllers (bnc#1012382).
- Input: xpad - add PDP device id 0x02a4 (bnc#1012382).
- Input: xpad - add product ID for Xbox One S pad (bnc#1012382).
- Input: xpad - add support for PDP Xbox One controllers (bnc#1012382).
- Input: xpad - add support for SteelSeries Stratus Duo (bnc#1012382).
- Input: xpad - add support for Xbox1 PDP Camo series gamepad (bnc#1012382).
- Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth (bnc#1012382).
- Input: xpad - avoid using __set_bit() for capabilities (bnc#1012382).
- Input: xpad - constify usb_device_id (bnc#1012382).
- Input: xpad - correctly sort vendor id's (bnc#1012382).
- Input: xpad - correct xbox one pad device name (bnc#1012382).
- Input: xpad - do not depend on endpoint order (bnc#1012382).
- Input: xpad - fix GPD Win 2 controller name (bnc#1012382).
- Input: xpad - fix PowerA init quirk for some gamepad models (bnc#1012382).
- Input: xpad - fix rumble on Xbox One controllers with 2015 firmware (bnc#1012382).
- Input: xpad - fix some coding style issues (bnc#1012382).
- Input: xpad - fix stuck mode button on Xbox One S pad (bnc#1012382).
- Input: xpad - fix Xbox One rumble stopping after 2.5 secs (bnc#1012382).
- Input: xpad - handle 'present' and 'gone' correctly (bnc#1012382).
- Input: xpad - move reporting xbox one home button to common function (bnc#1012382).
- Input: xpad - power off wireless 360 controllers on suspend (bnc#1012382).
- Input: xpad - prevent spurious input from wired Xbox 360 controllers (bnc#1012382).
- Input: xpad - quirk all PDP Xbox One gamepads (bnc#1012382).
- Input: xpad - remove spurious events of wireless xpad 360 controller (bnc#1012382).
- Input: xpad - remove unused function (bnc#1012382).
- Input: xpad - restore LED state after device resume (bnc#1012382).
- Input: xpad - simplify error condition in init_output (bnc#1012382).
- Input: xpad - sort supported devices by USB ID (bnc#1012382).
- Input: xpad - support some quirky Xbox One pads (bnc#1012382).
- Input: xpad - sync supported devices with 360Controller (bnc#1012382).
- Input: xpad - sync supported devices with XBCD (bnc#1012382).
- Input: xpad - sync supported devices with xboxdrv (bnc#1012382).
- Input: xpad - update Xbox One Force Feedback Support (bnc#1012382).
- Input: xpad - use LED API when identifying wireless controllers (bnc#1012382).
- Input: xpad - validate USB endpoint type during probe (bnc#1012382).
- Input: xpad - workaround dead irq_out after suspend/ resume (bnc#1012382).
- Input: xpad - xbox one elite controller support (bnc#1012382).
- intel_pstate: Update frequencies of policy->cpus only from ->set_policy() (bsc#1120017).
- intel_th: msu: Fix an off-by-one in attribute store (bnc#1012382).
- iommu/amd: Call free_iova_fast with pfn in map_sg (bsc#1106105).
- iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105).
- iommu/amd: Fix IOMMU page flush when detach device from a domain (bsc#1106105).
- iommu/amd: Unmap all mapped pages in error path of map_sg (bsc#1106105).
- iommu/arm-smmu: Ensure that page-table updates are visible before TLBI (bsc#1106237).
- iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer (bnc#1012382).
- iommu/ipmmu-vmsa: Fix crash on early domain free (bsc#1106105).
- iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions() (bsc#1106105).
- iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() (bsc#1106105).
- iommu/vt-d: Handle domain agaw being less than iommu agaw (bsc#1106105).
- iommu/vt-d: Use memunmap to free memremap (bsc#1106105).
- ip6mr: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ip: add helpers to process in-order fragments faster (bnc#1012382).
- ipfrag: really prevent allocation on netns exit (bnc#1012382).
- ip: frags: fix crash in ip_do_fragment() (bnc#1012382).
- ipmi: Fix timer race with module unload (bnc#1012382).
- ipmi:ssif: Fix handling of multi-part return messages (bnc#1012382).
- ip: on queued skb use skb_header_pointer instead of pskb_may_pull (bnc#1012382).
- ip: process in-order fragments efficiently (bnc#1012382).
- ip_tunnel: do not force DF when MTU is locked (bnc#1012382).
- ip_tunnel: Fix name string concatenate in __ip_tunnel_create() (bnc#1012382).
- ip: use rb trees for IP frag queue (bnc#1012382).
- ipv4: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ipv4: frags: precedence bug in ip_expire() (bnc#1012382).
- ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes (bsc#1110286).
- ipv6: Check available headroom in ip6_xmit() even without options (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to an address (bnc#1012382).
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address (bnc#1012382).
- ipv6: explicitly initialize udp6_addr in udp_sock_create6() (bnc#1012382).
- ipv6: fix kernel-infoleak in ipv6_local_error() (bnc#1012382).
- ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF (bnc#1012382).
- ipv6: frags: rewrite ip6_expire_frag_queue() (bnc#1012382).
- ipv6: mcast: fix a use-after-free in inet6_mc_check (bnc#1012382).
- ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called (bnc#1012382).
- ipv6: orphan skbs in reassembly unit (bnc#1012382).
- ipv6: set rt6i_protocol properly in the route when it is installed (bsc#1114190).
- ipv6: suppress sparse warnings in IP6_ECN_set_ce() (bnc#1012382).
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses (bnc#1012382).
- irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size (bnc#1012382).
- isdn: fix kernel-infoleak in capi_unlocked_ioctl (bnc#1012382).
- isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() (bnc#1012382).
- iser: set sector for ambiguous mr status errors (bnc#1012382).
- iwlwifi: mvm: fix regulatory domain update when the firmware starts (bnc#1012382).
- iwlwifi: mvm: support sta_statistics() even on older firmware (bnc#1012382).
- ixgbe: Add function for checking to see if we can reuse page (bsc#1100105).
- ixgbe: Add support for build_skb (bsc#1100105).
- ixgbe: Add support for padding packet (bsc#1100105).
- ixgbe: Break out Rx buffer page management (bsc#1100105).
- ixgbe: Fix output from ixgbe_dump (bsc#1100105).
- ixgbe: fix possible race in reset subtask (bsc#1101557).
- ixgbe: Make use of order 1 pages and 3K buffers independent of FCoE (bsc#1100105).
- ixgbe: Only DMA sync frame length (bsc#1100105).
- ixgbe: recognize 1000BaseLX SFP modules as 1Gbps (bnc#1012382).
- ixgbe: Refactor queue disable logic to take completion time into account (bsc#1101557).
- ixgbe: Reorder Tx/Rx shutdown to reduce time needed to stop device (bsc#1101557).
- ixgbe: Update code to better handle incrementing page count (bsc#1100105).
- ixgbe: Update driver to make use of DMA attributes in Rx path (bsc#1100105).
- ixgbe: Use length to determine if descriptor is done (bsc#1100105).
- jbd2: fix use after free in jbd2_log_do_checkpoint() (bnc#1012382).
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage (bnc#1012382).
- jffs2: free jffs2_sb_info through jffs2_kill_sb() (bnc#1012382).
- kabi: hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336).
- kabi: protect get_vaddr_frames (kabi).
- kabi: protect linux/kfifo.h include in hid-debug (kabi).
- kabi: protect struct azx (kabi).
- kabi: protect struct cfs_bandwidth (kabi).
- kabi: protect struct esp (kabi).
- kabi: protect struct fuse_io_priv (kabi).
- kabi: protect struct hda_bus (kabi).
- kabi: protect __usb_get_extra_descriptor (kabi).
- kabi: protect xen/xen-ops.h include in xlate_mmu.c (kabi).
- kabi: reorder new slabinfo fields in struct kmem_cache_node (bnc#1116653).
- kabi: revert sig change on pnfs_read_resend_pnfs (git-fixes).
- kaweth: use skb_cow_head() to deal with cloned skbs (bnc#1012382).
- kbuild: Add better clang cross build support (bnc#1012382).
- kbuild: Add __cc-option macro (bnc#1012382).
- kbuild: Add support to generate LLVM assembly files (bnc#1012382).
- kbuild: allow to use GCC toolchain not in Clang search path (bnc#1012382).
- kbuild: clang: add -no-integrated-as to KBUILD_[AC]FLAGS (bnc#1012382).
- kbuild: clang: Disable 'address-of-packed-member' warning (bnc#1012382).
- kbuild: clang: disable unused variable warnings only when constant (bnc#1012382).
- kbuild: clang: fix build failures with sparse check (bnc#1012382).
- kbuild: clang: remove crufty HOSTCFLAGS (bnc#1012382).
- kbuild: Consolidate header generation from ASM offset information (bnc#1012382).
- kbuild: consolidate redundant sed script ASM offset generation (bnc#1012382).
- kbuild: drop -Wno-unknown-warning-option from clang options (bnc#1012382).
- kbuild: fix asm-offset generation to work with clang (bnc#1012382).
- kbuild: fix kernel/bounds.c 'W=1' warning (bnc#1012382).
- kbuild: fix linker feature test macros when cross compiling with Clang (bnc#1012382).
- kbuild, LLVMLinux: Add -Werror to cc-option to support clang (bnc#1012382).
- kbuild: move cc-option and cc-disable-warning after incl. arch Makefile (bnc#1012382).
- kbuild: Set KBUILD_CFLAGS before incl. arch Makefile (bnc#1012382).
- kbuild: set no-integrated-as before incl. arch Makefile (bnc#1012382).
- kbuild: suppress packed-not-aligned warning for default setting only (bnc#1012382).
- kbuild: use -Oz instead of -Os when using clang (bnc#1012382).
- kconfig: fix file name and line number of warn_ignored_character() (bnc#1012382).
- kconfig: fix memory leak when EOF is encountered in quotation (bnc#1012382).
- kdb: use memmove instead of overlapping memcpy (bnc#1012382).
- kdb: Use strscpy with destination buffer size (bnc#1012382).
- kernel/exit.c: release ptraced tasks before zap_pid_ns_processes (bnc#1012382).
- kernel/hung_task.c: break RCU locks based on jiffies (bnc#1012382).
- kernel-source.spec: Align source numbering.
- kernfs: Replace strncpy with memcpy (bnc#1012382).
- keys: put keyring if install_session_keyring_to_cred() fails (bnc#1012382).
- kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() (bnc#1012382).
- kgdboc: Fix restrict error (bnc#1012382).
- kgdboc: Fix warning with module build (bnc#1012382).
- kgdboc: Passing ekgdboc to command line causes panic (bnc#1012382).
- kobject: Replace strncpy with memcpy (bnc#1012382).
- kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() (bnc#1012382).
- kvm/arm64: Fix caching of host MDCR_EL2 value (bsc#1121242).
- kvm/arm: Restore banked registers and physical timer access on hyp_panic() (bsc#1121240).
- kvm/mmu: Fix race in emulated page table writes (bnc#1012382).
- kvm/nvmx: Always reflect #NM VM-exits to L1 (bsc#1106240).
- kvm/nvmx: Eliminate vmcs02 pool (bnc#1012382).
- kvm/nvmx: mark vmcs12 pages dirty on L2 exit (bnc#1012382).
- kvm/ppc: Move and undef TRACE_INCLUDE_PATH/FILE (bnc#1012382).
- kvm/svm: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032).
- kvm/svm: Ensure an IBPB on all affected CPUs when freeing a vmcb (bsc#1114648).
- kvm/vmx: Allow direct access to MSR_IA32_SPEC_CTRL (bnc#1012382 bsc#1068032 bsc#1096242 bsc#1096281).
- kvm/vmx: Emulate MSR_IA32_ARCH_CAPABILITIES (bnc#1012382).
- kvm/vmx: Fix x2apic check in vmx_msr_bitmap_mode() (bsc#1124166).
- kvm/vmx: introduce alloc_loaded_vmcs (bnc#1012382).
- kvm/vmx: make MSR bitmaps per-VCPU (bnc#1012382).
- kvm/vmx: Missing part of upstream commit 904e14fb7cb9 (bsc#1124166).
- kvm/x86: Add IBPB support (bnc#1012382 bsc#1068032 bsc#1068032).
- kvm/x86: fix empty-body warnings (bnc#1012382).
- kvm/x86: Fix single-step debugging (bnc#1012382).
- kvm/x86: Remove indirect MSR op calls from SPEC_CTRL (bnc#1012382).
- kvm/x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported (bnc#1012382).
- kvm/x86: Use jmp to invoke kvm_spurious_fault() from .fixup (bnc#1012382).
- l2tp: copy 4 more bytes to linear part if necessary (bnc#1012382).
- l2tp: fix reading optional fields of L2TPv3 (bnc#1012382).
- l2tp: remove l2specific_len dependency in l2tp_core (bnc#1012382).
- lan78xx: Check for supported Wake-on-LAN modes (bnc#1012382).
- leds: call led_pwm_set() in leds-pwm to enforce default LED_OFF (bnc#1012382).
- leds: leds-gpio: Fix return value check in create_gpio_led() (bnc#1012382).
- leds: turn off the LED and wait for completion on unregistering LED class device (bnc#1012382).
- libata: whitelist all SAMSUNG MZ7KM* solid-state disks (bnc#1012382).
- libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() (bsc#1125810).
- libceph: bump CEPH_MSG_MAX_DATA_LEN (bsc#1114839).
- libceph: fall back to sendmsg for slab pages (bsc#1118316).
- libfc: sync strings with upstream versions (bsc#1114763).
- lib/interval_tree_test.c: allow full tree search (bnc#1012382).
- lib/interval_tree_test.c: allow users to limit scope of endpoint (bnc#1012382).
- lib/interval_tree_test.c: make test options module parameters (bnc#1012382).
- libnvdimm, {btt, blk}: do integrity setup before add_disk() (bsc#1118926).
- libnvdimm, dimm: fix dpa reservation vs uninitialized label area (bsc#1118936).
- libnvdimm: fix ars_status output length calculation (bsc#1124777).
- libnvdimm: fix integer overflow static analysis warning (bsc#1118922).
- libnvdimm: fix nvdimm_bus_lock() vs device_lock() ordering (bsc#1118915).
- libnvdimm: Hold reference on parent while scheduling async init (bnc#1012382).
- libnvdimm, pfn: Pad pfn namespaces relative to other regions (bsc#1124811).
- libnvdimm: Use max contiguous area for namespace size (bsc#1124780).
- lib/raid6: Fix arm64 test build (bnc#1012382).
- lib/rbtree_test.c: make input module parameters (bnc#1012382).
- lib/rbtree-test: lower default params (bnc#1012382).
- llc: do not use sk_eat_skb() (bnc#1012382).
- lockd: fix access beyond unterminated strings in prints (bnc#1012382).
- locking/lockdep: Fix debug_locks off performance problem (bnc#1012382).
- locking/rwsem: Fix (possible) missed wakeup (bsc#1050549).
- loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() (bnc#1012382).
- loop: Fold __loop_release into loop_release (bnc#1012382).
- loop: Get rid of loop_index_mutex (bnc#1012382).
- lsm: Check for NULL cred-security on free (bnc#1012382).
- mac80211: Always report TX status (bnc#1012382).
- mac80211: Clear beacon_int in ieee80211_do_stop (bnc#1012382).
- mac80211: ensure that mgmt tx skbs have tailroom for encryption (bnc#1012382).
- mac80211: fix radiotap vendor presence bitmap handling (bnc#1012382).
- mac80211: fix reordering of buffered broadcast packets (bnc#1012382).
- mac80211_hwsim: do not omit multicast announce of first added radio (bnc#1012382).
- mac80211_hwsim: fix module init error paths for netlink (bnc#1012382).
- mac80211_hwsim: Timer should be initialized before device registered (bnc#1012382).
- mac80211: ignore NullFunc frames in the duplicate detection (bnc#1012382).
- mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext (bnc#1012382).
- mach64: fix display corruption on big endian machines (bnc#1012382).
- mach64: fix image corruption due to reading accelerator registers (bnc#1012382).
- matroxfb: fix size of memcpy (bnc#1012382).
- md: batch flush requests (bsc#1119680).
- md: do not check MD_SB_CHANGE_CLEAN in md_allow_write (Git-fixes).
- md: fix invalid stored role for a disk (bnc#1012382).
- md: fix invalid stored role for a disk - try2 (bnc#1012382).
- md: reorder flag_bits to match upstream commits
- media: DaVinci-VPBE: fix error handling in vpbe_initialize() (bnc#1012382).
- media: dvb-frontends: fix i2c access helpers for KASAN (bnc#1012382).
- media: em28xx: fix input name for Terratec AV 350 (bnc#1012382).
- media: em28xx: Fix misplaced reset of dev->v4l::field_count (bnc#1012382).
- media: em28xx: Fix use-after-free when disconnecting (bnc#1012382).
- media: em28xx: make v4l2-compliance happier by starting sequence on zero (bnc#1012382).
- media: em28xx: use a default format if TRY_FMT fails (bnc#1012382).
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info (bnc#1012382).
- media: pci: cx23885: handle adding to list failure (bnc#1012382).
- media: tvp5150: fix width alignment during set_selection() (bnc#1012382).
- media: v4l: event: Add subscription to list before calling 'add' operation (bnc#1012382).
- media: vb2: be sure to unlock mutex on errors (bnc#1012382).
- media: vb2: vb2_mmap: move lock up (bnc#1012382).
- media: vivid: fix error handling of kthread_run (bnc#1012382).
- media: vivid: free bitmap_cap when updating std/timings/etc (bnc#1012382).
- media: vivid: set min width/height to a value > 0 (bnc#1012382).
- memstick: Prevent memstick host from getting runtime suspended during card detection (bnc#1012382).
- mfd: tps6586x: Handle interrupts on suspend (bnc#1012382).
- mips: bpf: fix encoding bug for mm_srlv32_op (bnc#1012382).
- mips: cm: reprime error cause (bnc#1012382).
- mips: fix n32 compat_ipc_parse_version (bnc#1012382).
- mips: OCTEON: do not set octeon_dma_bar_type if PCI is disabled (bnc#1012382).
- mips: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur (bnc#1012382).
- mips: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds (bnc#1012382).
- misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data (bnc#1012382).
- misc: mic/scif: fix copy-paste error in scif_create_remote_lookup (bnc#1012382).
- misc: vexpress: Off by one in vexpress_syscfg_exec() (bnc#1012382).
- mmc: atmel-mci: do not assume idle after atmci_request_end (bnc#1012382).
- mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).
- mmc: core: Reset HPI enabled state during re-init and in case of errors (bnc#1012382).
- mm: cleancache: fix corruption on missed inode invalidation (bnc#1012382).
- mmc: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 (bnc#1012382).
- mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).
- mmc: sdhci-iproc: handle mmc_of_parse() errors during probe (bnc#1012382).
- mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 (bnc#1012382).
- mm, devm_memremap_pages: kill mapping 'System RAM' support (bnc#1012382).
- mm: do not bug_on on incorrect length in __mm_populate() (bnc#1012382).
- mm: do not miss the last page because of round-off error (bnc#1118798).
- mm, elf: handle vm_brk error (bnc#1012382).
- mm, hugetlb: fix huge_pte_alloc BUG_ON (bsc#1119204).
- mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page (bnc#1116336).
- mm: lower the printk loglevel for __dump_page messages (generic hotplug debugability).
- mm, memory_hotplug: be more verbose for memory offline failures (generic hotplug debugability).
- mm, memory_hotplug: drop pointless block alignment checks from __offline_pages (generic hotplug debugability).
- mm, memory_hotplug: print reason for the offlining failure (generic hotplug debugability).
- mm: migrate: do not rely on __PageMovable() of newpage after unlocking it (bnc#1012382).
- mm: migration: fix migration of huge PMD shared pages (bnc#1012382).
- mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) (bnc#1012382).
- mm/nommu.c: Switch __get_user_pages_unlocked() to use __get_user_pages() (bnc#1012382).
- mm: only report isolation failures when offlining memory (generic hotplug debugability).
- mm, oom: fix use-after-free in oom_kill_process (bnc#1012382).
- mm, page_alloc: drop should_suppress_show_mem (bnc#1125892, bnc#1106061).
- mm/page-writeback.c: do not break integrity writeback on ->writepage() error (bnc#1012382).
- mm: Preserve _PAGE_DEVMAP across mprotect() calls (bsc#1118790).
- mm: print more information about mapping in __dump_page (generic hotplug debugability).
- mm, proc: be more verbose about unstable VMA flags in /proc/&lt;pid>/smaps (bnc#1012382).
- mm: put_and_wait_on_page_locked() while page is migrated (bnc#1109272).
- mm: refuse wrapped vm_brk requests (bnc#1012382).
- mm: remove write/force parameters from __get_user_pages_locked() (bnc#1012382 bsc#1027260).
- mm: remove write/force parameters from __get_user_pages_unlocked() (bnc#1012382 bsc#1027260).
- mm: replace __access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace access_remote_vm() write parameter with gup_flags (bnc#1012382).
- mm: replace get_user_pages_locked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages_unlocked() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_user_pages() write/force parameters with gup_flags (bnc#1012382 bsc#1027260).
- mm: replace get_vaddr_frames() write/force parameters with gup_flags (bnc#1012382).
- mm, slab: faster active and free stats (bsc#1116653, VM Performance).
- mm/slab: improve performance of gathering slabinfo stats (bsc#1116653, VM Performance).
- mm, slab: maintain total slab count instead of active count (bsc#1116653, VM Performance).
- mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings (bnc#1012382).
- modpost: validate symbol names also in find_elf_symbol (bnc#1012382).
- modules: mark __inittest/__exittest as __maybe_unused (bnc#1012382).
- mount: Do not allow copying MNT_UNBINDABLE|MNT_LOCKED mounts (bnc#1012382).
- mount: Prevent MNT_DETACH from disconnecting locked mounts (bnc#1012382).
- mount: Retest MNT_LOCKED in do_umount (bnc#1012382).
- Move patches to sorted range, p1
- Move /proc/sys/vm/procfs-drop-fd-dentries to /proc/sys/fs/procfs-drop-fd-dentries (bsc#1086652) This was incorrectly put in /proc/sys/vm.
- msi: Disable MSI also when pcie-octeon.pcie_disable on (bnc#1012382).
- mtd: docg3: do not set conflicting BCH_CONST_PARAMS option (bnc#1012382).
- mtd: rawnand: gpmi: fix MX28 bus master lockup problem (bnc#1012382).
- mtd: spi-nor: Add support for is25wp series chips (bnc#1012382).
- mv88e6060: disable hardware level MAC learning (bnc#1012382).
- mwifiex: Fix NULL pointer dereference in skb_dequeue() (bnc#1012382).
- mwifiex: fix p2p device does not find in scan problem (bnc#1012382).
- namei: allow restricted O_CREAT of FIFOs and regular files (bnc#1012382).
- neighbour: Avoid writing before skb->head in neigh_hh_output() (bnc#1012382).
- net: 8139cp: fix a BUG triggered by changing mtu with network traffic (bnc#1012382).
- net/af_iucv: drop inbound packets with invalid flags (bnc#1114475, LTC#172679).
- net/af_iucv: fix skb handling on HiperTransport xmit error (bnc#1114475, LTC#172679).
- net: amd: add missing of_node_put() (bnc#1012382).
- net: bcmgenet: fix OF child-node lookup (bnc#1012382).
- net: bridge: fix a bug on using a neighbour cache entry without checking its state (bnc#1012382).
- net: bridge: Fix ethernet header pointer before check skb forwardable (bnc#1012382).
- net: bridge: remove ipv6 zero address check in mcast queries (bnc#1012382).
- net: call sk_dst_reset when set SO_DONTROUTE (bnc#1012382).
- net: cxgb3_main: fix a missing-check bug (bnc#1012382).
- net: dp83640: expire old TX-skb (bnc#1012382).
- net: drop skb on failure in ip_check_defrag() (bnc#1012382).
- net: drop write-only stack variable (bnc#1012382).
- net: dsa: slave: Do not propagate flag changes on down slave interfaces (bnc#1012382).
- net: ena: add functions for handling Low Latency Queues in ena_com (bsc#1117562).
- net: ena: add functions for handling Low Latency Queues in ena_netdev (bsc#1117562).
- net: ena: change rx copybreak default to reduce kernel memory pressure (bsc#1117562).
- net: ena: complete host info to match latest ENA spec (bsc#1117562).
- net: ena: enable Low Latency Queues (bsc#1117562).
- net: ena: explicit casting and initialization, and clearer error handling (bsc#1117562).
- net: ena: fix auto casting to boolean (bsc#1117562).
- net: ena: fix compilation error in xtensa architecture (bsc#1117562).
- net: ena: fix crash during ena_remove() (bsc#1108240).
- net: ena: fix crash during failed resume from hibernation (bsc#1117562).
- net: ena: fix indentations in ena_defs for better readability (bsc#1117562).
- net: ena: Fix Kconfig dependency on X86 (bsc#1117562).
- net: ena: fix NULL dereference due to untimely napi initialization (bsc#1117562).
- net: ena: fix rare bug when failed restart/resume is followed by driver removal (bsc#1117562).
- net: ena: fix warning in rmmod caused by double iounmap (bsc#1117562).
- net: ena: introduce Low Latency Queues data structures according to ENA spec (bsc#1117562).
- net: ena: limit refill Rx threshold to 256 to avoid latency issues (bsc#1117562).
- net: ena: minor performance improvement (bsc#1117562).
- net: ena: remove ndo_poll_controller (bsc#1117562).
- net: ena: remove redundant parameter in ena_com_admin_init() (bsc#1117562).
- net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1108240).
- net: ena: update driver version to 2.0.1 (bsc#1117562).
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status (bsc#1117562).
- net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts (bnc#1012382).
- netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (bnc#1012382).
- netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() (bnc#1012382).
- netfilter: nf_tables: fix oops when inserting an element into a verdict map (bnc#1012382).
- netfilter: xt_IDLETIMER: add sysfs filename checking routine (bnc#1012382).
- net: fix pskb_trim_rcsum_slow() with odd trim offset (bnc#1012382).
- net: Fix usage of pskb_trim_rcsum (bnc#1012382).
- net-gro: reset skb->pkt_type in napi_reuse_skb() (bnc#1012382).
- net: hisilicon: remove unexpected free_netdev (bnc#1012382).
- net: ibm: fix return type of ndo_start_xmit function ().
- net/ibmnvic: Fix deadlock problem in reset ().
- net/ibmvnic: Fix RTNL deadlock during device reset (bnc#1115431).
- net: ieee802154: 6lowpan: fix frag reassembly (bnc#1012382).
- net/ipv4: defensive cipso option parsing (bnc#1012382).
- net: ipv4: do not handle duplicate fragments as overlapping (bnc#1012382 bsc#1116345).
- net: ipv4: do not handle duplicate fragments as overlapping (bsc#1116345).
- net: ipv4: Fix memory leak in network namespace dismantle (bnc#1012382).
- net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs (bnc#1012382).
- net/mlx4_core: Add masking for a few queries on HCA caps (bnc#1012382).
- net/mlx4_core: Correctly set PFC param if global pause is turned off (bsc#1015336 bsc#1015337 bsc#1015340).
- net/mlx4_core: Fix uninitialized variable compilation warning (bnc#1012382).
- net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command (bnc#1012382).
- net/mlx4: Fix UBSAN warning of signed integer overflow (bnc#1012382).
- net: modify skb_rbtree_purge to return the truesize of all purged skbs (bnc#1012382).
- net: phy: do not allow __set_phy_supported to add unsupported modes (bnc#1012382).
- net: Prevent invalid access to skb->prev in __qdisc_drop_all (bnc#1012382).
- net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends (bnc#1012382).
- net: qla3xxx: Remove overflowing shift statement (bnc#1012382).
- netrom: fix locking in nr_find_socket() (bnc#1012382).
- netrom: switch to sock timer API (bnc#1012382).
- net/rose: fix NULL ax25_cb kernel panic (bnc#1012382).
- net: sched: gred: pass the right attribute to gred_change_table_def() (bnc#1012382).
- net_sched: refetch skb protocol for each filter (bnc#1012382).
- net: socket: fix a missing-check bug (bnc#1012382).
- net: speed up skb_rbtree_purge() (bnc#1012382).
- net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules (bnc#1012382).
- net: systemport: Fix WoL with password after deep sleep (bnc#1012382).
- net: thunderx: fix NULL pointer dereference in nic_remove (bnc#1012382).
- new helper: uaccess_kernel() (bnc#1012382).
- nfc: nfcmrvl_uart: fix OF child-node lookup (bnc#1012382).
- nfc: nxp-nci: Include unaligned.h instead of access_ok.h (bnc#1012382).
- nfit: fix unchecked dereference in acpi_nfit_ctl (bsc#1125014).
- nfit: skip region registration for incomplete control regions (bsc#1118930).
- nfsd4: fix crash on writing v4_end_grace before nfsd startup (bnc#1012382).
- nfsd: Fix an Oops in free_session() (bnc#1012382).
- nfs: Ensure we commit after writeback is complete (bsc#1111809).
- nfs: nfs_compare_mount_options always compare auth flavors (bnc#1012382).
- nfsv4.1: Fix the r/wsize checking (bnc#1012382).
- nfsv4: Do not exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING (git-fixes).
- niu: fix missing checks of niu_pci_eeprom_read (bnc#1012382).
- nvme: validate controller state before rescheduling keep alive (bsc#1103257).
- ocfs2: do not clear bh uptodate for block read (bnc#1012382).
- ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry (bnc#1012382).
- ocfs2: fix deadlock caused by ocfs2_defrag_extent() (bnc#1012382).
- ocfs2: fix panic due to unrecovered local alloc (bnc#1012382).
- ocfs2: fix potential use after free (bnc#1012382).
- of: add helper to lookup compatible child node (bnc#1012382).
- omap2fb: Fix stack memory disclosure (bsc#1106929)
- openvswitch: Avoid OOB read when parsing flow nlattrs (bnc#1012382).
- packet: Do not leak dev refcounts on error exit (bnc#1012382).
- packet: validate address length (bnc#1012382).
- packet: validate address length if non-zero (bnc#1012382).
- parisc: Fix address in HPMC IVA (bnc#1012382).
- parisc: Fix map_pages() to not overwrite existing pte entries (bnc#1012382).
- pci: Add Device IDs for Intel GPU 'spurious interrupt' quirk (bnc#1012382).
- pci: altera: Check link status before retrain link (bnc#1012382).
- pci: altera: Fix altera_pcie_link_is_up() (bnc#1012382).
- pci: altera: Move retrain from fixup to altera_pcie_host_init() (bnc#1012382).
- pci: altera: Poll for link training status after retraining the link (bnc#1012382).
- pci: altera: Poll for link up status after retraining the link (bnc#1012382).
- pci: altera: Reorder read/write functions (bnc#1012382).
- pci: altera: Rework config accessors for use without a struct pci_bus (bnc#1012382).
- pci/ASPM: Do not initialize link state when aspm_disabled is set (bsc#1109806).
- pci/ASPM: Fix link_state teardown on device removal (bsc#1109806).
- pci: vmd: Detach resources after stopping root bus (bsc#1106105).
- pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges (bnc#1012382).
- perf/bpf: Convert perf_event_array to use struct file (bsc#1119967).
- perf/core: Do not leak event in the syscall error path (bnc#1012382).
- perf/core: Do not WARN() for impossible ring-buffer sizes (bnc#1012382).
- perf/core: Fix impossible ring-buffer sizes warning (bnc#1012382).
- perf intel-pt: Fix error with config term 'pt=0' (bnc#1012382).
- perf parse-events: Fix unchecked usage of strncpy() (bnc#1012382).
- perf pmu: Suppress potential format-truncation warning (bnc#1012382).
- perf/ring_buffer: Prevent concurent ring buffer access (bnc#1012382).
- perf svghelper: Fix unchecked usage of strncpy() (bnc#1012382).
- perf tests evsel-tp-sched: Fix bitwise operator (bnc#1012382).
- perf tools: Add Hygon Dhyana support (bnc#1012382).
- perf tools: Cleanup trace-event-info 'tdata' leak (bnc#1012382).
- perf tools: Disable parallelism for 'make clean' (bnc#1012382).
- perf tools: Free temporary 'sys' string in read_event_files() (bnc#1012382).
- perf unwind: Take pgoff into account when reporting elf to libdwfl (bnc#1012382).
- perf unwind: Unwind with libdw does not take symfs into account (bnc#1012382).
- perf/x86/intel/uncore: Add Node ID mask (bnc#1012382).
- pinctrl: msm: fix gpio-hog related boot issues (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix drive strength setting (bnc#1012382).
- pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux (bnc#1012382).
- pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant (bnc#1012382).
- pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant (bnc#1012382).
- pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 (bnc#1012382).
- platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307 (bnc#1012382).
- platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes (bnc#1012382).
- platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK (bnc#1012382).
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey (bnc#1012382).
- platform/x86: thinkpad_acpi: Proper model/release matching (bsc#1099810).
- pm / devfreq: tegra: fix error return code in tegra_devfreq_probe() (bnc#1012382).
- pNFS: Fix a deadlock between read resends and layoutreturn (git-fixes).
- pNFS/flexfiles: Fix up the ff_layout_write_pagelist failure path (git-fixes).
- pNFS/flexfiles: When checking for available DSes, conditionally check for MDS io (git-fixes).
- pnfs: set NFS_IOHDR_REDO in pnfs_read_resend_pnfs (git-fixes).
- powerpc/64s: consolidate MCE counter increment (bsc#1094244).
- powerpc/boot: Ensure _zimage_start is a weak symbol (bnc#1012382).
- powerpc/boot: Fix random libfdt related build errors (bnc#1012382).
- powerpc/boot: Request no dynamic linker for boot wrapper (bsc#1070805).
- powerpc/cacheinfo: Report the correct shared_cpu_map on big-cores (bsc#1109695).
- powerpc: Detect the presence of big-cores via 'ibm, thread-groups' (bsc#1109695).
- powerpc: Fix COFF zImage booting on old powermacs (bnc#1012382).
- powerpc: handle RFI (exrfi and fallback area) and STF (exrfi).
- powerpc, hotplug: Avoid to touch non-existent cpumasks (bsc#1109695).
- powerpc: make use of for_each_node_by_type() instead of open-coding it (bsc#1109695).
- powerpc/mm/radix: Use mm->task_size for boundary checking instead of addr_limit (bsc#1027457).
- powerpc/msi: Fix compile error on mpc83xx (bnc#1012382).
- powerpc/msi: Fix NULL pointer access in teardown code (bnc#1012382).
- powerpc/nohash: fix undefined behaviour when testing page size support (bnc#1012382).
- powerpc/numa: Suppress 'VPHN is not supported' messages (bnc#1012382).
- powerpc/powernv: Do not select the cpufreq governors (bsc#1066223).
- powerpc/powernv: Fix opal_event_shutdown() called with interrupts disabled (bsc#1066223).
- powerpc/powernv/pci: Work around races in PCI bridge enabling (bsc#1066223).
- powerpc/pseries: add of_node_put() in dlpar_detach_node() (bnc#1012382).
- powerpc/pseries/cpuidle: Fix preempt warning (bnc#1012382).
- powerpc/pseries: Fix DTL buffer registration (bsc#1066223).
- powerpc/pseries: Fix how we iterate over the DTL entries (bsc#1066223).
- powerpc/pseries/mobility: Extend start/stop topology update scope (bsc#1116950, bsc#1115709).
- powerpc/setup: Add cpu_to_phys_id array (bsc#1109695).
- powerpc/smp: Add cpu_l2_cache_map (bsc#1109695).
- powerpc/smp: Add Power9 scheduler topology (bsc#1109695).
- powerpc/smp: Rework CPU topology construction (bsc#1109695).
- powerpc/smp: Use cpu_to_chip_id() to find core siblings (bsc#1109695).
- powerpc/traps: restore recoverability of machine_check interrupts (bsc#1094244).
- powerpc/uaccess: fix warning/error with access_ok() (bnc#1012382).
- powerpc: Use cpu_smallcore_sibling_mask at SMT level on bigcores (bsc#1109695).
- powerpc/xmon: Fix invocation inside lock region (bsc#1122885).
- power: supply: olpc_battery: correct the temperature units (bnc#1012382).
- printk: Fix panic caused by passing log_buf_len to command line (bnc#1012382).
- proc: Remove empty line in /proc/self/status (bnc#1012382 bsc#1094823).
- Provide a temporary fix for STIBP on-by-default See bsc#1116497 for details.
- pstore: Convert console write to use ->write_buf (bnc#1012382).
- pstore/ram: Do not treat empty buffers as valid (bnc#1012382).
- ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl (bnc#1012382).
- ptp: fix Spectre v1 vulnerability (bnc#1012382).
- pxa168fb: prepare the clock (bnc#1012382).
- qed: Fix bitmap_weight() check (bsc#1019695).
- qed: Fix PTT leak in qed_drain() (bnc#1012382).
- qed: Fix QM getters to always return a valid pq (bsc#1019695 ).
- qed: Fix reading wrong value in loop condition (bnc#1012382).
- r8152: Check for supported Wake-on-LAN Modes (bnc#1012382).
- r8169: Add support for new Realtek Ethernet (bnc#1012382).
- r8169: fix NAPI handling under high load (bnc#1012382).
- rapidio/rionet: do not free skb before reading its length (bnc#1012382).
- rbd: do not return 0 on unmap if RBD_DEV_FLAG_REMOVING is set (bsc#1125808).
- rcu: Force boolean subscript for expedited stall warnings (bnc#1012382).
- RDMA/bnxt_re: Fix a couple off by one bugs (bsc#1020413, ).
- RDMA/bnxt_re: Synchronize destroy_qp with poll_cq (bsc#1125446).
- RDMA/ucma: Fix Spectre v1 vulnerability (bnc#1012382).
- Refresh patches.kabi/x86-cpufeature-preserve-numbers.patch. (bsc#1122651)
- reiserfs: propagate errors from fill_with_dentries() properly (bnc#1012382).
- Revert 'Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV' (bnc#1012382).
- Revert 'ceph: fix dentry leak in splice_dentry()' (bsc#1114839).
- Revert 'cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)' (bnc#1012382).
- Revert 'drm/rockchip: Allow driver to be shutdown on reboot/kexec' (bsc#1106929)
- Revert 'exec: load_script: do not blindly truncate shebang string' (bnc#1012382).
- Revert 'Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G' (bnc#1012382).
- Revert 'iommu/io-pgtable-arm: Check for v7s-incapable systems' (bsc#1106105).
- Revert 'loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()' (bnc#1012382).
- Revert 'loop: Fold __loop_release into loop_release' (bnc#1012382).
- Revert 'loop: Get rid of loop_index_mutex' (bnc#1012382).
- Revert 'media: videobuf2-core: do not call memop 'finish' when queueing' (bnc#1012382).
- Revert 'mmc: bcm2835: Fix DMA channel leak on probe error (bsc#1120902).' The backport patch does not built properly.
- Revert 'PCI/ASPM: Do not initialize link state when aspm_disabled is set' (bsc#1106105).
- Revert 'usb: musb: musb_host: Enable HCD_BH flag to handle urb return in bottom half' (bsc#1047487).
- Revert 'wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()' (bnc#1012382).
- rhashtable: Add rhashtable_lookup() (bnc#1012382).
- rhashtable: add rhashtable_lookup_get_insert_key() (bnc#1012382 bsc#1042286).
- rhashtable: add schedule points (bnc#1012382).
- rhashtable: reorganize struct rhashtable layout (bnc#1012382).
- rocker: fix rocker_tlv_put_* functions for KASAN (bnc#1012382).
- rpcrdma: Add RPCRDMA_HDRLEN_ERR (git-fixes).
- rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly (bsc#1042286 bsc#1108145).
- rtc: hctosys: Add missing range error reporting (bnc#1012382).
- rtc: snvs: add a missing write sync (bnc#1012382).
- rtc: snvs: Add timeouts to avoid kernel lockups (bnc#1012382).
- rtnetlink: Disallow FDB configuration for non-Ethernet device (bnc#1012382).
- rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices (bnc#1012382).
- s390/cpum_cf: Reject request for sampling in event initialization (bnc#1012382).
- s390/early: improve machine detection (bnc#1012382).
- s390/mm: Check for valid vma before zapping in gmap_discard (bnc#1012382).
- s390/mm: Fix ERROR: '__node_distance' undefined! (bnc#1012382).
- s390: qeth_core_mpc: Use ARRAY_SIZE instead of reimplementing its function (bnc#1114475, LTC#172682).
- s390/qeth: fix HiperSockets sniffer (bnc#1114475, LTC#172953).
- s390/qeth: fix length check in SNMP processing (bnc#1012382).
- s390: qeth: Fix potential array overrun in cmd/rc lookup (bnc#1114475, LTC#172682).
- s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU (bnc#1012382).
- s390/smp: fix CPU hotplug deadlock with CPU rescan (bnc#1012382).
- s390/vdso: add missing FORCE to build targets (bnc#1012382).
- sata_rcar: fix deferred probing (bnc#1012382).
- sbus: char: add of_node_put() (bnc#1012382).
- sc16is7xx: Fix for multi-channel stall (bnc#1012382).
- sched/cgroup: Fix cgroup entity load tracking tear-down (bnc#1012382).
- sched/fair: Fix throttle_list starvation with low CFS quota (bnc#1012382).
- sched/wake_q: Document wake_q_add() (bsc#1050549).
- sched/wake_q: Fix wakeup ordering for wake_q (bsc#1050549).
- sched/wake_q: Reduce reference counting for special users (bsc#1050549).
- sch_red: update backlog as well (bnc#1012382).
- scripts/decode_stacktrace: only strip base path when a prefix of the path (bnc#1012382).
- scripts/git_sort/git_sort.py: Add mkp/scsi 5.0/scsi-fixes
- scsi: aacraid: Fix typo in blink status (bnc#1012382).
- scsi: bfa: convert to strlcpy/strlcat (bnc#1012382 bsc#1019683, ).
- scsi: bnx2fc: Fix NULL dereference in error handling (bnc#1012382).
- scsi: core: Allow state transitions from OFFLINE to BLOCKED (bsc#1112246).
- scsi: Create two versions of scsi_internal_device_unblock() (bsc#1119877).
- scsi: csiostor: Avoid content leaks and casts (bnc#1012382).
- scsi: esp_scsi: Track residual for PIO transfers (bnc#1012382).
- scsi: Introduce scsi_start_queue() (bsc#1119877).
- scsi: libfc: check fc_frame_payload_get() return value for null (bsc#1103624, bsc#1104731).
- scsi: libfc: retry PRLI if we cannot analyse the payload (bsc#1104731).
- scsi: libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (bnc#1012382).
- scsi: lpfc: Add Buffer overflow check, when nvme_info larger than PAGE_SIZE (bsc#1102660).
- scsi: lpfc: Correct LCB RJT handling (bnc#1012382).
- scsi: lpfc: Correct MDS diag and nvmet configuration (bsc#1125796).
- scsi: lpfc: Correct soft lockup when running mds diagnostics (bnc#1012382).
- scsi: lpfc: devloss timeout race condition caused null pointer reference (bsc#1102660).
- scsi: lpfc: Fix abort error path for NVMET (bsc#1102660).
- scsi: lpfc: fix block guard enablement on SLI3 adapters (bsc#1079935).
- scsi: lpfc: Fix driver crash when re-registering NVME rports (bsc#1102660).
- scsi: lpfc: Fix ELS abort on SLI-3 adapters (bsc#1102660).
- scsi: lpfc: Fix list corruption on the completion queue (bsc#1102660).
- scsi: lpfc: Fix NVME Target crash in defer rcv logic (bsc#1102660).
- scsi: lpfc: Fix panic if driver unloaded when port is offline (bsc#1102660).
- scsi: lpfc: update driver version to 11.4.0.7-5 (bsc#1102660).
- scsi: Make __scsi_remove_device go straight from BLOCKED to DEL (bsc#1119877).
- scsi: megaraid: fix out-of-bound array accesses (bnc#1012382).
- scsi: megaraid_sas: fix a missing-check bug (bnc#1012382).
- scsi: mpt3sas: Add an I/O barrier (bsc#1117108).
- scsi: mpt3sas: Added support for nvme encapsulated request message (bsc#1117108).
- scsi: mpt3sas: Added support for SAS Device Discovery Error Event (bsc#1117108).
- scsi: mpt3sas: Adding support for SAS3616 HBA device (bsc#1117108).
- scsi: mpt3sas: Add ioc_<level> logging macros (bsc#1117108).
- scsi: mpt3sas: Add nvme device support in slave alloc, target alloc and probe (bsc#1117108).
- scsi: mpt3sas: Add PCI device ID for Andromeda (bsc#1117108).
- scsi: mpt3sas: Add-Task-management-debug-info-for-NVMe-drives (bsc#1117108).
- scsi: mpt3sas: Allow processing of events during driver unload (bsc#1117108).
- scsi: mpt3sas: always use first reserved smid for ioctl passthrough (bsc#1117108).
- scsi: mpt3sas: Annotate switch/case fall-through (bsc#1117108).
- scsi: mpt3sas: API's to remove nvme drive from sml (bsc#1117108).
- scsi: mpt3sas: API 's to support NVMe drive addition to SML (bsc#1117108).
- scsi: mpt3sas: As per MPI-spec, use combined reply queue for SAS3.5 controllers when HBA supports more than 16 MSI-x vectors (bsc#1117108).
- scsi: mpt3sas: Bug fix for big endian systems (bsc#1117108).
- scsi: mpt3sas: Bump mpt3sas driver version to v16.100.00.00 (bsc#1117108).
- scsi: mpt3sas: Cache enclosure pages during enclosure add (bsc#1117108).
- scsi: mpt3sas: check command status before attempting abort (bsc#1117108).
- scsi: mpt3sas: clarify mmio pointer types (bsc#1117108).
- scsi: mpt3sas: cleanup _scsih_pcie_enumeration_event() (bsc#1117108).
- scsi: mpt3sas: Configure reply post queue depth, DMA and sgl tablesize (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT and reply_q_name to %s: (bsc#1117108).
- scsi: mpt3sas: Convert logging uses with MPT3SAS_FMT without logging levels (bsc#1117108).
- scsi: mpt3sas: Convert mlsleading uses of pr_<level> with MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Convert uses of pr_<level> with MPT3SAS_FMT to ioc_<level> (bsc#1117108).
- scsi: mpt3sas: Display chassis slot information of the drive (bsc#1117108).
- scsi: mpt3sas: Do not abort I/Os issued to NVMe drives while processing Async Broadcast primitive event (bsc#1117108).
- scsi: mpt3sas: Do not access the structure after decrementing it's instance reference count (bsc#1117108).
- scsi: mpt3sas: Do not use 32-bit atomic request descriptor for Ventura controllers (bsc#1117108).
- scsi: mpt3sas: Enhanced handling of Sense Buffer (bsc#1117108).
- scsi: mpt3sas: fix an out of bound write (bsc#1117108).
- scsi: mpt3sas: Fix a race condition in mpt3sas_base_hard_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Fix calltrace observed while running IO & reset (bsc#1117108).
- scsi: mpt3sas: fix dma_addr_t casts (bsc#1117108).
- scsi: mpt3sas: Fixed memory leaks in driver (bsc#1117108).
- scsi: mpt3sas: Fix, False timeout prints for ioctl and other internal commands during controller reset (bsc#1117108).
- scsi: mpt3sas: fix format overflow warning (bsc#1117108).
- scsi: mpt3sas: Fix indentation (bsc#1117108).
- scsi: mpt3sas: Fix memory allocation failure test in 'mpt3sas_base_attach()' (bsc#1117108).
- scsi: mpt3sas: Fix nvme drives checking for tlr (bsc#1117108).
- scsi: mpt3sas: fix oops in error handlers after shutdown/unload (bsc#1117108).
- scsi: mpt3sas: Fix possibility of using invalid Enclosure Handle for SAS device after host reset (bsc#1117108).
- scsi: mpt3sas: fix possible memory leak (bsc#1117108).
- scsi: mpt3sas: fix pr_info message continuation (bsc#1117108).
- scsi: mpt3sas: Fix removal and addition of vSES device during host reset (bsc#1117108).
- scsi: mpt3sas: Fix sparse warnings (bsc#1117108).
- scsi: mpt3sas: fix spelling mistake: 'disbale' -> 'disable' (bsc#1117108).
- scsi: mpt3sas: For NVME device, issue a protocol level reset (bsc#1117108).
- scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware (bsc#1117108).
- scsi: mpt3sas: Improve kernel-doc headers (bsc#1117108).
- scsi: mpt3sas: Incorrect command status was set/marked as not used (bsc#1117108).
- scsi: mpt3sas: Increase event log buffer to support 24 port HBA's (bsc#1117108).
- scsi: mpt3sas: Introduce API to get BAR0 mapped buffer address (bsc#1117108).
- scsi: mpt3sas: Introduce Base function for cloning (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi reply (bsc#1117108).
- scsi: mpt3sas: Introduce function to clone mpi request (bsc#1117108).
- scsi: mpt3sas: Introduce mpt3sas_get_st_from_smid() (bsc#1117108).
- scsi: mpt3sas: Introduce struct mpt3sas_nvme_cmd (bsc#1117108).
- scsi: mpt3sas: Lockless access for chain buffers (bsc#1117108).
- scsi: mpt3sas: lockless command submission (bsc#1117108).
- scsi: mpt3sas: make function _get_st_from_smid static (bsc#1117108).
- scsi: mpt3sas: NVMe drive support for BTDHMAPPING ioctl command and log info (bsc#1117108).
- scsi: mpt3sas: open-code _scsih_scsi_lookup_get() (bsc#1117108).
- scsi: mpt3sas: Optimize I/O memory consumption in driver (bsc#1117108).
- scsi: mpt3sas: Pre-allocate RDPQ Array at driver boot time (bsc#1117108).
- scsi: mpt3sas: Processing of Cable Exception events (bsc#1117108).
- scsi: mpt3sas: Reduce memory footprint in kdump kernel (bsc#1117108).
- scsi: mpt3sas: remove a stray KERN_INFO (bsc#1117108).
- scsi: mpt3sas: Remove KERN_WARNING from panic uses (bsc#1117108).
- scsi: mpt3sas: remove redundant copy_from_user in _ctl_getiocinfo (bsc#1117108).
- scsi: mpt3sas: remove redundant wmb (bsc#1117108).
- scsi: mpt3sas: Remove set-but-not-used variables (bsc#1117108).
- scsi: mpt3sas: Remove unnecessary parentheses and simplify null checks (bsc#1117108).
- scsi: mpt3sas: Remove unused macro MPT3SAS_FMT (bsc#1117108).
- scsi: mpt3sas: Remove unused variable requeue_event (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Replace PCI pool old API (bsc#1117108).
- scsi: mpt3sas: Report Firmware Package Version from HBA Driver (bsc#1117108).
- scsi: mpt3sas: scan and add nvme device after controller reset (bsc#1117108).
- scsi: mpt3sas: separate out _base_recovery_check() (bsc#1117108).
- scsi: mpt3sas: set default value for cb_idx (bsc#1117108).
- scsi: mpt3sas: Set NVMe device queue depth as 128 (bsc#1117108).
- scsi: mpt3sas: SGL to PRP Translation for I/Os to NVMe devices (bsc#1117108).
- scsi: mpt3sas: simplify mpt3sas_scsi_issue_tm() (bsc#1117108).
- scsi: mpt3sas: simplify task management functions (bsc#1117108).
- scsi: mpt3sas: simplify _wait_for_commands_to_complete() (bsc#1117108).
- scsi: mpt3sas: Split _base_reset_handler(), mpt3sas_scsih_reset_handler() and mpt3sas_ctl_reset_handler() (bsc#1117108).
- scsi: mpt3sas: Swap I/O memory read value back to cpu endianness (bsc#1117108).
- scsi: mpt3sas: switch to generic DMA API (bsc#1117108).
- scsi: mpt3sas: switch to pci_alloc_irq_vectors (bsc#1117108).
- scsi: mpt3sas: Updated MPI headers to v2.00.48 (bsc#1117108).
- scsi: mpt3sas: Update driver version '25.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update driver version '26.100.00.00' (bsc#1117108).
- scsi: mpt3sas: Update MPI Headers (bsc#1117108).
- scsi: mpt3sas: Update mpt3sas driver version (bsc#1117108).
- scsi: mpt3sas: Use dma_pool_zalloc (bsc#1117108).
- scsi: mpt3sas: use list_splice_init() (bsc#1117108).
- scsi: mpt3sas: wait for and flush running commands on shutdown/unload (bsc#1117108).
- scsi: Protect SCSI device state changes with a mutex (bsc#1119877).
- scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig (bsc#1043083).
- scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: qla2xxx: Fix deadlock between ATIO and HW lock (bsc#1125794).
- scsi: qla2xxx: Fix incorrect port speed being set for FC adapters (bnc#1012382).
- scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure (bsc#1094973).
- scsi: Re-export scsi_internal_device_{,un}_block() (bsc#1119877).
- scsi: sd: Fix cache_type_store() (bnc#1012382).
- scsi: Split scsi_internal_device_block() (bsc#1119877).
- scsi: target: add emulate_pr backstore attr to toggle PR support (bsc#1091405).
- scsi: target: drop unused pi_prot_format attribute storage (bsc#1091405).
- scsi: target: make the pi_prot_format ConfigFS path readable (bsc#1123933).
- scsi: target: use consistent left-aligned ASCII INQUIRY data (bnc#1012382).
- scsi: ufs: fix bugs related to null pointer access and array size (bnc#1012382).
- scsi: ufs: fix race between clock gating and devfreq scaling work (bnc#1012382).
- scsi: ufshcd: Fix race between clk scaling and ungate work (bnc#1012382).
- scsi: ufshcd: release resources if probe fails (bnc#1012382).
- scsi: use 'inquiry_mutex' instead of 'state_mutex' (bsc#1119877).
- scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq during unload (bnc#1012382).
- scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bnc#1012382).
- sctp: allocate sctp_sockaddr_entry with kzalloc (bnc#1012382).
- sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer (bnc#1012382).
- sctp: fix race on sctp_id2asoc (bnc#1012382).
- sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event (bnc#1012382).
- sd: disable logical block provisioning if 'lbpme' is not set (bsc#1086095 bsc#1078355).
- selftests: ftrace: Add synthetic event syntax testcase (bnc#1012382).
- selftests: Move networking/timestamping from Documentation (bnc#1012382).
- selinux: fix GPF on invalid policy (bnc#1012382).
- seq_buf: Make seq_buf_puts() null-terminate the buffer (bnc#1012382).
- seq_file: fix incomplete reset on read from zero offset (Git-fixes).
- ser_gigaset: use container_of() instead of detour (bnc#1012382).
- serial: fsl_lpuart: clear parity enable bit when disable parity (bnc#1012382).
- signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init (bnc#1012382).
- signal: Always notice exiting tasks (bnc#1012382).
- signal: Better detection of synchronous signals (bnc#1012382).
- signal/GenWQE: Fix sending of SIGKILL (bnc#1012382).
- signal: Restore the stop PTRACE_EVENT_EXIT (bnc#1012382).
- skge: potential memory corruption in skge_get_regs() (bnc#1012382).
- slab: alien caches must not be initialized if the allocation of the alien cache failed (bnc#1012382).
- smack: fix access permissions for keyring (bnc#1012382).
- smb3: allow stats which track session and share reconnects to be reset (bnc#1012382).
- smb3: do not attempt cifs operation in smb3 query info error path (bnc#1012382).
- smb3: on kerberos mount if server does not specify auth type use krb5 (bnc#1012382).
- smsc75xx: Check for Wake-on-LAN modes (bnc#1012382).
- smsc95xx: Check for Wake-on-LAN modes (bnc#1012382).
- smsc95xx: Use skb_cow_head to deal with cloned skbs (bnc#1012382).
- sock: Make sock->sk_stamp thread-safe (bnc#1012382).
- soc/tegra: Do not leak device tree node reference (bnc#1012382).
- soc/tegra: pmc: Fix child-node lookup (bnc#1012382).
- sparc64: Fix exception handling in UltraSPARC-III memcpy (bnc#1012382).
- sparc64 mm: Fix more TSB sizing issues (bnc#1012382).
- sparc: Fix single-pcr perf event counter management (bnc#1012382).
- sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata (bnc#1012382).
- spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode (bnc#1012382).
- spi: bcm2835: Fix book-keeping of DMA termination (bnc#1012382).
- spi: bcm2835: Fix race on DMA termination (bnc#1012382).
- spi: bcm2835: Unbreak the build of esoteric configs (bnc#1012382).
- spi/bcm63xx: fix error return code in bcm63xx_spi_probe() (bnc#1012382).
- spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() (bnc#1012382).
- spi: xlp: fix error return code in xlp_spi_probe() (bnc#1012382).
- sr9800: Check for supported Wake-on-LAN modes (bnc#1012382).
- sr: pass down correctly sized SCSI sense buffer (bnc#1012382).
- staging:iio:ad2s90: Make probe handle spi_setup failure (bnc#1012382).
- staging: iio: ad7780: update voltage on read (bnc#1012382).
- staging: iio: adc: ad7280a: handle error from __ad7280_read32() (bnc#1012382).
- staging: lustre: remove two build warnings (bnc#1012382).
- staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 (bnc#1012382).
- staging: rts5208: fix gcc-8 logic error warning (bnc#1012382).
- staging: speakup: Replace strncpy with memcpy (bnc#1012382).
- sunrpc: correct the computation for page_ptr when truncating (bnc#1012382).
- sunrpc: drop pointless static qualifier in xdr_get_next_encode_buffer() (bnc#1012382).
- sunrpc: Fix a bogus get/put in generic_key_to_expire() (bnc#1012382).
- sunrpc: Fix a potential race in xprt_connect() (git-fixes).
- sunrpc: fix cache_head leak due to queued request (bnc#1012382).
- sunrpc: Fix leak of krb5p encode pages (bnc#1012382).
- sunrpc: handle ENOMEM in rpcb_getport_async (bnc#1012382).
- sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns EAGAIN (bnc#1012382).
- svcrdma: Remove unused variable in rdma_copy_tail() (git-fixes).
- swim: fix cleanup on setup error (bnc#1012382).
- swiotlb: clean up reporting (bnc#1012382).
- sysfs: Disable lockdep for driver bind/unbind files (bnc#1012382).
- sysv: return 'err' instead of 0 in __sysv_write_inode (bnc#1012382).
- target/iscsi: avoid NULL dereference in CHAP auth error path (bsc#1117165).
- target: se_dev_attrib.emulate_pr ABI stability (bsc#1091405).
- tcp: fix NULL ref in tail loss probe (bnc#1012382).
- TC: Set DMA masks for devices (bnc#1012382).
- termios, tty/tty_baudrate.c: fix buffer overrun (bnc#1012382).
- test_hexdump: use memcpy instead of strncpy (bnc#1012382).
- tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths (bnc#1012382).
- thermal: allow spear-thermal driver to be a module (bnc#1012382).
- thermal: allow u8500-thermal driver to be a module (bnc#1012382).
- thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set (bnc#1012382).
- timekeeping: Use proper seqcount initializer (bnc#1012382).
- timer/debug: Change /proc/timer_list from 0444 to 0400 (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_doit (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_reset_stats (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_link_set (bnc#1012382).
- tipc: fix uninit-value in tipc_nl_compat_name_table_dump (bnc#1012382).
- tipc: use destination length for copy string (bnc#1012382).
- tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset (bnc#1012382).
- tpm: fix response size validation in tpm_get_random() (bsc#1020645, git-fixes).
- tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated (bnc#1012382).
- tracing: Fix bad use of igrab in trace_uprobe.c (bsc#1120046).
- tracing: Fix memory leak in set_trigger_filter() (bnc#1012382).
- tracing: Fix memory leak of instance function hash filters (bnc#1012382).
- tracing: Skip more functions when doing stack tracing of events (bnc#1012382).
- tracing/uprobes: Fix output for multiple string arguments (bnc#1012382).
- tty: check name length in tty_find_polling_driver() (bnc#1012382).
- tty: Do not block on IO when ldisc change is pending (bnc#1105428).
- tty: Do not hold ldisc lock in tty_reopen() if ldisc present (bnc#1105428).
- tty: fix data race between tty_init_dev and flush of buf (bnc#1105428).
- tty: Handle problem if line discipline does not have receive_buf (bnc#1012382).
- tty: Hold tty_ldisc_lock() during tty_reopen() (bnc#1105428).
- tty/ldsem: Add lockdep asserts for ldisc_sem (bnc#1105428).
- tty/ldsem: Convert to regular lockdep annotations (bnc#1105428).
- tty/ldsem: Decrement wait_readers on timeouted down_read() (bnc#1105428).
- tty/ldsem: Wake up readers after timed out down_write() (bnc#1012382).
- tty/n_hdlc: fix __might_sleep warning (bnc#1012382).
- tty: serial: 8250_mtk: always resume the device in probe (bnc#1012382).
- tty: serial: samsung: Properly set flags in autoCTS mode (bnc#1012382).
- tty: serial: sprd: fix error return code in sprd_probe() (bnc#1012382).
- tty: Simplify tty->count math in tty_reopen() (bnc#1105428).
- tty: wipe buffer (bnc#1012382).
- tty: wipe buffer if not echoing data (bnc#1012382).
- tun: Consistently configure generic netdev params via rtnetlink (bnc#1012382).
- tun: forbid iface creation with rtnl ops (bnc#1012382).
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define (bnc#1012382).
- uapi/if_ether.h: prevent redefinition of struct ethhdr (bnc#1012382).
- ucc_geth: Reset BQL queue when stopping device (bnc#1012382).
- udf: Fix BUG on corrupted inode (bnc#1012382).
- uio: ensure class is registered before devices (bnc#1012382).
- uio: Fix an Oops on load (bnc#1012382).
- uio: make symbol 'uio_class_registered' static (git-fixes).
- um: Avoid longjmp/setjmp symbol clashes with libpthread.a (bnc#1012382).
- um: Avoid marking pages with 'changed protection' (bnc#1012382).
- um: Give start_idle_thread() a return code (bnc#1012382).
- unifdef: use memcpy instead of strncpy (bnc#1012382).
- Update ibmvnic: Fix RX queue buffer cleanup (bsc#1115440, bsc#1115433).
- uprobes: Fix handle_swbp() vs. unregister() + register() race once more (bnc#1012382).
- usb: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB (bnc#1012382).
- usb: appledisplay: Add 27' Apple Cinema Display (bnc#1012382).
- usb: cdc-acm: add entry for Hiro (Conexant) modem (bnc#1012382).
- usb: cdc-acm: send ZLP for Telit 3G Intel based modems (bnc#1012382).
- usb: check usb_get_extra_descriptor for proper size (bnc#1012382).
- usb: chipidea: Prevent unbalanced IRQ disable (bnc#1012382).
- usb: core: Fix hub port connection events lost (bnc#1012382).
- usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series (bnc#1012382).
- usb: dwc2: Remove unnecessary kfree (bnc#1012382).
- usb: dwc3: omap: fix error return code in dwc3_omap_probe() (bnc#1012382).
- usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() (bnc#1012382).
- usb: fix the usbfs flag sanitization for control transfers (bnc#1012382).
- usb: gadget: dummy: fix nonsensical comparisons (bnc#1012382).
- usb: gadget: storage: Fix Spectre v1 vulnerability (bnc#1012382).
- usb: gadget: udc: net2272: Fix bitwise and boolean operations (bnc#1012382).
- usb: hub: delay hub autosuspend if USB3 port is still link training (bnc#1012382).
- usb: imx21-hcd: fix error return code in imx21_probe() (bnc#1012382).
- usb: misc: appledisplay: add 20' Apple Cinema Display (bnc#1012382).
- usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 (bnc#1012382).
- usb: omap_udc: fix crashes on probe error and module removal (bnc#1012382).
- usb: omap_udc: fix omap_udc_start() on 15xx machines (bnc#1012382).
- usb: omap_udc: fix USB gadget functionality on Palm Tungsten E (bnc#1012382).
- usb: omap_udc: use devm_request_irq() (bnc#1012382).
- usb: phy: am335x: fix race condition in _probe (bnc#1012382).
- usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device (bnc#1012382).
- usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB (bnc#1012382).
- usb: quirks: Add no-lpm quirk for Raydium touchscreens (bnc#1012382).
- usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() (bnc#1012382).
- usb: serial: option: add Fibocom NL668 series (bnc#1012382).
- usb: serial: option: add Fibocom NL678 series (bnc#1012382).
- usb: serial: option: add GosunCn ZTE WeLink ME3630 (bnc#1012382).
- usb: serial: option: add HP lt4132 (bnc#1012382).
- usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) (bnc#1012382).
- usb: serial: option: add Telit LN940 series (bnc#1012382).
- usb: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays (bnc#1012382).
- usb: serial: pl2303: add new PID to support PL2303TB (bnc#1012382).
- usb: serial: simple: add Motorola Tetra TPG2200 device id (bnc#1012382).
- usb: storage: add quirk for SMI SM3350 (bnc#1012382).
- usb: storage: do not insert sane sense for SPC3+ when bad sense specified (bnc#1012382).
- usb-storage: fix bogus hardware error messages for ATA pass-thru devices (bnc#1012382).
- usb: usb-storage: Add new IDs to ums-realtek (bnc#1012382).
- usb: xhci: fix timeout for transition from RExit to U0 (bnc#1012382).
- usb: xhci: fix uninitialized completion when USB3 port got wrong status (bnc#1012382).
- usb: xhci: Prevent bus suspend if a port connect change or polling state is detected (bnc#1012382).
- v9fs_dir_readdir: fix double-free on p9stat_read error (bnc#1012382).
- vfs: Avoid softlockups in drop_pagecache_sb() (bsc#1118505).
- vhost: Fix Spectre V1 vulnerability (bnc#1012382).
- vhost: make sure used idx is seen before log in vhost_add_used_n() (bnc#1012382).
- vhost/scsi: truncate T10 PI iov_iter to prot_bytes (bnc#1012382).
- video: clps711x-fb: release disp device node in probe() (bnc#1012382).
- video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() (bnc#1012382).
- virtio/s390: avoid race on vcdev->config (bnc#1012382).
- virtio/s390: fix race in ccw_io_helper() (bnc#1012382).
- VSOCK: Send reset control packet when socket is partially bound (bnc#1012382).
- vti6: flush x-netns xfrm cache when vti interface is removed (bnc#1012382).
- vt: invoke notifier on screen size change (bnc#1012382).
- w1: omap-hdq: fix missing bus unregister at removal (bnc#1012382).
- writeback: do not decrement wb->refcnt if !wb->bdi (git fixes (writeback)).
- x86/a.out: Clear the dump structure initially (bnc#1012382).
- x86: boot: Fix EFI stub alignment (bnc#1012382).
- x86/boot: #undef memcpy() et al in string.c (bnc#1012382).
- x86/build: Fix stack alignment for CLang (bnc#1012382).
- x86/build: Specify stack alignment for clang (bnc#1012382).
- x86/build: Use __cc-option for boot code compiler options (bnc#1012382).
- x86/build: Use cc-option to validate stack alignment parameter (bnc#1012382).
- x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided (bnc#1012382).
- x86/earlyprintk/efi: Fix infinite loop on some screen widths (bnc#1012382).
- x86/entry: spell EBX register correctly in documentation (bnc#1012382).
- x86/fpu: Add might_fault() to user_insn() (bnc#1012382).
- x86/kaslr: Fix incorrect i8254 outb() parameters (bnc#1012382).
- x86/kbuild: Use cc-option to enable -falign-{jumps/loops} (bnc#1012382).
- x86/kconfig: Fall back to ticket spinlocks (bnc#1012382).
- x86/MCE: Export memory_error() (bsc#1114648).
- x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out() (bnc#1012382).
- x86/MCE: Make correctable error detection look at the Deferred bit (bsc#1114648).
- x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility (bnc#1012382).
- x86/mm/pat: Prevent hang during boot when mapping pages (bnc#1012382).
- x86/mtrr: Do not copy uninitialized gentry fields back to userspace (bnc#1012382).
- x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) (bnc#1012382).
- x86/pkeys: Properly copy pkey state at fork() (bsc#1106105).
- x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls (bnc#1012382).
- x86: respect memory size limiting via mem= parameter (bsc#1117645).
- x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off (bnc#1114871).
- x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP (bnc#1012382).
- x86/xen: dont add memory above max allowed allocation (bsc#1117645).
- xen/balloon: Support xend-based toolstack (bnc#1065600).
- xen/blkfront: avoid NULL blkfront_info dereference on device removal (bsc#1111062).
- xen: fix race in xen_qlock_wait() (bnc#1012382).
- xen: fix xen_qlock_wait() (bnc#1012382).
- xen: make xen_qlock_wait() nestable (bnc#1012382).
- xen/netback: dont overflow meta array (bnc#1099523).
- xen/netfront: tolerate frags with no data (bnc#1012382).
- xen-swiotlb: use actually allocated size on check physical continuous (bnc#1012382).
- xen/x86: add diagnostic printout to xen_mc_flush() in case of error (bnc#1116183).
- xen: xlate_mmu: add missing header to fix 'W=1' warning (bnc#1012382).
- xfrm6: call kfree_skb when skb is toobig (bnc#1012382).
- xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi (bnc#1012382).
- xfrm: Clear sk_dst_cache when applying per-socket policy (bnc#1012382).
- xfrm: Fix bucket count reported to userspace (bnc#1012382).
- xfrm: use complete IPv6 addresses for hash (bsc#1109330).
- xfrm: Validate address prefix lengths in the xfrm selector (bnc#1012382).
- xfrm: validate template mode (bnc#1012382).
- xfs: Align compat attrlist_by_handle with native implementation (git-fixes).
- xfs/dmapi: restore event in xfs_getbmap (bsc#1114763).
- xfs: Fix error code in 'xfs_ioc_getbmap()' (git-fixes).
- xfs: fix quotacheck dquot id overflow infinite loop (bsc#1121621).
- xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc (bsc#1117162).
- xhci: Do not prevent USB2 bus suspend in state check intended for USB3 only (bnc#1012382).
- xhci: Prevent U1/U2 link pm states if exit latency is too long (bnc#1012382).
- xprtrdma: checking for NULL instead of IS_ERR() (git-fixes).
- xprtrdma: Disable pad optimization by default (git-fixes).
- xprtrdma: Disable RPC/RDMA backchannel debugging messages (git-fixes).
- xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock) (git-fixes).
- xprtrdma: Fix backchannel allocation of extra rpcrdma_reps (git-fixes).
- xprtrdma: Fix Read chunk padding (git-fixes).
- xprtrdma: Fix receive buffer accounting (git-fixes).
- xprtrdma: Reset credit grant properly after a disconnect (git-fixes).
- xprtrdma: rpcrdma_bc_receive_call() should init rq_private_buf.len (git-fixes).
- xprtrdma: Serialize credit accounting again (git-fixes).
- xprtrdma: xprt_rdma_free() must not release backchannel reqs (git-fixes).
- xtensa: add NOTES section to the linker script (bnc#1012382).
- xtensa: enable coprocessors that are being flushed (bnc#1012382).
- xtensa: fix boot parameters address translation (bnc#1012382).
- xtensa: fix coprocessor context offset definitions (bnc#1012382).
- xtensa: make sure bFLT stack is 16 byte aligned (bnc#1012382).
- yama: Check for pid death before checking ancestry (bnc#1012382).
- zram: close udev startup race condition as default groups (bnc#1012382).
- xfrm: refine validation of template and selector families (bnc#1012382).


-----------------------------------------
Patch: SUSE-2019-546
Released: Tue Mar  5 14:44:33 2019
Summary: Recommended update for dracut
Severity: moderate
References: 1008352,1013573,1053248,1055834,1090884,1098448,1110519,1112327,1113712,1119499,1121251,1124088,1125327,937555
Description:
This update for dracut provides the following fixes:

- 95iscsi: Handle qedi like bnx2i. (bsc#1113712)
- 91zipl: Don't use contents of commented lines (bsc#1119499)
- dracut-installkernel: Stop keeping old kernel files as .old. The .old kernel files are
  confusing grub2 which can't find a matching directory under /lib/modules. Furthermore,
  there is no guarantee that the new modules are fully compatible with the old kernel.
  If anything goes wrong with a new self-compiled kernel, the user can always boot back to
  the distribution kernel, so the .old backup files are not needed in the first place.
  (bsc#1112327)
- 98dracut-systemd: Start systemd-vconsole-setup before dracut-cmdline-ask. (bsc#1055834)
- Bring shell and all vital information to all ttys specified as console devices in
  emergency mode. (fate#325386, bsc#1053248, bsc#937555)
- Fix displaying text on emergency consoles. (bsc#1124088)
- Remove invalid 'FONT_MAP=none' from vconsole.conf. (bsc#1013573)
- Fix a missing space in example configs. (bsc#1121251)
- Fix saving dumps to zFCP attached SCSI disks. (bsc#1008352)
- Mark the DASD udev rules host-only and handle backslashes in paths for hostonly files.
  (bsc#1090884)
- Add nfit module. (bsc#1110519)
- Add a fix to override ACPI tables via initrd, a kernel config variable changed name.
  (bsc#1098448)
- purge-kernels: Avoid endless loop when uninstalling kernels that depend on
  KMPs which in themselves depend on other packages (bsc#1125327)


-----------------------------------------
Patch: SUSE-2019-558
Released: Wed Mar  6 14:06:36 2019
Summary: Recommended update for cups
Severity: moderate
References: 1118118
Description:
This update for cups fixes the following issues:

- Fixed a cups crash when using utf8 filenames (bsc#1118118)


-----------------------------------------
Patch: SUSE-2019-561
Released: Wed Mar  6 14:12:42 2019
Summary: Recommended update for libtirpc
Severity: moderate
References: 1120689
Description:
This update for libtirpc fixes the following issues:

- Adds a new option to enforce connection via protocol version 2 first (bsc#1120689)


-----------------------------------------
Patch: SUSE-2019-566
Released: Thu Mar  7 17:48:43 2019
Summary: Recommended update for yast2-registration
Severity: moderate
References: 1125006
Description:
This update for yast2-registration fixes the following issues:

- Fixed a crash during service pack migration (bsc#1125006)


-----------------------------------------
Patch: SUSE-2019-573
Released: Fri Mar  8 13:49:40 2019
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc
Severity: important
References: 1001161,1048046,1051429,1112980,1114832,1118897,1118898,1118899,1121412,1121967,1124308,CVE-2016-9962,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed:

- CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
- CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
- CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
- CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container
  breakout (bsc#1121967).

Other changes and bug fixes:

- Update shell completion to use Group: System/Shells.
- Add daemon.json file with rotation logs configuration (bsc#1114832)
- Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84.
  See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Disable leap based builds for kubic flavor (bsc#1121412).
- Allow users to explicitly specify the NIS domain name of a container (bsc#1001161).
- Update docker.service to match upstream and avoid rlimit problems (bsc#1112980).
- Update go requirements to >= go1.10 
- Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
- Remove the usage of 'cp -r' to reduce noise in the build logs.


-----------------------------------------
Patch: SUSE-2019-575
Released: Fri Mar  8 16:06:29 2019
Summary: Recommended update for sapconf
Severity: moderate
References: 1111243,1122741
Description:
This update for sapconf provides the following fixes:

- Source /etc/sysconfig/sapconf entries correctly, even if the /etc filesystem is
  read-only. (bsc#1122741)
- Log skipping of existing /etc/systemd/logind.conf.d/sap.conf file during package
  installation. (bsc#1111243)


-----------------------------------------
Patch: SUSE-2019-623
Released: Mon Mar 18 09:15:51 2019
Summary: Recommended update for samba
Severity: moderate
References: 1112223,1114459
Description:
This update for samba fixes the following issues:
    
- Fix winbind issues with start configuration. (bsc#1112223)
- Fix winbind running out of memory with high number of domain groups. (bsc#1114459)


-----------------------------------------
Patch: SUSE-2019-655
Released: Wed Mar 20 10:30:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Description:
This update for libssh2_org fixes the following issues:

Security issues fixed: 	  

- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes 
  with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write 
  with specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require 
  and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially 
  crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted 
  SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially 
  crafted message channel request SSH packet (bsc#1128474).

Other issue addressed: 

- Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).
 

-----------------------------------------
Patch: SUSE-2019-691
Released: Thu Mar 21 19:48:54 2019
Summary: Recommended update for lio-utils
Severity: moderate
References: 1123423
Description:
This update for lio-utils fixes the following issues:

- Remove systemd conflicts restriction from here, moving it
  instead to targetcli-fb, so that this package can run
  with targetcli (i.e. the old version of targetcli). (bsc#1123423)

- Updated License in SPEC file to Apache-2.0, to match
  our COPYING file contents/license type.


-----------------------------------------
Patch: SUSE-2019-737
Released: Mon Mar 25 16:17:56 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1122938
Description:
This update for open-iscsi fixes the following issues:

- Fix output for iscsiadm node/iface with print level P1 set. (bsc#1122938),


-----------------------------------------
Patch: SUSE-2019-789
Released: Thu Mar 28 11:56:29 2019
Summary: Security update for ntp
Severity: moderate
References: 1125401,1128525,CVE-2019-8936
Description:
This update for ntp fixes the following issues:

Security issue fixed: 	  

- CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause 
  segmentation fault to ntpd (bsc#1128525).

Other isses addressed:

- Fixed an issue which caused openSSL mismatch (bsc#1125401)
- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.


-----------------------------------------
Patch: SUSE-2019-794
Released: Thu Mar 28 12:09:29 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1087481
Description:
This update for krb5 fixes the following issues:

- Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
  suppress sending the confidentiality and integrity flags in GSS
  initiator tokens unless they are requested by the caller. These
  flags control the negotiated SASL security layer for the Microsoft
  GSS-SPNEGO SASL mechanism. (bsc#1087481).


-----------------------------------------
Patch: SUSE-2019-797
Released: Thu Mar 28 14:50:18 2019
Summary: Recommended update for apache2
Severity: moderate
References: 1125965
Description:

This update for apache2 fixes the following issues:

- mod_httpd2 HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (bsc#1125965)


-----------------------------------------
Patch: SUSE-2019-799
Released: Fri Mar 29 07:06:57 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:

timezone was update to 2019a (bsc#1130557):

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data


-----------------------------------------
Patch: SUSE-2019-800
Released: Fri Mar 29 07:08:00 2019
Summary: Recommended update for libtirpc
Severity: moderate
References: 1126096
Description:
This update for libtirpc fixes the following issues:

- Fixed yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).



-----------------------------------------
Patch: SUSE-2019-801
Released: Fri Mar 29 07:09:04 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1020413,1065600,1070767,1075697,1082943,1087092,1090435,1102959,1103429,1106929,1109137,1109248,1119019,1119843,1120691,1120902,1121713,1121805,1124235,1125315,1125446,1126389,1126772,1126773,1126805,1127082,1127155,1127561,1127725,1127731,1127961,1128166,1128452,1128565,1128696,1128756,1128893,1129080,1129179,1129237,1129238,1129239,1129240,1129241,1129413,1129414,1129415,1129416,1129417,1129418,1129419,1129581,1129770,1129923,CVE-2019-2024,CVE-2019-9213
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.176 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).
- CVE-2019-2024: A use-after-free when disconnecting a source was fixed which could lead to crashes. bnc#1129179).

The following non-security bugs were fixed:

- ax25: fix possible use-after-free (bnc#1012382).
- block_dev: fix crash on chained bios with O_DIRECT (bsc#1090435).
- block: do not use bio->bi_vcnt to figure out segment number (bsc#1128893).
- bnxt_re: Fix couple of memory leaks that could lead to IOMMU call traces (bsc#1020413).
- bpf: fix replace_map_fd_with_map_ptr's ldimm64 second imm field (bsc#1012382).
- btrfs: ensure that a DUP or RAID1 block group has exactly two stripes (bsc#1128452).
- ceph: avoid repeatedly adding inode to mdsc->snap_flush_list (bsc#1126773).
- ch: add missing mutex_lock()/mutex_unlock() in ch_release() (bsc#1124235).
- ch: fixup refcounting imbalance for SCSI devices (bsc#1124235).
- copy_mount_string: Limit string length to PATH_MAX (bsc#1082943).
- device property: Fix the length used in PROPERTY_ENTRY_STRING() (bsc#1129770).
- drivers: hv: vmbus: Check for ring when getting debug info (bsc#1126389).
- drm: Fix error handling in drm_legacy_addctx (bsc#1106929)
- drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON (bsc#1106929)
- drm/nouveau/pmu: do not print reply values if exec is false (bsc#1106929)
- drm/radeon/evergreen_cs: fix missing break in switch statement (bsc#1106929)
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1103429)
- enic: add wq clean up budget (bsc#1075697, bsc#1120691. bsc#1102959).
- enic: do not overwrite error code (bnc#1012382).
- fbdev: chipsfb: remove set but not used variable 'size' (bsc#1106929)
- ibmvnic: Report actual backing device speed and duplex values (bsc#1129923).
- ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- input: mms114 - fix license module information (bsc#1087092).
- iommu/dmar: Fix buffer overflow during PCI bus notification (bsc#1129237).
- iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables (bsc#1129238).
- iommu/vt-d: Check identity map for hot-added devices (bsc#1129239).
- iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm() (bsc#1129240).
- ixgbe: fix crash in build_skb Rx code path (git-fixes).
- kabi: protect struct inet_peer (kabi).
- kallsyms: Handle too long symbols in kallsyms.c (bsc#1126805).
- KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).
- kvm: arm/arm64: vgic-its: Check CBASER/BASER validity before enabling the ITS (bsc#1109248).
- kvm: arm/arm64: vgic-its: Check GITS_BASER Valid bit before saving tables (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix return value for device table restore (bsc#1109248).
- kvm: arm/arm64: vgic-its: Fix vgic_its_restore_collection_table returned value (bsc#1109248).
- kvm: nVMX: Do not halt vcpu when L1 is injecting events to L2 (bsc#1129413).
- kvm: nVMX: Free the VMREAD/VMWRITE bitmaps if alloc_kvm_area() fails (bsc#1129414).
- kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT (bsc#1129415).
- kvm: nVMX: Set VM instruction error for VMPTRLD of unbacked page (bsc#1129416).
- kvm: VMX: Do not allow reexecute_instruction() when skipping MMIO instr (bsc#1129417).
- kvm: vmx: Set IA32_TSC_AUX for legacy mode guests (bsc#1129418).
- kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs (bsc#1127082).
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported (bsc#1129419).
- libceph: handle an empty authorize reply (bsc#1126772).
- mdio_bus: Fix use-after-free on device_register fails (git-fixes).
- mfd: as3722: Handle interrupts on suspend (bnc#1012382).
- mfd: as3722: Mark PM functions as __maybe_unused (bnc#1012382).
- mISDN: fix a race in dev_expire_timer() (bnc#1012382).
- mlxsw: pci: Correctly determine if descriptor queue is full (git-fixes).
- mlxsw: reg: Use correct offset in field definiton (git-fixes).
- mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL (bnc#1012382).
- mm,memory_hotplug: fix scan_movable_pages() for gigantic hugepages (bsc#1127731).
- net: Add header for usage of fls64() (bnc#1012382).
- net: Do not allocate page fragments that are not skb aligned (bnc#1012382).
- net: dsa: bcm_sf2: Do not assume DSA master supports WoL (git-fixes).
- net: dsa: mv88e6xxx: fix port VLAN maps (git-fixes).
- net: Fix for_each_netdev_feature on Big endian (bnc#1012382).
- net: fix IPv6 prefix route residue (bnc#1012382).
- net/hamradio/6pack: Convert timers to use timer_setup() (git-fixes).
- net/hamradio/6pack: use mod_timer() to rearm timers (git-fixes).
- net: ipv4: use a dedicated counter for icmp_v4 redirect packets (bnc#1012382).
- net: lan78xx: Fix race in tx pending skb size calculation (git-fixes).
- net/mlx4_core: drop useless LIST_HEAD (git-fixes).
- net/mlx4_core: Fix qp mtt size calculation (git-fixes).
- net/mlx4_core: Fix reset flow when in command polling mode (git-fixes).
- net/mlx4: Fix endianness issue in qp context params (git-fixes).
- net/mlx5: Continue driver initialization despite debugfs failure (git-fixes).
- net/mlx5e: Fix TCP checksum in LRO buffers (git-fixes).
- net/mlx5: Fix driver load bad flow when having fw initializing timeout (git-fixes).
- net/mlx5: fix uaccess beyond 'count' in debugfs read/write handlers (git-fixes).
- net/mlx5: Fix use-after-free in self-healing flow (git-fixes).
- net/mlx5: Return success for PAGE_FAULT_RESUME in internal error state (git-fixes).
- net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets (git-fixes).
- net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS (git-fixes).
- net: phy: bcm7xxx: Fix shadow mode 2 disabling (git-fixes).
- net: qca_spi: Fix race condition in spi transfers (git-fixes).
- net: stmmac: Fix a race in EEE enable callback (bnc#1012382).
- net: stmmac: Fix a race in EEE enable callback (git-fixes).
- net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue (git-fixes).
- net/x25: do not hold the cpu too long in x25_new_lci() (bnc#1012382).
- PCI/PME: Fix hotplug/sysfs remove deadlock in pcie_pme_remove() (bsc#1129241).
- perf/x86: Add sysfs entry to freeze counters on SMI (bsc#1121805).
- perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu() (bsc#1121805).
- perf/x86/intel: Do not enable freeze-on-smi for PerfMon V1 (bsc#1121805).
- perf/x86/intel: Fix memory corruption (bsc#1121805).
- perf/x86/intel: Generalize dynamic constraint creation (bsc#1121805).
- perf/x86/intel: Implement support for TSX Force Abort (bsc#1121805).
- perf/x86/intel: Make cpuc allocations consistent (bsc#1121805).
- phy: micrel: Ensure interrupts are reenabled on resume (git-fixes).
- powerpc/pseries: Add CPU dlpar remove functionality (bsc#1128756).
- powerpc/pseries: Consolidate CPU hotplug code to hotplug-cpu.c (bsc#1128756).
- powerpc/pseries: Factor out common cpu hotplug code (bsc#1128756).
- powerpc/pseries: Perform full re-add of CPU for topology update post-migration (bsc#1128756).
- pppoe: fix reception of frames with no mac header (git-fixes).
- pptp: dst_release sk_dst_cache in pptp_sock_destruct (git-fixes).
- pseries/energy: Use OF accessor function to read ibm,drc-indexes (bsc#1129080).
- rdma/bnxt_re: Synchronize destroy_qp with poll_cq (bsc#1125446).
- Revert 'mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL' (bnc#1012382).
- Revert 'x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls' (bsc#1128565).
- s390/qeth: cancel close_dev work before removing a card (LTC#175898, bsc#1127561).
- scsi: aacraid: Fix missing break in switch statement (bsc#1128696).
- scsi: ibmvscsi: Fix empty event pool access during host removal (bsc#1119019).
- scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid (bsc#1127725).
- scsi: qla2xxx: Fix early srb free on abort (bsc#1121713).
- scsi: qla2xxx: Fix for double free of SRB structure (bsc#1121713).
- scsi: qla2xxx: Increase abort timeout value (bsc#1121713).
- scsi: qla2xxx: Move {get|rel}_sp to base_qpair struct (bsc#1121713).
- scsi: qla2xxx: Return switch command on a timeout (bsc#1121713).
- scsi: qla2xxx: Turn off IOCB timeout timer on IOCB completion (bsc#1121713).
- scsi: qla2xxx: Use correct qpair for ABTS/CMD (bsc#1121713).
- scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() (bsc#1125315).
- sky2: Increase D3 delay again (bnc#1012382).
- tcp: clear icsk_backoff in tcp_write_queue_purge() (bnc#1012382).
- tcp: tcp_v4_err() should be more careful (bnc#1012382).
- team: avoid complex list operations in team_nl_cmd_options_set() (bnc#1012382).
- team: Free BPF filter when unregistering netdev (git-fixes).
- tracing: Do not free iter->trace in fail path of tracing_open_pipe() (bsc#1129581).
- vsock: cope with memory allocation failure at socket creation time (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling netif_rx() (bnc#1012382).
- wireless: airo: potential buffer overflow in sprintf() (bsc#1120902).
- x86: Add TSX Force Abort CPUID/MSR (bsc#1121805).
- x86: Fix incorrect value for X86_FEATURE_TSX_FORCE_ABORT
- x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32 (bnc#1012382).
- xen, cpu_hotplug: Prevent an out of bounds access (bsc#1065600).
- xen: remove pre-xen3 fallback handlers (bsc#1065600).
- xfs: remove filestream item xfs_inode reference (bsc#1127961).


-----------------------------------------
Patch: SUSE-2019-803
Released: Fri Mar 29 13:14:21 2019
Summary: Security update for openssl
Severity: moderate
References: 1100078,1113975,1117951,1127080,CVE-2019-1559
Description:
This update for openssl fixes the following issues:

Security issues fixed: 

- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances
  a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

Other issues addressed: 

- Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).


-----------------------------------------
Patch: SUSE-2019-822
Released: Fri Mar 29 20:12:56 2019
Summary: Recommended update for yast2-iscsi-lio-server
Severity: moderate
References: 1123381
Description:

This update for yast2-iscsi-lio-server fixes the following issues:

- iscsi server enables discovery authentication unexpectedly (bsc#1123381)


-----------------------------------------
Patch: SUSE-2019-838
Released: Tue Apr  2 09:52:06 2019
Summary: Security update for bash
Severity: important
References: 1130324,CVE-2019-9924
Description:
This update for bash fixes the following issues:
	  
Security issue fixed: 

- CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS 
  allowing the user to execute any command with the permissions of the shell (bsc#1130324).


-----------------------------------------
Patch: SUSE-2019-839
Released: Tue Apr  2 13:13:21 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
  allowed remote attackers to cause a denial of service (application crash) via
  a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)


-----------------------------------------
Patch: SUSE-2019-859
Released: Wed Apr  3 15:50:53 2019
Summary: Recommended update for dracut
Severity: moderate
References: 1127891
Description:
This update for dracut fixes the following issues:

- Check SUSE kernel module dependencies recursively (bsc#1127891)
- Avoid 'Failed to chown ... Operation not permitted' when run from non-root,
  by not copying xattrs. (osc#1092178)
- Handle non-versioned dependency in purge-kernels.


-----------------------------------------
Patch: SUSE-2019-878
Released: Thu Apr  4 16:59:25 2019
Summary: Security update for apache2
Severity: important
References: 1131233,1131237,1131239,1131241,1131245,CVE-2019-0196,CVE-2019-0197,CVE-2019-0211,CVE-2019-0217,CVE-2019-0220
Description:
This update for apache2 fixes the following issues:

* CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for
  URL normalization throughout all of its components. In particular,
  consecutive slashes were not always collapsed. Attackers could potentially
  abuse these inconsistencies to by-pass access control mechanisms and thus
  gain unauthorized access to protected parts of the service. [bsc#1131241]

* CVE-2019-0217: A race condition in Apache's 'mod_auth_digest' when running in
  a threaded server could have allowed users with valid credentials to
  authenticate using another username, bypassing configured access control
  restrictions. [bsc#1131239]

* CVE-2019-0211: A flaw in the Apache HTTP Server allowed less-privileged child
  processes or threads to execute arbitrary code with the privileges of the
  parent process. Attackers with control over CGI scripts or extension modules
  run by the server could have abused this issue to potentially gain super user
  privileges. [bsc#1131233]

* CVE-2019-0197: When HTTP/2 support was enabled in the Apache server for a
  'http' host or H2Upgrade was enabled for h2 on a 'https' host, an Upgrade
  request from http/1.1 to http/2 that was not the first request on a
  connection could lead to a misconfiguration and crash. This issue could have
  been abused to mount a denial-of-service attack. Servers that never enabled
  the h2 protocol or that only enabled it for https: and did not configure the
  'H2Upgrade on' are unaffected. [bsc#1131245]

* CVE-2019-0196: Through specially crafted network input the Apache's http/2
  request handler could be lead to access previously freed memory while
  determining the method of a request. This resulted in the request being
  misclassified and thus being processed incorrectly. [bsc#1131237]



-----------------------------------------
Patch: SUSE-2019-893
Released: Fri Apr  5 16:28:16 2019
Summary: Recommended update for python-keyring, python-SecretStorage
Severity: low
References: 1125941
Description:

This update ships the missing python keyring and SecretStorage modules for SUSE Linux Enterprise 12 SP1 and SP2 LTSS.
  

-----------------------------------------
Patch: SUSE-2019-899
Released: Mon Apr  8 11:09:45 2019
Summary: Security update for SDL
Severity: moderate
References: 1124799,1124800,1124802,1124803,1124805,1124806,1124824,1124825,1124826,1124827,1125099,CVE-2019-7572,CVE-2019-7573,CVE-2019-7574,CVE-2019-7575,CVE-2019-7576,CVE-2019-7577,CVE-2019-7578,CVE-2019-7635,CVE-2019-7636,CVE-2019-7637,CVE-2019-7638
Description:
This update for SDL fixes the following issues:
	  
Security issues fixed:	  

- CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806).
- CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099).
- CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799).
- CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805).
- CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827).
- CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826).
- CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824).
- CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803).
- CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802).
- CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825).
- CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800). 


-----------------------------------------
Patch: SUSE-2019-907
Released: Tue Apr  9 00:37:23 2019
Summary: Recommended update for autoyast2
Severity: moderate
References: 1057597,1123091
Description:
This update for autoyast2 provide the following fixes:

- Do not try to resize LVM partitions within a RAID system. (bsc#1057597)
- Fix conflicting items in rule dialogs. (bsc#1123091)


-----------------------------------------
Patch: SUSE-2019-910
Released: Tue Apr  9 08:06:27 2019
Summary: Recommended update for python
Severity: low
References: 1129287
Description:

This update ships missing python-devel packages for the LTSS product lines.
  

-----------------------------------------
Patch: SUSE-2019-913
Released: Tue Apr  9 11:19:07 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1119687,1131576,CVE-2018-20346,CVE-2018-20506
Description:
This update for sqlite3 fixes the following issues:

Security issues fixed: 

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).    


-----------------------------------------
Patch: SUSE-2019-931
Released: Thu Apr 11 11:11:13 2019
Summary: Security update for openldap2
Severity: important
References: 1031702,1037396,1041764,1065083,1073313,CVE-2017-17740,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764).
- CVE-2017-17740: Fixed a denial of service (slapd crash) via a member MODDN operation that could have been triggered when both the nops module and the memberof overlay are enabled (bsc#1073313).

Non-security issues fixed:

- Fix a regression in handling of non-blocking connections (bsc#1031702)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix libldap leaks socket descriptors issue (bsc#1065083)


-----------------------------------------
Patch: SUSE-2019-945
Released: Fri Apr 12 19:23:42 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1113702,1122569
Description:
This update for grub2 fixes the following issues:

- Fixed a regression of crashing lvm on multipath SAN (bsc#1113702)
- Add exception handling to FCP lun enumeration (bsc#1113702)
- Fix LOADER_TYPE parsing in grub2-once (bsc#1122569)


-----------------------------------------
Patch: SUSE-2019-956
Released: Tue Apr 16 13:07:38 2019
Summary: Security update for wget
Severity: important
References: 1131493,CVE-2019-5953
Description:
This update for wget fixes the following issues:

Security issue fixed:

- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).


-----------------------------------------
Patch: SUSE-2019-961
Released: Tue Apr 16 17:12:57 2019
Summary: Security update for python3
Severity: important
References: 1129346,CVE-2019-9636
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).


-----------------------------------------
Patch: SUSE-2019-968
Released: Wed Apr 17 13:17:41 2019
Summary: Recommended update for crash
Severity: moderate
References: 1073993,1120145
Description:
This update for crash fixes the following issues:

- Fix Xen directmapping up to 5 TB. (bsc#1073993)
- Fix Xen schedulers symbol lookup for version 4.7 and later. (bsc#1073993)
- Fix crash.ko memory driver to be able to execute a live dump on a s390X kernel. (bsc#1120145)


-----------------------------------------
Patch: SUSE-2019-979
Released: Thu Apr 18 08:23:19 2019
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1069384
Description:
This update for sg3_utils fixes the following issues:

- rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)


-----------------------------------------
Patch: SUSE-2019-982
Released: Thu Apr 18 14:28:53 2019
Summary: Recommended update for python-enum34
Severity: moderate
References: 1115816
Description:

This update for python-enum34 fixes the following issues:

- Provide python2-enum34 to support singlespec transparently (bsc#1115816)


-----------------------------------------
Patch: SUSE-2019-996
Released: Tue Apr 23 18:42:35 2019
Summary: Security update for curl
Severity: important
References: 1112758,1131886,CVE-2018-16839
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).


-----------------------------------------
Patch: SUSE-2019-1037
Released: Thu Apr 25 14:54:54 2019
Summary: Security update for samba
Severity: moderate
References: 1099590,1123755,1124223,1127153,1131060,CVE-2019-3880
Description:
This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

Non-security issues fixed:

- Fix vfs_ceph ftruncate and fallocate handling (bsc#1127153).
- Abide by load_printers smb.conf parameter (bsc#1124223).
- s3:winbindd: let normalize_name_map() call find_domain_from_name_noinit() (bsc#1123755).
- s3:passdb: Do not return OK if we don't have pinfo set up (bsc#1099590).
- s3:winbind: Fix regression (bsc#1123755).


-----------------------------------------
Patch: SUSE-2019-1048
Released: Fri Apr 26 11:46:41 2019
Summary: Recommended update for docker-runc
Severity: important
References: 1131314,1131553
Description:
This update for docker-runc fixes the following issues:

- Backport various upstream patches to fix some kernel regression related to
  O_TMPFILE. bsc#1131314 bsc#1131553



-----------------------------------------
Patch: SUSE-2019-1060
Released: Sat Apr 27 09:45:38 2019
Summary: Security update for libssh2_org
Severity: important
References: 1130103,1133528,CVE-2019-3859
Description:
This update for libssh2_org fixes the following issues:

 - Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]



-----------------------------------------
Patch: SUSE-2019-1104
Released: Tue Apr 30 12:09:07 2019
Summary: Recommended update for gcc48
Severity: moderate
References: 1131264,SLE-6738
Description:
This update for gcc48 fixes the following issues:

- Disable switch jump tables when retpolines are enabled to increase performance of code using retpolines (bsc#1131264, jsc#SLE-6738)



-----------------------------------------
Patch: SUSE-2019-1111
Released: Tue Apr 30 12:59:27 2019
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1096209,1098155,1128712,CVE-2018-1152,CVE-2018-11813,CVE-2018-14498
Description:
This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function
  which could allow to an attacker to cause denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
  which allowed remote attackers to cause a denial-of-service via crafted JPG
  files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused
  by a divide by zero when processing a crafted BMP image (bsc#1098155)


-----------------------------------------
Patch: SUSE-2019-1122
Released: Tue Apr 30 18:03:55 2019
Summary: Security update for hostinfo, supportutils
Severity: important
References: 1054979,1099498,1115245,1117751,1117776,1118460,1118462,1118463,1125623,1125666,CVE-2018-19636,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Description:
This update for hostinfo, supportutils fixes the following issues:
	  
Security issues fixed for supportutils:

- CVE-2018-19640: Fixed an issue where  users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
- CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).

Other issues fixed for supportutils:

- Fixed invalid exit code commands (bsc#1125666)
- SUSE separation in supportconfig (bsc#1125623)
- Clarified supportconfig(8) -x option (bsc#1115245)
- supportconfig: 3.0.127
- btrfs filesystem usage
- List products.d
- Dump lsof errors
- Added ha commands for corosync
- Dumped find errors in ib_info

Issues fixed in hostinfo:
- Removed extra kernel install dates (bsc#1099498)
- Resolved network bond issue (bsc#1054979)


-----------------------------------------
Patch: SUSE-2019-1125
Released: Tue Apr 30 18:50:59 2019
Summary: Recommended update for glibc
Severity: important
References: 1100396,1103244
Description:
This update for glibc fixes the following issues:

- Add support for the new Japanese time era name that comes into
  effect on 2019-05-01. [bsc#1100396, bsc#1103244]


-----------------------------------------
Patch: SUSE-2019-1131
Released: Thu May  2 15:39:59 2019
Summary: Recommended update for libidn
Severity: moderate
References: 1092034
Description:
This update for libidn fixes the following issues:

- Obsoletes now the libidn 32bit package (bsc#1092034)


-----------------------------------------
Patch: SUSE-2019-1133
Released: Thu May  2 17:57:10 2019
Summary: Recommended update for quota
Severity: moderate
References: 1055450,1069468,1104898,1131513,SLE-5734
Description:
This update for quota fixes the following issues:

Quota was updated to the 4.05 release (jsc#SLE-5734).

* This release includes mostly various smaller cleanups and fixes in various areas.
* Most visible changes are addition of f2fs and exfs among recognized filesystems.
* support for new kernel interface that allows for repquota(8) to work
  reliably also for XFS or ext4 with quota feature and generally other
  filesystem where quota files are not available to quota-tools
* IPv6 support for rpc.quotad and all other tools.
* Tons of various fixes

Other changes:

- Remove quot binary functionality could be achieved by using
  repquota instead
- Fixed high cpu load issue (bsc#1104898)
- Replace references to /var/adm/fillup-templates with new 
  %_fillupdir macro (bsc#1069468)
- Enable ldapmail feature (bsc#1055450)


-----------------------------------------
Patch: SUSE-2019-1136
Released: Fri May  3 10:27:57 2019
Summary: Security update for openssl
Severity: moderate
References: 1131291
Description:
This update for openssl fixes the following issues:

- Reject invalid EC point coordinates (bsc#1131291)

  This helps openssl using services that do not do this verification on their own.


-----------------------------------------
Patch: SUSE-2019-1158
Released: Mon May  6 13:47:06 2019
Summary: Recommended update for procinfo
Severity: moderate
References: 1131008,900125
Description:
This update for procinfo fixes the following issues:

- Fix a segfault during 'procinfo -a' by increasing the number of
  available devices. (bsc#900125, bsc#1131008)


-----------------------------------------
Patch: SUSE-2019-1166
Released: Tue May  7 11:01:39 2019
Summary: Security update for audit
Severity: moderate
References: 1042781,1085003,1125535,941922,CVE-2015-5186
Description:

This update for audit fixes the following issues:

Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring
new features and bugfixes.  (bsc#1125535 FATE#326346)

* Many features were added to auparse_normalize
* cli option added to auditd and audispd for setting config dir
* In auditd, restore the umask after creating a log file
* Option added to auditd for skipping email verification

The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog


- Change openldap dependency to client only (bsc#1085003)

Minor security issue fixed:

- CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)



-----------------------------------------
Patch: SUSE-2019-1174
Released: Tue May  7 15:34:16 2019
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1128969,959561
Description:
This update for SUSEConnect fixes the following issues:

- Does no longer try to remove a service during migration, if a zypper service plugin
  already exists (bsc#1128969)
- Shows non-enabled extensions with a remark about availability
- Adds output information about registration and unregistration progress
- Output proper message when SUSEConnect is called without parameters (bsc#959561)
- Default to https URI when no protocol prefix is provided for --url
- Support transactional-update systems (fate#326482)


-----------------------------------------
Patch: SUSE-2019-1202
Released: Fri May 10 10:29:32 2019
Summary: Recommended update for yast2-network
Severity: moderate
References: 709176
Description:
This update for yast2-network fixes the following issues:

- Update to 3.2.56
  * keep original hostnames untouched in /etc/hosts when only IP
    changed (bsc#709176)



-----------------------------------------
Patch: SUSE-2019-1208
Released: Fri May 10 14:03:54 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1085790,1132045,CVE-2017-10989,CVE-2018-8740
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted databases schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).


-----------------------------------------
Patch: SUSE-2019-1232
Released: Tue May 14 17:07:56 2019
Summary: Security update for libxslt
Severity: moderate
References: 1132160,CVE-2019-11068
Description:
This update for libxslt fixes the following issues:

- CVE-2019-11068: Fixed a protection mechanism bypass where callers of 
  xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
  error (bsc#1132160).


-----------------------------------------
Patch: SUSE-2019-1245
Released: Tue May 14 19:08:11 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1012382,1020645,1020989,1031492,1047487,1051510,1053043,1062056,1063638,1066223,1070872,1085539,1087092,1094244,1096480,1096728,1097104,1100132,1105348,1106110,1106913,1106929,1111331,1112178,1113399,1114542,1114638,1114648,1114893,1118338,1118506,1119086,1120902,1122822,1125580,1126356,1127445,1129278,1129326,1129770,1130130,1130343,1130344,1130345,1130346,1130347,1130356,1130425,1130567,1130737,1131107,1131416,1131427,1131587,1131659,1131857,1131900,1131934,1131935,1131980,1132227,1132534,1132589,1132618,1132619,1132634,1132635,1132636,1132637,1132638,1132727,1132828,1133308,1133584,994770,CVE-2018-1000204,CVE-2018-10853,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-15594,CVE-2018-5814,CVE-2019-11091,CVE-2019-3882,CVE-2019-9503
Description:


The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.178 to receive various security and bugfixes.

Four new speculative execution issues have been identified in Intel CPUs. (bsc#1111331)

- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations, utilizing CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security issues fixed:

- CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480).
- CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728)
- CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).
- CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).
- CVE-2019-9503: A brcmfmac frame validation bypass was fixed (bnc#1132828).
- CVE-2019-3882: A flaw was fixed in the vfio interface implementation that permitted violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable (bnc#1131416 bnc#1131427).

The following non-security bugs were fixed:

- 9p/net: fix memory leak in p9_client_create (bnc#1012382).
- 9p: use inode->i_lock to protect i_size_write() under 32-bit (bnc#1012382).
- acpi: acpi_pad: Do not launch acpi_pad threads on idle cpus (bsc#1113399).
- acpi / bus: Only call dmi_check_system() on X86 (git-fixes).
- acpi / button: make module loadable when booted in non-ACPI mode (bsc#1051510).
- acpi / device_sysfs: Avoid OF modalias creation for removed device (bnc#1012382).
- acpi: include ACPI button driver in base kernel (bsc#1062056).
- Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) (bnc#1012382).
- alsa: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 (bnc#1012382).
- alsa: compress: add support for 32bit calls in a 64bit kernel (bnc#1012382).
- alsa: compress: prevent potential divide by zero bugs (bnc#1012382).
- alsa: hda - Enforces runtime_resume after S3 and S4 for each codec (bnc#1012382).
- alsa: hda - Record the current power state before suspend/resume calls (bnc#1012382).
- alsa: pcm: Do not suspend stream in unrecoverable PCM state (bnc#1012382).
- alsa: pcm: Fix possible OOB access in PCM oss plugins (bnc#1012382).
- alsa: rawmidi: Fix potential Spectre v1 vulnerability (bnc#1012382).
- alsa: seq: oss: Fix Spectre v1 vulnerability (bnc#1012382).
- applicom: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- arc: fix __ffs return value to avoid build warnings (bnc#1012382).
- arc: uacces: remove lp_start, lp_end from clobber list (bnc#1012382).
- arcv2: Enable unaligned access in early ASM code (bnc#1012382).
- arm64: fix COMPAT_SHMLBA definition for large pages (bnc#1012382).
- arm64: Fix NUMA build error when !CONFIG_ACPI (fate#319981,  git-fixes).
- arm64: Fix NUMA build error when !CONFIG_ACPI (git-fixes).
- arm64: hide __efistub_ aliases from kallsyms (bnc#1012382).
- arm64: kconfig: drop CONFIG_RTC_LIB dependency (bnc#1012382).
- arm64/kernel: fix incorrect EL0 check in inv_entry macro (bnc#1012382).
- arm64: mm: Add trace_irqflags annotations to do_debug_exception() (bnc#1012382).
- arm64: Relax GIC version check during early boot (bnc#1012382).
- arm64: support keyctl() system call in 32-bit mode (bnc#1012382).
- arm64: traps: disable irq in die() (bnc#1012382).
- arm: 8458/1: bL_switcher: add GIC dependency (bnc#1012382).
- arm: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE processor (bnc#1012382).
- arm: 8510/1: rework ARM_CPU_SUSPEND dependencies (bnc#1012382).
- arm: 8824/1: fix a migrating irq bug when hotplug cpu (bnc#1012382).
- arm: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU (bnc#1012382).
- arm: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 (bnc#1012382).
- arm: imx6q: cpuidle: fix bug that CPU might not wake up at expected time (bnc#1012382).
- arm: OMAP2+: Variable 'reg' in function omap4_dsi_mux_pads() could be uninitialized (bnc#1012382).
- arm: pxa: ssp: unneeded to free devm_ allocated data (bnc#1012382).
- arm: s3c24xx: Fix boolean expressions in osiris_dvs_notify (bnc#1012382).
- ASoC: dapm: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: fsl_esai: fix register setting issue in RIGHT_J mode (bnc#1012382).
- ASoC: imx-audmux: change snprintf to scnprintf for possible overflow (bnc#1012382).
- ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field (bnc#1012382).
- ASoC: topology: free created components in tplg load error (bnc#1012382).
- assoc_array: Fix shortcut creation (bnc#1012382).
- ath10k: avoid possible string overflow (bnc#1012382).
- ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action() (bsc#1087092).
- atm: he: fix sign-extension overflow on large shift (bnc#1012382).
- autofs: drop dentry reference only when it is never used (bnc#1012382).
- autofs: fix error return in autofs_fill_super() (bnc#1012382).
- batman-adv: Avoid endless loop in bat-on-bat netdevice check (git-fixes).
- batman-adv: Fix lockdep annotation of batadv_tlv_container_remove (git-fixes).
- batman-adv: fix uninit-value in batadv_interface_tx() (bnc#1012382).
- batman-adv: Only put gw_node list reference when removed (git-fixes).
- batman-adv: Only put orig_node_vlan list reference when removed (git-fixes).
- bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt (bnc#1012382).
- bnxt_en: Drop oversize TX packets to prevent errors (bnc#1012382).
- btrfs: Avoid possible qgroup_rsv_size overflow in btrfs_calculate_inode_block_rsv_size (git-fixes).
- btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (pending fix for bsc#1063638).
- btrfs: fix corruption reading shared and compressed extents after hole punching (bnc#1012382).
- btrfs: qgroup: Cleanup old subtree swap code (bsc#1063638).
- btrfs: qgroup: Do not trace subtree if we're dropping reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to find all new tree blocks of reloc tree (bsc#1063638).
- btrfs: qgroup: Introduce function to trace two swaped extents (bsc#1063638).
- btrfs: qgroup: Introduce per-root swapped blocks infrastructure (bsc#1063638).
- btrfs: qgroup: Introduce trace event to analyse the number of dirty extents accounted (bsc#1063638 dependency).
- btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group (bsc#1063638).
- btrfs: qgroup: Refactor btrfs_qgroup_trace_subtree_swap (bsc#1063638).
- btrfs: qgroup: Search commit root for rescan to avoid missing extent (bsc#1129326).
- btrfs: qgroup: Use delayed subtree rescan for balance (bsc#1063638).
- btrfs: qgroup: Use generation-aware subtree swap to mark dirty extents (bsc#1063638).
- btrfs: raid56: properly unmap parity page in finish_parity_scrub() (bnc#1012382).
- btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots (bsc#1063638).
- btrfs: remove WARN_ON in log_dir_items (bnc#1012382).
- cdc-wdm: pass return value of recover_from_urb_loss (bsc#1129770).
- cfg80211: extend range deviation for DMG (bnc#1012382).
- cfg80211: size various nl80211 messages correctly (bnc#1012382).
- cifs: fix computation for MAX_SMB2_HDR_SIZE (bnc#1012382).
- cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).
- cifs: Fix read after write for files with read caching (bnc#1012382).
- clk: ingenic: Fix round_rate misbehaving with non-integer dividers (bnc#1012382).
- clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown (bnc#1012382).
- clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR (bnc#1012382).
- cls_bpf: reset class and reuse major in da (git-fixes).
- coresight: coresight_unregister() function cleanup (bnc#1012382).
- coresight: 'DEVICE_ATTR_RO' should defined as static (bnc#1012382).
- coresight: etm4x: Check every parameter used by dma_xx_coherent (bnc#1012382).
- coresight: fixing lockdep error (bnc#1012382).
- coresight: release reference taken by 'bus_find_device()' (bnc#1012382).
- coresight: remove csdev's link from topology (bnc#1012382).
- coresight: removing bind/unbind options from sysfs (bnc#1012382).
- cpufreq: pxa2xx: remove incorrect __init annotation (bnc#1012382).
- cpufreq: tegra124: add missing of_node_put() (bnc#1012382).
- cpufreq: Use struct kobj_attribute instead of struct global_attr (bnc#1012382).
- cpu/hotplug: Handle unbalanced hotplug enable/disable (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
- crypto: ahash - fix another early termination in hash walk (bnc#1012382).
- crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling (bnc#1012382).
- crypto: caam - fixed handling of sg list (bnc#1012382).
- crypto: pcbc - remove bogus memcpy()s with src == dest (bnc#1012382).
- crypto: qat - remove unused and redundant pointer vf_info (bsc#1085539).
- crypto: tgr192 - fix unaligned memory access (bsc#1129770).
- cw1200: fix missing unlock on error in cw1200_hw_scan() (bsc#1129770).
- dccp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc (bnc#1012382).
- dmaengine: at_xdmac: Fix wrongfull report of a channel as in use (bnc#1012382).
- dmaengine: dmatest: Abort test in case of mapping error (bnc#1012382).
- dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit (bnc#1012382).
- dm: disable DISCARD if the underlying storage no longer supports it (bsc#1114638).
- dm: fix to_sector() for 32bit (bnc#1012382).
- drivers: hv: vmbus: Fix bugs in rescind handling (bsc#1130567).
- drivers: hv: vmbus: Fix ring buffer signaling (bsc#1118506).
- drivers: hv: vmbus: Fix the offer_in_progress in vmbus_process_offer() (bsc#1130567).
- drivers: hv: vmbus: Offload the handling of channels to two workqueues (bsc#1130567).
- drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind() (bsc#1130567).
- drm/msm: Unblock writer if reader closes file (bnc#1012382).
- drm/vmwgfx: Do not double-free the mode stored in par->set_mode (bsc#1106929)
- efi: stub: define DISABLE_BRANCH_PROFILING for all architectures (bnc#1012382).
- ext2: Fix underflow in ext2_max_size() (bnc#1012382).
- ext4: Avoid panic during forced reboot (bsc#1126356).
- ext4: brelse all indirect buffer in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix data corruption caused by unaligned direct AIO (bnc#1012382).
- ext4: fix NULL pointer dereference while journal is aborted (bnc#1012382).
- extcon: usb-gpio: Do not miss event during suspend/resume (bnc#1012382).
- firmware: dmi: Optimize dmi_matches (git-fixes).
- floppy: check_events callback should not return a negative number (git-fixes).
- flow_dissector: Check for IP fragmentation even if not using IPv4 address (git-fixes).
- fs/9p: use fscache mutex rather than spinlock (bnc#1012382).
- fs/nfs: Fix nfs_parse_devname to not modify it's argument (git-fixes).
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (bnc#1012382).
- fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS (git-fixes).
- fuse: fix possibly missed wake-up after abort (git-fixes).
- futex: Ensure that futex address is aligned in handle_futex_death() (bnc#1012382).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (git-fixes).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() (bnc#1012382).
- gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input (bnc#1012382).
- gpio: vf610: Mask all GPIO interrupts (bnc#1012382).
- gro_cells: make sure device is up in gro_cells_receive() (bnc#1012382).
- hid-sensor-hub.c: fix wrong do_div() usage (bnc#1012382).
- hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable (bsc#1129770).
- hugetlbfs: fix races and page leaks during migration (bnc#1012382).
- hv_netvsc: Fix napi reschedule while receive completion is busy (bsc#1118506).
- hv_netvsc: fix race in napi poll when rescheduling (bsc#1118506).
- hv_netvsc: Fix the return status in RX path (bsc#1118506).
- hv_netvsc: use napi_schedule_irqoff (bsc#1118506).
- hv: v4.12 API for hyperv-iommu (bsc#1122822).
- hv: v4.12 API for hyperv-iommu (fate#327171, bsc#1122822).
- i2c: cadence: Fix the hold bit setting (bnc#1012382).
- i2c: tegra: fix maximum transfer size (bnc#1012382).
- ib/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM (bnc#1012382).
- ibmvnic: Enable GRO (bsc#1132227).
- ibmvnic: Fix completion structure initialization (bsc#1131659).
- ibmvnic: Fix netdev feature clobbering during a reset (bsc#1132227).
- input: elan_i2c - add id for touchpad found in Lenovo s21e-20 (bnc#1012382).
- input: matrix_keypad - use flush_delayed_work() (bnc#1012382).
- input: st-keyscan - fix potential zalloc NULL dereference (bnc#1012382).
- input: wacom_serial4 - add support for Wacom ArtPad II tablet (bnc#1012382).
- intel_th: Do not reference unassigned outputs (bnc#1012382).
- intel_th: gth: Fix an off-by-one in output unassigning (git-fixes).
- iommu/amd: Fix NULL dereference bug in match_hid_uid (bsc#1130345).
- iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE (bsc#1130346).
- iommu/amd: Reserve exclusion range in iova-domain (bsc#1130425).
- iommu/amd: Set exclusion range correctly (bsc#1130425).
- iommu: Do not print warning when IOMMU driver only supports unmanaged domains (bsc#1130130).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (fate#327171,  bsc#1122822).
- iommu/vt-d: Check capability before disabling protected memory (bsc#1130347).
- ip6: fix PMTU discovery when using /127 subnets (git-fixes).
- ip6mr: Do not call __IP6_INC_STATS() from preemptible context (bnc#1012382).
- ip_tunnel: fix ip tunnel lookup in collect_md mode (git-fixes).
- ipvlan: disallow userns cap_net_admin to change global mode/flags (bnc#1012382).
- ipvs: Fix signed integer overflow when setsockopt timeout (bnc#1012382).
- irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable (bnc#1012382).
- iscsi_ibft: Fix missing break in switch statement (bnc#1012382).
- isdn: avm: Fix string plus integer warning from Clang (bnc#1012382).
- isdn: i4l: isdn_tty: Fix some concurrency double-free bugs (bnc#1012382).
- isdn: isdn_tty: fix build warning of strncpy (bnc#1012382).
- iwlwifi: dbg: do not crash if the firmware crashes in the middle of a debug dump (bsc#1119086).
- jbd2: clear dirty flag when revoking a buffer from an older transaction (bnc#1012382).
- jbd2: fix compile warning when using JBUFFER_TRACE (bnc#1012382).
- kabi fixup gendisk disk_devt revert (bsc#1020989).
- kbuild: setlocalversion: print error to STDERR (bnc#1012382).
- kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv (bnc#1012382).
- keys: allow reaching the keys quotas exactly (bnc#1012382).
- keys: always initialize keyring_index_key::desc_len (bnc#1012382).
- keys: restrict /proc/keys by credentials at open time (bnc#1012382).
- keys: user: Align the payload buffer (bnc#1012382).
- kvm: Call kvm_arch_memslots_updated() before updating memslots (bsc#1132634).
- kvm: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 (bnc#1012382).
- kvm: nVMX: Apply addr size mask to effective address for VMX instructions (bsc#1132635).
- kvm: nVMX: Ignore limit checks on VMX instructions using flat segments (bnc#1012382).
- kvm: nVMX: Sign extend displacements of VMX instr's mem operands (bnc#1012382).
- kvm: Reject device ioctls from processes other than the VM's creator (bnc#1012382).
- kvm: VMX: Compare only a single byte for VMCS' 'launched' in vCPU-run (bsc#1132636).
- kvm: VMX: Zero out *all* general purpose registers after VM-Exit (bsc#1132637).
- kvm: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts (bsc#1132534).
- kvm: X86: Fix residual mmio emulation request to userspace (bnc#1012382).
- kvm: x86/mmu: Do not cache MMIO accesses while memslots are in flux (bsc#1132638).
- l2tp: fix infoleak in l2tp_ip6_recvmsg() (git-fixes).
- leds: lp5523: fix a missing check of return value of lp55xx_read (bnc#1012382).
- libertas: call into generic suspend code before turning off power (bsc#1106110).
- libertas: fix suspend and resume for SDIO connected cards (bsc#1106110).
- lib/int_sqrt: optimize small argument (bnc#1012382).
- libnvdimm/pmem: Honor force_raw for legacy pmem regions (bsc#1131857).
- locking/lockdep: Add debug_locks check in __lock_downgrade() (bnc#1012382).
- locking/static_keys: Improve uninitialized key warning (bsc#1106913).
- m68k: Add -ffreestanding to CFLAGS (bnc#1012382).
- mac80211: do not initiate TDLS connection if station is not associated to AP (bnc#1012382).
- mac80211: fix miscounting of ttl-dropped frames (bnc#1012382).
- mac80211: fix 'warning: target metric may be used uninitialized' (bnc#1012382).
- mac80211_hwsim: propagate genlmsg_reply return code (bnc#1012382).
- mac8390: Fix mmio access size probe (bnc#1012382).
- md: Fix failed allocation of md_register_thread (bnc#1012382).
- mdio_bus: Fix use-after-free on device_register fails (bnc#1012382 git-fixes).
- md/raid1: do not clear bitmap bits on interrupted recovery (git-fixes).
- media: cx88: Get rid of spurious call to cx8800_start_vbi_dma() (bsc#1100132).
- media: uvcvideo: Avoid NULL pointer dereference at the end of streaming (bnc#1012382).
- media: uvcvideo: Fix 'type' check leading to overflow (bnc#1012382).
- media: uvcvideo: Fix uvc_alloc_entity() allocation alignment (bsc#1119086).
- media: v4l2-ctrls.c/uvc: zero v4l2_event (bnc#1012382).
- media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() (bnc#1012382).
- media: vivid: potential integer overflow in vidioc_g_edid() (bsc#11001132).
- mfd: ab8500-core: Return zero in get_register_interruptible() (bnc#1012382).
- mfd: db8500-prcmu: Fix some section annotations (bnc#1012382).
- mfd: mc13xxx: Fix a missing check of a register-read failure (bnc#1012382).
- mfd: qcom_rpm: write fw_version to CTRL_REG (bnc#1012382).
- mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells (bnc#1012382).
- mfd: twl-core: Fix section annotations on {,un}protect_pm_master (bnc#1012382).
- mfd: wm5110: Add missing ASRC rate register (bnc#1012382).
- mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to 'cascade' irqaction (bnc#1012382).
- mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S (bnc#1012382).
- missing barriers in some of unix_sock ->addr and ->path accesses (bnc#1012382).
- mmc: bcm2835: reset host on timeout (bsc#1070872).
- mmc: block: Allow more than 8 partitions per card (bnc#1012382).
- mmc: core: fix using wrong io voltage if mmc_select_hs200 fails (bnc#1012382).
- mmc: core: shut up 'voltage-ranges unspecified' pr_info() (bnc#1012382).
- mmc: debugfs: Add a restriction to mmc debugfs clock setting (bnc#1012382).
- mmc: make MAN_BKOPS_EN message a debug (bnc#1012382).
- mmc: mmc: fix switch timeout issue caused by jiffies precision (bnc#1012382).
- mmc: pwrseq_simple: Make reset-gpios optional to match doc (bnc#1012382).
- mmc: pxamci: fix enum type confusion (bnc#1012382).
- mmc: sanitize 'bus width' in debug output (bnc#1012382).
- mmc: spi: Fix card detection during probe (bnc#1012382).
- mmc: tmio_mmc_core: do not claim spurious interrupts (bnc#1012382).
- mm/debug.c: fix __dump_page when mapping->host is not set (bsc#1131934).
- mm, memory_hotplug: fix off-by-one in is_pageblock_removable (git-fixes).
- mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone (bnc#1012382).
- mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone (bnc#1012382).
- mm: move is_pageblock_removable_nolock() to mm/memory_hotplug.c (git-fixes prerequisity).
- mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate() (bsc#1131935)
- mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON (bnc#1012382).
- mm/vmalloc: fix size check for remap_vmalloc_range_partial() (bnc#1012382).
- move power_up_on_resume flag to end of structure for kABI (bsc#1106110).
- mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() (bsc#1100132).
- ncpfs: fix build warning of strncpy (bnc#1012382).
- net: add description for len argument of dev_get_phys_port_name (git-fixes).
- net: Add __icmp_send helper (bnc#1012382).
- net: altera_tse: fix connect_local_phy error path (bnc#1012382).
- net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case (bnc#1012382).
- net: avoid use IPCB in cipso_v4_error (bnc#1012382).
- net: diag: support v4mapped sockets in inet_diag_find_one_icsk() (bnc#1012382).
- net: do not decrement kobj reference count on init failure (git-fixes).
- net: dsa: mv88e6xxx: Fix u64 statistics (bnc#1012382).
- net: ena: fix race between link up and device initalization (bsc#1129278).
- net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129278).
- netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry (git-fixes).
- netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options (bnc#1012382).
- netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters (bnc#1012382).
- netfilter: nfnetlink_log: just returns error for unknown command (bnc#1012382).
- netfilter: nfnetlink: use original skbuff when acking batches (git-fixes).
- netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES (bnc#1012382).
- net: hns: Fix use after free identified by SLUB debug (bnc#1012382).
- net: hns: Fix wrong read accesses via Clause 45 MDIO protocol (bnc#1012382).
- net: hsr: fix memory leak in hsr_dev_finalize() (bnc#1012382).
- net/hsr: fix possible crash in add_timer() (bnc#1012382).
- netlabel: fix out-of-bounds memory accesses (bnc#1012382).
- net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames (bnc#1012382).
- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (bnc#1012382).
- net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails (bnc#1012382).
- net/packet: fix 4gb buffer limit due to overflow check (bnc#1012382).
- net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec (bnc#1012382).
- net: phy: Micrel KSZ8061: link failure after cable connect (bnc#1012382).
- net: rose: fix a possible stack overflow (bnc#1012382).
- net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 (bnc#1012382).
- net: set static variable an initial value in atl2_probe() (bnc#1012382).
- net: sit: fix UBSAN Undefined behaviour in check_6rd (bnc#1012382).
- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() (bnc#1012382).
- net-sysfs: call dev_hold if kobject_init_and_add success (git-fixes).
- net-sysfs: Fix mem leak in netdev_register_kobject (bnc#1012382).
- net: systemport: Fix reception of BPDUs (bnc#1012382).
- net: tcp_memcontrol: properly detect ancestor socket pressure (git-fixes).
- net/x25: fix a race in x25_bind() (bnc#1012382).
- net/x25: fix use-after-free in x25_device_event() (bnc#1012382).
- net/x25: reset state in x25_connect() (bnc#1012382).
- nfc: nci: memory leak in nci_core_conn_create() (git-fixes).
- nfs41: pop some layoutget errors to application (bnc#1012382).
- nfsd: fix memory corruption caused by readdir (bsc#1127445).
- nfsd: fix wrong check in write_v4_end_grace() (git-fixes).
- nfs: Do not recoalesce on error in nfs_pageio_complete_mirror() (git-fixes).
- nfs: Fix an I/O request leakage in nfs_do_recoalesce (git-fixes).
- nfs: Fix dentry revalidation on NFSv4 lookup (bsc#1132618).
- nfs: fix mount/umount race in nlmclnt (git-fixes).
- nfs: Fix NULL pointer dereference of dev_name (bnc#1012382).
- nfsv4.x: always serialize open/close operations (bsc#1114893).
- numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES (bnc#1012382).
- packets: Always register packet sk in the same order (bnc#1012382).
- parport_pc: fix find_superio io compare code, should use equal test (bnc#1012382).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus (bsc#1122822).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792  vcpus (fate#327171, bsc#1122822).
- perf auxtrace: Define auxtrace record alignment (bnc#1012382).
- perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks (bnc#1012382).
- perf intel-pt: Fix CYC timestamp calculation after OVF (bnc#1012382).
- perf intel-pt: Fix overlap calculation for padding (bnc#1012382).
- perf intel-pt: Fix TSC slip (bnc#1012382).
- perf/ring_buffer: Refuse to begin AUX transaction after rb->aux_mmap_count drops (bnc#1012382).
- perf symbols: Filter out hidden symbols from labels (bnc#1012382).
- perf: Synchronously free aux pages in case of allocation failure (bnc#1012382).
- perf tools: Handle TOPOLOGY headers with no CPU (bnc#1012382).
- perf/x86/amd: Add event map for AMD Family 17h (bsc#1114648).
- phonet: fix building with clang (bnc#1012382).
- pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins (bnc#1012382).
- platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 (bnc#1012382).
- pm / Hibernate: Call flush_icache_range() on pages restored in-place (bnc#1012382).
- pm / wakeup: Rework wakeup source timer cancellation (bnc#1012382).
- powerpc/32: Clear on-stack exception marker upon exception return (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bsc#1131107).
- powerpc/64: Disable the speculation barrier from the command line (bsc#1131107).
- powerpc/64: Make stf barrier PPC_BOOK3S_64 specific (bsc#1131107).
- powerpc/64s: Add new security feature flags for count cache flush (bsc#1131107).
- powerpc/64s: Add support for software count cache flush (bsc#1131107).
- powerpc/83xx: Also save/restore SPRG4-7 during suspend (bnc#1012382).
- powerpc: Always initialize input array when calling epapr_hypercall() (bnc#1012382).
- powerpc/asm: Add a patch_site macro & helpers for patching instructions (bsc#1131107).
- powerpc/fsl: Fix spectre_v2 mitigations reporting (bsc#1131107).
- powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search (bsc#1131900).
- powerpc/numa: document topology_updates_enabled, disable by default (bsc#1133584).
- powerpc/numa: improve control of topology updates (bsc#1133584).
- powerpc/perf: Fix unit_sel/cache_sel checks (bsc#1053043).
- powerpc/perf: Remove l2 bus events from HW cache event array (bsc#1053043).
- powerpc/perf: Update raw-event code encoding comment for power8 (bsc#1053043, git-fixes).
- powerpc/powernv/cpuidle: Init all present cpus for deep states (bsc#1066223).
- powerpc/powernv: Make opal log only readable by root (bnc#1012382).
- powerpc/powernv: Query firmware for count cache flush settings (bsc#1131107).
- powerpc/pseries/mce: Fix misleading print for TLB mutlihit (bsc#1094244, git-fixes).
- powerpc/pseries: Query hypervisor for count cache flush settings (bsc#1131107).
- powerpc/security: Fix spectre_v2 reporting (bsc#1131107).
- powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- powerpc/tm: Add commandline option to disable hardware transactional memory (bsc#1118338).
- powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
- powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
- powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
- powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038 (bsc#1131587).
- powerpc/wii: properly disable use of BATs when requested (bnc#1012382).
- raid10: It's wrong to add len to sector_nr in raid10 reshape twice (bnc#1012382).
- ravb: Decrease TxFIFO depth of Q3 and Q2 to one (bnc#1012382).
- rcu: Do RCU GP kthread self-wakeup from softirq and interrupt (bnc#1012382).
- rdma/core: Do not expose unsupported counters (bsc#994770).
- rdma/srp: Rework SCSI device reset handling (bnc#1012382).
- Refresh patches.fixes/0001-net-mlx4-Fix-endianness-issue-in-qp-context-params.patch. (bsc#1132619)
- regulator: s2mpa01: Fix step values for some LDOs (bnc#1012382).
- regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 (bnc#1012382).
- Revert 'bridge: do not add port to router list when receives query with source 0.0.0.0' (bnc#1012382).
- Revert 'mmc: block: do not use parameter prefix if built as module' (bnc#1012382).
- Revert 'scsi, block: fix duplicate bdi name registration crashes' (bsc#1020989).
- Revert 'USB: core: only clean up what we allocated' (bnc#1012382).
- route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race (bnc#1012382).
- rsi: fix a dereference on adapter before it has been null checked (bsc#1085539).
- rtc: Fix overflow when converting time64_t to rtc_time (bnc#1012382).
- rtl8xxxu: Fix missing break in switch (bsc#1120902).
- s390/dasd: fix panic for failed online processing (bsc#1132589).
- s390/dasd: fix using offset into zero size array error (bnc#1012382).
- s390: Prevent hotplug rwsem recursion (bsc#1131980).
- s390/qeth: fix use-after-free in error path (bnc#1012382).
- s390/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- s390/virtio: handle find on invalid queue gracefully (bnc#1012382).
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (bsc#1106913).
- sched/smt: Expose sched_smt_present static key (bsc#1106913).
- sched/smt: Make sched_smt_present track topology (bsc#1106913).
- scripts/git_sort/git_sort.py: Add fixes branch from mkp/scsi.git.
- scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() (bnc#1012382).
- scsi: isci: initialize shost fully before calling scsi_add_host() (bnc#1012382).
- scsi: libfc: free skb when receiving invalid flogi resp (bnc#1012382).
- scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task (bnc#1012382).
- scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached (bnc#1012382).
- scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param (bnc#1012382).
- scsi: sd: Fix a race between closing an sd device and sd I/O (bnc#1012382).
- scsi: storvsc: Fix a race in sub-channel creation that can cause panic ().
- scsi: storvsc: Fix a race in sub-channel creation that can  cause panic (fate#323887).
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes  (fate#323887).
- scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock (bnc#1012382).
- scsi: virtio_scsi: do not send sc payload with tmfs (bnc#1012382).
- scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host (bnc#1012382).
- scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices (bnc#1012382).
- sctp: fix the transports round robin issue when init is retransmitted (git-fixes).
- sctp: get sctphdr by offset in sctp_compute_cksum (bnc#1012382).
- serial: 8250_pci: Fix number of ports for ACCES serial cards (bnc#1012382).
- serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() (bnc#1012382).
- serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling (bnc#1012382).
- serial: max310x: Fix to avoid potential NULL pointer dereference (bnc#1012382).
- serial: sh-sci: Fix setting SCSCR_TIE while transferring data (bnc#1012382).
- serial: sprd: adjust TIMEOUT to a big value (bnc#1012382).
- serial: sprd: clear timeout interrupt only rather than all interrupts (bnc#1012382).
- sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() (bnc#1012382).
- sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 (bnc#1012382).
- sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names (bnc#1012382).
- staging: ashmem: Add missing include (bnc#1012382).
- staging: ashmem: Avoid deadlock with mmap/shrink (bnc#1012382).
- staging: goldfish: audio: fix compiliation on arm (bnc#1012382).
- staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT (bnc#1012382).
- staging: lustre: fix buffer overflow of string buffer (bnc#1012382).
- staging: rtl8188eu: avoid a null dereference on pmlmepriv (bsc#1085539).
- staging: vt6655: Fix interrupt race condition on device start up (bnc#1012382).
- staging: vt6655: Remove vif check from vnt_interrupt (bnc#1012382).
- stm class: Do not leak the chrdev in error path (bnc#1012382).
- stm class: Fix an endless loop in channel allocation (bnc#1012382).
- stm class: Fix a race in unlinking (bnc#1012382).
- stm class: Fix link list locking (bnc#1012382).
- stm class: Fix locking in unbinding policy path (bnc#1012382).
- stm class: Fix stm device initialization order (bnc#1012382).
- stm class: Fix unbalanced module/device refcounting (bnc#1012382).
- stm class: Fix unlocking braino in the error path (bnc#1012382).
- stm class: Guard output assignment against concurrency (bnc#1012382).
- stm class: Hide STM-specific options if STM is disabled (bnc#1012382).
- stm class: Prevent division by zero (bnc#1012382).
- stm class: Prevent user-controllable allocations (bnc#1012382).
- stm class: Support devices with multiple instances (bnc#1012382).
- stmmac: copy unicast mac address to MAC registers (bnc#1012382).
- stop_machine: Provide stop_machine_cpuslocked() (bsc#1131980).
- sunrpc: do not mark uninitialised items as VALID (bsc#1130737).
- sunrpc: init xdr_stream for zero iov_len, page_len (bsc#11303356).
- svm/avic: Fix invalidate logical APIC id entry (bsc#1132727).
- svm: Fix AVIC DFR and LDR handling (bsc#1130343).
- svm: Fix improper check when deactivate AVIC (bsc#1130344).
- tcp/dccp: drop SYN packets if accept queue is full (bnc#1012382).
- tcp/dccp: remove reqsk_put() from inet_child_forget() (git-fixes).
- tcp: do not use ipv6 header for ipv4 flow (bnc#1012382).
- tcp: handle inet_csk_reqsk_queue_add() failures (git-fixes).
- thermal: int340x_thermal: Fix a NULL vs IS_ERR() check (bnc#1012382).
- time: Introduce jiffies64_to_nsecs() (bsc#1113399).
- tmpfs: fix link accounting when a tmpfile is linked in (bnc#1012382).
- tmpfs: fix uninitialized return value in shmem_link (bnc#1012382).
- tpm: fix kdoc for tpm2_flush_context_cmd() (bsc#1020645).
- tpm: Fix the type of the return value in calc_tpm2_event_size() (bsc#1020645, git-fixes).
- tpm: tpm-interface.c drop unused macros (bsc#1020645).
- tty: atmel_serial: fix a potential NULL pointer dereference (bnc#1012382).
- udf: Fix crash on IO error during truncate (bnc#1012382).
- Update patches.fixes/SUNRPC-init-xdr_stream-for-zero-iov_len-page_len.patch (bsc#1130356).
- usb: core: only clean up what we allocated (bnc#1012382).
- usb: dwc2: Fix DMA alignment to start at allocated boundary (bsc#1100132).
- usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub (bsc#1100132).
- usb: dwc3: gadget: Fix suspend/resume during device mode (bnc#1012382).
- usb: dwc3: gadget: Fix the uninitialized link_state when udc starts (bnc#1012382).
- usb: gadget: Add the gserial port checking in gs_start_tx() (bnc#1012382).
- usb: gadget: composite: fix dereference after null check coverify warning (bnc#1012382).
- usb: gadget: configfs: add mutex lock before unregister gadget (bnc#1012382).
- usb: gadget: Potential NULL dereference on allocation error (bnc#1012382).
- usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG (bnc#1012382).
- usb: renesas_usbhs: gadget: fix unused-but-set-variable warning (bnc#1012382).
- usb: serial: cp210x: add ID for Ingenico 3070 (bnc#1012382).
- usb: serial: cp210x: add new device id (bnc#1012382).
- usb: serial: cypress_m8: fix interrupt-out transfer length (bsc#1119086).
- usb: serial: ftdi_sio: add additional NovaTech products (bnc#1012382).
- usb: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 (bnc#1012382).
- usb: serial: mos7720: fix mos_parport refcount imbalance on error path (bsc#1129770).
- usb: serial: option: add Olicard 600 (bnc#1012382).
- usb: serial: option: add Telit ME910 ECM composition (bnc#1012382).
- usb: serial: option: set driver_info for SIM5218 and compatibles (bsc#1129770).
- video: fbdev: Set pixclock = 0 in goldfishfb (bnc#1012382).
- vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel (bnc#1012382).
- vxlan: Do not call gro_cells_destroy() before device is unregistered (bnc#1012382).
- vxlan: Fix GRO cells race condition between receive and link delete (bnc#1012382).
- vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() (bnc#1012382).
- wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' (bsc#1120902).
- x86_64: increase stack size for KASAN_EXTRA (bnc#1012382).
- x86/apic: Provide apic_ack_irq() (bsc#1122822).
- x86/apic: Provide apic_ack_irq() (fate#327171, bsc#1122822).
- x86/CPU/AMD: Set the CPB bit unconditionally on F17h (bnc#1012382).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is available (bsc#1122822).
- x86/Hyper-V: Set x2apic destination mode to physical when  x2apic is available (fate#327171, bsc#1122822).
- x86/kexec: Do not setup EFI info if EFI runtime is not enabled (bnc#1012382).
- x86/mce: Improve error message when kernel cannot recover, p2 (bsc#1114648).
- x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y (bnc#1012382).
- x86/speculation: Remove redundant arch_smt_update() invocation (bsc#1111331).
- x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- x86/uaccess: Do not leak the AC flag into __put_user() value evaluation (bsc#1114648).
- x86/vdso: Add VCLOCK_HVCLOCK vDSO clock read method (bsc#1133308).
- xen-netback: fix occasional leak of grant ref mappings under memory pressure (bnc#1012382).
- xfrm_user: fix info leak in build_aevent() (git-fixes).
- xfrm_user: fix info leak in xfrm_notify_sa() (git-fixes).
- xhci: Do not let USB3 ports stuck in polling state prevent suspend (bsc#1047487).
- xhci: Fix port resume done detection for SS ports with LPM enabled (bnc#1012382).
- xtensa: SMP: fix ccount_timer_shutdown (bnc#1012382).
- xtensa: SMP: fix secondary CPU initialization (bnc#1012382).
- xtensa: SMP: limit number of possible CPUs by NR_CPUS (bnc#1012382).
- xtensa: smp_lx200_defconfig: fix vectors clash (bnc#1012382).
- xtensa: SMP: mark each possible CPU as present (bnc#1012382).


-----------------------------------------
Patch: SUSE-2019-1259
Released: Wed May 15 14:06:20 2019
Summary: Recommended update for sysvinit
Severity: moderate
References: 1131982
Description:
This update for sysvinit fixes the following issues:

- Handle various optional fields of /proc/<pid>/mountinfo on the entry/ies before the hyphen
  (bsc#1131982)


-----------------------------------------
Patch: SUSE-2019-1264
Released: Thu May 16 09:50:27 2019
Summary: Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork
Severity: important
References: 1114209,1114832,1118897,1118898,1118899,1121397,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-6486
Description:
This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
- CVE-2018-16873: go security release, fixing cmd/go remote command execution (bsc#1118897).
- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

Other changes and bug fixes:

- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, boo#1134068).
- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, boo#1134068).
- Update to Docker 18.09.6-ce see upstream changelog in the packaged
- Move daemon.json file to /etc/docker directory (bsc#1114832).
- docker-test: Improvements to test packaging (bsc#1128746).
- Update to go1.11.9 (released 2019/04/11)
- Fix go build failures (bsc#1121397).
- Update to golang-github-docker-libnetwork version git.872f0a83c98add6cae255c8859e29532febc0039 which is required for Docker v18.09.6-ce.
- Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).


-----------------------------------------
Patch: SUSE-2019-1265
Released: Thu May 16 09:52:22 2019
Summary: Security update for systemd
Severity: important
References: 1080919,1121563,1125352,1126056,1127557,1128657,1130230,1132348,1132400,1132721,955942,CVE-2018-6954,CVE-2019-3842,CVE-2019-6454,SLE-5933
Description:
This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles 
  which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
- CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).

Non-security issues fixed:

- systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- Do not automatically online memory on s390x (bsc#1127557)


-----------------------------------------
Patch: SUSE-2019-1278
Released: Fri May 17 10:41:55 2019
Summary: Recommended update for logrotate
Severity: moderate
References: 1131477
Description:
This update for logrotate fixes the following issue:

- Trigger the rotation of weekly events more predictably [bsc#1131477]
  Introduce an optional argument for the 'weekly' directive to trigger
  the rotation on a selected day of the week.



-----------------------------------------
Patch: SUSE-2019-1319
Released: Thu May 23 12:45:33 2019
Summary: Recommended update for rsyslog
Severity: low
References: 1126233
Description:
This update for rsyslog fixes the following issues:

- Set default permission for all log files (bsc#1126233)


-----------------------------------------
Patch: SUSE-2019-1326
Released: Thu May 23 15:18:32 2019
Summary: Security update for sysstat
Severity: low
References: 1117001,1117260,CVE-2018-19416,CVE-2018-19517
Description:
This update for sysstat fixes the following issues:

Security issues fixed:

- CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001).
- CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260).


-----------------------------------------
Patch: SUSE-2019-1333
Released: Fri May 24 10:10:10 2019
Summary: Recommended update for systemd-presets-branding-SLE
Severity: moderate
References: 1128428
Description:
This update for systemd-presets-branding-SLE fixes the following issues:

- Enables nvmefc-boot-connections.service to discover network-provided nvme drives on boot (bsc#1128428)


-----------------------------------------
Patch: SUSE-2019-1342
Released: Fri May 24 13:58:25 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1128392,1134179
Description:
This update for google-compute-engine fixes the following issues:

google-compute-engine was updated to version 20190416 (bsc#1128392, bsc#1134179)

- Google Compute Engine OS Login

* Fix pam_group ordering detection.
* Restart cron from the OS Login control file.
* Add PAM entry to su:account stack.

Update from version 20190315:

- Google Compute Engine OS Login

* Fix alternate challenge section for two factor authentication.
* Fix FreeBSD compatibility issues in the control file.

Update from version 20190304:

- Google Compute Engine

  * Set oom_score_adjust for google_accounts_daemon.

- Google Compute Engine OS Login

  * Use pam_group to provide users with default groups.
  * Exit immediately after a two factor authentication failure.
  * Add support for Google phone prompt challenges.

- Include systemd service file to run google_optimize_local_ssd command
- Include systemd service file to run google_set_multiqueue command
- Install journald configuration files into /usr/lib/systemd/journald.conf.d


-----------------------------------------
Patch: SUSE-2019-1309
Released: Fri May 24 19:04:37 2019
Summary: Recommended update for yast2-proxy
Severity: moderate
References: 1089796
Description:
This update for yast2-proxy fixes the following issues:

- Clean up of 'No Proxy Domains' field when whitespaces are detected (bsc#1089796)


-----------------------------------------
Patch: SUSE-2019-1354
Released: Fri May 24 19:04:57 2019
Summary: Security update for screen
Severity: moderate
References: 1130831,944458,CVE-2015-6806
Description:
This update for screen fixes the following issues:

Security issue fixed:

- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).

Non-security issue fixed:

- Fixed segmentation faults related to altscreen and resizing screen (bsc#1130831).


-----------------------------------------
Patch: SUSE-2019-1363
Released: Tue May 28 10:50:53 2019
Summary: Security update for curl
Severity: important
References: 1135170,CVE-2019-5436
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).


-----------------------------------------
Patch: SUSE-2019-1379
Released: Wed May 29 15:07:04 2019
Summary: Security update for libtasn1
Severity: moderate
References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654
Description:
This update for libtasn1 fixes the following issues:

Security issues fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).


-----------------------------------------
Patch: SUSE-2019-1384
Released: Thu May 30 08:12:10 2019
Summary: Recommended update for supportutils
Severity: important
References: 1081326,1088234,1100529,1120967,1132865,1133723,1134599
Description:
This update for supportutils fixes the following issues:

  * SUSE specific infrastructure is now used (bsc#1132865) 
  * Uploads now use https by default (bsc#1134599)
  * Support for FTPS has been added
  * Files in the tarball now have 660 permissions instead of 600
  * The supportconfig.conf man pages have been updated to add some missing paramaters and fix some incorrect 
  information (bsc#1088234)
  * Fix issues where some customers were unable to collect logs due to commands not timing out 
  (bsc#1100529) (bsc#1120967)
  * DRBD resource configs were missing in support config (bsc#1133723)
  * FTPES now uses the --ssl-reqd paramater instead of the depricated --ftp-ssl
  * sapconf and log were missing from tuned.txt (bsc#1081326)
  * Some deprecated chkconfig code has been removed


-----------------------------------------
Patch: SUSE-2019-1402
Released: Mon Jun  3 09:12:38 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1097869,1118629
Description:
This update for kmod fixes the following issues:

- Fixes a potential buffer overflow in libkmod (bsc#1118629).


-----------------------------------------
Patch: SUSE-2019-1406
Released: Mon Jun  3 13:31:35 2019
Summary: Security update for bind
Severity: important
References: 1104129,1126068,1126069,1133185,CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465
Description:
This update for bind fixes the following issues:

Security issues fixed:

- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).
- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2018-5745: An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys. (bsc#1126068)
- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective. (bsc#1133185)



-----------------------------------------
Patch: SUSE-2019-1431
Released: Wed Jun  5 16:50:13 2019
Summary: Recommended update for xz
Severity: moderate
References: 1135709
Description:
This update for xz does only update the license:

- Add SUSE-Public-Domain license as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are in public domain license (bsc#1135709)


-----------------------------------------
Patch: SUSE-2019-1439
Released: Thu Jun  6 17:50:33 2019
Summary: Security update for python
Severity: important
References: 1129346,1130847,CVE-2019-9636,CVE-2019-9948
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-9948: Fixed a 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).


-----------------------------------------
Patch: SUSE-2019-1456
Released: Tue Jun 11 10:08:27 2019
Summary: Security update for vim
Severity: important
References: 1137443,CVE-2019-12735
Description:
This update for vim fixes the following issue:

Security issue fixed: 

- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).


-----------------------------------------
Patch: SUSE-2019-1468
Released: Wed Jun 12 10:01:33 2019
Summary: Security update for libcroco
Severity: moderate
References: 1034481,1034482,1043898,1043899,CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871
Description:
This update for libcroco fixes the following issues:

Security issues fixed:

- CVE-2017-7960: Fixed heap overflow (input: check end of input before reading a byte) (bsc#1034481).                                                                    
- CVE-2017-7961: Fixed undefined behavior (tknzr: support only max long rgb values) (bsc#1034482).                                                                       
- CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).
- CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).


-----------------------------------------
Patch: SUSE-2019-1469
Released: Wed Jun 12 12:02:13 2019
Summary: Recommended update for pam_mount
Severity: moderate
References: 1135310,sle-6551
Description:
This update for pam_mount fixes the following issues:

- LUKS2 support has been added to pam_mount (bnc#1135310 jsc#sle-6551)


-----------------------------------------
Patch: SUSE-2019-1474
Released: Wed Jun 12 14:46:20 2019
Summary: Recommended update for permissions
Severity: moderate
References: 1110797
Description:
This update for permissions fixes the following issues:

- Updated permissons for amanda (bsc#1110797)


-----------------------------------------
Patch: SUSE-2019-1481
Released: Thu Jun 13 07:46:01 2019
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1005063,1119296,1133418,954600
Description:
This update for sg3_utils provides the following fixes:
- Fix regression for page 0xa. (bsc#1119296)
- Add pre/post scripts for lunmask.service. (bsc#954600)
- Will now generate by-path links for fibrechannel. (bsc#1005063)
- Fixes a syntax error for rule 59-fc-wwpn-id.rules. (bsc#1133418)
  

-----------------------------------------
Patch: SUSE-2019-1493
Released: Thu Jun 13 16:40:31 2019
Summary: Recommended update for binutils
Severity: moderate
References: 1137271,SLE-6206
Description:
This update for binutils fixes the following issues:

- Add support for new IBM zSeries z13 instructions. (fate#327074, jsc#SLE-6206,
  bsc#1137271)


-----------------------------------------
Patch: SUSE-2019-1500
Released: Fri Jun 14 11:11:34 2019
Summary: Recommended update for yast2-network
Severity: moderate
References: 1123102,1131588,1136103
Description:
This update for yast2-network provides the following fixes:

- Yast2 network crashes when configure a static IP without hostname. (bnc#1123102)

- Network bonding: undefined method 'split'. (bnc#1136103)

- Display a confirmation popup when a static route is going to be removed after switching
  a device to DHCP. (bsc#1131588)

  

-----------------------------------------
Patch: SUSE-2019-1514
Released: Mon Jun 17 09:34:41 2019
Summary: Security update for docker
Severity: moderate
References: 1096726,CVE-2018-15664
Description:
This update for docker fixes the following issues:

Security issue fixed: 	  

- CVE-2018-15664: Fixed an issue which made docker cp vulnerable to symlink-exchange race attacks (bsc#1096726).


-----------------------------------------
Patch: SUSE-2019-1519
Released: Mon Jun 17 14:24:29 2019
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1138250
Description:
This update for polkit-default-privs fixes the following issues:

- whitelisted new flatpak policy kit rules after review (bsc#1138250)


-----------------------------------------
Patch: SUSE-2019-1524
Released: Mon Jun 17 17:30:16 2019
Summary: Security update for openssh
Severity: moderate
References: 1065237,1090671,1119183,1121816,1121821,1131709,CVE-2019-6109,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security vulnerabilities addressed:

- CVE-2019-6109: Fixed an character encoding issue in the progress display of
  the scp client that could be used to manipulate client output, allowing
  for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to
  prevent arbitrary file overwrites when interacting with a malicious SSH server
  (bsc#1121821).

Other issues fixed: 

- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).


-----------------------------------------
Patch: SUSE-2019-1532
Released: Mon Jun 17 19:21:02 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1063638,1065600,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120902,1122776,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131565,1132212,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,843419,CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.180 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-11477: A sequence of SACKs may have been crafted such that one can trigger an integer overflow, leading to a kernel panic.
- CVE-2019-11478: It was possible to send a crafted sequence of SACKs which will
fragment the TCP retransmission queue. An attacker may have been able to further exploit the fragmented queue to cause an
expensive linked-list walk for subsequent SACKs received for that same TCP connection.
- CVE-2019-11479: An attacker could force the Linux kernel to segment its responses into multiple TCP segments. This would drastically increased the bandwidth required to deliver the same amount of data. Further, it would consume additional resources such as CPU and NIC processing power.
- CVE-2019-3846: A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (bnc#1136424)
- CVE-2019-12382: An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel, there was an unchecked kstrdup of fwstr, which might have allowed an attacker to cause a denial of service (NULL pointer dereference and system crash). (bnc#1136586)
- CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may have been possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (bnc#1120843)
- CVE-2019-11833: fs/ext4/extents.c in the Linux kernel did not zero out the unused memory region in the extent tree block, which might have allowed local users to obtain sensitive information by reading uninitialized data in the filesystem. (bnc#1135281)
- CVE-2018-7191: In the tun subsystem in the Linux kernel, dev_get_valid_name was not called before register_netdevice. This allowed local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. (bnc#1135603)
- CVE-2019-11190: The Linux kernel allowed local users to bypass ASLR on setuid programs (such as /bin/su) because install_exec_creds() was called too late in load_elf_binary() in fs/binfmt_elf.c, and thus the ptrace_may_access() check had a race condition when reading /proc/pid/stat. (bnc#1132472)
- CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel There was a race condition leading to a use-after-free, related to net namespace cleanup. (bnc#1134537)
- CVE-2019-11884: The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel allowed a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a '\0' character. (bnc#1134848)
- CVE-2018-17972: An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel It did not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. (bnc#1110785)
- CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel had multiple race conditions. (bnc#1133188)

The following non-security bugs were fixed:

- 9p locks: add mount option for lock retry interval (bnc#1012382).
- 9p: do not trust pdu content for stat item size (bnc#1012382).
- X.509: unpack RSA signatureValue field from BIT STRING (git-fixes).
- acpi / sbs: Fix GPE storm on recent MacBookPro's (bnc#1012382).
- alsa: core: Fix card races between register and disconnect (bnc#1012382).
- alsa: echoaudio: add a check for ioremap_nocache (bnc#1012382).
- alsa: info: Fix racy addition/deletion of nodes (bnc#1012382).
- alsa: line6: use dynamic buffers (bnc#1012382).
- alsa: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration (bnc#1012382).
- alsa: pcm: check if ops are defined before suspending PCM (bnc#1012382).
- alsa: sb8: add a check for request_region (bnc#1012382).
- alsa: seq: Fix OOB-reads from strlcpy (bnc#1012382).
- appletalk: Fix compile regression (bnc#1012382).
- appletalk: Fix use-after-free in atalk_proc_exit (bnc#1012382).
- arm64/kernel: do not ban ADRP to work around Cortex-A53 erratum #843419 (bsc#1126040).
- arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp (bsc#1126040).
- arm64: Add helper to decode register from instruction (bsc#1126040).
- arm64: debug: Do not propagate UNKNOWN FAR into si_code for debug signals (bnc#1012382).
- arm64: debug: Ensure debug handlers check triggering exception level (bnc#1012382).
- arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value (bnc#1012382).
- arm64: futex: Restore oldval initialization to work around buggy compilers (bnc#1012382).
- arm64: module-plts: factor out PLT generation code for ftrace (bsc#1126040).
- arm64: module: do not BUG when exceeding preallocated PLT count (bsc#1126040).
- arm64: module: split core and init PLT sections (bsc#1126040).
- arm: 8833/1: Ensure that NEON code always compiles with Clang (bnc#1012382).
- arm: 8839/1: kprobe: make patch_lock a raw_spinlock_t (bnc#1012382).
- arm: 8840/1: use a raw_spinlock_t in unwind (bnc#1012382).
- arm: avoid Cortex-A9 livelock on tight dmb loops (bnc#1012382).
- arm: dts: at91: Fix typo in ISC_D0 on PC9 (bnc#1012382).
- arm: dts: pfla02: increase phy reset duration (bnc#1012382).
- arm: iop: do not use using 64-bit DMA masks (bnc#1012382).
- arm: orion: do not use using 64-bit DMA masks (bnc#1012382).
- arm: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms (bnc#1012382).
- asoc: Intel: avoid Oops if DMA setup fails (bnc#1012382).
- asoc: cs4270: Set auto-increment bit for register writes (bnc#1012382).
- asoc: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe (bnc#1012382).
- asoc: fsl_esai: fix channel swap issue when stream starts (bnc#1012382).
- asoc: tlv320aic32x4: Fix Common Pins (bnc#1012382).
- asoc:soc-pcm:fix a codec fixup issue in TDM case (bnc#1012382).
- backlight: lm3630a: Return 0 on success in update_status functions (bsc#1106929)
- bcache: Move couple of functions to sysfs.c (bsc#1130972).
- bcache: Move couple of string arrays to sysfs.c (bsc#1130972).
- bcache: Populate writeback_rate_minimum attribute (bsc#1130972).
- bcache: account size of buckets used in uuid write to ca->meta_sectors_written (bsc#1130972).
- bcache: add MODULE_DESCRIPTION information (bsc#1130972).
- bcache: add a comment in super.c (bsc#1130972).
- bcache: add code comments for bset.c (bsc#1130972).
- bcache: add comment for cache_set->fill_iter (bsc#1130972).
- bcache: add identifier names to arguments of function definitions (bsc#1130972).
- bcache: add missing SPDX header (bsc#1130972).
- bcache: add separate workqueue for journal_write to avoid deadlock (bsc#1130972).
- bcache: add static const prefix to char * array declarations (bsc#1130972).
- bcache: add sysfs_strtoul_bool() for setting bit-field variables (bsc#1130972).
- bcache: add the missing comments for smp_mb()/smp_wmb() (bsc#1130972).
- bcache: cannot set writeback_running via sysfs if no writeback kthread created (bsc#1130972).
- bcache: comment on direct access to bvec table (bsc#1130972).
- bcache: correct dirty data statistics (bsc#1130972).
- bcache: do not assign in if condition in bcache_device_init() (bsc#1130972).
- bcache: do not assign in if condition in bcache_init() (bsc#1130972).
- bcache: do not assign in if condition register_bcache() (bsc#1130972).
- bcache: do not check NULL pointer before calling kmem_cache_destroy (bsc#1130972).
- bcache: do not check if debug dentry is ERR or NULL explicitly on remove (bsc#1130972).
- bcache: do not clone bio in bch_data_verify (bsc#1130972).
- bcache: do not mark writeback_running too early (bsc#1130972).
- bcache: export backing_dev_name via sysfs (bsc#1130972).
- bcache: export backing_dev_uuid via sysfs (bsc#1130972).
- bcache: fix code comments style (bsc#1130972).
- bcache: fix indent by replacing blank by tabs (bsc#1130972).
- bcache: fix indentation issue, remove tabs on a hunk of code (bsc#1130972).
- bcache: fix input integer overflow of congested threshold (bsc#1130972).
- bcache: fix input overflow to cache set sysfs file io_error_halflife (bnc#1012382).
- bcache: fix input overflow to journal_delay_ms (bsc#1130972).
- bcache: fix input overflow to sequential_cutoff (bnc#1012382).
- bcache: fix input overflow to writeback_delay (bsc#1130972).
- bcache: fix input overflow to writeback_rate_minimum (bsc#1130972).
- bcache: fix ioctl in flash device (bsc#1130972).
- bcache: fix mistaken code comments in bcache.h (bsc#1130972).
- bcache: fix mistaken comments in request.c (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_i_term_inverse (bsc#1130972).
- bcache: fix potential div-zero error of writeback_rate_p_term_inverse (bsc#1130972).
- bcache: fix typo 'succesfully' to 'successfully' (bsc#1130972).
- bcache: fix typo in code comments of closure_return_with_destructor() (bsc#1130972).
- bcache: improve sysfs_strtoul_clamp() (bnc#1012382).
- bcache: introduce force_wake_up_gc() (bsc#1130972).
- bcache: make cutoff_writeback and cutoff_writeback_sync tunable (bsc#1130972).
- bcache: move open brace at end of function definitions to next line (bsc#1130972).
- bcache: never writeback a discard operation (bsc#1130972).
- bcache: not use hard coded memset size in bch_cache_accounting_clear() (bsc#1130972).
- bcache: option to automatically run gc thread after writeback (bsc#1130972).
- bcache: panic fix for making cache device (bsc#1130972).
- bcache: prefer 'help' in Kconfig (bsc#1130972).
- bcache: print number of keys in trace_bcache_journal_write (bsc#1130972).
- bcache: recal cached_dev_sectors on detach (bsc#1130972).
- bcache: remove unnecessary space before ioctl function pointer arguments (bsc#1130972).
- bcache: remove unused bch_passthrough_cache (bsc#1130972).
- bcache: remove useless parameter of bch_debug_init() (bsc#1130972).
- bcache: replace '%pF' by '%pS' in seq_printf() (bsc#1130972).
- bcache: replace Symbolic permissions by octal permission numbers (bsc#1130972).
- bcache: replace hard coded number with BUCKET_GC_GEN_MAX (bsc#1130972).
- bcache: replace printk() by pr_*() routines (bsc#1130972).
- bcache: set writeback_percent in a flexible range (bsc#1130972).
- bcache: split combined if-condition code into separate ones (bsc#1130972).
- bcache: stop using the deprecated get_seconds() (bsc#1130972).
- bcache: style fix to add a blank line after declarations (bsc#1130972).
- bcache: style fix to replace 'unsigned' by 'unsigned int' (bsc#1130972).
- bcache: style fixes for lines over 80 characters (bsc#1130972).
- bcache: trace missed reading by cache_missed (bsc#1130972).
- bcache: treat stale and dirty keys as bad keys (bsc#1130972).
- bcache: trivial - remove tailing backslash in macro BTREE_FLAG (bsc#1130972).
- bcache: update comment for bch_data_insert (bsc#1130972).
- bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata (bsc#1130972).
- bcache: use MAX_CACHES_PER_SET instead of magic number 8 in __bch_bucket_alloc_set (bsc#1130972).
- bcache: use REQ_PRIO to indicate bio for metadata (bsc#1130972).
- bcache: use routines from lib/crc64.c for CRC64 calculation (bsc#1130972).
- bcache: use sysfs_strtoul_bool() to set bit-field variables (bsc#1130972).
- bcache: writeback: properly order backing device IO (bsc#1130972).
- binfmt_elf: switch to new creds when switching to new mm (bnc#1012382).
- bitops: avoid integer overflow in GENMASK(_ULL) (bnc#1012382).
- block: check_events: do not bother with events if unsupported (bsc#1110946).
- block: disk_events: introduce event flags (bsc#1110946).
- block: do not leak memory in bio_copy_user_iov() (bnc#1012382).
- block: fix use-after-free on gendisk (bsc#1136448).
- bluetooth: Align minimum encryption key size for LE and BR/EDR connections (bnc#1012382).
- bluetooth: Fix decrementing reference count twice in releasing socket (bnc#1012382).
- bnxt_en: Improve multicast address setup logic (bnc#1012382).
- bonding: fix arp_validate toggling in active-backup mode (bnc#1012382).
- bonding: fix event handling for stacked bonds (bnc#1012382).
- bonding: show full hw address in sysfs for slave entries (bnc#1012382).
- bpf: reject wrong sized filters earlier (bnc#1012382).
- bridge: Fix error path for kobject_init_and_add() (bnc#1012382).
- btrfs: Do not panic when we can't find a root key (bsc#1112063).
- btrfs: Factor out common delayed refs init code (bsc#1134813).
- btrfs: Introduce init_delayed_ref_head (bsc#1134813).
- btrfs: Open-code add_delayed_data_ref (bsc#1134813).
- btrfs: Open-code add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_data_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_common in add_delayed_tree_ref (bsc#1134813).
- btrfs: Use init_delayed_ref_head in add_delayed_ref_head (bsc#1134813).
- btrfs: add a helper to return a head ref (bsc#1134813).
- btrfs: breakout empty head cleanup to a helper (bsc#1134813).
- btrfs: delayed-ref: Introduce better documented delayed ref structures (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_data_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: delayed-ref: Use btrfs_ref to refactor btrfs_add_delayed_tree_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Fix a bug that btrfs is unable to add pinned bytes (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Open-code process_func in __btrfs_mod_ref (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor add_pinned_bytes() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_free_extent() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: extent-tree: Use btrfs_ref to refactor btrfs_inc_extent_ref() (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: move all ref head cleanup to the helper function (bsc#1134813).
- btrfs: move extent_op cleanup to a helper (bsc#1134813).
- btrfs: move ref_mod modification into the if (ref) logic (bsc#1134813).
- btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference (bsc#1134806).
- btrfs: qgroup: Do not scan leaf if we're modifying reloc tree (bsc#1063638 bsc#1128052 bsc#1108838).
- btrfs: qgroup: Move reserved data accounting from btrfs_delayed_ref_head to btrfs_qgroup_extent_record (bsc#1134162).
- btrfs: qgroup: Remove duplicated trace points for qgroup_rsv_add/release (bsc#1134160).
- btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() (bsc#1134338).
- btrfs: reloc: Fix NULL pointer dereference due to expanded reloc_root lifespan (bsc#1134651).
- btrfs: remove delayed_ref_node from ref_head (bsc#1134813).
- btrfs: split delayed ref head initialization and addition (bsc#1134813).
- btrfs: track refs in a rb_tree instead of a list (bsc#1134813).
- cdc-acm: cleaning up debug in data submission path (bsc#1136539).
- cdc-acm: fix race between reset and control messaging (bsc#1106110).
- cdc-acm: handle read pipe errors (bsc#1135878).
- cdc-acm: reassemble fragmented notifications (bsc#1136590).
- cdc-acm: store in and out pipes in acm structure (bsc#1136575).
- cdrom: Fix race condition in cdrom_sysctl_register (bnc#1012382).
- ceph: ensure d_name stability in ceph_dentry_hash() (bsc#1134564).
- ceph: fix ci->i_head_snapc leak (bsc#1122776).
- ceph: fix use-after-free on symlink traversal (bsc#1134565).
- ceph: only use d_name directly when parent is locked (bsc#1134566).
- cifs: Fix NULL pointer dereference of devname (bnc#1012382).
- cifs: do not attempt cifs operation on smb2+ rename error (bnc#1012382).
- cifs: fallback to older infolevels on findfirst queryinfo retry (bnc#1012382).
- cifs: keep FileInfo handle live during oplock break (bsc#1106284, bsc#1131565).
- cifs: use correct format characters (bnc#1012382).
- clk: fix mux clock documentation (bsc#1090888).
- coresight: etm4x: Add support to enable ETMv4.2 (bnc#1012382).
- cpu/speculation: Add 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- cpupower: remove stringop-truncation waring (bsc#1119086).
- crypto: crypto4xx - properly set IV after de- and encrypt (bnc#1012382).
- crypto: sha256/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: sha512/arm - fix crash bug in Thumb2 build (bnc#1012382).
- crypto: vmx - CTR: always increment IV as quadword (bsc#1135661, bsc#1137162).
- crypto: vmx - fix copy-paste error in CTR mode (bsc#1135661, bsc#1137162).
- crypto: vmx - ghash: do nosimd fallback manually (bsc#1135661, bsc#1137162).
- crypto: vmx - return correct error code on failed setkey (bsc#1135661, bsc#1137162).
- crypto: vmx: Only call enable_kernel_vsx() (bsc#1135661, bsc#1137162).
- crypto: x86/poly1305 - fix overflow during partial reduction (bnc#1012382).
- debugfs: fix use-after-free on symlink traversal (bnc#1012382).
- device_cgroup: fix RCU imbalance in error case (bnc#1012382).
- dm thin: add sanity checks to thin-pool and external snapshot creation (bnc#1012382).
- dmaengine: imx-dma: fix warning comparison of distinct pointer types (bnc#1012382).
- dmaengine: tegra: avoid overflow of byte tracking (bnc#1012382).
- documentation: Add MDS vulnerability documentation (bnc#1012382).
- documentation: Add nospectre_v1 parameter (bnc#1012382).
- documentation: Correct the possible MDS sysfs values (bnc#1012382).
- documentation: Move L1TF to separate directory (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl (bnc#1012382).
- drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl (bnc#1012382).
- drm/bridge: adv7511: Fix low refresh rate selection (bsc#1106929)
- drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers (bnc#1012382).
- drm/fb-helper: dpms_legacy(): Only set on connectors in use (bnc#1106929)
- drm/i915: Fix I915_EXEC_RING_MASK (bnc#1106929)
- drm/rockchip: shutdown drm subsystem on shutdown (bsc#1106929)
- drm/ttm: Remove warning about inconsistent mapping information (bnc#1131488)
- drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE (bsc#1106929)
- drm/vc4: Account for interrupts in flight (bsc#1106929)
- drm/vc4: Allocate the right amount of space for boot-time CRTC state. (bsc#1106929)
- drm/vc4: Fix NULL pointer dereference in vc4_save_hang_state() (bsc#1106929)
- drm/vc4: Fix OOPSes from trying to cache a partially constructed BO. (bsc#1106929)
- drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos() (bsc#1106929)
- drm/vc4: Fix compilation error reported by kbuild test bot (bsc#1106929)
- drm/vc4: Fix memory leak during gpu reset. (bsc#1106929)
- drm/vc4: Fix memory leak of the CRTC state. (bsc#1106929)
- drm/vc4: Fix oops when userspace hands in a bad BO. (bsc#1106929)
- drm/vc4: Fix overflow mem unreferencing when the binner runs dry. (bsc#1106929)
- drm/vc4: Fix races when the CS reads from render targets. (bsc#1106929)
- drm/vc4: Fix scaling of uni-planar formats (bsc#1106929)
- drm/vc4: Fix the 'no scaling' case on multi-planar YUV formats (bsc#1106929)
- drm/vc4: Flush the caches before the bin jobs, as well. (bsc#1106929)
- drm/vc4: Free hang state before destroying BO cache. (bsc#1106929)
- drm/vc4: Move IRQ enable to PM path (bsc#1106929)
- drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar (bsc#1106929)
- drm/vc4: Set ->is_yuv to false when num_planes == 1 (bsc#1106929)
- drm/vc4: Use drm_free_large() on handles to match its allocation. (bsc#1106929)
- drm/vc4: fix a bounds check (bsc#1106929)
- drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() (bsc#1106929)
- drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to (bsc#1106929)
- dt-bindings: rcar-dmac: Document missing error interrupt (bsc#1085535).
- e1000e: Add Support for 38.4MHZ frequency (bsc#1108293 ).
- e1000e: Add Support for CannonLake (bsc#1108293).
- e1000e: Fix -Wformat-truncation warnings (bnc#1012382).
- e1000e: Initial Support for CannonLake (bsc#1108293 ).
- enic: fix build warning without CONFIG_CPUMASK_OFFSTACK (bnc#1012382).
- exportfs: fix 'passing zero to ERR_PTR()' warning (bsc#1136458).
- ext4: Return EAGAIN in case of DIO is beyond end of file (bsc#1136810).
- ext4: actually request zeroing of inode table after grow (bsc#1136451).
- ext4: add missing brelse() in add_new_gdb_meta_bg() (bnc#1012382).
- ext4: avoid panic during forced reboot due to aborted journal (bsc#1126356).
- ext4: cleanup bh release code in ext4_ind_remove_space() (bnc#1012382).
- ext4: fix ext4_show_options for file systems w/o journal (bsc#1136452).
- ext4: fix use-after-free race with debug_want_extra_isize (bsc#1136449).
- ext4: make sure enough credits are reserved for dioread_nolock writes (bsc#1136623).
- ext4: prohibit fstrim in norecovery mode (bnc#1012382).
- ext4: report real fs size after failed resize (bnc#1012382).
- ext4: wait for outstanding dio during truncate in nojournal mode (bsc#1136438).
- f2fs: do not use mutex lock in atomic context (bnc#1012382).
- f2fs: fix to do sanity check with current segment number (bnc#1012382).
- fbdev: fbmem: fix memory access if logo is bigger than the screen (bnc#1012382).
- fix incorrect error code mapping for OBJECTID_NOT_FOUND (bnc#1012382).
- fs/file.c: initialize init_files.resize_wait (bnc#1012382).
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (bnc#1012382).
- fs: fix guard_bio_eod to check for real EOD errors (bnc#1012382).
- ftrace/x86_64: Emulate call function while updating in breakpoint handler (bsc#1099658).
- genirq: Prevent use-after-free and work list corruption (bnc#1012382).
- genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() (bnc#1012382).
- gpio: gpio-omap: fix level interrupt idling (bnc#1012382).
- gpu: ipu-v3: dp: fix CSC handling (bnc#1012382).
- h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- (bnc#1012382).
- hid: debug: fix race condition with between rdesc_show() and device removal (bnc#1012382).
- hid: input: add mapping for Expose/Overview key (bnc#1012382).
- hid: input: add mapping for keyboard Brightness Up/Down/Toggle keys (bnc#1012382).
- hugetlbfs: fix memory leak for resv_map (bnc#1012382).
- hwrng: virtio - Avoid repeated init of completion (bnc#1012382).
- i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA (bnc#1012382).
- ib/hfi1: Eliminate opcode tests on mr deref ().
- ib/hfi1: Unreserve a reserved request when it is completed ().
- ib/mlx4: Fix race condition between catas error reset and aliasguid flows (bnc#1012382).
- ib/mlx4: Increase the timeout for CM cache (bnc#1012382).
- ib/rdmavt: Add wc_flags and wc_immdata to cq entry trace ().
- ib/rdmavt: Fix frwr memory registration ().
- igb: Fix WARN_ONCE on runtime suspend (bnc#1012382).
- iio/gyro/bmg160: Use millidegrees for temperature scale (bnc#1012382).
- iio: ad_sigma_delta: select channel when reading register (bnc#1012382).
- iio: adc: at91: disable adc channel interrupt in timeout case (bnc#1012382).
- iio: adc: xilinx: fix potential use-after-free on remove (bnc#1012382).
- include/linux/bitrev.h: fix constant bitrev (bnc#1012382).
- include/linux/swap.h: use offsetof() instead of custom __swapoffset macro (bnc#1012382).
- init: initialize jump labels before command line option parsing (bnc#1012382).
- input: snvs_pwrkey - initialize necessary driver data before enabling IRQ (bnc#1012382).
- io: accel: kxcjk1013: restore the range after resume (bnc#1012382).
- iommu/vt-d: Do not request page request irq under dmar_global_lock (bsc#1135013).
- iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU (bsc#1135014).
- iommu/vt-d: Set intel_iommu_gfx_mapped correctly (bsc#1135015).
- ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type (bnc#1012382).
- ipmi:ssif: compare block number correctly for multi-part return messages (bsc#1135120).
- ipv4: Fix raw socket lookup for local traffic (bnc#1012382).
- ipv4: add sanity checks in ipv4_link_failure() (git-fixes).
- ipv4: ensure rcu_read_lock() in ipv4_link_failure() (bnc#1012382).
- ipv4: ip_do_fragment: Preserve skb_iif during fragmentation (bnc#1012382).
- ipv4: recompile ip options in ipv4_link_failure (bnc#1012382).
- ipv4: set the tcp_min_rtt_wlen range from 0 to one day (bnc#1012382).
- ipv6/flowlabel: wait rcu grace period before put_pid() (bnc#1012382).
- ipv6: Fix dangling pointer when ipv6 fragment (bnc#1012382).
- ipv6: fix a potential deadlock in do_ipv6_setsockopt() (bnc#1012382).
- ipv6: invert flowlabel sharing check in process and user mode (bnc#1012382).
- ipv6: sit: reset ip header pointer in ipip6_rcv (bnc#1012382).
- ipvs: do not schedule icmp errors from tunnels (bnc#1012382).
- jffs2: fix use-after-free on symlink traversal (bnc#1012382).
- kABI: protect ring_buffer_read_prepare (kabi).
- kABI: protect struct tlb_state (kabi).
- kABI: protect struct usb_interface (kabi).
- kABI: restore ___ptrace_may_access (kabi).
- kABI: restore icmp_send (kabi).
- kabi: arm64: fix kabi breakage on arch specific module (bsc#1126040)
- kabi: drop LINUX_Mib_TCPWQUEUETOOBIG snmp counter (bsc#1137586).
- kabi: move sysctl_tcp_min_snd_mss to preserve struct net layout (bsc#1137586).
- kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD (bnc#1012382).
- kbuild: simplify ld-option implementation (bnc#1012382).
- kconfig/[mn]conf: handle backspace (^H) key (bnc#1012382).
- kconfig: display recursive dependency resolution hint just once (bsc#1100132).
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (bnc#1012382).
- keys: Timestamp new keys (bsc#1120902).
- kprobes: Fix error check when reusing optimized probes (bnc#1012382).
- kprobes: Mark ftrace mcount handler functions nokprobe (bnc#1012382).
- kprobes: Prohibit probing on bsearch() (bnc#1012382).
- kvm: fail KVM_SET_VCPU_EVENTS with invalid exception number (bnc#1012382).
- kvm: x86: Do not clear EFER during SMM transitions for 32-bit vCPU (bnc#1012382).
- kvm: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing (bnc#1012382).
- leds: lp55xx: fix null deref on firmware load failure (bnc#1012382).
- lib/div64.c: off by one in shift (bnc#1012382).
- lib/int_sqrt: optimize initial value compute (bnc#1012382).
- lib/string.c: implement a basic bcmp (bnc#1012382).
- lib: add crc64 calculation routines (bsc#1130972).
- lib: do not depend on linux headers being installed (bsc#1130972).
- libata: fix using DMA buffers on stack (bnc#1012382).
- libnvdimm/btt: Fix a kmemdup failure check (bnc#1012382).
- lpfc: validate command in lpfc_sli4_scmd_to_wqidx_distr() (bsc#1129138).
- mac80211: do not call driver wake_tx_queue op during reconfig (bnc#1012382).
- mac80211_hwsim: validate number of different channels (bsc#1085539).
- md: use mddev_suspend/resume instead of ->quiesce() (bsc#1132212).
- media: mt9m111: set initial frame size other than 0x0 (bnc#1012382).
- media: mx2_emmaprp: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: pvrusb2: Prevent a buffer overflow (bsc#1135642).
- media: s5p-g2d: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration (bnc#1012382).
- media: s5p-jpeg: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: sh_veu: Correct return type for mem2mem buffer helpers (bnc#1012382).
- media: v4l2: i2c: ov7670: Fix PLL bypass register values (bnc#1012382).
- media: vb2: do not call __vb2_queue_cancel if vb2_start_streaming failed (bsc#1120902).
- mips: scall64-o32: Fix indirect syscall number load (bnc#1012382).
- mm/cma.c: cma_declare_contiguous: correct err handling (bnc#1012382).
- mm/page_ext.c: fix an imbalance with kmemleak (bnc#1012382).
- mm/slab.c: kmemleak no scan alien caches (bnc#1012382).
- mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! (bnc#1012382).
- mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n (bnc#1012382).
- mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bnc#1012382).
- mmc: davinci: remove extraneous __init annotation (bnc#1012382).
- mmc: omap: fix the maximum timeout setting (bnc#1012382).
- modpost: file2alias: check prototype of handler (bnc#1012382).
- modpost: file2alias: go back to simple devtable lookup (bnc#1012382).
- mount: copy the port field into the cloned nfs_server structure (bsc#1136990).
- mt7601u: bump supported EEPROM version (bnc#1012382).
- mtd: Fix comparison in map_word_andequal() (git-fixes).
- mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() (bsc#1136935).
- net/ibmvnic: Update MAC address settings after adapter reset (bsc#1134760).
- net/ibmvnic: Update carrier state after link state change (bsc#1135100).
- net: atm: Fix potential Spectre v1 vulnerabilities (bnc#1012382).
- net: bridge: multicast: use rcu to access port list from br_multicast_start_querier (bnc#1012382).
- net: ena: fix return value of ena_com_config_llq_info() (bsc#1117562).
- net: ethernet: ti: fix possible object reference leak (bnc#1012382).
- net: ethtool: not call vzalloc for zero sized memory request (bnc#1012382).
- net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv (bnc#1012382).
- net: hns: Fix WARNING when remove HNS driver with SMMU enabled (bnc#1012382).
- net: hns: Use NAPI_POLL_WEIGHT for hns driver (bnc#1012382).
- net: ibm: fix possible object reference leak (bnc#1012382).
- net: ks8851: Delay requesting IRQ until opened (bnc#1012382).
- net: ks8851: Dequeue RX packets explicitly (bnc#1012382).
- net: ks8851: Reassert reset pin if chip ID check fails (bnc#1012382).
- net: ks8851: Set initial carrier state to down (bnc#1012382).
- net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() (bnc#1012382).
- net: stmmac: move stmmac_check_ether_addr() to driver probe (bnc#1012382).
- net: ucc_geth - fix Oops when changing number of buffers in the ring (bnc#1012382).
- net: xilinx: fix possible object reference leak (bnc#1012382).
- netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING (bnc#1012382).
- netfilter: compat: initialize all fields in xt_init (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON (bnc#1012382).
- netfilter: physdev: relax br_netfilter dependency (bnc#1012382).
- netns: provide pure entropy for net_hash_mix() (bnc#1012382).
- nfs/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount (git-fixes).
- nfs: Add missing encode / decode sequence_maxsz to v4.2 operations (git-fixes).
- nfs: Fix I/O request leakages (git-fixes).
- nfs: Forbid setting AF_INET6 to 'struct sockaddr_in'->sin_family (bnc#1012382).
- nfs: clean up rest of reqs when failing to add one (git-fixes).
- nfsd: Do not release the callback slot unless it was actually held (bnc#1012382).
- ntp: Allow TAI-UTC offset to be set to zero (bsc#1135642).
- nvme-fc: resolve io failures during connect (bsc#1116803).
- nvme: Do not allow to reset a reconnecting controller (bsc#1133874).
- ocfs2: fix a panic problem caused by o2cb_ctl (bnc#1012382).
- openvswitch: fix flow actions reallocation (bnc#1012382).
- pNFS: Skip invalid stateids when doing a bulk destroy (git-fixes).
- packet: Fix error path in packet_init (bnc#1012382).
- packet: validate msg_namelen in send directly (bnc#1012382).
- pci: Add function 1 DMA alias quirk for Marvell 9170 SATA controller (bnc#1012382).
- pci: Mark AMD Stoney Radeon R7 GPU ATS as broken (bsc#1137142).
- pci: Mark Atheros AR9462 to avoid bus reset (bsc#1135642).
- pci: xilinx-nwl: Add missing of_node_put() (bsc#1100132).
- perf evsel: Free evsel->counts in perf_evsel__exit() (bnc#1012382).
- perf test: Fix failure of 'evsel-tp-sched' test on s390 (bnc#1012382).
- perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() (bnc#1012382).
- perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test (bnc#1012382).
- perf top: Fix error handling in cmd_top() (bnc#1012382).
- perf/core: Restore mmap record type correctly (bnc#1012382).
- perf/x86/intel: Allow PEBS multi-entry in watermark mode (git-fixes).
- perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS (bnc#1012382).
- platform/x86: sony-laptop: Fix unintentional fall-through (bnc#1012382).
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (bnc#1012382).
- powerpc/64: Call setup_barrier_nospec() from setup_arch() (bnc#1012382 bsc#1131107).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bnc#1012382).
- powerpc/64s: Include cpu header (bnc#1012382).
- powerpc/booke64: set RI in default MSR (bnc#1012382).
- powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg (bnc#1012382).
- powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E (bnc#1012382).
- powerpc/fsl: Add infrastructure to fixup branch predictor flush (bnc#1012382).
- powerpc/fsl: Add macro to flush the branch predictor (bnc#1012382).
- powerpc/fsl: Add nospectre_v2 command line argument (bnc#1012382).
- powerpc/fsl: Emulate SPRN_BUCSR register (bnc#1012382).
- powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used (bnc#1012382).
- powerpc/fsl: Fix the flush of branch predictor (bnc#1012382).
- powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' (bnc#1012382).
- powerpc/fsl: Flush branch predictor when entering KVM (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) (bnc#1012382).
- powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) (bnc#1012382).
- powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms (bnc#1012382).
- powerpc/fsl: Update Spectre v2 reporting (bnc#1012382).
- powerpc/lib: fix book3s/32 boot failure due to code patching (bnc#1012382).
- powerpc/xmon: Add RFI flush related fields to paca dump (bnc#1012382).
- qede: fix write to free'd pointer error and double free of ptp (bsc#1019695 bsc#1019696).
- qlcnic: Avoid potential NULL pointer dereference (bnc#1012382).
- qmi_wwan: add Olicard 600 (bnc#1012382).
- rdma/iw_cxgb4: Fix the unchecked ep dereference (bsc#1005778 bsc#1005780 bsc#1005781).
- rdma/qedr: Fix out of bounds index check in query pkey (bsc#1022604).
- regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting (bnc#1012382).
- rsi: improve kernel thread handling to fix kernel panic (bnc#1012382).
- rtc: da9063: set uie_unsupported when relevant (bnc#1012382).
- rtc: sh: Fix invalid alarm warning for non-enabled alarm (bnc#1012382).
- s390/3270: fix lockdep false positive on view->lock (bnc#1012382).
- s390/dasd: Fix capacity calculation for large volumes (bnc#1012382).
- s390: ctcm: fix ctcm_new_device error return code (bnc#1012382).
- sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init() (bnc#1012382).
- sc16is7xx: move label 'err_spi' to correct section (git-fixes).
- sched/fair: Do not re-read ->h_load_next during hierarchical load calculation (bnc#1012382).
- sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup (bnc#1012382).
- sched/numa: Fix a possible divide-by-zero (bnc#1012382).
- sched: Add sched_smt_active() (bnc#1012382).
- scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c (bnc#1012382).
- scsi: csiostor: fix missing data copy in csio_scsi_err_handler() (bnc#1012382).
- scsi: libsas: fix a race condition when smp task timeout (bnc#1012382).
- scsi: megaraid_sas: return error when create DMA pool failed (bnc#1012382).
- scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines (bnc#1012382).
- scsi: qla4xxx: fix a potential NULL pointer dereference (bnc#1012382).
- scsi: storvsc: Fix calculation of sub-channel count (bnc#1012382).
- scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN (bnc#1012382).
- sctp: initialize _pad of sockaddr_in before copying to user memory (bnc#1012382).
- selftests/net: correct the return value for run_netsocktests (bnc#1012382).
- selinux: never allow relabeling on context mounts (bnc#1012382).
- serial: uartps: console_setup() can't be placed to init section (bnc#1012382).
- slip: make slhc_free() silently accept an error pointer (bnc#1012382).
- soc/tegra: fuse: Fix illegal free of IO base address (bnc#1012382).
- soc: imx-sgtl5000: add missing put_device() (bnc#1012382).
- soc: qcom: gsbi: Fix error handling in gsbi_probe() (bnc#1012382).
- staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: ni_usb6501: Fix use of uninitialized mutex (bnc#1012382).
- staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf (bnc#1012382).
- staging: comedi: vmk80xx: Fix use of uninitialized semaphore (bnc#1012382).
- staging: iio: adt7316: allow adt751x to use internal vref for all dacs (bnc#1012382).
- staging: iio: adt7316: fix the dac read calculation (bnc#1012382).
- staging: iio: adt7316: fix the dac write calculation (bnc#1012382).
- supported.conf: add lib/crc64 because bcache uses it
- sysctl: handle overflow for file-max (bnc#1012382).
- tcp: Ensure DCTCP reacts to losses (bnc#1012382).
- tcp: add tcp_min_snd_mss sysctl (bsc#1137586).
- tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (bsc#1137586).
- tcp: limit payload size of sacked skbs (bsc#1137586).
- tcp: tcp_fragment() should apply sane memory limits (bsc#1137586).
- tcp: tcp_grow_window() needs to respect tcp_space() (bnc#1012382).
- team: fix possible recursive locking when add slaves (bnc#1012382).
- thermal/int340x_thermal: Add additional UUIDs (bnc#1012382).
- thermal/int340x_thermal: fix mode setting (bnc#1012382).
- timer/debug: Change /proc/timer_stats from 0644 to 0600 (bnc#1012382).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bnc#1012382).
- tipc: check link name with right length in tipc_nl_compat_link_set (bnc#1012382).
- tipc: handle the err returned from cmd header function (bnc#1012382).
- tools lib traceevent: Fix buffer overflow in arg_eval (bnc#1012382).
- tools lib traceevent: Fix missing equality check for strcmp (bsc#1129770).
- tools/power turbostat: return the exit status of a command (bnc#1012382).
- tpm/tpm_crb: Avoid unaligned reads in crb_recv() (bnc#1012382).
- tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete (bnc#1012382).
- trace: Fix preempt_enable_no_resched() abuse (bnc#1012382).
- tracing: Fix partial reading of trace event's id file (bsc#1136573).
- tracing: kdb: Fix ftdump to not sleep (bnc#1012382).
- tty/serial: atmel: Add is_half_duplex helper (bnc#1012382).
- tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped (bnc#1012382).
- tty: increase the default flip buffer limit to 2*640K (bnc#1012382).
- tty: ldisc: add sysctl to prevent autoloading of ldiscs (bnc#1012382).
- uas: fix alignment of scatter/gather segments (bnc#1012382 bsc#1129770).
- uas: fix alignment of scatter/gather segments (bsc#1129770).
- ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour (bsc#1136455).
- usb: Add new USB LPM helpers (bsc#1129770).
- usb: Consolidate LPM checks to avoid enabling LPM twice (bsc#1129770).
- usb: cdc-acm: fix race during wakeup blocking TX traffic (bsc#1129770).
- usb: cdc-acm: fix unthrottle races (bsc#1135642).
- usb: chipidea: Grab the (legacy) usb PHY by phandle first (bnc#1012382).
- usb: core: Fix bug caused by duplicate interface PM usage counter (bnc#1012382).
- usb: core: Fix unterminated string returned by usb_string() (bnc#1012382).
- usb: dwc3: Fix default lpm_nyet_threshold value (bnc#1012382).
- usb: gadget: net2272: Fix net2272_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix net2280_dequeue() (bnc#1012382).
- usb: gadget: net2280: Fix overrun of OUT messages (bnc#1012382).
- usb: serial: fix unthrottle races (bnc#1012382).
- usb: serial: use variable for status (bnc#1012382).
- usb: u132-hcd: fix resource leak (bnc#1012382).
- usb: usbip: fix isoc packet num validation in get_pipe (bnc#1012382).
- usb: w1 ds2490: Fix bug caused by improper use of altsetting array (bnc#1012382).
- usb: yurex: Fix protection fault after device removal (bnc#1012382).
- usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set (bnc#1012382).
- usbnet: ipheth: prevent TX queue timeouts when device not ready (bnc#1012382).
- vfio/pci: use correct format characters (bnc#1012382).
- vlan: disable SIOCSHWTSTAMP in container (bnc#1012382).
- vrf: sit mtu should not be updated when vrf netdev is the link (bnc#1012382).
- wlcore: Fix memory leak in case wl12xx_fetch_firmware failure (bnc#1012382).
- x86/Kconfig: Select SCHED_SMT if SMP enabled (bnc#1012382).
- x86/MCE: Save microcode revision in machine check records (bnc#1012382).
- x86/bugs: Add AMD's SPEC_CTRL MSR usage (bnc#1012382).
- x86/bugs: Change L1TF mitigation string to match upstream (bnc#1012382).
- x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR (bnc#1012382).
- x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features (bnc#1012382).
- x86/build: Mark per-CPU symbols as absolute explicitly for LLD (bnc#1012382).
- x86/build: Specify elf_i386 linker emulation explicitly for i386 objects (bnc#1012382).
- x86/cpu/bugs: Use __initconst for 'const' init data (bnc#1012382).
- x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors (bnc#1012382).
- x86/cpufeatures: Hide AMD-specific speculation flags (bnc#1012382).
- x86/hpet: Prevent potential NULL pointer dereference (bnc#1012382).
- x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error (bnc#1012382).
- x86/kprobes: Verify stack frame on kretprobe (bnc#1012382).
- x86/mds: Add MDSUM variant to the MDS documentation (bnc#1012382).
- x86/microcode/intel: Add a helper which gives the microcode revision (bnc#1012382).
- x86/microcode/intel: Check microcode revision before updating sibling threads (bnc#1012382).
- x86/microcode: Make sure boot_cpu_data.microcode is up-to-date (bnc#1012382).
- x86/microcode: Update the new microcode revision unconditionally (bnc#1012382).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bnc#1012382).
- x86/process: Consolidate and simplify switch_to_xtra() code (bnc#1012382).
- x86/speculataion: Mark command line parser data __initdata (bnc#1012382).
- x86/speculation/l1tf: Document l1tf in sysfs (bnc#1012382).
- x86/speculation/mds: Fix comment (bnc#1012382).
- x86/speculation/mds: Fix documentation typo (bnc#1012382).
- x86/speculation: Add command line control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add prctl() control for indirect branch speculation (bnc#1012382).
- x86/speculation: Add seccomp Spectre v2 user space protection mode (bnc#1012382).
- x86/speculation: Avoid __switch_to_xtra() calls (bnc#1012382).
- x86/speculation: Clean up spectre_v2_parse_cmdline() (bnc#1012382).
- x86/speculation: Disable STibP when enhanced IBRS is in use (bnc#1012382).
- x86/speculation: Enable prctl mode for spectre_v2_user (bnc#1012382).
- x86/speculation: Mark string arrays const correctly (bnc#1012382).
- x86/speculation: Move STIPB/ibPB string conditionals out of cpu_show_common() (bnc#1012382).
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (bnc#1012382).
- x86/speculation: Prepare for conditional ibPB in switch_mm() (bnc#1012382).
- x86/speculation: Prepare for per task indirect branch speculation control (bnc#1012382).
- x86/speculation: Prevent stale SPEC_CTRL msr content (bnc#1012382).
- x86/speculation: Provide ibPB always command line options (bnc#1012382).
- x86/speculation: Remove SPECTRE_V2_ibRS in enum spectre_v2_mitigation (bnc#1012382).
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (bnc#1012382).
- x86/speculation: Rename SSBD update functions (bnc#1012382).
- x86/speculation: Reorder the spec_v2 code (bnc#1012382).
- x86/speculation: Reorganize speculation control MSRs update (bnc#1012382).
- x86/speculation: Split out TIF update (bnc#1012382).
- x86/speculation: Support 'mitigations=' cmdline option (bnc#1012382 bsc#1112178).
- x86/speculation: Support Enhanced ibRS on future CPUs (bnc#1012382).
- x86/speculation: Unify conditional spectre v2 print functions (bnc#1012382).
- x86/speculation: Update the TIF_SSBD comment (bnc#1012382).
- x86/vdso: Drop implicit common-page-size linker flag (bnc#1012382).
- x86/vdso: Pass --eh-frame-hdr to the linker (git-fixes).
- x86: vdso: Use $LD instead of $CC to link (bnc#1012382).
- x86_64: Add gap to int3 to allow for call emulation (bsc#1099658).
- x86_64: Allow breakpoints to emulate call instructions (bsc#1099658).
- xen: Prevent buffer overflow in privcmd ioctl (bnc#1012382).
- xenbus: drop useless LIST_HEAD in xenbus_write_watch() and xenbus_file_write() (bsc#1065600).
- xsysace: Fix error handling in ace_setup (bnc#1012382).
- xtensa: fix return_address (bnc#1012382).


-----------------------------------------
Patch: SUSE-2019-1571
Released: Wed Jun 19 22:17:34 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1136266,1136267
Description:
This update for google-compute-engine fixes the following issues:

Update to version 20190522 (bsc#1136266, bsc#1136267)

+ Google Compute Engine
  * Fix guest attributes flow in Python 3.

+ Google Compute Engine OS Login
  * Update OS Login control file for FreeBSD support.

Version to version 20190521:

+ Google Compute Engine
  * Retry download for metadata scripts.
  * Fix script retrieval in Python 3.
  * Disable boto config in Python 3.
  * Update SSH host keys in guest attributes.
  * Fix XPS settings with more than 64 vCPUs.


-----------------------------------------
Patch: SUSE-2019-1572
Released: Wed Jun 19 22:17:56 2019
Summary: Recommended update for rpcbind
Severity: moderate
References: 1134659
Description:
This update for rpcbind fixes the following issues:

- change rpcbind locking path from /var/run/rpcbind.lock to 
  /run/rpcbind.lock (bsc#1134659)
- change the order of socket/service in the %postun scriptlet to
  avoid an error from rpcbind.socket when rpcbind is running 
  during package update


-----------------------------------------
Patch: SUSE-2019-1601
Released: Fri Jun 21 10:21:39 2019
Summary: Security update for sqlite3
Severity: important
References: 1136976,CVE-2019-8457
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:	  

- CVE-2019-8457: Fixed a Heap out-of-bound read in rtreenode() when handling invalid rtree tables (bsc#1136976).


-----------------------------------------
Patch: SUSE-2019-1608
Released: Fri Jun 21 10:27:11 2019
Summary: Security update for compat-openssl098
Severity: moderate
References: 1117951,1127080,1131291,CVE-2019-1559
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080)
- Reject invalid EC point coordinates (bsc#1131291)
- Fixed 'The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS Implementations' (bsc#1117951)


-----------------------------------------
Patch: SUSE-2019-1624
Released: Fri Jun 21 11:13:44 2019
Summary: Recommended update for yast2
Severity: moderate
References: 1128032
Description:
This update for yast2 fixes the following issues:

- Stop 'ls: write error: Broken pipe' messages. (bsc#1128032)
  

-----------------------------------------
Patch: SUSE-2019-1628
Released: Fri Jun 21 11:16:06 2019
Summary: Recommended update for samba
Severity: moderate
References: 1130245,1134452,1134697
Description:
This update for samba fixes the following issues:

- Fix cephwrap_flistxattr() debug message (bsc#1134697).
- Use the correct directory for vfs_ceph realpath (bsc#1134452).
- Explicitly enable libcephfs POSIX ACL support (bsc#1130245).


-----------------------------------------
Patch: SUSE-2019-1630
Released: Fri Jun 21 11:17:09 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1133847
Description:
This update for rsyslog fixes the following issues:

- Fixes an issue where the 'readTimeout' option couldn't be used while using
  imfile with polling mode(bsc#1133847)


-----------------------------------------
Patch: SUSE-2019-1715
Released: Thu Jun 27 10:21:31 2019
Summary: Recommended update for cloud-init, dhcp
Severity: moderate
References: 1087331,1095627,1097388,1099340,1101894,1111427,1114160,1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692
Description:
This update for cloud-init, dhcp provides the following fixes:

Changes to cloud-init:

- When the user configures a new rules file for network devices, the rules may not apply
  immediately, so trigger udevadm. (bsc#1125950)
- Fix the order of calls when writing routes so that the SUSE implementation of route
  config file writing has precedence over the default implementation. (bsc#1125992)
- Use the proper name to designate IPv6 addresses in ifcfg-* files. (bsc#1126101)
- Drop a '-' in the route file for the last column. (bsc#1123694)
- Make sure the resulting resolv.conf file is not empty. (bsc#1119397)
- Update to version 18.5 (bsc#1121878, bsc#1116767):
  * Add cloud-id binary to packages for SUSE.
  * azure: Accept variation in error msg from mount for ntfs volumes.
  * azure: Add apply_network_config option to disable network from IMDS.
  * azure: Add udev rules to create cloud-init Gen2 disk name symlinks.
  * azure: Detect vnet migration via netlink media change event.
  * azure: Fix a copy and paste error in error handling when reading azure ovf.
  * azure: Fix a regression introduced when persisting ephemeral dhcp lease.
  * azure: _poll_imds only retry on 404, failing on timeout.
  * azure: Remove /etc/netplan/90-hotplug-azure.yaml when net from IMDS.
  * azure: Report ready to fabric after reprovision and reduce logging.
  * azure: Retry imds polling on requests.Timeout.
  * config: On ubuntu select cloud archive mirrors for armel, armhf, arm64.
  * dhclient-hook: Clean it up, add tests and fix a bug on 'down' event.
  * doc: Change dns_nameserver property to dns_nameservers.
  * docs: Remove colon from network v1 config example.
  * instance-data: Add standard keys platform and subplatform. Refactor ec2.
  * instance-data: Fallback to instance-data.json if sensitive is absent.
  * logs: collect-logs ignore instance-data-sensitive.json on non-root user
  * net: Ephemeral*Network: Add connectivity check via URL.
  * net: Ignore nics that have 'zero' mac address.
  * net: Render 'metric' values in per-subnet routes.
  * NoCloud: Allow top level 'network' key in network-config.
  * ovf: Fix ovf network config generation gateway/routes.
  * ovf: Identify label iso9660 filesystems with label 'OVF ENV'.
  * query: Better error when missing read permission on instance-data.
  * resizefs: Prefix discovered devpath with '/dev/' when path does not exist.
  * systemd: On SUSE ensure cloud-init.service runs before wicked.
  * tools: Add cloud-id command line utility.
  * Update detection of openSUSE variants.
  * write_files: Add support for appending to files.
- Fix a decoding error that could cause persisting the metadata to fail. (bsc#1101894)
- Fix a problem that could cause static network to be configured with BOOTPROTO=none.
  (bsc#1114160)
- Changes from 18.4 (bsc#1087331, bsc#1097388, bsc#1111427, bsc#1095627):
  * Avoid Python 3 dependency when building for distros with Python 2 support.
  * Add dhcp-client as requirement as cloud-init uses dhclient to setup a temporary
    network for metadata retrieval. (fate#327672)
  * Use ds._crawled_metadata instance attribute if set when writing instance-data.json.
  * ec2: Update crawled metadata and add standardized keys.
  * lxd: Adjust to snap installed lxd.
  * Add support for Infiniband network interfaces (IPoIB).
  * cli: Add cloud-init query subcommand to query instance metadata.
  * stages: Fix bug causing datasource to have incorrect sys_cfg.
  * net_util: Ensure static configurations have netmask in translate_network result.
  * Fall back to root:root on syslog permissions if other options fail.
  * OpenStack: Support setting mac address on bond.
  * EphemeralIPv4Network: Be more explicit when adding default route.
  * OpenStack: Support reading of newer versions of metadata.
  * OpenStack: Fix a bug that was causing causing 'latest' version to be used from
    network.
  * user-data: Use jinja template to render instance-data.json in cloud-config.
  * config: Disable ssh access to a configured user account.
  * sysconfig: Refactor sysconfig to accept distro specific templates paths.
  * hyperv_reporting_handler: Simplify threaded publisher.
  * VMWare: Fix a network config bug in vm with static IPv4 and no gateway.
  * logging: Add logging config type hyperv for reporting via Azure KVP
  * Add datasource Oracle Compute Infrastructure (OCI).
  * azure: Allow azure to generate network configuration from IMDS per boot.
  * Scaleway: Add network configuration to the DataSource.
  * netplan: Correctly render macaddress on a bonds and bridges when provided.
  * tools: Add 'net-convert' subcommand command to 'cloud-init devel'.
  * Use typeset or local in profile.d scripts.
  * OpenNebula: Fix null gateway6.
  * tools: add '--debug' to tools/net-convert.py
  * update_metadata: A datasource can support network re-config every boot.
  * Retry on failed import of gpg receive keys.
  * tools: Fix run-container when neither source or binary package requested.
- Changes from 18.3:
  * Explicitly prevent `sudo` access for user module.
  * lxd: Delete default network and detach device if lxd-init created them.
  * openstack: Avoid unneeded metadata probe on non-openstack platforms.
  * stages: Fix tracebacks if a module stage is undefined or empty.
  * Be safer on string/bytes when writing multipart user-data to disk.
  * Fix get_proc_env for pids that have non-utf8 content in environment.
  * netplan: Fix mtu if provided by network config for all rendered types.
  * subp: Support combine_capture argument.
  * util: Add get_linux_distro function to replace platform.dist
  * Do not use the systemd_prefix macro, not available in this environment.
  * openstack: Allow discovery in init-local using dhclient in a sandbox.
  * yaml_load/schema: Add invalid line and column nums to error message.
  * Azure: Ignore NTFS mount errors when checking ephemeral drive.
  * cc_mounts: Do not add devices to fstab that are already present.
  * ds-identify: Ensure that we have certain tokens in PATH.
  * read_file_or_url: Move to url_helper, fix bug in its FileResponse.
  * ds-identify: Recognize container-other as a container.
  * ds-identify: Remove duplicate call to is_ds_enabled.
  * azure: Add reported ready marker file.
  * netinfo: Fix netdev_pformat when a nic does not have an address assigned.
  * collect-logs: Add -v flag, write to stderr, limit journal to single boot.
  * IBMCloud: Disable config-drive and nocloud only if IBMCloud is enabled.
  * Add reporting events and log_time around early source of blocking time.
  * IBMCloud: recognize provisioning environment during debug boots.
  * net: Detect unstable network names and trigger a settle if needed.
  * sysconfig: dhcp6 subnet type should not imply dhcpv4.
  * schema: In validation, raise ImportError if strict but no jsonschema.
  * set_passwords: Add newline to end of sshd config, only restart if updated.
  * net: Depend on iproute2's ip instead of net-tools ifconfig or route.
  * renderer: Support unicode in render_from_file.
  * Implement ntp client spec with auto support for distro selection.
  * apport: Add Brightbox, IBM, LXD, and OpenTelekomCloud to list of clouds.
  * tests: Fix ec2 integration network metadata validation.
  * cc_resizefs, util: Handle no /dev/zfs.
- The distribution indicator is set to SUSE during template expansion. Do not replace
  anything set to Ubuntu.
- Do not run cloud-init after network-online, this breaks functionality in cloud-init.
  Certain parts of the code running in this phase expect to run before the network is
  on-line.
- Root should not be enabled by default. Image builders/users that want root access by
  default should provide an appropriate configuration file during image build or image
  setup.
- Set distribution default to OpenSUSE/SLES. (bsc#1099340)
- Run metadata detection after network-online. (bsc#1097388)
- Properly accumulate all the defined routes for a given network device. Previously only
  the last defined route was written to the routes file. (bsc#1132692)
- Write the udev rules to a different file than the default. (bsc#1125950)
- Settle udev if not all configured devices are in the device tree to avoid race a
  condition between udev and cloud-init. (bsc#1125950)

Changes in dhcp:
- No changes, just being released together to be included in CaaS Platform.


-----------------------------------------
Patch: SUSE-2019-1722
Released: Tue Jul  2 12:05:09 2019
Summary: Security update for glib2
Severity: important
References: 1061599,1107116,1107121,1137001,CVE-2018-16428,CVE-2018-16429,CVE-2019-12450
Description:
This update for glib2 provides the following fix:


Security issues fixed:

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).     
- CVE-2018-16428: Avoid a null pointer dereference that could crash glib2 users in markup processing (bnc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

Non-security issues fixed:

- Install dummy *-mimeapps.list files to prevent dead symlinks. (bsc#1061599)



-----------------------------------------
Patch: SUSE-2019-1726
Released: Tue Jul  2 17:01:24 2019
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1116221,1118371
Description:
This update for nfs-utils fixes the following issues:

- Improves the integration for systemd (bsc#1116221)
- nfs.service will no longe rely on /etc/insserv.conf (bsc#1118371)


-----------------------------------------
Patch: SUSE-2019-1733
Released: Wed Jul  3 13:54:39 2019
Summary: Security update for elfutils
Severity: low
References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Description:
This update for elfutils fixes the following issues:

Security issues fixed: 	  

- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).  
- CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files 
  to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections 
  and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).


-----------------------------------------
Patch: SUSE-2019-1754
Released: Thu Jul  4 20:55:36 2019
Summary: Recommended update for yast2-storage
Severity: moderate
References: 1113714
Description:
This update for yast2-storage fixes the following issues:

- Fixes an error where YaST wrongly showed a message 'Not enough space available to
  propose separate /home' (bsc#1113714)

-----------------------------------------
Patch: SUSE-2019-1759
Released: Fri Jul  5 14:10:22 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1135070
Description:
This update for open-iscsi fixes the following issues:

- Adds iscsiuio support of systemd (bsc#1135070)

-----------------------------------------
Patch: SUSE-2019-1761
Released: Fri Jul  5 14:10:34 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1128383,1135261
Description:
This update for e2fsprogs fixes the following issues:

- Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)

- Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)

- Check and fix tails of all bitmaps. (bsc#1128383)


-----------------------------------------
Patch: SUSE-2019-1762
Released: Fri Jul  5 15:04:14 2019
Summary: Recommended update for wicked
Severity: moderate
References: 1106809,1118206,1118378,1123555,1127340
Description:
This update for wicked fixes the following issues:

Wicked was updated to version 0.6.54:

- switch to use systemd notify and prevent event backlog at start
  by calling udevadm settle before starting wickedd (bsc#1118206)
- dhcp6: don't discard confirm reply without status (bsc#1127340)
- ethtool: set lro legacy flag and not txvlan (bsc#1123555)
- init memory before use in ioctl
- fsm: fix find pending worker loop segfault (bsc#1106809)
- dhcp: request hostname/fqdn option in the tester (bsc#1118378)
- build: link with relro by default for binary hardening


-----------------------------------------
Patch: SUSE-2019-1764
Released: Sat Jul  6 21:10:19 2019
Summary: Recommended update for autoyast2
Severity: moderate
References: 1134501
Description:
This update for autoyast2 fixes the following issues:

- Fixes a bug where an error was raised when clicking the 'OK' button for
  the partition settings (bsc#1134501)


-----------------------------------------
Patch: SUSE-2019-1818
Released: Thu Jul 11 07:48:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1135262,1140016
Description:
This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.


-----------------------------------------
Patch: SUSE-2019-1830
Released: Fri Jul 12 17:50:41 2019
Summary: Security update for glib2
Severity: important
References: 1139959,1140122,CVE-2019-13012
Description:
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

Non-security issue fixed:

- Added explicit requires between libglib2 and libgio2 (bsc#1140122).


-----------------------------------------
Patch: SUSE-2019-1834
Released: Fri Jul 12 17:55:14 2019
Summary: Security update for expat
Severity: moderate
References: 1139937,CVE-2018-20843
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption 
  in the XML parser when XML names contain a large amount of colons (bsc#1139937).


-----------------------------------------
Patch: SUSE-2019-1844
Released: Mon Jul 15 07:13:09 2019
Summary: Recommended update for pam
Severity: low
References: 1116544
Description:
This update for pam fixes the following issues:

- restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)
    

-----------------------------------------
Patch: SUSE-2019-1847
Released: Mon Jul 15 14:38:47 2019
Summary: Security update for xrdp
Severity: important
References: 1014524,1015567,1029912,1060644,1069591,1090174,1100453,1101506,CVE-2013-1430,CVE-2017-16927,CVE-2017-6967
Description:
This update for xrdp fixes the following issues:

These security issues were fixed:

- CVE-2013-1430:  When successfully logging in using RDP into an xrdp session, 
  the file ~/.vnc/sesman_${username}_passwd was created. Its content was the equivalent 
  of the user's cleartext password, DES encrypted with a known key (bsc#1015567).
- CVE-2017-16927: The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager 
  in xrdp through used an untrusted integer as a write length, which could lead to a 
  local denial of service (bsc#1069591).
- CVE-2017-6967: Fixed call of the PAM function auth_start_session(). This lead
  to to PAM session modules not being properly initialized, with a potential
  consequence of incorrect configurations or elevation of privileges, aka a
  pam_limits.so bypass (bsc#1029912).

These non-security issues were fixed:

- The KillDisconnected option for TigerVNC Xvnc sessions is now supported (bsc#1101506)
- Fixed an issue with delayed X KeyRelease events (bsc#1100453)    
- Force xrdp-sesman.service to start after xrdp.service. (bsc#1014524)
- Avoid use of hard-coded sesman port. (bsc#1060644)
- Fixed a regression connecting from Windows 10. (bsc#1090174)


-----------------------------------------
Patch: SUSE-2019-1852
Released: Mon Jul 15 16:01:34 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1053043,1066223,1094555,1108382,1109137,1111188,1119086,1120902,1121263,1125580,1126961,1127155,1129770,1131335,1131336,1131645,1132390,1133140,1133190,1133191,1133738,1134395,1135642,1136598,1136889,1136922,1136935,1137004,1137194,1137739,1137749,1137752,1137915,1138291,1138293,1138374,1138681,1139751,1140575,1140577,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11487,CVE-2019-11599,CVE-2019-12380,CVE-2019-12456,CVE-2019-12614,CVE-2019-12818,CVE-2019-12819
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-10638: In the Linux kernel, a device could be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic was sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may have been conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses (bnc#1140575 1140577).
- CVE-2019-10639: The Linux kernel allowed Information Exposure (partial kernel address disclosure), that lead to a KASLR bypass. Specifically, it was possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it was possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack could be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visited the attacker's web page, then WebRTC or gQUIC could be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable because IP ID generation was changed to have a dependency on an address associated with a network namespace (bnc#1140577).
- CVE-2019-10126: A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might have lead to memory corruption and possibly other consequences (bnc#1136935).
- CVE-2018-20836: An issue was discovered in the Linux kernel There was a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free (bnc#1134395).
- CVE-2019-11599: The coredump implementation in the Linux kernel did not use locking or other mechanisms to prevent vma layout or vma flags changes while it ran, which allowed local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm call. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c (bnc#1131645 1133738).
- CVE-2019-12614: An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel There was an unchecked kstrdup of prop-name, which might have allowed an attacker to cause a denial of service (NULL pointer dereference and system crash) (bnc#1137194).
- CVE-2019-12819: An issue was discovered in the Linux kernel The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which would trigger a fixed_mdio_bus_init use-after-free. This would cause a denial of service (bnc#1138291).
- CVE-2019-12818: An issue was discovered in the Linux kernel The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller did not check for this, it would trigger a NULL pointer dereference. This would cause a denial of service. This affected nfc_llcp_build_gb in net/nfc/llcp_core.c (bnc#1138293).
- CVE-2019-12456: A double-fetch bug in _ctl_ioctl_main() could lead to a local denial of service attack (bsc#1136922 CVE-2019-12456).
- CVE-2019-12380: An issue was discovered in the efi subsystem in the Linux kernel phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because ;All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it (bnc#1136598).
- CVE-2019-11487: The Linux kernel before allowed page-_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It could occur with FUSE requests (bnc#1133190 1133191).

The following non-security bugs were fixed:

- Drop multiversion(kernel) from the KMP template (bsc#1127155).
- Fix ixgbe backport (bsc#1133140)
- Revert 'KMPs: obsolete older KMPs of the same flavour (bsc#1127155, bsc#1109137).' This reverts commit 4cc83da426b53d47f1fde9328112364eab1e9a19.
- Update 'TCP SACK Panic' series
- ACPI / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1126961).
- ACPI / CPPC: Fix KASAN global out of bounds warning (bsc#1126961).
- ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs (bsc#1126961).
- ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1126961).
- ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit (bsc#1126961).
- ACPI / CPPC: fix build issue with ktime_t used in logical operation (bsc#1126961).
- ACPI: CPPC: remove initial assignment of pcc_ss_data (bsc#1126961).
- at76c50x-usb: Do not register led_trigger if usb_register_driver failed (bsc#1135642).
- ath6kl: Only use match sets when firmware supports it (bsc#1120902).
- btrfs: check for refs on snapshot delete resume (bsc#1131335, bsc#1137004).
- btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188, bsc#1137004).
- btrfs: save drop_progress if we drop refs at all (bsc#1131336, bsc#1137004).
- ceph: fix potential use-after-free in ceph_mdsc_build_path (bsc#1138681).
- ceph: flush dirty inodes before proceeding with remount (bsc#1138681).
- ceph: print inode number in __caps_issued_mask debugging messages (bsc#1138681).
- cpu/hotplug: Provide cpus_read|write_[un]lock() (bsc#1138374, LTC#178199).
- cpu/hotplug: Provide lockdep_assert_cpus_held() (bsc#1138374, LTC#178199).
- cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1126961).
- cpufreq: CPPC: fix build in absence of v3 support (bsc#1126961).
- cpufreq: Replace 'max_transition_latency' with 'dynamic_switching' (bsc#1126961).
- cpufreq: cn99xx: set platform specific sampling rate (bsc#1126961).
- ibmvnic: Add device identification to requested IRQs (bsc#1137739).
- ibmvnic: Do not close unopened driver during reset (bsc#1137752).
- ibmvnic: Fix unchecked return codes of memory allocations (bsc#1137752).
- ibmvnic: Refresh device multicast list after reset (bsc#1137752).
- ibmvnic: remove set but not used variable 'netdev' (bsc#1137739).
- iwiwifi: fix bad monitor buffer register addresses (bsc#1129770).
- kabi: cpufreq: rename dynamic_switching to max_transition_latency (bsc#1126961).
- kernel/sys.c: prctl: fix false positive in validate_prctl_map() (bsc#1137749).
- libertas_tf: prevent underflow in process_cmdrequest() (bsc#1119086).
- mailbox: PCC: Move the MAX_PCC_SUBSPACES definition to header file (bsc#1126961).
- mailbox: pcc: Drop uninformative output during boot (bsc#1126961).
- mailbox: pcc: Fix crash when request PCC channel 0 (bsc#1126961).
- mwl8k: Fix rate_idx underflow (bsc#1135642).
- net/ibmvnic: Remove tests of member address (bsc#1137739).
- net: Remove NO_IRQ from powerpc-only network drivers (bsc#1137739).
- nvmet-fc: bring Disconnect into compliance with FC-NVME spec (bsc#1136889).
- nvmet-fc: fix issues with targetport assoc_list list walking (bsc#1136889).
- nvmet: fix fatal_err_work deadlock (bsc#1136889).
- nvmet_fc: support target port removal with nvmet layer (bsc#1136889).
- powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild (bsc#1138374, LTC#178199).
- powerpc/eeh: Fix race with driver un/bind (bsc#1066223).
- powerpc/perf: Add blacklisted events for Power9 DD2.1 (bsc#1053043).
- powerpc/perf: Add blacklisted events for Power9 DD2.2 (bsc#1053043).
- powerpc/perf: Fix MMCRA corruption by bhrb_filter (bsc#1053043).
- powerpc/perf: Infrastructure to support addition of blacklisted events (bsc#1053043).
- powerpc/process: Fix sparse address space warnings (bsc#1066223).
- powerpc/pseries/mobility: prevent cpu hotplug during DT update (bsc#1138374, LTC#178199).
- powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration (bsc#1138374, LTC#178199).
- rtlwifi: fix false rates in _rtl8821ae_mrate_idx_to_arfr_id() (bsc#1120902).
- scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
- scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
- scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
- signals: avoid random wakeups in sigsuspend() (bsc#1137915)
- treewide: Use DEVICE_ATTR_WO (bsc#1137739).
- x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).


-----------------------------------------
Patch: SUSE-2019-1861
Released: Wed Jul 17 11:35:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
Description:
This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken 
* Many new FIPS test cases


-----------------------------------------
Patch: SUSE-2019-1867
Released: Wed Jul 17 13:11:03 2019
Summary: Security update for libxslt
Severity: moderate
References: 1140095,1140101,CVE-2019-13117,CVE-2019-13118
Description:
This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).


-----------------------------------------
Patch: SUSE-2019-1896
Released: Thu Jul 18 16:26:45 2019
Summary: Security update for libxml2
Severity: moderate
References: 1010675,1110146,1126613,CVE-2016-9318
Description:
This update for libxml2 fixes the following issues:

Issue fixed:

- Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access 
  the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have 
  incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).


-----------------------------------------
Patch: SUSE-2019-1900
Released: Fri Jul 19 12:44:21 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1141022
Description:

This update for rsyslog fixes the following issues:

- The rsyslog-module-mmjsonparse is shipped for the Enterprise Server. (bsc#1141022 FATE#324208)
  

-----------------------------------------
Patch: SUSE-2019-1904
Released: Fri Jul 19 12:47:59 2019
Summary: Recommended update for openssh
Severity: important
References: 1138936
Description:
This update for openssh fixes the following issues:

- Fix a regression in utf-8 handling that could cause crashes of scp (bsc#1138936).



-----------------------------------------
Patch: SUSE-2019-1911
Released: Fri Jul 19 14:44:45 2019
Summary: Recommended update for grub2
Severity: important
References: 1134287,1139345
Description:
This update for grub2 fixes the following issues:
	  
- Fix a regression introduced by the previous update which could prevent
  booting on ppc64. (bsc#1134287, bsc#1139345).



-----------------------------------------
Patch: SUSE-2019-1915
Released: Mon Jul 22 08:43:49 2019
Summary: Recommended update for openslp
Severity: moderate
References: 1117969,1136136
Description:
This update for openslp fixes the following issues:

- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has
  a malformed attribute list (bsc#1136136)


-----------------------------------------
Patch: SUSE-2019-1955
Released: Tue Jul 23 11:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,985657,CVE-2016-3189,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).


-----------------------------------------
Patch: SUSE-2019-1957
Released: Tue Jul 23 11:56:35 2019
Summary: Recommended update for yast2-iscsi-client
Severity: moderate
References: 1045139
Description:
This update for yast2-iscsi-client fixes the following issues:

- removed onboot startup mode for LUNs on S/390 (bsc#1045139)


-----------------------------------------
Patch: SUSE-2019-1958
Released: Tue Jul 23 13:18:12 2019
Summary: Security update for glibc
Severity: moderate
References: 1127223,1127308,1128574,CVE-2009-5155,CVE-2019-9169
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).


-----------------------------------------
Patch: SUSE-2019-1972
Released: Thu Jul 25 15:00:03 2019
Summary: Security update for libsolv, libzypp, zypper
Severity: moderate
References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libsolv, libzypp and zypper fixes the following issues:

libsolv was updated to version 0.6.36 fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).

libzypp received following fixes:

- Fixes a bug where locking the kernel was not possible (bsc#1113296)

zypper received following fixes:

- Fixes a bug where the wrong exit code was set when refreshing
  repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
   appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)


-----------------------------------------
Patch: SUSE-2019-1988
Released: Fri Jul 26 09:02:08 2019
Summary: Recommended update for libXi
Severity: low
References: 1049681,1134167
Description:

This update for libXi provides the following fix:

- Fix a crash on X11 clients when tablet inputs are connected. (bsc#1049681)
- Fix a crash that would happen in case of a _XReply() call fails, freeing an uninitialized
  pointer. (bsc#1134167)


-----------------------------------------
Patch: SUSE-2019-1990
Released: Fri Jul 26 14:59:30 2019
Summary: Security update for cronie
Severity: low
References: 1128935,1128937,1130746,1133100,CVE-2019-9704,CVE-2019-9705
Description:
This update for cronie fixes the following issues:
	  
Security issues fixed:

- CVE-2019-9704: Fixed an insufficient check in the return value of calloc which
  could allow a local user to create Denial of Service by crashing the deamon (bsc#1128937).
- CVE-2019-9705: Fixed an implementation vulnerability which could allow a local user to
  exhaust the memory resulting in Denial of Service (bsc#1128935).  

Bug fixes:

- Manual start of cron is possible even when it's already started using systemd (bsc#1133100).
- Cron schedules only one job of crontab (bsc#1130746).


-----------------------------------------
Patch: SUSE-2019-1996
Released: Fri Jul 26 16:12:34 2019
Summary: Recommended update for sysstat
Severity: moderate
References: 1138767
Description:
This update for sysstat fixes the following issues:

- Fix scaling issue with mtab symlinks and automounter. (bsc#1138767)


-----------------------------------------
Patch: SUSE-2019-2000
Released: Fri Jul 26 16:31:34 2019
Summary: Recommended update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Severity: moderate
References: 1138920,1139649
Description:
This update for fixes the following issues:

containerd:

- Update to containerd v1.2.6, which is required for Docker v18.09.7-ce (bsc#1139649).

docker:

- Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).
- Update to Docker 18.09.7-ce. See upstream changelog in
  /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1139649).

docker-runc:

- Update to runc 425e105d5a03, which is required for Docker v18.09.7-ce (bsc#1139649).
- Remove docker-runc-test (it's not useful for actual testing).

golang-github-docker-libnetwork:

- Update to version git.e7933d41e7b206756115aa9df5e0599fc5169742 (bsc#1139649).


-----------------------------------------
Patch: SUSE-2019-2007
Released: Mon Jul 29 13:05:43 2019
Summary: Recommended update for autofs
Severity: moderate
References: 1038198,1062482,1066720,1068166,1087774,1127519
Description:

This update for autofs provides the following fixes:

- Fix issue where comparing CLOCK_MONOTONIC times with stat.st_mtime
  caused repeated re-reads of the map and stale ghost entries for
  failed mounts (bsc#1068166)
- Fix ordering of seteuid/setegid in do_spawn (bsc#1062482)
- Fix possible map instance memory leak (bsc#1038198)
- Check map instances for staleness on map update (bsc#1038198)
- Fix a bug that causes nanoseconds to be ignored and effectively disables sorting of
  hosts based on response time and/or weight. (bsc#1066720)
- Check for non existent negative entries in lookup_ghost(). (bsc#1087774)
- Fixes an issue with concurrent LDAP lookups on first connection (bsc#1127519)


-----------------------------------------
Patch: SUSE-2019-2013
Released: Mon Jul 29 15:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
  with files that used many selectors (bsc#1139083).


-----------------------------------------
Patch: SUSE-2019-2025
Released: Tue Jul 30 19:16:57 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially 
  due to the new FIPS test vectors. This will likely 
  prompt follow-on work, but please accept our 
  apologies in the meantime.

mozilla-nspr was updated to version 4.21:

* Changed prbit.h to use builtin function on aarch64.



-----------------------------------------
Patch: SUSE-2019-2026
Released: Tue Jul 30 19:19:50 2019
Summary: Recommended update for Azure Python SDK
Severity: moderate
References: 1054413,1122523,979331
Description:
This update brings the following python modules for the Azure Python SDK:

- python-Flask
- python-Werkzeug
- python-click
- python-decorator
- python-httpbin
- python-idna
- python-itsdangerous
- python-py
- python-pytest-httpbin
- python-pytest-mock
- python-requests
  

-----------------------------------------
Patch: SUSE-2019-2035
Released: Thu Aug  1 17:34:22 2019
Summary: Security update for polkit
Severity: important
References: 1121826,CVE-2019-6133
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass 
  uid checking in the interactive backend (bsc#1121826).


-----------------------------------------
Patch: SUSE-2019-2053
Released: Tue Aug  6 09:44:54 2019
Summary: Security update for python3
Severity: important
References: 1109663,1109847,1138459,CVE-2018-1000802,CVE-2018-14647,CVE-2019-10160
Description:
This update for python3 fixes the following issues:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).


-----------------------------------------
Patch: SUSE-2019-2057
Released: Tue Aug  6 14:25:41 2019
Summary: Optional update for sysstat
Severity: low
References: 1142470
Description:
This update for sysstat does not fix any user visible issues.

-----------------------------------------
Patch: SUSE-2019-2088
Released: Wed Aug  7 18:17:28 2019
Summary: Security update for tcpdump
Severity: moderate
References: 1068716,1142439,CVE-2017-16808,CVE-2019-1010220
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).


-----------------------------------------
Patch: SUSE-2019-2091
Released: Thu Aug  8 13:25:31 2019
Summary: Security update for python
Severity: important
References: 1138459,1141853,CVE-2018-20852,CVE-2019-10160
Description:
This update for python fixes the following issues:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).


-----------------------------------------
Patch: SUSE-2019-2101
Released: Fri Aug  9 10:38:55 2019
Summary: Recommended update for suse-module-tools
Severity: moderate
References: 1100989,1105495,1111300,1123697,1123704,1127155,1127891,1131635
Description:
This update for suse-module-tools to version 12.6 fixes the following issues:

- weak-modules2: emit 'inconsistent' warning only if replacement fails (bsc#1127155)
- modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989, bsc#1131635)
- Fix driver-check.sh (bsc#1123697, bsc#1123704)
- modsign-verify: support for parsing PKCS#7 signatures (bsc#1111300, bsc#1105495)


-----------------------------------------
Patch: SUSE-2019-2119
Released: Tue Aug 13 14:58:37 2019
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Severity: important
References: 1100331,1121967,1142160,1142413,1143409,CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Docker:

- CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).
- CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).
- Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413).

golang-github-docker-libnetwork:

- Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413).


-----------------------------------------
Patch: SUSE-2019-2120
Released: Wed Aug 14 11:17:39 2019
Summary: Recommended update for pam
Severity: moderate
References: 1136298,SLE-7257
Description:
This update for pam fixes the following issues:

- Enable pam_userdb.so (SLE-7257,bsc#1136298)
- Upgraded pam_userdb to 1.3.1.  (bsc#1136298)


-----------------------------------------
Patch: SUSE-2019-2136
Released: Wed Aug 14 12:20:23 2019
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1136112,1136113,1137384,1137385
Description:
This update for cloud-regionsrv-client fixes the following issues:

- If the credentials are not valid, an error is issued and the user is
  instructed to re-register the system
- Fixes a bug where the registration client aborted with a traceback when the instance
  data cannot be retrieved (bsc#1137384, bsc#1137385)

This maintenance update for cloud-regionsrv-client includes some more smaller bug fixes as well. Please
refer to this rpm's changelog file to receive a full list of all changes.


-----------------------------------------
Patch: SUSE-2019-2137
Released: Wed Aug 14 12:45:58 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1144092,1144170
Description:
This update for google-compute-engine fixes the following issues:

- updated to version 20190801 (bsc#1144092, bsc#1144170)
  * Fix for 2FA on RHEL 8
  * Support for Debian 10
  * Support for Google Private Access over IPv6
  * Support root disk expansion in RHEL 8 and Debian 10

Some more minor bug fixes were included in this maintenance update. The full list can be
retrieved from this rpm's changelog file.


-----------------------------------------
Patch: SUSE-2019-1606
Released: Wed Aug 21 13:36:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1128481,1136570,CVE-2019-3860
Description:
This update for libssh2_org fixes the following issues:

- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
  (Out-of-bounds reads with specially crafted SFTP packets)


-----------------------------------------
Patch: SUSE-2019-2196
Released: Thu Aug 22 14:35:07 2019
Summary: Recommended update for cloud-regionsrv-client
Severity: important
References: 1144754,1146321,1146462,1146463,1146467,1146468,1146610
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Adds a dependency to python3-urllib3 (bsc#1146610, bsc#1146321, bsc#1144754)
- Fixes an issue where the registration client exited with a traceback since the
  last update (bsc#1146462, bsc#1146463)
- Clear the new-registration marker if the instance has a cache of update
  servers (bsc#1146467, bsc#1146468)


-----------------------------------------
Patch: SUSE-2019-2216
Released: Mon Aug 26 11:29:42 2019
Summary: Recommended update for yast2-proxy
Severity: moderate
References: 1100366
Description:
This update for yast2-proxy provides the following fixes:

- Replace novel URLs by SUSE ones. (bsc#1100366)



-----------------------------------------
Patch: SUSE-2019-2240
Released: Wed Aug 28 14:57:51 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1144169
Description:
This update for ca-certificates-mozilla fixes the following issues:

- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

- Removed Root CAs:

  - Certinomis - Root CA

- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)



-----------------------------------------
Patch: SUSE-2019-2251
Released: Thu Aug 29 08:18:39 2019
Summary: Recommended update for autoyast2
Severity: moderate
References: 1135083
Description:
This update for autoyast2 fixes the following issues:

- Added support for enabling snapper when installing over a Software RAID. (bsc#1135083)


-----------------------------------------
Patch: SUSE-2019-2263
Released: Mon Sep  2 09:05:46 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1106061,1123161,1125674,1127034,1128977,1130972,1133860,1134399,1135335,1135365,1137584,1139358,1139826,1140652,1140903,1140945,1141181,1141401,1141402,1141452,1141453,1141454,1142023,1142254,1142857,1143045,1143048,1143189,1143191,1143333,1144257,1144273,1144288,1144920,1145920,1145922,CVE-2018-20855,CVE-2018-20856,CVE-2019-10207,CVE-2019-1125,CVE-2019-11810,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-15117,CVE-2019-15118,CVE-2019-3819
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-1125: Enable Spectre v1 swapgs mitigations (bsc#1139358).
- CVE-2018-20855: An issue was discovered in create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace (bsc#1143045).
- CVE-2019-14284: The drivers/block/floppy.c allowed a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143189).
- CVE-2019-14283: The function set_geometry in drivers/block/floppy.c did not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default (bsc#1143191).
- CVE-2019-11810: A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free (bsc#1134399).
- CVE-2019-13648: In the Linux kernel on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c (bnc#1142254).
- CVE-2019-13631: In parse_hid_report_descriptor in drivers/input/tablet/gtco.c, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages (bsc#1142023).
- CVE-2019-15118: Fixed kernel stack exhaustion in check_input_term in sound/usb/mixer.c via mishandled recursion (bnc#1145922).
- CVE-2019-15117: Fixed out-of-bounds memory access in parse_audio_mixer_unit in sound/usb/mixer.c via mishandled short descriptor (bnc#1145920).
- CVE-2019-3819: A flaw was fixed in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may have enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') could have caused a system lock up and a denial of service (bnc#1123161).
- CVE-2019-10207: Check for missing tty operations in bluetooth/hci_uart (bsc#1142857).
- CVE-2018-20856: Fixed a use-after-free issue in block/blk-core.c, where certain error case are mishandled (bnc#1143048).

The following non-security bugs were fixed:

- cifs: do not log STATUS_NOT_FOUND errors for DFS (bsc#1125674).
- dlm: Fix saving of NULL callbacks (bsc#1135365).
- bcache: Revert 'bcache: fix high CPU occupancy during journal' (bsc#1140652, bsc#1144288).
- bcache: Revert 'bcache: free heap cache_set->flush_btree in bch_journal_free' (bsc#1140652, bsc#1144288).
- bcache: add reclaimed_journal_buckets to struct cache_set (bsc#1140652, bsc#1144288).
- bcache: fix race in btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: fix stack corruption by PRECEDING_KEY() (bsc#1130972, bsc#1144257).
- bcache: only set BCACHE_DEV_WB_RUNNING when cached device attached (bsc#1130972, bsc#1144273).
- bcache: performance improvement for btree_flush_write() (bsc#1140652, bsc#1144288).
- bcache: remove retry_flush_write from struct cache_set (bsc#1140652, bsc#1144288).
- bonding: Force slave speed check after link state recovery for 802.3ad (bsc#1137584).
- clocksource: Defer override invalidation unless clock is unstable (bsc#1139826).
- kvm: mmu: Fix overflow on kvm mmu page limit calculation (bsc#1135335).
- kvmclock: fix TSC calibration for nested guests (bsc#1133860, jsc#PM-1211).
- mm, page_alloc: fix has_unmovable_pages for HugePages (bsc#1127034).
- powerpc/watchpoint: Restore NV GPRs while returning from exception (bsc#1140945, bsc#1141401, bsc#1141402, bsc#1141452, bsc#1141453, bsc#1141454).
- qla2xxx: performance degradation when enabling blk-mq (bsc#1128977).
- qlge: Deduplicate lbq_buf_size (bsc#1106061).
- qlge: Deduplicate rx buffer queue management (bsc#1106061).
- qlge: Factor out duplicated expression (bsc#1106061).
- qlge: Fix dma_sync_single calls (bsc#1106061).
- qlge: Fix irq masking in INTx mode (bsc#1106061).
- qlge: Refill empty buffer queues from wq (bsc#1106061).
- qlge: Refill rx buffers up to multiple of 16 (bsc#1106061).
- qlge: Remove bq_desc.maplen (bsc#1106061).
- qlge: Remove irq_cnt (bsc#1106061).
- qlge: Remove page_chunk.last_flag (bsc#1106061).
- qlge: Remove qlge_bq.len size (bsc#1106061).
- qlge: Remove rx_ring.sbq_buf_size (bsc#1106061).
- qlge: Remove rx_ring.type (bsc#1106061).
- qlge: Remove useless dma synchronization calls (bsc#1106061).
- qlge: Remove useless memset (bsc#1106061).
- qlge: Replace memset with assignment (bsc#1106061).
- qlge: Update buffer queue prod index despite oom (bsc#1106061).
- rbd: flush rbd_dev->watch_dwork after watch is unregistered (bsc#1143333).
- rbd: retry watch re-registration periodically (bsc#1143333).
- sched/fair: Do not free p->numa_faults with concurrent readers (bsc#1144920).
- sched/fair: Use RCU accessors consistently for ->numa_group (bsc#1144920).
- scsi: virtio_scsi: let host do exception handling (bsc#1141181).
- x86: mm: fix fast GUP with hyper-based TLB flushing (VM Functionality, bsc#1140903).
- x86: tsc: Add X86_FEATURE_TSC_KNOWN_FREQ flag (bsc#1133860, jsc#PM-1211).
- xen: let alloc_xenballooned_pages() fail if not enough memory free (XSA-300).


-----------------------------------------
Patch: SUSE-2019-2264
Released: Mon Sep  2 09:07:12 2019
Summary: Security update for perl
Severity: important
References: 1114674,CVE-2018-18311
Description:
This update for perl fixes the following issues:

Security issue fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).


-----------------------------------------
Patch: SUSE-2019-2284
Released: Wed Sep  4 13:41:59 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1146172
Description:
This update for google-compute-engine fixes the following issues:

- Fix install location of NSS and PAM shared libraries (bsc#1146172)
- Switch RPM group for oslogin package from Hardware to System/Daemons


-----------------------------------------
Patch: SUSE-2019-2285
Released: Wed Sep  4 14:21:15 2019
Summary: Recommended update for yast2-users
Severity: moderate
References: 1130158,1143205
Description:
This update for yast2-users provides the following fixes:

- Do not copy the skeleton files for system users. (bsc#1130158, bsc#1143205)
  

-----------------------------------------
Patch: SUSE-2019-2288
Released: Wed Sep  4 14:22:47 2019
Summary: Recommended update for systemd
Severity: moderate
References: 1104902,1107617,1137053,1142661
Description:
This update for systemd fixes the following issues:

- Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902)
- udevd: changed the default value of udev.children-max (again) (bsc#1107617)


-----------------------------------------
Patch: SUSE-2019-2295
Released: Wed Sep  4 17:42:37 2019
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1136752,1144020
Description:
This update for SUSEConnect fixes the following issues:

- Fix failing on registered system without arguments (bsc#1144020)
- Fix base product service removal during de-registration in public clouds (bsc#1136752)


-----------------------------------------
Patch: SUSE-2019-2303
Released: Thu Sep  5 12:10:29 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1137336,SLE-5560
Description:
This update for supportutils fixes the following issues:

- Added sed and gawk as a runtime dependency (bsc#1137336)
- Removed Novell references (SLE-5560)
- Update getappcore to use SUSE FTP server
- Added FTPES and HTTPS upload options. HTTPS will be the default.


-----------------------------------------
Patch: SUSE-2019-2329
Released: Fri Sep  6 16:08:08 2019
Summary: Security update for apache2
Severity: important
References: 1145575,1145738,1145740,1145741,1145742,CVE-2019-10081,CVE-2019-10082,CVE-2019-10092,CVE-2019-10098,CVE-2019-9517
Description:
This update for apache2 fixes the following issues:

Security issues fixed:

- CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained interal data buffering (bsc#1145575).
- CVE-2019-10081: Fixed mod_http2 that is vulnerable to memory corruption on early pushes (bsc#1145742).
- CVE-2019-10082: Fixed mod_http2 that is vulnerable to read-after-free in h2 connection shutdown (bsc#1145741).
- CVE-2019-10092: Fixed limited cross-site scripting in mod_proxy (bsc#1145740).
- CVE-2019-10098: Fixed mod_rewrite configuration vulnerablility to open redirect (bsc#1145738).


-----------------------------------------
Patch: SUSE-2019-2343
Released: Tue Sep 10 12:47:17 2019
Summary: Recommended update for cloud-regionsrv-client
Severity: important
References: 1148644,1149840
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Fixes an issue where repositories where missing on a system (bsc#1148644, bsc#1149840)


-----------------------------------------
Patch: SUSE-2019-2356
Released: Wed Sep 11 13:18:35 2019
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1137262,983491
Description:
This update for nfs-utils fixes the following issues:

- The -u option of 'exportfs' will now fail when IP addresses are unresolvable (bsc#1137262, bsc#983491)


-----------------------------------------
Patch: SUSE-2019-2370
Released: Thu Sep 12 13:30:35 2019
Summary: Security update for python-urllib3
Severity: moderate
References: 1119376,1129071,1132663,1132900,CVE-2018-20060,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740
Description:
This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
- CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376).


-----------------------------------------
Patch: SUSE-2019-2372
Released: Thu Sep 12 14:01:27 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1139942,1140914,SLE-7081
Description:
This update for krb5 fixes the following issues:

- Fix missing responder if there is no pre-auth; (bsc#1139942)
- Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081)
- Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081)
  

-----------------------------------------
Patch: SUSE-2019-2339
Released: Thu Sep 12 14:17:53 2019
Summary: Security update for curl
Severity: important
References: 1149496,CVE-2019-5482
Description:
This update for curl fixes the following issues:

Security issue fixed:

- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).


-----------------------------------------
Patch: SUSE-2019-2390
Released: Tue Sep 17 15:46:02 2019
Summary: Security update for openldap2
Severity: moderate
References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).


-----------------------------------------
Patch: SUSE-2019-2413
Released: Fri Sep 20 10:44:26 2019
Summary: Security update for openssl
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for openssl fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).


-----------------------------------------
Patch: SUSE-2019-2440
Released: Mon Sep 23 17:15:13 2019
Summary: Security update for expat
Severity: moderate
References: 1149429,CVE-2019-15903
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)


-----------------------------------------
Patch: SUSE-2019-2480
Released: Fri Sep 27 13:12:08 2019
Summary: Security update for gpg2
Severity: moderate
References: 1124847,1141093,CVE-2019-13050
Description:
This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847).


-----------------------------------------
Patch: SUSE-2019-2481
Released: Fri Sep 27 13:40:33 2019
Summary: Recommended update for google-compute-engine
Severity: important
References: 1150058
Description:
This update for google-compute-engine fixes the following issues:

- Fixes an issue where the implementation of Google Private Access over IPv6 was not
  complete and thus crashed the application (bsc#1150058)


-----------------------------------------
Patch: SUSE-2019-2487
Released: Sat Sep 28 10:06:15 2019
Summary: Recommended update for sle-module-containers-release
Severity: moderate
References: 1146863
Description:
This update for sle-module-containers-release fixes the following issues:

- Sync end of life date with SUSE Linux Enterprise 12 lifecycle.  (bsc#1146863)


-----------------------------------------
Patch: SUSE-2019-2510
Released: Tue Oct  1 17:37:12 2019
Summary: Security update for libgcrypt
Severity: moderate
References: 1148987,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:
	  
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)


-----------------------------------------
Patch: SUSE-2019-2513
Released: Wed Oct  2 10:48:28 2019
Summary: Security update for jasper
Severity: moderate
References: 1010783,1117505,1117507,1117508,1117511,CVE-2016-9396,CVE-2018-19539,CVE-2018-19540,CVE-2018-19541,CVE-2018-19542
Description:
This update for jasper fixes the following issues:

Security issues fixed:

- CVE-2018-19540: Fixed  a heap based overflow in jas_icctxtdesc_input (bsc#1117508).
- CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507).
- CVE-2018-19542: Fixed a denial of service in jp2_decode (bsc#1117505).
- CVE-2018-19539: Fixed a denial of service in jas_image_readcmpt (bsc#1117511).
- CVE-2016-9396: Fixed a denial of service in jpc_cox_getcompparms (bsc#1010783).


-----------------------------------------
Patch: SUSE-2019-2536
Released: Thu Oct  3 15:03:14 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1150137,CVE-2019-16168
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).


-----------------------------------------
Patch: SUSE-2019-2556
Released: Fri Oct  4 13:36:49 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1134508,992577
Description:
This update for tcsh fixes the following issues:

- Make a copy of the file descriptor of the history file to be able not only to lock but
  also unlock the file. (bsc#992577, bsc#1134508)
- Add Shift-JIS Japanese character support. (fate#324487)


-----------------------------------------
Patch: SUSE-2019-2558
Released: Fri Oct  4 13:53:18 2019
Summary: Security update for compat-openssl098
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for compat-openssl098 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).


-----------------------------------------
Patch: SUSE-2019-2618
Released: Tue Oct  8 16:13:39 2019
Summary: Recommended update for cloud-regionsrv-client
Severity: important
References: 1149528,1152567
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Fixes a crash if a new registration flag file does not exist (bsc#1149528)
- Adds a new runtime dependency to the python3-six module to avoid a crash (bsc#1152567)


-----------------------------------------
Patch: SUSE-2019-2625
Released: Thu Oct 10 14:38:40 2019
Summary: Recommended update for lifecycle-data-sle-module-legacy
Severity: low
References: 1142850
Description:
This update for lifecycle-data-sle-module-legacy fixes the following issues:

- Extends the lifecycle of libstdc++33 and libstdc++33-32bit (bsc#1142850, fate#324015)


-----------------------------------------
Patch: SUSE-2019-2627
Released: Fri Oct 11 12:05:29 2019
Summary: Recommended update for python-setuptools and dependend packages
Severity: moderate
References: 1024540,1054413,1074247,1075812,1088358,1091826,1110422,CVE-2016-9015
Description:

All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)

New packages:
- python-cachetools
- python-google-auth
- python-packaging

Rebuilt without source changes:

- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest

Added python3 packages:

- python-hgtools
- python-pyasn1-modules
- python-rsa

Updated:

- python-kubernetes
  Updated to version 6.0

- python-pyparsing

  Was updated to version 2.2.0.

- python-setuptools

  Was upgraded to version 40.6.2.



-----------------------------------------
Patch: SUSE-2019-2636
Released: Fri Oct 11 17:08:44 2019
Summary: Recommended update for wicked
Severity: moderate
References: 1042123,1129986,1132280,1132326,1132774,1136034,1140117,1142670
Description:
This update for wicked fixes the following issues:

- Fixes an issue where dhclient incorrectly assumes a /64 IPv6 prefix (bsc#1132280)
- Fixes an issue where the system gets stuck in bringing up the network (bsc#1129986)
- Fixes an issue where udevadm settle caused systemd to kill wicked services (bsc#1136034, bsc#1132774)
- Fixes an issue where the value of LLADDR was ignored (bsc#1042123, bsc#1142670)
- Fixes an issue where wicked was unable to set up the Wifi module (bsc#1140117)
- Fixes an issue where routing options were not set correctly (bsc#1132326)

-----------------------------------------
Patch: SUSE-2019-2641
Released: Fri Oct 11 17:10:29 2019
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1124318,1130864,1143635
Description:
This update for SUSEConnect provides the following fix:

- Fix getting the list of installed products when zypper plugins are present (bsc#1143635)
- Fixes an error when trying to activate the PackageHub extension the first time (bsc#1124318)


-----------------------------------------
Patch: SUSE-2019-2650
Released: Mon Oct 14 10:52:46 2019
Summary: Security update for binutils
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2019-1010180,ECO-368,SLE-6206
Description:
This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:

Includes the following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in  load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
  (bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section

Update to binutils 2.32:

* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
  encoding of VEX.W-ignored (WIG) VEX instructions.
  It also has a new -mx86-used-note=[yes|no] option to generate (or
  not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
  the Loongson EXTensions (EXT) instructions, the Loongson Content
  Address Memory (CAM) ASE and the Loongson MultiMedia extensions
  Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
  limit on the maximum amount of recursion that is allowed whilst
  demangling strings.  This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
  specifying the starting symbol for disassembly.  Disassembly will
  continue from this symbol up to the next symbol or the end of the
  function.
* The BFD linker will now report property change in linker map file
  when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
  archives, unless -t is given twice.  This makes it more useful
  when generating a list of files that should be packaged for a
  linker bug report.
* The GOLD linker has improved warning messages for relocations that
  refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.

  

-----------------------------------------
Patch: SUSE-2019-2666
Released: Tue Oct 15 13:15:21 2019
Summary: Security update for sudo
Severity: important
References: 1153674,CVE-2019-14287
Description:
This update for sudo fixes the following issues:

Security issue fixed: 	  

- CVE-2019-14287: Fixed an issue where a user with sudo privileges
  that allowed them to run commands with an arbitrary uid, could
  run commands as root, despite being forbidden to do so in sudoers
  (bsc#1153674).



-----------------------------------------
Patch: SUSE-2019-2669
Released: Tue Oct 15 14:38:11 2019
Summary: Security update for libpcap
Severity: important
References: 1153332,CVE-2018-16301,CVE-2019-15165
Description:
This update for libpcap fixes the following issues:

- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).


-----------------------------------------
Patch: SUSE-2019-2701
Released: Wed Oct 16 17:33:49 2019
Summary: Recommended update for cifs-utils
Severity: moderate
References: 1130528,1132087,1136031
Description:
This update for cifs-utils fixes the following issues:

- Update to cifs-utils 6.9 (bsc#1132087, bsc#1136031)
- Allow cached DNS entry to expire (fate#325270)
- Document new SMB2.1+ defaults (bsc#1130528)


-----------------------------------------
Patch: SUSE-2019-2703
Released: Thu Oct 17 10:05:41 2019
Summary: Recommended update for binutils
Severity: important
References: 1152590,1154016,1154025
Description:
This update for binutils fixes the following issues:

- Fixed a segfault in ld when building some versions of pacemaker. (bsc#1154025, bsc#1154016)
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses.  (bsc#1152590)



-----------------------------------------
Patch: SUSE-2019-2708
Released: Thu Oct 17 16:42:58 2019
Summary: Recommended update for python-urllib3
Severity: moderate
References: 1150895
Description:
This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)


-----------------------------------------
Patch: SUSE-2019-2727
Released: Mon Oct 21 14:43:41 2019
Summary: Security update for dhcp
Severity: moderate
References: 1089524,1134078,1136572,CVE-2019-6470
Description:
This update for dhcp fixes the following issues:

Secuirty issue fixed:

- CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078).

Bug fixes:

- Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524).
- Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572).


-----------------------------------------
Patch: SUSE-2019-2740
Released: Tue Oct 22 15:34:30 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description:
This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.


-----------------------------------------
Patch: SUSE-2019-2741
Released: Tue Oct 22 15:36:39 2019
Summary: Recommended update for parted
Severity: moderate
References: 1023818,1032562,1056508,1078820,1081547,1092327,1104667,959181,969165
Description:
This update for parted fixes the following issues:

- Fix an endianness bug failing the creation of GPT partition tables in blkpg handling
  on s390x (bsc#1104667)
- mkpart: Allow empty quoted string '''' or '''' for the GPT partition name in script
  mode (bsc#1023818, bsc#1032562)
- Fix starting CHS in protective MBR (bsc#969165)
- Fixes an issue where partition names for dm devices didn't match kpartx (bsc#1056508)
- Fixes a partition device naming issue for all devices (bsc#1078820, bsc#1081547)


-----------------------------------------
Patch: SUSE-2019-2752
Released: Wed Oct 23 11:23:24 2019
Summary: Security update for sysstat
Severity: moderate
References: 1150114,CVE-2019-16167
Description:
This update for sysstat fixes the following issue:

- CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114)


-----------------------------------------
Patch: SUSE-2019-2761
Released: Thu Oct 24 07:08:33 2019
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1149149
Description:
This update for pciutils-ids fixes the following issues:

- updates the list of devices so that more devices will get identified (bsc#1149149)


-----------------------------------------
Patch: SUSE-2019-2781
Released: Fri Oct 25 14:27:08 2019
Summary: Security update for nfs-utils
Severity: moderate
References: 1150733,CVE-2019-3689
Description:
This update for nfs-utils fixes the following issues:

- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)


-----------------------------------------
Patch: SUSE-2019-2787
Released: Fri Oct 25 15:56:54 2019
Summary: Security update for docker-runc
Severity: moderate
References: 1152308,CVE-2019-16884
Description:
This update for docker-runc fixes the following issues:

- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)


-----------------------------------------
Patch: SUSE-2019-2798
Released: Mon Oct 28 16:57:01 2019
Summary: Security update for python3
Severity: moderate
References: 1141853,1149955,CVE-2018-20852,CVE-2019-16056
Description:
This update for python3 fixes the following issues:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2018-20852: Fixed an incorrect domain validation that could lead to cookies being sent to the wrong server. (bsc#1141853)


-----------------------------------------
Patch: SUSE-2019-2800
Released: Mon Oct 28 17:11:35 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1151630,1153839
Description:
This update for tcsh fixes the following issues:

- An issue has been fixed where the csh reported 'Abort (core dumped)' by accident (bsc#1151630)


-----------------------------------------
Patch: SUSE-2019-2816
Released: Tue Oct 29 15:14:34 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1149094,1153451,1153459,CVE-2019-17041,CVE-2019-17042
Description:
This update for rsyslog fixes the following issues:

Security issues fixed:

- CVE-2019-17041: Fixed a heap overflow in the parser for AIX log messages (bsc#1153451).
- CVE-2019-17042: Fixed a heap overflow in the parser for Cisco log messages (bsc#1153459).

Non-security issue fixed:

- imudp: fix segfault in ratelimit code (bsc#1149094)
  


-----------------------------------------
Patch: SUSE-2019-2818
Released: Tue Oct 29 17:22:01 2019
Summary: Recommended update for zypper and libzypp
Severity: important
References: 1049825,1116995,1140039,1145521,1146415,1153557
Description:
This update for zypper and libzypp fixes the following issues:

Package: zypper

- Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
- Rephrased the file conflicts check summary (bsc#1140039)
- Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)

Package: libzypp

- Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
  mode when resolving jobs (bsc#1146415)
- Fixes a file descriptor leak in the media backend (bsc#1116995)


-----------------------------------------
Patch: SUSE-2019-2748
Released: Mon Nov  4 15:43:07 2019
Summary: Security update for python
Severity: moderate
References: 1149955,1153238,CVE-2019-16056,CVE-2019-16935
Description:
This update for python fixes the following issues:

Security issue fixed:

- CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).


-----------------------------------------
Patch: SUSE-2019-2887
Released: Mon Nov  4 17:31:49 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1139870
Description:
This update for apparmor provides the following fix:

- Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure
  apparmor does not generate profiles for programs marked as not having their own
  profiles. (bsc#1139870)


-----------------------------------------
Patch: SUSE-2019-2890
Released: Mon Nov  4 17:46:33 2019
Summary: Security update for samba
Severity: important
References: 1144902,CVE-2019-10218
Description:
This update for samba fixes the following issues:

- CVE-2019-10218: Client code can return filenames containing path separators (bsc#1144902).


-----------------------------------------
Patch: SUSE-2019-2898
Released: Tue Nov  5 17:00:27 2019
Summary: Recommended update for systemd
Severity: important
References: 1140631,1150595,1154948
Description:
This update for systemd fixes the following issues:

- sd-bus: deal with cookie overruns (bsc#1150595)
- rules: Add by-id symlinks for persistent memory (bsc#1140631)
- Drop the old fds used for logging and reopen them in the
  sub process before doing any new logging.  (bsc#1154948)


-----------------------------------------
Patch: SUSE-2019-2936
Released: Fri Nov  8 13:19:55 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1154862,CVE-2019-17498
Description:
This update for libssh2_org fixes the following issue:

- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).


-----------------------------------------
Patch: SUSE-2019-2941
Released: Tue Nov 12 10:03:32 2019
Summary: Security update for libseccomp
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893
Description:
This update for libseccomp fixes the following issues:

Update to new upstream release 2.4.1:

* Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates

Update to release 2.3.3:

* Updated the syscall table for Linux v4.15-rc7

Update to release 2.3.2:

* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
  flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
  set to true
* Several small documentation fixes

- ignore make check error for ppc64/ppc64le, bypass bsc#1142614


-----------------------------------------
Patch: SUSE-2019-2966
Released: Tue Nov 12 22:33:27 2019
Summary: Recommended update for xrdp
Severity: moderate
References: 1138954,1144327,1144379,1150584,1152711,1153471,1155789
Description:
This update for xrdp fixes the following issues:

- Fixed an issue where xrdp could not start due to an error in the service 
  file use absolute path in ExecStart (bsc#1155789).	  
- Let systemd handle the daemons, fixing daemon start failures. (bsc#1138954, bsc#1144327)
- Fixed a PAM error after 2nd xrdp session after logout (bsc#1153471).
- Fixed a crash in xrdp-sesman, caused by terminating and reconnecting an xrdp session (bsc#1152711).
- Fixed a failure in RDP session recovery (bsc#1150584).
- Fixed a process leak (bsc#1144379).


-----------------------------------------
Patch: SUSE-2019-2972
Released: Thu Nov 14 12:04:52 2019
Summary: Security update for libjpeg-turbo
Severity: important
References: 1156402,CVE-2019-2201
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
  when attempting to compress or decompress gigapixel images. [bsc#1156402]



-----------------------------------------
Patch: SUSE-2019-2974
Released: Thu Nov 14 14:17:44 2019
Summary: Recommended update for irqbalance
Severity: important
References: 1119465,1154905
Description:
This update for irqbalance fixes the following issues:

- Irqbalanced spreads the IRQs between the available virtual machines. (bsc#1119465, bsc#1154905)


-----------------------------------------
Patch: SUSE-2019-2949
Released: Fri Nov 15 07:29:47 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1051510,1084878,1117665,1131107,1133140,1135966,1135967,1136261,1137865,1139073,1140671,1141013,1141054,1142458,1143187,1144123,1144903,1145477,1146042,1146163,1146285,1146361,1146378,1146391,1146413,1146425,1146512,1146514,1146516,1146519,1146524,1146526,1146529,1146540,1146543,1146547,1146550,1146584,1146589,1147022,1147122,1148394,1148938,1149083,1149376,1149522,1149527,1149555,1149612,1150025,1150112,1150452,1150457,1150465,1150727,1150942,1151347,1151350,1152685,1152782,1152788,1153158,1153263,1154103,1154372,1155131,1155671,CVE-2016-10906,CVE-2017-18379,CVE-2017-18509,CVE-2017-18551,CVE-2017-18595,CVE-2018-12207,CVE-2018-20976,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-13272,CVE-2019-14814,CVE-2019-14815,CVE-2019-14816,CVE-2019-14821,CVE-2019-14835,CVE-2019-15098,CVE-2019-15211,CVE-2019-15212,CVE-2019-15214,CVE-2019-15215,CVE-2019-15216,CVE-2019-15217,CVE-2019-15218,CVE-2019-15219,CVE-2019-15220,CVE-2019-15221,CVE-2019-15239,CVE-2019-15290,CVE-2019-15291,CVE-2019-15505,CVE-2019-15666,CVE-2019-15807,CVE-2019-15902,CVE-2019-15924,CVE-2019-15926,CVE-2019-15927,CVE-2019-16232,CVE-2019-16233,CVE-2019-16234,CVE-2019-16413,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17133,CVE-2019-17666,CVE-2019-9456,CVE-2019-9506
Description:

The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race
  condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine
  Exception during Page Size Change, causing the CPU core to be non-functional.

  The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in
  executable pages by splitting / merging huge pages into small pages as
  needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735

- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port
  failed to add a port, which may have caused denial of service (bsc#1152685).

- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
  Transactional Memory support could be used to facilitate sidechannel
  information leaks out of microarchitectural buffers, similar to the
  previously described 'Microarchitectural Data Sampling' attack.

  The Linux kernel was supplemented with the option to disable TSX operation
  altogether (requiring CPU Microcode updates on older systems) and better
  flushing of microarchitectural buffers (VERW).

  The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251

- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
  alloc_workqueue return value, leading to a NULL pointer dereference.
  (bsc#1150457).

- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
  space. (bsc#1144903).

- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).

- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE,
  leading to a Buffer Overflow (bsc#1153158).

- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell
  libertas driver (bsc#1150465).

- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return
  value, leading to a NULL pointer dereference. (bsc#1150452).

- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
  enforce CAP_NET_RAW, which meant that unprivileged users could create a raw
  socket (bnc#1152782).

- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
  meant that unprivileged users could create a raw socket (bsc#1152788).

- CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly,
  which caused an i_size_read() infinite loop and denial of service on SMP
  systems (bnc#1151347).

- CVE-2019-15902: A backporting issue was discovered that re-introduced the
  Spectre vulnerability it had aimed to eliminate. This occurred because the
  backport process depends on cherry picking specific commits, and because two
  (correctly ordered) code lines were swapped (bnc#1149376).

- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused
  by a malicious USB device (bnc#1146519).

- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused
  to cause denial of service (bnc#1148938).

- CVE-2019-13272: Fixed a mishandled the recording of the credentials of a
  process that wants to create a ptrace relationship, which allowed local users
  to obtain root access by leveraging certain scenarios with a parent-child
  process relationship, where a parent drops privileges and calls execve
  (potentially allowing control by an attacker). (bnc#1140671).

- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM
  hypervisor. An unprivileged host user or process with access to '/dev/kvm'
  device could use this flaw to crash the host kernel, resulting in a denial of
  service or potentially escalating privileges on the system (bnc#1151350).

- CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by
  crafted USB device traffic (bnc#1147122).

- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
  (bnc#1149555).

- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
  functionality that translates virtqueue buffers to IOVs. A privileged guest
  user able to pass descriptors with invalid length to the host could use this
  flaw to increase their privileges on the host (bnc#1150112).

- CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious
  USB device (bnc#1146361).

- CVE-2019-15924: A a NULL pointer dereference has been fixed in the
  drivers/net/ethernet/intel/fm10k module (bnc#1149612).

- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
  fixed. This issue could lead to local escalation of privilege with System
  execution privileges needed. (bnc#1150025).

- CVE-2019-15926: An out-of-bounds access was fixed in the
  drivers/net/wireless/ath/ath6kl module. (bnc#1149527).

- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer
  module (bnc#1149522).

- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm
  module that could cause denial of service (bnc#1148394).

- CVE-2017-18379: An out-of-boundary access was fixed in the
  drivers/nvme/target module (bnc#1143187).

- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by
  a malicious USB device (bnc#1146519 1146524).

- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a
  malicious USB device (bnc#1146519 1146526).

- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by
  a malicious USB device (bnc#1146519 1146529).

- CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi
  chip driver. That issue allowed local users to cause a denial of service
  (system crash) or possibly execute arbitrary code (bnc#1146512).

- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
  (bsc#1146512, bsc#1146514, bsc#1146516).

- CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver
  was fixed. Local users would have abused this issue to cause a denial of
  service (system crash) or possibly execute arbitrary code (bnc#1146516).

- CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket
  option, an attacker could control a pointer in kernel land and cause an
  inet_csk_listen_stop general protection fault, or potentially execute
  arbitrary code under certain circumstances. The issue can be triggered as
  root (e.g., inside a default LXC container or with the CAP_NET_ADMIN
  capability) or after namespace unsharing. (bnc#1145477)

- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
  low encryption key length and did not prevent an attacker from influencing
  the key length negotiation. This allowed practical brute-force attacks (aka
  'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
  the victim noticing (bnc#1137865).

- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was
  fixed (bnc#1146378).

- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe
  was fixed (bsc#1146378).

- CVE-2019-15239: A incorrect patch to net/ipv4 was fixed. By adding to a write
  queue between disconnection and re-connection, a local attacker could trigger
  multiple use-after-free conditions. This could result in kernel crashes or
  potentially in privilege escalation. (bnc#1146589)

- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
  (bnc#1146391).

- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc
  (bnc#1146584).

- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was
  fixed in the drivers/media/v4l2-core driver (bnc#1146519).

- CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB
  device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).

- CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed
  (bnc#1146519).

- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device
  was fixed in the drivers/media/usb/siano driver (bnc#1146413).

- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was
  fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).

- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
  (bnc#1146285).

- CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver
  (bnc#1146163).

- CVE-2019-0154: An unprotected read access to i915 registers has been fixed
  that could have been abused to facilitate a local denial-of-service attack.
  (bsc#1135966)

- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the
  i915 module that allowed batch buffers from user mode to gain super user
  privileges. (bsc#1135967)

The following non-security bugs were fixed:

- array_index_nospec: Sanitize speculative array (bsc#1155671)
- bonding/802.3ad: fix link_failure_count tracking (bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1141013).
- bonding: correctly update link status during mii-commit phase (bsc#1141013).
- bonding: fix active-backup transition (bsc#1141013).
- bonding: make speed, duplex setting consistent with link state (bsc#1141013).
- bonding: ratelimit failed speed/duplex update warning (bsc#1141013).
- bonding: require speed/duplex only for 802.3ad, alb and tlb (bsc#1141013).
- bonding: set default miimon value for non-arp modes if not set (bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1141013).
- cifs: fix panic in smb2_reconnect (bsc#1142458).
- cifs: handle netapp error codes (bsc#1136261).
- cpu/speculation: Uninline and export CPU mitigations helpers (bnc#1117665).
- ib/core, ipoib: Do not overreact to SM LID change event (bsc#1154103)
- ib/core: Add mitigation for Spectre V1 (bsc#1155671)
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- kvm: Convert kvm_lock to a mutex (bsc#1117665).
- kvm: lapic: cap __delay at lapic_timer_advance_ns (bsc#1149083).
- kvm: mmu: drop vcpu param in gpte_access (bsc#1117665).
- kvm: mmu: introduce kvm_mmu_gfn_{allow,disallow}_lpage (bsc#1117665).
- kvm: mmu: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed (bsc#1117665).
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active (bsc#1117665).
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- kvm: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf() and is_mmio_page_fault() (bsc#1117665).
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct (bsc#1117665).
- kvm: x86: MMU: Move handle_mmio_page_fault() call to kvm_mmu_page_fault() (bsc#1117665).
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page() (bsc#1117665).
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to link_shadow_page() (bsc#1117665).
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page() (bsc#1117665).
- kvm: x86: MMU: always set accessed bit in shadow PTEs (bsc#1117665).
- kvm: x86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- kvm: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- kvm: x86: extend usage of RET_MMIO_PF_* constants (bsc#1117665).
- kvm: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT (bnc#1117665).
- kvm: x86: move nsec_to_cycles from x86.c to x86.h (bsc#1149083).
- kvm: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- kvm: x86: simplify ept_misconfig (bsc#1117665).
- media: smsusb: better handle optional alignment (bsc#1146413).
- pci: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- powerpc/64s: support nospectre_v2 cmdline option (bsc#1131107).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 bsc#1150942 ltc#178925 ltc#181484).
- powerpc/rtas: use device model APIs and serialization during LPM (bsc#1144123 ltc#178840).
- powerpc/security: Show powerpc_security_features in debugfs (bsc#1131107).
- scsi: scsi_transport_fc: Drop double list_del() (bsc#1084878) During the backport of 260f4aeddb48 ('scsi: scsi_transport_fc: return -EBUSY for deleted vport') an additional list_del() was introduced. The list entry will be freed in fc_vport_terminate(). Do not free it premature in fc_remove_host().
- swiotlb: Add support for DMA_ATTR_SKIP_CPU_SYNC in Xen-swiotlb unmap path (bsc#1133140).
- vmci: Release resource if the work is already queued (bsc#1051510).
- x86/cpu: Add Atom Tremont (Jacobsville) (bsc#1117665).


-----------------------------------------
Patch: SUSE-2019-3003
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Severity: moderate
References: 1153386,SLE-10396
Description:
This update for procps provides the following fixes:

- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)


-----------------------------------------
Patch: SUSE-2019-3005
Released: Tue Nov 19 10:13:32 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1111029,1154482
Description:
This update for supportutils provides the following fixes:

- Added free -h
- Removed LPM/DLPAR data for POWER. (bsc#1111029)
- Removed root .snapshots directory from full file list (bsc#1154482)


-----------------------------------------
Patch: SUSE-2019-3006
Released: Tue Nov 19 10:14:11 2019
Summary: Recommended update for openssh
Severity: moderate
References: 1139089,1150574
Description:
This update for openssh contains the following fixes:

- Allow 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN='yes' in /etc/sysconfig/ssh. (bsc#1139089)
- Attempt to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R).  (bsc#1139089)


-----------------------------------------
Patch: SUSE-2019-3049
Released: Mon Nov 25 17:01:09 2019
Summary: Recommended update for man-pages
Severity: moderate
References: 1154701
Description:
This update for man-pages fixes the following issues:

- Correct documentation of 'tcp_fack' and documenting 'tcp_recovery'. (bsc#1154701)


-----------------------------------------
Patch: SUSE-2019-3050
Released: Mon Nov 25 17:26:54 2019
Summary: Security update for sqlite3
Severity: important
References: 1155787,CVE-2017-2518
Description:
This update for sqlite3 fixes the following issues:

- CVE-2017-2518: Fixed a use-after-free vulnerability which could have 
  led to buffer overflow via a crafted SQL statement (bsc#1155787).


-----------------------------------------
Patch: SUSE-2019-3057
Released: Mon Nov 25 17:31:37 2019
Summary: Security update for cups
Severity: important
References: 1146358,1146359,CVE-2019-8675,CVE-2019-8696
Description:
This update for cups fixes the following issues:

- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358). 
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).


-----------------------------------------
Patch: SUSE-2019-3058
Released: Mon Nov 25 17:32:43 2019
Summary: Security update for tiff
Severity: moderate
References: 1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2019-14973: Fixed an improper check which was depended on the compiler
  which could have led to integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268)
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
  TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)


-----------------------------------------
Patch: SUSE-2019-3064
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:
	  
- CVE-2019-14866: Fixed an improper validation of the values written 
  in the header of a TAR file through the to_oct() function which could 
  have led to unexpected TAR generation (bsc#1155199).


-----------------------------------------
Patch: SUSE-2019-3069
Released: Tue Nov 26 12:38:26 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1152760
Description:
This update for rsyslog fixes the following issues:

- Fix shutdown hang when remote server becomes unavailable. (bsc#1152760)


-----------------------------------------
Patch: SUSE-2019-3085
Released: Thu Nov 28 10:01:53 2019
Summary: Security update for libxml2
Severity: low
References: 1123919
Description:
This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect
all CVEs that have been fixed over the past.


-----------------------------------------
Patch: SUSE-2019-3092
Released: Thu Nov 28 15:44:33 2019
Summary: Security update for libarchive
Severity: moderate
References: 1032089,1037008,1037009,1059134,1059139,1120653,1120654,1124341,1124342,1155079,CVE-2016-10209,CVE-2016-10349,CVE-2016-10350,CVE-2017-14501,CVE-2017-14502,CVE-2018-1000877,CVE-2018-1000878,CVE-2019-1000019,CVE-2019-1000020,CVE-2019-18408
Description:
This update for libarchive fixes the following issues:

Security issues fixed:

- CVE-2018-1000877: Fixed a double free vulnerability in RAR decoder (bsc#1120653).
- CVE-2018-1000878: Fixed a Use-After-Free vulnerability in RAR decoder (bsc#1120654).
- CVE-2019-1000019: Fixed an Out-Of-Bounds Read vulnerability in 7zip decompression (bsc#1124341).
- CVE-2019-1000020: Fixed an Infinite Loop vulnerability in ISO9660 parser (bsc#1124342).
- CVE-2019-18408: Fixed a use-after-free in RAR format support (bsc#1155079).


-----------------------------------------
Patch: SUSE-2019-3094
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

Bug fixes:

- Fixed ppc64le build configuration (bsc#1134550).


-----------------------------------------
Patch: SUSE-2019-3103
Released: Fri Nov 29 06:46:35 2019
Summary: Recommended update for sysstat
Severity: moderate
References: 1144923,SLE-5958
Description:
This update for sysstat fixes the following issues:

- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)


-----------------------------------------
Patch: SUSE-2019-3107
Released: Fri Nov 29 06:48:48 2019
Summary: Recommended update for sle-module-legacy-release
Severity: low
References: 1125463
Description:
This update for sle-module-legacy-release provides the following fix:

- Update IBM Java 6 and Sendmail EOL message. (bsc#1125463)


-----------------------------------------
Patch: SUSE-2019-3122
Released: Fri Nov 29 14:47:02 2019
Summary: Recommended update for wicked
Severity: moderate
References: 1132280,1132977,1142214,1143182,1150183,1150972,SLE-5936
Description:
This update for wicked provides the following fixes:

- dhcp4: Fix an intermittent hang during network setup by cleaning up the defer timer
  pointer when timeout. (bsc#1142214)
- dhcp6: Initial support to request prefix for delegations. (jsc#SLE-5936)
- dhcp6: Set the noprefixroute address option. (bsc#1132280)
- dhcp6: Omit noprefixroute with address-length. Allow to assume that the address
  prefix-length override specified in the config is a valid on-link prefix length, to let
  the kernel create a route for this prefix. (bsc#1150972)
- dhcp6: Differentiated mode=auto resolving from RA. Fix to not trigger n error when ipv6
  RA is not available or the received RA disables dhcp while mode is set to auto, but to
  deliver a 'deferred' result. (bsc#1150183)
- libwicked: Fix versioning and packaging by shipping the internal helper library inside
  the wicked package itself. (bsc#1143182, bsc#1132977)


-----------------------------------------
Patch: SUSE-2019-3130
Released: Tue Dec  3 05:51:37 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1023308,1089877,1145233,1156837,1157043
Description:
This update for supportutils contains the following fixes:

- Updated version 3.0.5 to 3.0.6:
  + Supportconfig takes a long time to complete on 32TB machine. (bsc#1157043)
  + Updated detailed unit information fix in systemd.txt. (bsc#1023308)
  + Dynamically select compression method. (bsc#1145233)
  + Strip trailing commas from process names. (bsc#1156837)
  + Include IPv6 routes. (bsc#1089877)


-----------------------------------------
Patch: SUSE-2019-3132
Released: Tue Dec  3 10:52:14 2019
Summary: Recommended update for update-alternatives
Severity: moderate
References: 1154043
Description:
This update for update-alternatives fixes the following issues:

- Fix post install scripts: test if there is actual file before calling update-alternatives. (bsc#1154043)


-----------------------------------------
Patch: SUSE-2019-3134
Released: Tue Dec  3 10:55:27 2019
Summary: Recommended update for cronie
Severity: moderate
References: 1155114
Description:
This update for cronie fixes the following issues:

- Update crontab so it doesn't print the headers of crontab with the 'crontab -l' command. (bsc#1155114)


-----------------------------------------
Patch: SUSE-2019-3135
Released: Tue Dec  3 10:56:05 2019
Summary: Recommended update for growpart, growpart-rootgrow
Severity: moderate
References: 1154357,ECO-550
Description:
This update for growpart, growpart-rootgrow contains the following fixes:

growpart:

- Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)

growpart-rootgrow:

- Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
- Bump from version 1.0.0 to 1.0.1:
 - Fixed binary location in service unit file.

  

-----------------------------------------
Patch: SUSE-2019-3180
Released: Thu Dec  5 11:42:40 2019
Summary: Security update for permissions
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
  which could have allowed a squid user to gain persistence by changing the 
  binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic 
  links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).


-----------------------------------------
Patch: SUSE-2019-3186
Released: Thu Dec  5 11:44:21 2019
Summary: Security update for Mesa
Severity: moderate
References: 1156015,CVE-2019-5068
Description:
This update for Mesa fixes the following issues:

Security issue fixed:

- CVE-2019-5068: Fixed exploitable shared memory permissions vulnerability (bsc#1156015).


-----------------------------------------
Patch: SUSE-2019-3196
Released: Fri Dec  6 09:55:42 2019
Summary: Recommended update for autoyast2
Severity: moderate
References: 1156567
Description:
This update for autoyast2 fixes the following issues:

- Consider extended partitions when trying to figure out whether the partitioning layout described in the profile fits. (bsc#1156567)


-----------------------------------------
Patch: SUSE-2019-3291
Released: Thu Dec 12 18:09:53 2019
Summary: Recommended update for lio-utils
Severity: moderate
References: 1152794
Description:
This update for lio-utils fixes the following issues:

- Fix for deleting iscsi targets restarting target.service due to false exit code. (bsc#1152794)


-----------------------------------------
Patch: SUSE-2019-3342
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Severity: moderate
References: 1151577
Description:
This update for elfutils fixes the following issues:

- Add require of 'libebl1' for 'libelf1'. (bsc#1151577)


-----------------------------------------
Patch: SUSE-2019-3364
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Severity: moderate
References: 1158586,1159162
Description:
This update for ncurses fixes the following issues:

- Work around a bug of old upstream gen-pkgconfig (bsc#1159162) 
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements as (lib)tinfo are binary compatible
  with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix last change, that is add missed library linker paths as well
  as missed include directories for none standard paths (bsc#1158586,
  bsc#1159162)
- Do not mix include directories of different ncurses ABI (bsc#1158586) 


-----------------------------------------
Patch: SUSE-2019-2694
Released: Fri Dec 20 14:21:14 2019
Summary: Recommended update for rpcbind
Severity: moderate
References: 1142343
Description:
This update for rpcbind fixes the following issues:

- Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343)


-----------------------------------------
Patch: SUSE-2019-3379
Released: Sat Dec 21 11:51:35 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1091041,1119461,1119465,1131107,1138190,1146544,1146612,1150466,1150483,1152631,1153811,1154905,1155689,1155897,1155898,1156187,1157038,1157042,1157070,1157143,1157158,1157191,1157324,1157333,1157464,1158132,1158394,1158398,1158410,1158413,1158417,1158445,1158823,1158824,1158827,1158834,1158900,1158903,1158904,1158954,CVE-2019-14895,CVE-2019-15213,CVE-2019-16231,CVE-2019-18660,CVE-2019-18680,CVE-2019-18683,CVE-2019-18805,CVE-2019-19052,CVE-2019-19062,CVE-2019-19065,CVE-2019-19073,CVE-2019-19074,CVE-2019-19332,CVE-2019-19338,CVE-2019-19523,CVE-2019-19524,CVE-2019-19525,CVE-2019-19527,CVE-2019-19530,CVE-2019-19531,CVE-2019-19532,CVE-2019-19533,CVE-2019-19534,CVE-2019-19535,CVE-2019-19536,CVE-2019-19537,SLE-4941,SLE-8953,SLE-9221
Description:
The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).
- CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).
- CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).
- CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).
- CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).
- CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).
- CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).
- CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).
- CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).
- CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).
- CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).
- CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).
- CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).
- CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).
- CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).
- CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).
- CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).
- CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).
- CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).
- CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).
- CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).
- CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).
- CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).


The following non-security bugs were fixed:

- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- xen/pv: Fix a boot up hang revealed by int3 self test (bsc#1153811).
- arp: Fix cache issue during Life Partition Migration (bsc#1152631).
- futexes: Fix speed on 4.12 kernel (bsc#1157464).


-----------------------------------------
Patch: SUSE-2019-3387
Released: Mon Dec 23 18:08:08 2019
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1151398
Description:
This update for google-compute-engine contains the following fix:

-  Add a wait limit to retrying DNS resolution to avoid a forever loop. (bsc#1151398)
  

-----------------------------------------
Patch: SUSE-2020-4
Released: Thu Jan  2 12:30:27 2020
Summary: Recommended update for xrdp
Severity: moderate
References: 1155952,1157860
Description:
This update for xrdp fixes the following issues:
    
- Fix error that couldn't let xrdp service restart. (bsc#1155952)
- Don't try to create .vnc directory if it already exists. (bsc#1157860)


-----------------------------------------
Patch: SUSE-2020-26
Released: Tue Jan  7 13:53:59 2020
Summary: Security update for sysstat
Severity: moderate
References: 1144923,1159104,CVE-2019-19725,SLE-5958
Description:
This update for sysstat fixes the following issues:

Security issue fixed:                                                                                                                                                               
                                                                                                                                                                                   
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).                                                                                    

Bug fixes:

- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)


-----------------------------------------
Patch: SUSE-2020-65
Released: Fri Jan 10 11:02:46 2020
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Severity: moderate
References: 1122469,1143349,1150397,1152308,1153367,1158590,CVE-2019-16884
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issue fixed:

- CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).

Bug fixes:

- Update to Docker 19.03.5-ce (bsc#1158590).
- Update to Docker 19.03.3-ce (bsc#1153367).
- Update to Docker 19.03.2-ce (bsc#1150397).
- Fixed default installation such that --userns-remap=default works properly (bsc#1143349).
- Fixed nginx blocked by apparmor (bsc#1122469).


-----------------------------------------
Patch: SUSE-2020-79
Released: Mon Jan 13 10:37:34 2020
Summary: Security update for libzypp
Severity: moderate
References: 1158763,CVE-2019-18900
Description:
This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).


-----------------------------------------
Patch: SUSE-2020-86
Released: Mon Jan 13 14:12:22 2020
Summary: Security update for e2fsprogs
Severity: moderate
References: 1160571,CVE-2019-5188
Description:
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).


-----------------------------------------
Patch: SUSE-2020-88
Released: Mon Jan 13 15:47:05 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322,1158527,1159819,CVE-2019-11745,CVE-2019-17006
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.


-----------------------------------------
Patch: SUSE-2020-98
Released: Tue Jan 14 13:42:15 2020
Summary: Recommended update for gcc48
Severity: low
References: 1071995
Description:

This update for gcc48 fixes the following issues:

- Add changes needed for SLE15 live patching. (bsc#1071995, fate#323487)
- Provide .ipa-clones dump files. (bsc#1071995, fate#323487)



-----------------------------------------
Patch: SUSE-2020-102
Released: Tue Jan 14 16:25:22 2020
Summary: Security update for man
Severity: moderate
References: 1159105
Description:
This update for man fixes the following issues:

- Skip using 'safe-rm' in cron job below cache directory (bsc#1159105).


-----------------------------------------
Patch: SUSE-2020-105
Released: Wed Jan 15 11:55:21 2020
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1158939
Description:
This update for open-iscsi fixes the following issues:

- Fixes issues with DHCP and ICMP (bsc#1158939).


-----------------------------------------
Patch: SUSE-2020-106
Released: Wed Jan 15 12:50:55 2020
Summary: Recommended update for libgcrypt
Severity: important
References: 1155338,1155339
Description:
This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)


-----------------------------------------
Patch: SUSE-2020-144
Released: Mon Jan 20 17:44:07 2020
Summary: Recommended update for yast2-iscsi-client
Severity: moderate
References: 1157349
Description:
This update for yast2-iscsi-client fixes the following issues:

- Fix detection of service current status (bsc#1157349).


-----------------------------------------
Patch: SUSE-2020-159
Released: Wed Jan 22 11:24:06 2020
Summary: Security update for tigervnc
Severity: important
References: 1159856,1159858,1159860,1160250,1160251,1160937,CVE-2019-15691,CVE-2019-15692,CVE-2019-15693,CVE-2019-15694,CVE-2019-15695
Description:
This update for tigervnc fixes the following issues:

- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).


-----------------------------------------
Patch: SUSE-2020-227
Released: Fri Jan 24 09:24:11 2020
Summary: Recommended update for aaa_base
Severity: moderate
References: 1084934,1115020,1118364,1128246,1149127,1157794,910904
Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc that is replace up-history with
 previous-history, down-history with next-history and backward-delete-word with
 backward-kill-word. (bsc#1084934)
- Reduces the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
- Update logic for JRE_HOME variable. (bsc#1128246)
- Restore old position of ssh/sudo source of profile. (bsc#1118364)
- Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
- Generalize testing for JVM system variables supporting other shells when creating the java path. (boo#1157794)


-----------------------------------------
Patch: SUSE-2020-233
Released: Fri Jan 24 16:09:40 2020
Summary: Security update for samba
Severity: moderate
References: 1160888,CVE-2019-14907
Description:
This update for samba fixes the following issues:

- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).


-----------------------------------------
Patch: SUSE-2020-254
Released: Tue Jan 28 20:36:52 2020
Summary: Recommended update for kdump
Severity: important
References: 1021484,1021846,1036223,1047609,1047634,1068234,1072584,1080916,1080953,1094444,1101149,1102252,1108170,1108919,1111207,1112387,1116463,1117652,1125011,1133407,1141064,884453,951144
Description:
This update for kdump fixes the following issues:

- Fixes an issue where the OS might be hanging when triggering kdump over a USB disk (bsc#1101149)
- Fixes an issue where kdump failed when a crash is triggered after CPU hot removal (bsc#1133407)
- Fixes an issue where kdump could not be used on mounted nfs paths (bsc#1094444, bsc#1116463, bsc#1141064)
- Fixes an issue where kdump crashed after booting the OS (bsc#1021484, bsc#1080953)
- Added ':force' as an option to KDUMP_NETCONFIG to force network setup in kdump. This is needed
  to configure fence_kdump (bsc#1108919)
- Improved the handling of NSS (bsc#1021846)
- Fixes an issue where the kdump mount points were not unmounted before switching to system root. This
  could lead to devices being busy during system shutdown (bsc#1102252, bsc#1125011)
- Fixes multipath configuration with user_friendly_names or aliases (bsc#1111207)
- There's now a fallback to re-register FADUMP from userspace if the kernel is not able to do it (bsc#1108170)
- Added a better fallback solution when Kernel signature is missing (bsc#1080916)
- Fixed an issue where KDUMPTOOL_FLAGS has been passed several times to the command line on kdump restart (bsc#1072584)


-----------------------------------------
Patch: SUSE-2020-257
Released: Thu Jan 30 07:21:19 2020
Summary: Recommended update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
Severity: moderate
References: 1054413,1065275,1073879
Description:

This update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
brings updates for use by Azure Client Tools.

- python-tabulate: shipped also as python3 variant.
- python-cryptography: updated to 1.7.2
- python-py: updated to 1.5.2
- python-pyOpenSSL: updated to 17.0.0

  

-----------------------------------------
Patch: SUSE-2020-276
Released: Thu Jan 30 18:01:53 2020
Summary: Recommended update for apache2
Severity: important
References: 1160100,1161675
Description:
This update for apache2 fixes the following issues:

- Fix crash in mod_ssl: work around leaks on (graceful) restart (bsc#1161675)

- apache2-devel now provides httpd-devel [bsc#1160100]


-----------------------------------------
Patch: SUSE-2020-304
Released: Mon Feb  3 15:31:43 2020
Summary: Recommended update for ldb
Severity: moderate
References: 1161417
Description:

This update for ldb fixes the following issue:

- ship the ldb-tools package. (bsc#1161417)
  

-----------------------------------------
Patch: SUSE-2020-326
Released: Wed Feb  5 14:57:45 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1154533,1158664
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Properly handle IPv6 addresses in URLs
- Fix crash with a stack trace if no current_smt is present (bsc#1158664).
- Support repositories with different credentials files (bsc#1154533).
- Add --clean option and --help
- Add man page


-----------------------------------------
Patch: SUSE-2020-332
Released: Thu Feb  6 06:57:48 2020
Summary: Recommended update for rsyslog
Severity: moderate
References: 1156499
Description:
This update for rsyslog fixes the following issues:

- Fix for some QA test segfault occured in libc. (bsc#1156499)


-----------------------------------------
Patch: SUSE-2020-374
Released: Fri Feb  7 15:03:58 2020
Summary: Recommended update for python-pyparsing
Severity: moderate
References: 1122668
Description:

This update provides python-pyparsing 2.2.0:

- Bumped minor version number to reflect compatibility issues with
  OneOrMore and ZeroOrMore bugfixes in 2.1.10. (2.1.10 fixed a bug
  that was introduced in 2.1.4, but the fix could break code
  written against 2.1.4 - 2.1.9.)
- Updated setup.py to address recursive import problems now
  that pyparsing is part of 'packaging' (used by setuptools).
  Patch submitted by Joshua Root, much thanks!
- Fixed KeyError issue reported by Yann Bizeul when using packrat
  parsing in the Graphite time series database, thanks Yann!
- Fixed incorrect usages of '\' in literals, as described in
  https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
  Patch submitted by Ville Skyttä - thanks!
- Minor internal change when using '-' operator, to be compatible
  with ParserElement.streamline() method.
- Expanded infixNotation to accept a list or tuple of parse actions
  to attach to an operation.
- New unit test added for dill support for storing pyparsing parsers.
  Ordinary Python pickle can be used to pickle pyparsing parsers as
  long as they do not use any parse actions. The 'dill' module is an
  extension to pickle which *does* support pickling of attached

It also provides python3 builds.

  

-----------------------------------------
Patch: SUSE-2020-376
Released: Fri Feb  7 17:31:36 2020
Summary: Security update for docker-runc
Severity: moderate
References: 1160452,CVE-2019-19921
Description:
This update for docker-runc fixes the following issues:

- CVE-2019-19921: Fixed a volume mount race condition with shared mounts (bsc#1160452).


-----------------------------------------
Patch: SUSE-2020-373
Released: Tue Feb 18 15:06:18 2020
Summary: Security update for dbus-1
Severity: important
References: 1137832,CVE-2019-12749
Description:
This update for dbus-1 fixes the following issues:
	  
Security issue fixed:     
    
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which 
  could have allowed local attackers to bypass authentication (bsc#1137832).   


-----------------------------------------
Patch: SUSE-2020-403
Released: Wed Feb 19 09:05:00 2020
Summary: Recommended update for apache2
Severity: moderate
References: 1162027
Description:
This update for apache2 fixes the following issues:

- For for SSL Certificate chain error when using mod_ssl and mod_md in a complex setup. (bsc#1162027)


-----------------------------------------
Patch: SUSE-2020-404
Released: Wed Feb 19 09:05:47 2020
Summary: Recommended update for p11-kit
Severity: moderate
References: 1154871
Description:
This update for p11-kit fixes the following issues:

- Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)


-----------------------------------------
Patch: SUSE-2020-406
Released: Wed Feb 19 09:31:10 2020
Summary: Security update for sudo
Severity: important
References: 1162202,1162675,CVE-2019-18634
Description:
This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).


-----------------------------------------
Patch: SUSE-2020-410
Released: Wed Feb 19 09:34:17 2020
Summary: Security update for wicked
Severity: important
References: 1160903,1160904,1160905,1160906,CVE-2019-18902,CVE-2019-18903,CVE-2020-7216,CVE-2020-7217
Description:
This update for wicked fixes the following issues:

- CVE-2019-18902: Fixed a use-after-free when receiving invalid DHCP6 client options (bsc#1160903).
- CVE-2019-18903: Fixed a use-after-free when receiving invalid DHCP6 IA_PD option (bsc#1160904).
- CVE-2020-7216: Fixed a potential denial of service via a memory leak when processing packets with missing message type option in DHCP4 (bsc#1160905).
- CVE-2020-7217: Fixed a memory leak in DHCP4 fsm when processing packets for other client ids (bsc#1160906).


-----------------------------------------
Patch: SUSE-2020-448
Released: Tue Feb 25 10:50:05 2020
Summary: Recommended update for yast2-sudo
Severity: moderate
References: 1156929
Description:
This update for yast2-sudo fixes the following issues:

- Prevent truncating the sudoers file after write changes. (bsc#1156929)


-----------------------------------------
Patch: SUSE-2020-474
Released: Tue Feb 25 13:24:15 2020
Summary: Security update for openssl
Severity: moderate
References: 1117951,1158809,1160163,CVE-2019-1551
Description:
This update for openssl fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Non-security issue fixed:

- Fixed a crash in BN_copy (bsc#1160163).


-----------------------------------------
Patch: SUSE-2020-494
Released: Wed Feb 26 14:12:23 2020
Summary: Recommended update for ldb
Severity: moderate
References: 1162481
Description:
This update for ldb fixes the following issues:

- Adjust 'LDB_MODULES_PATH' to reduce confusing informational messages in 'make test' output. (bsc#1162481)


-----------------------------------------
Patch: SUSE-2020-508
Released: Thu Feb 27 11:14:16 2020
Summary: Recommended update for autofs
Severity: moderate
References: 1140145
Description:
This update for autofs fixes the following issues:

- Perform bind mounts of nested automounts of local filesystems by default (bsc#1140145):


-----------------------------------------
Patch: SUSE-2020-545
Released: Fri Feb 28 15:50:46 2020
Summary: Security update for permissions
Severity: moderate
References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013
Description:
This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).


-----------------------------------------
Patch: SUSE-2020-554
Released: Mon Mar  2 12:12:50 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162357
Description:
This update for supportutils fixes the following issues:

- Exclude /proc/pagetypeinfo as it can be an expensive operation on some systems (bsc#1162357).
- Readded LPM/DLPAR data for Power (bsc#1157852).


-----------------------------------------
Patch: SUSE-2020-555
Released: Mon Mar  2 13:27:17 2020
Summary: Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer
Severity: moderate
References: 1111622,1122668,CVE-2018-18074
Description:
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:

python-cfn-lint was included as a new package in 0.21.4.


python-aws-sam-translator was updated to 1.11.0:

  * Add ReservedConcurrentExecutions to globals
  * Fix ElasticsearchHttpPostPolicy resource reference
  * Support using AWS::Region in Ref and Sub
  * Documentation and examples updates
  * Add VersionDescription property to Serverless::Function
  * Update ServerlessRepoReadWriteAccessPolicy
  * Add additional template validation

Upgrade to 1.10.0:

  * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
  * Add DynamoDBReconfigurePolicy
  * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
  * Add EKSDescribePolicy
  * Add SESBulkTemplatedCrudPolicy
  * Add FilterLogEventsPolicy
  * Add SSMParameterReadPolicy
  * Add SESEmailTemplateCrudPolicy
  * Add s3:PutObjectAcl to S3CrudPolicy
  * Add allow_credentials CORS option
  * Add support for AccessLogSetting and CanarySetting Serverless::Api properties
  * Add support for X-Ray in Serverless::Api
  * Add support for MinimumCompressionSize in Serverless::Api
  * Add Auth to Serverless::Api globals
  * Remove trailing slashes from APIGW permissions
  * Add SNS FilterPolicy and an example application
  * Add Enabled property to Serverless::Function event sources
  * Add support for PermissionsBoundary in Serverless::Function
  * Fix boto3 client initialization
  * Add PublicAccessBlockConfiguration property to S3 bucket resource
  * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
  * Add limited support for resolving intrinsics in Serverless::LayerVersion
  * SAM now uses Flake8
  * Add example application for S3 Events written in Go
  * Updated several example applications

- Initial build
  + Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
  required for SLES12 as the setuptools version is too old
  + ast_drop-compatible-releases-operator.patch


python-jsonschema was updated to 2.6.0:

* Improved performance on CPython by adding caching around ref resolution

Update to version 2.5.0:

* Improved performance on CPython by adding caching around ref
  resolution (#203)

Update to version 2.4.0:

* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)

- Install /usr/bin/jsonschema with update-alternatives support

python-nose2 was updated to 0.9.1:

* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
  no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0

Update to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test
  classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
  https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
  https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
  https://github.com/wolever/parameterized/pull/49)

python-scandir was included in version 2.3.2.

python-requests was updated to version 2.20.1 (bsc#1111622)

* Fixed bug with unintended Authorization header stripping for
  redirects using default ports (http/80, https/443).


* remove restriction for urllib3 < 1.24

Update to version 2.20.0:

* Bugfixes
  + Content-Type header parsing is now case-insensitive
    (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise
    uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected
    from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames
    (e.g. files).
* Dependencies
  + Requests now supports urllib3 v1.24.
* Deprecations
  + Requests has officially stopped support for Python 2.6.

Update to version 2.19.1:

* Fixed issue where status_codes.py’s init function failed trying
  to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements
  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.
  + Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
  + Parsing empty Link headers with parse_header_links() no longer
    return one bogus entry.
  + Fixed issue where loading the default certificate bundle from
    a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system
    which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username
    and password in the request. This also fixes the issue of DNS
    queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer
    raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the
    cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.

update to version 2.18.4:

* Improvements
  + Error messages for invalid headers now include the header name
    for easier debugging
* Dependencies
  + We now support idna v2.6.

update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed
    version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead
    of SSLError when encountering SSL problems when using urllib3
    v1.22.


-----------------------------------------
Patch: SUSE-2020-561
Released: Mon Mar  2 17:24:59 2020
Summary: Recommended update for elfutils
Severity: moderate
References: 1110929,1157578
Description:
This update for elfutils fixes the following issues:

- Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
- Fix for '.ko' file corruption in debug info. (bsc#1110929)


-----------------------------------------
Patch: SUSE-2020-569
Released: Tue Mar  3 11:43:43 2020
Summary: Security update for libpng16
Severity: moderate
References: 1124211,1141493,CVE-2017-12652,CVE-2019-7317
Description:
This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
  png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-571
Released: Tue Mar  3 13:23:35 2020
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1162518
Description:
This update for cyrus-sasl fixes the following issues:

- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)


-----------------------------------------
Patch: SUSE-2020-576
Released: Tue Mar  3 15:22:44 2020
Summary: Security update for compat-openssl098
Severity: moderate
References: 1117951,1160163
Description:
This update for compat-openssl098 fixes the following issues:

- Add missing commits for fixes of the 'The 9 Lives of Bleichenbacher's CAT' attack (bsc#1117951)
- Fixed missing BN_copy() (bsc#1160163)


-----------------------------------------
Patch: SUSE-2020-583
Released: Wed Mar  4 11:54:12 2020
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: moderate
References: 1102564
Description:
This update for lifecycle-data-sle-module-toolchain fixes the following issues:

- Added expiration data for GCC 8 Toolchain Module 2018 Refresh.  [bsc#1102564] [fate#326486]


-----------------------------------------
Patch: SUSE-2020-596
Released: Thu Mar  5 15:23:51 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160
Description:
This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

- Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
- Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).


-----------------------------------------
Patch: SUSE-2020-608
Released: Fri Mar  6 14:59:10 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1165270
Description:
This update for mozilla-nss fixes the following issues:

- Package also the cmac.h needed by blapi.h, needed for building tomcat (bsc#1165270)


-----------------------------------------
Patch: SUSE-2020-652
Released: Thu Mar 12 09:53:23 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: important
References: 1165915,1165919,1166301
Description:
This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it
require a p11-kit tools update installed first, which can not always
ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)


-----------------------------------------
Patch: SUSE-2020-663
Released: Thu Mar 12 17:31:31 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1166334
Description:
This update for suse-build-key fixes the following issues:

- created a new security_at_suse.de key for email communication (bsc#1166334)


-----------------------------------------
Patch: SUSE-2020-708
Released: Wed Mar 18 06:48:30 2020
Summary: Recommended update for growpart
Severity: moderate
References: 1164736
Description:
This update for growpart fixes the following issues:

- Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)


-----------------------------------------
Patch: SUSE-2020-331
Released: Wed Mar 18 12:52:46 2020
Summary: Security update for systemd
Severity: important
References: 1106383,1133495,1139459,1151377,1151506,1154043,1155574,1156482,1159814,1162108,CVE-2020-1712
Description:
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.

- Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
- Fix warnings thrown during package installation. (bsc#1154043)
- Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
- Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
- Wait for workers to finish when exiting. (bsc#1106383)
- Improve log message when inotify limit is reached. (bsc#1155574)
- Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)


-----------------------------------------
Patch: SUSE-2020-720
Released: Thu Mar 19 10:58:14 2020
Summary: Recommended update for wicked
Severity: moderate
References: 1165180
Description:
This update for wicked fixes the following issues:

- Fix the package using old/wrong pattern for libzypp in package libwicked. (bsc#1165180)


-----------------------------------------
Patch: SUSE-2020-497
Released: Fri Mar 20 11:11:25 2020
Summary: Security update for python3
Severity: moderate
References: 1068664,1159208,1159623,CVE-2012-0876,CVE-2016-0718,CVE-2016-4472,CVE-2016-9063,CVE-2017-1000158,CVE-2017-9233
Description:
This update for python3 fixes the following issues:

Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:

Security issues fixed:

- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
  CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).


-----------------------------------------
Patch: SUSE-2020-786
Released: Wed Mar 25 06:47:18 2020
Summary: Recommended update for p11-kit
Severity: moderate
References: 1165915,1165919
Description:
This update for p11-kit fixes the following issues:

- tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY'
  provides so we can pull it in. (bsc#1165915 bsc#1165919)


-----------------------------------------
Patch: SUSE-2020-792
Released: Wed Mar 25 15:14:02 2020
Summary: Security update for python-cffi, python-cryptography
Severity: moderate
References: 1055478,1070737,1101820,1111657,1138748,1149792,981848,CVE-2018-10903
Description:
This update for python-cffi, python-cryptography fixes the following issues:

Security issue fixed:

- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).

Non-security issues fixed:

python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):

- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)

- Update pytest in spec to add c directory tests in addition to 
  testing directory.

- update to version 1.11.2:
  * Fix Windows issue with managing the thread-state on CPython 3.0 to
    3.5

- Update pytest in spec to add c directory tests in addition to 
  testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
  threads finishing in a given time. Returns sporadic pass/fail
  within build.
- Update to 1.11.1:
  * Fix tests, remove deprecated C API usage
  * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
    extensions (cpython issue #29943)
  * Fix for 3.7.0a1+

- Update to 1.11.0:
  * Support the modern standard types char16_t and char32_t. These
    work like wchar_t: they represent one unicode character, or when
    used as charN_t * or charN_t[] they represent a unicode string.
    The difference with wchar_t is that they have a known, fixed
    size. They should work at all places that used to work with
    wchar_t (please report an issue if I missed something). Note
    that with set_source(), you need to make sure that these types
    are actually defined by the C source you provide (if used in
    cdef()).
  * Support the C99 types float _Complex and double _Complex. Note
    that libffi doesn't support them, which means that in the ABI
    mode you still cannot call C functions that take complex
    numbers directly as arguments or return type.
  * Fixed a rare race condition when creating multiple FFI instances
    from multiple threads. (Note that you aren't meant to create
    many FFI instances: in inline mode, you should write
    ffi = cffi.FFI() at module level just after import cffi; and in
    out-of-line mode you don't instantiate FFI explicitly at all.)
  * Windows: using callbacks can be messy because the CFFI internal
    error messages show up to stderr-but stderr goes nowhere in many
    applications. This makes it particularly hard to get started
    with the embedding mode. (Once you get started, you can at least
    use @ffi.def_extern(onerror=...) and send the error logs where
    it makes sense for your application, or record them in log
    files, and so on.) So what is new in CFFI is that now, on
    Windows CFFI will try to open a non-modal MessageBox (in addition
    to sending raw messages to stderr). The MessageBox is only
    visible if the process stays alive: typically, console
    applications that crash close immediately, but that is also the
    situation where stderr should be visible anyway.
  * Progress on support for callbacks in NetBSD.
  * Functions returning booleans would in some case still return 0
    or 1 instead of False or True. Fixed.
  * ffi.gc() now takes an optional third parameter, which gives an
    estimate of the size (in bytes) of the object. So far, this is
    only used by PyPy, to make the next GC occur more quickly
    (issue #320). In the future, this might have an effect on
    CPython too (provided the CPython issue 31105 is addressed).
  * Add a note to the documentation: the ABI mode gives function
    objects that are slower to call than the API mode does. For
    some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
  * Fixed the line numbers reported in case of cdef() errors. Also,
    I just noticed, but pycparser always supported the preprocessor
    directive # 42 'foo.h' to mean 'from the next line, we're in
    file foo.h starting from line 42';, which it puts in the error
    messages. 

- update to 1.10.0:
 * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
   to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
   where most of the time you never touch most of the array.
  * Some OS/X build fixes ('only with Xcode but without CLT';).
  * Improve a couple of error messages: when getting mismatched versions of
    cffi and its backend; and when calling functions which cannot be called with
    libffi because an argument is a struct that is 'too complicated'; (and not
    a struct pointer, which always works).
  * Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
  * Implemented the remaining cases for ffi.from_buffer. Now all
    buffer/memoryview objects can be passed. The one remaining check is against
    passing unicode strings in Python 2. (They support the buffer interface, but
    that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
    times not what you expect. In Python 3 this has been fixed and the unicode
    strings don't support the memoryview interface any more.)
  * The C type _Bool or bool now converts to a Python boolean when reading,
    instead of the content of the byte as an integer. The potential
    incompatibility here is what occurs if the byte contains a value different
    from 0 and 1. Previously, it would just return it; with this change, CFFI
    raises an exception in this case. But this case means 'undefined behavior';
    in C; if you really have to interface with a library relying on this,
    don't use bool in the CFFI side. Also, it is still valid to use a byte
    string as initializer for a bool[], but now it must only contain \x00 or
    \x01. As an aside, ffi.string() no longer works on bool[] (but it never made
    much sense, as this function stops at the first zero).
  * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
    like before but is the constructor of that type.
  * ffi.addressof(lib, 'name') now works also in in-line mode, not only in
    out-of-line mode. This is useful for taking the address of global variables.
  * Issue #255: cdata objects of a primitive type (integers, floats, char) are
    now compared and ordered by value. For example, <cdata 'int' 42> compares
    equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
    <cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
    compares smaller, because -1 < 4294967295.
  * PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
    causing the GC to run too infrequently if you call ffi.new() very often
    and/or with large arrays. Fixed in PyPy 5.7.
  * Support in ffi.cdef() for numeric expressions with + or -. Assumes that
    there is no overflow; it should be fixed first before we add more general
    support for arbitrary arithmetic on constants.

- do not generate HTML documentation for packages that are indirect
  dependencies of Sphinx
  (see docs at https://cffi.readthedocs.org/ )

- update to 1.9.1
  - Structs with variable-sized arrays as their last field: now we track the
    length of the array after ffi.new() is called, just like we always tracked
    the length of ffi.new('int[]', 42). This lets us detect out-of-range
    accesses to array items. This also lets us display a better repr(), and
    have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
    both functions would return a result based on the size of the declared
    structure type, with an assumed empty array. (Thanks andrew for starting
    this refactoring.)
  - Add support in cdef()/set_source() for unspecified-length arrays in
    typedefs: typedef int foo_t[...];. It was already supported for global
    variables or structure fields.
  - I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
    no values explicitly defined: refusing to guess which integer type it is
    meant to be (unsigned/signed, int/long). Now I'm turning it back to a
    warning again; it seems that guessing that the enum has size int is a
    99%-safe bet. (But not 100%, so it stays as a warning.)
  - Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
    remaining issue that is hard to fix: if you pass a Python file object to a
    FILE * argument, then os.dup() is used and the new file descriptor is only
    closed when the GC reclaims the Python file object-and not at the earlier
    time when you call close(), which only closes the original file descriptor.
    If this is an issue, you should avoid this automatic convertion of Python
    file objects: instead, explicitly manipulate file descriptors and call
    fdopen() from C (...via cffi).
  - When passing a void * argument to a function with a different pointer type,
    or vice-versa, the cast occurs automatically, like in C. The same occurs
    for initialization with ffi.new() and a few other places. However, I
    thought that char * had the same property-but I was mistaken. In C you get
    the usual warning if you try to give a char * to a char ** argument, for
    example. Sorry about the confusion. This has been fixed in CFFI by giving
    for now a warning, too. It will turn into an error in a future version.
  - Issue #283: fixed ffi.new() on structures/unions with nested anonymous
    structures/unions, when there is at least one union in the mix. When
    initialized with a list or a dict, it should now behave more closely like
    the { } syntax does in GCC.
  - CPython 3.x: experimental: the generated C extension modules now use the
    'limited API';, which means that, as a compiled .so/.dll, it should work
    directly on any version of CPython >= 3.2. The name produced by distutils
    is still version-specific. To get the version-independent name, you can
    rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
  - Added ffi.compile(debug=...), similar to python setup.py build --debug but
    defaulting to True if we are running a debugging version of Python itself.
  - Removed the restriction that ffi.from_buffer() cannot be used on byte
    strings. Now you can get a char * out of a byte string, which is valid as
    long as the string object is kept alive. (But don't use it to modify the
    string object! If you need this, use bytearray or other official
    techniques.)
  - PyPy 5.4 can now pass a byte string directly to a char * argument (in older
    versions, a copy would be made). This used to be a CPython-only
    optimization.
  - ffi.gc(p, None) removes the destructor on an object previously created by
    another call to ffi.gc()
  - bool(ffi.cast('primitive type', x)) now returns False if the value is zero
    (including -0.0), and True otherwise. Previously this would only return
    False for cdata objects of a pointer type when the pointer is NULL.
  - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
    it was not supported was that it was hard to do in PyPy, but it works since
    PyPy 5.3.) To call a C function with a char * argument from a buffer
    object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
    Additionally, this is now supported: p[0:length] = bytearray-object. The
    problem with this was that a iterating over bytearrays gives numbers
    instead of characters. (Now it is implemented with just a memcpy, of
    course, not actually iterating over the characters.)
  - C++: compiling the generated C code with C++ was supposed to work, but
    failed if you make use the bool type (because that is rendered as the C
    _Bool type, which doesn't exist in C++).
  - help(lib) and help(lib.myfunc) now give useful information, as well as
    dir(p) where p is a struct or pointer-to-struct.

- update for multipython build

- disable 'negative left shift' warning in test suite to prevent
  failures with gcc6, until upstream fixes the undefined code
  in question (bsc#981848)

- Update to version 1.6.0:
  * ffi.list_types()
  * ffi.unpack()
  * extern 'Python+C';
  * in API mode, lib.foo.__doc__ contains the C signature now.
  * Yet another attempt at robustness of ffi.def_extern() against
    CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.

- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
  finalize_with_tag API

- Add proper conditional for the python2, the ifpython works only
  for the requires/etc

- add missing dependency on python ssl

- update to version 2.1.4:
  * Added X509_up_ref for an upcoming pyOpenSSL release.

- update to version 2.1.3:
  * Updated Windows, macOS, and manylinux1 wheels to be compiled with
    OpenSSL 1.1.0g.

- update to version 2.1.2:
  * Corrected a bug with the manylinux1 wheels where OpenSSL's stack
    was marked executable.

- fix BuildRequires conditions for python3

- update to 2.1.1

- Fix cffi version requirement.

- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)


- update to 2.0.3

- update to 2.0.2

- update to 2.0

- update to 1.9

- add python-packaging to requirements explicitly instead of relying
  on setuptools to pull it in

- Switch to singlespec approach

- update to 1.8.1
- Adust Requires and BuildRequires

-----------------------------------------
Patch: SUSE-2020-816
Released: Tue Mar 31 07:11:19 2020
Summary: Recommended update for grub2
Severity: moderate
References: 1166409
Description:
This update for grub2 fixes the following issues:

- Implement support searching for specific config files for netboot. (bsc#1166409)  
  

-----------------------------------------
Patch: SUSE-2020-822
Released: Tue Mar 31 13:06:24 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra  (bsc#1166510)


-----------------------------------------
Patch: SUSE-2020-747
Released: Tue Mar 31 13:26:56 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162539,1165474,1165475,1166128,1166774,915888
Description:
This update for supportutils fixes the following issues:

- Replaced obsolete Novell with SUSE FTP servers. (bsc#1165475)
- Implement core file validation and fix for hanging if the corefile is a directory. (bsc#1166128)
- Fix by adding default upload targets in 'getappcore'. (bsc#1165474)
- Changed filename prefixes for SUSE Customer Center. (bsc#1166774)
- Fix the issue when supportconfig is not collecting specific log files for power. (bsc#1162539, bsc#1157852)
- Fixed s390x typo. (bsc#915888)


-----------------------------------------
Patch: SUSE-2020-854
Released: Thu Apr  2 15:13:32 2020
Summary: Security update for python3
Severity: moderate
References: 1155094,1162224,1162367,1162825,1165894,CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Description:
This update for python3 fixes the following issue:

- CVE-2019-18348: Fixed a CRLF injection via the host part 
  of the url passed to urlopen(). Now an InvalidURL exception 
  is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the 
  dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that 
  was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
  variant of the package. (bsc#1165894)
  

-----------------------------------------
Patch: SUSE-2020-911
Released: Fri Apr  3 10:47:03 2020
Summary: Security update for libpng12
Severity: moderate
References: 1141493,CVE-2017-12652
Description:
This update for libpng12 fixes the following issues:

Security issue fixed:

- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-915
Released: Fri Apr  3 13:15:11 2020
Summary: Recommended update for openldap2
Severity: moderate
References: 1168195
Description:

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)
  

-----------------------------------------
Patch: SUSE-2020-920
Released: Fri Apr  3 17:13:04 2020
Summary: Security update for libxslt
Severity: moderate
References: 1154609,CVE-2019-18197
Description:
This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).


-----------------------------------------
Patch: SUSE-2020-926
Released: Mon Apr  6 11:13:57 2020
Summary: Initial release of python3-requests
Severity: low
References: 1064441
Description:
This update adds python3-requests to SUSE Linux Enterprise 12-SP2 and 12-SP3.


-----------------------------------------
Patch: SUSE-2020-980
Released: Mon Apr 13 15:43:13 2020
Summary: Recommended update for growpart-rootgrow
Severity: moderate
References: 1165198
Description:
This update for growpart-rootgrow contains the following fixes:

- Switch implementation to use Popen for Python 3.4 compatibility. (bsc#1165198)

- Bump version: 1.0.2 to 1.0.3

- Fixed unit tests and style:
  This clobbers several fixes into one. This commit includes several pep8 style fixes
  mostly on the indentation level. In addition it fixes the unit tests to really cover
  all code and to make the exception tests really effective.

- Switch to use Popen instead of run.
  The run() fuction in the subprocess module was implemented after Python 3.4. However,
  Python 3.4 support for SLES 12 is needed

- Bump version: 1.0.1 to 1.0.2

- Package LICENSE file included in the rpm


-----------------------------------------
Patch: SUSE-2020-394
Released: Tue Apr 14 17:25:16 2020
Summary: Security update for gcc9
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847
Description:
This update for gcc9 fixes the following issues:

The GNU Compiler Collection is shipped in version 9.

A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html

The compilers have been added to the SUSE Linux Enterprise Toolchain Module.

To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.


For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)


-----------------------------------------
Version 1.0.2-Build1.387 2020-04-21T19:30:49

-----------------------------------------
Patch: SUSE-2020-1043
Released: Tue Apr 21 09:33:47 2020
Summary: Recommended update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1
Severity: moderate
References: 1161816,1162152,1167223
Description:
This update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223)

Full Release Notes can be found on:

        https://wiki.documentfoundation.org/ReleaseNotes/6.4


xmlsec1 was update to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

QR-Code-generator was shipped new in support of LibreOffice.

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice



-----------------------------------------
Version 1.0.2-Build1.388 2020-04-23T14:47:57

-----------------------------------------
Patch: SUSE-2020-1045
Released: Thu Apr 23 11:32:45 2020
Summary: Security update for cups
Severity: important
References: 1168422,CVE-2020-3898
Description:
This update for cups fixes the following issues:

- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).


-----------------------------------------
Version 1.0.2-Build1.389 2020-04-24T19:07:51

-----------------------------------------
Patch: SUSE-2020-1095
Released: Thu Apr 23 16:34:40 2020
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1167810
Description:
This update for google-compute-engine fixes the following issues:

- Rename the sysctl file that applies the GCE network settings, so it
  is run after the default config and adjusts net.ipv4.conf.all.rp_filter
  correctly.  (bsc#1167810)


-----------------------------------------
Version 1.0.2-Build1.395 2020-05-06T19:09:51

-----------------------------------------
Patch: SUSE-2020-1168
Released: Mon May  4 14:06:46 2020
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1162879
Description:
This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)


-----------------------------------------
Patch: SUSE-2020-1180
Released: Tue May  5 10:54:36 2020
Summary: Security update for icu
Severity: moderate
References: 1166844,CVE-2020-10531
Description:
This update for icu fixes the following issues:

- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).


-----------------------------------------
Patch: SUSE-2020-1189
Released: Tue May  5 12:53:24 2020
Summary: Recommended update for python-pytest
Severity: moderate
References: 1123064,1138666,1143893,1166139,1167732
Description:

This update updates various packages for new python-pytest versions.
  

-----------------------------------------
Patch: SUSE-2020-1193
Released: Tue May  5 16:26:05 2020
Summary: Security update for openldap2
Severity: important
References: 1170771,CVE-2020-12243
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).


-----------------------------------------
Version 1.0.2-Build1.396 2020-05-07T15:20:33

-----------------------------------------
Patch: SUSE-2020-1210
Released: Thu May  7 10:37:52 2020
Summary: Security update for openldap2
Severity: important
References: 1143194,1143273,1170771,CVE-2019-13057,CVE-2019-13565,CVE-2020-12243
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
- CVE-2019-13565: Fixed an authentication bypass caused by incorrect authorization of another connection, granting excess connection rights (bsc#1143194).
- CVE-2019-13057: Fixed an issue with improper authorization with delegated database admin privileges (bsc#1143273).


-----------------------------------------
Version 1.0.2-Build1.397 2020-05-08T19:08:31

-----------------------------------------
Patch: SUSE-2020-1224
Released: Fri May  8 08:50:50 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1169599
Description:
This update for cloud-regionsrv-client contains the following fixes:

- Update to version 9.0.9: (bsc#1169599)
  + Handle the /etc/hosts file with Python 3.4 if there are non ASCII characters
    in the file.


-----------------------------------------
Version 1.0.2-Build1.401 2020-05-13T19:20:27

-----------------------------------------
Patch: SUSE-2020-1272
Released: Wed May 13 13:26:28 2020
Summary: Security update for apache2
Severity: important
References: 1168404,1168407,1169066,CVE-2020-1927,CVE-2020-1934,CVE-2020-1938
Description:
This update for apache2 fixes the following issues:

- CVE-2020-1934: mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server (bsc#1168404).
- CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (bsc#1168407).
- CVE-2020-1938: mod_proxy_ajp: Add 'secret' parameter to proxy workers to implement legacy AJP13 authentication (bsc#1169066).


-----------------------------------------
Version 1.0.2-Build1.403 2020-05-15T19:17:46

-----------------------------------------
Patch: SUSE-2020-1275
Released: Thu May 14 11:33:59 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1056134,1087813,1120386,1133147,1137325,1145929,1149591,1154118,1154844,1155689,1157155,1157157,1157303,1157804,1158021,1158642,1158819,1159199,1159285,1159297,1159841,1159908,1159910,1159911,1159912,1160195,1161586,1162227,1162928,1162929,1162931,1163508,1163971,1164009,1164051,1164069,1164078,1164846,1165111,1165311,1165873,1165881,1165984,1165985,1167421,1167423,1167629,1168075,1168295,1168424,1168829,1168854,1170056,1170345,1170778,1170847,CVE-2017-18255,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-21008,CVE-2019-11091,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-18675,CVE-2019-19066,CVE-2019-19319,CVE-2019-19447,CVE-2019-19767,CVE-2019-19768,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20096,CVE-2019-3701,CVE-2019-5108,CVE-2019-9455,CVE-2019-9458,CVE-2020-10690,CVE-2020-10720,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-2732,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8992,CVE-2020-9383
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2020-8647: Fixed a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929).
- CVE-2020-8649: Fixed a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162931).
- CVE-2020-9383: Fixed an issue in set_fdc in drivers/block/floppy.c, which leads to a wait_til_ready out-of-bounds read (bnc#1165111).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2020-11609: Fixed a NULL pointer dereference in the stv06xx subsystem caused by mishandling invalid descriptors (bnc#1168854).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bnc#1170345).
- CVE-2020-11608: Fixed an issue in drivers/media/usb/gspca/ov519.c caused by a NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints (bnc#1168829).
- CVE-2017-18255: The perf_cpu_time_max_percent_handler function in kernel/events/core.c allowed local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation (bnc#1087813).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-2732: A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2019-5108: Fixed a denial-of-service vulnerability caused by triggering AP to send IAPP location updates for stations before the required authentication process has completed (bnc#1159912).
- CVE-2020-8992: ext4_protect_reserved_inode in fs/ext4/block_validity.c allowed attackers to cause a denial of service (soft lockup) via a crafted journal size (bnc#1164069).
- CVE-2018-21008: Fixed a use-after-free which could be caused by the function rsi_mac80211_detach in the file drivers/net/wireless/rsi/rsi_91x_mac80211.c (bnc#1149591).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in Marvell WiFi chip driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-18675: Fixed an integer overflow in cpia2_remap_buffer in drivers/media/usb/cpia2/cpia2_core.c because cpia2 has its own mmap implementation. This allowed local users (with /dev/video0 access) to obtain read and write permissions on kernel physical pages, which can possibly result in a privilege escalation (bnc#1157804).
- CVE-2019-14615: Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may have allowed an unauthenticated user to potentially enable information disclosure via local access (bnc#1160195, bsc#1165881).
- CVE-2019-19965: Fixed a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition (bnc#1159911).
- CVE-2019-20054: Fixed a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).
- CVE-2019-19447: Fixed an issue with mounting a crafted ext4 filesystem image, performing some operations, and unmounting could lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19319: Fixed an issue with a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).
- CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).
- CVE-2019-11091,CVE-2018-12126,CVE-2018-12130,CVE-2018-12127: Earlier mitigations for the 'MDS' Microarchitectural Data Sampling attacks were not complete.
  An additional fix was added to the x86_64 fast systemcall path to further mitigate these attacks. (bsc#1164846 bsc#1170847)


The following non-security bugs were fixed:

- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled (bsc#1158642)
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1164009).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- fix PageHeadHuge() race with THP split (VM Functionality, bsc#1165311).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- input: add safety guards to input_set_keycode() (bsc#1168075).
- ipv4: correct gso_size for UFO (bsc#1154844).
- ipv6: fix memory accounting during ipv6 queue expire (bsc#1162227) (bsc#1162227).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- md: add mddev->pers to avoid potential NULL pointer dereference (bsc#1056134).
- md/bitmap: do not read page from device with Bitmap_sync (bsc#1056134).
- md: change the initialization value for a spare device spot to MD_DISK_ROLE_SPARE (bsc#1056134).
- md: Delete gendisk before cleaning up the request queue (bsc#1056134).
- md: do not call bitmap_create() while array is quiesced (bsc#1056134).
- md: do not set In_sync if array is frozen (bsc#1056134).
- md: fix a potential deadlock of raid5/raid10 reshape (bsc#1056134).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1056134).
- md: notify about new spare disk in the container (bsc#1056134).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md/raid10: end bio when the device faulty (bsc#1056134).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1056134).
- md/raid1,raid10: silence warning about wait-within-wait (bsc#1056134).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1056134).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (bsc#1161586).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix already_offline (bsc#1145929).
- tcp: clear tp->packets_out when purging write queue (bsc#1154118).
- x86/mitigations: Clear CPU buffers on the SYSCALL fast path (bsc#1164846 bsc#1170847).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).


-----------------------------------------
Patch: SUSE-2020-1279
Released: Thu May 14 14:26:50 2020
Summary: Recommended update for python-pyOpenSSL
Severity: moderate
References: 1138748
Description:

This update for python-pyOpenSSL fixes the following issues:

python-pyOpenSSL was updated to version 17.1.0.

Backward-incompatible changes:

* Removed the deprecated ``OpenSSL.rand.egd()`` function.
  Applications should prefer ``os.urandom()`` for random number generation.
  `#630 <https://github.com/pyca/pyopenssl/pull/630>`_
* Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
  Callers must now always pass an explicit ``digest``.
  `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
* Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
  ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
  and ``Revoked.set_lastUpdate()``. You must now pass times in the form
  ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
  will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_

Deprecations:

 * Deprecated the legacy 'Type' aliases: ``ContextType``, ``ConnectionType``,
   ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``,
   ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``,
   ``NetscapeSPKIType``.
   The names without the 'Type'-suffix should be used instead.

Changes:

 * Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()``
   for converting X.509 certificate to and from pyca/cryptography objects.
   `#640 <https://github.com/pyca/pyopenssl/pull/640>`_
 * Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``,
   ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()``
   for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
   `#645 <https://github.com/pyca/pyopenssl/pull/645>`_
 *  Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including
    linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
    `#620 <https://github.com/pyca/pyopenssl/pull/620>`_
 * Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming
   release of ``cryptography`` ``manylinux1`` wheels.
   `#633 <https://github.com/pyca/pyopenssl/pull/633>`_
  

-----------------------------------------
Patch: SUSE-2020-1287
Released: Fri May 15 11:26:21 2020
Summary: Recommended update for google-compute-engine
Severity: moderate
References: 1170719,1170720
Description:
This update for google-compute-engine contain the following fix:

- Do not add the created user to the adm, docker, or lxd groups if they exist. (bsc#1170719, bsc#1170720)
  

-----------------------------------------
Version 1.0.2-Build1.404 2020-05-18T19:17:38

-----------------------------------------
Patch: SUSE-2020-1306
Released: Mon May 18 09:53:45 2020
Summary: Recommended update for psmisc
Severity: moderate
References: 1170247
Description:
This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)


-----------------------------------------
Patch: SUSE-2020-1312
Released: Mon May 18 10:36:15 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1169582
Description:
This update for timezone fixes the following issues:

- timezone update 2020a (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.


-----------------------------------------
Patch: SUSE-2020-1320
Released: Mon May 18 11:44:35 2020
Summary: Recommended update for regionServiceClientConfigGCE
Severity: important
References: 1071292,1171467,1171469
Description:
This update for regionServiceClientConfigGCE fixes the following issues:

- Unify region server setup for SLES and SLES4SAP that provides configuring traffic routing through the datacenter. (bsc#1171467, bsc#1171469)
- Fix dependency issue for SLE 15. (bsc#1071292)


-----------------------------------------
Patch: SUSE-2020-1325
Released: Mon May 18 11:50:19 2020
Summary: Recommended update for coreutils
Severity: moderate
References: 1156276
Description:
This update for coreutils fixes the following issues:

-Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276)


-----------------------------------------
Version 1.0.2-Build1.408 2020-05-20T19:16:44

-----------------------------------------
Patch: SUSE-2020-1329
Released: Mon May 18 17:17:54 2020
Summary: Recommended update for gcc9
Severity: moderate
References: 1149995,1152590,1167898
Description:
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go



-----------------------------------------
Patch: SUSE-2020-1357
Released: Wed May 20 15:19:03 2020
Summary: Recommended update for release-notes-sles
Severity: moderate
References: 1136157,1171093
Description:
This update for release-notes-sles fixes the following issues:

- Updated release notes for SLES 12 SP3 12.3.20200504 (bsc#1171093)
- New notes:
  - SUSE Virtual Machine Driver Pack 2.5 (FATE#322145)
  - PostgreSQL Has Been Upgraded to Version 10 (FATE#325659)
  - LibreOffice Has Been Updated to Version 6.1 (FATE#326624)
  - Speed of ibmveth Interface Not Reported Accurately (bsc#1136157)
  - New GeoIP tools (jsc#SLE-11183)
- Document fixes and changed notes:
  - Support for ibmvnic Networking Driver (FATE#327576)
    Now supported and not a technology preview anymore
  - Software Requiring Specific Contracts (FATE#316990)
    Added LibreOffice to this list
  - Upgrading PostgreSQL Installations from 9.1 to 9.4 (FATE#319049)
    Fixed phrasing, simplified source link markup
  - libcgroup1 Removed From SLE 12 SP4 and Later (FATE#323093)
    Fixed categorization of this note, as the functionality is already
    removed from the product
  - Updated URLs throughout the document to use documentation.suse.com
    instead of suse.com/documentation and to use HTTPS instead of HTTP
- Removed notes:
  - LibreOffice Has Been Updated to Version 6.0 (FATE#324870)
    Replaced by LibreOffice 6.1 note


-----------------------------------------
Version 1.0.2-Build1.410 2020-05-22T19:16:59

-----------------------------------------
Patch: SUSE-2020-1368
Released: Thu May 21 19:05:40 2020
Summary: Recommended update for docker-runc
Severity: moderate
References: 1168481
Description:
This update for docker-runc contains the following fixes:

- Backport upstream fix that enable access to /dev/null in containers. Resolves many
  issues with the implementation of the runc devices cgroup code. Removes some of
  the disruptive aspects of 'runc update'. (bsc#1168481)
  

-----------------------------------------
Patch: SUSE-2020-1377
Released: Thu May 21 19:08:20 2020
Summary: Recommended update for avahi
Severity: moderate
References: 1085255,1168191
Description:
This update for avahi fixes the following issues:

- Increase data and stack limits to match the upstream samples, rather than removing them
  altogether, per discussion with security team (bsc#1168191 bsc#1085255).


-----------------------------------------
Version 1.0.2-Build1.414 2020-05-27T19:17:24

-----------------------------------------
Patch: SUSE-2020-1403
Released: Mon May 25 15:20:08 2020
Summary: Recommended update for tcsh
Severity: moderate
References: 1163593
Description:
This update for tcsh fixes the following issues:

- Fix for an issue with SLES4SAP when csh occurs system slowness and consumes a lot of memory due to '.history' corruption. (bsc#1163593)
  

-----------------------------------------
Patch: SUSE-2020-1410
Released: Mon May 25 17:58:30 2020
Summary: Recommended update for xfsprogs
Severity: moderate
References: 1171812
Description:
This update for xfsprogs fixes the following issue:

- xfs_repair: set rsumino version to 2. (bsc#1171812)


-----------------------------------------
Patch: SUSE-2020-1488
Released: Wed May 27 15:24:27 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: important
References: 1171705
Description:
This update for cloud-regionsrv-client contains the following fixes:

- Improve error message for failed update server access to determine product status.

- Update to version 9.0.10. (bsc#1171704, bsc#1171705)
  + While the service starts After=network-online.target this is no guarantee that the
    cloud framework has configured the outgoing routing for the instance. This
    configuration on the framework side may take longer. Introduce a wait look that
    retries connections to the update infrastructure 3 times before giving up.


-----------------------------------------
Version 1.0.2-Build1.416 2020-05-28T19:17:27

-----------------------------------------
Patch: SUSE-2020-1489
Released: Wed May 27 18:29:21 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1172055
Description:
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)


-----------------------------------------
Patch: SUSE-2020-1491
Released: Wed May 27 18:31:36 2020
Summary: Recommended update for groff
Severity: low
References: 1055985
Description:
This update for groff fixes the following issues:

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package


-----------------------------------------
Version 1.0.2-Build1.417 2020-05-30T19:17:06

-----------------------------------------
Patch: SUSE-2020-1509
Released: Fri May 29 17:42:08 2020
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1171745
Description:
This update for nfs-utils fixes the following issues:

-Fix for an issue when '/etc/exports' is empty and it raised a warning. (bsc#1171745)


-----------------------------------------
Version 1.0.2-Build1.419 2020-06-03T19:17:17

-----------------------------------------
Patch: SUSE-2017-884
Released: Tue May 30 15:28:35 2017
Summary: Initial release of python-rpm-macros
Severity: low
References: 1039368
Description:

This update adds python-rpm-macros to SUSE Linux Enterprise Software Development
Kit 12. This package contains RPM macros that ease packaging and building of
Python singlespec packages.


-----------------------------------------
Patch: SUSE-2017-1354
Released: Fri Aug 18 23:54:29 2017
Summary: Recommended update for python-rpm-macros
Severity: low
References: 1050472
Description:
This update for python-rpm-macros fixes the following issues:

- Fix skip_python2 in environment where python2 is not actually present.
- Introduce smarter buildset support.
- Fix %python_files on non-standard build sets.
- Introduce %python_for_executables in favor of magically taking 'last python in %pythons'.
- Fix %license tag handling.


-----------------------------------------
Patch: SUSE-2019-965
Released: Wed Apr 17 12:17:29 2019
Summary: Recommended update for python-rpm-macros
Severity: moderate
References: 1128323
Description:
This update for python-rpm-macros fixes the following issues:

The Python RPM macros were update to version 20190408.32abece
to fix lots of bugs. (bsc#1128323)

* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory
  for the rpm macros.
* Fix an issue with epoch printing having too many \
* Remove packaging/ dir
* add epoch while printing 'Provides:'
* better fix for macro usage in rpm 4.14
* Fix macro usage for rpm 4.14
* use %_specfile macro to locate the spec file, this should help with
  factory-auto bot problems as well as issue#3


-----------------------------------------
Patch: SUSE-2019-2382
Released: Mon Sep 16 19:00:48 2019
Summary: Recommended update for python36
Severity: moderate
References: 1146165
Description:

This update provides python 3.6 packages to the SUSE Linux Enterprise 12 SP3 for Teradata codestream.
  

-----------------------------------------
Patch: SUSE-2020-337
Released: Wed Feb 19 13:25:26 2020
Summary: Recommended update for python-rpm-macros
Severity: moderate
References: 1161770
Description:
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)


-----------------------------------------
Patch: SUSE-2020-1524
Released: Wed Jun  3 09:32:11 2020
Summary: Security update for python
Severity: moderate
References: 1027282,1041090,1042670,1073269,1073748,1078326,1078485,1081750,1084650,1086001,1149792,1153830,1155094,1159035,1162224,1162367,1162825,1165894,1170411,1171561,945401,CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Description:


This update for python to version 2.7.17 fixes the following issues:

Syncing with lots of upstream bug fixes and security fixes.

Bug fixes:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

Additionally a new 'shared-python-startup' package is provided containing startup files.

python-rpm-macros was updated to fix:

- Do not write .pyc files for tests (bsc#1171561)



-----------------------------------------
Version 1.0.2-Build1.427 2020-06-16T17:34:37

-----------------------------------------
Patch: SUSE-2020-1548
Released: Mon Jun  8 08:38:53 2020
Summary: Recommended update for python
Severity: important
References: 1172544
Description:
This update for python fixes the following issues:

- Revert the recent change to macros.python2, which caused that
  multispec python packages were generated with python2- instead of
  python- prefix (bsc#1172544)


-----------------------------------------
Patch: SUSE-2020-1550
Released: Mon Jun  8 09:29:49 2020
Summary: Security update for vim
Severity: moderate
References: 1172031,1172225,CVE-2019-20807
Description:
This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim 
  was possible using interfaces (bsc#1172225 and bsc#1172031).	  


-----------------------------------------
Patch: SUSE-2020-1570
Released: Tue Jun  9 11:15:12 2020
Summary: Security update for ruby2.1
Severity: important
References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Description:
This update for ruby2.1 fixes the following issues:

Security issues fixed:

- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)


-----------------------------------------
Patch: SUSE-2020-1577
Released: Tue Jun  9 14:19:21 2020
Summary: Recommended update for openslp
Severity: moderate
References: 1117969,1136136
Description:
This update for openslp fixes the following issues:

- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has
  a malformed attribute list (bsc#1136136)


-----------------------------------------
Patch: SUSE-2020-1596
Released: Wed Jun 10 10:29:54 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1154824,1161951,1164871,1169025,1169625,1170383,1170618,1170620,1171098,1171195,1171202,1171218,1171219,1171689,1171698,1172032,1172221,1172317,CVE-2020-0543,CVE-2020-10757,CVE-2020-12114,CVE-2020-12652,CVE-2020-12653,CVE-2020-12654,CVE-2020-12656
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
  This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12114: Fixed A pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

The following non-security bugs were fixed:

- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- EDAC: Convert to new X86 CPU match macros
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025).
- NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025).
- NFS: make nfs_match_client killable (bsc#1169025).
- NFS: Unlock requests must never fail (bsc#1172032).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- x86/dumpstack/64: Handle faults when printing the 'Stack: ' part of an OOPS (bsc#1170383).
- x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: hyperv: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).


-----------------------------------------
Patch: SUSE-2020-1612
Released: Fri Jun 12 09:43:17 2020
Summary: Security update for adns
Severity: important
References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109
Description:
This update for adns fixes the following issues:
	  
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
  which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of 
  service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).


-----------------------------------------
Patch: SUSE-2020-1619
Released: Fri Jun 12 12:03:20 2020
Summary: Security update for audiofile
Severity: low
References: 1100523,CVE-2018-13440
Description:
This update for audiofile fixes the following issues:

Security issue fixed:

- CVE-2018-13440: Return AF_FAIL instead of causing NULL pointer dereferences later (bsc#1100523).


-----------------------------------------
Version 1.0.2-Build1.434 2020-06-24T19:26:28

-----------------------------------------
Patch: SUSE-2020-1662
Released: Thu Jun 18 11:13:05 2020
Summary: Security update for perl
Severity: important
References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
Description:
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built. 
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)


-----------------------------------------
Patch: SUSE-2020-1664
Released: Thu Jun 18 11:19:28 2020
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Severity: moderate
References: 1172377,CVE-2020-13401
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce
runc was updated to version 1.0.0-rc10
containerd was updated to version 1.2.13

- CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router 
  advertisements, and spoof external IPv6 hosts, resulting in obtaining  sensitive information or causing  denial 
  of service (bsc#1172377).


-----------------------------------------
Patch: SUSE-2020-1689
Released: Fri Jun 19 11:03:49 2020
Summary: Recommended update for audit
Severity: important
References: 1156159,1172295
Description:
This update for audit fixes the following issues:

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
- Fix hang on startup. (bsc#1156159)
  

-----------------------------------------
Patch: SUSE-2020-1713
Released: Tue Jun 23 11:15:49 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1172049,1172781,1172782,1172783,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783).
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782).
- CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781).

- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049).


-----------------------------------------
Patch: SUSE-2020-1732
Released: Wed Jun 24 09:42:55 2020
Summary: Security update for curl
Severity: important
References: 1173027,CVE-2020-8177
Description:
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).


-----------------------------------------
Version 1.0.2-Build1.437 2020-06-26T19:21:42

-----------------------------------------
Patch: SUSE-2020-1792
Released: Fri Jun 26 14:06:59 2020
Summary: Security update for python3-requests
Severity: moderate
References: 1054413,1073879,1111622,1122668,761500,922448,929736,935252,945455,947357,961596,967128,CVE-2015-2296,CVE-2018-18074
Description:
This update for python3-requests provides the following fix:

python-requests was updated to 2.20.1.

Update to version 2.20.1:

* Fixed bug with unintended Authorization header stripping for
  redirects using default ports (http/80, https/443).

Update to version 2.20.0:

* Bugfixes

  + Content-Type header parsing is now case-insensitive
    (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise
    uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected
    from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames
    (e.g. files).

Update to version 2.19.1:

* Fixed issue where status_codes.py’s init function failed trying
  to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements

  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.

* Bugfixes

  + Parsing empty Link headers with parse_header_links() no longer
    return one bogus entry.
  + Fixed issue where loading the default certificate bundle from
    a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system
    which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username
    and password in the request. This also fixes the issue of DNS
    queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer
    raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the
    cookie policy correctly.

Update to version 2.18.4:

* Improvements

  + Error messages for invalid headers now include the header name
    for easier debugging

Update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed
    version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead
    of SSLError when encountering SSL problems when using urllib3
    v1.22.

- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
  connections will fail.


-----------------------------------------
Version 1.0.2-Build1.444 2020-07-07T08:53:22

-----------------------------------------
Patch: SUSE-2020-1796
Released: Mon Jun 29 13:27:56 2020
Summary: Security update for unzip
Severity: moderate
References: 1110194,CVE-2018-18384
Description:
This update for unzip fixes the following issues:

- CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194)



-----------------------------------------
Patch: SUSE-2020-1805
Released: Tue Jun 30 17:37:15 2020
Summary: Security update for ntp
Severity: moderate
References: 1169740,1171355,1172651,1173334,CVE-2018-8956,CVE-2020-11868,CVE-2020-13817,CVE-2020-15025
Description:
This update for ntp fixes the following issues:

ntp was updated to 4.2.8p15

- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address 
  frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent 
  a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed 
  mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time 
  from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming 
  the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).	  


-----------------------------------------
Patch: SUSE-2020-1839
Released: Fri Jul  3 12:46:12 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: important
References: 1159819,1168669,1169746,1170908,1171978,1173022,CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25


-----------------------------------------
Patch: SUSE-2020-1842
Released: Fri Jul  3 22:40:42 2020
Summary: Security update for systemd
Severity: moderate
References: 1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386
Description:
This update for systemd fixes the following issues:

- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
- coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)


-----------------------------------------
Patch: SUSE-2020-1855
Released: Mon Jul  6 17:05:29 2020
Summary: Security update for openldap2
Severity: important
References: 1172698,1172704,CVE-2020-8023
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).	  


-----------------------------------------
Patch: SUSE-2020-1859
Released: Mon Jul  6 17:08:28 2020
Summary: Security update for openldap2
Severity: important
References: 1170715,1172698,1172704,CVE-2020-8023
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).	 
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).


-----------------------------------------
Version 1.0.3-Build1.1 2020-07-30T12:26:31

-----------------------------------------
Patch: SUSE-2020-1728
Released: Tue Jun 23 15:33:26 2020
Summary: Recommended update for python3-gcemetadata
Severity: moderate
References: 1045148,1053687,1053695,1097505,1134510,1173136
Description:
This update for python3-gcemetadata fixes the following issues:

- Add this package to SLE-12. (jsc#PM-1900, jsc#ECO-1918)
- Fixed typo, missing '=' for 'identity' option in processed command line options causes mis-identification of instance as missing identity data access
- Handle the condition where the identity data of the instance may not be accessible from the metadata server and provide proper error messaging. (bsc#1134510)
- Support instances with multiple Nics. (bsc#1097505)
- Implement new feature to generate license verification token. (bsc#1053695, bsc#1053695)
- Fix for the '--identity' argument: it must accept a value and the value is required. (bsc#1053687)
- Fix for handling overlapping enpoint names and support writing data to a file and as XML snippets.
- Set proper value for dict lookup to avoid traceback. (bsc#1045148)
 

-----------------------------------------
Patch: SUSE-2020-1884
Released: Fri Jul 10 14:53:27 2020
Summary: Recommended update for xrdp
Severity: low
References: 1129302
Description:
This update for xrdp fixes the following issues:

- dbus will now be started when it is not running to avoid an issue (bsc#1129302)


-----------------------------------------
Patch: SUSE-2020-1914
Released: Wed Jul 15 09:33:48 2020
Summary: Security update for bind
Severity: important
References: 1109160,1118367,1118368,1171740,CVE-2018-5741,CVE-2020-8616,CVE-2020-8617
Description:
This update for bind fixes the following issues:

- Amended documentation referring to rule types 'krb5-subdomain'
  and 'ms-subdomain'. This incorrect documentation could mislead
  operators into believing that policies they had configured were 
  more restrictive than they actually were. [CVE-2018-5741]
- Further limit the number of queries that can be triggered from a
  request.  Root and TLD servers are no longer exempt from 
  max-recursion-queries. Fetches for missing name server address
  records are limited to 4 for any domain. [CVE-2020-8616]
- Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. [CVE-2020-8617]
  [bsc#1109160, bsc#1171740,
   CVE-2018-5741, bind-CVE-2018-5741.patch,
   CVE-2020-8616, bind-CVE-2020-8616.patch,
   CVE-2020-8617, bind-CVE-2020-8617.patch]

- Don't rely on /etc/insserv.conf anymore for proper dependencies
  against nss-lookup.target in named.service and lwresd.service
  (bsc#1118367 bsc#1118368)
- Using a drop-in file


-----------------------------------------
Patch: SUSE-2020-1991
Released: Tue Jul 21 18:48:22 2020
Summary: Security update for xrdp
Severity: important
References: 1173580,CVE-2020-4044
Description:
This update for xrdp fixes the following issues:

- Security fixes (bsc#1173580, CVE-2020-4044):
  + Add patches:
    * xrdp-cve-2020-4044-fix-0.patch
    * xrdp-cve-2020-4044-fix-1.patch
  + Rebase SLE patch:
    * xrdp-fate318398-change-expired-password.patch
- Update patch:
  + xrdp-Allow-sessions-with-32-bpp.patch.patch


-----------------------------------------
Patch: SUSE-2020-1994
Released: Wed Jul 22 06:43:56 2020
Summary: Recommended update for apache2
Severity: important
References: 1172708
Description:
This update for apache2 fixes the following issues:
	  
- Fix for an issue when Apache can crash due to OpenSSL isse in mod_ssl even if another module or library uses OpenSSL. (bsc@1172708, SG#57603)


-----------------------------------------
Patch: SUSE-2020-2053
Released: Mon Jul 27 10:07:51 2020
Summary: Security update for rubygem-excon
Severity: moderate
References: 1159342,CVE-2019-16779
Description:
This update for rubygem-excon fixes the following issues:

- CVE-2019-16779: Fixed an information leak in the socket handling for persistent connections (bsc#1159342)


-----------------------------------------
Patch: SUSE-2020-2059
Released: Tue Jul 28 11:32:56 2020
Summary: Recommended update for grep
Severity: moderate
References: 1163834
Description:
This update for grep fixes the following issues:

Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)


-----------------------------------------
Patch: SUSE-2020-2066
Released: Wed Jul 29 11:10:10 2020
Summary: Security update for samba
Severity: moderate
References: 1173160,CVE-2020-10745
Description:
This update for samba fixes the following issues:

- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets containing dots could potentially have consumed excessive CPU (bsc#1173160).	  


-----------------------------------------
Patch: SUSE-2020-2079
Released: Wed Jul 29 20:01:35 2020
Summary: Security update for grub2
Severity: important
References: 1084632,1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
Description:
This update for grub2 fixes the following issues:

- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  (bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)

- Use overflow checking primitives where the arithmetic expression for buffer
  allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur 
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes
- Fix packed-not-aligned error on GCC 8 (bsc#1084632)


-----------------------------------------
Patch: SUSE-2020-2081
Released: Thu Jul 30 09:49:01 2020
Summary: Recommended update for google-guest-agent, google-guest-configs, and google-guest-oslogin
Severity: moderate
References: 1174304,1174306
Description:
The python based packages google-compute-engine-init and google-compute-engine-oslogin were deprecated
and are now replaced by the new Go based packages google-guest-agent, google-guest-configs, and google-guest-oslogin (jsc#ECO-2099)

-----------------------------------------
Version 1.0.3-Build1.10 2020-08-07T07:53:47

-----------------------------------------
Patch: SUSE-2020-2114
Released: Tue Aug  4 11:27:19 2020
Summary: Recommended update for apache2
Severity: important
References: 1174667
Description:
This update for apache2 fixes the following issues:

- Revert the recent openssl locking changes which caused crashes
  on service reload (bsc#1174667)


-----------------------------------------
Patch: SUSE-2020-2117
Released: Tue Aug  4 15:14:39 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)


-----------------------------------------
Patch: SUSE-2020-2125
Released: Wed Aug  5 09:26:38 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1173474,1173475
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Introduce containerbuild-regionsrv service to allow container building tools to access
  required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475)


-----------------------------------------
Patch: SUSE-2020-2131
Released: Wed Aug  5 13:53:25 2020
Summary: Recommended update for sapconf
Severity: moderate
References: 1124453,1139176,1150868,1150870,1166925,1168067,1168840
Description:
This update for sapconf fixes the following issues:

- Check the values of the 'vm.dirty_*' settings to be in a valid range before activating or restoring these system values. (bsc#1168067)
- Add a logrotate drop-in file for sapconf to control the size of the logfile. (bsc#1166925)
- Implement and use the system wide security limits. (bsc#1168840)
- Add support multi-queued scheduler for block devices. (jsc#SLE-11141, jsc#SLE-11144)
- Remove usage of tuned from sapconf (jsc#SLE-10986, jsc#SLE-10989):
  - Only ONE configuration file for sapconf
  - All parameters of the tuned profile defined in tuned.conf sapconf
  - Implement Switching a sapconf profile.
  - Prevent sapconf related tuned error messages by turning off tuned in the preinstall phase and  removing the 'active' sapconf profile.
- If sapconf detects an improper tuned profile during start notes that the log, fails the start deliberatly and guides the administrator to the problem. (bsc#1139176)
- Use absolute path in the configuration file. (bsc#1124453)
- Replace the delimiter for a sed command in postinstall script, because of conflicts with rpm macros. (bsc#1150868, bsc#1150870)
  

-----------------------------------------
Patch: SUSE-2020-2135
Released: Wed Aug  5 17:53:19 2020
Summary: Optional update for python-setuptools
Severity: low
References: 1174035
Description:
This update for python-setuptools doesn't fix any user visible issues, but changes the
package meta information, in order to support building for other packages (bsc#1174035)

-----------------------------------------
Patch: SUSE-2020-2138
Released: Wed Aug  5 18:01:23 2020
Summary: Recommended update for yast2-ruby-bindings
Severity: important
References: 1172275,1172848
Description:
This update for yast2-ruby-bindings fixes the following issues:

- Fixed a Ruby error when the appliance gets configured during an installation, which
  led to a crash (bsc#1172848)
- Fixed an error where yast2 --ncurses crashed due to an update of the Ruby
  interpreter (bsc#1172275)


-----------------------------------------
Patch: SUSE-2020-2152
Released: Thu Aug  6 15:56:40 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1065729,1146351,1149652,1152457,1162002,1164910,1170011,1170618,1171078,1171189,1171191,1171220,1171732,1171988,1172453,1172458,1172775,1172999,1173280,1173658,1174115,1174462,1174543,CVE-2019-20810,CVE-2019-20812,CVE-2020-0305,CVE-2020-10135,CVE-2020-10711,CVE-2020-10732,CVE-2020-10751,CVE-2020-10773,CVE-2020-12771,CVE-2020-13974,CVE-2020-14416
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191).
- CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189).
- CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067 (bnc#1172453).
- CVE-2020-10732: A flaw was found in the implementation of userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed  (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059. (bnc#1172775).
- CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel did not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586 (bnc#1172458).

The following non-security bugs were fixed:

- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170618).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- ibmvnic: Unmap DMA address of TX descriptor buffers after use (bsc#1146351 ltc#180726).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1164910).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- udp: drop corrupt packets earlier to avoid data corruption (bsc#1173658).


-----------------------------------------
Patch: SUSE-2020-2157
Released: Thu Aug  6 20:04:22 2020
Summary: Security update for python-ipaddress
Severity: important
References: 1173274,CVE-2020-14422
Description:
This update for python-ipaddress fixes the following issues:

- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
  CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
  in IPv4Interface and IPv6Interface could lead to DOS. 


-----------------------------------------
Version 1.0.3-Build1.11 2020-08-08T07:53:28

-----------------------------------------
Patch: SUSE-2020-2173
Released: Fri Aug  7 16:11:16 2020
Summary: Security update for perl-XML-Twig
Severity: moderate
References: 1008644,CVE-2016-9180
Description:
This update for perl-XML-Twig fixes the following issues:

- Security fix [bsc#1008644, CVE-2016-9180]
  * Added: the no_xxe option to XML::Twig::new, which causes the
    parse to fail if external entities are used (to prevent
    malicious XML to access the filesystem).
  * Setting expand_external_ents to 0 or -1 currently doesn't work
    as expected; To completely turn off expanding external entities
    use no_xxe.
  * Update documentation for XML::Twig to mention problems with
    expand_external_ents and add information about new no_xxe argument


-----------------------------------------
Version 1.0.3-Build1.16 2020-08-12T07:52:55

-----------------------------------------
Patch: SUSE-2020-2193
Released: Tue Aug 11 11:59:39 2020
Summary: Optional update for python-setuptools
Severity: low
References: 1174035
Description:

This update for python-packaging delivers it to the Public Cloud Module to satisfy
python-setuptools dependencies.  (bsc#1174035)


-----------------------------------------
Patch: SUSE-2020-2196
Released: Tue Aug 11 13:31:24 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).


-----------------------------------------
Version 1.0.3-Build1.17 2020-08-13T07:51:48

-----------------------------------------
Patch: SUSE-2020-2218
Released: Wed Aug 12 15:47:36 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata
Severity: moderate
References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847
Description:
This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:

supportutils-plugin-suse-public-cloud:

- Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt
  are installed at the same time (bsc#1174618)
- Sensitive information like credentials (such as access keys) will be removed when the
  metadata is being collected (bsc#1170475, bsc#1170476)

python3-azuremetadata:

- Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)
- Detects when the VM is running in ASM (Azure Classic) and does now handle the condition
  to generate the data without requiring access to the full IMDS available, only in ARM
  instances (bsc#1173357, bsc#1174847)


-----------------------------------------
Version 1.0.3-Build1.18 2020-08-15T07:53:14

-----------------------------------------
Patch: SUSE-2020-2249
Released: Fri Aug 14 15:28:24 2020
Summary: Recommended update for grub2
Severity: important
References: 1174782,1175036,1175060
Description:
This update for grub2 fixes the following issues:

- A potential regression has been fixed that would cause systems with an
  updated 'grub2' to boot no longer due to a missing 'grub-calloc' linker
  symbol. (bsc#1174782)


-----------------------------------------
Version 1.0.3-Build1.21 2020-08-19T07:53:05

-----------------------------------------
Patch: SUSE-2020-2261
Released: Tue Aug 18 11:48:30 2020
Summary: Recommended update for sysfsutils
Severity: moderate
References: 1155305
Description:
This update for sysfsutils fixes the following issue:

- Fix cdev name comparison. (bsc#1155305)


-----------------------------------------
Patch: SUSE-2020-2273
Released: Tue Aug 18 18:01:28 2020
Summary: Recommended update for wicked
Severity: moderate
References: 1165180,1174785
Description:

This update of wicked fixes the obsoletion of older libwicked-0-6-0 library. (bsc#1165180 bsc#1174785)
  

-----------------------------------------
Version 1.0.3-Build1.22 2020-08-20T07:52:54

-----------------------------------------
Patch: SUSE-2020-2275
Released: Wed Aug 19 13:21:33 2020
Summary: Security update for python
Severity: moderate
References: 1174091,CVE-2019-20907
Description:
This update for python fixes the following issues:

- CVE-2019-20907: Avoid a possible infinite loop caused by specifically crafted tarballs (bsc#1174091).


-----------------------------------------
Version 1.0.3-Build1.23 2020-08-21T07:54:07

-----------------------------------------
Patch: SUSE-2020-2287
Released: Thu Aug 20 16:07:37 2020
Summary: Recommended update for grep
Severity: moderate
References: 1174080
Description:
This update for grep fixes the following issues:

- Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)


-----------------------------------------
Version 1.0.3-Build1.24 2020-08-22T07:55:56

-----------------------------------------
Patch: SUSE-2020-2294
Released: Fri Aug 21 16:59:17 2020
Summary: Recommended update for openldap2
Severity: important
References: 1174537
Description:
This update for openldap2 fixes the following issues:

- Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)


-----------------------------------------
Version 1.0.3-Build1.27 2020-08-26T07:55:04

-----------------------------------------
Patch: SUSE-2020-2304
Released: Tue Aug 25 14:47:08 2020
Summary: Security update for grub2
Severity: important
References: 1172745,1174421,CVE-2020-15705
Description:
This update for grub2 fixes the following issues:

- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).


-----------------------------------------
Patch: SUSE-2020-2320
Released: Tue Aug 25 15:40:26 2020
Summary: Recommended update for python
Severity: moderate
References: 1175619
Description:
This update for python provides the following fix:

- Set correct value of %python2_package_prefix to python
  (as expected on SLE-12). (bsc#1175619)


-----------------------------------------
Version 1.0.3-Build1.28 2020-08-27T07:55:01

-----------------------------------------
Patch: SUSE-2020-2331
Released: Wed Aug 26 09:52:34 2020
Summary: Security update for xorg-x11-server
Severity: moderate
References: 1174633,1174635,1174638,CVE-2020-14345,CVE-2020-14346,CVE-2020-14347
Description:
This update for xorg-x11-server fixes the following issues:

- CVE-2020-14347: Leak of uninitialized heap memory from the X server to clients on pixmap allocation (bsc#1174633, ZDI-CAN-11426).
- CVE-2020-14346: XIChangeHierarchy Integer Underflow Privilege Escalation Vulnerability (bsc#1174638, ZDI-CAN-11429).
- CVE-2020-14345: XKB out-of-bounds access privilege escalation vulnerability (bsc#1174635, ZDI-CAN-11428).


-----------------------------------------
Patch: SUSE-2020-2339
Released: Wed Aug 26 13:45:17 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: important
References: 1174731,1174732,1174743,1174791,1174837,1174937,1175752,1175753
Description:
This update for cloud-regionsrv-client contains the following fixes:

- Fixed an issue where the cache object for the update server was incomplete
  (bsc#1175752, bsc#1175753)
- Implemented changes to configure the client to use https only for outbound
  traffic (bsc#1174791, bsc#1174937)
- Prefering now IMDSv2 and switched all IMDS access requests to support v2 token
  (bsc#1174743, bsc#1174837)
- Improved the failover situation during registration, so that the client will now retry
  the last registration operation, before switching to another registration server.
  (bsc#1174731, bsc#1174732)


-----------------------------------------
Patch: SUSE-2020-2342
Released: Wed Aug 26 15:58:28 2020
Summary: Recommended update for regionServiceClientConfigGCE
Severity: moderate
References: 1174791,1174937
Description:
This update for regionServiceClientConfigGCE contains the following fixes:

- Update to version 3.0.1. (bsc#1174791, bsc#1174937)
  + New configuration to switch to https only outgoing traffic.


-----------------------------------------
Version 1.0.3-Build1.30 2020-08-29T07:53:20

-----------------------------------------
Patch: SUSE-2020-2379
Released: Fri Aug 28 14:53:37 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: moderate
References: 1175250,1175251
Description:
This update for supportutils-plugin-suse-public-cloud contains the following fix:

- Update to version 1.0.5: (bsc#1175250, bsc#1175251)
  + Query for new GCE initialization code packages


-----------------------------------------
Version 1.0.3-Build1.33 2020-09-02T07:54:24

-----------------------------------------
Patch: SUSE-2020-2401
Released: Tue Sep  1 08:23:29 2020
Summary: Security update for xorg-x11-server
Severity: important
References: 1174910,1174913,CVE-2020-14361,CVE-2020-14362
Description:
This update for xorg-x11-server fixes the following issues:

- CVE-2020-14361: Fix XkbSelectEvents() integer underflow (bsc#1174910 ZDI-CAN-11573).
- CVE-2020-14362: Fix XRecordRegisterClients() Integer underflow (bsc#1174913 ZDI-CAN-11574).


-----------------------------------------
Patch: SUSE-2020-2410
Released: Tue Sep  1 13:15:48 2020
Summary: Recommended update for pam
Severity: low
References: 1173593
Description:

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com
  a pam version with a higher release number than the last update of pam
  was delivered. This update releases pam with a  higher release number
  to align it with this media. (bsc#1173593)
  

-----------------------------------------
Patch: SUSE-2020-2426
Released: Tue Sep  1 13:55:11 2020
Summary: Recommended update for sysstat
Severity: low
References: 1173593
Description:

This update for sysstat fixes the following issue:

- sysstat was rebuild with a higher release number to adjust against
  other released 12 SP5 images, where the release number was too high. (bsc#1173593)
  

-----------------------------------------
Patch: SUSE-2020-2428
Released: Tue Sep  1 22:07:35 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1174673
Description:
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017


-----------------------------------------
Patch: SUSE-2020-2439
Released: Tue Sep  1 22:13:01 2020
Summary: Recommended update for avahi
Severity: moderate
References: 1154063
Description:
This update for avahi fixes the following issues:

- When changing ownership of /var/lib/autoipd, only change
  ownership of files owned by avahi, to mitigate against
  possible exploits (bsc#1154063).


-----------------------------------------
Version 1.0.3-Build1.34 2020-09-03T07:54:19

-----------------------------------------
Patch: SUSE-2020-2450
Released: Wed Sep  2 11:47:38 2020
Summary: Security update for apache2
Severity: moderate
References: 1175070,1175071,1175072,CVE-2020-11985,CVE-2020-11993,CVE-2020-9490
Description:
This update for apache2 fixes the following issues:

- CVE-2020-9490: Fixed a crash caused by a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request (bsc#1175071).
- CVE-2020-11985: IP address spoofing when proxying using mod_remoteip and mod_rewrite (bsc#1175072).
- CVE-2020-11993: When trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection (bsc#1175070).


-----------------------------------------
Version 1.0.3-Build1.36 2020-09-04T07:54:17

-----------------------------------------
Patch: SUSE-2020-2475
Released: Thu Sep  3 12:10:58 2020
Summary: Security update for libX11
Severity: moderate
References: 1175239,CVE-2020-14363
Description:
This update for libX11 fixes the following issues:

- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).


-----------------------------------------
Version 1.0.3-Build1.40 2020-09-09T07:54:28

-----------------------------------------
Patch: SUSE-2020-2570
Released: Tue Sep  8 14:59:35 2020
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1172491,CVE-2020-13790
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491).


-----------------------------------------
Version 1.0.3-Build1.42 2020-09-10T07:54:05

-----------------------------------------
Patch: SUSE-2020-2582
Released: Wed Sep  9 15:26:08 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1152107,1173798,1174205,1174757,1174771,1175112,1175127,1175228,1175691,1176069,CVE-2019-16746,CVE-2020-14314,CVE-2020-14331,CVE-2020-14386,CVE-2020-16166
Description:
The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2019-16746: Fixed an improper check of the length of variable elements in a beacon head, leading to a buffer overflow (bsc#1152107).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).

The following non-security bugs were fixed:

- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).


-----------------------------------------
Patch: SUSE-2020-2587
Released: Wed Sep  9 22:03:04 2020
Summary: Recommended update for procps
Severity: moderate
References: 1174660
Description:
This update for procps fixes the following issues:

- Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)


-----------------------------------------
Version 1.0.3-Build1.43 2020-09-12T07:57:13

-----------------------------------------
Patch: SUSE-2020-2609
Released: Fri Sep 11 10:58:59 2020
Summary: Security update for libxml2
Severity: moderate
References: 1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
Description:
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
  

-----------------------------------------
Version 1.0.3-Build1.45 2020-09-15T07:57:31

-----------------------------------------
Patch: SUSE-2020-2618
Released: Mon Sep 14 11:08:42 2020
Summary: Security update for cifs-utils
Severity: moderate
References: 1149164,1152930,1174477,CVE-2020-14342
Description:
This update for cifs-utils fixes the following issues:

- CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477). 
- Fixed an invalid free in mount.cifs; (bsc#1152930).
- Fixed a double-free in mount.cifs; (bsc#1149164).


-----------------------------------------
Version 1.0.3-Build1.49 2020-09-19T07:57:53

-----------------------------------------
Patch: SUSE-2020-2634
Released: Tue Sep 15 11:18:53 2020
Summary: Security update for compat-openssl098
Severity: important
References: 1153785,1176331,CVE-2019-1563,CVE-2020-1968
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2020-1968: Introduced hardening against the Raccoon attack by always generating fresh DH keys 
  and never reuse them across multiple TLS connections (bsc#1176331).


-----------------------------------------
Patch: SUSE-2020-2656
Released: Wed Sep 16 14:44:53 2020
Summary: Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin
Severity: moderate
References: 1174745,1175173,1175740,1175741
Description:
This update for google-guest-agent, google-guest-configs, google-guest-oslogin contains the following fixes:

- Update to version 20200819.00. (bsc#1175740, bsc#1175741)
  * handle oslogin enable/disable cases (#70). (bsc#1175173)
  * add README (#69)
  * Fix metric for addIPForwardEntry (#68)
  * Correctly determine default route index (#67)
  * oslogin: dont add entry to pam.d/su (#66)
  * end group.conf with newline (#64)
  * Add source field in googet spec (#59)
  * Set route to metadata on interface with default route (#47)
  * fix typo in boto.cfg (#62)
- Properly handle enabling of systemd services when upgrading
  from the old google-compute-engine-init package. (bsc#1174745)

- Update to version 20200626.00. (bsc#1175740, bsc#1175741)
  * Updates the udev rules for local SSD disks. (#9)
  * Fix tx affinity logic when number of CPUs is above 32 (#6)

- Switch udev requires to pkgconfig to allow the build service to use
  the -mini package for build optimization

- Update to version 20200819.00. (bsc#1175740, bsc#1175741)
  * deny non-2fa users (#37)
  * use asterisks instead (#39)
  * set passwords to ! (#38)
  * correct index 0 bug (#36)
  * Support security key generated OTP challenges. (#35)

- No post action for ssh


-----------------------------------------
Patch: SUSE-2020-2660
Released: Wed Sep 16 16:15:10 2020
Summary: Security update for libsolv
Severity: moderate
References: 1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libsolv fixes the following issues:

This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.

libsolv was updated to version 0.6.36 fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).



-----------------------------------------
Version 1.0.3-Build1.52 2020-09-23T08:17:55

-----------------------------------------
Patch: SUSE-2020-2687
Released: Mon Sep 21 10:54:58 2020
Summary: Security update for less
Severity: moderate
References: 921719,CVE-2014-9488
Description:
This update for less fixes the following issues:

Security issue fixed:

- CVE-2014-9488: Malformed UTF-8 data could have caused an out of bounds read in 
  the UTF-8 decoding routines, causing an invalid read access (bsc#921719).


-----------------------------------------
Patch: SUSE-2020-2690
Released: Mon Sep 21 10:57:00 2020
Summary: Security update for jasper
Severity: low
References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807,CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
Description:
This update for jasper fixes the following issues:

- CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979).
- CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980).
- CVE-2016-9397: Fix assert in jpc_dequantize (bsc#1010786).
- CVE-2016-9557: Fix signed integer overflow (bsc#1011829).
- CVE-2017-5499: Validate component depth bit (bsc#1020451).
- CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456).
- CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458).
- CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460).
- CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152).
- CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115).
- CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278).
- CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498).
- CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637).
- CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328).
- CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807).
- CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805).


-----------------------------------------
Patch: SUSE-2020-2699
Released: Mon Sep 21 17:53:48 2020
Summary: Security update for python3
Severity: important
References: 1088004,1088009,1130840,1141853,1149955,1153238,1162423,1173274,1174091,1174701,CVE-2018-14647,CVE-2018-20852,CVE-2019-16056,CVE-2019-16935,CVE-2019-20907,CVE-2019-9947,CVE-2020-14422
Description:
This update for python3 fixes the following issues:

- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface 
  could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).


-----------------------------------------
Version 1.0.3-Build1.54 2020-09-24T07:55:19

-----------------------------------------
Patch: SUSE-2020-2721
Released: Wed Sep 23 11:32:27 2020
Summary: Security update for samba
Severity: important
References: 1174120,1174316,1176579,CVE-2020-1472
Description:
This update for samba fixes the following issues:

-  ZeroLogon: An elevation of privilege was possible with some configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) 
(CVE-2020-1472, bsc#1176579).

- Fixed an issue where multiple home folders were created(bsc#1174316, bso#13369).

- Fixed an issue where the net command was unable to negotiate SMB2 (bsc#1174120);


-----------------------------------------
Version 1.0.3-Build1.55 2020-09-25T07:55:45

-----------------------------------------
Patch: SUSE-2020-2740
Released: Thu Sep 24 17:26:44 2020
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1174838
Description:
This update for open-iscsi fixes the following issues:

- Address sysfs access (bsc#1174838)
  * Handle ENOTCONN error separately when reading sysfs values.
  * Allow reading sysfs 'port' to fail gracefully.


-----------------------------------------
Version 1.0.3-Build1.59 2020-09-30T07:55:58

-----------------------------------------
Patch: SUSE-2020-2777
Released: Tue Sep 29 11:26:41 2020
Summary: Recommended update for systemd
Severity: moderate
References: 1169488,1173227
Description:
This update for systemd fixes the following issues:

- Fixes some file mode inconsistencies  for some ghost files (bsc#1173227)
- Fixes an issue where the system could hang on reboot (bsc#1169488)


-----------------------------------------
Patch: SUSE-2020-2778
Released: Tue Sep 29 11:27:26 2020
Summary: Recommended update for rsyslog
Severity: moderate
References: 1173433
Description:
This update for rsyslog fixes the following issues:

- Fix the URL for bug reporting. (bsc#1173433)


-----------------------------------------
Version 1.0.3-Build1.60 2020-10-01T07:55:31

-----------------------------------------
Patch: SUSE-2020-2802
Released: Wed Sep 30 09:59:28 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1174697
Description:
This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)


-----------------------------------------
Patch: SUSE-2020-2806
Released: Wed Sep 30 14:36:08 2020
Summary: Security update for tar
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
Description:
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).


-----------------------------------------
Version 1.0.3-Build1.62 2020-10-09T11:13:14

-----------------------------------------
Patch: SUSE-2020-2878
Released: Thu Oct  8 08:24:06 2020
Summary: Recommended update for wicked
Severity: moderate
References: 1160939,1168155,1171234,1172082,1174099,959556
Description:
This update for wicked fixes the following issues:

- Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099)
- Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770)
- Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082)
- Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234)
- Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556)
- Implement support for RFC7217. (jsc#SLE-6960)
- Fix for schema to avoid not applying 'rto_min' including new time format. (bsc#1160939)


-----------------------------------------
Version 1.0.3-Build1.63 2020-10-12T15:31:40

-----------------------------------------
Patch: SUSE-2020-2888
Released: Mon Oct 12 10:05:39 2020
Summary: Recommended update for systemd-rpm-macros
Severity: moderate
References: 1173034,1176932,1177034
Description:
This update for systemd-rpm-macros fixes the following issues:

- Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034)

- Backport missing macros of directory paths from upstream
  + %_environmentdir
  + %_modulesloaddir
  + %_modprobedir

- Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the
  empty string. (bsc#1176932)
  Otherwise sequences like the following code:
     if [ ... ]; then
        %_restart_on_update_never
     fi
  would result in the following incorrect shell syntax:
     if [ ... ]; then
     fi

- Passing %{?*} when calling a macro is broken, so workaround it. (bsc#1177034)


-----------------------------------------
Version 1.0.3-Build1.65 2020-10-13T11:21:22

-----------------------------------------
Patch: SUSE-2020-2895
Released: Tue Oct 13 10:35:14 2020
Summary: Recommended update for cloud-regionsrv-client
Severity: moderate
References: 1176858,1176859
Description:
This update for cloud-regionsrv-client fixes the following issues:

- Fix for properly handling the exit code for 'SUSEConnect' and provide log message with failure details for registration failure. (bsc#1176858, bsc#1176859)


-----------------------------------------
Version 1.0.3-Build1.67 2020-10-15T07:59:02

-----------------------------------------
Patch: SUSE-2020-2897
Released: Tue Oct 13 14:00:25 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1170347,1176759
Description:
This update for suse-build-key fixes the following issues:

- This update extends the suse build key (bsc#1176759)
- The SUSE container key is different from the build key. (PM-1845 bsc#1170347)


-----------------------------------------
Patch: SUSE-2020-2898
Released: Tue Oct 13 14:17:00 2020
Summary: Security update for tigervnc
Severity: critical
References: 1176733,CVE-2020-26117
Description:
This update for tigervnc fixes the following issues:

- CVE-2020-26117: Server certificates were stored as certiticate
  authorities, allowing malicious owners of these certificates
  to impersonate any server after a client had added an exception
  (bsc#1176733).


-----------------------------------------
Patch: SUSE-2020-2900
Released: Tue Oct 13 14:20:15 2020
Summary: Security update for libproxy
Severity: important
References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154
Description:
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).	  


-----------------------------------------
Version 1.0.3-Build1.68 2020-10-17T07:59:33

-----------------------------------------
Patch: SUSE-2020-2942
Released: Fri Oct 16 09:47:36 2020
Summary: Security update for blktrace
Severity: low
References: 1091942,CVE-2018-10689
Description:
blktrace was updated to fix a security issue:

- CVE-2018-10689: Prevent buffer overflow in the dev_map_read function because
  the device and devno arrays were too small (bsc#1091942)
  

-----------------------------------------
Version 1.0.3-Build1.70 2020-10-21T07:59:21

-----------------------------------------
Patch: SUSE-2020-2959
Released: Tue Oct 20 12:33:48 2020
Summary: Recommended update for file
Severity: moderate
References: 1176123
Description:
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)


-----------------------------------------
Version 1.0.3-Build1.74 2020-10-26T09:41:08

-----------------------------------------
Patch: SUSE-2020-2987
Released: Wed Oct 21 15:13:28 2020
Summary: Recommended update for sysstat
Severity: moderate
References: 1174227
Description:
This update for sysstat fixes the following issues:

- Fix for an issue when 'iowait' output of 'sar' can also decrement as a result of inaccurate tracking. (bsc#1174227)


-----------------------------------------
Patch: SUSE-2020-2998
Released: Thu Oct 22 10:04:33 2020
Summary: Security update for freetype2
Severity: important
References: 1177914,CVE-2020-15999
Description:
This update for freetype2 fixes the following issues:

- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).


-----------------------------------------
Patch: SUSE-2020-3024
Released: Fri Oct 23 14:21:54 2020
Summary: Security update for glibc
Severity: moderate
References: 1149332,1165784,1171878,1172085,1176013,CVE-2020-10029
Description:
This update for glibc fixes the following issues:
	  
- CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
- Use posix_spawn on popen (bsc#1149332, bsc#1176013)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
- Fixed concurrent changes on nscd aware files (bsc#1171878)


-----------------------------------------
Patch: SUSE-2020-3030
Released: Mon Oct 26 09:24:19 2020
Summary: Security update for SDL
Severity: moderate
References: 1141844,CVE-2019-13616
Description:
This update for SDL fixes the following issues:

Secuirty issue fixed:

- CVE-2019-13616: Fixed heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit (bsc#1141844).


-----------------------------------------
Version 1.0.3-Build1.78 2020-10-28T07:57:43

-----------------------------------------
Patch: SUSE-2020-3043
Released: Tue Oct 27 10:18:10 2020
Summary: Recommended update for apache2
Severity: low
References: 
Description:
This update for apache2 fixes the following issues:

- Added -a argument to 'gensslcert' to allow to override the default SAN value


-----------------------------------------
Version 1.0.3-Build1.80 2020-10-30T07:59:43

-----------------------------------------
Patch: SUSE-2020-3093
Released: Thu Oct 29 16:39:14 2020
Summary: Security update for samba
Severity: important
References: 1173902,1173994,1177613,CVE-2020-14318,CVE-2020-14323,CVE-2020-14383
Description:
This update for samba fixes the following issues:

- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).


-----------------------------------------
Patch: SUSE-2020-3100
Released: Thu Oct 29 19:34:18 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.


-----------------------------------------
Patch: SUSE-2020-3105
Released: Thu Oct 29 19:41:09 2020
Summary: Recommended update for sapconf
Severity: moderate
References: 1173347,1176061,1176565
Description:
This update for sapconf fixes the following issues:

- Fix to not blocking the start of sapconf after an unexpected and ungracefull reboot of the system. (bsc#1176565)
- Enable and start sapconf.service during package update, if tuned is running with a sapconf profile. (bsc#1176061)
- Add missing commands 'restart' and 'try-restart' to the usage message. (bsc#1173347)


-----------------------------------------
Version 1.0.3-Build1.83 2020-11-03T08:00:33

-----------------------------------------
Patch: SUSE-2020-3121
Released: Mon Nov  2 17:08:23 2020
Summary: Security update for python
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python fixes the following issues:

- CVE-2020-26116: Fixed CRLF injection via HTTP request method (bsc#1177211).


-----------------------------------------
Version 1.0.3-Build1.86 2020-11-06T08:01:01

-----------------------------------------
Patch: SUSE-2020-3139
Released: Tue Nov  3 13:18:28 2020
Summary: Recommended update for timezone
Severity: important
References: 1177460,1178346,1178350,1178353
Description:
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.


-----------------------------------------
Patch: SUSE-2020-3156
Released: Wed Nov  4 15:21:49 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1177864
Description:
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority


-----------------------------------------
Patch: SUSE-2020-3158
Released: Thu Nov  5 07:59:43 2020
Summary: Recommended update for crash
Severity: moderate
References: 1174543
Description:

This update of crash fixes the following issue:

- rebuilt with new signing key. (bsc#1174543)
  

-----------------------------------------
Version 1.0.3-Build1.87 2020-11-07T08:00:26

-----------------------------------------
Patch: SUSE-2020-3196
Released: Fri Nov  6 12:59:28 2020
Summary: Recommended update for grub2
Severity: moderate
References: 1172952,1176062,1177957,1178278
Description:
This update for grub2 fixes the following issues:

- Fixed an issue, where the https boot was interrupted by an unrecognized network address
  error message (bsc#1172952)
- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)
- Fixed a boot failure issue on blocklist installations (bsc#1178278)


-----------------------------------------
Version 1.0.3-Build1.90 2020-11-11T08:00:09

-----------------------------------------
Patch: SUSE-2020-3262
Released: Tue Nov 10 09:46:06 2020
Summary: Security update for python3
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python3 fixes the following issues:

- bsc#1177211 (CVE-2020-26116) no longer allowing special characters in the method parameter 
  of HTTPConnection.putrequest in httplib, stopping injection of headers.


-----------------------------------------
Patch: SUSE-2020-3263
Released: Tue Nov 10 09:48:14 2020
Summary: Security update for gcc10
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
Description:
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

        CC=gcc-10
        CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
  

-----------------------------------------
Patch: SUSE-2020-3266
Released: Tue Nov 10 14:54:26 2020
Summary: Recommended update for yast2-mail
Severity: low
References: 1176645
Description:
This update for yast2-mail fixes the following issues:

- Fixes an issue when YaST2 Mail puts excess brackets in postfix configuration file. (bsc#1176645)


-----------------------------------------
Version 1.0.3-Build1.92 2020-11-14T08:01:57

-----------------------------------------
Patch: SUSE-2020-3305
Released: Thu Nov 12 14:16:00 2020
Summary: Recommended update for sysstat
Severity: moderate
References: 1177747
Description:
This update for sysstat fixes the following issues:

- Fix iostat switch '-y' to display the correct results. (bsc#1177747)


-----------------------------------------
Patch: SUSE-2020-3314
Released: Thu Nov 12 16:10:36 2020
Summary: Security update for openldap2
Severity: important
References: 1178387,CVE-2020-25692
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).


-----------------------------------------
Patch: SUSE-2020-3315
Released: Thu Nov 12 16:12:15 2020
Summary: Security update for openldap2
Severity: important
References: 1178387,CVE-2020-25692
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).


-----------------------------------------
Version 1.0.3-Build1.97 2020-11-18T08:00:50

-----------------------------------------
Patch: SUSE-2020-3336
Released: Mon Nov 16 12:51:26 2020
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1130864,1155027,1155911,1160007
Description:
This update for SUSEConnect fixes the following issues:

- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
- Add 'rpmlintrc' to filter false-positive warning about patch not applied
- Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)
- Fix cloud provider detection on AWS large instances. (bsc#1160007)
- Forbid de-registration for on-demand Public Cloud instances. (bsc#1155911)
- Fix the '.spec' file to correctly apply patches up to SLE15SP2. (bsc#1130864)


-----------------------------------------
Patch: SUSE-2020-3346
Released: Mon Nov 16 17:44:39 2020
Summary: Recommended update for zypper
Severity: moderate
References: 1169947,1178038
Description:
This update for zypper fixes the following issues:

- Fixed an issue, where zypper crashed when the system language is set to Spanish and the user
  tried to patch their system with 'zypper patch --category security' (bsc#1178038)
- Fixed a typo in man page (bsc#1169947)


-----------------------------------------
Patch: SUSE-2020-3360
Released: Tue Nov 17 13:40:54 2020
Summary: Security update for tcpdump
Severity: moderate
References: 1153098,1153332,1178466,CVE-2017-16808,CVE-2018-10103,CVE-2018-10105,CVE-2018-14461,CVE-2018-14462,CVE-2018-14463,CVE-2018-14464,CVE-2018-14465,CVE-2018-14466,CVE-2018-14467,CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14879,CVE-2018-14880,CVE-2018-14881,CVE-2018-14882,CVE-2018-16227,CVE-2018-16228,CVE-2018-16229,CVE-2018-16230,CVE-2018-16300,CVE-2018-16301,CVE-2018-16451,CVE-2018-16452,CVE-2019-1010220,CVE-2019-15166,CVE-2019-15167,CVE-2020-8037
Description:
This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

The previous update of tcpdump already fixed variuous Buffer overflow/overread vulnerabilities [bsc#1153098, bsc#1153332]

- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)
- CVE-2018-14469 (IKEv1)
- CVE-2018-14470 (BABEL)
- CVE-2018-14466 (AFS/RX)
- CVE-2018-14461 (LDP)
- CVE-2018-14462 (ICMP)
- CVE-2018-14465 (RSVP)
- CVE-2018-14464 (LMP)
- CVE-2019-15166 (LMP)
- CVE-2018-14880 (OSPF6)
- CVE-2018-14882 (RPL)
- CVE-2018-16227 (802.11)
- CVE-2018-16229 (DCCP)
- CVE-2018-14467 (BGP)
- CVE-2018-14881 (BGP)
- CVE-2018-16230 (BGP)
- CVE-2018-16300 (BGP)
- CVE-2018-14463 (VRRP)
- CVE-2019-15167 (VRRP)
- CVE-2018-14879 (tcpdump -V)
- CVE-2018-16228 (HNCP) is a duplicate of the already fixed CVE-2019-1010220
- CVE-2018-16301 (fixed in libpcap)
- CVE-2018-16451 (SMB)
- CVE-2018-16452 (SMB)
- CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
- CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)


-----------------------------------------
Version 1.0.3-Build1.98 2020-11-20T08:02:49

-----------------------------------------
Patch: SUSE-2020-3379
Released: Thu Nov 19 09:30:16 2020
Summary: Security update for krb5
Severity: moderate
References: 1178512,CVE-2020-28196
Description:
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).


-----------------------------------------
Version 1.0.3-Build1.102 2020-11-25T08:01:54

-----------------------------------------
Patch: SUSE-2020-3489
Released: Mon Nov 23 14:07:31 2020
Summary: Recommended update for systemd
Severity: moderate
References: 1083571,1139459,1176513,1176800,1177458,1177510
Description:
This update for systemd fixes the following issues:

- Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
- Fixed a buffer overflow in systemd ask-password (bsc#1177510)
- Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses
  the 'bg' option while the NFS server is not reachable (bsc#1176513)
- Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

Exclusively for SUSE Linux Enterprise 12 SP5:

- cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)


-----------------------------------------
Patch: SUSE-2020-3492
Released: Mon Nov 23 18:25:16 2020
Summary: Recommended update for parted
Severity: moderate
References: 1137259
Description:
This update for parted fixes the following issue:

- Do not probe the partitions ending with `_part`. (bsc#1137259)


-----------------------------------------
Patch: SUSE-2020-3503
Released: Tue Nov 24 14:31:36 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1065600,1083244,1121826,1121872,1157298,1160917,1170415,1175228,1175306,1175721,1175749,1176011,1176069,1176235,1176253,1176278,1176381,1176382,1176423,1176482,1176721,1176722,1176725,1176816,1176896,1176990,1177027,1177086,1177121,1177165,1177206,1177226,1177410,1177411,1177511,1177513,1177725,1177766,1177816,1178123,1178622,1178782,CVE-2017-18204,CVE-2019-19063,CVE-2019-6133,CVE-2020-0404,CVE-2020-0427,CVE-2020-0431,CVE-2020-0432,CVE-2020-12352,CVE-2020-14351,CVE-2020-14381,CVE-2020-14390,CVE-2020-25212,CVE-2020-25284,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645,CVE-2020-25656,CVE-2020-25668,CVE-2020-25705,CVE-2020-26088,CVE-2020-8694
Description:

The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bug fixes.


The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).
- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bsc#1178123).
- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).
- CVE-2020-25212: Fixed A TOCTOU mismatch in the NFS client code which could have been used by local attackers to corrupt memory (bsc#1176381).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).
- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).
- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2019-19063: Fixed two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c, which could have allowed an attacker to cause a denial of service (memory consumption) (bsc#1157298).
- CVE-2019-6133: In PolicyKit (aka polkit), the 'start time' protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c (bsc#1121872).
- CVE-2017-18204: Fixed a denial of service in the ocfs2_setattr function of fs/ocfs2/file.c (bnc#1083244).

The following non-security bugs were fixed:

- hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1176816).
- net/packet: fix overflow in tpacket_rcv (bsc#1176069).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).


-----------------------------------------
Patch: SUSE-2020-3508
Released: Wed Nov 25 07:36:01 2020
Summary: Recommended update for lifecycle-data-sle-module-toolchain
Severity: moderate
References: 
Description:
This update for lifecycle-data-sle-module-toolchain fixes the following issues:

- Added lifecycle expiration data for the GCC 9 yearly update for the Toolchain/Development modules.  

  (jsc#ECO-2373, jsc#SLE-5825, jsc#SLE-5838, jsc#SLE-7268, jsc#SLE-10952, FATE#327368)


-----------------------------------------
Version 1.0.3-Build1.103 2020-11-26T08:01:34

-----------------------------------------
Patch: SUSE-2020-3527
Released: Thu Nov 26 01:49:22 2020
Summary: Recommended update for google-guest-agent
Severity: moderate
References: 1159460,1178486
Description:
This update for google-guest-agent contains the following fixes:

- Update to version 20201026.00
  * remove old unused workflow files
  * fallback to IP for metadata
  * getPasswd: Check full prefix of line for username

- dont_overwrite_ifcfg.patch: Do not overwrite existing ifcfg files
  to allow manual configuration and compatibility with
  cloud-netconfig (bsc#1159460, bsc#1178486)

- Update to version 20200929.00
  * correct varname
  * don't call dhclient -x on network setup
  * add instance id dir override
  * update agent systemd service file
  * typo, change to noadjfile
  * add gaohannk to OWNERS
  * remove illfelder from OWNERS
  * Add all license files to packages


-----------------------------------------
Version 1.0.3-Build1.106 2020-12-02T07:57:54

-----------------------------------------
Patch: SUSE-2020-3569
Released: Mon Nov 30 17:13:16 2020
Summary: Recommended update for pam
Severity: moderate
References: 1178727
Description:
This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)


-----------------------------------------
Patch: SUSE-2020-3573
Released: Mon Nov 30 18:13:05 2020
Summary: Recommended update for sg3_utils
Severity: low
References: 1116107
Description:
This update for sg3_utils fixes the following issues:

- Fixed wrong device ID for devices using NAA extended format (bsc#1116107)


-----------------------------------------
Patch: SUSE-2020-3585
Released: Tue Dec  1 16:30:20 2020
Summary: Security update for xorg-x11-server
Severity: important
References: 1174908,1177596,CVE-2020-14360,CVE-2020-25712
Description:
This update for xorg-x11-server fixes the following issues:

- CVE-2020-25712: Fixed a heap-based buffer overflow which could have led to privilege escalation (bsc#1177596).
- CVE-2020-14360: Fixed an out of bounds memory accesses on too short request which could lead to denial of service (bsc#1174908).


-----------------------------------------
Version 1.0.3-Build1.107 2020-12-03T07:58:55

-----------------------------------------
Patch: SUSE-2020-3594
Released: Wed Dec  2 10:37:03 2020
Summary: Security update for python-setuptools
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python-setuptools fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Patch: SUSE-2020-3596
Released: Wed Dec  2 10:40:50 2020
Summary: Security update for python3
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python3 fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Version 1.0.3-Build1.109 2020-12-04T08:50:12

-----------------------------------------
Patch: SUSE-2020-3621
Released: Thu Dec  3 17:05:06 2020
Summary: Recommended update for glib2
Severity: moderate
References: 1178346
Description:
This update for glib2 fixes the following issues:

- Add basic support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)


-----------------------------------------
Version 1.0.3-Build1.110 2020-12-06T08:12:14

-----------------------------------------
Patch: SUSE-2020-3629
Released: Fri Dec  4 17:03:35 2020
Summary: Security update for python-cryptography
Severity: moderate
References: 1178168,CVE-2020-25659
Description:
This update for python-cryptography fixes the following issues:

- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).


-----------------------------------------
Version 1.0.4-Build1.2 2020-12-11T12:33:20

-----------------------------------------
Patch: SUSE-2020-3278
Released: Wed Nov 11 09:07:14 2020
Summary: Recommended update for google-osconfig-agent
Severity: moderate
References: 1176427,1178249
Description:
This update for google-osconfig-agent fixes the following issues:

This update ships the google-osconfig-agent in version 20200929.00 (bsc#1176427, bsc#1178249, jsc#ECO-2702, jsc#PM-2203)



-----------------------------------------
Patch: SUSE-2020-3754
Released: Fri Dec 11 08:54:50 2020
Summary: Recommended update for yast2-tune
Severity: moderate
References: 1052770,1177035
Description:
This update for yast2-tune fixes the following issue:

- Fixed scheduler activation. (bsc#1052770, bsc#1177035)
  
  Do not activate the new scheduler for devices which do not support it.


-----------------------------------------
Version 1.0.4-Build1.3 2020-12-12T13:02:24

-----------------------------------------
Patch: SUSE-2020-3763
Released: Fri Dec 11 14:17:32 2020
Summary: Security update for openssl
Severity: important
References: 1179491,CVE-2020-1971
Description:
This update for openssl fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).


-----------------------------------------
Patch: SUSE-2020-3765
Released: Fri Dec 11 14:27:27 2020
Summary: Security update for python
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Version 1.0.4-Build1.5 2020-12-15T07:41:19

-----------------------------------------
Patch: SUSE-2020-3794
Released: Mon Dec 14 17:40:20 2020
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1174215,1178925,1178966
Description:
This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)

  The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)
  
  The authorization header may include base64 encoded credentials which could be restored from the log file. 
  The credentials are now stripped from the log.


-----------------------------------------
Patch: SUSE-2020-3800
Released: Mon Dec 14 18:55:59 2020
Summary: Security update for curl
Severity: moderate
References: 1175109,1179398,CVE-2020-8231,CVE-2020-8284
Description:
This update for curl fixes the following issues:

- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
- CVE-2020-8231: Fixed an issue with trusting FTP PASV responses (bsc#1175109).


-----------------------------------------
Version 1.0.4-Build1.7 2020-12-16T07:40:20

-----------------------------------------
Patch: SUSE-2020-3810
Released: Tue Dec 15 13:46:53 2020
Summary: Recommended update for google-guest-agent, google-guest-oslogin
Severity: moderate
References: 1179031,1179032
Description:
This update for google-guest-agent, google-guest-oslogin fixes the following issues:

- Does now only attempt to connect to snapshot service once
- Added getpwnam, getpwuid, getgrnam, and getgrgid
- Does no longer require the python library of policycoreutils


-----------------------------------------
Version 1.0.4-Build1.9 2020-12-17T07:41:10

-----------------------------------------
Patch: SUSE-2020-3835
Released: Wed Dec 16 09:30:30 2020
Summary: Optional update for systemd-rpm-macros
Severity: low
References: 1059627,1178481,1179020
Description:
This update for systemd-rpm-macros fixes the following issues:

Many changes have been applied with this update. The ones outlined below are the most important ones. Please
refer to the systemd-rpm-macros.rpm changelog for a full list of all changes.

- Move macros.systemd from /etc to /usr
  macros.systemd has never meant to be modified and treated like a
  configuration file. Hence let's move it to /usr and don't tag it
  with %config. In the very unlikely case it's been modified, it will
  be backed up with .rpmsave extension but no more read by rpmbuild.
- Added missing macro %_userpresetdir
  Escape '--user' and '--global' arguments with '\\' since rpm treats
  arguments starting with '-' as macro options which causes 'Unknown
  option' rpm error.
  Use %{expand:...} to force expansion of the inner macro. Otherwise %{?*}
  is recursively defined as '\--user \--global {%?*}' which causes
  'Too many levels of recursion in macro expansion' rpm error.
- Deprecate '-f'/'-n' options
  When used with %service_del_preun, support for these options will be
  dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the
  next version of SLE (jsc#SLE-8968)
  When used with %service_del_postun, they should be replaced with
  their counterpart
  %service_del_postun_with_restart/%service_del_postun_without_restart
- Backport %service_del_postun_with_restart()
  It's the counterpart of %service_del_postun_without_restart() and
  replaces the '-f' option of %service_del_postun().
- Backport %systemd_ordering
  This macro is already available in later distros and should ease
  backports of packages, which rely on it.
- Dont apply presets when migrating from a disabled initscript (bsc#1178481)


-----------------------------------------
Version 1.0.4-Build1.12 2020-12-19T07:40:12

-----------------------------------------
Patch: SUSE-2020-3876
Released: Fri Dec 18 16:45:25 2020
Summary: Security update for curl
Severity: moderate
References: 1179398,1179399,CVE-2020-8284,CVE-2020-8285
Description:
This update for curl fixes the following issue:

- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
- CVE-2020-8284: Adjust trusting FTP PASV responses (bsc#1179398).


-----------------------------------------
Version 1.0.4-Build1.16 2020-12-23T07:41:30

-----------------------------------------
Patch: SUSE-2020-3926
Released: Tue Dec 22 18:24:26 2020
Summary: Recommended update for makedumpfile
Severity: moderate
References: 1014136,1068694,1116830,1162279
Description:
This update for makedumpfile fixes the following issues:

- Fixed an issue when kdump is not able to create kernel dump with 'xen hypervisor'. (bsc#1014136, bsc#1068694, bsc#1162279)
- Fix 'vaddr_to_paddr_x86_64' under 'xen'. (bsc#1116830)
- Remove a hunk that breaks 'xen' dumps. (bsc#1116830)


-----------------------------------------
Version 1.0.4-Build1.18 2020-12-29T07:40:13

-----------------------------------------
Patch: SUSE-2020-3938
Released: Mon Dec 28 14:28:50 2020
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,CVE-2020-15257
Description:
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).

Non-security issues fixed:

- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1180243

- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  bsc#1176708

- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14

- Enable fish-completion

- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)

- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.

- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurrious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.

- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243

- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)


-----------------------------------------
Patch: SUSE-2020-3939
Released: Mon Dec 28 14:29:41 2020
Summary: Security update for cyrus-sasl
Severity: important
References: 1159635,CVE-2019-19906
Description:
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).	  


-----------------------------------------
Version 1.0.4-Build1.22 2021-01-05T07:40:55

-----------------------------------------
Patch: SUSE-2021-17
Released: Mon Jan  4 14:46:36 2021
Summary: Security update for flac
Severity: moderate
References: 1180099,CVE-2020-0499
Description:
This update for flac fixes the following issues:

- CVE-2020-0499: Fixed an out-of-bounds access (bsc#1180099).


-----------------------------------------
Patch: SUSE-2021-20
Released: Tue Jan  5 07:14:12 2021
Summary: Recommended update for kdump
Severity: moderate
References: 1108255,1111207,1123940,1125218,1153601,1170336,1173914,1177196
Description:
This update for kdump fixes the following issues:

- Remove `console=hvc0` from command line. (bsc#1173914)
- Set serial console from Xen command line. (bsc#1173914)
- Remove `noefi` and `acpi_rsdp` for `EFI` firmware. (bsc#1123940, bsc#1170336)
- Add `skip_balance` option to `BTRFS` mounts. (bsc#1108255)
- Do not add `rd.neednet=1` to `dracut` command line. (bsc#1177196)


-----------------------------------------
Version 1.0.5-Build1.1 2021-01-06T07:37:48

-----------------------------------------
Patch: SUSE-2020-3607
Released: Tue Dec 15 13:41:58 2020
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1159460,1178486
Description:
This update for cloud-netconfig contains the following fix:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486, jsc#ECO-2800)
  + Improve default gateway determination


-----------------------------------------
Patch: SUSE-2021-22
Released: Tue Jan  5 10:21:52 2021
Summary: Security update for openssh
Severity: moderate
References: 1173513,CVE-2020-14145
Description:
This update for openssh fixes the following issues:

- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).	  


-----------------------------------------
Patch: SUSE-2021-26
Released: Tue Jan  5 14:18:00 2021
Summary: Recommended update for libxml2
Severity: moderate
References: 1178823
Description:
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.


-----------------------------------------
Version 1.0.5-Build1.4 2021-01-13T07:42:42

-----------------------------------------
Patch: SUSE-2021-77
Released: Tue Jan 12 10:25:40 2021
Summary: Recommended update for SUSEConnect
Severity: low
References: 
Description:
This update for SUSEConnect fixes the following issue:

Update to version 0.3.29

- Replace the Ruby path with the native one during build phase.


-----------------------------------------
Version 1.0.5-Build1.6 2021-01-15T11:43:25

-----------------------------------------
Patch: SUSE-2021-128
Released: Thu Jan 14 11:01:24 2021
Summary: Security update for openldap2
Severity: moderate
References: 1178909,CVE-2020-25709,CVE-2020-25710
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).


-----------------------------------------
Version 1.0.5-Build1.7 2021-01-15T14:07:07

-----------------------------------------
Patch: SUSE-2021-136
Released: Fri Jan 15 10:33:38 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.


-----------------------------------------
Patch: SUSE-2021-142
Released: Fri Jan 15 13:02:00 2021
Summary: Security update for openldap2
Severity: moderate
References: 1178909,CVE-2020-25709,CVE-2020-25710
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).


-----------------------------------------
Version 1.0.5-Build1.9 2021-01-16T07:40:32

-----------------------------------------
Patch: SUSE-2021-146
Released: Fri Jan 15 16:59:48 2021
Summary: Recommended update for pam-modules
Severity: low
References: 1070595
Description:

This update for pam-modules provides the following fix:

- Fix the fail delay when entering wrong password. (bsc#1070595)


-----------------------------------------
Patch: SUSE-2021-148
Released: Fri Jan 15 17:00:15 2021
Summary: Recommended update for cloud-init, python-pyserial
Severity: important
References: 1174443,1174444,1177526,1178029,1179150,1179151,1180176
Description:
This update for cloud-init, python-pyserial contains the following fixes:

Update from python-pyserial:

- Setup single spec build (jsc#PM-2335)

Update from cloud-init from 19.4 to 20.2:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations
    error to make gateway comparison between subnet configuration and
    route configuration valuable rather than self-comparing.

- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some test for mock version compatibility

- Add wget as a requirement (bsc#1178029)
  + wget is used in the CloudStack data source

- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)
  + Properly set the password for the default user in all circumstances

- Patch the full package version into the cloud-init version file

- Update cloud-init-write-routes.patch (bsc#1177526)
  + Fix missing default route when dual stack network setup is used. Once
    a default route was configured for Ipv6 or IPv4 the default route
    configuration for the othre protocol was skipped.

- Update cloud-init-write-routes.patch (bsc#1177526)
  + Avoid exception if no gateway information is present and warning
    is triggered for existing routing.

- Update to version 20.2 (bsc#1174443, bsc#1174444)
  + Remove patches included upstream:
    - 0001-Make-tests-work-with-Python-3.8-139.patch
    - cloud-init-ostack-metadat-dencode.patch
    - cloud-init-use-different-random-src.diff
    - cloud-init-long-pass.patch
    - cloud-init-mix-static-dhcp.patch
    + Remove patches build switched to Python 3 for all distributions. (jsc#PM-2335)
    - cloud-init-python2-sigpipe.patch
    - cloud-init-template-py2.patch
  + Add
    - cloud-init-after-kvp.diff
    - cloud-init-recognize-hpc.patch
  + doc/format: reference make-mime.py instead of an inline script (#334)
  + Add docs about  creating parent folders (#330) [Adrian Wilkins]
  + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)
  + schema: ignore spurious pylint error (#332)
  + schema: add json schema for write_files module (#152)
  + BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder]
  + nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder]
  + cloudinit: drop dependencies on unittest2 and contextlib2 (#322)
  + distros: handle a potential mirror filtering error case (#328)
  + log: remove unnecessary import fallback logic (#327)
  + .travis.yml: don't run integration test on ubuntu/* branches (#321)
  + More unit test documentation (#314)
  + conftest: introduce disable_subp_usage autouse fixture (#304)
  + YAML align indent sizes for docs readability  (#323) [Tak Nishigori]
  + network_state: add missing space to log message (#325)
  + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)
  + test_mounts: expand happy path test for both happy paths (#319)
  + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)
  + swap file 'size' being used before checked if str (#315) [Eduardo Otubo]
  + HACKING.rst: add pytest version gotchas section (#311)
  + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]
  + readme: OpenBSD is now supported (#309) [Goneri Le Bouder]
  + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)
  + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)
  + openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder]
  + tools/.github-cla-signers: add beezly as CLA signer (#301)
  + util: remove unnecessary lru_cache import fallback (#299)
  + HACKING.rst: reorganise/update CLA signature info (#297)
  + distros: drop leading/trailing hyphens from mirror URL labels (#296)
  + HACKING.rst: add note about variable annotations (#295)
  + CiTestCase: stop using and remove sys_exit helper (#283)
  + distros: replace invalid characters in mirror URLs with hyphens (#291)
    (LP: #1868232)
  + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]
  + Fix cloud-init ignoring some misdeclared mimetypes in user-data.
    [Kurt Garloff]
  + net: ubuntu focal prioritize netplan over eni even if both present
    (#267) (LP: #1867029)
  + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)
  + net/cmdline: replace type comments with annotations (#294)
  + HACKING.rst: add Type Annotations design section (#293)
  + net: introduce is_ip_address function (#288)
  + CiTestCase: remove now-unneeded parse_and_read helper method (#286)
  + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)
  + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)
  + setup.py: drop NIH check_output implementation (#282)
  + Identify SAP Converged Cloud as OpenStack [Silvio Knizek]
  + add Openbsd support (#147) [Goneri Le Bouder]
  + HACKING.rst: add examples of the two test class types (#278)
  + VMWware: support to update guest info gc status if enabled (#261)
    [xiaofengw-vmware]
  + Add lp-to-git mapping for kgarloff (#279)
  + set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder]
  + HACKING.rst: add Unit Testing design section (#277)
  + util: read_cc_from_cmdline handle urlencoded yaml content (#275)
  + distros/tests/test_init: add tests for _get_package_mirror_info (#272)
  + HACKING.rst: add links to new Code Review Process doc (#276)
  + freebsd: ensure package update works (#273) [Goneri Le Bouder]
  + doc: introduce Code Review Process documentation (#160)
  + tools: use python3 (#274)
  + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)
  + cc_apt_configure/util: combine search_for_mirror implementations (#271)
  + bsd: boottime does not depend on the libc soname (#269)
    [Goneri Le Bouder]
  + test_oracle,DataSourceOracle: sort imports (#266)
  + DataSourceOracle: update .network_config docstring (#257)
  + cloudinit/tests: remove unneeded with_logs configuration (#263)
  + .travis.yml: drop stale comment (#255)
  + .gitignore: add more common directories (#258)
  + ec2: render network on all NICs and add secondary IPs as static (#114)
    (LP: #1866930)
  + ec2 json validation: fix the reference to the 'merged_cfg' key (#256)
    [Paride Legovini]
  + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]
  + cloudinit: remove six from packaging/tooling (#253)
  + util/netbsd: drop six usage (#252)
  + workflows: introduce stale pull request workflow (#125)
  + cc_resolv_conf: introduce tests and stabilise output across Python
    versions (#251)
  + fix minor issue with resolv_conf template (#144) [andreaf74]
  + doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder]
  + Add Netbsd support (#62) [Goneri Le Bouder]
  + tox.ini: avoid substition syntax that causes a traceback on xenial (#245)
  + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]
  + Introduce and use of a list of GitHub usernames that have signed CLA
    (#244)
  + workflows/cla.yml: use correct username for CLA check (#243)
  + tox.ini: use xenial version of jsonpatch in CI (#242)
  + workflows: CLA validation altered to fail status on pull_request (#164)
  + tox.ini: bump pyflakes version to 2.1.1 (#239)
  + cloudinit: move to pytest for running tests (#211)
  + instance-data: add cloud-init merged_cfg and sys_info keys to json
    (#214) (LP: #1865969)
  + ec2: Do not fallback to IMDSv1 on EC2 (#216)
  + instance-data: write redacted cfg to instance-data.json (#233)
    (LP: #1865947)
  + net: support network-config:disabled on the kernel commandline (#232)
    (LP: #1862702)
  + ec2: only redact token request headers in logs, avoid altering request
    (#230) (LP: #1865882)
  + docs: typo fixed: dta → data [Alexey Vazhnov]
  + Fixes typo on Amazon Web Services (#217) [Nick Wales]
  + Fix docs for OpenStack DMI Asset Tag (#228)
    [Mark T. Voelker] (LP: #1669875)
  + Add physical network type: cascading to openstack helpers (#200)
    [sab-systems]
  + tests: add focal integration tests for ubuntu (#225)
- From 20.1 (first vesrion after 19.4)
  + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
    (LP: #1863943)
  + utils: use SystemRandom when generating random password. (#204)
    [Dimitri John Ledkov]
  + docs: mount_default_files is a list of 6 items, not 7 (#212)
  + azurecloud: fix issues with instances not starting (#205) (LP: #1861921)
  + unittest: fix stderr leak in cc_set_password random unittest
    output. (#208)
  + cc_disk_setup: add swap filesystem force flag (#207)
  + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]
  + docs: fix typo (#195) [Edwin Kofler]
  + sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
    [Robert Schweikert] (LP: #1800854)
  + cloudinit: replace 'from six import X' imports (except in util.py) (#183)
  + run-container: use 'test -n' instead of 'test ! -z' (#202)
    [Paride Legovini]
  + net/cmdline: correctly handle static ip= config (#201)
    [Dimitri John Ledkov] (LP: #1861412)
  + Replace mock library with unittest.mock (#186)
  + HACKING.rst: update CLA link (#199)
  + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
    [Louis Bouchard]
  + cloudinit/cmd/devel/net_convert.py: add missing space (#191)
  + tools/run-container: drop support for python2 (#192) [Paride Legovini]
  + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
  + Make the RPM build use Python 3 (#190) [Paride Legovini]
  + cc_set_password: increase random pwlength from 9 to 20 (#189)
    (LP: #1860795)
  + .travis.yml: use correct Python version for xenial tests (#185)
  + cloudinit: remove ImportError handling for mock imports (#182)
  + Do not use fallocate in swap file creation on xfs. (#70)
    [Eduardo Otubo] (LP: #1781781)
  + .readthedocs.yaml: install cloud-init when building docs (#181)
    (LP: #1860450)
  + Introduce an RTD config file, and pin the Sphinx version to the RTD
    default (#180)
  + Drop most of the remaining use of six (#179)
  + Start removing dependency on six (#178)
  + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
  + docs: add proposed SRU testing procedure (#167)
  + util: rename get_architecture to get_dpkg_architecture (#173)
  + Ensure util.get_architecture() runs only once (#172)
  + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]
  + freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder]
  + ssh_auth_key_fingerprints_disable test: fix capitalization (#165)
    [Paride Legovini]
  + util: move uptime's else branch into its own boottime function (#53)
    [Igor Galić] (LP: #1853160)
  + workflows: add contributor license agreement checker (#155)
  + net: fix rendering of 'static6' in network config (#77) (LP: #1850988)
  + Make tests work with Python 3.8 (#139) [Conrad Hoffmann]
  + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]
  + freebsd: fix create_group() cmd (#146) [Goneri Le Bouder]
  + doc: make apt_update example consistent (#154)
  + doc: add modules page toc with links (#153) (LP: #1852456)
  + Add support for the amazon variant in cloud.cfg.tmpl (#119)
    [Frederick Lefebvre]
  + ci: remove Python 2.7 from CI runs (#137)
  + modules: drop cc_snap_config config module (#134)
  + migrate-lp-user-to-github: ensure Launchpad repo exists (#136)
  + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]
  + doc: update cc_set_hostname frequency and descrip (#109)
    [Joshua Powers] (LP: #1827021)
  + freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder]
  + cc_snappy: remove deprecated module (#127)
  + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)
  + freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder]
  + cloud-init: fix capitalisation of SSH (#126)
  + doc: update cc_ssh clarify host and auth keys
    [Joshua Powers] (LP: #1827021)
  + ci: emit names of tests run in Travis (#120)
- Disable testing to aid elimination of unittest2 in Factory
  

-----------------------------------------
Patch: SUSE-2021-149
Released: Fri Jan 15 17:00:30 2021
Summary: Recommended update for java-1_6_0-ibm
Severity: low
References: 1057460
Description:
This update for java-1_6_0-ibm provides the following fix:

- Make it possible to run Java jnlp files from Firefox. (bsc#1057460)


-----------------------------------------
Version 1.0.5-Build1.12 2021-01-23T09:27:52

-----------------------------------------
Patch: SUSE-2021-161
Released: Mon Jan 18 20:03:25 2021
Summary: Recommended update for libnl3
Severity: low
References: 1025043
Description:
This update for libnl3 fixes the following issues:

- IPv6 privacy extension of NetworkManager was not working. (bsc#1025043)


-----------------------------------------
Version 1.0.5-Build1.15 2021-01-27T07:39:55

-----------------------------------------
Patch: SUSE-2021-219
Released: Tue Jan 26 12:21:31 2021
Summary: Recommended update for logrotate
Severity: moderate
References: 1179189
Description:
This update for logrotate fixes the following issues:

- Fix for an issue when the service failed to start due to false alarm when using 'su' and compress. (bsc#1179189)


-----------------------------------------
Patch: SUSE-2021-226
Released: Tue Jan 26 19:20:53 2021
Summary: Security update for sudo
Severity: important
References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
Description:
This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges 
  [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
  CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]


-----------------------------------------
Version 1.0.5-Build1.22 2021-02-03T07:40:18

-----------------------------------------
Patch: SUSE-2021-279
Released: Tue Feb  2 09:43:53 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.


-----------------------------------------
Patch: SUSE-2021-286
Released: Tue Feb  2 13:09:24 2021
Summary: Security update for cups
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001
Description:
This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).


-----------------------------------------
Version 1.0.5-Build1.24 2021-02-04T07:39:31

-----------------------------------------
Patch: SUSE-2021-299
Released: Wed Feb  3 19:51:49 2021
Summary: Security update for python-urllib3
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python-urllib3 fixes the following issues:

- Raise ValueError if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,).


-----------------------------------------
Version 1.0.5-Build1.26 2021-02-09T07:40:23

-----------------------------------------
Patch: SUSE-2021-344
Released: Mon Feb  8 17:41:37 2021
Summary: Security update for python3
Severity: important
References: 1176262,1180686,CVE-2019-20916
Description:
This update for python3 fixes the following issues:

- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).