-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.7 2020-06-16T17:34:37

-----------------------------------------
Patch: SUSE-2014-85
Released: Tue Nov  4 16:29:29 2014
Summary: Recommended update for dirmngr
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

-----------------------------------------
Patch: SUSE-2014-71
Released: Tue Nov  4 16:58:36 2014
Summary: Recommended update for aws-cli
Severity: moderate
References: 902598,902648
Description:
This collective update for the SUSE Linux Enterprise 12 Public Cloud module provides the following enhancements:

- Amazon Web Services Command Line Interface (aws-cli) has been updated to version 1.5.3.
- Amazon Web Services Library (python-boto) has been updated to version 2.34.0.
- Python interface for AWS (python-botocore) has been updated to version 0.67.0.
- Python's jmespath module has been updated to version 0.4.1.
- The latest Amazon Cloud region (eu-central-1) is now supported through the command line interface.

For a comprehensive list of fixes and enhancements, refer to the package's change log.

-----------------------------------------
Patch: SUSE-2014-76
Released: Wed Nov  5 16:41:10 2014
Summary: Security update for wget
Severity: moderate
References: 902709,CVE-2014-4877
Description:
wget was updated to fix one security issue.
	  
This security issue was fixed:
- FTP symlink arbitrary filesystem access (CVE-2014-4877).


-----------------------------------------
Patch: SUSE-2014-66
Released: Thu Nov  6 06:23:15 2014
Summary: Recommended update for gcc48
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg.


-----------------------------------------
Patch: SUSE-2014-95
Released: Mon Nov 24 13:25:49 2014
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 901223,901239,904889,CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6456,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6476,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6527,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Description:
java-1_7_1-ibm was updated to version 1.7.1_sr1.2 to fix 21 security issues.

These security issues were fixed:
- Unspecified vulnerability in Oracle Java (CVE-2014-3065).
- The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
  other products, uses nondeterministic CBC padding, which makes it easier for
  man-in-the-middle attackers to obtain cleartext data via a padding-oracle
  attack, aka the 'POODLE' issue (CVE-2014-3566).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality, integrity, and availability via vectors related to AWT (CVE-2014-6513).
- Unspecified vulnerability in Oracle Java SE 7u67 and 8u20
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors (CVE-2014-6456).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532 (CVE-2014-6503).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503 (CVE-2014-6532).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-4288).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment, a different
  vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532 (CVE-2014-6493).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, when running on Firefox, allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Deployment (CVE-2014-6492).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows local users to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment (CVE-2014-6458).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20, when running on Internet Explorer, allows local users to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Deployment (CVE-2014-6466).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Libraries (CVE-2014-6506).
- Unspecified vulnerability in Oracle Java SE 7u67 and 8u20
  allows remote attackers to affect integrity via unknown vectors related to
  Deployment, a different vulnerability than CVE-2014-6527 (CVE-2014-6476).
- Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and
  8u20 allows remote attackers to affect integrity via unknown vectors related
  to Deployment (CVE-2014-6515).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20 allows remote attackers to affect confidentiality via unknown
  vectors related to 2D (CVE-2014-6511).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality via unknown vectors related to Libraries (CVE-2014-6531).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows
  remote attackers to affect integrity via unknown vectors related to Libraries
  (CVE-2014-6512).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3
  allows remote attackers to affect confidentiality and integrity via vectors
  related to JSSE (CVE-2014-6457).
- Unspecified vulnerability in Oracle Java SE 7u67 and 8u20
  allows remote attackers to affect integrity via unknown vectors related to
  Deployment, a different vulnerability than CVE-2014-6476 (CVE-2014-6527).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect
  integrity via unknown vectors related to Libraries (CVE-2014-6502).
- Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81,
  7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit
  R28.3.3 allows remote attackers to affect integrity via unknown vectors related
  to Security (CVE-2014-6558).


-----------------------------------------
Patch: SUSE-2014-97
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in elf note headers (CVE-2014-3710).

This non-security issues was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
  

-----------------------------------------
Patch: SUSE-2014-123
Released: Mon Dec  1 18:03:36 2014
Summary: Recommended update for libXi
Severity: moderate
References: 883553
Description:
This update for libXi fixes a double unlock issue when connecting to an X server with XInputExtension version lower than 2.0. This could result, for example, in a segmentation fault when starting YaST over an ssh connection from SUSE Linux Enterprise 11.

-----------------------------------------
Patch: SUSE-2014-83
Released: Mon Dec  1 19:46:53 2014
Summary: Security update for compat-openssl098
Severity: moderate
References: 901223,901277,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568
Description:
compat-openssl098 was updated to fix three security issues.
	  
NOTE: this update alone DOESN'T FIX the POODLE SSL protocol vulnerability.
OpenSSL only adds downgrade detection support for client applications.
See https://www.suse.com/support/kb/doc.php?id=7015773 for mitigations.

These security issues were fixed:
- Session ticket memory leak (CVE-2014-3567).
- Fixed build option no-ssl3 (CVE-2014-3568).
- Added support for TLS_FALLBACK_SCSV (CVE-2014-3566).


-----------------------------------------
Patch: SUSE-2014-113
Released: Tue Dec  2 18:17:57 2014
Summary: Security update for cpio
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:

This cpio security update fixes the following buffer overflow issue and
two non security issues:

- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt


-----------------------------------------
Patch: SUSE-2015-4
Released: Wed Dec  3 15:57:25 2014
Summary: Security update for libyaml
Severity: moderate
References: 907809,CVE-2014-9130
Description:

This libyaml update fixes the following security issue:

- bnc#907809: assert failure when processing wrapped strings
  (CVE-2014-9130)


-----------------------------------------
Patch: SUSE-2015-15
Released: Thu Dec  4 15:24:10 2014
Summary: Security update for libjpeg-turbo, libjpeg62-turbo
Severity: moderate
References: 906761,CVE-2014-9092
Description:
libjpeg-turbo, libjpeg62-turbo were updated to fix one security issue.

This security issue was fixed:
- Passing special crafted jpeg file smashes stack (CVE-2014-9092).
  

-----------------------------------------
Patch: SUSE-2015-3
Released: Fri Dec  5 15:49:30 2014
Summary: Security update for mutt
Severity: important
References: 899712,907453,CVE-2014-9116
Description:
mutt was updated to fix one security issue.

This security issue was fixed:
- Heap-based buffer overflow in mutt_substrdup() (CVE-2014-9116).

This non-security issue was fixed:
- Handle text/html by default (bnc#899712)
  

-----------------------------------------
Patch: SUSE-2014-116
Released: Sat Dec  6 16:21:37 2014
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 855389,896254,898428,900498,901058,901958,908152
Description:
This collective update for SUSE Manager Client Tools provides the following fixes and enhancements:

cobbler:

- Fix port guessing in koan. (bsc#855389)
- Add 'copy-default' option to grubby-compat. (bsc#855389)
- Handle elilo in SUSE. (bsc#855389)
- Fix wrong option 'text' in SUSE environment. (bsc#901058)

osad:

- Removed PyXML dependency for RHEL systems.
- Fix osad through unauthenticated proxy case.
- Enable and install osad during first installation. (bsc#901958)

rhncfg:

- Fix compare configuration files by checking permissions on the correct file. (bsc#900498)
- Fix error in rhncfg if SELinux is disabled.
- Validate the content of configuration files before deploying.

spacewalk-backend-libs:

- Fix traceback when pushing rpms with archive size greater than 4GB.
- Adding handling for new rpm header information.

spacewalk-client-tools:

- Disable sgmlop import in rhn_check.

spacewalk-koan:

- Make spacewalk-koan work with newer cobbler/koan version. (bsc#908152)

spacewalk-oscap:

- Avoid creating profile with empty id.

spacewalk-remote-utils:

- Add channel definitions for RHEL 6.6.
- Compose format has slightly changed for RHEL 6.6.
- Add channel definitions for RHEL 5.11.

suseRegisterInfo:

- Re-add legacy suse_register_info to successfully perform the update. (bsc#898428)

zypp-plugin-spacewalk:

- Check for retrieveOnly option in up2date configuration and set download_only. (bsc#896254)


-----------------------------------------
Patch: SUSE-2014-81
Released: Sat Dec  6 17:14:40 2014
Summary: Security update for MozillaFirefox and mozilla-nss
Severity: important
References: 897890,900941,908009,CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586,CVE-2014-1587,CVE-2014-1588,CVE-2014-1590,CVE-2014-1592,CVE-2014-1593,CVE-2014-1594,CVE-2014-1595
Description:

Mozilla Firefox was updated to 31.3.0 ESR (bnc#900941) (bnc#908009).

Security issues fixed:
MFSA 2014-83 / CVE-2014-1588 / CVE-2014-1587: Mozilla developers and
community identified and fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

MFSA 2014-85 / CVE-2014-1590: Security researcher Joe Vennix from Rapid7
reported that passing a JavaScript object to XMLHttpRequest that mimics
an input stream will a crash. This crash is not exploitable and can only
be used for denial of service attacks.

MFSA 2014-87 / CVE-2014-1592: Security researcher Berend-Jan Wever
reported a use-after-free created by triggering the creation of a
second root element while parsing HTML written to a document created
with document.open(). This leads to a potentially exploitable crash.

MFSA 2014-88 / CVE-2014-1593: Security researcher Abhishek Arya (Inferno)
of the Google Chrome Security Team used the Address Sanitizer tool to
discover a buffer overflow during the parsing of media content. This
leads to a potentially exploitable crash.

MFSA 2014-89 / CVE-2014-1594: Security researchers Byoungyoung Lee,
Chengyu Song, and Taesoo Kim at the Georgia Tech Information Security
Center (GTISC) reported a bad casting from the BasicThebesLayer to
BasicContainerLayer, resulting in undefined behavior. This behavior is
potentially exploitable with some compilers but no clear mechanism to
trigger it through web content was identified.

MFSA 2014-90 / CVE-2014-1595: Security researcher Kent Howard reported an
Apple issue present in OS X 10.10 (Yosemite) where log files are created
by the CoreGraphics framework of OS X in the /tmp local directory. These
log files contain a record of all inputs into Mozilla programs during
their operation. In versions of OS X from versions 10.6 through 10.9,
the CoreGraphics had this logging ability but it was turned off by
default. In OS X 10.10, this logging was turned on by default for some
applications that use a custom memory allocator, such as jemalloc,
because of an initialization bug in the framework. This issue has been
addressed in Mozilla products by explicitly turning off the framework's
logging of input events. On vulnerable systems, this issue can result
in private data such as usernames, passwords, and other inputed data
being saved to a log file on the local system.

MFSA 2014-74 / CVE-2014-1574 / CVE-2014-1575:
Mozilla developers and community identified and fixed several memory
safety bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Bobby Holley, Christian Holler, David Bolter, Byron Campen, and Jon
Coppeard reported memory safety problems and crashes that affect Firefox
ESR 31.1 and Firefox 32.

Carsten Book, Christian Holler, Martijn Wargers, Shih-Chiang Chien,
Terrence Cole, Eric Rahm , and Jeff Walden reported memory safety problems
and crashes that affect Firefox 32.

MFSA 2014-75 / CVE-2014-1576: Using the Address Sanitizer tool, security
researcher Atte Kettunen from OUSPG discovered a buffer overflow when
making capitalization style changes during CSS parsing. This can cause
a crash that is potentially exploitable.

MFSA 2014-76 / CVE-2014-1577: Security researcher Holger Fuhrmannek
used the used the Address Sanitizer tool to discover an out-of-bounds
read issue with Web Audio when interacting with custom waveforms with
invalid values. This results in a crash and could allow for the reading
of random memory which may contain sensitive data, or of memory addresses
that could be used in combination with another bug.

MFSA 2014-77 / CVE-2014-1578: Using the Address Sanitizer tool, security
researcher Abhishek Arya (Inferno) of the Google Chrome Security Team
found an out-of-bounds write when buffering WebM format video containing
frames with invalid tile sizes. This can lead to a potentially exploitable
crash during WebM video playback.

MFSA 2014-79 / CVE-2014-1581: Security researcher regenrecht reported,
via TippingPoint's Zero Day Initiative, a use-after-free during text
layout when interacting with text direction. This results in a crash
which can lead to arbitrary code execution.

MFSA 2014-81 / CVE-2014-1585 / CVE-2014-1586: Mozilla developers Eric
Shepherd and Jan-Ivar Bruaroey reported issues with privacy and video
sharing using WebRTC. Once video sharing has started within a WebRTC
session running within an <iframe>, video will continue to be shared even
if the user selects the 'Stop Sharing' button in the controls. The
camera will also remain on even if the user navigates to another site and
will begin streaming again if the user returns to the original site. This
is a privacy problem and can lead to inadvertent video streaming. This
does not affect implementations that are not within an <iframe>.

MFSA 2014-82 / CVE-2014-1583: Mozilla developer Boris Zbarsky reported
that a malicious app could use the AlarmAPI to read the values of
cross-origin references, such as an iframe's location object, as part of
an alarm's JSON data. This allows a malicious app to bypass same-origin
policy.

SSLv3 is disabled by default. See README.POODLE for more
detailed information.

Mozilla NSS was updated to 3.17.2 (bnc#900941)
Bugfix release
  * bmo#1049435 - Importing an RSA private key fails if p < q
  * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
  * bmo#1078669 - certutil crashes when using the --certVersion
    parameter
- changes from earlier version of the 3.17 branch:
  update to 3.17.1 (bnc#897890)
  * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
    RSA Signature Forgery in NSS
  * Change library's signature algorithm default to SHA256
  * Add support for draft-ietf-tls-downgrade-scsv
  * Add clang-cl support to the NSS build system
  * Implement TLS 1.3:
    * Part 1. Negotiate TLS 1.3
    * Part 2. Remove deprecated cipher suites andcompression.
  * Add support for little-endian powerpc64
  update to 3.17
  * required for Firefox 33
  New functionality:
  * When using ECDHE, the TLS server code may be configured to
    generate a fresh ephemeral ECDH key for each handshake, by
    setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to
    PR_FALSE. The SSL_REUSE_SERVER_ECDHE_KEY option defaults to
    PR_TRUE, which means the server's ephemeral ECDH key is reused
    for multiple handshakes.  This option does not affect the TLS
    client code, which always generates a fresh ephemeral ECDH key
    for each handshake.
  New Macros
  * SSL_REUSE_SERVER_ECDHE_KEY
  Notable Changes:
  * The manual pages for the certutil and pp tools have been
    updated to document the new parameters that had been added in
    NSS 3.16.2.


-----------------------------------------
Patch: SUSE-2015-16
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:

- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)


-----------------------------------------
Patch: SUSE-2014-114
Released: Thu Dec 11 15:18:56 2014
Summary: Security update for mailx
Severity: moderate
References: 909208,CVE-2004-2771,CVE-2014-7844
Description:

This mailx update fixes the following security and non security issues:

- bsc#909208: shell command injection via crafted email addresses
  (CVE-2004-2771, CVE-2014-7844)
- Correct comment in spec file 

-----------------------------------------
Patch: SUSE-2014-122
Released: Mon Dec 15 14:25:41 2014
Summary: Security update for tcpdump
Severity: moderate
References: 905870,905871,905872,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769
Description:
This tcpdump update fixes the following security issues:

- fix CVE-2014-8767 (bnc#905870)
  * denial of service in verbose mode using malformed OLSR payload
- fix CVE-2014-8768 (bnc#905871)
  * denial of service in verbose mode using malformed Geonet payload
- fix CVE-2014-8769 (bnc#905872)
  * unreliable output using malformed AOVD payload


-----------------------------------------
Patch: SUSE-2015-34
Released: Fri Dec 19 15:16:12 2014
Summary: Security update for ruby2.1
Severity: moderate
References: 902851,905326,CVE-2014-8080,CVE-2014-8090
Description:
This ruby update fixes the following two security issues:

- bnc#902851: fix CVE-2014-8080: Denial Of Service XML Expansion
- bnc#905326: fix CVE-2014-8090: Another Denial Of Service XML Expansion
- Enable tests to run during the build. This way we can compare
  the results on different builds.


-----------------------------------------
Patch: SUSE-2015-5
Released: Fri Dec 19 19:56:21 2014
Summary: Security update for jasper
Severity: moderate
References: 906364,909474,909475,CVE-2014-8137,CVE-2014-9029
Description:
This libjasper update fixes the following three security issues:

- bnc#906364: heap overflows in libjasper (CVE-2014-9029)
- bnc#909474: double-free in jas_iccattrval_destroy() (CVE-2014-8137)
- bnc#909475: heap overflow in jas_decode() (CVE-2014-8138)


-----------------------------------------
Patch: SUSE-2014-126
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:

- bsc#910252: multiple denial of service issues (resource consumption)
              (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption)
              (CVE-2014-8117)


-----------------------------------------
Patch: SUSE-2015-22
Released: Mon Dec 22 20:12:03 2014
Summary: Recommended update for perl-Net-DNS
Severity: low
References: 904041
Description:
This update for perl-Net-DNS fixes handling of TSIG algorithms, no longer removing dots and dashes from their names.

-----------------------------------------
Patch: SUSE-2015-12
Released: Wed Jan  7 11:24:10 2015
Summary: Security update for unzip
Severity: moderate
References: 909214,CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Description:

  This update fixes the following security issues:

- CVE-2014-8139: fix heap overflow condition in
  the CRC32 verification (fixes bnc#909214)
- CVE-2014-8140 and CVE-2014-8141: fix write error
  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
  read errors (*_6430_*, *_3422_*) show problems in
  process.c:getZip64Data() (fixes bnc#909214)



-----------------------------------------
Patch: SUSE-2015-99
Released: Wed Jan  7 19:36:45 2015
Summary: Recommended update for supportutils
Severity: low
References: 900366,904481,904729
Description:
This update for supportutils provides the following fixes and enhancements:

- Fixed NTP service in ntp.txt. (bnc#904729)
- Create a new lxc.txt file to include information about virtual containers using lxc and/or libvirt-lxc. (bnc#904481)
- Include /var/log/libvirt/libxl logs in xen.txt. (bnc#900366)

-----------------------------------------
Patch: SUSE-2015-53
Released: Tue Jan 13 12:24:12 2015
Summary: Security update for mpfr
Severity: moderate
References: 911812,CVE-2014-9474
Description:

      This update fixes the following security issue: 
      - CVE-2014-9474: possible buffer overflow in mpfr_strtofr (bnc#911812)


-----------------------------------------
Patch: SUSE-2015-33
Released: Wed Jan 14 10:47:09 2015
Summary: Security update for libpng16
Severity: important
References: 912076,912929,CVE-2014-9495,CVE-2015-0973
Description:

  This update fixes the following security issues:

  * CVE-2014-9495: libpng versions heap overflow vulnerability, that under certain circumstances could be exploit. [bnc#912076]

  * CVE-2015-0973: A heap-based overflow was found in the png_combine_row() function of the libpng library, when very large interlaced images were used.[bnc#912929]



-----------------------------------------
Patch: SUSE-2015-50
Released: Thu Jan 15 16:33:18 2015
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 888534
Description:

The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024 bit certificates were temporarily reenabled/readded,
as openssl and gnutls have a different handling of intermediates than
mozilla nss and would otherwise not recognize SSL certificates from commonly used
sites like Amazon.

Updated to 2.2 (bnc#888534)
- The following CAs were added:
  + COMODO_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R4
    codeSigning emailProtection serverAuth
  + GlobalSign_ECC_Root_CA_-_R5
    codeSigning emailProtection serverAuth
  + USERTrust_ECC_Certification_Authority
    codeSigning emailProtection serverAuth
  + USERTrust_RSA_Certification_Authority
    codeSigning emailProtection serverAuth
  + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
- The following CAs were changed:
  + Equifax_Secure_eBusiness_CA_1
    remote code signing and https trust, leave email trust
  + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
    only trust emailProtection
- Updated to 2.1 (bnc#888534)
- The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
  - TDC Internet Root CA
- The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
- The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Temporary reenable some root ca trusts, as openssl/gnutls
have trouble using intermediates as root CA.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2


-----------------------------------------
Patch: SUSE-2015-40
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:

- bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode 
- bnc#911228: Fix noglob patch, it broke files with space.

-----------------------------------------
Patch: SUSE-2015-26
Released: Fri Jan 16 18:54:45 2015
Summary: Security update for MozillaFirefox
Severity: important
References: 909563,910647,910669,CVE-2014-1569,CVE-2014-8634,CVE-2014-8635,CVE-2014-8638,CVE-2014-8639,CVE-2014-8641
Description:

This update fixes the following security issues in MozillaFirefox:
- MFSA 2015-01/CVE-2014-8634/CVE-2014-8635
   (bmo#1109889, bmo#1111737, bmo#1026774, bmo#1027300,
     bmo#1054538, bmo#1067473, bmo#1070962, bmo#1072130,
     bmo#1072871, bmo#1098583)
    Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
- MFSA 2015-03/CVE-2014-8638
   (bmo#1080987)
   sendBeacon requests lack an Origin header
- MFSA 2015-04/CVE-2014-8639
  (bmo#1095859)
  Cookie injection through Proxy Authenticate responses
- MFSA 2015-06/CVE-2014-8641
  (bmo#1108455)
  Read-after-free in WebRTC

Also Mozilla NSS was updated to 3.17.3 to fix:
* The QuickDER decoder now decodes lengths robustly
  (bmo#1064670/CVE-2014-1569)
* Support for TLS_FALLBACK_SCSV has been added to the ssltap
  and tstclnt utilities
* Changes in CA certificates


-----------------------------------------
Patch: SUSE-2015-44
Released: Tue Jan 20 00:18:26 2015
Summary: Security update for binutils
Severity: moderate
References: 902676,902677,903655,905735,905736,CVE-2014-8484,CVE-2014-8485,CVE-2014-8501,CVE-2014-8502,CVE-2014-8503,CVE-2014-8504,CVE-2014-8737,CVE-2014-8738
Description:
This binutils update fixes the following security issues:

- bnc#902676: lack of range checking leading to controlled write in 
  _bfd_elf_setup_sections() (CVE-2014-8485)
- bnc#902677: invalid read flaw in libbfd (CVE-2014-8484)
- bnc#903655: Multiple memory corruption issues in binary parsers of 
  libbfd (CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504)
- bnc#905735: Out-of-bounds memory write while processing a crafted 'ar'
  archive (CVE-2014-8738)
- bnc#905736: Directory traversal vulnerability allowing random file 
  deletion/creation (CVE-2014-8737)


-----------------------------------------
Patch: SUSE-2015-68
Released: Sat Jan 24 12:18:22 2015
Summary: Security update for xdg-utils
Severity: moderate
References: 906625,913676,CVE-2014-9622
Description:

This update of xdg-utils fixes a command injection security problem (CVE-2014-9622, bsc#913676)
and a bug when opening files where multiple mime handlers existed (bsc#906625).


-----------------------------------------
Patch: SUSE-2015-92
Released: Fri Jan 30 14:51:02 2015
Summary: Security update for unzip
Severity: moderate
References: 914442,CVE-2014-9636
Description:
unzip was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read/write in test_compr_eb() in extract.c (CVE-2014-9636).
  

-----------------------------------------
Patch: SUSE-2015-76
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
  

-----------------------------------------
Patch: SUSE-2015-73
Released: Mon Feb  2 11:53:55 2015
Summary: Security update for jasper
Severity: moderate
References: 911837,CVE-2014-8157,CVE-2014-8158
Description:
jasper was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8157: Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow (bnc#911837).
CVE-2014-8158: Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allowed remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image (bnc#911837).
  

-----------------------------------------
Patch: SUSE-2015-121
Released: Tue Feb  3 16:30:16 2015
Summary: Recommended update for pam
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.

-----------------------------------------
Patch: SUSE-2015-78
Released: Wed Feb  4 13:46:43 2015
Summary: Security update for compat-openssl098
Severity: moderate
References: 892403,912014,912015,912018,912293,912294,912296,CVE-2014-0224,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205
Description:

The openssl 0.9.8j compatibility package was updated to fix several security vulnerabilities:

CVE-2014-3570: Bignum squaring (BN_sqr) may produce incorrect results
on some platforms, including x86_64.

CVE-2014-3571: Fix crash in dtls1_get_record whilst in the listen state where
you get two separate reads performed - one for the header and
one for the body of the handshake record.

CVE-2014-3572: Do not accept a handshake using an ephemeral ECDH ciphersuites
with the server key exchange message omitted.

CVE-2014-8275: Fixed various certificate fingerprint issues

CVE-2015-0204: Only allow ephemeral RSA keys in export ciphersuites

CVE-2015-0205: OpenSSL 0.9.8j is NOT vulnerable to CVE-2015-0205 as it doesn't
support DH certificates and this typo prohibits skipping of
certificate verify message for sign only certificates anyway.
(This patch only fixes the wrong condition)

This update also fixes regression caused by CVE-2014-0224.patch (bnc#892403)


-----------------------------------------
Patch: SUSE-2015-80
Released: Tue Feb 10 15:32:25 2015
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 916265,916266,CVE-2014-8891,CVE-2014-8892
Description:
java-1_7_1-ibm was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8892: Unspecified vulnerability (bnc#916265).
- CVE-2014-8891: Unspecified vulnerability (bnc#916266).
  

-----------------------------------------
Patch: SUSE-2015-69
Released: Mon Feb 23 11:53:02 2015
Summary: Recommended update for timezone
Severity: important
References: 912415,915422,915693
Description:
This update provides the latest timezone information (2015a) for your system, including the following changes:

- Add positive leap second on 2015-06-30 23:59:60 UTC, as per IERS Bulletin C 49. (bsc#912415)
- Mexico state Quintana Roo (America/Cancun) shifts from Central Time with DST to Eastern Time without DST on 2015-02-01 02:00. (bsc#915422)
- Chile (America/Santiago) will retain old DST as standard time from April, also Pacific/Easter, and Antarctica/Palmer.

This release also includes changes affecting past time stamps, documentation and some minor bug fixes. For a comprehensive list, refer to the release announcement from ICANN:

- [http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html](http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html)


-----------------------------------------
Patch: SUSE-2015-274
Released: Mon Feb 23 22:21:35 2015
Summary: Recommended update for openslp
Severity: moderate
References: 909195
Description:
This update for openslp provides the following fixes:

- Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
- Bring back allowDoubleEqualInPredicate option.


-----------------------------------------
Patch: SUSE-2015-110
Released: Mon Mar  2 17:43:50 2015
Summary: Security update for icu
Severity: moderate
References: 917129,CVE-2014-9654
Description:
icu was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9654: Insufficient size limit checks in regular expression compiler (bnc#917129).
  

-----------------------------------------
Patch: SUSE-2015-116
Released: Mon Mar  2 21:22:56 2015
Summary: Security update for cups, cups154
Severity: moderate
References: 917799,CVE-2014-9679
Description:
cups, cups154 was updated to fix one security issue.

This security issue was fixed:
- CVE-2014-9679: A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels (bnc#917799).
  

-----------------------------------------
Patch: SUSE-2015-157
Released: Tue Mar 10 09:01:41 2015
Summary: Security update for libssh2_org
Severity: moderate
References: 921070,CVE-2015-1782
Description:

The ssh client library libssh2_org was updated to fix a security issue.

CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT
packet, that could lead to a buffer overread and to a crash of the
libssh2_org using application.


-----------------------------------------
Patch: SUSE-2015-208
Released: Thu Mar 12 10:43:10 2015
Summary: Security update for python-PyYAML
Severity: moderate
References: 921588,CVE-2014-9130
Description:
python-PyYAML was updated to fix one security issue which could have allowed an attacker to cause a denial of service by supplying specially crafted strings

The following issue was fixed:
- #921588: python-PyYAML: assert failure when processing wrapped strings (equivalent to CVE-2014-9130 in LibYAML) 


-----------------------------------------
Patch: SUSE-2015-313
Released: Fri Mar 13 00:47:47 2015
Summary: Recommended update for pciutils
Severity: low
References: 837347
Description:
This update for pciutils fixes a memory leak in function get_cache_name().

-----------------------------------------
Patch: SUSE-2015-275
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:

- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.

-----------------------------------------
Patch: SUSE-2015-135
Released: Wed Mar 18 19:18:56 2015
Summary: Security update for compat-openssl098
Severity: important
References: 915976,919648,920236,922488,922496,922499,922500,922501,CVE-2009-5146,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0292,CVE-2015-0293
Description:
OpenSSL was updated to fix various security issues.

Following security issues were fixed:
- CVE-2015-0209: A Use After Free following d2i_ECPrivatekey error
  was fixed which could lead to crashes for attacker supplied Elliptic
  Curve keys. This could be exploited over SSL connections with client
  supplied keys.

- CVE-2015-0286: A segmentation fault in ASN1_TYPE_cmp was fixed that
  could be exploited by attackers when e.g. client authentication is
  used. This could be exploited over SSL connections.

- CVE-2015-0287: A ASN.1 structure reuse memory corruption was fixed. This
  problem can not be exploited over regular SSL connections, only if
  specific client programs use specific ASN.1 routines.

- CVE-2015-0288: A X509_to_X509_REQ NULL pointer dereference was fixed,
  which could lead to crashes. This function is not commonly used, and
  not reachable over SSL methods.

- CVE-2015-0289: Several PKCS7 NULL pointer dereferences were fixed,
  which could lead to crashes of programs using the PKCS7 APIs. The SSL
  apis do not use those by default.

- CVE-2015-0292: Various issues in base64 decoding were fixed, which
  could lead to crashes with memory corruption, for instance by using
  attacker supplied PEM data.

- CVE-2015-0293: Denial of service via reachable assert in SSLv2 servers,
  could be used by remote attackers to terminate the server process. Note
  that this requires SSLv2 being allowed, which is not the default.

- CVE-2009-5146: A memory leak in the TLS hostname extension was fixed,
  which could be used by remote attackers to run SSL services out of memory.


-----------------------------------------
Patch: SUSE-2015-159
Released: Fri Mar 20 15:25:46 2015
Summary: Security update for tcpdump
Severity: moderate
References: 922220,922221,922222,922223,923142,CVE-2014-9140,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155
Description:
tcpdump was updated to fix five vulnerabilities in protocol printers

When running tcpdump, a remote unauthenticated user could have crashed the application or, potentially, execute arbitrary code by injecting crafted packages into the network.

The following vulnerabilities were fixed:
 * IPv6 mobility printer remote DoS (CVE-2015-0261, bnc#922220)
 * PPP printer remote DoS (CVE-2014-9140, bnc#923142)
 * force printer remote DoS (CVE-2015-2155, bnc#922223)
 * ethernet printer remote DoS (CVE-2015-2154, bnc#922222)
 * tcp printer remote DoS (CVE-2015-2153, bnc#922221)


-----------------------------------------
Patch: SUSE-2015-146
Released: Mon Mar 23 11:45:22 2015
Summary: Recommended update for timezone
Severity: low
References: 923498
Description:
This update provides the latest timezone information (2015b) for your system, including the following changes:

- Mongolia will start observing DST again in 2015, from the last Saturday in March to the last Saturday in September.
- Palestine will start DST on March 28, not March 27.
- Fix integer overflow bug in reference 'mktime' implementation.

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html


-----------------------------------------
Patch: SUSE-2015-194
Released: Tue Mar 24 17:21:25 2015
Summary: Security update for gd
Severity: low
References: 923945,CVE-2014-9709
Description:
The graphics drawing library gd was updated to fix one security issue.

The following vulnerability was fixed:
* possible buffer read overflow (CVE-2014-9709)


-----------------------------------------
Patch: SUSE-2015-156
Released: Tue Mar 24 17:51:59 2015
Summary: Security update for pigz
Severity: moderate
References: 913627,CVE-2015-1191
Description:
Pigz, a multi-threaded implementation of gzip, was updated to fix one vulnerability.

The following vulnerability was fixed:

* A crafted file could have caused an unwanted directory traversal on extract (CVE-2015-1191)


-----------------------------------------
Patch: SUSE-2015-222
Released: Wed Apr  8 01:19:45 2015
Summary: Recommended update for supportutils
Severity: moderate
References: 890604,912797,915888,918641,920795,922607,924738,924760,924761,925230
Description:
This update for supportutils provides the following fixes:

- Fixed xz system logs compressed (bnc#924761)
- Fixed xz compressed logs in updates.txt (bnc#924760)
- Added docker support in docker.txt with OPTION_DOCKER=1 (bnc#925230)
- Added missing SUSEConnect (bnc#924738)
- Fixed kdumptool error (bnc#922607)
- Added missing wicked configuration to network.txt (bnc#920795)
- Fixed vmcp detection (bnc#915888)
- Included DNS fix (bnc#918641)
- Use /etc/drbd.conf for test instead of rpm (bnc#890604)
- Added missing taint flag E (bnc#912797)
- Added lsinitrd to boot.txt for SLE12.


-----------------------------------------
Patch: SUSE-2015-169
Released: Wed Apr 15 02:34:35 2015
Summary: Recommended update for timezone
Severity: low
References: 927184
Description:
This update provides the latest timezone information (2015c) for your
system, including the following changes:

- Egypt's spring-forward transition in 2015 will be on Thursday, April 30 at 24:00,
  not Friday, April 24 at 00:00.

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcement from ICANN:

- http://mm.icann.org/pipermail/tz-announce/2015-April/000030.html


-----------------------------------------
Patch: SUSE-2015-234
Released: Thu Apr 16 15:41:43 2015
Summary: Recommended update for yp-tools
Severity: low
References: 902507
Description:
This update for yp-tools provides the following fixes:

- Add a workround for a Solaris ypbind bug, which let NIS use a 
  french server as NIS server.
- ypchfn/ypchsh are not deprecated and should not call the chfn/chsh
  variants.


-----------------------------------------
Patch: SUSE-2015-174
Released: Sat Apr 25 15:13:10 2015
Summary: Recommended update for timezone
Severity: low
References: 928246
Description:
This update adjusts Egypt's time zone definitions, canceling DST from 2015 onwards.

-----------------------------------------
Patch: SUSE-2015-267
Released: Wed May 20 14:45:05 2015
Summary: Security update for fuse
Severity: moderate
References: 931452,CVE-2015-3202
Description:

This update fixes a vulnerability in fuse that 
did not clear the environment upon execution of external programs. 
CVE-2015-3202 has been assigned to this issue


-----------------------------------------
Patch: SUSE-2015-334
Released: Tue Jun  9 17:09:01 2015
Summary: Recommended update for tcsh
Severity: low
References: 901076
Description:
This update for tcsh fixes locking of .history files when multiple instances of the shell run simultaneously.

-----------------------------------------
Patch: SUSE-2015-264
Released: Wed Jun 10 16:31:35 2015
Summary: Security update for cups
Severity: critical
References: 924208,CVE-2012-5519,CVE-2015-1158,CVE-2015-1159
Description:
The following issues are fixed by this update:

* CVE-2012-5519: privilege escalation via cross-site scripting
  and bad print job submission used to replace cupsd.conf on server (bsc#924208).
* CVE-2015-1158: Improper Update of Reference Count
* CVE-2015-1159: Cross-Site Scripting



-----------------------------------------
Patch: SUSE-2015-296
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:

This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).

* Added a NIST 800-90a compliant DRBG.

* Change DSA key generation to be FIPS 186-4 compliant.

* Change RSA key generation to be FIPS 186-4 compliant.

* Enable HW support in fips mode (bnc#896435)

* Make DSA selftest use 2048 bit keys (bnc#898003)

* Added ECDSA selftests and add support for it to the CAVS testing
  framework (bnc#896202)

* Various CAVS testing improvements.


-----------------------------------------
Patch: SUSE-2015-376
Released: Thu Jun 11 22:43:24 2015
Summary: Recommended update for libyajl
Severity: low
References: 921152
Description:
This update for libyajl fixes parsing of VM disk statistics in xentop.

-----------------------------------------
Patch: SUSE-2015-270
Released: Fri Jun 12 16:22:02 2015
Summary: 
Security update for java-1_7_0-ibm 
Severity: important
References: 912434,912447,930365,931693,931702,CVE-2015-0138,CVE-2015-0192,CVE-2015-1914,CVE-2015-2808
Description:
This update fixes the following security issues:

- Version bump to 7.1-3.0 release bnc#930365 CVE-2015-0192 CVE-2015-2808 CVE-2015-1914 CVE-2015-0138

- Fix removeing links before update-alternatives run. bnc#931702

- Fix bnc#912434, javaws/plugin stuff should slave plugin update-alternatives
- Fix bnc#912447, use system cacerts

- Update to 7.1.2.10 for sec issues bnc#916266 and bnc#916265 CVE-2014-8892 CVE-2014-8891


-----------------------------------------
Patch: SUSE-2015-283
Released: Tue Jun 16 15:02:53 2015
Summary: Recommended update for timezone
Severity: low
References: 928841,934654
Description:

This update provides the latest timezone information (2015e) for your
system, including the following changes:

- Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00,
  not 06-13 and 07-18.
- Assume Cayman Islands will observe DST starting next year, using US rules.
- Fix post-install script to overwrite the temporary file when attempting
  to create /etc/localtime as a hard link. (bsc#928841)

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, refer to the release announcements from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html
http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html


-----------------------------------------
Patch: SUSE-2015-285
Released: Wed Jun 17 18:11:24 2015
Summary: Security update for compat-openssl098
Severity: important
References: 879179,929678,931698,933898,933911,934487,934489,934491,934493,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Description:

This update fixes the following security issues:

- CVE-2015-4000 (boo#931698)
  * The Logjam Attack / weakdh.org
  * reject connections with DH parameters shorter than 1024 bits
  * generates 2048-bit DH parameters by default
- CVE-2015-1788 (boo#934487)
  * Malformed ECParameters causes infinite loop
- CVE-2015-1789 (boo#934489)
  * Exploitable out-of-bounds read in X509_cmp_time
- CVE-2015-1790 (boo#934491)
  * PKCS7 crash with missing EnvelopedContent
- CVE-2015-1792 (boo#934493)
  * CMS verify infinite loop with unknown hash function
- CVE-2015-1791 (boo#933911)
  * race condition in NewSessionTicket
- CVE-2015-3216 (boo#933898)
  * Crash in ssleay_rand_bytes due to locking regression
  * modified openssl-1.0.1i-fipslocking.patch
- fix timing side channel in RSA decryption (bnc#929678)
- add ECC ciphersuites to DEFAULT (bnc#879179)
- Disable EXPORT ciphers by default (bnc#931698, comment #3)


-----------------------------------------
Patch: SUSE-2015-330
Released: Tue Jul 14 20:28:10 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 856315,935033,935979,CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Description:
MozillaFirefox, mozilla-nspr and  mozilla-nss were updated to fix 17 security issues.

For more details please check the changelogs.
- CVE-2015-2724/CVE-2015-2725/CVE-2015-2726: Miscellaneous memory safety hazards (bsc#935979).
- CVE-2015-2728: Type confusion in Indexed Database Manager (bsc#935979).
- CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly (bsc#935979).
- CVE-2015-2722/CVE-2015-2733: Use-after-free in workers while using XMLHttpRequest (bsc#935979).
- CVE-2015-2734/CVE-2015-2735/CVE-2015-2736/CVE-2015-2737/CVE-2015-2738/CVE-2015-2739/CVE-2015-2740: Vulnerabilities found through code inspection (bsc#935979).
- CVE-2015-2743: Privilege escalation in PDF.js (bsc#935979).
- CVE-2015-4000: NSS accepts export-length DHE keys with regular DHE cipher suites (bsc#935033).
- CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange (bsc#935979).


-----------------------------------------
Patch: SUSE-2015-361
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:

The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing
a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:

* Fixes bogus integer overflow in constant expression.  [bnc#934689]
* Fixes ICE with atomics on aarch64.  [bnc#930176]
* Includes fix for -imacros bug.  [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings.  [bnc#919274]
* Includes updated -mhotpatch for s390x.  [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract.  [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations.  [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
  

-----------------------------------------
Patch: SUSE-2015-422
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Severity: low
References: 926412,936050,937823
Description:

This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2, please see
https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to 2.25 release branch
to provide features and bugfixes.

Following features have been added to binutils:

* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).


The GNU Debugger gdb was updated to version 7.9.1 bringing
various features and lots of bugfixes. Also IBM zSeries z13 hardware
support has been added to gdb. (fate#318039)


-----------------------------------------
Patch: SUSE-2015-359
Released: Tue Jul 28 13:20:24 2015
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 935540,938895,CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2619,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4729,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Description:
IBM Java was updated to 7.1-3.10 to fix several security issues.

The following vulnerabilities were fixed:
  
* CVE-2015-1931: IBM Java Security Components store plain text data in memory dumps, which could allow a local attacker to obtain information to aid in further attacks against the system.
* CVE-2015-2590: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2601: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2613: Easily exploitable vulnerability in the JCE component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.  
* CVE-2015-2619: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2621: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2625: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2632: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2637: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized read access to a subset of Java accessible data.
* CVE-2015-2638: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2664: Difficult to exploit vulnerability in the Deployment component requiring logon to Operating System. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-2808: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java accessible data.
* CVE-2015-4000: Very difficult to exploit vulnerability in the JSSE component allowed successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java accessible data as well as read access to a subset of Java Embedded accessible data.
* CVE-2015-4729: Very difficult to exploit vulnerability in the Deployment component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized update, insert or delete access to some Java SE accessible data as well as read access to a subset of Java SE accessible data.
* CVE-2015-4731: Easily exploitable vulnerability in the JMX component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4732: Easily exploitable vulnerability in the Libraries component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.  
* CVE-2015-4733: Easily exploitable vulnerability in the RMI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4748: Very difficult to exploit vulnerability in the Security component allowed successful unauthenticated network attacks via OCSP. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.
* CVE-2015-4749: Difficult to exploit vulnerability in the JNDI component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized ability to cause a partial denial of service (partial DOS).
* CVE-2015-4760: Easily exploitable vulnerability in the 2D component allowed successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability could have resulted in unauthorized Operating System takeover including arbitrary code execution.


-----------------------------------------
Patch: SUSE-2015-442
Released: Fri Jul 31 17:25:19 2015
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 929237,CVE-2015-3451
Description:

perl-XML-LibXML was updated to fix the expand_entities option to be preserved in all cases. (CVE-2015-3451).


-----------------------------------------
Patch: SUSE-2015-419
Released: Fri Aug  7 11:26:40 2015
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 937492,CVE-2015-0287
Description:

This update of compat-openssl098 fixes a regression problem when loading DSA keys
from disk caused by the security fix for CVE-2015-0287. (bsc#937492)


-----------------------------------------
Patch: SUSE-2015-416
Released: Tue Aug 11 18:18:42 2015
Summary: Recommended update for timezone
Severity: low
References: 941249
Description:

This update provides the latest timezone information (2015f) for your
system, including the following changes:

- North Korea switches to +0830 on 2015-08-15. The abbreviation remains 'KST'.
- Uruguay no longer observes DST.
- Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html


-----------------------------------------
Patch: SUSE-2015-500
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:

This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation
  [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
   are Practical] (bsc#920057)

Bugfixes:
* don't drop privileges when locking secure memory (bsc#938343)


-----------------------------------------
Patch: SUSE-2015-445
Released: Thu Aug 20 14:42:42 2015
Summary: Recommended update for aws-cli
Severity: low
References: 905354
Description:

The Amazon Web Services Command Line Interface (aws-cli) was updated to version 1.7.42,
which includes several new features and enhancements.

The following dependencies of aws-cli have also been updated to newer versions for
compatibility reasons:

- python-botocore (version 1.1.6)
- python-bcdoc (version 0.14.0)
- python-jmespath (version 0.7.1)

For a comprehensive list of changes please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2015-531
Released: Fri Aug 21 13:44:15 2015
Summary: Recommended update for cronie
Severity: low
References: 900604
Description:
cronie has been updated to fix loading of PAM environment from the pam_env module.

-----------------------------------------
Patch: SUSE-2015-498
Released: Fri Aug 21 13:44:31 2015
Summary: Recommended update for mailx
Severity: low
References: 922543
Description:
This update for mailx provides the following fixes:

- Allow Form Feed as valid characters within mail messages. (bsc#922543)


-----------------------------------------
Patch: SUSE-2015-605
Released: Fri Aug 21 15:20:22 2015
Summary: Recommended update for alsa-utils
Severity: low
References: 940950
Description:
This update for alsa-utils supresses alsactl invocations on systems without
sound cards.

-----------------------------------------
Patch: SUSE-2015-573
Released: Fri Aug 21 15:55:14 2015
Summary: Recommended update for libXi
Severity: moderate
References: 940529
Description:
This update provides libXi 1.7.4, which brings several fixes and
enhancements:

- Fix handling of request elements for the XIChangeHierarchy(XIAddMaster) 
  request.
- Fix display locking inside _XIPassiveGrabDevice for error paths.
- Fix locking problems in XIGrabTouchBegin(), XIAllowTouchEvents()
  and XIUngrabTouchBegin().
- Remove fallback for _XEatDataWords, no longer needed on SLE 12.


-----------------------------------------
Patch: SUSE-2015-543
Released: Mon Aug 24 14:54:03 2015
Summary: Recommended update for rubygem-bundler
Severity: moderate
References: 922719
Description:

The rubygem-bundler package contained its own set of SSL root certificates.

This update removes them and instead uses the system's certificate database.


-----------------------------------------
Patch: SUSE-2015-473
Released: Tue Aug 25 16:06:40 2015
Summary: Security update for tiff
Severity: moderate
References: 914890,916927,CVE-2014-8127,CVE-2014-8128,CVE-2014-8129,CVE-2014-8130,CVE-2014-9655
Description:

LibTiff was updated to the 4.0.4 stable release fixing various security
issues and bugs.

These security issues were fixed:
- CVE-2014-8127: Out-of-bounds write (bnc#914890).
- CVE-2014-8128: Out-of-bounds write (bnc#914890).
- CVE-2014-8129: Out-of-bounds write (bnc#914890).
- CVE-2014-8130: Out-of-bounds write (bnc#914890).
- CVE-2014-9655: Access of uninitialized memory (bnc#916927).


-----------------------------------------
Patch: SUSE-2015-530
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Severity: low
References: 933029
Description:

This update for sed fixes the behavior of --follow-symlinks when reading from the
standard input (stdin).

The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both
cases, sed will read from the standard input and no longer from a file named '-'.


-----------------------------------------
Patch: SUSE-2015-546
Released: Wed Aug 26 21:16:17 2015
Summary: Recommended update for tar
Severity: low
References: 940120
Description:

This update for tar enables support for ACLs, extended attributes (Xattr) and SELinux.


-----------------------------------------
Patch: SUSE-2015-499
Released: Mon Aug 31 11:55:14 2015
Summary: Security update for zeromq
Severity: moderate
References: 912460,931978,CVE-2014-9721
Description:
zeromq was updated to fix one security issue and one non-security bug.

The following vulnerability was fixed:

* CVE-2014-9721: zeromq protocol downgrade attack on sockets using the ZMTP v3 protocol (boo#931978)

The following bug was fixed:

* boo#912460: avoid curve test to hang for ppc ppc64 ppc64le architectures


-----------------------------------------
Patch: SUSE-2015-561
Released: Tue Sep  1 21:05:50 2015
Summary: Recommended update for kbd
Severity: low
References: 915473
Description:

This update fixes loading of some console keymaps, including the default keymap
used by 'loadkeys -d'.


-----------------------------------------
Patch: SUSE-2015-472
Released: Wed Sep  2 08:25:03 2015
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 940806,943557,943558,943608,CVE-2015-4473,CVE-2015-4474,CVE-2015-4475,CVE-2015-4478,CVE-2015-4479,CVE-2015-4484,CVE-2015-4485,CVE-2015-4486,CVE-2015-4487,CVE-2015-4488,CVE-2015-4489,CVE-2015-4491,CVE-2015-4492,CVE-2015-4495,CVE-2015-4497,CVE-2015-4498
Description:

Mozilla Firefox was updated to version 38.2.1 ESR to fix several
critical and non critical security vulnerabilities.

- Firefox was updated to 38.2.1 ESR (bsc#943608)
  * MFSA 2015-94/CVE-2015-4497 (bsc#943557)
    Use-after-free when resizing canvas element during restyling
  * MFSA 2015-95/CVE-2015-4498 (bsc#943558)
    Add-on notification bypass through data URLs

- Firefox was updated to 38.2.0 ESR (bsc#940806)
  * MFSA 2015-78/CVE-2015-4495
    (bmo#1178058, bmo#1179262)
    Same origin violation and local file stealing via PDF reader
  * MFSA 2015-79/CVE-2015-4473/CVE-2015-4474
    (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204,
     bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890,
     bmo#1182711)
    Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
  * MFSA 2015-80/CVE-2015-4475
    (bmo#1175396)
    Out-of-bounds read with malformed MP3 file
  * MFSA 2015-82/CVE-2015-4478
    (bmo#1105914)
    Redefinition of non-configurable JavaScript object properties
  * MFSA 2015-83/CVE-2015-4479
    (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718)
    Overflow issues in libstagefright
  * MFSA 2015-87/CVE-2015-4484
    (bmo#1171540)
    Crash when using shared memory in JavaScript
  * MFSA 2015-88/CVE-2015-4491
    (bmo#1184009)
    Heap overflow in gdk-pixbuf when scaling bitmap images
  * MFSA 2015-89/CVE-2015-4485/CVE-2015-4486
    (bmo#1177948, bmo#1178148)
    Buffer overflows on Libvpx when decoding WebM video
  * MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489
    (bmo#1176270, bmo#1182723, bmo#1171603)
    Vulnerabilities found through code inspection
  * MFSA 2015-92/CVE-2015-4492
    (bmo#1185820)
    Use-after-free in XMLHttpRequest with shared workers

Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38ESR uses.


-----------------------------------------
Patch: SUSE-2015-502
Released: Thu Sep  3 14:53:31 2015
Summary: Optional update for mozjs17
Severity: low
References: 944331
Description:
This update for mozjs17 includes fixes specific to the ARM64 architecture.

-----------------------------------------
Patch: SUSE-2015-527
Released: Fri Sep  4 16:09:17 2015
Summary: Security update for conntrack-tools
Severity: moderate
References: 942149,944339,CVE-2015-6496
Description:

Fix a possible crash if conntrackd sees DCCP, SCTP and ICMPv6 traffic
and the corresponding kernel modules that track this traffic are not
available. (bsc#942149, CVE-2015-6496)


-----------------------------------------
Patch: SUSE-2015-606
Released: Tue Sep  8 17:59:56 2015
Summary: Recommended update for blktrace
Severity: low
References: 939307
Description:
This update fixes blktrace to run on systems with more than 512 CPUs.

-----------------------------------------
Patch: SUSE-2015-568
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-utf-8 data.

-----------------------------------------
Patch: SUSE-2015-571
Released: Wed Sep 16 15:27:13 2015
Summary: Recommended update for make
Severity: low
References: 934131
Description:
This update for make provides the following fixes:

- Force recomputing .VARIABLES when a variable was made undefined. (bsc#934131)


-----------------------------------------
Patch: SUSE-2015-598
Released: Wed Sep 23 12:20:31 2015
Summary: Initial release of Amazon's EC2 utilities
Severity: low
References: 943482
Description:
The following packages have been added to the SLES 12 Public Cloud Module:

- python-ec2deprecateimg: Deprecate images owned by the specified account by adding tags
  named 'Deprecated on', 'Removal date', and 'Replacement image'.

- python-ec2publishimg: Publish images owned by the specified account by adding tags named
  'Published on', 'Removal date', and 'Replacement image'.

- python-ec2uploadimg: Upload a compressed .raw disk image to Amazoon EC2 and create a
  snapshot or register and AMI.

- python-ec2utilsbase: Shared functionality for various ec2utils packages.


-----------------------------------------
Patch: SUSE-2015-640
Released: Wed Sep 23 20:20:09 2015
Summary: Security update for MozillaFirefox, mozilla-nspr
Severity: important
References: 947003,CVE-2015-4500,CVE-2015-4501,CVE-2015-4506,CVE-2015-4509,CVE-2015-4511,CVE-2015-4517,CVE-2015-4519,CVE-2015-4520,CVE-2015-4521,CVE-2015-4522,CVE-2015-7174,CVE-2015-7175,CVE-2015-7176,CVE-2015-7177,CVE-2015-7180
Description:

Mozilla Firefox was updated to version 38.3.0 ESR (bsc#947003),
fixing bugs and security issues.

* MFSA 2015-96/CVE-2015-4500/CVE-2015-4501
  Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
* MFSA 2015-101/CVE-2015-4506
  Buffer overflow in libvpx while parsing vp9 format video
* MFSA 2015-105/CVE-2015-4511
  Buffer overflow while decoding WebM video
* MFSA 2015-106/CVE-2015-4509
  Use-after-free while manipulating HTML media content
* MFSA 2015-110/CVE-2015-4519
  Dragging and dropping images exposes final URL after
  redirects
* MFSA 2015-111/CVE-2015-4520
  Errors in the handling of CORS preflight request headers
* MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522
  CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177
  CVE-2015-7180
  Vulnerabilities found through code inspection

More details can be found on
	https://www.mozilla.org/en-US/security/advisories/

The Mozilla NSPR library was updated to version 4.10.9, fixing various bugs.


-----------------------------------------
Patch: SUSE-2015-607
Released: Mon Sep 28 12:18:17 2015
Summary: Recommended update for python3
Severity: moderate
References: 935856
Description:

This update fixes a python3 testsuite failure due to the openssl LOGJAM fixes.  (bsc#935856)
It also fixes a python3-base build issue on aarch64.

(It is not meant for public channels)


-----------------------------------------
Patch: SUSE-2015-682
Released: Fri Oct  2 19:17:57 2015
Summary: Recommended update for timezone
Severity: low
References: 948227,948568
Description:

This update provides the latest timezone information (2015g) for your
system, including the following changes:

- Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
- Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
- Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
- Fort Nelson, British Columbia will not fall back on 2015-11-01.  It has 
  effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
  Add new zone America/Fort_Nelson.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2015-October/022728.html


-----------------------------------------
Patch: SUSE-2015-756
Released: Wed Oct  7 07:07:48 2015
Summary: Security update for gcc48
Severity: moderate
References: 945842,947772,947791,948168,949000,CVE-2015-5276
Description:
This update for GCC 4.8 provides the following fixes:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)
- Fix linker segmentation fault when building SLOF on ppc64le. (bsc#949000)
- Fix no_instrument_function attribute handling on PPC64 with -mprofile-kernel. (bsc#947791)
- Fix internal compiler error with aarch64 target using PCH and builtin functions. (bsc#947772)
- Fix libffi issues on aarch64. (bsc#948168)


-----------------------------------------
Patch: SUSE-2015-727
Released: Wed Oct  7 09:26:23 2015
Summary: Recommended update for cloud-init
Severity: low
References: 948930,948995,948996
Description:

cloud-init uses the Jinja2 Python module to generate configuration files from
templates, but this dependency was not defined in the package's spec file.
This update adds the missing requirement to cloud-init.


-----------------------------------------
Patch: SUSE-2015-663
Released: Wed Oct  7 16:01:20 2015
Summary: Optional update for binutils
Severity: low
References: 949066
Description:

ARM64 (aarch64) binaries produced by binutils 2.25 gold linker had incorrect (4k)
section alignment. As a result, those binaries could not be mapped when being
executed on a SLE 12 kernel.

This update adjusts the section alignment to 64k, as required by the ABI.


-----------------------------------------
Patch: SUSE-2015-797
Released: Sat Oct 10 04:42:14 2015
Summary: Recommended update for LibreOffice
Severity: moderate
References: 470073,806250,829430,86241,87222,890735,900186,900877,907966,910805,910806,913042,914911,915996,916181,918852,919409,926375,929793,934423,936188,936190,940838,943075,945692,CVE-2014-8146,CVE-2014-8147,CVE-2015-1774,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Description:

This update brings LibreOffice to version 5.0.2, a major version
update.

It brings lots of new features, bugfixes and also security fixes.

Features as seen on http://www.libreoffice.org/discover/new-features/

* LibreOffice 5.0 ships an impressive number of new features for
  its spreadsheet module, Calc: complex formulae image cropping, new
  functions, more powerful conditional formatting, table addressing
  and much more. Calc's blend of performance and features makes it
  an enterprise-ready, heavy duty spreadsheet application capable of
  handling all kinds of workload for an impressive range of use cases
* New icons, major improvements to menus and sidebar : no other
  LibreOffice version has looked that good and helped you be creative and
  get things done the right way. In addition, style management is now more
  intuitive thanks to the visualization of styles right in the interface.
* LibreOffice 5 ships with numerous improvements to document import and
  export filters for MS Office, PDF, RTF, and more. You can now timestamp
  PDF documents generated with LibreOffice and enjoy enhanced document
  conversion fidelity all around.

The Pentaho Flow Reporting Engine is now added and used.

Security issues fixed:

* CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 did not properly
  track directionally isolated pieces of text, which allowed remote
  attackers to cause a denial of service (heap-based buffer overflow)
  or possibly execute arbitrary code via crafted text.
* CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) before 55.1 used an integer
  data type that is inconsistent with a header file, which allowed remote
  attackers to cause a denial of service (incorrect malloc followed by
  invalid free) or possibly execute arbitrary code via crafted text.
* CVE-2015-4551: An arbitrary file disclosure vulnerability in Libreoffice
  and Openoffice Calc and Writer was fixed.
* CVE-2015-1774: The HWP filter in LibreOffice allowed remote attackers
  to cause a denial of service (crash) or possibly execute arbitrary code
  via a crafted HWP document, which triggered an out-of-bounds write.
* CVE-2015-5212: A LibreOffice 'PrinterSetup Length' integer underflow
  vulnerability could be used by attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5213: A LibreOffice 'Piece Table Counter' invalid check design
  error vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
* CVE-2015-5214: Multiple Vendor LibreOffice Bookmark Status Memory
  Corruption Vulnerability allowed attackers supplying documents to execute
  code as the user opening the document.
  

-----------------------------------------
Patch: SUSE-2015-708
Released: Tue Oct 13 17:36:20 2015
Summary: Recommended update for pciutils-ids
Severity: low
References: 911528,944104,944436,944825
Description:
The system's PCI IDs database has been updated to version 2015.10.07. Additionally, the
merge-pciids.pl script was fixed to not print warnings about conflicting definitions by
default.

-----------------------------------------
Patch: SUSE-2015-747
Released: Thu Oct 15 14:34:52 2015
Summary: Recommended update for supportutils
Severity: low
References: 944445,950216
Description:
This update for supportutils provides the following fixes and enhancements:

- Capture information about IBM's PowerNV platform. (bsc#944445)
- Collect important libvirt log files. (bsc#950216)


-----------------------------------------
Patch: SUSE-2015-760
Released: Mon Oct 19 15:06:01 2015
Summary: Recommended update for sysstat
Severity: low
References: 935144,944951
Description:
This update for sysstat provides the following fixes:

- Fix missing ',' in JSON output before 'file-utc-time' parameter. (bsc#944951)
- Add libsensors4-devel to BuildRequires on x86_64, so that sensors support is included. (bsc#935144)


-----------------------------------------
Patch: SUSE-2015-759
Released: Thu Oct 22 09:44:27 2015
Summary: Security update for polkit
Severity: moderate
References: 912889,933922,935119,939246,943816,950114,CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Description:

polkit was updated to the 0.113 release, fixing security issues and bugs.

Security issues fixed:
* Fixes CVE-2015-4625, a local privilege escalation due to predictable
  authentication session cookie values. Thanks to Tavis Ormandy, Google Project
  Zero for reporting this issue. For the future, authentication agents are
  encouraged to use PolkitAgentSession instead of using the D-Bus agent response
  API directly. (bsc#935119)
* Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
  JavaScript interpreter, possibly leading to local privilege escalation.
  (bsc#943816)
* Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
  action IDs, possibly leading to local privilege escalation. Thanks to
  Laurent Bigonville for reporting this issue. (bsc#939246)
* Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
  Tavis Ormandy, Google Project Zero, for reporting this issue. (bsc#933922)

Other issues fixed:
* On systemd-213 and later, the 'active' state is shared across all sessions of
  an user, instead of being tracked separately.
* pkexec, when not given a program to execute, runs the users shell by
  default.
* Fixed shutdown problems on powerpc64le (bsc#950114)
* polkit had a memory leak (bsc#912889)


-----------------------------------------
Patch: SUSE-2015-776
Released: Fri Oct 30 08:06:58 2015
Summary: Recommended update for libyaml
Severity: low
References: 952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.

-----------------------------------------
Patch: SUSE-2015-799
Released: Tue Nov  3 19:11:32 2015
Summary: Recommended update for libxkbfile, libxkbcommon
Severity: low
References: 952403
Description:

This update adds xkeyboard-config as a runtime dependency of libxkbcommon and libxkbfile.
This is needed to ensure the keymap datasets will be available even on systems installed
with the Minimal pattern.


-----------------------------------------
Patch: SUSE-2015-813
Released: Wed Nov  4 19:38:37 2015
Summary: Recommended update for supportutils
Severity: low
References: 915888,931390,939079,941773,952024
Description:
This update for supportutils provides the following fixes and enhancements:

- Added OPTION_NIT for novell-nit.txt. (bsc#939079)
- Included control group listing in systemd.txt.
- Fixed find loop for autoupg.xml. (bsc#952024)
- Added nic,lan,vswitch. (bsc#915888)
- Fixed kernel taint flags. (bsc#941773)
- Fixed package reference. (bsc#931390)


-----------------------------------------
Patch: SUSE-2015-807
Released: Thu Nov  5 07:48:32 2015
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 908275,952810,CVE-2015-4513,CVE-2015-7181,CVE-2015-7182,CVE-2015-7183,CVE-2015-7188,CVE-2015-7189,CVE-2015-7193,CVE-2015-7194,CVE-2015-7196,CVE-2015-7197,CVE-2015-7198,CVE-2015-7199,CVE-2015-7200
Description:

This Mozilla Firefox, NSS and NSPR update fixes the following security
and non security issues.

- mozilla-nspr was updated to version 4.10.10 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7183
    (bmo#1205157)
    NSPR memory corruption issues

- mozilla-nss was updated to 3.19.2.1 (bsc#952810)
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182
    (bmo#1192028, bmo#1202868)
    NSS and NSPR memory corruption issues

- MozillaFirefox was updated to 38.4.0 ESR (bsc#952810)
  * MFSA 2015-116/CVE-2015-4513
    (bmo#1107011, bmo#1191942, bmo#1193038, bmo#1204580,
     bmo#1204669, bmo#1204700, bmo#1205707, bmo#1206564,
     bmo#1208665, bmo#1209471, bmo#1213979)
    Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
  * MFSA 2015-122/CVE-2015-7188
    (bmo#1199430)
    Trailing whitespace in IP address hostnames can bypass
    same-origin policy
  * MFSA 2015-123/CVE-2015-7189
    (bmo#1205900)
    Buffer overflow during image interactions in canvas
  * MFSA 2015-127/CVE-2015-7193
    (bmo#1210302)
    CORS preflight is bypassed when non-standard Content-Type
    headers are received
  * MFSA 2015-128/CVE-2015-7194
    (bmo#1211262)
    Memory corruption in libjar through zip files
  * MFSA 2015-130/CVE-2015-7196
    (bmo#1140616)
    JavaScript garbage collection crash with Java applet
  * MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200
    (bmo#1204061, bmo#1188010, bmo#1204155)
    Vulnerabilities found through code inspection
  * MFSA 2015-132/CVE-2015-7197
    (bmo#1204269)
    Mixed content WebSocket policy bypass through workers
  * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183
    (bmo#1202868, bmo#1192028, bmo#1205157)
    NSS and NSPR memory corruption issues
- fix printing on landscape media (bsc#908275)


-----------------------------------------
Patch: SUSE-2015-817
Released: Fri Nov  6 23:42:46 2015
Summary: Initial release of python-azurectl
Severity: low
References: 946907
Description:

This update provides a set of command line tools to interact with the Microsoft Azure
public cloud framework.

Refer to the azurectl(1) man page, included in python-azurectl, for comprehensive
documentation and usage instructions.


-----------------------------------------
Patch: SUSE-2015-834
Released: Thu Nov 12 13:52:22 2015
Summary: Recommended update for python-Twisted
Severity: moderate
References: 940813
Description:

python-Twisted has been updated to version 15.2.1, which brings several fixes and
enhancements such as:

- twisted.positioning, a new API for positioning systems such as GPS, has been added.
  It comes with an implementation of NMEA, the most common wire protocol for GPS devices.
  It will supersede twisted.protocols.gps.
- IReactorUDP.listenUDP, IUDPTransport.write and IUDPTransport.connect now accept ipv6
  address literals.
- A new API, twisted.internet.ssl.optionsForClientTLS, allows clients to specify and
  verify the identity of the peer they're communicating with.  When used with the
  service_identity library from PyPI, this provides support for service identity
  verification from RFC 6125, as well as server name indication from RFC 6066.
- Twisted's TLS support now provides a way to ask for user-configured trust roots
  rather than having to manually configure such certificate authority certificates.
- twisted.internet.ssl.CertificateOptions now supports ECDHE for servers by default
  on pyOpenSSL 0.14 and later, if the underlying versions of cryptography.io and
  OpenSSL support it.
- twisted.internet.ssl.CertificateOptions now allows the user to set acceptable ciphers
  and uses secure ones by default.
- The new package twisted.logger provides a new, fully tested, and feature-rich logging
  framework. The old module twisted.python.log is now implemented using the new framework.
- twisted.conch.ssh.forwarding now supports local->remote forwarding of IPv6.
- twisted.mail.smtp.sendmail now uses ESMTP. It will opportunistically enable encryption
  and allow the use of authentication.
- twisted.internet.ssl.CertificateOptions now enables TLSv1.1 and TLSv1.2 by default
  (in addition to TLSv1.0) if the underlying version of OpenSSL supports these protocol
  versions.
- twisted.internet.ssl.CertificateOptions now supports Diffie-Hellman key exchange.
- twisted.internet.ssl.CertificateOptions now disables TLS compression to avoid CRIME
  attacks and, for servers, uses server preference to choose the cipher.
- MSN protocol support has been marked as deprecated.
- Removed deprecated UDPClient.
- Better support and integration with Python 3.

For a comprehensive list of changes, please refer to the file NEWS shipped within the
package.


-----------------------------------------
Patch: SUSE-2015-836
Released: Thu Nov 12 14:28:01 2015
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 947833
Description:

OpenSSL was updated to fix a bug in TLS session renegotiation.

This renegotiation is for instance used with Apache2 client certificate handling,
which would fail if ECDHE key exchange is used, which is happening more often
after the last openssl update.


-----------------------------------------
Patch: SUSE-2015-854
Released: Wed Nov 18 10:40:35 2015
Summary: Security update for libpng12
Severity: moderate
References: 952051,954980,CVE-2015-7981,CVE-2015-8126
Description:
The libpng12 package was updated to fix the following security issues:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).
- CVE-2015-7981: Fixed an out-of-bound read (bsc#952051).


-----------------------------------------
Patch: SUSE-2015-855
Released: Wed Nov 18 10:41:00 2015
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:
The libpng16 package was updated to fix the following security issue:

- CVE-2015-8126: Fixed a buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (bsc#954980).


-----------------------------------------
Patch: SUSE-2015-873
Released: Fri Nov 20 14:05:28 2015
Summary: Recommended update for python-ec2utilsbase, python-ec2uploadimg
Severity: low
References: 954990
Description:
This update provides minor fixes for Amazon's EC2 utilities.

python-ec2uploadimg:

- Check that the specified account can be found in the configuration file and
  provide error message if the account is not found.

python-ec2utilsbase:

- Fix typo in exception name.


-----------------------------------------
Patch: SUSE-2015-920
Released: Mon Dec 14 13:40:58 2015
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 941939,955131,CVE-2015-0204,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-4734,CVE-2015-4803,CVE-2015-4805,CVE-2015-4806,CVE-2015-4810,CVE-2015-4835,CVE-2015-4840,CVE-2015-4842,CVE-2015-4843,CVE-2015-4844,CVE-2015-4860,CVE-2015-4871,CVE-2015-4872,CVE-2015-4882,CVE-2015-4883,CVE-2015-4893,CVE-2015-4902,CVE-2015-4903,CVE-2015-4911,CVE-2015-5006
Description:
The java-1_7_1-ibm package was updated to versioin 7.1-3.20 to fix several security and non security issues:

- bnc#955131: Version update to 7.1-3.20:
  CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810
  CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844
  CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883
  CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006
- Add backcompat symlinks for sdkdir
- bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir


-----------------------------------------
Patch: SUSE-2015-979
Released: Wed Dec 16 11:09:30 2015
Summary: Recommended update for ntp
Severity: important
References: 954982
Description:

This update for ntp fixes synchronization of local clocks. This issue was
introduced with the update to ntp 4.2.8p4 in SLE 12-SP1.


-----------------------------------------
Patch: SUSE-2015-863
Released: Thu Dec 17 16:02:51 2015
Summary: Recommended update for tar
Severity: moderate
References: 950785
Description:

The tar(1) archiving utility has been updated to fix one issue:

When the --acls option is used, explicitly set or delete default ACLs for extracted
directories. Prior to this update, arbitrary default ACLs based on standard file
permissions were being created.


-----------------------------------------
Patch: SUSE-2015-922
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non security issues:

- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).

- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). 


-----------------------------------------
Patch: SUSE-2015-1011
Released: Tue Dec 22 15:56:04 2015
Summary: Security update for compat-openssl098
Severity: moderate
References: 952099,957812,CVE-2015-3195
Description:

This update for compat-openssl098 fixes the following issues: 

Security issue fixed:;
- CVE-2015-3195: When presented with a malformed X509_ATTRIBUTE structure
  OpenSSL would leak memory. This structure is used by the PKCS#7 and CMS
  routines so any application which reads PKCS#7 or CMS data from untrusted
  sources is affected. SSL/TLS is not affected. (bsc#957812)

Non security issue fixed:
- Prevent segfault in s_client with invalid options (bsc#952099)


-----------------------------------------
Patch: SUSE-2015-869
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:

- Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826).


-----------------------------------------
Patch: SUSE-2015-862
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:

- Fix segmentation fault of getfacl -e on overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.


-----------------------------------------
Patch: SUSE-2015-1018
Released: Fri Dec 25 11:50:44 2015
Summary: Recommended update for ksh
Severity: moderate
References: 887320,924043,924318,926172,931908,933328,934437,939252,951430,953533,954856,955221
Description:

The Korn Shell (ksh) was downgraded from 93v to 93u, as version 93v is not
as stable as version 93u.  This is inline with the purpose of the Legacy
Module, which is to provide a compatibility layer for customers who need
more time to migrate from SUSE Linux Enterprise 11 to 12.

The updated package has its version set to 93vu to ensure the software update
stack (RPM, zypper) will see it as a regular update.  Users who want to stay
with version 93v can prevent the update with 'zypper addlock ksh'.


-----------------------------------------
Patch: SUSE-2016-4
Released: Mon Jan  4 11:20:40 2016
Summary: Recommended update for python-rsa
Severity: low
References: 935595
Description:

The python-rsa module was updated from 3.1.2 to 3.1.4. This minor version update
provides fixes for a few minor issues.

Additionally, the update adds coreutils to the list of python-rsa requirements.
This ensures rm(1) will be available at installation time.


-----------------------------------------
Patch: SUSE-2016-16
Released: Tue Jan  5 15:13:34 2016
Summary: Security update for libpng16
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue:

  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]


-----------------------------------------
Patch: SUSE-2016-26
Released: Wed Jan  6 21:13:06 2016
Summary: Recommended update for python-ec2uploadimg
Severity: low
References: 955993,960585
Description:

This update for python-ec2uploadimg fixes the following issues:

- Add python-paramiko as dependency. (bsc#960585)
- Fix typo in package description. (bsc#955993)


-----------------------------------------
Patch: SUSE-2016-37
Released: Thu Jan  7 13:40:33 2016
Summary: Security update for libpng12
Severity: moderate
References: 954980,CVE-2015-8126
Description:

  This update fixes the following security issue
  * CVE-2015-8126 Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions
    allow remote attackers to cause a denial of service (application crash) or possibly have 
    unspecified other impact [bsc#954980]
  

-----------------------------------------
Patch: SUSE-2016-46
Released: Fri Jan  8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Severity: moderate
References: 932232
Description:

This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system
operates in FIPS mode.

The various GNOME libraries and tool have been changed to use the default libgcrypt
allocators.

GNOME keyring was changed not to use MD5 anymore.

libgcrypt was adjusted to free the DRBG on exit to avoid crashes.


-----------------------------------------
Patch: SUSE-2016-61
Released: Tue Jan 12 15:44:14 2016
Summary: Recommended update for deltarpm
Severity: low
References: 948504
Description:
This update for deltarpm provides the following fixes:

- Fix off-by-one error in delta generation code which could lead to a segmentation
  fault in some rare circumstances. (bsc#948504)
- Return error rather than crashing if memory allocation fails.
- Add newline in missing prelink error.
- Do not finish applydeltarpm jobs when in the middle of a request.


-----------------------------------------
Patch: SUSE-2016-75
Released: Wed Jan 13 15:12:32 2016
Summary: Security update for python-rsa
Severity: moderate
References: 960680,CVE-2016-1494
Description:

This update for python-rsa fixes the following security issue:

* CVE-2016-1494: Possible signature forgery via Bleichenbacher attack (bsc#960680)


-----------------------------------------
Patch: SUSE-2016-98
Released: Mon Jan 18 10:20:53 2016
Summary: Security update for mozilla-nss
Severity: moderate
References: 959888,CVE-2015-7575
Description:
This update contains mozilla-nss 3.19.2.2 and fixes the following security issue:

  - CVE-2015-7575: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (bsc#959888).


-----------------------------------------
Patch: SUSE-2016-104
Released: Mon Jan 18 18:38:06 2016
Summary: Security update for tiff
Severity: moderate
References: 942690,960341,CVE-2015-7554
Description:

This update to tiff 4.0.6 fixes the following issues:

- CVE-2015-7554: Out-of-bounds write in the thumbnail and tiffcmp tools allowed attacker to cause a denial of service or have unspecified further impact (bsc#960341)
- bsc#942690: potential out-of-bound write in NeXTDecode() (#2508)


-----------------------------------------
Patch: SUSE-2016-155
Released: Mon Jan 25 18:10:54 2016
Summary: Recommended update for polkit
Severity: moderate
References: 954139
Description:

The previous version update of polkit to fix security and stability issues brought
a small regression in session activeness detection. This update reverts the small
part responsible for the regression.


-----------------------------------------
Patch: SUSE-2016-157
Released: Tue Jan 26 13:19:19 2016
Summary: Recommended update for ruby-common
Severity: moderate
References: 934328,953771
Description:
This update for ruby-common provides several fixes and enhancements:

- Help the solver to pick the right gem2rpm for the default Ruby version. (bsc#934328)
- Fix premature return from from gem install.
- Fail early if gem install fails, avoiding confusing error messages at the end of the build.
- Implement cleaner solution for the extensions doc dir.
- Do not overwrite options.otheropts.
- Fixed forwarding of options to gem install.
- Call ruby with -x from shell wrappers otherwise it might run into an endless loop.
- Add shell-launcher to avoid dependency on a fixed Ruby version.
- Ignore any files found in */.gem/*. In some versions of rubygems, gems that are installed
  are also copied to ~/.gem/.


-----------------------------------------
Patch: SUSE-2016-199
Released: Thu Feb  4 15:48:09 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss
Severity: important
References: 954447,963520,963632,963635,963731,964332,CVE-2016-1930,CVE-2016-1935,CVE-2016-1938
Description:

This update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss fixes the following issues: (bsc#963520)

Mozilla Firefox was updated to 38.6.0 ESR.
Mozilla NSS was updated to 3.20.2.

The following vulnerabilities were fixed:

- CVE-2016-1930: Memory safety bugs fixed in Firefox ESR 38.6 (bsc#963632)
- CVE-2016-1935: Buffer overflow in WebGL after out of memory allocation (bsc#963635)
- CVE-2016-1938: Calculations with mp_div and mp_exptmod in Network Security Services (NSS) canproduce wrong results (bsc#963731)

The following improvements were added:

- bsc#954447: Mozilla NSS now supports a number of new DHE ciphersuites
- Tracking protection is now enabled by default
- bsc#964332: Fixed leaking file descriptors inside FIPS selfcheck code


-----------------------------------------
Patch: SUSE-2016-207
Released: Thu Feb  4 18:05:06 2016
Summary: Optional update for libXaw7, libXaw3d8
Severity: low
References: 963687
Description:

This update provides 32bit builds of libXaw7 and libXaw3d8 for SUSE Linux Enterprise
Server 12 and 12-SP1.


-----------------------------------------
Patch: SUSE-2016-237
Released: Wed Feb 10 10:09:18 2016
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 960402,963937,CVE-2015-5041,CVE-2015-7575,CVE-2015-7981,CVE-2015-8126,CVE-2015-8472,CVE-2015-8540,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Description:

This update for java-1_7_1-ibm fixes the following issues by updating to 7.1-3.30 (bsc#963937):


- CVE-2015-5041: Could could have invoked non-public interface methods under certain circumstances
- CVE-2015-7575: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle techniques to impersonate a TLS server and obtain credentials
- CVE-2015-7981: libpng could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the png_convert_to_rfc1123 function. An attacker could exploit this vulnerability to obtain sensitive information
- CVE-2015-8126: buffer overflow in libpng caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions
- CVE-2015-8472: buffer overflow in libpng caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions
- CVE-2015-8540: libpng is vulnerable to a buffer overflow, caused by a read underflow in png_check_keyword in pngwutil.c. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
- CVE-2016-0402: An unspecified vulnerability related to the Networking component has no confidentiality impact, partial integrity impact, and no availability impact
- CVE-2016-0448: An unspecified vulnerability related to the JMX component could allow a remote attacker to obtain sensitive information
- CVE-2016-0466: An unspecified vulnerability related to the JAXP component could allow a remote attacker to cause a denial of service
- CVE-2016-0483: An unspecified vulnerability related to the AWT component has complete confidentiality impact, complete integrity impact, and complete availability impact
- CVE-2016-0494: An unspecified vulnerability related to the 2D component has complete confidentiality impact, complete integrity impact, and complete availability impact

The following bugs were fixed:

- bsc#960402: resolve package conflicts in devel package


-----------------------------------------
Patch: SUSE-2016-252
Released: Fri Feb 12 14:58:06 2016
Summary: Recommended update for timezone
Severity: low
References: 963921
Description:

This update provides the latest timezone information (2016a) for your
system, including the following changes:

- America/Cayman will not observe daylight saving this year.
- Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
- Asia/Tehran now has DST predictions for the year 2038 and later.
- America/Metlakatla switched from PST all year to AKST/AKDT on
  2015-11-01 at 02:00.
- America/Santa_Isabel has been removed, and replaced with a
  backward compatibility link to America/Tijuana.
- Asia/Karachi's two transition times in 2002 were off by a minute.

This release also includes changes affecting past time stamps, documentation
and some minor code fixes. For a comprehensive list, refer to the release
announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-January/023106.html


-----------------------------------------
Patch: SUSE-2016-259
Released: Mon Feb 15 14:25:02 2016
Summary: Security update for libnettle
Severity: moderate
References: 964845,964847,964849,CVE-2015-8803,CVE-2015-8804,CVE-2015-8805
Description:
This update for libnettle fixes the following security issues: 

- CVE-2015-8803: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964845)
- CVE-2015-8804: Fixed carry folding bug in x86_64 ecc_384_modp. (bsc#964847)
- CVE-2015-8805: Fixed miscomputation bugs in secp-256r1 modulo functions. (bsc#964849)


-----------------------------------------
Patch: SUSE-2016-291
Released: Fri Feb 19 19:31:54 2016
Summary: Recommended update for openslp
Severity: low
References: 950777
Description:

This update for OpenSLP adjusts slpd's initialization to use SystemD's forking
mechanism, avoiding stale PID files after the daemon is stopped.


-----------------------------------------
Patch: SUSE-2016-294
Released: Mon Feb 22 14:36:09 2016
Summary: Security update for dhcp
Severity: moderate
References: 880984,936923,956159,960506,961305,CVE-2015-8605
Description:

This update for dhcp fixes the following issues:

- CVE-2015-8605: A remote attacker could have used badly formed packets with an invalid IPv4 UDP length field to cause a DHCP server, client, or relay program to terminate abnormally (bsc#961305)

The following bugs were fixed:

- bsc#936923: Improper lease duration checking
- bsc#880984: Integer overflows in the date and time handling code
- bsc#956159: fixed service files to start dhcpd after slapd
- bsc#960506: Improve exit reason and logging when /sbin/dhclient-script is unable to pre-init requested interface


-----------------------------------------
Patch: SUSE-2016-302
Released: Tue Feb 23 13:56:57 2016
Summary: Recommended update for google-cloud-sdk
Severity: moderate
References: 954690
Description:

The Google Cloud SDK has been updated to version 0.9.87, bringing several fixes,
enhancements and new features. A comprehensive list of changes is available in
the package's change log.

The Python Client for Google APIs has been updated to version 1.4.2. This update
removes the embedded oauth2client, which is now delivered as a separate package
'python-oauth2client'.

Some runtime dependencies required by these updates have been added to the Public
Cloud Module 12:

  python-antlr3_runtime, python-enum34, python-keyring, python-oauth2,
  python-oauth2client, python-oauth2client-gce, python-portpicker.


-----------------------------------------
Patch: SUSE-2016-314
Released: Wed Feb 24 13:04:32 2016
Summary: Recommended update for python-ec2utilsbase
Severity: low
References: 966958
Description:

This update provides fixes and enhancements for Amazon's EC2 utilities.

python-ec2deprecateimg and python-ec2publishimg:

- Do not show traceback when no account is provided on command line.
- Update for compatibility with new base implementation of get_from_config().

python-ec2publishimg (update to version 0.1.1):

- Do not show traceback when no account is provided on command line.
- Update for compatibility with new base implementation of get_from_config().

python-ec2uploadimg (update to version 0.7.2):

- Add error condition if uniqueness requirement is not met on command line.
- Update for compatibility with new base implementation of get_from_config().

python-ec2utilsbase (update to version 1.0.0):

- Add new required argument to get_from_config().


-----------------------------------------
Patch: SUSE-2016-324
Released: Thu Feb 25 15:52:58 2016
Summary: Initial release of supportutils-plugin-suse-public-cloud
Severity: low
References: 963690
Description:

This patch adds supportutils-plugin-suse-public-cloud to the Public Cloud 12 Module.

This plug-in extends supportconfig functionality to collect information specific
to systems running on Public Cloud environments.


-----------------------------------------
Patch: SUSE-2016-367
Released: Thu Mar  3 12:02:37 2016
Summary: Security update for openssl
Severity: important
References: 952871,963415,968046,968048,968051,968053,968374,CVE-2015-3197,CVE-2016-0702,CVE-2016-0703,CVE-2016-0704,CVE-2016-0797,CVE-2016-0799,CVE-2016-0800
Description:

This update for compat-openssl098 fixes various security issues and bugs: 

Security issues fixed:
- CVE-2016-0800 aka the 'DROWN' attack (bsc#968046):
  OpenSSL was vulnerable to a cross-protocol attack that could lead to
  decryption of TLS sessions by using a server supporting SSLv2 and
  EXPORT cipher suites as a Bleichenbacher RSA padding oracle.

  This update changes the openssl library to:

  * Disable SSLv2 protocol support by default.

    This can be overridden by setting the environment variable
    'OPENSSL_ALLOW_SSL2' or by using SSL_CTX_clear_options using the
    SSL_OP_NO_SSLv2 flag.

    Note that various services and clients had already disabled SSL
    protocol 2 by default previously.

  * Disable all weak EXPORT ciphers by default. These can be reenabled
    if required by old legacy software using the environment variable
    'OPENSSL_ALLOW_EXPORT'.

- CVE-2016-0797 (bnc#968048):
  The BN_hex2bn() and BN_dec2bn() functions had a bug that could result
  in an attempt to de-reference a NULL pointer leading to crashes.
  This could have security consequences if these functions were ever
  called by user applications with large untrusted hex/decimal data. Also,
  internal usage of these functions in OpenSSL uses data from config files
  or application command line arguments. If user developed applications
  generated config file data based on untrusted data, then this could
  have had security consequences as well.

- CVE-2016-0799 (bnc#968374)
  On many 64 bit systems, the internal fmtstr() and doapr_outch()
  functions could miscalculate the length of a string and attempt to
  access out-of-bounds memory locations. These problems could have
  enabled attacks where large amounts of untrusted data is passed to
  the BIO_*printf functions. If applications use these functions in
  this way then they could have been vulnerable. OpenSSL itself uses
  these functions when printing out human-readable dumps of ASN.1
  data. Therefore applications that print this data could have been
  vulnerable if the data is from untrusted sources. OpenSSL command line
  applications could also have been vulnerable when they print out ASN.1
  data, or if untrusted data is passed as command line arguments. Libssl
  is not considered directly vulnerable.

- CVE-2015-3197 (bsc#963415):
  The SSLv2 protocol did not block disabled ciphers.

Note that the March 1st 2016 release also references following CVEs
that were fixed by us with CVE-2015-0293 in 2015:

- CVE-2016-0703 (bsc#968051): This issue only affected versions of
  OpenSSL prior to March 19th 2015 at which time the code was refactored
  to address vulnerability CVE-2015-0293. It would have made the above
  'DROWN' attack much easier.
- CVE-2016-0704 (bsc#968053): 'Bleichenbacher oracle in SSLv2'
  This issue only affected versions of OpenSSL prior to March 19th
  2015 at which time the code was refactored to address vulnerability
  CVE-2015-0293. It would have made the above 'DROWN' attack much easier.

Also fixes the following bug:
- Avoid running OPENSSL_config twice. This avoids breaking
  engine loading and also fixes a memory leak in libssl. (bsc#952871)


-----------------------------------------
Patch: SUSE-2016-371
Released: Thu Mar  3 15:58:18 2016
Summary: Recommended update for insserv-compat
Severity: low
References: 960820
Description:

This update for insserv-compat fixes the name of the ntpd service.


-----------------------------------------
Patch: SUSE-2016-374
Released: Fri Mar  4 15:56:02 2016
Summary: Recommended update for Qt5
Severity: moderate
References: 955381,964864
Description:

The Qt5 library was updated to version 5.5.1.

The base libraries shipped within SUSE Linux Enterprise Desktop and Server 12 SP1
received several bug fixes, performance enhancements and new features.

The complete set of Qt5 libraries is shipped within SUSE Linux Enterprise Software
Development Kit 12 SP1. There, the following new libraries have been added:
3DCollision, 3DCore, 3DInput, 3DLogic, 3DQuick, 3DQuickRenderer, 3DRenderer,
Bluetooth, Nfc and WebChannel.

Qt 5.5.x also introduces new runtime dependencies: libinput10, libprotobuf9 and
libsrtp1.

For a comprehensive overview of new features available in the updated Qt5, please
refer to the upstream release notes:

  http://blog.qt.io/blog/2015/07/01/qt-5-5-released/
  http://blog.qt.io/blog/2015/10/15/qt-5-5-1-released/


-----------------------------------------
Patch: SUSE-2016-413
Released: Fri Mar 11 10:17:57 2016
Summary: Security update for libssh2_org
Severity: moderate
References: 933336,961964,967026,CVE-2016-0787
Description:

This update for libssh2_org fixes the following issues: 

Security issue fixed:
- CVE-2016-0787 (bsc#967026):
  Weakness in diffie-hellman secret key generation lead to much shorter DH groups
  then needed, which could be used to retrieve server keys.

A feature was added:
- Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

Bug fixed:
- Properly detect EVP_aes_128_ctr at configure time (bsc#933336)


-----------------------------------------
Patch: SUSE-2016-419
Released: Fri Mar 11 16:25:09 2016
Summary: Security update for MozillaFirefox, mozilla-nspr, mozilla-nss
Severity: important
References: 969894,CVE-2016-1950,CVE-2016-1952,CVE-2016-1953,CVE-2016-1954,CVE-2016-1957,CVE-2016-1958,CVE-2016-1960,CVE-2016-1961,CVE-2016-1962,CVE-2016-1964,CVE-2016-1965,CVE-2016-1966,CVE-2016-1974,CVE-2016-1977,CVE-2016-1978,CVE-2016-1979,CVE-2016-2790,CVE-2016-2791,CVE-2016-2792,CVE-2016-2793,CVE-2016-2794,CVE-2016-2795,CVE-2016-2796,CVE-2016-2797,CVE-2016-2798,CVE-2016-2799,CVE-2016-2800,CVE-2016-2801,CVE-2016-2802
Description:

This update for MozillaFirefox, mozilla-nspr, mozilla-nss fixes the following issues:

Mozilla Firefox was updated to 38.7.0 ESR (bsc#969894), fixing
following security issues:
* MFSA 2016-16/CVE-2016-1952/CVE-2016-1953
  Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
* MFSA 2016-17/CVE-2016-1954
  Local file overwriting and potential privilege escalation
  through CSP reports
* MFSA 2016-20/CVE-2016-1957
  Memory leak in libstagefright when deleting an array during
  MP4 processing
* MFSA 2016-21/CVE-2016-1958
  Displayed page address can be overridden
* MFSA 2016-23/CVE-2016-1960
  Use-after-free in HTML5 string parser
* MFSA 2016-24/CVE-2016-1961
  Use-after-free in SetBody
* MFSA 2016-25/CVE-2016-1962
  Use-after-free when using multiple WebRTC data channels
* MFSA 2016-27/CVE-2016-1964
  Use-after-free during XML transformations
* MFSA 2016-28/CVE-2016-1965
  Addressbar spoofing though history navigation and Location
  protocol property
* MFSA 2016-31/CVE-2016-1966
  Memory corruption with malicious NPAPI plugin
* MFSA 2016-34/CVE-2016-1974
  Out-of-bounds read in HTML parser following a failed
  allocation
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-37/CVE-2016-1977/CVE-2016-2790/CVE-2016-2791/
  CVE-2016-2792/CVE-2016-2793/CVE-2016-2794/CVE-2016-2795/
  CVE-2016-2796/CVE-2016-2797/CVE-2016-2798/CVE-2016-2799/
  CVE-2016-2800/CVE-2016-2801/CVE-2016-2802
  Font vulnerabilities in the Graphite 2 library

Mozilla NSPR was updated to version 4.12 (bsc#969894), fixing following bugs:
* added a PR_GetEnvSecure function, which attempts to detect if
  the program is being executed with elevated privileges, and
  returns NULL if detected. It is recommended to use this function
  in general purpose library code.
* fixed a memory allocation bug related to the PR_*printf functions
* exported API PR_DuplicateEnvironment, which had already been
  added in NSPR 4.10.9
* added support for FreeBSD aarch64
* several minor correctness and compatibility fixes

Mozilla NSS was updated to fix security issues (bsc#969894):
* MFSA 2016-15/CVE-2016-1978
  Use-after-free in NSS during SSL connections in low memory
* MFSA 2016-35/CVE-2016-1950
  Buffer overflow during ASN.1 decoding in NSS
* MFSA 2016-36/CVE-2016-1979
  Use-after-free during processing of DER encoded keys in NSS


-----------------------------------------
Patch: SUSE-2016-456
Released: Tue Mar 15 18:01:12 2016
Summary: Security update for graphite2
Severity: important
References: 965803,965807,965810,CVE-2016-1521,CVE-2016-1523,CVE-2016-1526
Description:

This update for graphite2 fixes the following issues:

- CVE-2016-1521: The directrun function in directmachine.cpp in
  Libgraphite did not validate a certain skip operation, which allowed
  remote attackers to execute arbitrary code, obtain sensitive information,
  or cause a denial of service (out-of-bounds read and application crash)
  via a crafted Graphite smart font.

- CVE-2016-1523: The SillMap::readFace function in FeatureMap.cpp in
  Libgraphite mishandled a return value, which allowed remote attackers
  to cause a denial of service (missing initialization, NULL pointer
  dereference, and application crash) via a crafted Graphite smart font.

- CVE-2016-1526: The TtfUtil:LocaLookup function in TtfUtil.cpp in
  Libgraphite incorrectly validated a size value, which allowed remote
  attackers to obtain sensitive information or cause a denial of service
  (out-of-bounds read and application crash) via a crafted Graphite
  smart font.


-----------------------------------------
Patch: SUSE-2016-462
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Severity: low
References: 967838
Description:

This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND)
which are available in Linux Kernel 3.12.


-----------------------------------------
Patch: SUSE-2016-479
Released: Fri Mar 18 15:35:18 2016
Summary: Recommended update for supportutils
Severity: low
References: 951218,958403,959252,961318,965682
Description:

This update for supportutils provides the following fixes:

- Capture the correct pacemaker logs. (bsc#958403)
- Fix name space errors. (bsc#961318)
- Change rpm to check with NCP server. (bsc#965682)
- Collect more data about Docker containers in docker.txt.
- Added OPTION_HAPROXY for haproxy.txt. (bsc#959252)
- Fixed mount option. (bsc#951218)


-----------------------------------------
Patch: SUSE-2016-490
Released: Mon Mar 21 16:45:13 2016
Summary: Recommended update for timezone
Severity: low
References: 971377
Description:

This update provides the latest timezone information (2016b) for your system, including
the following changes:

- New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts,
  Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time.
- New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch
  from +06 to +07 on the same date and local time.
- Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00.
- As a trial of a new system that needs less information to be made up, the new zones
  use numeric time zone abbreviations like '+04' instead of invented abbreviations
  like 'ASTT'.
- Haiti will not observe DST in 2016.
- Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
- tzselect's diagnostics and checking, and checktab.awk's checking, have been improved.
- tzselect now tests Julian-date TZ settings more accurately.


-----------------------------------------
Patch: SUSE-2016-510
Released: Thu Mar 24 15:40:28 2016
Summary: Recommended update for timezone
Severity: low
References: 972433
Description:

This update provides the latest timezone information (2016c) for your
system, including the following changes:

- Azerbaijan no longer observes DST (Asia/Baku)
- Chile reverts from permanent to seasonal DST

This release also includes changes affecting past time stamps and documentation.
For a comprehensive list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html


-----------------------------------------
Patch: SUSE-2016-526
Released: Wed Mar 30 17:07:30 2016
Summary: Recommended update for sysstat
Severity: moderate
References: 970770
Description:

This update for sysstat fixes the following issues:

- Don't send signal to pid 1 in signal handler (bsc#970770)


-----------------------------------------
Patch: SUSE-2016-543
Released: Fri Apr  1 18:44:16 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 970882
Description:

This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)


-----------------------------------------
Patch: SUSE-2016-565
Released: Wed Apr  6 16:26:42 2016
Summary: Security update for gcc5
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:

The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes
and enhancements.

The following security issue has been fixed:

- Fix C++11 std::random_device short read issue that could lead to predictable
  randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:

- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal
  compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of
  Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual
  methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.


-----------------------------------------
Patch: SUSE-2016-575
Released: Thu Apr  7 15:45:32 2016
Summary: Recommended update for at
Severity: low
References: 945124
Description:

This update for 'at' provides the following fixes:

- Don't loop on corrupted files and prevent their creation. (bsc#945124)


-----------------------------------------
Patch: SUSE-2016-587
Released: Fri Apr  8 17:06:56 2016
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 973042
Description:

The root SSL certificate store ca-certificates-mozilla was updated
to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书

- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2

- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3

- Enable server trust for:
  * Actalis Authentication Root CA


-----------------------------------------
Patch: SUSE-2016-636
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
  

-----------------------------------------
Patch: SUSE-2016-643
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Severity: low
References: 970260
Description:

This update for bzip2 fixes the following issues:

- Fix bzgrep wrapper that always returns 0 as exit code when working on multiple
  archives, even when the pattern is not found.


-----------------------------------------
Patch: SUSE-2016-652
Released: Wed Apr 20 10:34:05 2016
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 956981,970550,970989,974864,975093
Description:

This update for SUSE Manager Client Tools provides the following new features:

- Integrate SaltStack for configuration management. (fate#312447)
- Replace upstream subscription counting with new subscription matching. (fate#311619)

This update fixes the following issues:

osad:

- Fix file permissions. (bsc#970550)
- Add possibility for OSAD to work in failover mode.

rhn-custom-info:

- Version update.

rhn-virtualization:

- Version update.

rhncfg:

- Fix file permissions. (bsc#970550)
- Fix removal of temporary files during transaction rollback for rhncfg-manager.
- Fix removal of directories which rhncfg-manager didn't create.
- Remove temporary files when exception occurs.
- Make rhncfg support sha256 and use it by default.
- Fix for assigning all groups user belongs to running process.
- Show server modified time with rhncfg-client diff.

rhnlib:

- Use TLSv1_METHOD in SSL Context. (bsc#970989)

rhnpush:

- Don't count on having newest rhn-client-tools.
- Allow to use existing rpcServer when creating RhnServer.
- Wire in timeout for rhnpush.

spacecmd:

- Text description missing for remote command by Spacecmd.
- Added functions to add/edit SSL certificates for repositories.
- Mimetype detection to set the binary flag requires 'file' tool.
- Always base64 encode to avoid trim() bugs in the XML-RPC library.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-backend:

- Version update.

spacewalk-client-tools:

- Convert dbus.Int32 to int to fix a TypeError during registration. (bsc#974864)
- Fix client registration for network interfaces with labels. (bsc#956981)
- Show a descriptive message on reboot.
- Replace upstream subscription counting with new subscription matching. (fate#311619)

spacewalk-koan:

- Fix file permissions. (bsc#970550)
- Switch to KVM if possible.

spacewalk-oscap:

- Still require openscap-utils on RHEL5.

spacewalk-remote-utils:

- Add RHEL 7.2 channel definitions.
- Update RHEL 6.7 and 7.1 channel definitions.
- Use hostname instead of localhost for https connections.
- Spacewalk-create-channel added -o option to clone channel to current state.

spacewalksd:

- Delete file with input files after template is created.

suseRegisterInfo:

- Fix file permissions. (bsc#970550)


-----------------------------------------
Patch: SUSE-2016-661
Released: Fri Apr 22 15:18:03 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 973803
Description:

This update for supportutils fixes the following issue:

- Removed 11 digit SR limit (bsc#973803)


-----------------------------------------
Patch: SUSE-2016-663
Released: Fri Apr 22 15:33:50 2016
Summary: Recommended update for timezone
Severity: low
References: 975875
Description:

This update provides the latest timezone information (2016d) for your
system, including the following changes:

- Venezuela (America/Caracas) switches from -0430 to -04 on 2016-05-01 at 02:30.
- Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
- New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast,
  Russia, which switches from +06 to +07 on 2016-05-29 at 02:00.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz/2016-April/023563.html


-----------------------------------------
Patch: SUSE-2016-677
Released: Tue Apr 26 08:17:51 2016
Summary: Recommended update for python-paramiko, python-ecdsa
Severity: moderate
References: 962291
Description:

The Python Paramiko module was updated to version 1.15.2, which brings several
fixes and enhancements.

The ECDSA module was updated to version 0.13 to fulfill requirements of the
newer Paramiko.

For a comprehensive list of changes please refer to the detailed change log
at http://paramiko-www.readthedocs.org/en/latest/changelog.html


-----------------------------------------
Patch: SUSE-2016-687
Released: Wed Apr 27 14:58:32 2016
Summary: Recommended update for python-ec2utilsbase
Severity: low
References: 972845,973107
Description:

This update provides fixes and enhancements for Amazon's EC2 utilities.

python-ec2uploadimg (update to version 1.1.0):

- Allow the specification of security groups to use for the helper instance.
- Support the use of the private IP of the helper instance for image uploading.
- Add command line option to launch the helper instance into a specific VPC.
- Add consistency check: When using root swap, the image used to launch the helper
  instance must be of the same virtualization type as the target image.
- Convert to use boto3. This introduces some incompatible changes:
  - Remove --timeout command line option.
  - Add --ssh-timeout command line option.
  - Add --wait-count command line option.

python-ec2publishimg (update to version 1.1.0):

- New command line option --allow-copy that shares the underlying snapshot with the
  target account to allow copying of the image. (bsc#973107)
- Convert to boto3.

python-ec2utilsbase (update to version 2.0.1):

- Convert to boto3. This introduces some incompatible changes:
  - Function get_regions() has new required arguments.
  - Return data structures changed due to switch to boto3.

python-ec2deprecateimg (update to version 3.0.0):

- Convert to boto3.


-----------------------------------------
Patch: SUSE-2016-689
Released: Wed Apr 27 20:08:42 2016
Summary: Recommended update for ruby2.1
Severity: low
References: 973073
Description:

This update for ruby2.1 brings performance improvements of Ruby on the IBM POWER platform.


-----------------------------------------
Patch: SUSE-2016-694
Released: Thu Apr 28 15:45:16 2016
Summary: Security update for ntp
Severity: important
References: 782060,916617,937837,951559,951629,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981,CVE-2015-5300,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Description:
ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837)

These security issues were fixed:
- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).
- CVE-2015-7975: nextvar() missing length check (bsc#962988).
- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).
- CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
- CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).

These non-security issues were fixed:
- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
  (--enable-ntp-signd).  This replaces the w32 patches in 4.2.4 that added
  the authreg directive.
- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd.
  When run as cron job, /usr/sbin/ is not in the path, which caused
  the synchronization to fail.
- bsc#782060: Speedup ntpq.
- bsc#916617: Add /var/db/ntp-kod.
- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.
- bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
- Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.


-----------------------------------------
Patch: SUSE-2016-697
Released: Thu Apr 28 16:03:24 2016
Summary: Recommended update for libssh2_org
Severity: important
References: 974691
Description:

This update for libssh2_org fixes a regression introduced by a previous update
which could result in a segmentation fault in EVP_DigestInit_Ex().


-----------------------------------------
Patch: SUSE-2016-589
Released: Mon May  2 15:01:37 2016
Summary: Security update for python-tornado
Severity: moderate
References: 930361,930362,974657,CVE-2014-9720
Description:

The python-tornado module was updated to version 4.2.1, which brings several fixes,
enhancements and new features.

The following security issues have been fixed:

- A path traversal vulnerability in StaticFileHandler, in which files whose names
  started with the static_path directory but were not actually in that directory
  could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it
  safe to include in compressed pages without being vulnerable to the BREACH attack.
  This applies to most applications that use both the xsrf_cookies and gzip options
  (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be
  more secure. (bsc#930361)

The following enhancements have been implemented:

- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context
  where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and
  FriendFeedMixin have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the 'permessage-deflate'
  extension.
- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.

For a comprehensive list of changes, please refer to the release notes:

- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html


-----------------------------------------
Patch: SUSE-2016-729
Released: Fri May  6 15:53:38 2016
Summary: Recommended update for pciutils-ids
Severity: low
References: 958712
Description:

The system's PCI IDs database has been updated to version 2016.04.04.


-----------------------------------------
Patch: SUSE-2016-735
Released: Mon May  9 08:50:13 2016
Summary: Security update for compat-openssl098
Severity: important
References: 889013,968050,976942,976943,977614,977615,977617,CVE-2016-0702,CVE-2016-2105,CVE-2016-2106,CVE-2016-2108,CVE-2016-2109
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2016-2108: Memory corruption in the ASN.1 encoder (bsc#977617)
- CVE-2016-2105: EVP_EncodeUpdate overflow (bsc#977614)
- CVE-2016-2106: EVP_EncryptUpdate overflow (bsc#977615)
- CVE-2016-2109: ASN.1 BIO excessive memory allocation (bsc#976942)
- CVE-2016-0702: Side channel attack on modular exponentiation 'CacheBleed' (bsc#968050)
- bsc#976943: Buffer overrun in ASN1_parse

The following non-security bugs were fixed:

- bsc#889013: Rename README.SuSE to the new spelling (bsc#889013)


-----------------------------------------
Patch: SUSE-2016-764
Released: Thu May 12 16:58:18 2016
Summary: Security update for ntp
Severity: important
References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464,CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
Description:

This update for ntp to 4.2.8p7 fixes the following issues:

* CVE-2016-1547, bsc#977459:
  Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
* CVE-2016-1548, bsc#977461: Interleave-pivot
* CVE-2016-1549, bsc#977451:
  Sybil vulnerability: ephemeral association attack.
* CVE-2016-1550, bsc#977464: Improve NTP security against buffer
  comparison timing attacks.
* CVE-2016-1551, bsc#977450:
  Refclock impersonation vulnerability
* CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig
  directives will cause an assertion botch in ntpd.
* CVE-2016-2517, bsc#977455: remote configuration trustedkey/
  requestkey/controlkey values are not properly validated.
* CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7
  causes array wraparound with MATCH_ASSOC.
* CVE-2016-2519, bsc#977458: ctl_getitem() return value not
  always checked.
* This update also improves the fixes for:
  CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

Bugs fixed:
- Restrict the parser in the startup script to the first
  occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226).


-----------------------------------------
Patch: SUSE-2016-766
Released: Fri May 13 12:21:31 2016
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 977646,977648,977650,979252,CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Description:

This IBM Java 1.7.1 SR3 FP40 release fixes the following issues: 

Security issues fixed:
- CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
- CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
- CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
- The following CVEs got also fixed during this update. (bsc#979252)
  CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426


-----------------------------------------
Patch: SUSE-2016-770
Released: Fri May 13 17:08:23 2016
Summary: Initial release of SUSE Connect Program
Severity: low
References: 978846
Description:

This update provides a YaST2 module to assist system administrators with the installation
of third-party partner products for SUSE Enterprise Linux for SAP Applications 12 SP1.

Two new packages have been added to the product: yast2-sap-scp and yast2-sap-scp-prodlist.


-----------------------------------------
Patch: SUSE-2016-797
Released: Thu May 19 13:26:11 2016
Summary: Recommended update for python-futures
Severity: low
References: 974993
Description:

This update for python-futures provides version 3.0.2 required from python-s3transfer (fate#320748) and fixes the following issues:

- Made multiprocessing optional again on implementations other than just Jython
- Made Executor.map() non-greedy
- Dropped Python 2.5 and 3.1 support
- Removed the deprecated 'futures' top level package
- Remove CFLAGS: this is a python only module
- Remove futures from package files: not provided anymore
- Added the set_exception_info() and exception_info() methods to Future to enable extraction of tracebacks on Python 2.x
- Added support for Future.set_exception_info() to ThreadPoolExecutor

-----------------------------------------
Patch: SUSE-2016-812
Released: Mon May 23 14:36:18 2016
Summary: Recommended update for tcpdump
Severity: low
References: 944294
Description:

This update for tcpdump removes a duplicated binary (/usr/sbin/tcpdump.4.5.1) from the package.


-----------------------------------------
Patch: SUSE-2016-835
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 979629
Description:

This update for libgcrypt fixes the following issue:

- Fix failing reboot after installing fips pattern (bsc#979629) 


-----------------------------------------
Patch: SUSE-2016-880
Released: Thu Jun  2 19:57:59 2016
Summary: Recommended update for supportutils
Severity: low
References: 976358
Description:

This update for supportutils provides the following fixes:

- Added new SLE12 SP2 kernel taint flags. (bsc#976358)
- Fixed NFS service detection.


-----------------------------------------
Patch: SUSE-2016-890
Released: Mon Jun  6 08:33:13 2016
Summary: Recommended update for mailx
Severity: low
References: 974561
Description:

This update for mailx fixes the following issues:

- Correct parenthese expansion to fulfill natural order (bsc#974561)


-----------------------------------------
Patch: SUSE-2016-897
Released: Tue Jun  7 09:46:29 2016
Summary: Security update for supportutils
Severity: moderate
References: 980670,CVE-2016-1602
Description:
supportutils was updated to fix one security issue.

This security issue was fixed:
- CVE-2016-1602: Code injection and privilege escalation via unescaped filenames (bsc#980670).
  

-----------------------------------------
Patch: SUSE-2016-898
Released: Tue Jun  7 09:48:12 2016
Summary: Security update for expat
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:

This update for expat fixes the following issues: 

Security issue fixed:
- CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)


-----------------------------------------
Patch: SUSE-2016-900
Released: Tue Jun  7 10:58:37 2016
Summary: Security update for libksba
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:

This update for libksba fixes the following issues:

- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adding reliability fixes from v1.3.4.



-----------------------------------------
Patch: SUSE-2016-930
Released: Mon Jun 13 14:31:22 2016
Summary: Security update for ntp
Severity: important
References: 979302,979981,981422,982056,982064,982065,982066,982067,982068,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Description:
ntp was updated to version 4.2.8p8 to fix five security issues.

These security issues were fixed:
- CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065).
- CVE-2016-4954: Processing spoofed server packets (bsc#982066).
- CVE-2016-4955: Autokey association reset (bsc#982067).
- CVE-2016-4956: Broadcast interleave (bsc#982068).
- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

These non-security issues were fixed:
- Keep the parent process alive until the daemon has finished initialisation, to make sure that the PID file exists when the parent returns.
- bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.
- bsc#981422: Don't ignore SIGCHILD because it breaks wait().
- bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service.
- Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by 'rcntp addserver'.


-----------------------------------------
Patch: SUSE-2016-941
Released: Wed Jun 15 14:26:35 2016
Summary: Recommended update for gcc48
Severity: moderate
References: 955382,970009,976627,977654
Description:

This update for gcc48 fixes the following issues:

- Fix internal compiler error specific to the ppc64le architecture. (bsc#976627)
- Fix issue with using gcov and #pragma pack. (bsc#977654)
- Fix internal compiler error when building samba on aarch64. (bsc#970009)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Build without GRAPHITE where cloog-isl is not available.


-----------------------------------------
Patch: SUSE-2016-946
Released: Thu Jun 16 14:36:26 2016
Summary: Recommended update for man-pages
Severity: low
References: 967488
Description:

This update for man-pages fixes the following issues:

- Document in open(2) that O_TMPFILE support was added to btrfs only in kernel 3.16
  and hence is not yet available on SUSE Linux Enterprise 12-SP1. (bsc#967488)


-----------------------------------------
Patch: SUSE-2016-962
Released: Fri Jun 17 15:50:39 2016
Summary: Recommended update for perl-Net-SSLeay
Severity: low
References: 982234
Description:

This update for perl-Net-SSLeay removes a test which is executed at build time
and is now obsolete with newer (1.0.1n+) versions of OpenSSL.


-----------------------------------------
Patch: SUSE-2016-967
Released: Mon Jun 20 12:05:16 2016
Summary: Recommended update for timezone
Severity: low
References: 982833
Description:

This update provides the latest timezone information (2016e) for your
system, including the following changes:

- Africa/Cairo observes DST in 2016 from July 7 to the end of October.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html


-----------------------------------------
Patch: SUSE-2016-984
Released: Wed Jun 22 11:11:35 2016
Summary: Recommended update for SUSE Manager Server, Proxy and Client Tools
Severity: moderate
References: 964932,969320,971372,973418,975303,975306,975733,975757,976148,976826,977264,978833,979313,979676,980313
Description:

This update fixes the following issues for the SUSE Manager Server 3.0 and Client Tools:

zypp-plugin-spacewalk:

- Fix failover for multiple URLs per repo. (bsc#964932)

The following issues for SUSE Manager Proxy 3.0 and Client Tools have been fixed:

cobbler:

- Remove grubby-compat because perl-Bootloader gets dropped.
- Disabling 'get-loaders' command and 'check' fixed. (bsc#973418)
- Add logrotate file for cobbler. (bsc#976826)

Additionally the following issues for the SUSE Linux Enterprise 12 Clienttools have been fixed:

salt:

- Remove option -f from startproc. (bsc#975733)
- Changed Zypper's plugin. Added Unit test and related to that 
  data. (bsc#980313)
- Zypper plugin: alter the generated event name on package set
  change.
- Fix file ownership on master keys and cache directories during upgrade.
  (handles upgrading from salt 2014, where the daemon ran as root, to 2015
  where it runs as the salt user, bsc#979676)
- Salt-proxy .service file created. (bsc#975306)
- Prevent salt-proxy test.ping crash. (bsc#975303)
- Fix shared directories ownership issues.
- Add Zypper plugin to generate an event,
  once Zypper is used outside the Salt infrastructure
  demand. (bsc#971372)
- Restore boolean values from the repo configuration
- Fix priority attribute (bsc#978833)
- Unblock-Zypper. (bsc#976148)
- Modify-environment. (bsc#971372)
- Prevent crash if pygit2 package is requesting re-compilation.
- Align OS grains from older SLES with current one. (bsc#975757)
- Bugfix: salt-key crashes if tries to generate keys 
  to the directory w/o write access. (bsc#969320)

spacecmd:

- Make spacecmd createRepo compatible with SUSE Manager 2.1 API.
  (bsc#977264)

spacewalk-backend:

- Better error message for system that is already registered as minion.
- Fix GPG bad signature detection and improve error messages. (bsc#979313)
- Send and save machine_id on traditional registration.
- Add machine info capability

spacewalk-client-tools:

- Send and save machine_id on traditional registration.
- Send machine info only if server has machine info capability.



-----------------------------------------
Patch: SUSE-2016-987
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Severity: low
References: 981616
Description:

This update for procps fixes the following issues:

- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)


-----------------------------------------
Patch: SUSE-2016-1003
Released: Mon Jun 27 17:01:45 2016
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr, mozilla-nss
Severity: important
References: 982366,983549,983638,983639,983643,983646,983651,983652,983653,983655,984006,984126,985659,CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2828,CVE-2016-2831,CVE-2016-2834
Description:
MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nss and mozilla-nspr were updated to fix nine security issues.

MozillaFirefox was updated to version 45.2.0 ESR. mozilla-nss was updated to version 3.21.1.

These security issues were fixed:
- CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).
- CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53) (bsc#983651).
- CVE-2016-2822: Addressbar spoofing though the SELECT element (MFSA 2016-52) (bsc#983652).
- CVE-2016-2821: Use-after-free deleting tables from a contenteditable document (MFSA 2016-51) (bsc#983653).
- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50) (bsc#983655).
- CVE-2016-2828: Use-after-free when textures are used in WebGL operations after recycle pool destruction (MFSA 2016-56) (bsc#983646).
- CVE-2016-2831: Entering fullscreen and persistent pointerlock without user permission (MFSA 2016-58) (bsc#983643).
- CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA 2016-49) (bsc#983638)
  
These non-security issues were fixed:
- bsc#982366: Unknown SSL protocol error in connections 
- Fix crashes on aarch64
  * Determine page size at runtime (bsc#984006)
  * Allow aarch64 to work in safe mode (bsc#985659)
- Fix crashes on mainframes

All extensions must now be signed by addons.mozilla.org. Please read README.SUSE for more details.


-----------------------------------------
Patch: SUSE-2016-1014
Released: Thu Jun 30 21:23:05 2016
Summary: Recommended update for haveged
Severity: moderate
References: 958562,959237
Description:

This update for haveged fixes the following issues:

- Remedy the potential for deadlocks when booting the system: journald reads from
  /dev/random, which receives entropy from haveged, which in turn logs to syslog
  before providing any. (bsc#959237)
- Remove 'After=systemd-random-seed.service' from systemd service file to avoid
  the potential for deadlocks when booting the system: systemd-random-seed needs
  /var to read its previous state; mounting /var needs journald; journald needs
  entropy; and entropy is provided by haveged, which needs systemd-random-seed.
  (bsc#959237)
- Add missing dependency on coreutils for initrd macros. (bsc#958562)


-----------------------------------------
Patch: SUSE-2016-1016
Released: Fri Jul  1 14:37:29 2016
Summary: Security update for LibreOffice
Severity: moderate
References: 718113,856729,939998,945443,945445,955832,965294,965296,967014,967015,977784,CVE-2016-0794,CVE-2016-0795
Description:

LibreOffice was updated to version 5.1.3.2, bringing many new features and bug fixes.

Two security issues have been fixed:

- CVE-2016-0795: LibreOffice allowed remote attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact via a crafted
  LwpTocSuperLayout record in a LotusWordPro (lwp) document.
- CVE-2016-0794: The lwp filter in LibreOffice allowed remote attackers to cause a
  denial of service (memory corruption) or possibly have unspecified other impact
  via a crafted LotusWordPro (lwp) document.

A comprehensive list of new features and improvements in this release is provided by
the Document Foundation at https://wiki.documentfoundation.org/ReleaseNotes/5.1 .


-----------------------------------------
Patch: SUSE-2016-1022
Released: Mon Jul  4 18:05:08 2016
Summary: Recommended update for cups
Severity: low
References: 968706
Description:

This update for cups fixes the following issues:

- Fix raw printing multiple files by adding the gziptoany filter. (bsc#968706)
- Avoid warnings in error_log of the form 'Unexpected 'document-name' operation
  attribute in a Create-Job request'.


-----------------------------------------
Patch: SUSE-2016-1026
Released: Wed Jul  6 17:20:17 2016
Summary: Recommended update for timezone
Severity: moderate
References: 987720
Description:

This update provides the latest timezone information (2016f) for your system, including the following changes:

- Egypt (Africa/Cairo) DST change 2016-07-07 cancelled (bsc#987720)
- Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 02:00
- Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones
- Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00 not 00:00



-----------------------------------------
Patch: SUSE-2016-1028
Released: Thu Jul  7 11:50:47 2016
Summary: Recommended update for findutils
Severity: moderate
References: 986935
Description:

This update for findutils fixes the following issues:

- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)


-----------------------------------------
Patch: SUSE-2016-1029
Released: Thu Jul  7 11:52:21 2016
Summary: Recommended update for w3m
Severity: moderate
References: 950468,950800
Description:

This update for w3m fixes the following issues:

- Segmentation fault when doing an https request to an unresolvable host. (bsc#950468)
- w3mman(1) displays invalid characters. (bsc#950800)


-----------------------------------------
Patch: SUSE-2016-1033
Released: Thu Jul  7 14:17:37 2016
Summary: Recommended update for python-ec2uploadimg
Severity: low
References: 981224
Description:

This update for python-ec2uploadimg fixes the following issues:

- Only pass relevant arguments to the registration API (bsc#981224)


-----------------------------------------
Patch: SUSE-2016-1036
Released: Fri Jul  8 11:38:35 2016
Summary: Recommended update for xinit
Severity: moderate
References: 921172,973559,981437
Description:

This update for xinit fixes the following issues:
 
- xinitrc.common: Run numbered scripts sequentially. All non-numbered scripts will still be run in background to avoid stalling on non-daemonizing 'services' (bsc#973559)
- xinitrc.common: Remove '$' from error message, increase timeout
- xinitrc.common: Don't expand $WINDOWMANAGER (bsc#981437, bsc#921172)
- xinitrc.common: Accept more WMs as fallbacks and make fallback errors more descriptive



-----------------------------------------
Patch: SUSE-2016-1048
Released: Wed Jul 13 12:26:15 2016
Summary: Security update for dhcp
Severity: moderate
References: 969820,972907,CVE-2016-2774
Description:

This update for dhcp fixes the following issues:

Security issue fixed:
- CVE-2016-2774: Fixed a denial of service attack against the DHCP server over the OMAPI TCP socket, which could be used
  by network adjacent attackers to make the DHCP server non-functional (bsc#969820).

Non security issues fixed:
- Rename freeaddrinfo(), getaddrinfo() and getnameinfo() in the internal libirs
  library that does not consider /etc/hosts and /etc/nsswitch.conf to use irs_
  prefix. This prevents name conflicts which would result in overriding standard
  glibc functions used by libldap. (bsc#972907)


-----------------------------------------
Patch: SUSE-2016-1085
Released: Thu Jul 21 18:45:30 2016
Summary: Recommended update for strace
Severity: low
References: 983282
Description:

This update for strace provides the following fixes:

- If the set of headers are unable to produce a valid list, printflags will try
  to pass NULL to tprints which crashes. Add a sanity check for this edge case.
  (bsc#983282)


-----------------------------------------
Patch: SUSE-2016-1087
Released: Fri Jul 22 10:53:01 2016
Summary: Recommended update for supportutils
Severity: moderate
References: 968073,968269,971778,987627
Description:

This update for supportutils fixes the following issues:

- Support for iSCSI LIO Targets (bsc#968269)
- Fixed docker error (bsc#971778)
- Fixed crash basename extra operand (bsc#968073, bsc#987627)


-----------------------------------------
Patch: SUSE-2016-1091
Released: Fri Jul 22 20:13:08 2016
Summary: Recommended update for mozjs17
Severity: low
References: 984126
Description:

This update for mozjs17 adds support for 48 bits virtual address space, used
in the arm64 architecture.


-----------------------------------------
Patch: SUSE-2016-1115
Released: Thu Jul 28 12:40:36 2016
Summary: Recommended update for psmisc
Severity: low
References: 908063,930760,974161
Description:

This update for psmisc prevents attempts to close files which are not open. This
issue could make pstree(1) terminate with a segmentation fault.


-----------------------------------------
Patch: SUSE-2016-1120
Released: Thu Jul 28 17:19:40 2016
Summary: Recommended update for ksh
Severity: moderate
References: 962069,964966,982423,987362
Description:

This update for ksh fixes the following issues:

- Own the ksh files in /etc/alternatives. (bsc#987362, bsc#962069)
- Fix leak in optimize processing. (bsc#982423)
- Fix editor prediction code garbling input. (bsc#964966)


-----------------------------------------
Patch: SUSE-2016-1121
Released: Thu Jul 28 18:01:30 2016
Summary: Recommended update for pssh
Severity: moderate
References: 985637
Description:

This update for pssh fixes the following issues:

- Fix broken -I option (bsc#985637)


-----------------------------------------
Patch: SUSE-2016-1124
Released: Fri Jul 29 13:27:52 2016
Summary: Recommended update for libxcb
Severity: low
References: 984368
Description:

This update for libxcb provides the following fixes:

- Fix encoding of 64-bit elements in PRESENT extension. (bsc#984368)


-----------------------------------------
Patch: SUSE-2016-1141
Released: Wed Aug  3 15:24:30 2016
Summary: Security update for sqlite3
Severity: moderate
References: 987394,CVE-2016-6153
Description:

This update for sqlite3 fixes the following issues: 

The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)


-----------------------------------------
Patch: SUSE-2016-1149
Released: Thu Aug  4 14:06:16 2016
Summary: Recommended update for gcc48
Severity: low
References: 981311
Description:

This update for gcc48 fixes a miscompilation issue specific to the aarch64 architecture.


-----------------------------------------
Patch: SUSE-2016-1152
Released: Thu Aug  4 15:02:18 2016
Summary: Recommended update for binutils
Severity: low
References: 970239,985642
Description:

GNU Binutils was updated to version 2.26.1, which brings several fixes and
enhancements:

- Add -mrelax-relocations on x86 but keep it disabled on old products.
- Add --fix-stm32l4xx-629360 to the ARM linker to enable a link-time workaround
  for a bug in the bus matrix / memory controller for some of the STM32 Cortex-M4
  based products (STM32L4xx).
- Add a configure option --enable-compressed-debug-sections={all,ld} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Experimental support for linker garbage collection (--gc-sections) has been
  enabled for COFF and PE based targets.
- New command line option for ELF targets to compress DWARF debug sections,
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi].
- New command line option, --orphan-handling=[place|warn|error|discard], to
  adjust how orphan sections are handled.  The default is 'place' which gives
  the current behavior, 'warn' and 'error' issue a warning or error respectively
  when orphan sections are found, and 'discard' will discard all orphan sections.
- Add support for LLVM plugin.
- Add --print-memory-usage option to report memory blocks usage.
- Add --require-defined option, it's like --undefined except the new symbol must
  be defined by the end of the link.
- Add a configure option --enable-compressed-debug-sections={all,gas} to decide
  whether DWARF debug sections should be compressed by default.
- Add support for the ARC EM/HS, and ARC600/700 architectures.  Remove assembler
  support for Argonaut RISC architectures.
- Add option to objcopy to insert new symbols into a file:
  --add-symbol <name>=[<section>:]<value>[,<flags>]
- Add support for the ARC EM/HS, and ARC600/700 architectures.
- Extend objcopy --compress-debug-sections option to support
  --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi] for ELF targets.
- Add --update-section option to objcopy.
- Add --output-separator option to strings.
- Fix internal error when applying TLSDESC relocations with no TLS segment
- Fix wrong insn type for troo insn.
- Change default common-page-size to 64K on aarch64.


-----------------------------------------
Patch: SUSE-2016-1153
Released: Thu Aug  4 15:17:28 2016
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: low
References: 990887,990888
Description:

This update enhances supportutils-plugin-suse-public-cloud to collect information
about instance initialization recorded by the initialization code in system logs.


-----------------------------------------
Patch: SUSE-2016-1158
Released: Thu Aug  4 17:03:59 2016
Summary: Recommended update for resource-agents
Severity: low
References: 956739,977193,978680,985486
Description:

This update for resource-agents enables support for IPv6 in ldirectord.

Two new packages have been added to SLE High Availability Extension 12 SP1:
perl-IO-Socket-IP and perl-Net-INET6Glue.

Two packages received enhancements related to IPv6 support: perl-Net-HTTP
and perl-libwww-perl.

Additionally, resource-agents received two bug fixes unrelated to the IPv6
feature:

- exportfs: Add pseudo resource factor. (bsc#978680)
- send_arp: Fix for infiniband, re-merge from upstream iputils arping. (bsc#985486)
- Fixed one bugreference (bsc#956739)


-----------------------------------------
Patch: SUSE-2016-1205
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:

This update for rpm provides the following fixes:

- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)


-----------------------------------------
Patch: SUSE-2016-1216
Released: Fri Aug 12 18:19:22 2016
Summary: Recommended update for SUSE Manager 3.0 and Client Tools
Severity: moderate
References: 970669,972311,978150,979448,983017,983512,984622,984998,985661,988506,989193
Description:

This consolidated update includes multiple patchinfos for SUSE Manager Server,
Proxy and SUSE Enterprise Storage 3. This patchinfo is used for the codestream release only


-----------------------------------------
Patch: SUSE-2016-1228
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:

This update for libidn fixes the following issues:

- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189)

- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190) 

- CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)

- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241) 



-----------------------------------------
Patch: SUSE-2016-1245
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update for python fixes the following issues:

- CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)


-----------------------------------------
Patch: SUSE-2016-1247
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Severity: moderate
References: 992966,CVE-2016-6318
Description:

This update for cracklib fixes the following issues:

- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)



-----------------------------------------
Patch: SUSE-2016-1252
Released: Mon Aug 22 15:12:43 2016
Summary: Recommended update for timezone
Severity: low
References: 988184
Description:

This update for timezone adds a positive leap second at the end of 2016-12-31.


-----------------------------------------
Patch: SUSE-2016-1259
Released: Tue Aug 23 17:25:28 2016
Summary: Recommended update for libpcap
Severity: low
References: 874131,992262
Description:

This update for libpcap provides the following fixes:

- Do not apply userspace filter until VLAN tag is reconstructed. (bsc#874131)
- Use TPID value passed by kernel rather than wild-guess 802.1Q. (bsc#874131)
- In 'vlan' filter BPF code, check also for 802.1ad (0x88a8) TPID in addition to
  802.1Q (0x8100) and non-standard 0x9100 Q-in-Q. (bsc#874131)
- Add missing DLT_INFINIBAND to dlt_choices table. (bsc#992262, fate#319438)


-----------------------------------------
Patch: SUSE-2016-1263
Released: Wed Aug 24 13:55:39 2016
Summary: Security update for dosfstools
Severity: moderate
References: 912607,980364,980377,CVE-2015-8872,CVE-2016-4804
Description:
dosfstools was updated to fix two security issues.

These security issues were fixed:
- CVE-2015-8872: The set_fat function in fat.c in dosfstools might have allowed attackers to corrupt a FAT12 filesystem or cause a denial of service (invalid memory read and crash) by writing an odd number of clusters to the third to last entry on a FAT12 filesystem, which triggers an 'off-by-two error (bsc#980364).
- CVE-2016-4804: The read_boot function in boot.c in dosfstools allowed attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function (bsc#980377).

This non-security issue was fixed:
- bsc#912607: Attempt to rename root dir in fsck due to uninitialized fields.
  

-----------------------------------------
Patch: SUSE-2016-1309
Released: Fri Sep  2 13:37:41 2016
Summary: Security update for wget
Severity: moderate
References: 937096,958342,984060,CVE-2015-2059,CVE-2016-4971
Description:

This update for wget fixes the following issues:

 - Fix for HTTP to a FTP redirection file name confusion vulnerability
   (bsc#984060, CVE-2016-4971).
 - Work around a libidn  vulnerability
   (bsc#937096, CVE-2015-2059).
 - Fix for wget fails with basicauth: Failed writing HTTP request:
   Bad file descriptor
   (bsc#958342)


-----------------------------------------
Patch: SUSE-2016-1326
Released: Thu Sep  8 11:37:44 2016
Summary: Security update for perl
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:

This update for Perl fixes the following issues:

- CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)


-----------------------------------------
Patch: SUSE-2016-1330
Released: Fri Sep  9 09:00:53 2016
Summary: Security update for tiff
Severity: moderate
References: 964225,973340,984808,984831,984837,984842,987351,CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Description:

This update for tiff fixes the following issues:

* CVE-2015-8781, CVE-2015-8782, CVE-2015-8783: Out-of-bounds writes for invalid images (bsc#964225)
* CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).
* CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351)
* CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)
* CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)
* CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)
* CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808) 



-----------------------------------------
Patch: SUSE-2016-1344
Released: Tue Sep 13 18:10:21 2016
Summary: Recommended update for kbd
Severity: low
References: 984958
Description:

This update for kbd adds mapping for two keycodes to br-abnt2 map:

- Slash (/): alt-gr + q
- Question mark (?): alt-gr + w


-----------------------------------------
Patch: SUSE-2016-1347
Released: Wed Sep 14 09:12:04 2016
Summary: Security update for gd
Severity: moderate
References: 982176,987577,988032,991436,991622,991710,995034,CVE-2016-5116,CVE-2016-6128,CVE-2016-6132,CVE-2016-6161,CVE-2016-6207,CVE-2016-6214,CVE-2016-6905
Description:

This update for gd fixes the following issues:

  * CVE-2016-6214: Buffer over-read issue when parsing crafted TGA file [bsc#991436]
  * CVE-2016-6132: read out-of-bands was found in the parsing of TGA files using libgd [bsc#987577]
  * CVE-2016-6128: Invalid color index not properly handled [bsc#991710]
  * CVE-2016-6207: Integer overflow error within _gdContributionsAlloc() [bsc#991622]
  * CVE-2016-6161: global out of bounds read when encoding gif from malformed input withgd2togif [bsc#988032]
  * CVE-2016-5116: avoid stack overflow (read) with large names [bsc#982176]
  * CVE-2016-6905: Out-of-bounds read in function read_image_tga in gd_tga.c [bsc#995034]



-----------------------------------------
Patch: SUSE-2016-1355
Released: Thu Sep 15 14:52:37 2016
Summary: Recommended update for growpart
Severity: low
References: 998378
Description:

This update provides growpart 0.29, which brings the following enhancements and
fixes:

- Fix use of partx with newer util-linux versions.
- Fix some issues in error path reporting.
- Capture output of 'partx --help' as older versions do not support that flag and
  send output to standard error.
- Fix bug when growing partitions on disks greater than 2TB.
- Support sfdisk 2.26 or newer, and support gpt partitions with sfdisk.


-----------------------------------------
Patch: SUSE-2016-1358
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Severity: low
References: 983206
Description:

This update ships the GNU Compiler Collection (GCC) in version 6.2.

This update is shipped in two parts:

- SUSE Linux Enterprise Server 12 and Desktop:

  The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1
  and some others can now be used by GCC 6 built binaries.

- SUSE Linux Enterprise 12 Toolchain Module:

  The Toolchain module received the GCC 6 compiler suite with this update.

Changes:

- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

Generic Optimization improvements:

- UndefinedBehaviorSanitizer gained a new sanitization option,
  -fsanitize=bounds-strict, which enables strict checking of array
  bounds. In particular, it enables -fsanitize=bounds as well as
  instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different
  pointers. This improves precision of the alias oracle by about 20-30%
  on higher-level C++ programs. Programs doing invalid type punning of
  pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This
  makes it possible to access both a variable and its alias in one
  translation unit which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++
  member functions is non-null. This eliminates common null pointer checks
  but also breaks some non-conforming code-bases (such as Qt-5, Chromium,
  KDevelop). As a temporary work-around -fno-delete-null-pointer-checks
  can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
    - Basic jump threading is now performed before profile construction
      and inline analysis, resulting in more realistic size and time
      estimates that drive the heuristics of the of inliner and function
      cloning passes.
    - Function cloning now more aggressively eliminates unused function
      parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved
  implementation of the OpenACC 2.0a specification.

C language specific improvements:

- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges,
  rather than just points, making it easier to identify the subexpression
  of interest within a complicated expression. In addition, there is
  now initial support for precise diagnostic locations within strings,
- Diagnostics can now contain 'fix-it hints', which are displayed in
  context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
    - -Wshift-negative-value warns about left shifting a negative value.
    - -Wshift-overflow warns about left shift overflows. This warning is
      enabled by default. -Wshift-overflow=2 also warns about left-shifting
      1 into the sign bit.
    - -Wtautological-compare warns if a self-comparison always evaluates
      to true or false. This warning is enabled by -Wall.
    - -Wnull-dereference warns if the compiler detects paths that
      trigger erroneous or undefined behavior due to dereferencing a null
      pointer. This option is only active when -fdelete-null-pointer-checks
      is active, which is enabled by optimizations in most targets. The
      precision of the warnings depends on the optimization options used.
    - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
    - -Wmisleading-indentation warns about places where the indentation
      of the code gives a misleading idea of the block structure of the
      code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers
  are present in a source file.

C improvements:

- It is possible to disable warnings when an initialized field
  of a structure or a union with side effects is being overridden
  when using designated initializers via a new warning option
  -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures
  and unions has been introduced. It specifies the storage order (aka
  endianness) in memory of scalar fields in structures or unions.

C++ improvements:

- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where
  a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert,
  and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

libstdc++ improvements:

- Extensions to the C++ Library to support mathematical special functions
  (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the
  Library Fundamentals TS. This includes polymorphic memory resources and
  array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by
  _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have
  less run-time overhead than the full _GLIBCXX_DEBUG checks and don't
  affect the library ABI, so can be enabled per-translation unit.

Fortran improvements:

- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if
  front-end optimization is active. The maximum size for inlining can be
  set to n with the -finline-matmul-limit=n option and turned off with
  -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which
  have excess precision for their kind.
- The -Winteger-division option has been added, which warns about
  divisions of integer constants which are truncated. This option is
  included in -Wall by default.

Architecture improvements:

- AArch64 received a lot of improvements.

IA-32/x86-64 improvements:

- GCC now supports the Intel CPU named Skylake with AVX-512 extensions
  through -march=skylake-avx512. The switch enables the following ISA
  extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been
  added. This includes new intrinsic and built-in support. It is enabled
  through option -mmwaitx. The instructions monitorx and mwaitx implement
  the same functionality as the old monitor and mwait instructions. In
  addition mwaitx adds a configurable timer. The timer value is received
  as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack
  pointer using the command-line option -mstackrealign or __attribute__
  ((force_align_arg_pointer)). This allows functions compiled with
  a vector-aligned stack to be invoked from objects that keep only
  word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These
  can be used to access data via the %fs and %gs segments without having
  to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through
  the -march=znver1 and -mtune=znver1 options.

PowerPC / PowerPC64 / RS6000 improvements:

- PowerPC64 now supports IEEE 128-bit floating-point using the
  __float128 data type. In GCC 6, this is not enabled by default, but you
  can enable it with -mfloat128. The IEEE 128-bit floating-point support
  requires the use of the VSX instruction set. IEEE 128-bit floating-point
  values are passed and returned as a single vector value. The software
  emulator for IEEE 128-bit floating-point support is only built on
  PowerPC GNU/Linux systems where the default CPU is at least power7. On
  future ISA 3.0 systems (POWER 9 and later), you will be able to use the
  -mfloat128-hardware option to use the ISA 3.0 instructions that support
  IEEE 128-bit floating-point. An additional type (__ibm128) has been added
  to refer to the IBM extended double type that normally implements long
  double. This will allow for a future transition to implementing long
  double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the
  recently published OpenPOWER ISA 3.0 instructions. The following new
  switches are available:
     - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by
       the compiler.
     - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently,
       POWER8 tunings are used.
     - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus,
       count trailing zeros, array index support, integer multiply/add).
     - -mpower9-fusion: Generate code to suitably fuse instruction sequences for
       a POWER9 system.
     - -mpower9-dform: Generate code to use the new D-form (register+offset) memory
       instructions for the vector registers.
     - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec)
       instructions.
     - -mpower9-minmax: Reserved for future development.
     - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0
  instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(),
  allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values.
  This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as
  memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine
  whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both
  big- and little-endian (but not for 32-bit). The gold linker from at
  least binutils 2.25.1 must be available in the PATH when configuring and
  building gccgo to enable split stack. (The requirement for binutils 2.25.1
  applies to PowerPC64 only.) The split-stack feature allows a small initial
  stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

S/390, System z, IBM z Systems improvements:

- Support for the IBM z13 processor has been added. When using the
  -march=z13 option, the compiler will generate code making use of the
  new instructions and registers introduced with the vector extension
  facility. The -mtune=z13 option enables z13 specific instruction
  scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector
  types bigger than 8 bytes to 8. This is an ABI change and care must be
  taken when linking modules compiled with different arch levels which
  interchange variables containing vector type values. For newly compiled
  code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension
  provides a new keyword vector which can be used to define vector type
  variables. (Note: This is not available when enforcing strict standard
  compliance e.g. with -std=c99. Either enable GNU extensions with
  e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially
  compatible to the PowerPC Altivec builtins. In order to make use of
  these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native, and -mtune=native are now
  available on native IBM z Systems. Specifying these options will cause
  GCC to auto-detect the host CPU and rewrite these options to the optimal
  setting for that system. If GCC is unable to detect the host CPU these
  options have no effect.
- The IBM z Systems port now supports target attributes and
  pragmas. Please refer to the documentation for details of available
  attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This
  feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been
  deprecated and will be removed in a future GCC release. -m31 from now
  on defaults to -march=z900 if not specified otherwise. -march=native on
  a g5/g6 machine will default to -march=z900.

An even more detailed list of features can be found at:
https://gcc.gnu.org/gcc-6/changes.html


-----------------------------------------
Patch: SUSE-2016-1370
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 994157,CVE-2016-6313
Description:

This update for libgcrypt fixes the following issues:

  - RNG prediction vulnerability (bsc#994157, CVE-2016-6313)



-----------------------------------------
Patch: SUSE-2016-1372
Released: Wed Sep 21 16:10:49 2016
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 992537,CVE-2016-3485,CVE-2016-3511,CVE-2016-3598
Description:

IBM Java 7.1 was updated to version 7.1-3.50 to fix the following security issues:

CVE-2016-3485 CVE-2016-3511 CVE-2016-3598

Please see https://www.ibm.com/developerworks/java/jdk/alerts/ for more information.

- Add hwkeytool binary for zSeries.


-----------------------------------------
Patch: SUSE-2016-1383
Released: Mon Sep 26 10:18:37 2016
Summary: Recommended update for mutt
Severity: low
References: 961470,968699,983722
Description:

The Mutt mail client was updated to version 1.6.0, which brings many new features,
fixes and enhancements:

- Enable UTF-8 mailbox support for IMAP.
- New expandos %r and %R for comma separated list of To: and Cc: recipients respectively.
- Improved support for internationalized email and SMTPUTF8 (RFCs 653[0-3]).
- Option $use_idn has been renamed to $idn_decode.
- New option $idn_encode controls whether outgoing email address domains will be IDNA
  encoded. If your MTA supports it, unset to use utf-8 email address domains.
- The S/MIME message digest algorithm is now specified using the option
  $smime_sign_digest_alg. Note that $smime_sign_command should be modified
  to include '-md %d'. Please see contrib/smime.rc.
- New option $reflow_space_quotes allows format=flowed email quotes to be displayed
  with spacing between them.
- Multipart draft files are now supported.
- The '-E' command line argument causes mutt to edit draft or include files.
  All changes made in mutt will be saved back out to those files.
- New option $resume_draft_files and $resume_edited_draft_files control how mutt
  processes draft files.
- For classic gpg mode, $pgp_decryption_okay should be set to verify multipart/encrypted
  are actually encrypted. Please see contrib/gpg.rc for the suggested value.
- mailto URL header parameters by default are now restricted to 'body' and 'subject'.
- mailto_allow and unmailto_allow can be used to add or remove allowed mailto header
  parameters.
- The method of setting $hostname has been changed. Instead of scanning /etc/resolv.conf,
  the domain will now be determined using DNS calls.
- Add terminal status-line (TS) support, a.k.a. xterm title. See the following variables:
  $ts_enabled, $ts_icon_format, $ts_status_format.
- Option $ssl_use_sslv3 is now disabled by default.
- New command-line arguments: -H now combines template and command-line address arguments.
- GnuPG signature name is set to signature.asc.
- New color object 'prompt' added.
- Ability to encrypt postponed messages. See $postpone_encrypt and $postpone_encrypt_as.
- History ring now has a scratch buffer.
- mail-key is implemented for GPGME.
- Removed GPG_AGENT_INFO check for GnuPG 2.1 compatibility. Please set pgp_use_gpg_agent
  if using GnuPG 2.1 or later.
- Option $smime_encrypt_with now defaults to aes256.
- GnuPG fingerprints are used internally when possible. '--with-fingerprint' should be
  added to $pgp_list_pubring_command and $pgp_list_secring_command to enable this. Please
  see contrib/gpg.rc. Fingerprints may also be used at the prompts for key selection.
- Option $crypt_opportunistic_encrypt automatically enables/disables encryption based on
  message recipients.
- Attachments for signed, unencrypted emails may be deleted.
- Multiple crypt-hooks may be defined for the same regexp. This means multiple keys may be
  used for a recipient.
- Option $crypt_confirmhook allows the confirmation prompt for crypt-hooks to be disabled.
- Option $ssl_ciphers allows the SSL ciphers to be directly set.
- sime_keys better handles importing certificate chains.
- sime_keys now records certificate purposes (sign/encrypt). Run 'sime_keys refresh' to
  update smime index files.
- Option $maildir_check_cur polls the maildir 'cur' directory for new mail.
- Add support for TLS 1.1/1.2.
- Correctly shorten imaps://imap.example.com/INBOX to INBOX, not to NBOX. (bsc#961470)
- Recommend installation of perl(Expect) as a useful helper script below the samples
  depends on it. (bsc#968699)

A comprehensive list of changes is available at http://www.mutt.org/doc/ChangeLog
 

-----------------------------------------
Patch: SUSE-2016-1390
Released: Tue Sep 27 15:11:15 2016
Summary: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Severity: moderate
References: 954210,990856,CVE-2015-8079,CVE-2016-6354
Description:

Various packages included vulnerable parsers generated by 'flex'.

This update provides a fixed 'flex' package and also rebuilds of packages
that might have security issues caused by the auto generated code.

Flex itself was updated to fix a buffer overflow in the generated scanner
(bsc#990856, CVE-2016-6354)

Packages that were rebuilt with the fixed flex:
- at
- bogofilter
- cyrus-imapd
- kdelibs4
- libQtWebKit4
- libbonobo
- mdbtools
- netpbm
- openslp
- sgmltool
- virtuoso

Also libqt5-qtwebkit received an additional security fix:
- CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).


-----------------------------------------
Patch: SUSE-2016-1406
Released: Thu Sep 29 11:22:48 2016
Summary: Optional update for DirectFB, fltk, libgnomecups, libgsm, mlocate, vlan
Severity: low
References: 1001359
Description:

This update provides rebuilds of a few packages in order to synchronize their binaries on all
architectures of SUSE Linux Enterprise Server 12.

The following packages have been rebuilt: DirectFB, fltk, libgnomecups, libgsm, mlocate, vlan.


-----------------------------------------
Patch: SUSE-2016-1425
Released: Tue Oct  4 12:35:59 2016
Summary: Recommended update for Amazon's EC2 utilities
Severity: low
References: 999019,999299
Description:

This update provides fixes and enhancements for Amazon's EC2 utilities.

python-ec2utilsbase (update to version 2.0.2):

- Fix install from source by properly setting up a namespace.

python-ec2deprecateimg (update to version 3.0.2):

- Fix install from source by properly setting up a namespace.

python-ec2publishimg (update to version 1.1.3):

- When attempting to set an image private that is already private or that has a
  snapshot where sharing permission were not set an error message was produced.
  We now provide an info message and move on. (bsc#999299)
- Fix install from source by properly setting up a namespace.

python-ec2uploadimg (update to version 1.1.3):

- Support use of uploading without --verbose option. (bsc#999019) 
- Fix install from source by properly setting up a namespace.


-----------------------------------------
Patch: SUSE-2016-1441
Released: Thu Oct  6 16:46:04 2016
Summary: Security update for compat-openssl098
Severity: important
References: 979475,982575,983249,993819,994749,994844,995075,995324,995359,995377,998190,999665,999666,999668,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306
Description:

This update for compat-openssl098 fixes the following issues:

OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

Severity: High
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304) (bsc#999666)

Severity: Low
* Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
* Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
* DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
* DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
* OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
* Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) (bsc#995359)
* Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
* OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
* Certificate message OOB reads (CVE-2016-6306) (bsc#999668)

More information can be found on: https://www.openssl.org/news/secadv/20160922.txt

Bugs fixed:
* update expired S/MIME certs (bsc#979475)
* fix crash in print_notice (bsc#998190)
* resume reading from /dev/urandom when interrupted by a signal (bsc#995075)


-----------------------------------------
Patch: SUSE-2016-1454
Released: Mon Oct 10 16:25:51 2016
Summary: Recommended update for timezone
Severity: low
References: 997830
Description:

This update provides the latest timezone information (2016g) for your system,
including the following changes:

- Turkey will remain on UTC+03 after 2016-10-30. (bsc#997830)
- Antarctica and nautical time zones now use numeric time zone abbreviations instead
  of obsolete alphanumeric ones.
- Renamed Asia/Rangoon to Asia/Yangon.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1461
Released: Wed Oct 12 11:31:33 2016
Summary: Security update for tiff
Severity: moderate
References: 974449,974614,974618,975069,975070,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Description:
This update for tiff fixes the following security issues:

- CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449)
- Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098)
- CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618)
- CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614)
- CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069)
- CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070)


-----------------------------------------
Patch: SUSE-2016-1464
Released: Wed Oct 12 11:36:01 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:
This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering crashes, or privilege escalation if this relationship was untrusted or crossed user or permission level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1480
Released: Fri Oct 14 15:25:22 2016
Summary: Recommended update for yast2-sap-scp
Severity: moderate
References: 999291
Description:

This version update from 1.0.2 to 1.0.3 for yast2-sap-scp fixes an issue with
not working HTTP redirections for the product metadata files (bsc#999291).


-----------------------------------------
Patch: SUSE-2016-1503
Released: Wed Oct 19 11:39:35 2016
Summary: Recommended update for ksh
Severity: low
References: 988213
Description:

This update for ksh fixes a locking error in spawn implementation.


-----------------------------------------
Patch: SUSE-2016-1509
Released: Thu Oct 20 12:49:14 2016
Summary: Recommended update for python-cliff, python-setuptools, python-mock
Severity: low
References: 1001350,979493,993968
Description:

This update provides newer versions of python-cliff, python-setuptools and python-mock,
including several fixes and enhancements.

python-cliff (updated from 1.7.0 to 1.14.0):

- Fix encoding issue with the default python CSV output.
- Add command fuzzy matching.
- Allow subcommands to accept --help when using 'deferred_help'.

For a comprehensive list of fixes please refer to the package's change log.

python-mock (updated from 1.0.1 to 1.3.0):

- mock_open.read_data can now be read from each instance.
- Fix unittest.mock.mock_open().reset_mock to not recurse infinitely.
- Support Python 2.6.
- Allow unittest.mock side_effects to be exceptions again.
- Abort installation if the installer is using setuptools older than 17.1.
- Fix MagicMock's initializer to work with __methods__.
- Add matmul, rdivmod support to MagicMock() objects.
- Use set literals instead of creating a set from a list.
- New method assert_not_called for Mock.
- New keyword argument `unsafe` to Mock.
- Four additional builtin types (PyTypeObject, PyMethodDescr_Type, _PyMethodWrapper_Type,
  and PyWrapperDescr_Type) have been modified to provide introspection information for
  builtins.

For a comprehensive list of fixes please refer to the package's change log.

python-setuptools (updated from 1.1.7 to 18.0.1):

- Fix certificate handling with certifi and add support for SUSE's CA bundle. (bsc#993968)
- Drop support for builds with Pyrex. Only Cython is supported.
- Bootstrap script now accepts '--to-dir' to customize save directory or allow for
  re-use of existing repository of setuptools versions.
- Removed built-in support for subversion.
- Eggs that are downloaded for 'setup_requires', 'test_requires', etc. are now
  placed in a './.eggs' directory instead of directly in the current directory.
- Correct usage of host for validation when tunneling for HTTPS.
- Improved handling of Unicode filenames when building manifests.
- More robust handling of replaced zip files and stale caches.
- Add parameter to the test command to support a custom test runner: --test-runner or -r.
- Remove 'setuptools.command.easy_install.HAS_USER_SITE'. Users expecting this
  boolean variable should use 'site.ENABLE_USER_SITE' instead.
- Remove 'pkg_resources.ImpWrapper'. Users that expected this class should use
  'pkgutil.ImpImporter' instead.
- Drop support for Python 2.4 and Python 2.5.
- Establish a more robust technique for determining the terminal encoding.
- 'easy_install' will now use credentials from .pypirc if present for connecting to
  the package index.
- Wheels are now distributed with every release.


-----------------------------------------
Patch: SUSE-2016-1510
Released: Thu Oct 20 14:04:39 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1533
Released: Mon Oct 24 14:12:29 2016
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 1002529,986447,986978,990029,990439,990440,990738,991048,993039,993549,994619,996455,998185
Description:

This update fixes the following issues:

cobbler:

- Enabling PXE grub2 support for PowerPC (bsc#986978)

rhnlib:

- Add function aliases for backward compatibility (bsc#998185)

salt:

- Setting up OS grains for SLES-ES (SLES Expanded Support platform)
- Move salt home directory to /var/lib/salt (bsc#1002529)
- Generate Salt Thin with configured extra modules (bsc#990439)
- Prevent pkg.install failure for expired keys (bsc#996455)
- Required D-Bus and generating machine ID
- Fix python-jinja2 requirements in rhel
- Fix pkg.installed refresh repository failure (bsc#993549)
- Fix salt.states.pkgrepo.management no change failure (bsc#990440)
- Prevent snapper module crash on load if no DBus is
  available in the system (bsc#993039)
- Prevent continuous restart, if a dependency wasn't installed
  (bsc#991048)
- Fix beacon list to include all beacons being process
- Run salt-api as user salt like the master (bsc#990029)

spacewalk-backend:

- Fix for non-integer IDs for bugzilla bug
- Silently ignore non-existing errata severity label on errata import,
  remove non-used exception (bsc#986447)
- Make suseLib usable on a proxy

spacewalk-client-tools:

- Logging message in case of malformed XML file
- Prevent crashes if machine-id is None (bsc#994619)
- Print invalid package name and replace the invalid character
- Ignore packages with not UTF-8 characters in name, version and release
  (bsc#990738)



-----------------------------------------
Patch: SUSE-2016-1558
Released: Wed Oct 26 15:21:45 2016
Summary: Security update for python3
Severity: moderate
References: 951166,983582,984751,985177,985348,989523,991069,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:

- CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment
  variable based on user supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to
  perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urrlib2/urllib/httplib/http.client.
  (bsc#985348)

The update also includes the following non-security fixes:

- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement.
  (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html


-----------------------------------------
Patch: SUSE-2016-1565
Released: Thu Oct 27 13:06:35 2016
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)

The following bugfix changes are included:
- bsc#994989: Removed convenience code as changes bytes in the message buffer breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2016-1571
Released: Fri Oct 28 14:54:49 2016
Summary: Security update for gd
Severity: important
References: 1001900,1004924,1005274,CVE-2016-6911,CVE-2016-7568,CVE-2016-8670
Description:

This update for gd fixes the following security issues:

- CVE-2016-7568: A specially crafted image file could cause an application crash or potentially execute arbitrary code
                 when the image is converted to webp (bsc#1001900)
- CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf (bsc#1004924)
- CVE-2016-6911: Check for out-of-bound read in dynamicGetbuf() (bsc#1005274)


-----------------------------------------
Patch: SUSE-2016-1586
Released: Wed Nov  2 00:20:11 2016
Summary: Recommended update for python-boto3, python-botocore, python-ec2uploadimg, python-s3transfer
Severity: low
References: 1007084
Description:

This update for python-boto3, python-botocore, python-ec2uploadimg and python-s3transfer
provides several fixes and enhancements.

python-ec2uploadimg (update to version 2.0.0):

- Add --ena-support command line argument to enable ENA device support.
- Incompatible change: argument order for uploader class.

python-s3transfer (update to version 0.1.9):

- Support downloading to FIFOs.
- Fix memory leak when using same client to create multiple TransferManagers.
- Fix issue where S3 Object was not downloaded to disk when empty.
- Fix issue of hangs when Cntrl-C happens for many queued transfers.
- Expose messages for cancels.
- Automatically adjust the chunksize if it doesn't meet S3s requirements.
- Add support for downloading to special UNIX file by name.
- Add a .delete() method to the transfer manager.
- Fix issue where seeked position of seekable file for a non-multipart upload was
  not being taken into account.
- Patch memory leak related to unnecessarily holding onto futures for downloads.
- Fix deadlock issue with using concurrent.futures.wait.
- Add support for managed copies.
- Add support for downloading to a filename, seekable file-like object, and non-seekable
  file-like object.
- Add support for uploading a filename, seekable file-like object, and non-seekable
  file-like object.
- Add TransferManager class.
- Add subscriber interface.

python-boto3 (update to version 1.4.1):

- Fix the version requirement for botocore to ensure proper functioning of the API.
- Add missing dependency on python-s3transfer.
- Expose available_profiles property for Session.
- Fix issue when transfers would not exit quickly from signals.
- Fix issue in DeadLetterSourceQueues collection.
- Add request auto de-duplication based on specified primary keys for batch_writer.
- Add managed file-like object uploads to S3 client, Bucket, and Object.
- Add managed copies to S3 client, Bucket, and Object.
- Add managed downloads to file-like objects in the S3 client, Bucket, and Object.
- Port s3.transfer module to use s3transfer package.
- Add io_chunksize parameter to TransferConfig.
- Add custom load to ObjectSummary.
- Add method to get session credentials.
- Ensure batch writer never sends more than flush_amount.
- Add get_available_subresources to Resources.

python-botocore (update to version 1.4.67):

- Add back missing fail states to cloudformation waiters.
- Add support for us-east-2.
- Add partition to client meta object.
- Add ability to specify expected params when using add_client_error.
- Add NetworkAclExists waiter.
- Add paginators for Application Auto Scaling service.
- Add max_pool_connections to client config.
- Add MaxAttemptsReached and RetryAttempts keys to the returned ResonseMetadata dictionary.
- Add last_response attribute to WaiterError.
- Add support for s3 dualstack configuration.
- Account for boolean in query string serialization.
- S3 region redirector will now honor the original url scheme.
- Raise error when partial hard coded creds are provided when creating a client.
- Add a waiter to wait on successful deployments.
- Add support for ECS metadata credential provider.
- Fixed a bug where the S3 region redirector was potentially causing a memory leak on Python 2.6.
- RequestSigner.generate_presigned_url now requires the operation name to be passed in.
- Allow botocore.UNSIGNED to be used with generate_presigned_url and generate_presigned_post.
- Fix regression where assume role responses error out when attempting to cache a response.
- Add http response headers to the response metadata.
- Automatically redirect S3 sigv4 requests sent to the wrong region.
- Use MD5 to sign S3 bodies by default.
- Replace chars in the EC2 console output we can't decode with replacement chars.


-----------------------------------------
Patch: SUSE-2016-1609
Released: Fri Nov  4 12:43:04 2016
Summary: Recommended update for yast2-sap-scp
Severity: moderate
References: 999291
Description:

This version update from 1.0.2 to 1.0.3 for yast2-sap-scp fixes an issue with
not working HTTP redirections for the product metadata files (bsc#999291).


-----------------------------------------
Patch: SUSE-2016-1617
Released: Tue Nov  8 10:03:25 2016
Summary: Recommended update for libesmtp
Severity: low
References: 1005909
Description:

This update for libesmtp provides the following fixes:

- All TLS clients must support and use the highest TLS version available if
  possible, not only TLS 1.0. (bsc#1005909)


-----------------------------------------
Patch: SUSE-2016-1621
Released: Tue Nov  8 16:20:57 2016
Summary: Recommended update for timezone
Severity: low
References: 1007725,1007726
Description:

This update provides the latest timezone information (2016i) for your system,
including the following changes:

- Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00.
  (bsc#1007725)
- Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting
  2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (bsc#1007726)
- Antarctica/Casey switched from +08 to +11 on 2016-10-22.
- Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00.
- Asia/Colombo now uses numeric time zone abbreviations.

This release also includes changes affecting past time stamps and documentation.


-----------------------------------------
Patch: SUSE-2016-1634
Released: Thu Nov 10 11:26:56 2016
Summary: Recommended update for pciutils
Severity: low
References: 1001888
Description:

This update for pciutils fixes the following issues:

- lspci(8) incorrectly tested bit 4, not bit 0, for 'CRS Software Visibility' in
  the Root Capabilities register, so it showed 'RootCap: CRSVisible-' even for
  devices that do support Software Visibility. This update fixes it to use the
  correct definition for PCI_EXP_RTCAP_CRSVIS. (bsc#1001888)


-----------------------------------------
Patch: SUSE-2016-1639
Released: Thu Nov 10 18:05:34 2016
Summary: Security update for jasper
Severity: moderate
References: 1005084,1005090,1005242,1006591,1006593,1006597,1006598,1006599,1006836,1006839,1007009,392410,941919,942553,961886,963983,968373,CVE-2008-3522,CVE-2014-8158,CVE-2015-5203,CVE-2015-5221,CVE-2016-1577,CVE-2016-1867,CVE-2016-2089,CVE-2016-2116,CVE-2016-8690,CVE-2016-8691,CVE-2016-8692,CVE-2016-8693,CVE-2016-8880,CVE-2016-8881,CVE-2016-8882,CVE-2016-8883,CVE-2016-8884,CVE-2016-8885,CVE-2016-8886,CVE-2016-8887
Description:

This update for jasper to version 1.900.14 fixes several issues.

These security issues were fixed:
- CVE-2016-8887: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (bsc#1006836)
- CVE-2016-8886: memory allocation failure in jas_malloc (jas_malloc.c) (bsc#1006599)
- CVE-2016-8884,CVE-2016-8885: two null pointer dereferences in bmp_getdata (incomplete fix for CVE-2016-8690) (bsc#1007009)
- CVE-2016-8883: assert in jpc_dec_tiledecode() (bsc#1006598)
- CVE-2016-8882: segfault / null pointer access in jpc_pi_destroy (bsc#1006597)
- CVE-2016-8881: Heap overflow in jpc_getuint16() (bsc#1006593)
- CVE-2016-8880: Heap overflow in jpc_dec_cp_setfromcox() (bsc#1006591)
- CVE-2016-8693 Double free vulnerability in mem_close (bsc#1005242)
- CVE-2016-8691, CVE-2016-8692: Divide by zero in jpc_dec_process_siz (bsc#1005090)
- CVE-2016-8690: Null pointer dereference in bmp_getdata triggered by crafted BMP image (bsc#1005084)
- CVE-2016-2116: Memory leak in the jas_iccprof_createfrombuf function in JasPer allowed remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file (bsc#968373) 
- CVE-2016-2089: invalid read in the JasPer's jas_matrix_clip() function (bsc#963983)
- CVE-2016-1867: Out-of-bounds Read in the JasPer's jpc_pi_nextcprl() function (bsc#961886)
- CVE-2015-5221: Use-after-free (and double-free) in Jasper JPEG-200 (bsc#942553).
- CVE-2015-5203: Double free corruption in JasPer JPEG-2000 implementation (bsc#941919)
- CVE-2008-3522: Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer might have allowed context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf (bsc#392410)
- jasper: NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887) (bsc#1006839)

For additional change description please have a look at the changelog.


-----------------------------------------
Patch: SUSE-2016-1641
Released: Thu Nov 10 20:02:04 2016
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1006469,958369,979436
Description:

This update for sg3_utils provides the following fixes:

- Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could
  prevent some IBM Power systems from booting after installation. (bsc#1006469)
- Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
- In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs
  that have been added to the server. (bsc#958369)


-----------------------------------------
Patch: SUSE-2016-1668
Released: Thu Nov 17 14:34:38 2016
Summary: Security update for X Window System client libraries
Severity: moderate
References: 1002991,1002995,1002998,1003000,1003002,1003012,1003017,1003023,CVE-2016-5407,CVE-2016-7942,CVE-2016-7944,CVE-2016-7945,CVE-2016-7946,CVE-2016-7947,CVE-2016-7948,CVE-2016-7949,CVE-2016-7950,CVE-2016-7951,CVE-2016-7952,CVE-2016-7953
Description:

This update for the X Window System client libraries fixes a class of privilege escalation issues.

A malicious X Server could send specially crafted data to X clients, which allowed for triggering
crashes, or privilege escalation if this relationship was untrusted or crossed user or permission
level boundaries.

libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC were fixed, specifically:

libX11:
- CVE-2016-7942: insufficient validation of data from the X server allowed out of boundary memory
  read (bsc#1002991)

libXfixes:
- CVE-2016-7944: insufficient validation of data from the X server can cause an integer overflow
  on 32 bit architectures (bsc#1002995)

libXi:
- CVE-2016-7945, CVE-2016-7946: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1002998)

libXtst:
- CVE-2016-7951, CVE-2016-7952: insufficient validation of data from the X server can cause out of
  boundary memory access or endless loops (Denial of Service) (bsc#1003012)

libXv:
- CVE-2016-5407: insufficient validation of data from the X server can cause out of boundary memory
  and memory corruption (bsc#1003017)

libXvMC:
- CVE-2016-7953: insufficient validation of data from the X server can cause a one byte buffer read
  underrun (bsc#1003023)

libXrender:
- CVE-2016-7949, CVE-2016-7950: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003002)

libXrandr:
- CVE-2016-7947, CVE-2016-7948: insufficient validation of data from the X server can cause out of
  boundary memory writes (bsc#1003000)


-----------------------------------------
Patch: SUSE-2016-1672
Released: Thu Nov 17 20:09:17 2016
Summary: Recommended update for cloud-init
Severity: moderate
References: 1003977,1005616,1007529,998103,998836,998843,999942
Description:

This update provides cloud-init version 0.7.8, which brings several fixes and
enhancements:

- Fall back to the previous method of writing network information and fix the
  default path for network scripts. (bsc#1007529)
- Allow dmidecode usage on aarch64 systems. (bsc#1005616)
- Wait for the network to be up an running in order to get ssh key injected.
- Handle exception when attempting to detect if the network device is up when
  it is not. (bsc#1003977)
- Fix decoding error. (bsc#998843)
- Add missing closing bracket. (bsc#998836)
- Hostname of VM instance does not change after reboot. (bsc#998103)
- The service file cloud-init.service referenced networking.service which on
  SUSE is network.service. (bsc#999942)

For a comprehensive list of all changes please refer to the package's change log.


-----------------------------------------
Patch: SUSE-2016-1675
Released: Fri Nov 18 12:40:36 2016
Summary: Recommended update for boost
Severity: low
References: 925309,970706,996917
Description:

This update for boost adapts paths for our GCC versions:

- Boost assumes /usr/include/c++/x.y.z/ existence for GCC 4.x onward while our
  version of GCC only has /usr/include/c++/x.y for 4.x GCC and /usr/include/c++/x/
  for 5.x onward. (bsc#996917)
- Fix regression in asio library. (bsc#925309)
- Add libboost_context to the -devel dependencies when it is built. (bsc#970706)


-----------------------------------------
Patch: SUSE-2016-1676
Released: Fri Nov 18 12:42:16 2016
Summary: Security update for python3
Severity: moderate
References: 951166,983582,984751,985177,985348,989523,991069,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:

This update provides Python 3.4.5, which brings many fixes and enhancements.

The following security issues have been fixed:

- CVE-2016-1000110: CGIHandler could have allowed setting of HTTP_PROXY environment
  variable based on user supplied Proxy request header. (bsc#989523)
- CVE-2016-0772: A vulnerability in smtplib could have allowed a MITM attacker to
  perform a startTLS stripping attack. (bsc#984751)
- CVE-2016-5636: A heap overflow in Python's zipimport module. (bsc#985177)
- CVE-2016-5699: A header injection flaw in urrlib2/urllib/httplib/http.client.
  (bsc#985348)

The update also includes the following non-security fixes:

- Don't force 3rd party C extensions to be built with -Werror=declaration-after-statement.
  (bsc#951166)
- Make urllib proxy var handling behave as usual on POSIX. (bsc#983582)

For a comprehensive list of changes please refer to the upstream change log:
https://docs.python.org/3.4/whatsnew/changelog.html


-----------------------------------------
Patch: SUSE-2016-1690
Released: Thu Nov 24 08:36:43 2016
Summary: Security update for tar
Severity: moderate
References: 1007188,913058,CVE-2016-6321
Description:

This update for tar fixes the following issues:

- Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting
  files and directories in the given destination, regardless of the
  path name(s) specified on the command line [bsc#1007188]
  [CVE-2016-6321]
- Fix Amanda integration issue (bsc#913058)



-----------------------------------------
Patch: SUSE-2016-1716
Released: Mon Nov 28 14:52:36 2016
Summary: Recommended update for SUSE Manager Client Tools
Severity: moderate
References: 1003449,1004047,1004260,1004723,986019,999852
Description:

This update includes the following new features:

- Support Service Pack migration for Salt minions. (fate#320559)

This update fixes the following issues:

salt:

- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)

spacecmd:

- Make exception class more generic and code fixes. (bsc#1003449)
- Handle exceptions raised by listChannels. (bsc#1003449)
- Alert if a non-unique package ID is detected.


-----------------------------------------
Patch: SUSE-2016-1721
Released: Tue Nov 29 13:12:31 2016
Summary: Security update for vim
Severity: important
References: 1010685,988903,CVE-2016-1248
Description:

This update for vim fixes the following security issues:

- Fixed CVE-2016-1248 an arbitrary command execution vulnerability
  (bsc#1010685)

This update for vim fixes the following issues:

- Fix build with Python 3.5. (bsc#988903)


-----------------------------------------
Patch: SUSE-2016-1734
Released: Thu Dec  1 10:34:07 2016
Summary: Recommended update for timezone
Severity: low
References: 1011797
Description:

This update provides the latest timezone information (2016j) for your system,
including the following changes:

- Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. This change
  introduces a new zone Europe/Saratov split from Europe/Volgograd.

This release also includes changes affecting past time stamps. For a comprehensive
list, please refer to the release announcement from ICANN:

http://mm.icann.org/pipermail/tz-announce/2016-November/000044.html


-----------------------------------------
Patch: SUSE-2016-1738
Released: Fri Dec  2 11:22:31 2016
Summary: Recommended update for sensors
Severity: low
References: 1008552,999987
Description:

This update for sensors fixes the sensors-detect script to skip 'random' I/O port
probing on non-x86 systems. Attempting to detect such ports could lead to kernel
faults on ARM64 systems. (bsc#1008552)

Additionally, it fixes CPU detection support on ppc architectures. (bsc#999987)


-----------------------------------------
Patch: SUSE-2016-1744
Released: Fri Dec  2 11:42:41 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1746
Released: Fri Dec  2 13:55:49 2016
Summary: Recommended update for libpciaccess
Severity: low
References: 1006827
Description:

This update for libpciaccess provides the following fixes:

- Ignore 32bit PCI domains. They are now supported by the Linux kernel but not
  by the user land library, and this inconsistency can lead to problems such as
  startx(1) terminating with a segmentation fault. 32-bit PCI domains are not
  needed to start the X server.


-----------------------------------------
Patch: SUSE-2016-1749
Released: Mon Dec  5 09:28:00 2016
Summary: Security update for libX11
Severity: moderate
References: 1002991,CVE-2016-7942
Description:

libX11 was updated to fix a memory leak that was introduced with the
security fix for CVE-2016-7942.


-----------------------------------------
Patch: SUSE-2016-1754
Released: Mon Dec  5 18:03:45 2016
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1009026,1010395,1010401,1010402,1010404,1010410,1010422,1010427,1010517,992549,CVE-2016-5285,CVE-2016-5290,CVE-2016-5291,CVE-2016-5296,CVE-2016-5297,CVE-2016-9064,CVE-2016-9066,CVE-2016-9074
Description:
This update for MozillaFirefox, mozilla-nss fixes security issues and bugs.

The following vulnerabilities were fixed in Firefox ESR 45.5 (bsc#1009026):

- CVE-2016-5297: Incorrect argument length checking in Javascript (bsc#1010401)
- CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler (bsc#1010404)
- CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 (bsc#1010395)
- CVE-2016-9064: Addons update must verify IDs match between current and new versions (bsc#1010402)
- CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 (bsc#1010427)
- CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file (bsc#1010410)

The following vulnerabilities were fixed in mozilla-nss 3.21.3:

- CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler (bsc#1010422)
- CVE-2016-5285: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash (bsc#1010517)  

The following bugs were fixed:

- Firefox would fail to go into fullscreen mode with some window managers (bsc#992549)

The Mozilla Firefox changelog was amended to document patched dropped in a previous update.


-----------------------------------------
Patch: SUSE-2016-1757
Released: Mon Dec  5 19:30:28 2016
Summary: Recommended update for SLES for SAP 12 SP1
Severity: low
References: 1009297,967069,972098,977644,981446,982355
Description:

The following packages have been updated on SUSE Linux Enterprise Server for
SAP Applications 12 SP1 on the ppc64le architecture:

release-notes-sles-for-sap:

- A Release Notes document has been added to SUSE Linux Enterprise Server for
  SAP Applications 12 SP1. (bsc#967069)

SAPHanaSR:

- Adapt to changed landscapeHostConfiguration.py interface beginning with SPS12
  rev 120. (bsc#982355)
- Adapt to removal of interface hdbnsutil -sr_state beginning from rev 112.03.
  (bsc#981446)
- SAPHana resource with Virtual IP not migrating from master to secondary node
  correctly. (bsc#977644)

patterns-sap:

- Fix typo in BusinessOne pattern name. (bsc#972098)

The following packages have been rebuilt for synchronization of version numbers:
yast2-sap-scp, yast2-sap-scp-prodlist, clone-master-clean-up.


-----------------------------------------
Patch: SUSE-2016-1767
Released: Wed Dec  7 16:43:38 2016
Summary: Security update for libXi
Severity: moderate
References: 1002998,CVE-2016-7945,CVE-2016-7946
Description:

libXi was updated to fix two security issues.

These security issues were fixed:
- CVE-2016-7945: Integer overflows in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
- CVE-2016-7946: Insufficient validation of data in libXI can cause out of boundary memory access or endless loops (Denial of Service) (bsc#1002998).
  

-----------------------------------------
Patch: SUSE-2016-1770
Released: Wed Dec  7 16:45:33 2016
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1009280,CVE-2016-5542,CVE-2016-5554,CVE-2016-5556,CVE-2016-5568,CVE-2016-5573,CVE-2016-5597
Description:

This update for java-1_7_1-ibm fixes the following issues:

- Version update to 7.1-3.60 (bsc#1009280) Fixing the following CVE's:
  CVE-2016-5568, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
  CVE-2016-5542



-----------------------------------------
Patch: SUSE-2016-1774
Released: Thu Dec  8 11:05:39 2016
Summary: Security update for w3m
Severity: moderate
References: 1011283,1011284,1011285,1011286,1011287,1011288,1011289,1011290,1011291,1011292,1011293,1012021,1012022,1012023,1012024,1012025,1012026,1012027,1012028,1012029,1012030,1012031,1012032,CVE-2016-9434,CVE-2016-9435,CVE-2016-9436,CVE-2016-9437,CVE-2016-9438,CVE-2016-9439,CVE-2016-9440,CVE-2016-9441,CVE-2016-9442,CVE-2016-9443,CVE-2016-9621,CVE-2016-9622,CVE-2016-9623,CVE-2016-9624,CVE-2016-9625,CVE-2016-9626,CVE-2016-9627,CVE-2016-9628,CVE-2016-9629,CVE-2016-9630,CVE-2016-9631,CVE-2016-9632,CVE-2016-9633
Description:

This update for w3m fixes the following issues:

- update to debian git version (bsc#1011293)
  addressed security issues:
         CVE-2016-9622: w3m: null deref (bsc#1012021)
         CVE-2016-9623: w3m: null deref (bsc#1012022)
         CVE-2016-9624: w3m: near-null deref (bsc#1012023)
         CVE-2016-9625: w3m: stack overflow (bsc#1012024)
         CVE-2016-9626: w3m: stack overflow (bsc#1012025)
         CVE-2016-9627: w3m: heap overflow read + deref (bsc#1012026)
         CVE-2016-9628: w3m: null deref (bsc#1012027)
         CVE-2016-9629: w3m: null deref (bsc#1012028)
         CVE-2016-9630: w3m: global-buffer-overflow read (bsc#1012029)
         CVE-2016-9631: w3m: null deref (bsc#1012030)
         CVE-2016-9632: w3m: global-buffer-overflow read (bsc#1012031)
         CVE-2016-9633: w3m: OOM (bsc#1012032)
         CVE-2016-9434: w3m: null deref (bsc#1011283)
         CVE-2016-9435: w3m: use uninit value (bsc#1011284)
         CVE-2016-9436: w3m: use uninit value (bsc#1011285)
         CVE-2016-9437: w3m: write to rodata (bsc#1011286)
         CVE-2016-9438: w3m: null deref (bsc#1011287)
         CVE-2016-9439: w3m: stack overflow (bsc#1011288)
         CVE-2016-9440: w3m: near-null deref (bsc#1011289)
         CVE-2016-9441: w3m: near-null deref (bsc#1011290)
         CVE-2016-9442: w3m: potential heap buffer corruption (bsc#1011291)
         CVE-2016-9443: w3m: null deref (bsc#1011292)


-----------------------------------------
Patch: SUSE-2016-1775
Released: Thu Dec  8 11:06:08 2016
Summary: Security update for gc
Severity: moderate
References: 1011276,CVE-2016-9427
Description:

This update for gc fixes the following issues:

- integer overflow in GC_MALLOC_ATOMIC() (CVE-2016-9427, bsc#1011276)



-----------------------------------------
Patch: SUSE-2016-1827
Released: Thu Dec 15 12:41:10 2016
Summary: Security update for pcre
Severity: moderate
References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191
Description:

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please
make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre
and applications using the libary when accepting untrusted input
as regular expressions or as part thereof. Remote attackers could
have caused the application to crash, disclose information or
potentially execute arbitrary code. These security issues were fixed:

- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues 
- CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
- CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
- CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.


-----------------------------------------
Patch: SUSE-2016-1831
Released: Thu Dec 15 17:47:09 2016
Summary: Recommended update for tar
Severity: important
References: 1012633
Description:

This update for tar fixes a regression caused by the previous security update (bsc#1007188),
which limited append and create operations (bsc#1012633)


-----------------------------------------
Patch: SUSE-2016-1841
Released: Fri Dec 16 14:57:16 2016
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1014151
Description:

This update for suse-build-key extends the lifetime of the build@suse.de
GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151)

UID:
  pub  2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
  uid                            SuSE Package Signing Key <build@suse.de>


-----------------------------------------
Patch: SUSE-2016-1853
Released: Mon Dec 19 17:07:52 2016
Summary: Security update for ntp
Severity: moderate
References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606,CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Description:

This update for ntp fixes the following issues:

ntp was updated to 4.2.8p9.

Security issues fixed:

- CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6
  unauthenticated trap information disclosure and DDoS vector.
- CVE-2016-7427, bsc#1011390:
  Broadcast Mode Replay Prevention DoS.
- CVE-2016-7428, bsc#1011417:
  Broadcast Mode Poll Interval Enforcement DoS.
- CVE-2016-7431, bsc#1011395:
  Regression: 010-origin: Zero Origin Timestamp Bypass.
- CVE-2016-7434, bsc#1011398:
  Null pointer dereference in _IO_str_init_static_internal().
- CVE-2016-7429, bsc#1011404: Interface selection attack.
- CVE-2016-7426, bsc#1011406:
  Client rate limiting and server responses.
- CVE-2016-7433, bsc#1011411: Reboot sync calculation problem.
- CVE-2015-5219: An endless loop due to incorrect precision to
  double conversion (bsc#943216).

Non-security issues fixed:

- Fix a spurious error message.
- Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
- Fix a regression in 'trap' (bsc#981252).
- Reduce the number of netlink groups to listen on for changes to
  the local network setup (bsc#992606).
- Fix segfault in 'sntp -a' (bsc#1009434).
- Silence an OpenSSL version warning (bsc#992038).
- Make the resolver task change user and group IDs to the same
  values as the main task. (bsc#988028)
- Simplify ntpd's search for its own executable to prevent AppArmor
  warnings (bsc#956365).



-----------------------------------------
Patch: SUSE-2016-1863
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended updated for pth
Severity: low
References: 1013286
Description:

This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.


-----------------------------------------
Patch: SUSE-2016-1868
Released: Wed Dec 21 16:24:02 2016
Summary: Security update for gd
Severity: moderate
References: 1015187,CVE-2016-9933
Description:

This update for gd fixes the following issues:

* CVE-2016-9933 possible stackoverflow on malicious truecolor images [bsc#1015187]



-----------------------------------------
Patch: SUSE-2016-1871
Released: Wed Dec 21 17:18:14 2016
Summary: Initial release of cloud-regionsrv
Severity: low
References: 979331
Description:

This update adds cloud-regionsrv to the Public Cloud Module for SUSE Linux Enterprise
Server 12.

The region service provides functionality to correlate SMT server information with the
region in which they are deployed and provide this information to a guest that connects
using the region server client.

For detailed setup instructions see the best practices guide:
https://www.suse.com/documentation/suse-best-practices/publiccloudinfra/data/publiccloudinfra.html


-----------------------------------------
Patch: SUSE-2016-1883
Released: Thu Dec 22 10:27:40 2016
Summary: Recommended update for supportutils
Severity: low
References: 995387,997615
Description:

This update for supportutils fixes the following issues:

- Add limits to journalctl to speed up data collection. (bsc#997615)
- Restore missing vgs and lvs commands to lvm.txt. (bsc#995387)
- Collect information about network namespaces.


-----------------------------------------
Patch: SUSE-2016-1901
Released: Thu Dec 22 17:33:41 2016
Summary: Optional update for SLE 12 Modules for ARM64
Severity: low
References: 1002576
Description:

This update introduces many packages that were missing in the ARM64 version of
the Web and Scripting, Manager Tools and Public Cloud Modules for SUSE Linux
Enterprise Server 12 SP2.


-----------------------------------------
Patch: SUSE-2016-1903
Released: Thu Dec 22 19:05:17 2016
Summary: Recommended update for aws-cli, python-boto3, python-botocore
Severity: moderate
References: 1015776
Description:

This update for aws-cli, python-boto3, python-botocore provides many fixes and
enhancements. For a comprehensive list of changes please refer to the packages'
change log.

aws-cli (update to version 1.11.29):

- cloudfront: Add lambda function associations to cache behaviors.
- rds: Add cluster create data to DBCluster APIs.
- opsworks: Fix an issue with opsworks register --local and python3.
- waf-regional: Customers can use AWS WAF directly on Application Load Balancers in a
  VPC within available regions to protect their web sites and services from malicious
  attacks such as SQL injection, Cross Site Scripting, bad bots, etc.
- opsworks-cm: Rename opsworkscm to opsworks-cm, keeping support for opsworkscm.
- alias: Add ability to alias commands in the CLI.
- --generate-cli-skeleton output: Add support for generating sample output for command.
- cloudformation deploy: Add command to simplify deployments of cloudformation stack changes.
- cloudformation package: Add command to package source code for cloudfromation template.
- cloudtrail: Use STS instead of IAM in CreateSubscription.
- --region: Add support for us-east-2.
- s3: Display transfer speed for s3 commands.
- s3: Port mv to s3transfer.
- s3: Fix regression where 'sync --delete' would not delete local files.
- s3: Integrate sync command with s3transfer.
- s3: Output progress even when discovering new files to transfer.
- s3: Refactor rb into its own command. In addition, validate that no key is supplied regardless
  of whether or not the force argument is supplied.
- s3: Fix regression when downloading empty files.
- s3: Port cp and rm to s3transfer. Improve progress for those commands, showing byte progress.
- pagination: Fix validation error when providing --no-paginate with normalized paging argument.
- route53domains: Rename --end to --end-time to fix a bug relating to argparse prefix expansion.
  Alias --start to --start-time to maintain a consistent interface while keeping the old parameter.

python-botocore (update to version 1.4.86):

- cloudfront: Add lambda function associations to cache behaviors.
- rds: Add cluster create data to DBCluster APIs.
- waf-regional: Customers can use AWS WAF directly on Application Load Balancers in a
  VPC within available regions to protect their web sites and services from malicious
  attacks such as SQL injection, Cross Site Scripting, bad bots, etc.
- health: Add paginators for Health.
- Exceptions: Allow parsing of json error responses with non-json bodies.
- opsworks-cm: Added waiter for Opsworks CM.
- parameter: Automatically inject an idempotency token into parameters marked with the
  idempotencyToken trait.
- s3: Fix presigned s3v4 URL bug related to blank query parameters being filtered incorrectly.
- Presigner: Support presigning rest-json services.
- Loader: Support loading json extra files.
- Paginator: Add paginators for AWS WAF.
- Parsers: ResponseMetadata will now always be populated, provided the response was able to
  be parsed into a dict.
- Stub: Made ANY usable for nested parameters.

python-boto3 (update to version 1.4.2)


-----------------------------------------
Patch: SUSE-2016-1908
Released: Fri Dec 23 14:45:12 2016
Summary: Recommended update for pciutils
Severity: low
References: 1006827
Description:

This update for pciutils provides the following fixes:

- Enable proper support for 32-bit PCI domain numbers. (bsc#1006827)


-----------------------------------------
Patch: SUSE-2016-1911
Released: Fri Dec 23 18:02:19 2016
Summary: Security update for wget
Severity: moderate
References: 1005091,1012677,995964,CVE-2016-7098
Description:

This update for wget fixes the following issues:

Security issues fixed:
- CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext
  and making them accessible to the current user only. (bsc#995964)

Non security issues fixed:
- bsc#1005091: Don't call xfree() on string returned by usr_error()  
- bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforcable).


-----------------------------------------
Patch: SUSE-2016-1937
Released: Thu Dec 29 20:47:49 2016
Summary: Security update for tiff
Severity: moderate
References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351,CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Description:

The tiff library and tools were updated to version 4.0.7 fixing various bug and security issues.

- CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890]
- CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161]
- CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840]
- CVE-2016-9273: heap overflow [bnc#1010163]
- CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449]
- CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280]
- CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107]
- CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351]
- CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103]
- CVE-2016-5321: out-of-bounds read in tiffcrop /  DumpModeDecode() function [bnc#984813]
- CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) [bnc#984815]


-----------------------------------------
Patch: SUSE-2017-5
Released: Mon Jan  2 16:10:06 2017
Summary: Recommended update for alsa, pulseaudio
Severity: low
References: 1010690
Description:

This update for alsa and pulseaudio provides a new UCM profile for Cherry
Trail audio devices.


-----------------------------------------
Patch: SUSE-2017-15
Released: Thu Jan  5 11:26:43 2017
Summary: Recommended update for irqbalance
Severity: low
References: 998399
Description:

This update for irqbalance increases the maximum number of files that can be
opened simultaneously to 4096.


-----------------------------------------
Patch: SUSE-2017-27
Released: Sun Jan  8 13:11:03 2017
Summary: Security update for jasper
Severity: important
References: 1010977,1010979,1011830,1012530,1015993,CVE-2016-8654,CVE-2016-9395,CVE-2016-9398,CVE-2016-9560,CVE-2016-9591
Description:

This update for jasper fixes the following issues:

- CVE-2016-8654: Heap-based buffer overflow in QMFB code in JPC codec. (bsc#1012530)
- CVE-2016-9395: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010977)
- CVE-2016-9398: Invalid jasper files could lead to abort of the library caused by attacker provided image. (bsc#1010979)
- CVE-2016-9560: Stack-based buffer overflow in jpc_tsfb_getbands2. (bsc#1011830)
- CVE-2016-9591: Use-after-free on heap in jas_matrix_destroy. (bsc#1015993)


-----------------------------------------
Patch: SUSE-2017-32
Released: Mon Jan  9 11:50:42 2017
Summary: Recommended update for dirmngr
Severity: low
References: 994794
Description:

This update for dirmngr enables support for daemon mode.


-----------------------------------------
Patch: SUSE-2017-41
Released: Tue Jan 10 13:21:32 2017
Summary: Recommended update for cloud-init
Severity: moderate
References: 1016160,998103
Description:

This update for cloud-init provides fixes and enhancements:

- Move cloud.cfg into an own sub-package, allowing introduction of product-specific
  settings. (fate#322039, bsc#1016160)
- Adjust package license: AGPL-3.0 was added with 0.7.8.
- Store previous hostname so update_hostname module does not overwrite manually set
  host names. (bsc#998103)
- Add LocalDisk datasource. (fate#321107)
- Support repositories for zypper. (fate#322038)


-----------------------------------------
Patch: SUSE-2017-69
Released: Fri Jan 13 16:57:59 2017
Summary: Recommended update for gdk-pixbuf
Severity: low
References: 1010497,929462
Description:

This update for gdk-pixbuf provides the following fixes:

- Fix RGBA conversion for big endian X11 environments. (bsc#929462, bsc#1010497)


-----------------------------------------
Patch: SUSE-2017-74
Released: Mon Jan 16 16:00:50 2017
Summary: Recommended update for python-ec2uploadimg
Severity: low
References: 1007793
Description:

This update for python-ec2uploadimg to version 3.0.1 fixes the following
issue:

- ec2uploadimg did not transfer the device mapping properties from the donor image (bsc#1007793).

It also adds the following feature:

- Support new command line argument --instance-id to designate a
  running instance as the helper instance. Brings incompatible
  change of the uploader c-tor


-----------------------------------------
Patch: SUSE-2017-77
Released: Tue Jan 17 10:06:02 2017
Summary: Recommended update for salt
Severity: moderate
References: 1003449,1004047,1004260,1004723,1008933,1012398,986019,999852,CVE-2016-9639
Description:

This update for Salt fixes one security issue and several non-security issues.

The following security issue has been fixed:

- Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)

The following non-security issues have been fixed:

- Update to 2015.8.12
- Add pre-require to salt for minions.
- Do not restart salt-minion in salt package.
- Add try-restart to sys-v init scripts.
- Add 'Restart=on-failure' for salt-minion systemd service.
- Re-introduce 'KillMode=process' for salt-minion systemd service.
- Successfully exit of salt-api child processes when SIGTERM is received.
- Fix exit codes of sysv init script. (bsc#999852)
- Include resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster. (bsc#1004723)
- Add 'dist-upgrade' support to zypper module. (fate#320559)
- Fix position of -X option to setfacl. (bsc#1004260)
- Fix generated shebang in scripts on SLES-ES 7. (bsc#1004047)
- Fix changing default-timezone. (bsc#1008933)


-----------------------------------------
Patch: SUSE-2017-138
Released: Mon Jan 23 13:26:01 2017
Summary: Security update for openssh
Severity: moderate
References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Description:

This update for openssh fixes several issues.

These security issues were fixed:

- CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480).
- CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370).
- CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366).
- CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have be created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected.
- CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369).

These non-security issues were fixed:

- Adjusted suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
- Properly verify CIDR masks in configuration (bsc#1005893)


-----------------------------------------
Patch: SUSE-2017-147
Released: Tue Jan 24 23:01:42 2017
Summary: Recommended update for openssh
Severity: important
References: 1021626
Description:

This update for openssh fixes the following issues:

- A previous update contained a logic flaw that broke OpenSSH's interpretation
  of the 'DenyUser' config option. That regression could have lead to an exact
  inversion of the intended meaning, i.e. OpenSSH could have locked out all users
  except the one that was supposed to be denied access. [bsc#1021626]


-----------------------------------------
Patch: SUSE-2017-170
Released: Mon Jan 30 19:13:36 2017
Summary: Initial release of Salt
Severity: low
References: 989693
Description:

This update adds Salt to the Advanced Systems Management 12 Module.

Salt is a distributed remote execution system used to execute commands and
query data. It was developed in order to bring the best solutions found in
the world of remote execution together and make them better, faster and more
malleable. Salt accomplishes this via its ability to handle larger loads of
information, and not just dozens, but hundreds or even thousands of individual
servers, handle them quickly and through a simple and manageable interface.


-----------------------------------------
Patch: SUSE-2017-185
Released: Thu Feb  2 18:22:37 2017
Summary: Security update for cpio
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:

This update for cpio fixes two issues.

This security issue was fixed:

- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

This non-security issue was fixed:

- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB


-----------------------------------------
Patch: SUSE-2017-192
Released: Fri Feb  3 18:46:05 2017
Summary: Security update for libxml2
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:

This update for libxml2 fixes the following issues:

* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files
and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).


-----------------------------------------
Patch: SUSE-2017-209
Released: Tue Feb  7 17:00:47 2017
Summary: Recommended update for libseccomp
Severity: low
References: 1019900
Description:

This update provides libseccomp version 2.3.1 which fixes the following issues:

- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x


-----------------------------------------
Patch: SUSE-2017-212
Released: Wed Feb  8 13:07:24 2017
Summary: Security update for expat
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:

This update for expat fixes the following security issues:

- CVE-2012-6702: Expat, when used in a parser that has not
  called XML_SetHashSalt or passed it a seed of 0, made it easier for
  context-dependent attackers to defeat cryptographic protection mechanisms
  via vectors involving use of the srand function.  (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy
  for hash initialization, which allowed context-dependent attackers to
  cause a denial of service (CPU consumption) via crafted identifiers in
  an XML document. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2012-0876.  (bsc#983216)


-----------------------------------------
Patch: SUSE-2017-231
Released: Mon Feb 13 11:40:25 2017
Summary: Security update for tiff
Severity: moderate
References: 1019611,1022103,CVE-2017-5225
Description:

This update for tiff fixes the following issues:

- A crafted TIFF image could cause a crash and potential code execution when
processed by the 'tiffcp' utility (CVE-2017-5225, bsc#1019611).

Also a regression from the version update to 4.0.7 was fixed in
handling TIFFTAG_FAXRECVPARAMS. (bsc#1022103)



-----------------------------------------
Patch: SUSE-2017-240
Released: Wed Feb 15 07:29:29 2017
Summary: Security update for libXpm
Severity: moderate
References: 1021315,CVE-2016-10164
Description:

This update for libXpm fixes the following issues:

- A heap overflow in XPM handling could be used by attackers supplying XPM files to 
  crash or potentially execute code. (bsc#1021315)


-----------------------------------------
Patch: SUSE-2017-241
Released: Wed Feb 15 07:30:57 2017
Summary: Security update for gd
Severity: moderate
References: 1022263,1022264,1022265,1022283,1022284,1022553,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-6906,CVE-2016-6912,CVE-2016-9317
Description:

This update for gd fixes the following security issues:

- CVE-2016-6906: An out-of-bounds read in TGA decompression was fixed which could have lead to crashes. (bsc#1022553)
- CVE-2016-6912: Double free vulnerability in the gdImageWebPtr function
  in the GD Graphics Library (aka libgd) allowed remote attackers to have
  unspecified impact via large width and height values. (bsc#1022284)
- CVE-2016-9317: The gdImageCreate function in the GD Graphics Library
  (aka libgd) allowed remote attackers to cause a denial of service
  (system hang) via an oversized image.  (bsc#1022283)
- CVE-2016-10166: A potential unsigned underflow in gd interpolation
  functions could lead to memory corruption in the GD Graphics Library (aka libgd) (bsc#1022263)
- CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx()
  could lead to libgd running out of memory even on small files. (bsc#1022264)
- CVE-2016-10168: A signed integer overflow in the GD Graphics Library (aka libgd) could lead
  to memory corruption (bsc#1022265)


-----------------------------------------
Patch: SUSE-2017-261
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1019276
Description:

This update for dirmngr fixes the following issues:

- Properly initialize the dirmngr tmpfilesd files right away and not
  just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds
  wrt (bsc#1019276)
- Proprely require logrotate as we need it for the dirmngr configs


-----------------------------------------
Patch: SUSE-2017-319
Released: Fri Mar  3 17:46:48 2017
Summary: Security update for compat-openssl098
Severity: moderate
References: 1000677,1001912,1004499,1005878,1019334,1021641,984663,CVE-2016-2108,CVE-2016-7056,CVE-2016-8610
Description:

This update for compat-openssl098 fixes the following issues contained in the
OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)

Security issues fixed:
- CVE-2016-7056: A local ECSDA P-256 timing attack that might have allowed key recovery was fixed (bsc#1019334)
- CVE-2016-8610: A remote denial of service in SSL alert handling was fixed (bsc#1005878)
- degrade 3DES to MEDIUM in SSL2 (bsc#1001912)
- CVE-2016-2108: Added a missing commit for CVE-2016-2108, fixing the negative zero handling in the ASN.1 decoder (bsc#1004499)

Bugs fixed:
- fix crash in openssl speed (bsc#1000677)
- don't attempt session resumption if no ticket is present and session
  ID length is zero (bsc#984663)


-----------------------------------------
Patch: SUSE-2017-332
Released: Tue Mar  7 13:04:31 2017
Summary: Recommended update for boost
Severity: low
References: 1017048,1019896
Description:

This update for boost provides the following fixes:

- Enable build of 32bit version of libboost_locale1_54_0. (bsc#1017048)
- Ship ppc64le and s390x versions of libboost_random1_54_0. (bsc#1019896)


-----------------------------------------
Patch: SUSE-2017-347
Released: Wed Mar  8 12:23:47 2017
Summary: Recommended update for Salt
Severity: moderate
References: 1011304,1017078
Description:

This update for salt fixes the following issues:

- Fix invalid chars allowed for data IDs. (bsc#1011304)
- Fix timezone: Should be always in UTC. (bsc#1017078)
- Fixes wrong 'enabled' opts for yumnotify plugin.
- SSH-option parameter for salt-ssh command.


-----------------------------------------
Patch: SUSE-2017-354
Released: Thu Mar  9 11:31:22 2017
Summary: Recommended update for timezone
Severity: low
References: 1024676,1024677
Description:

This update provides the latest timezone information (2017a) for your system, including the
following changes:

- Mongolia no longer observes DST. (bsc#1024676)
- Chile's Region of Magallanes moves from -04/-03 to -03 year-round starting 2017-05-13 23:00.
  Split from America/Santiago creating a new zone America/Punta_Arenas.
  Also affects Antarctica/Palmer. (bsc#1024677)
- Fixes to historical time stamps: Spain, Ecuador, Atyrau, Oral.
- Switch to numeric, or commonly used time zone abbreviations.
- zic(8) no longer mishandles some transitions in January 2038.
- date and strftime now cause %z to generate '-0000' instead of '+0000' when the UT offset is
  zero and the time zone abbreviation begins with '-'.


-----------------------------------------
Patch: SUSE-2017-357
Released: Thu Mar  9 15:12:40 2017
Summary: Recommended update for jasper
Severity: low
References: 1028070
Description:

This update for jasper provides the following fixes:

- Add -D_BSD_SOURCE to fix redefinition of system types in jas_config.h, which
  could lead to build failures on ppc64le, s390 and s390x. (bsc#1028070)


-----------------------------------------
Patch: SUSE-2017-365
Released: Fri Mar 10 15:16:59 2017
Summary: Recommended update for sg3_utils
Severity: low
References: 1006175
Description:

This update for sg3_utils fixes the following issue:

- Add udev rules to handle legacy CCISS devices (bsc#1006175)


-----------------------------------------
Patch: SUSE-2017-369
Released: Mon Mar 13 14:39:38 2017
Summary: Recommended update for cloud-init
Severity: low
References: 1017832,1024709,930524
Description:

This update for cloud-init provides the following fixes:

- Do not set mount options for ephemeral drive, use the defaults that are built
  into the code. (bsc#930524)
- Fix path to cloud-init.target in cloud-init-generator. (bsc#1024709)
- Exit with a proper error message when user attempts to use the 'query' command.
  (bsc#1017832)
- Require net-tools for network setup.


-----------------------------------------
Patch: SUSE-2017-395
Released: Fri Mar 17 08:39:43 2017
Summary: Security update for java-1_7_1-ibm
Severity: moderate
References: 1027038,CVE-2016-2183
Description:

This update for java-1_7_1-ibm fixes the following issues:

Security issue fixed:
- CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and
  other protocols and products, have a birthday bound of approximately four billion blocks, which
  makes it easier for remote attackers to obtain cleartext data via a birthday attack against a
  long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode,
  aka a 'Sweet32' attack. (bsc#1027038)


-----------------------------------------
Patch: SUSE-2017-403
Released: Fri Mar 17 14:08:10 2017
Summary: Recommended update for mlocate
Severity: low
References: 1019440,902588,941296,994663
Description:

This update for mlocate provides the following fixes:

- Update the umask also in su section where it could be nulled. (bsc#1019440)
- Adjust updatedb.conf to no longer skip indexing of bind mounts. (bsc#994663)
- Exit with error code 1 when updatedb is not executable.
- Add more file systems to exclude in updatedb.conf.
- Specify umask to allow user to redefine the value in login.defs. (bsc#941296)
- Remove references to the 'locate' group that was obsoleted. (bsc#902588)


-----------------------------------------
Patch: SUSE-2017-439
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Severity: low
References: 1028305,959693
Description:

This update for netcfg provides the following fixes:

- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not
  add all the names and emails at the bottom of the file. (bsc#959693)


-----------------------------------------
Patch: SUSE-2017-445
Released: Tue Mar 21 18:27:18 2017
Summary: Recommended update for man
Severity: low
References: 1025597,786679,986211
Description:

This update for man provides the following fixes:

- Stop using the wrapper that squashed root privileges down to uid man. (bsc#986211, bsc#1025597)
- Add description of MAN_POSIXLY_CORRECT in man.man1. (bsc#786679)


-----------------------------------------
Patch: SUSE-2017-446
Released: Wed Mar 22 13:26:13 2017
Summary: Recommended update for python3
Severity: low
References: 1027282,1029377
Description:

This update provides Python 3.4.6, which brings the following fixes:

- Fix potential crash in PyUnicode_AsDecodedObject() in debug build.
- Fix possible DoS and arbitrary execution in gettext plurals.
- Fix possible use of uninitialized memory in operator.methodcaller.
- Fix possible Py_DECREF on unowned object in _sre.
- Fix possible integer overflow in _csv module.
- Fix selectors incorrectly retaining invalid file descriptors.
- Move _elementtree to python3.rpm to match its pyexpat dependency. (bsc#1029377)

For a comprehensive list of changes, please refer to the upstream Release Notes
available at https://hg.python.org/cpython/raw-file/v3.4.6/Misc/NEWS


-----------------------------------------
Patch: SUSE-2017-448
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Severity: moderate
References: 1027282,964182
Description:

This update provides Python 2.7.13, which brings several bug fixes.

- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.

For a comprehensive list of changes, please refer to the upstream Release Notes
available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS


-----------------------------------------
Patch: SUSE-2017-451
Released: Wed Mar 22 15:55:40 2017
Summary: Security update for wget
Severity: moderate
References: 1028301,CVE-2017-6508
Description:

This update for wget fixes the following issues:

Security issue fixed:
- CVE-2017-6508: (url_parse): Reject control characters in host part of URL (bsc#1028301).


-----------------------------------------
Patch: SUSE-2017-454
Released: Thu Mar 23 11:19:45 2017
Summary: Initial release of python-kiwi
Severity: low
References: 1011342
Description:

This update adds python-kiwi to the SLE 12-SP2 codestream. This replaces python3-kiwi
released in February.


-----------------------------------------
Patch: SUSE-2017-457
Released: Fri Mar 24 12:35:18 2017
Summary: Recommended update for timezone
Severity: low
References: 1030417
Description:

This update provides the latest timezone information (2017b) for your system, including following changes:

- Haiti resumed observance of DST in 2017.
- Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
- Use 'MMT' to abbreviate Liberia's time zone before 1972.


-----------------------------------------
Patch: SUSE-2017-458
Released: Fri Mar 24 13:49:49 2017
Summary: Recommended update for fdupes
Severity: low
References: 1005386
Description:

This update for fdupes provides the following fixes and enhancements:

- Add new options: --nohidden, --permissions, --order, --reverse, --immediate.
- Speed up file comparison.
- Fix bug where fdupes fails to consistently ignore hardlinks, depending on
  file processing order, when F_CONSIDERHARDLINKS flag is not set.
- Using tty for interactive input instead of regular stdin. This is to allow
  feeding filenames via stdin in future versions of fdupes without breaking
  interactive deletion feature.
- Sort the output of fdupes by filename to make it deterministic for parallel
  builds. (bsc#1005386)


-----------------------------------------
Patch: SUSE-2017-478
Released: Wed Mar 29 13:02:30 2017
Summary: Security update for libpng16
Severity: moderate
References: 1017646,CVE-2016-10087
Description:

This update for libpng16 fixes the following issues:

Security issues fixed:
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-482
Released: Wed Mar 29 15:40:19 2017
Summary: Security update for libpng12
Severity: moderate
References: 1017646,958791,CVE-2015-8540,CVE-2016-10087
Description:

This update for libpng12 fixes the following issues:

Security issues fixed:
- CVE-2015-8540: read underflow in libpng (bsc#958791)
- CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646)


-----------------------------------------
Patch: SUSE-2017-540
Released: Wed Apr  5 12:16:37 2017
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1005609,1019211,945937,990356
Description:

This update for nfs-utils fixes the following issues:

- Make mount.nfs return failure if statd is being slow to start due to DNS issues. (bsc#945937)
- Include various upstream systemd unit file updates to ensure correct starting dependencies
  of nfsd and rpcbind. (bsc#990356)
- Fix typos relating to version setting in nfs-utils_env.sh. (bsc#990356)
- Only require a filesystem to be mounted if it isn't marked 'noauto' in /etc/fstab.
  (bsc#1019211)
- Move rpc.svcgssd and corresponding man page from nfs-client package to nfs-kernel-server.
  For NFSv4.0 this is needed on client as well as the server to support the back-channel.
  (bsc#1005609)


-----------------------------------------
Patch: SUSE-2017-549
Released: Thu Apr  6 11:37:56 2017
Summary: Recommended update for harfbuzz
Severity: low
References: 1030465
Description:

Harfbuzz was updated to version 1.4.5, which brings several fixes and enhancements:

- Fix buffer-overrun in Bengali.
- Route Adlam script to Arabic shaper.
- Implement OpenType Font Variation tables avar/fvar/HVAR/VVAR.
- hb-shape and hb-view now accept --variations.
- Always build and use UCDN for Unicode data by default.
- Add core of support for OpenType 1.8 Font Variations.
- New APIs:
  - hb_font_set_face().
  - hb_font_set_var_coords_normalized().
  - HB_OT_LAYOUT_NO_VARIATIONS_INDEX.
  - hb_ot_layout_table_find_feature_variations().
  - hb_ot_layout_feature_with_variations_get_lookups().
  - hb_shape_plan_create2().
  - hb_shape_plan_create_cached2().
- Deprecate API: hb_graphite2_font_get_gr_font().
- Fix regression in GDEF glyph class processing.
- Add decompositions for Chakma, Limbu, and Balinese in USE shaper.
- Fix vertical glyph origin in hb-ot-font.
- Implement CBDT/CBLC color font glyph extents in hb-ot-font.
- Implement parsing of OpenType MATH table.
- Blacklist bad GDEF of more fonts.


-----------------------------------------
Patch: SUSE-2017-551
Released: Thu Apr  6 14:28:02 2017
Summary: Security update for jasper
Severity: moderate
References: 1015400,1018088,1020353,1021868,1029497,CVE-2016-10251,CVE-2016-9583,CVE-2016-9600,CVE-2017-5498,CVE-2017-6850
Description:

This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9600: Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder (bsc#1018088)
- CVE-2016-10251: Use of uninitialized value in jpc_pi_nextcprl (jpc_t2cod.c) (bsc#1029497)
- CVE-2017-5498: left-shift undefined behaviour (bsc#1020353)
- CVE-2017-6850: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) (bsc#1021868)
- CVE-2016-9583: Out of bounds heap read in jpc_pi_nextpcrl() (bsc#1015400)


-----------------------------------------
Patch: SUSE-2017-571
Released: Tue Apr 11 14:34:28 2017
Summary: Recommended update for python-enum34
Severity: low
References: 1014478
Description:

This update provides python-enum34 1.1.3, which brings fixes for minor issues
and some enhancements.


-----------------------------------------
Patch: SUSE-2017-580
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Severity: important
References: 1028410
Description:

This update for cpio fixes the following issues:

- A regression caused cpio to crash for tar and ustar archive types
  [bsc#1028410]


-----------------------------------------
Patch: SUSE-2017-589
Released: Thu Apr 13 13:12:45 2017
Summary: Recommended update for libtool
Severity: moderate
References: 1010802
Description:

This update for libtool prevents a segmentation fault caused by insufficient error
handling on out-of-memory situations.


-----------------------------------------
Patch: SUSE-2017-591
Released: Thu Apr 13 13:58:28 2017
Summary: Recommended update for python-azure-sdk
Severity: low
References: 1014478
Description:

This update adds python-adal, python-msrest and python-msrestazure to the Public Cloud Module
for SUSE Linux Enterprise Server 12. These packages are new requirements of python-azure-sdk.


-----------------------------------------
Patch: SUSE-2017-598
Released: Mon Apr 17 22:56:57 2017
Summary: Recommended update for ruby-common, rubygem-gem2rpm
Severity: low
References: 963710
Description:

This update for ruby-common, rubygem-gem2rpm fixes the following issues:

ruby-common:

- Since rubygems 2.5.0 the default version in the gem bin stub changed from '>= 0'
  to '>= 0.a'. This was done to allow pre-release versions. Our patching script
  didn't take the '.a' into account and generated version fields like '= 0.10.1.a'
  instead of the expected '= 0.10.1'. This fix accounts for the '.a'.

Changes in rubygem-gem2rpm:

- Fix 'gem2rpm --fetch': prefer https for accessing rubygems.org. (bsc#963710)
- Add support for Ruby 2.3.0 and 2.4.0.
- Add :post_patch hook to run commands before we rebuild the gem used by libv8.
- Add support for rubinius 2.5 and remove support for 2.2.
- No longer require the Ruby version inside the sub-package. With BuildRequires
  we already make sure that the package is only built if we find a recent enough
  ABI. Then the normal $interpreter(abi) requires generated by rpm is enough.
- Move to new packaging templates by default.


-----------------------------------------
Patch: SUSE-2017-610
Released: Tue Apr 18 11:29:22 2017
Summary: Security update for tiff
Severity: important
References: 1031247,1031249,1031250,1031254,1031255,1031262,1031263,CVE-2016-10266,CVE-2016-10267,CVE-2016-10268,CVE-2016-10269,CVE-2016-10270,CVE-2016-10271,CVE-2016-10272
Description:

This update for tiff fixes the following issues:

Security issues fixed:
- CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to
  'WRITE of size 2048' and libtiff/tif_next.c:64:9 (bsc#1031247).
- CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 1' and libtiff/tif_fax3.c:413:13
  (bsc#1031249).
- CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 8' and libtiff/tif_read.c:523:22 (bsc#1031250).
- CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to
  'READ of size 512' and libtiff/tif_unix.c:340:2 (bsc#1031254).
- CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
  service (integer underflow and heap-based buffer under-read) or possibly have unspecified other
  impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23
  (bsc#1031255).
- CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_ojpeg.c:816:8 (bsc#1031262).
- CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service
  (divide-by-zero error and application crash) via a crafted TIFF image, related to
  libtiff/tif_read.c:351:22. (bsc#1031263).


-----------------------------------------
Patch: SUSE-2017-611
Released: Tue Apr 18 16:05:49 2017
Summary: Security update for ntp
Severity: moderate
References: 1014172,1030050,CVE-2016-9042,CVE-2017-6451,CVE-2017-6458,CVE-2017-6460,CVE-2017-6462,CVE-2017-6463,CVE-2017-6464
Description:

This ntp update to version 4.2.8p10 fixes serveral issues.

This updated enables leap smearing. See
/usr/share/doc/packages/ntp/README.leapsmear for details.

Security issues fixed (bsc#1030050):

- CVE-2017-6464: Denial of Service via Malformed Config
- CVE-2017-6462: Buffer Overflow in DPTS Clock
- CVE-2017-6463: Authenticated DoS via Malicious Config Option
- CVE-2017-6458: Potential Overflows in ctl_put() functions
- CVE-2017-6451: Improper use of snprintf() in mx4200_send()
- CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist
- CVE-2016-9042: 0rigin (zero origin) DoS.
- ntpq_stripquotes() returns incorrect Value
- ereallocarray()/eallocarray() underused
- Copious amounts of Unused Code
- Off-by-one in Oncore GPS Receiver
- Makefile does not enforce Security Flags

Bugfixes:

- Remove spurious log messages (bsc#1014172).
- clang scan-build findings
- Support for openssl-1.1.0 without compatibility modes
- Bugfix 3072 breaks multicastclient
- forking async worker: interrupted pipe I/O
- (...) time_pps_create: Exec format error
- Incorrect Logic for Peer Event Limiting
- Change the process name of forked DNS worker
- Trap Configuration Fail
- Nothing happens if minsane < maxclock < minclock
- allow -4/-6 on restrict line with mask
- out-of-bound pointers in ctl_putsys and decode_bitflags
- Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for
  transactional updates.


-----------------------------------------
Patch: SUSE-2017-624
Released: Thu Apr 20 08:35:35 2017
Summary: Security update for ruby2.1
Severity: important
References: 1014863,1018808,887877,909695,926974,936032,959495,986630,CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Description:

This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed:
- CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
- CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032)
- CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of
  hostnames (bsc#926974)
- CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877)

Bugfixes:
- SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863)
- Segmentation fault after pack & ioctl & unpack (bsc#909695)
- Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog:
- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog


-----------------------------------------
Patch: SUSE-2017-643
Released: Tue Apr 25 19:11:45 2017
Summary: Recommended update for ruby2.1
Severity: important
References: 1014863,1035988
Description:

This update for ruby2.1 fixes a regression introduced by a previous update that
was intended to fix insufficient support for domain wildcards in the $no_proxy
environment variable.


-----------------------------------------
Patch: SUSE-2017-644
Released: Wed Apr 26 17:31:22 2017
Summary: Security update for tcpdump, libpcap
Severity: moderate
References: 1020940,1035686,905870,905871,905872,922220,922221,922222,922223,927637,CVE-2014-8767,CVE-2014-8768,CVE-2014-8769,CVE-2015-0261,CVE-2015-2153,CVE-2015-2154,CVE-2015-2155,CVE-2015-3138,CVE-2016-7922,CVE-2016-7923,CVE-2016-7924,CVE-2016-7925,CVE-2016-7926,CVE-2016-7927,CVE-2016-7928,CVE-2016-7929,CVE-2016-7930,CVE-2016-7931,CVE-2016-7932,CVE-2016-7933,CVE-2016-7934,CVE-2016-7935,CVE-2016-7936,CVE-2016-7937,CVE-2016-7938,CVE-2016-7939,CVE-2016-7940,CVE-2016-7973,CVE-2016-7974,CVE-2016-7975,CVE-2016-7983,CVE-2016-7984,CVE-2016-7985,CVE-2016-7986,CVE-2016-7992,CVE-2016-7993,CVE-2016-8574,CVE-2016-8575,CVE-2017-5202,CVE-2017-5203,CVE-2017-5204,CVE-2017-5205,CVE-2017-5341,CVE-2017-5342,CVE-2017-5482,CVE-2017-5483,CVE-2017-5484,CVE-2017-5485,CVE-2017-5486
Description:

This update for tcpdump to version 4.9.0 and libpcap to version 1.8.1 fixes the several issues.

These security issues were fixed in tcpdump:

- CVE-2016-7922: The AH parser in tcpdump had a buffer overflow in print-ah.c:ah_print() (bsc#1020940).
- CVE-2016-7923: The ARP parser in tcpdump had a buffer overflow in print-arp.c:arp_print() (bsc#1020940).
- CVE-2016-7924: The ATM parser in tcpdump had a buffer overflow in print-atm.c:oam_print() (bsc#1020940).
- CVE-2016-7925: The compressed SLIP parser in tcpdump had a buffer overflow in print-sl.c:sl_if_print() (bsc#1020940).
- CVE-2016-7926: The Ethernet parser in tcpdump had a buffer overflow in print-ether.c:ethertype_print() (bsc#1020940).
- CVE-2016-7927: The IEEE 802.11 parser in tcpdump had a buffer overflow in print-802_11.c:ieee802_11_radio_print() (bsc#1020940).
- CVE-2016-7928: The IPComp parser in tcpdump had a buffer overflow in print-ipcomp.c:ipcomp_print() (bsc#1020940).
- CVE-2016-7929: The Juniper PPPoE ATM parser in tcpdump had a buffer overflow in print-juniper.c:juniper_parse_header() (bsc#1020940).
- CVE-2016-7930: The LLC/SNAP parser in tcpdump had a buffer overflow in print-llc.c:llc_print() (bsc#1020940).
- CVE-2016-7931: The MPLS parser in tcpdump had a buffer overflow in print-mpls.c:mpls_print() (bsc#1020940).
- CVE-2016-7932: The PIM parser in tcpdump had a buffer overflow in print-pim.c:pimv2_check_checksum() (bsc#1020940).
- CVE-2016-7933: The PPP parser in tcpdump had a buffer overflow in print-ppp.c:ppp_hdlc_if_print() (bsc#1020940).
- CVE-2016-7934: The RTCP parser in tcpdump had a buffer overflow in print-udp.c:rtcp_print() (bsc#1020940).
- CVE-2016-7935: The RTP parser in tcpdump had a buffer overflow in print-udp.c:rtp_print() (bsc#1020940).
- CVE-2016-7936: The UDP parser in tcpdump had a buffer overflow in print-udp.c:udp_print() (bsc#1020940).
- CVE-2016-7937: The VAT parser in tcpdump had a buffer overflow in print-udp.c:vat_print() (bsc#1020940).
- CVE-2016-7938: The ZeroMQ parser in tcpdump had an integer overflow in print-zeromq.c:zmtp1_print_frame() (bsc#1020940).
- CVE-2016-7939: The GRE parser in tcpdump had a buffer overflow in print-gre.c, multiple functions (bsc#1020940).
- CVE-2016-7940: The STP parser in tcpdump had a buffer overflow in print-stp.c, multiple functions (bsc#1020940).
- CVE-2016-7973: The AppleTalk parser in tcpdump had a buffer overflow in print-atalk.c, multiple functions (bsc#1020940).
- CVE-2016-7974: The IP parser in tcpdump had a buffer overflow in print-ip.c, multiple functions (bsc#1020940).
- CVE-2016-7975: The TCP parser in tcpdump had a buffer overflow in print-tcp.c:tcp_print() (bsc#1020940).
- CVE-2016-7983: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2016-7984: The TFTP parser in tcpdump had a buffer overflow in print-tftp.c:tftp_print() (bsc#1020940).
- CVE-2016-7985: The CALM FAST parser in tcpdump had a buffer overflow in print-calm-fast.c:calm_fast_print() (bsc#1020940).
- CVE-2016-7986: The GeoNetworking parser in tcpdump had a buffer overflow in print-geonet.c, multiple functions (bsc#1020940).
- CVE-2016-7992: The Classical IP over ATM parser in tcpdump had a buffer overflow in print-cip.c:cip_if_print() (bsc#1020940).
- CVE-2016-7993: A bug in util-print.c:relts_print() in tcpdump could cause a buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, lightweight resolver protocol, PIM) (bsc#1020940).
- CVE-2016-8574: The FRF.15 parser in tcpdump had a buffer overflow in print-fr.c:frf15_print() (bsc#1020940).
- CVE-2016-8575: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2017-5482 (bsc#1020940).
- CVE-2017-5202: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2017-5203: The BOOTP parser in tcpdump had a buffer overflow in print-bootp.c:bootp_print() (bsc#1020940).
- CVE-2017-5204: The IPv6 parser in tcpdump had a buffer overflow in print-ip6.c:ip6_print() (bsc#1020940).
- CVE-2017-5205: The ISAKMP parser in tcpdump had a buffer overflow in print-isakmp.c:ikev2_e_print() (bsc#1020940).
- CVE-2017-5341: The OTV parser in tcpdump had a buffer overflow in print-otv.c:otv_print() (bsc#1020940).
- CVE-2017-5342: In tcpdump a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print() (bsc#1020940).
- CVE-2017-5482: The Q.933 parser in tcpdump had a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575 (bsc#1020940).
- CVE-2017-5483: The SNMP parser in tcpdump had a buffer overflow in print-snmp.c:asn1_parse() (bsc#1020940).
- CVE-2017-5484: The ATM parser in tcpdump had a buffer overflow in print-atm.c:sig_print() (bsc#1020940).
- CVE-2017-5485: The ISO CLNS parser in tcpdump had a buffer overflow in addrtoname.c:lookup_nsap() (bsc#1020940).
- CVE-2017-5486: The ISO CLNS parser in tcpdump had a buffer overflow in print-isoclns.c:clnp_print() (bsc#1020940).
- CVE-2015-3138: Fixed potential denial of service in print-wb.c (bsc#927637).
- CVE-2015-0261: Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value (bsc#922220).
- CVE-2015-2153: The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a crafted header length in an RPKI-RTR Protocol Data Unit (PDU) (bsc#922221).
- CVE-2015-2154: The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump allowed remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value (bsc#922222).
- CVE-2015-2155: The force printer in tcpdump allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors (bsc#922223).
- CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6 when in verbose mode, allowed remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame (bsc#905870).
- CVE-2014-8768: Multiple Integer underflows in the geonet_print function in tcpdump when run in verbose mode, allowed remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame (bsc#905871).
- CVE-2014-8769: tcpdump might have allowed remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access (bsc#905872).

These non-security issues were fixed in tcpdump:

- PPKI to Router Protocol: Fix Segmentation Faults and other problems
- RPKI to Router Protocol: print strings with fn_printn()
- Added a short option '#', same as long option '--number'
- nflog, mobile, forces, pptp, AODV, AHCP, IPv6, OSPFv4, RPL, DHCPv6 enhancements/fixes
- M3UA decode added.
- Added bittok2str().
- A number of unaligned access faults fixed
- The -A flag does not consider CR to be printable anymore
- fx.lebail took over coverity baby sitting
- Default snapshot size increased to 256K for accomodate USB captures

These non-security issues were fixed in libpcap:

- Provide a -devel-static subpackage that contains the static
  libraries and all the extra dependencies which are not needed
  for dynamic linking.
- Fix handling of packet count in the TPACKET_V3 inner loop
- Filter out duplicate looped back CAN frames.
- Fix the handling of loopback filters for IPv6 packets.
- Add a link-layer header type for RDS (IEC 62106) groups.
- Handle all CAN captures with pcap-linux.c, in cooked mode.
- Removes the need for the 'host-endian' link-layer header type.
- Have separate DLTs for big-endian and host-endian SocketCAN headers.
- Properly check for sock_recv() errors.
- Re-impose some of Winsock's limitations on sock_recv().
- Replace sprintf() with pcap_snprintf().
- Fix signature of pcap_stats_ex_remote().
- Have rpcap_remoteact_getsock() return a SOCKET and supply an 'is active' flag.
- Clean up {DAG, Septel, Myricom SNF}-only builds.
- pcap_create_interface() needs the interface name on Linux.
- Clean up hardware time stamp support: the 'any' device does not support any time stamp types.
- Recognize 802.1ad nested VLAN tag in vlan filter.
- Support for filtering Geneve encapsulated packets.
- Fix handling of zones for BPF on Solaris
- Added bpf_filter1() with extensions
- EBUSY can now be returned by SNFv3 code.
- Don't crash on filters testing a non-existent link-layer type field.
- Fix sending in non-blocking mode on Linux with memory-mapped capture.
- Fix timestamps when reading pcap-ng files on big-endian machines.
- Fixes for byte order issues with NFLOG captures
- Handle using cooked mode for DLT_NETLINK in activate_new().


-----------------------------------------
Patch: SUSE-2017-656
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Severity: low
References: 1019518,1025034
Description:

This update for sqlite3 provides the following fixes:

- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL.
  This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the
  in-memory journal in an inconsistent state and result in a segmentation fault.
  (bsc#1019518)


-----------------------------------------
Patch: SUSE-2017-668
Released: Tue May  2 16:45:00 2017
Summary: Security update for graphite2
Severity: important
References: 1035204,CVE-2017-5436
Description:

This update for graphite2 fixes one issue.

This security issues was fixed:

- CVE-2017-5436: An out-of-bounds write triggered with a maliciously crafted Graphite font could lead to a crash or potentially code execution (bsc#1035204).


-----------------------------------------
Patch: SUSE-2017-732
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Severity: low
References: 1030621
Description:

This update for procps fixes the following issues:

- Command w(1) with option -n doesn't work. (bsc#1030621)


-----------------------------------------
Patch: SUSE-2017-735
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Severity: low
References: 1036736,986783
Description:

This update for gpg2 provides the following fixes:

- Do not install CAcert and other root certificates which are not needed with
  Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)


-----------------------------------------
Patch: SUSE-2017-748
Released: Thu May 11 16:23:31 2017
Summary: Security update for MozillaFirefox, mozilla-nss, mozilla-nspr, java-1_8_0-openjdk
Severity: important
References: 1015499,1015547,1021636,1026102,1030071,1035082,983639,CVE-2016-1950,CVE-2016-2834,CVE-2016-8635,CVE-2016-9574,CVE-2017-5429,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5469
Description:

Mozilla Firefox was updated to the Firefox ESR release 45.9.

Mozilla NSS was updated to support TLS 1.3 (close to release draft) and various new 
ciphers, PRFs, Diffie Hellman key agreement and support for more hashes.

Security issues fixed in Firefox (bsc#1035082)

- MFSA 2017-11/CVE-2017-5469: Potential Buffer overflow in flex-generated code
- MFSA 2017-11/CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
- MFSA 2017-11/CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
- MFSA 2017-11/CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
- MFSA 2017-11/CVE-2017-5437: Vulnerabilities in Libevent library
- MFSA 2017-11/CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
- MFSA 2017-11/CVE-2017-5435: Use-after-free during transaction processing in the editor
- MFSA 2017-11/CVE-2017-5434: Use-after-free during focus handling
- MFSA 2017-11/CVE-2017-5433: Use-after-free in SMIL animation functions
- MFSA 2017-11/CVE-2017-5432: Use-after-free in text input selection
- MFSA 2017-11/CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
- MFSA 2017-11/CVE-2017-5465: Out-of-bounds read in ConvolvePixel
- MFSA 2017-11/CVE-2017-5460: Use-after-free in frame selection
- MFSA 2017-11/CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
- MFSA 2017-11/CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
- MFSA 2017-11/CVE-2017-5447: Out-of-bounds read during glyph processing
- MFSA 2017-11/CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
- MFSA 2017-11/CVE-2017-5442: Use-after-free during style changes
- MFSA 2017-11/CVE-2017-5443: Out-of-bounds write during BinHex decoding
- MFSA 2017-11/CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
- MFSA 2017-11/CVE-2017-5441: Use-after-free with selection during scroll events
- MFSA 2017-11/CVE-2017-5459: Buffer overflow in WebGL

Mozilla NSS was updated to 3.29.5, bringing new features and fixing bugs:

- Update to NSS 3.29.5:
  * MFSA 2017-11/CVE-2017-5461: Rare crashes in the base 64 decoder and encoder were fixed.
  * MFSA 2017-11/CVE-2017-5462: A carry over bug in the RNG was fixed.
  * CVE-2016-9574: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA (bsc#1015499).
  * requires NSPR >= 4.13.1

- Update to NSS 3.29.3

  * enables TLS 1.3 by default

- Fixed a bug in hash computation (and build with
  GCC 7 which complains about shifts of boolean values).
  (bsc#1030071, bmo#1348767)

- Update to NSS 3.28.3

  This is a patch release to fix binary compatibility issues.

- Update to NSS 3.28.1

  This is a patch release to update the list of root CA certificates.

  * The following CA certificates were Removed

    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3

  * The following CA certificates were Added

    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6

  * The version number of the updated root CA list has been set to 2.11

- Update to NSS 3.28

  New functionality:

  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:

    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that
      there is a difference between TLS 1.3 and key exporters in older
      versions of TLS. TLS 1.3 does not distinguish between an empty
      context and no context.
    - The TLS 1.3 (draft) protocol can be enabled, by defining
      NSS_ENABLE_TLS_1_3=1 when building NSS.
    - NSS includes support for the X25519 key exchange algorithm,
      which is supported and enabled by default in all versions of TLS.

  Notable Changes:

  * NSS can no longer be compiled with support for additional elliptic curves.
    This was previously possible by replacing certain NSS source files.
  * NSS will now detect the presence of tokens that support additional
    elliptic curves and enable those curves for use in TLS.
    Note that this detection has a one-off performance cost, which can be
    avoided by using the SSL_NamedGroupConfig function to limit supported
    groups to those that NSS provides.
  * PKCS#11 bypass for TLS is no longer supported and has been removed.
  * Support for 'export' grade SSL/TLS cipher suites has been removed.
  * NSS now uses the signature schemes definition in TLS 1.3.
    This also affects TLS 1.2. NSS will now only generate signatures with the
    combinations of hash and signature scheme that are defined in TLS 1.3,
    even when negotiating TLS 1.2.

    - This means that SHA-256 will only be used with P-256 ECDSA certificates,
      SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
      SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
      compatibility reasons.
    - NSS will now no longer assume that default signature schemes are
      supported by a peer if there was no commonly supported signature scheme.

  * NSS will now check if RSA-PSS signing is supported by the token that holds
    the private key prior to using it for TLS.
  * The certificate validation code contains checks to no longer trust
    certificates that are issued by old WoSign and StartCom CAs after
    October 21, 2016. This is equivalent to the behavior that Mozilla will
    release with Firefox 51.

- Update to NSS 3.27.2
  * Fixed SSL_SetTrustAnchors leaks (bmo#1318561)

  - raised the minimum softokn/freebl version to 3.28 as reported in (boo#1021636)

- Update to NSS 3.26.2

  New Functionality:

  * the selfserv test utility has been enhanced to support ALPN
    (HTTP/1.1) and 0-RTT
  * added support for the System-wide crypto policy available on
    Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
  * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
    of NSS without the libpkix library

  Notable Changes:

  * The following CA certificate was Added
    CN = ISRG Root X1
  * NPN is disabled and ALPN is enabled by default
  * the NSS test suite now completes with the experimental TLS 1.3
    code enabled
  * several test improvements and additions, including a NIST known answer test

  Changes in 3.26.2
  * MD5 signature algorithms sent by the server in CertificateRequest
    messages are now properly ignored. Previously, with rare server
    configurations, an MD5 signature algorithm might have been selected
    for client authentication and caused the client to abort the
    connection soon after.

- Update to NSS 3.25

  New functionality:

  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.

  Notable changes:

  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2
    OpenTrust Root CA G3

- Update to NSS 3.24

  New functionality:

  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a 'slot' into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
    (OCSP) responses or Signed Certificate Timestamps are not needed,
    since these can be added to the optional SSLExtraServerCertData struct
    provided to SSL_ConfigServerCert.  Also, partial support for RSA
    Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
    Although these certificates can be configured, they will not be
    used by NSS in this version.
  * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
    Instead, applications should use the newly added attribute authType.
  * Add a shared library (libfreeblpriv3) on Linux platforms that
    define FREEBL_LOWHASH.
  * Remove most code related to SSL v2, including the ability to actively
    send a SSLv2-compatible client hello. However, the server-side
    implementation of the SSL/TLS protocol still supports processing
    of received v2-compatible client hello messages.
  * Disable (by default) NSS support in optimized builds for logging SSL/TLS
    key material to a logfile if the SSLKEYLOGFILE environment variable
    is set. To enable the functionality in optimized builds, you must define
    the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
  * Update NSS to protect it against the Cachebleed attack.
  * Disable support for DTLS compression.
  * Improve support for TLS 1.3. This includes support for DTLS 1.3.
    Note that TLS 1.3 support is experimental and not suitable for
    production use.

- Update to NSS 3.23

  New functionality:

  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use.

  Notable changes:

  * The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with with servers
  * The build time environment variable NSS_ENABLE_ZLIB has been
    renamed to NSS_SSL_ENABLE_ZLIB
  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
    added, which can be used to prevent compilation of the
    ChaCha20/Poly1305 code.
  * The following CA certificates were Removed

    - Staat der Nederlanden Root CA
    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
    - VeriSign Class 1 Public PCA - G2
    - VeriSign Class 3 Public PCA
    - VeriSign Class 3 Public PCA - G2
    - CA Disig

  * The following CA certificates were Added

    + SZAFIR ROOT CA2
    + Certum Trusted Network CA 2

  * The following CA certificate had the Email trust bit turned on

    + Actalis Authentication Root CA

  Security fixes:
  * CVE-2016-2834: Memory safety bugs (boo#983639)
    MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037

- Update to NSS 3.22.3
  * Increase compatibility of TLS extended master secret,
    don't send an empty TLS extension last in the handshake
    (bmo#1243641)
  * Fixed a heap-based buffer overflow related to the parsing of
    certain ASN.1 structures. An attacker could create a specially-crafted
    certificate which, when parsed by NSS, would cause a crash or
    execution of arbitrary code with the permissions of the user.
    (CVE-2016-1950, bmo#1245528)

- Update to NSS 3.22.2

  New functionality:

  * RSA-PSS signatures are now supported (bmo#1215295)
  * Pseudorandom functions based on hashes other than SHA-1 are now supported
  * Enforce an External Policy on NSS from a config file (bmo#1009429)

- CVE-2016-8635: Fix for DH small subgroup confinement attack (bsc#1015547)

Mozilla NSPR was updated to version 4.13.1:

  The previously released version 4.13 had changed pipes to be
  nonblocking by default, and as a consequence, PollEvent was
  changed to not block on clear.
  The NSPR development team received reports that these changes
  caused regressions in some applications that use NSPR, and it
  has been decided to revert the changes made in NSPR 4.13.
  NSPR 4.13.1 restores the traditional behavior of pipes and
  PollEvent.

Mozilla NSPR update to version 4.13 had these changes:

- PL_strcmp (and others) were fixed to return consistent results
    when one of the arguments is NULL.
- PollEvent was fixed to not block on clear.
- Pipes are always nonblocking.
- PR_GetNameForIdentity: added thread safety lock and bound checks.
- Removed the PLArena freelist.
- Avoid some integer overflows.
- fixed several comments.

This update also contains java-1_8_0-openjdk that needed to be rebuilt against the new
mozilla-nss version.


-----------------------------------------
Patch: SUSE-2017-750
Released: Thu May 11 16:34:15 2017
Summary: Recommended update for supportutils
Severity: low
References: 1014481,1023308,1030657,995625
Description:

This update for supportutils provides the following fixes:

- Added URI to zypper repos list (bsc#995625)
- Added curl timeout for shorter access times (bsc#1014481)
- Fixed detailed unit information on sle12sp2 (bsc#1023308)
- Added PPC commands and logs (bsc#1030657)



-----------------------------------------
Patch: SUSE-2017-793
Released: Tue May 16 15:40:43 2017
Summary: Security update for libxslt
Severity: moderate
References: 1005591,1035905,934119,952474,CVE-2015-7995,CVE-2015-9019,CVE-2016-4738,CVE-2017-5029
Description:

 This update for libxslt fixes the following issues:
 

- CVE-2017-5029: The xsltAddTextString function in transform.c lacked a check 
for integer overflow during a size calculation, which allowed a remote attacker 
to perform an out of bounds memory write via a crafted HTML page (bsc#1035905).

- CVE-2016-4738: Fix heap overread in xsltFormatNumberConversion: An empty decimal-separator 
could cause a heap overread. This can be exploited to leak a couple of bytes after 
the buffer that holds the pattern string (bsc#1005591).

- CVE-2015-9019: Properly initialize random generator (bsc#934119).

- CVE-2015-7995: Vulnerability in function xsltStylePreCompute' in preproc.c could cause a 
type confusion leading to DoS. (bsc#952474)

 

-----------------------------------------
Patch: SUSE-2017-794
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:

This update for bash fixes an issue that could lead to syntax errors when parsing
scripts that use expr(1) inside loops.

Additionally, the popd build-in now ensures that the normalized stack offset is
within bounds before trying to free that stack entry. This fixes a segmentation
fault.


-----------------------------------------
Patch: SUSE-2017-796
Released: Tue May 16 15:41:58 2017
Summary: Security update for libtirpc
Severity: important
References: 1037559,CVE-2017-8779
Description:

This update for libtirpc fixes the following issues:

-  CVE-2017-8779: crafted UDP packaged could lead  rpcbind to denial-of-service  (bsc#1037559)




-----------------------------------------
Patch: SUSE-2017-803
Released: Thu May 18 12:24:33 2017
Summary: Security update for rpcbind
Severity: important
References: 1037559,CVE-2017-8779
Description:

This update for rpcbind fixes the following issues:

  - CVE-2017-8779: A crafted UDP package could lead rcpbind to remote denial-of-service (bsc#1037559)



-----------------------------------------
Patch: SUSE-2017-817
Released: Thu May 18 16:04:32 2017
Summary: Recommended update for lua
Severity: low
References: 1010089
Description:

This update provides Lua 5.2.4, which brings fixes for the following issues:

- Wrong overflow check in table.unpack
- Ephemeron table wrongly collecting strong keys
- Crash in chunks that are too long
- Garbage collector can trigger too many times in recursive loops
- Wrong assert when reporting concatenation errors
- Wrong error message in some short-cut expressions
- luac listings choke on long strings
- Reorder items in private Table struct, restoring ABI compatibility.


-----------------------------------------
Patch: SUSE-2017-821
Released: Fri May 19 00:17:44 2017
Summary: Recommended update for Salt
Severity: moderate
References: 1019386,1022841,1023535,1027044,1027240,1027722,1030009,1032213,1032452
Description:

This update for salt fixes the following issues:

- Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata.
- Fix log rotation permission issue (bsc#1030009)
- Use pkg/suse/salt-api.service by this package
- Set SHELL environment variable for the salt-api.service.
- Fix 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client.
- Add missing bootstrap script for Salt Cloud. (bsc#1032452)
- Add missing /var/cache/salt/cloud directory. (bsc#1032213)
- Add test case for race conditions on cache directory creation.
- Add 'pkg.install downloadonly=True' support to yum/dnf execution module.
- Makes sure 'gather_job_timeout' is an Integer.
- Add 'pkg.downloaded' state and support for installing patches/erratas.
- Merge master_tops output.
- Fix race condition on cache directory creation.
- Cleanup salt user environment preparation. (bsc#1027722)
- Don't send passwords after shim delimiter is found. (bsc#1019386)
- Allow to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allow to set custom timeouts for 'manage.up' and 'manage.status'.
- Define with system for fedora and RHEL 7. (bsc#1027240)
- Fix service state returning stacktrace. (bsc#1027044)
- Add OpenSCAP Module.
- Prevents 'OSError' exception in case certain job cache path doesn't exist. (bsc#1023535)
- Fix issue with cp.push.
- Fix salt-minion update on RHEL. (bsc#1022841)
- Adding new functions to Snapper execution module.


-----------------------------------------
Patch: SUSE-2017-847
Released: Tue May 23 15:38:00 2017
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1038505,CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843,CVE-2017-1289,CVE-2017-3509,CVE-2017-3511,CVE-2017-3533,CVE-2017-3539,CVE-2017-3544
Description:

This update for java-1_7_1-ibm fixes the following issues:

- Version update to 7.1-4.5 bsc#1038505

  - CVE-2016-9840: zlib: Out-of-bounds pointer arithmetic in inftrees.c
  - CVE-2016-9841: zlib: Out-of-bounds pointer arithmetic in inffast.c
  - CVE-2016-9842: zlib: Undefined left shift of negative number
  - CVE-2016-9843: zlib: Big-endian out-of-bounds pointer
  - CVE-2017-1289: IBM JDK: XML External Entity Injection (XXE) error when processing XML data
  - CVE-2017-3509: OpenJDK: improper re-use of NTLM authenticated connections 
  - CVE-2017-3511: OpenJDK: untrusted extension directories search path in Launcher 
  - CVE-2017-3539: OpenJDK: MD5 allowed for jar verification 
  - CVE-2017-3533: OpenJDK: newline injection in the FTP client
  - CVE-2017-3544: OpenJDK: newline injection in the SMTP client



-----------------------------------------
Patch: SUSE-2017-865
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:

This update for pam fixes the following issues:
 

- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

 

-----------------------------------------
Patch: SUSE-2017-870
Released: Fri May 26 13:58:57 2017
Summary: Recommended update for sysstat
Severity: low
References: 1031674
Description:

This update for sysstat provides the following fix:

- Properly specify you want to be started by multi-user.target (bsc#1031674)



-----------------------------------------
Patch: SUSE-2017-872
Released: Fri May 26 14:05:10 2017
Summary: Recommended update for ntp
Severity: low
References: 1034892
Description:

This update for ntp provides the following fix:

- Fix systemd migration in %pre (bsc#1034892)


-----------------------------------------
Patch: SUSE-2017-884
Released: Tue May 30 15:28:35 2017
Summary: Initial release of python-rpm-macros
Severity: low
References: 1039368
Description:

This update adds python-rpm-macros to SUSE Linux Enterprise Software Development
Kit 12. This package contains RPM macros that ease packaging and building of
Python singlespec packages.


-----------------------------------------
Patch: SUSE-2017-891
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:

This update for libxml2 fixes the following issues:

- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)



-----------------------------------------
Patch: SUSE-2017-895
Released: Wed May 31 15:00:15 2017
Summary: Recommended update for python-pyasn1
Severity: low
References: 1002895
Description:

The python-pyasn1 module was updated to version 0.1.9, which provides the following fixes
and enhancements:

- Wheel distribution format is now supported.
- Fix to make uninitialized pyasn1 objects fail properly on hash().
- Fix to ObjectIdentifier initialization from unicode string.
- Fix to CER/DER Boolean decoder: fail on non single-octet payload.


-----------------------------------------
Patch: SUSE-2017-910
Released: Fri Jun  2 15:02:55 2017
Summary: Security update for libnettle
Severity: moderate
References: 991464,CVE-2016-6489
Description:
This update for libnettle fixes the following issues:

-  CVE-2016-6489:
  * Reject invalid RSA keys with even modulo.
  * Check for invalid keys, with even p, in dsa_sign().
  * Use function mpz_powm_sec() instead of mpz_powm() (bsc#991464).


-----------------------------------------
Patch: SUSE-2017-918
Released: Tue Jun  6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:

This update for libsemanage, selinux-policy fixes the following issues:

- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)


-----------------------------------------
Patch: SUSE-2017-925
Released: Thu Jun  8 12:58:42 2017
Summary: Recommended update for freetype2
Severity: low
References: 1038506
Description:

This update for freetype2 fixes an issue within handling of very large fonts which
could lead to corrupted characters in the boot splash screen of systems configured
to use the Korean language.


-----------------------------------------
Patch: SUSE-2017-936
Released: Fri Jun  9 13:31:48 2017
Summary: Recommended update for supportutils
Severity: low
References: 1013119,1026175,1030448,1035683
Description:

This update for supportutils provides the following fixes:

- Fixed IFS in iscsi_info. (bsc#1030448)
- Added -T to dmesg for readability. (bsc#1013119)
- Removed kpagecgroup in proc.txt. (bsc#1026175)
- Fixed ocfs2 processing when not configured. (bsc#1035683)


-----------------------------------------
Patch: SUSE-2017-939
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:

* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)


-----------------------------------------
Patch: SUSE-2017-943
Released: Mon Jun 12 16:44:20 2017
Summary: Recommended update for cups
Severity: low
References: 1021133,955432,990045
Description:

This update for cups fixes the following issues:

- Avahi sends an ALL_FOR_NOW event when it finishes sending its cache contents.
  This patch makes cupsEnumDests finish when the signal is received so it doesn't
  block the caller until the timeout finishes. (bsc#955432, fate#322052)
- The scheduler didn't log messages for jobs at LogLevel 'info'. (bsc#1021133, bsc#990045)


-----------------------------------------
Patch: SUSE-2017-959
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Severity: low
References: 1043580
Description:

This update for gcc5 fixes the version of libffi in its pkg-config configuration file.


-----------------------------------------
Patch: SUSE-2017-962
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non security bugs fixed:

- Let OpenLDAP read system-wide certificates by default and don't hide the error if
  the user-specified CA location cannot be read. (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)



-----------------------------------------
Patch: SUSE-2017-974
Released: Fri Jun 16 13:49:05 2017
Summary: Security update for Salt
Severity: moderate
References: 1011800,1012999,1017078,1020831,1022562,1025896,1027240,1027722,1030009,1030073,1032931,1035912,1035914,1036125,1038855,1039370,1040584,1040886,1043111,CVE-2017-5200,CVE-2017-8109
Description:

This update for salt provides version 2016.11.4 and brings various fixes and improvements:

- Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade.
- Fix format error. (bsc#1043111)
- Fix ownership for whole master cache directory. (bsc#1035914)
- Disable 3rd party runtime packages to be explicitly recommended. (bsc#1040886)
- Fix insecure permissions in salt-ssh temporary files. (bsc#1035912, CVE-2017-8109)
- Disable custom rosters for Salt SSH via Salt API. (bsc#1011800, CVE-2017-5200)
- Orchestrate and batches don't return false failed information anymore.
- Speed-up cherrypy by removing sleep call.
- Fix os_family grains on SUSE. (bsc#1038855)
- Fix setting the language on SUSE systems. (bsc#1038855)
- Use SUSE specific salt-api.service. (bsc#1039370)
- Fix using hostname for minion ID as '127'.
- Fix core grains constants for timezone. (bsc#1032931)
- Minor fixes on new pkg.list_downloaded.
- Listing all type of advisory patches for Yum module.
- Prevents zero length error on Python 2.6.
- Fixes zypper test error after backporting.
- Raet protocol is no longer supported. (bsc#1020831)
- Fix moving SSH data to the new home. (bsc#1027722)
- Fix logrotating /var/log/salt/minion. (bsc#1030009)
- Fix result of master_tops extension is mutually overwritten. (bsc#1030073)
- Allows to set 'timeout' and 'gather_job_timeout' via kwargs.
- Allows to set custom timeouts for 'manage.up' and 'manage.status'.
- Use salt's ordereddict for comparison.
- Fix scripts for salt-proxy.
- Add openscap module.
- File.get_managed regression fix.
- Fix translate variable arguments if they contain hidden keywords. (bsc#1025896)
- Added unit test for dockerng.sls_build dryrun.
- Added dryrun to dockerng.sls_build.
- Update dockerng minimal version requirements.
- Fix format error in error parsing.
- Keep fix for migrating salt home directory. (bsc#1022562)
- Fix  salt pkg.latest raises exception if package is not available. (bsc#1012999)
- Timezone should always be in UTC. (bsc#1017078)
- Fix timezone handling for rpm installtime. (bsc#1017078)
- Increasing timeouts for running integrations tests.
- Add buildargs option to dockerng.build module.
- Fix error when missing ssh-option parameter.
- Re-add yum notify plugin.
- All kwargs to dockerng.create to provide all features to sls_build as well.
- Datetime should be returned always in UTC.
- Fix possible crash  while deserialising data on infinite recursion in scheduled state. (bsc#1036125)
- Documentation refresh to 2016.11.4
- For a detailed description, please refer to:
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html
  + https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html


-----------------------------------------
Patch: SUSE-2017-985
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-9526: Store the session key in secure memory to ensure that constant
  time point operations are used in the MPI library.  (bsc#1042326)

- Don't require secure memory for the fips selftests, this prevents the
  'Oops, secure memory pool already initialized' warning. (bsc#931932)


-----------------------------------------
Patch: SUSE-2017-1034
Released: Mon Jun 26 08:09:55 2017
Summary: Security update for cairo
Severity: moderate
References: 1007255,1036789,CVE-2016-9082,CVE-2017-7475
Description:
This update for cairo fixes the following issues:

- CVE-2017-7475: Fixed a segfault in get_bitmap_surface due to malformed font
  (bsc#1036789).
- CVE-2016-9082: fix a segfault when using >4GB images since int values were used
  for pointer operations (bsc#1007255).



-----------------------------------------
Patch: SUSE-2017-1036
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)


-----------------------------------------
Patch: SUSE-2017-1040
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:

- Show version numbers of modules where they are available (bsc#1043237) 


-----------------------------------------
Patch: SUSE-2017-1063
Released: Wed Jun 28 21:15:03 2017
Summary: Security update for vim
Severity: moderate
References: 1018870,1024724,1027053,1027057,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350
Description:

This update for vim fixes the following issues:

Security issues fixed:

- CVE-2017-5953: Fixed a possible overflow with corrupted spell file (bsc#1024724)
- CVE-2017-6350: Fixed a possible overflow when reading a corrupted undo file (bsc#1027053)
- CVE-2017-6349: Fixed a possible overflow when reading a corrupted undo file (bsc#1027057)


Non security issues fixed:

- Speed up YAML syntax highlighting (bsc#1018870)



-----------------------------------------
Patch: SUSE-2017-1073
Released: Thu Jun 29 18:16:26 2017
Summary: Initial release of python-urllib3
Severity: low
References: 1002895
Description:

This update adds python-urllib3 to the Public Cloud 12 Module. This is a new runtime
requirement of recent versions of the Google Cloud SDK.


-----------------------------------------
Patch: SUSE-2017-1075
Released: Thu Jun 29 18:18:50 2017
Summary: Recommended update for python-PyYAML
Severity: low
References: 1002895
Description:

This update for python-PyYAML fixes the following issues:

- Adding an implicit resolver to a derived loader should not affect the base loader.
- Uniform representation for OrderedDict? across different versions of Python.
- Fixed comparison to None warning.


-----------------------------------------
Patch: SUSE-2017-1082
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:

- Change logrotate from Requires to Recommends (bsc#1045943)


-----------------------------------------
Patch: SUSE-2017-1083
Released: Fri Jun 30 10:54:41 2017
Summary: Recommended update for OpenIPMI
Severity: low
References: 1046174
Description:
This update for OpenIPMI provides the following fix:

- Fix pthread requirements in OpenIPMIpthread pkg-config settings. (bsc#1046174)


-----------------------------------------
Patch: SUSE-2017-1086
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:

* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ]



-----------------------------------------
Patch: SUSE-2017-1116
Released: Thu Jul  6 11:37:18 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:

- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)


-----------------------------------------
Patch: SUSE-2017-1119
Released: Fri Jul  7 11:23:20 2017
Summary: Recommended update for ncurses
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does
  not need it anymore and as well as it causes bug bsc#1000662 


-----------------------------------------
Patch: SUSE-2017-1124
Released: Fri Jul  7 19:32:38 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1134
Released: Tue Jul 11 17:56:26 2017
Summary: Security update for libICE
Severity: moderate
References: 1025068,CVE-2017-2626
Description:
This update for libICE fixes the following issues:

- CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies
  predictable. A more random generation method has been implemented. (boo#1025068)



-----------------------------------------
Patch: SUSE-2017-1140
Released: Wed Jul 12 15:00:34 2017
Summary: Optional update for python-httpretty, python-urllib3
Severity: low
References: 1002895
Description:

This update adds python-httpretty and python-urllib3 to SUSE Enterprise Storage 3.
These are new runtime requirements of the next update for python-boto.


-----------------------------------------
Patch: SUSE-2017-1142
Released: Wed Jul 12 15:48:23 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:

This update for openssh provides the following fixes:

- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch,
  users using the IBMCA engine are not able to perform ssh login as the filter blocks the
  communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.


-----------------------------------------
Patch: SUSE-2017-1153
Released: Fri Jul 14 12:37:10 2017
Summary: Security update for libXdmcp
Severity: moderate
References: 1025046,CVE-2017-2625
Description:
This update for libXdmcp fixes the following issues:

- CVE-2017-2625: The generation of session key in XDM using libXdmcp might have used weak entropy, making
  the session keys predictable (bsc#1025046)



-----------------------------------------
Patch: SUSE-2017-1160
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)


-----------------------------------------
Patch: SUSE-2017-1191
Released: Thu Jul 20 17:16:11 2017
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2017-1192
Released: Thu Jul 20 20:07:36 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1198
Released: Fri Jul 21 14:04:23 2017
Summary: Recommended update for python-boto, python-simplejson
Severity: low
References: 1002895
Description:

This update provides python-boto 2.42.0 and python-simplejson 3.8.2, which bring
many fixes and enhancements.

python-boto:

- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.

python-simplejson:

- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects,
  without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are
  now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.


-----------------------------------------
Patch: SUSE-2017-1222
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Severity: low
References: 1034563,1039941
Description:

This update for procps provides the following fixes:

- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set


-----------------------------------------
Patch: SUSE-2017-1243
Released: Wed Aug  2 16:00:30 2017
Summary: Recommended update for lsscsi
Severity: low
References: 1008935,1047884
Description:
This update for lsscsi provides the following fixes:

- Fix the detection of the WWN for SCSI disks (bsc#1008935)
- Fix the output of 'lsscsi -t' (bsc#1047884)


-----------------------------------------
Patch: SUSE-2017-1250
Released: Thu Aug  3 13:49:24 2017
Summary: Recommended update for binutils
Severity: moderate
References: 1031508
Description:

This update for binutils fixes an issue that prevented ld(1) from correctly linking
the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.


-----------------------------------------
Patch: SUSE-2017-1279
Released: Mon Aug  7 14:46:40 2017
Summary: Security update for ncurses
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken
  termcap format (bsc#1046853, bsc#1046858, bsc#1049344)



-----------------------------------------
Patch: SUSE-2017-1299
Released: Tue Aug  8 12:55:31 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:

This update for openssh provides the following fixes:

- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch,
  users using the IBMCA engine are not able to perform ssh login as the filter blocks the
  communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.


-----------------------------------------
Patch: SUSE-2017-1316
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:

This update for cyrus-sasl provides the following fixes:

- Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize
- Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
- Really use SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists   
- Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence 'GSSAPI client step 1' debug log message (bsc#1044840)


-----------------------------------------
Patch: SUSE-2017-1326
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)


-----------------------------------------
Patch: SUSE-2017-1330
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Severity: low
References: 954661
Description:
This update for sed provides the following fixes:

- Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661)


-----------------------------------------
Patch: SUSE-2017-1333
Released: Tue Aug 15 17:59:30 2017
Summary: Optional update for libverto
Severity: low
References: 1029561
Description:
This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.


-----------------------------------------
Patch: SUSE-2017-1344
Released: Thu Aug 17 12:20:25 2017
Summary: Recommended update for python-simplejson
Severity: low
References: 1002895
Description:
This update provides python-simplejson 3.8.2, which brings many fixes and enhancements:

- Fix issue with iterable_as_array and indent option
- New iterable_as_array encoder option to perform lazy serialization of any iterable objects,
  without having to convert to tuple or list
- Do not cache Decimal class in encoder, only reference the decimal module
- No longer trust custom str/repr methods for int, long, float subclasses: these instances are
  now formatted as if they were exact instances of those types
- Fix reference leak when an error occurs during dict encoding
- Fix dump when only sort_keys is set
- Automatically strip any UTF-8 BOM from input to more closely follow the latest specs
- Fix lower bound checking in scan_once / raw_decode API
- Consistently reject int_as_string_bitcount settings that are not positive integers
- Add int_as_string_bitcount encoder option
- Fix potential crash when encoder created with incorrect options
- Documentation updates.


-----------------------------------------
Patch: SUSE-2017-1347
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Severity: important
References: 1053409
Description:
This update for procps fixes the following issues:

- Fix a regression introduced in a previous update that would result in sysctl
  dying with a SIGSEGV error (bsc#1053409).


-----------------------------------------
Patch: SUSE-2017-1349
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fixes:

- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)


-----------------------------------------
Patch: SUSE-2017-1352
Released: Fri Aug 18 18:17:48 2017
Summary: Recommended update for SuSEfirewall2
Severity: low
References: 1044523,906136,946325,963740
Description:
This update for SuSEfirewall2 provides the following fixes:

- Make SuSEfirewall2 check for existing configuration in more sysctl.d style directories to
  allow packages and the user to create overrides easily (bsc#1044523)
- Add support for customizing the sysctl paths to be scanned for existing configuration by
  changing the FW_SYSCTL_PATHS configuration variable (bsc#906136)
- Correct the initialization order between SuSEfirewall2 and NFS components to make sure
  NFS server ports are correctly opened when both services are enabled in systemd, and to
  fix NFS clients not receiving callbacks from the server when started before SuSEfirewall2.
  (bsc#946325, bsc#963740)


-----------------------------------------
Patch: SUSE-2017-1354
Released: Fri Aug 18 23:54:29 2017
Summary: Recommended update for python-rpm-macros
Severity: low
References: 1050472
Description:
This update for python-rpm-macros fixes the following issues:

- Fix skip_python2 in environment where python2 is not actually present.
- Introduce smarter buildset support.
- Fix %python_files on non-standard build sets.
- Introduce %python_for_executables in favor of magically taking 'last python in %pythons'.
- Fix %license tag handling.


-----------------------------------------
Patch: SUSE-2017-1364
Released: Tue Aug 22 14:59:14 2017
Summary: Recommended update for supportutils
Severity: low
References: 1001224,1051237
Description:
This update for supportutils fixes the following issues:

- Add Infiniband for SLES 12-SP3. (bsc#1051237)
- Fix Infiniband detection on SLES 12. (bsc#1001224)
- Fix path to virt-manager log file.


-----------------------------------------
Patch: SUSE-2017-1384
Released: Fri Aug 25 13:39:19 2017
Summary: Recommended update for Salt
Severity: moderate
References: 1036125
Description:
This update for salt fixes the following issues:

- Added bugfix when jobs scheduled to run at a future time stay pending for Salt minions. (bsc#1036125)
- Adding procps as dependency. This provides 'ps' and 'pgrep' utils which are called from different Salt
  modules and also from new salt-minion watchdog.


-----------------------------------------
Patch: SUSE-2017-1390
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.


libzypp:

- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned
  repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.

yast2-pkg-bindings:

- Do not crash when the repository URL is not defined. (bsc#1043218)


-----------------------------------------
Patch: SUSE-2017-1395
Released: Tue Aug 29 08:06:33 2017
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1053431,CVE-2017-10053,CVE-2017-10067,CVE-2017-10074,CVE-2017-10081,CVE-2017-10087,CVE-2017-10089,CVE-2017-10090,CVE-2017-10096,CVE-2017-10101,CVE-2017-10102,CVE-2017-10105,CVE-2017-10107,CVE-2017-10108,CVE-2017-10109,CVE-2017-10110,CVE-2017-10111,CVE-2017-10115,CVE-2017-10116,CVE-2017-10125,CVE-2017-10243
Description:
This update for java-1_7_1-ibm fixes the following issues:

- Version update to 7.1-4.10 [bsc#1053431]
  * CVE-2017-10111 CVE-2017-10110 CVE-2017-10107 CVE-2017-10101
    CVE-2017-10096 CVE-2017-10090 CVE-2017-10089 CVE-2017-10087
    CVE-2017-10102 CVE-2017-10116 CVE-2017-10074 CVE-2017-10115
    CVE-2017-10067 CVE-2017-10125 CVE-2017-10243 CVE-2017-10109
    CVE-2017-10108 CVE-2017-10053 CVE-2017-10105 CVE-2017-10081: Multiple unspecified vulnerabilities 
in multiple Java components could lead to code execution or sandbox escape
 
 More information can be found here: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#Oracle_July_18_2017_CPU



-----------------------------------------
Patch: SUSE-2017-1398
Released: Tue Aug 29 10:58:23 2017
Summary: Recommended update for yast2-sap-scp-prodlist
Severity: low
References: 1049873
Description:
This update adds Protera's FlexBridge to the list of available products.

-----------------------------------------
Patch: SUSE-2017-1399
Released: Tue Aug 29 12:11:42 2017
Summary: Recommended update for sapconf
Severity: moderate
References: 1031355,1039309,1043844,1048550
Description:
This update for sapconf fixes the following issues:

- Add a message to %post to remind the admin to restart the tuned service, if the configuration
  changes should take effect immediately. (bsc#1048550)
- Increase MAX_MAP_COUNT_REQ to 2147483647 conforming to SAP Note 900929. (bsc#1048550)
- Make 'tuned' a mandatory runtime dependency. (bsc#1043844)
- In all tuning profiles, do not overwrite a parameter if present value is higher than optimal
  value. (bsc#1048550)
- Amend logind's behavior. (bsc#1031355, bsc#1039309, bsc#1043844)


-----------------------------------------
Patch: SUSE-2017-1402
Released: Tue Aug 29 12:14:10 2017
Summary: Recommended update for javapackages-tools
Severity: low
References: 1039890
Description:

This update for javapackages-tools fixes the following issues:

- Add provides on javapackages-local. (bsc#1039890)


-----------------------------------------
Patch: SUSE-2017-1419
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:

- CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)




-----------------------------------------
Patch: SUSE-2017-1424
Released: Thu Aug 31 17:46:42 2017
Summary: Recommended update for tcsh
Severity: low
References: 1028864
Description:
This update for tcsh provides the following fix:

- Avoid closing sockets that were not opened by tcsh itself. (bsc#1028864)

-----------------------------------------
Patch: SUSE-2017-1430
Released: Thu Aug 31 21:43:54 2017
Summary: Security update for icu
Severity: moderate
References: 929629,CVE-2014-8146,CVE-2014-8147
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer
  data type that is inconsistent with a header file, which allowed remote attackers to cause a
  denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code
  via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional
  Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly
  track directionally isolated pieces of text, which allowed remote attackers to cause a denial of
  service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text
  (bsc#929629).
  

-----------------------------------------
Patch: SUSE-2017-1443
Released: Mon Sep  4 13:32:24 2017
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: low
References: 1053737
Description:
This update for supportutils-plugin-suse-public-cloud provides version 1.0.2 and adds the following additional packages
to the framework specific package queries:

- Microsoft Azure:
  + python3-azurectl

- Amazon EC2:
  + python3-ec2deprecateimg, python3-ec2metadata, python3-ec2publishimg, python3-ec2uploadimg,
    regionServiceClientConfigSAPEC2, supportutils-plugin-suse-public-cloud

- Google Cloud Platform (GCE):
    * google-compute-engine-init, google-compute-engine-oslogin, python3-gcemetadata,
      regionServiceClientConfigSAPGCE, supportutils-plugin-suse-public-cloud


-----------------------------------------
Patch: SUSE-2017-1447
Released: Mon Sep  4 15:38:20 2017
Summary: Security update for libzypp, zypper
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)

zypper:

- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)


-----------------------------------------
Patch: SUSE-2017-1450
Released: Mon Sep  4 16:36:07 2017
Summary: Recommended update for insserv-compat
Severity: low
References: 1035062,944903
Description:

This update for insserv-compat fixes the following issues:

- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.


-----------------------------------------
Patch: SUSE-2017-1453
Released: Mon Sep  4 21:23:50 2017
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:

- libgcrypt stored an open file descriptor to the random device in
  a static variable between invocations.
  gnome-keyring-daemon on initialization reopened descriptors 0-2
  with /dev/null which caused an infinite loop when libgcrypt
  attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in healthcheck sanity test to
    save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid
    allocation of a random integer
- fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping
  some of the tests (bsc#1046659)
- dlsym returns PLT address on s390x, dlopen libgcrypt20.so before
  calling dlsym (bsc#1047008)


-----------------------------------------
Patch: SUSE-2017-1457
Released: Tue Sep  5 14:40:16 2017
Summary: Security update for python-pycrypto
Severity: important
References: 1017420,1047666,CVE-2013-7459
Description:
This update for python-pycrypto fixes the following issues:

- CVE-2013-7459: Fixed a potential heap buffer overflow in ALGnew (bsc#1017420).

python-paramiko was adjusted to work together with this python-pycrypto change. (bsc#1047666)



-----------------------------------------
Patch: SUSE-2017-1471
Released: Wed Sep  6 16:19:58 2017
Summary: Security update for gdk-pixbuf
Severity: important
References: 1027024,1027025,1027026,1048289,1048544,1049877,CVE-2017-2862,CVE-2017-2870,CVE-2017-6312,CVE-2017-6313,CVE-2017-6314
Description:
This update for gdk-pixbuf fixes the following issues:

- CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289)
- CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544)
- CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024)
- CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025)
- CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026)


-----------------------------------------
Patch: SUSE-2017-1548
Released: Fri Sep 15 18:19:12 2017
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1005063,1009269,1012523,1025176,1050767,1050943
Description:
This update for sg3_utils provides the following fixes:

- Add lunsearch filter to findresized() so that only LUNs specified using --luns are
  rescanned or resized. (bsc#1025176)
- In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use
  sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
- Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
- Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
- Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity
  checking. (bsc#1050767)
- Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)


-----------------------------------------
Patch: SUSE-2017-1549
Released: Fri Sep 15 18:26:57 2017
Summary: Recommended update for at
Severity: low
References: 988890
Description:

This update for at fixes the following issues:

- The systemd atd.service will now run After=nss-user-lookup.target not after
  systemd-user-sessions.service
- Make systemd atd.service run After=time-sync.target (bsc#988890)


-----------------------------------------
Patch: SUSE-2017-1556
Released: Mon Sep 18 09:24:26 2017
Summary: Recommended update for python-boto
Severity: low
References: 1002895
Description:
This update provides python-boto 2.42.0, which brings fixes and enhancements:

- Respect is_secure parameter in generate_url_sigv4
- Update MTurk API
- Update endpoints.json
- Allow s3 bucket lifecycle policies with multiple transitions
- Fixes upload parts for glacier
- Autodetect sigv4 for ap-northeast-2
- Added support for ap-northeast-2
- Remove VeriSign Class 3 CA from trusted certs
- Add note about boto3 on all pages of boto docs
- Fix for listing EMR steps based on cluster_states filter
- Fixed param name in set_contents_from_string docstring
- Spelling and documentation fixes
- Add deprecation notice to emr methods
- Add some GovCloud endpoints.


-----------------------------------------
Patch: SUSE-2017-1564
Released: Tue Sep 19 18:38:16 2017
Summary: Security update for gcc48
Severity: moderate
References: 1011348,1022062,1028744,1039513,1044016,1050947,988274,CVE-2017-11671
Description:
This update for gcc48 fixes the following issues:

Security issues fixed:

- A new option -fstack-clash-protection is now offered, which mitigates the stack clash type of attacks. [bnc#1039513]
  Future maintenance releases of packages will be built with this option.
- CVE-2017-11671: Fixed rdrand/rdseed code generation issue [bsc#1050947]

Bugs fixed:

- Enable LFS support in 32bit libgcov.a.  [bsc#1044016]
- Bump libffi version in libffi.pc to 3.0.11.
- Fix libffi issue for armv7l.  [bsc#988274]
- Properly diagnose missing -fsanitize=address support on ppc64le.  [bnc#1028744]
- Backport patch for PR65612.  [bnc#1022062]
- Fixed DR#1288.  [bnc#1011348]


-----------------------------------------
Patch: SUSE-2017-1586
Released: Mon Sep 25 17:16:58 2017
Summary: Recommended update for xinetd
Severity: low
References: 1054532,943484,947475,972691
Description:
This update for xinetd provides the following fixes:

- Specifying multiple log targets in the configuration caused a crash in xinetd, so make
  sure this is not allowed and in case of misconfiguration handle it correctly.
  (bsc#1054532)
- Fix a race condition that was causing xinetd not to be running after receiving a SIGHUP
  and a call to bind() failing with error EADDRINUSE. The fix exposes a sysconfig variable
  named XINETD_BIND_DELAY that can be used to delay calls to bind(). (bsc#972691)
- Fix an error that was causing a failure in xinetd when trying to fallback from IPv6 to
  IPv4. (bsc#947475)
- Update the documentation about the maximum allowed size of server parameters. (bsc#943484)


-----------------------------------------
Patch: SUSE-2017-1589
Released: Tue Sep 26 09:58:51 2017
Summary: Security update for tiff
Severity: moderate
References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805,CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Description:
This update for tiff to version 4.0.8 fixes a several bugs and security issues:

These security issues were fixed:

- CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127).
- CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438).
- CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118).
- CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126).
- CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120).
- CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113).
- CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112).
- CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111).
- CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109).
- CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131).
- CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129).
- CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128).
- CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805).
- CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804).

These various other issues were fixed:

- Fix uint32 overflow in TIFFReadEncodedStrip() that caused an
  integer division by zero. Reported by Agostino Sarubbo.
- fix heap-based buffer overflow on generation of PixarLog / LUV
  compressed files, with ColorMap, TransferFunction attached and
  nasty plays with bitspersample. The fix for LUV has not been
  tested, but suffers from the same kind of issue of PixarLog.
- modify ChopUpSingleUncompressedStrip() to instanciate compute
  ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
  instead of a logic based on the total size of data. Which is
  faulty is the total size of data is not sufficient to fill the
  whole image, and thus results in reading outside of the
  StripByCounts/StripOffsets arrays when using
  TIFFReadScanline()
- make OJPEGDecode() early exit in case of failure in
  OJPEGPreDecode(). This will avoid a divide by zero, and
  potential other issues.
- fix misleading indentation as warned by GCC.
- revert change done on 2016-01-09 that made Param member of
  TIFFFaxTabEnt structure a uint16 to reduce size of the
  binary. It happens that the Hylafax software uses the tables
  that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
  TIFFFaxBlackTable), although they are not in a public libtiff
  header.
- add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants
  of the functions without ext, with an extra argument to control
  the stop_on_error behaviour.
- fix potential memory leaks in error code path of
  TIFFRGBAImageBegin().
- increase libjpeg max memory usable to 10 MB instead of libjpeg
  1MB default. This helps when creating files with 'big' tile,
  without using libjpeg temporary files.
- add _TIFFcalloc()
- return 0 in Encode functions instead of -1 when
  TIFFFlushData1() fails.
- only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling
  tag is not explicitly present. This helps a bit to reduce the
  I/O amount when the tag is present (especially on cloud hosted
  files).
- in LZWPostEncode(), increase, if necessary, the code bit-width
  after flushing the remaining code and before emitting the EOI
  code.
- fix memory leak in error code path of PixarLogSetupDecode().
- fix potential memory leak in
  OJPEGReadHeaderInfoSecTablesQTable,
  OJPEGReadHeaderInfoSecTablesDcTable and
  OJPEGReadHeaderInfoSecTablesAcTable
- avoid crash in Fax3Close() on empty file.
- TIFFFillStrip(): add limitation to the number of bytes read
  in case td_stripbytecount[strip] is bigger than reasonable,
  so as to avoid excessive memory allocation.
- fix memory leak when the underlying codec (ZIP, PixarLog)
  succeeds its setupdecode() method, but PredictorSetup fails.
- TIFFFillStrip() and TIFFFillTile(): avoid excessive memory
  allocation in case of shorten files. Only effective on 64 bit
  builds and non-mapped cases.
- TIFFFillStripPartial() / TIFFSeek(), avoid potential integer
  overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode.
- avoid excessive memory allocation in case of shorten files.
  Only effective on 64 bit builds.
- update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
  tif_rawdataloaded when calling TIFFStartStrip() or
  TIFFFillStripPartial(). 
- avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes
- avoid potential int32 overflows in multiply_ms() and add_ms().
- fix out-of-buffer read in PackBitsDecode() Fixes
- LogL16InitState(): avoid excessive memory allocation when
  RowsPerStrip tag is missing.
- update dec_bitsleft at beginning of LZWDecode(), and update
  tif_rawcc at end of LZWDecode(). This is needed to properly
  work with the latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc
  with avail_in at beginning and end of function, similarly to
  what is done in LZWDecode(). Likely needed so that it works
  properly with latest chnges in tif_read.c in
  CHUNKY_STRIP_READ_SUPPORT mode.
- initYCbCrConversion(): add basic validation of luma and
  refBlackWhite coefficients (just check they are not NaN for
  now), to avoid potential float to int overflows.
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid division by zero
- _TIFFVSetField(): fix outside range cast of double to float.
- initYCbCrConversion(): check luma[1] is not zero to avoid
  division by zero.
- initYCbCrConversion(): stricter validation for refBlackWhite
  coefficients values.
- avoid uint32 underflow in cpDecodedStrips that can cause
  various issues, such as buffer overflows in the library.
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that
  the output buffer is correctly incremented to avoid write
  outside bounds.
- add 3 extra bytes at end of strip buffer in
  readSeparateStripsIntoBuffer() to avoid read outside of heap
  allocated buffer.
- fix integer division by zero when BitsPerSample is missing.
- fix null pointer dereference in -r mode when the image has no
  StripByteCount tag.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit
  the return number of inks to SamplesPerPixel, so that code
  that parses ink names doesn't go past the end of the buffer.
- avoid potential division by zero is BitsPerSamples tag is
  missing.
- fix uint32 underflow/overflow that can cause heap-based buffer
  overflow.
- replace assert( (bps % 8) == 0 ) by a non assert check.
- fix 2 heap-based buffer overflows (in PSDataBW and
  PSDataColorContig).
- prevent heap-based buffer overflow in -j mode on a paletted
  image.
- fix wrong usage of memcpy() that can trigger unspecified behaviour.
- avoid potential invalid memory read in t2p_writeproc.
- avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile().
- remove extraneous TIFFClose() in error code path, that caused
  double free.
- error out cleanly in cpContig2SeparateByRow and
  cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap
  based overflow.
- avoid integer division by zero.
- call TIFFClose() in error code paths.
- emit appropriate message if the input file is empty.
- close TIFF handle in error code path.


-----------------------------------------
Patch: SUSE-2017-1606
Released: Thu Sep 28 15:52:49 2017
Summary: Recommended update for xinetd
Severity: important
References: 1060432
Description:
This update for xinetd fixes a regression that could cause a crash when an 'IPv6' flag was specified
without a 'bind' option (bsc#1060432)


-----------------------------------------
Patch: SUSE-2017-1622
Released: Mon Oct  2 20:06:28 2017
Summary: Recommended update for yast2-xml
Severity: low
References: 1047449
Description:
This update for yast2-xml provides the following fix:

- Omit libxml2 memory cleanup to prevent a crash if rubygem-nokogiri is installed.
  (bsc#1047449)


-----------------------------------------
Patch: SUSE-2017-1644
Released: Mon Oct  9 07:52:24 2017
Summary: Security update for krb5
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.

This security issue was fixed:

- CVE-2017-11462: Prevent automatic security context deletion to prevent
  double-free (bsc#1056995)

These non-security issues were fixed:

- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf
  in order to improve client security in handling service principle
  names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of
  LDAP service. (bsc#903543)
- Remove main package's dependency on systemd (bsc#1032680)


-----------------------------------------
Patch: SUSE-2017-1657
Released: Mon Oct  9 15:38:23 2017
Summary: Optional update for SUSE Manager Server 3.1
Severity: low
References: 1051948
Description:
This update adds the following new packages to SUSE Manager Server 3.1 to provide kubernetes support for Salt:

python-fasteners:
Provides locking decorators, reader-writer locks, inter-process locks and generic helpers.

python-httplib2:
A comprehensive HTTP client library that supports many features left out of other HTTP libraries.

python-monotonic:
This module provides a 'monotonic()' function which returns the value (in fractional seconds) of a clock which
never goes backwards.

python-oauth2client:
This is a Python library for accessing resources protected by OAuth 2.0.

python-websocket-client:
This provides the low level APIs for WebSocket. All APIs are synchronous functions.

python-rsa:
Supports encryption and decryption, signing and verifying signatures, and key generation according to
PKCS#1 version 1.5.


-----------------------------------------
Patch: SUSE-2017-1658
Released: Mon Oct  9 15:38:26 2017
Summary: Optional update for SUSE Manager Server 3.1
Severity: low
References: 1051948
Description:
This update adds the following new packages to SUSE Manager Server 3.1 to provide kubernetes-support for salt:

python-kubernetes:
Python-client for Kubernetes.

python-urllib3:
HTTP library with thread-safe connection pooling, file post, and more.

-----------------------------------------
Patch: SUSE-2017-1660
Released: Mon Oct  9 15:39:22 2017
Summary: Security update for Salt
Severity: moderate
References: 1051948,1052264,1053376,1053955,CVE-2017-12791
Description:
This update for salt fixes one security issue and bugs:

The following security issue has been fixed:

- CVE-2017-12791: Directory traversal vulnerability in minion id validation
  allowed remote minions with incorrect credentials to authenticate to a master
  via a crafted minion ID (bsc#1053955).

Additionally, the following non-security issues have been fixed:

- Added support for SUSE Manager scalability features. (bsc#1052264)
- Introduced the kubernetes module. (bsc#1051948)
- Notify systemd synchronously via NOTIFY_SOCKET. (bsc#1053376)

-----------------------------------------
Patch: SUSE-2017-1662
Released: Tue Oct 10 11:58:50 2017
Summary: Security update for MozillaFirefox, mozilla-nss
Severity: important
References: 1060445,1061005,CVE-2017-7793,CVE-2017-7805,CVE-2017-7810,CVE-2017-7814,CVE-2017-7818,CVE-2017-7819,CVE-2017-7823,CVE-2017-7824,CVE-2017-7825
Description:
This update for MozillaFirefox to ESR 52.4, mozilla-nss fixes the following issues:

This security issue was fixed for mozilla-nss:

- CVE-2017-7805: Prevent use-after-free in TLS 1.2 when generating handshake hashes (bsc#1061005)

These security issues were fixed for Firefox 

- CVE-2017-7825: Fixed some Tibetan and Arabic unicode characters rendering (bsc#1060445).
- CVE-2017-7805: Prevent Use-after-free in TLS 1.2 generating handshake hashes (bsc#1060445).
- CVE-2017-7819: Prevent Use-after-free while resizing images in design mode (bsc#1060445).
- CVE-2017-7818: Prevent Use-after-free during ARIA array manipulation (bsc#1060445).
- CVE-2017-7793: Prevent Use-after-free with Fetch API (bsc#1060445).
- CVE-2017-7824: Prevent Buffer overflow when drawing and validating elements with ANGLE (bsc#1060445).
- CVE-2017-7810: Fixed several memory safety bugs (bsc#1060445).
- CVE-2017-7823: CSP sandbox directive did not create a unique origin (bsc#1060445).
- CVE-2017-7814: Blob and data URLs bypassed phishing and malware protection warnings (bsc#1060445).


-----------------------------------------
Patch: SUSE-2017-1664
Released: Tue Oct 10 12:05:44 2017
Summary: Recommended update for aws-cli, python-botocore
Severity: low
References: 1044370
Description:

This update provides aws-cli 1.11.104, which brings many fixes and enhancements.

aws-cli (update to version 1.11.104):

- https://github.com/aws/aws-cli/blob/1.11.104/CHANGELOG.rst

python-botocore (update to version 1.5.67):

- https://github.com/boto/botocore/blob/1.5.67/CHANGELOG.rst

python-jmespath (update to 0.9.2):

- Raise LexerError on invalid numbers
- Add support for custom functions
- Fix ZeroDivisionError for built-in function avg() on empty lists
- Properly handle non numerical ordering operators
- Add support for new lines with tokens in an expression
- Add support for JEP 9 which introduces 'and', 'unary', 'not' and 'paren' expressions
- Improve lexing performance
- Fix parsing error for multiselect lists
- Fix issue with escaping single quotes in literal strings
- Add support for providing your own dict cls to support ordered dictionaries
- Add map() function

python-s3transfer (update to version 0.1.10):

- Expose ability to use own executor class for TransferManager


-----------------------------------------
Patch: SUSE-2017-1676
Released: Wed Oct 11 15:49:25 2017
Summary: Recommended update for supportutils
Severity: important
References: 1061282
Description:
This update for supportutils fixes the following issues:

* A core_pattern containing pipe could have lead to a filesystem corruption (bsc#1061282)



-----------------------------------------
Patch: SUSE-2017-1683
Released: Fri Oct 13 10:30:57 2017
Summary: Recommended update for libqt5-qtbase, libqt5-qtwebengine
Severity: low
References: 1027925,1043338,1043375,1061344
Description:

This update for libqt5-qtbase and libqt5-qtwebengine provides the following fixes:

libqt5-qtbase:

- Recommend libqt5-qttranslations in libQt5Core5 so that translations are picked up correctly. (bsc#1027925)

libqt5-qtwebengine:

- Enable the use of proprietary codecs when configuring webengine so it uses the system
  ffmpeg binary thus allowing to reproduce html5 videos. (bsc#1043375)
- Fix a compatibility issue in font rendering when using newer versions of FreeType. (bsc#1061344)


-----------------------------------------
Patch: SUSE-2017-1695
Released: Tue Oct 17 11:06:57 2017
Summary: Recommended update for netcat-openbsd
Severity: low
References: 1061165
Description:
This update for netcat-openbsd provides the following fix:

- Fix a logic error that would prevent netcat from sending out UDP packets. (bsc#1061165)


-----------------------------------------
Patch: SUSE-2017-1755
Released: Fri Oct 20 18:03:54 2017
Summary: Recommended update for desktop-data-SLE
Severity: low
References: 1058231
Description:
This update for desktop-data-SLE provides the following fix:

- Disable 'Novell' branding in wallpapers. (fate#320506, bsc#1058231)


-----------------------------------------
Patch: SUSE-2017-1769
Released: Tue Oct 24 20:27:46 2017
Summary: Recommended update for corosync
Severity: low
References: 1032634,1047862,1060767
Description:
This update for corosync fixes the following issues:

- Don't terminate with assertion error after a network interface goes down. (bsc#1032634)


-----------------------------------------
Patch: SUSE-2017-1772
Released: Wed Oct 25 14:10:42 2017
Summary: Recommended update for logrotate
Severity: low
References: 1057801
Description:
This update for logrotate provides the following fix:

- Make sure log files continue to rotate properly when a stale status file is found. (bsc#1057801)


-----------------------------------------
Patch: SUSE-2017-1776
Released: Thu Oct 26 09:44:44 2017
Summary: Security update for tcpdump
Severity: moderate
References: 1047873,1057247,CVE-2017-11108,CVE-2017-11541,CVE-2017-11542,CVE-2017-11543,CVE-2017-12893,CVE-2017-12894,CVE-2017-12895,CVE-2017-12896,CVE-2017-12897,CVE-2017-12898,CVE-2017-12899,CVE-2017-12900,CVE-2017-12901,CVE-2017-12902,CVE-2017-12985,CVE-2017-12986,CVE-2017-12987,CVE-2017-12988,CVE-2017-12989,CVE-2017-12990,CVE-2017-12991,CVE-2017-12992,CVE-2017-12993,CVE-2017-12994,CVE-2017-12995,CVE-2017-12996,CVE-2017-12997,CVE-2017-12998,CVE-2017-12999,CVE-2017-13000,CVE-2017-13001,CVE-2017-13002,CVE-2017-13003,CVE-2017-13004,CVE-2017-13005,CVE-2017-13006,CVE-2017-13007,CVE-2017-13008,CVE-2017-13009,CVE-2017-13010,CVE-2017-13011,CVE-2017-13012,CVE-2017-13013,CVE-2017-13014,CVE-2017-13015,CVE-2017-13016,CVE-2017-13017,CVE-2017-13018,CVE-2017-13019,CVE-2017-13020,CVE-2017-13021,CVE-2017-13022,CVE-2017-13023,CVE-2017-13024,CVE-2017-13025,CVE-2017-13026,CVE-2017-13027,CVE-2017-13028,CVE-2017-13029,CVE-2017-13030,CVE-2017-13031,CVE-2017-13032,CVE-2017-13033,CVE-2017-13034,CVE-2017-13035,CVE-2017-13036,CVE-2017-13037,CVE-2017-13038,CVE-2017-13039,CVE-2017-13040,CVE-2017-13041,CVE-2017-13042,CVE-2017-13043,CVE-2017-13044,CVE-2017-13045,CVE-2017-13046,CVE-2017-13047,CVE-2017-13048,CVE-2017-13049,CVE-2017-13050,CVE-2017-13051,CVE-2017-13052,CVE-2017-13053,CVE-2017-13054,CVE-2017-13055,CVE-2017-13687,CVE-2017-13688,CVE-2017-13689,CVE-2017-13690,CVE-2017-13725
Description:
This update for tcpdump to version 4.9.2 fixes several issues.

These security issues were fixed:

- CVE-2017-11108: Prevent remote attackers to cause DoS (heap-based buffer over-read and application crash) via crafted packet data. The crash occured in the EXTRACT_16BITS function, called from the stp_print function for the Spanning Tree Protocol (bsc#1047873, bsc#1057247).
- CVE-2017-11543: Prevent buffer overflow in the sliplink_print function in print-sl.c that allowed remote DoS (bsc#1057247).
- CVE-2017-13011: Prevent buffer overflow in bittok2str_internal() that allowed remote DoS (bsc#1057247)
- CVE-2017-12989: Prevent infinite loop in the RESP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12990: Prevent infinite loop in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12995: Prevent infinite loop in the DNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12997: Prevent infinite loop in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-11541: Prevent heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c that allowed remote DoS (bsc#1057247).
- CVE-2017-11542: Prevent heap-based buffer over-read in the pimv1_print function in print-pim.c that allowed remote DoS (bsc#1057247).
- CVE-2017-12893: Prevent buffer over-read in the SMB/CIFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12894: Prevent buffer over-read in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12895: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12896: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12897: Prevent buffer over-read in the ISO CLNS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12898: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12899: Prevent buffer over-read in the DECnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12900: Prevent buffer over-read in the in several protocol parsers that allowed remote DoS (bsc#1057247)
- CVE-2017-12901: Prevent buffer over-read in the EIGRP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12902: Prevent buffer over-read in the Zephyr parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12985: Prevent buffer over-read in the IPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12986: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12987: Prevent buffer over-read in the 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12988: Prevent buffer over-read in the telnet parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12991: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12992: Prevent buffer over-read in the RIPng parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12993: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12994: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12996: Prevent buffer over-read in the PIMv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12998: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-12999: Prevent buffer over-read in the IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13000: Prevent buffer over-read in the IEEE 802.15.4 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13001: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13002: Prevent buffer over-read in the AODV parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13003: Prevent buffer over-read in the LMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13004: Prevent buffer over-read in the Juniper protocols parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13005: Prevent buffer over-read in the NFS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13006: Prevent buffer over-read in the L2TP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13007: Prevent buffer over-read in the Apple PKTAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13008: Prevent buffer over-read in the IEEE 802.11 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13009: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13010: Prevent buffer over-read in the BEEP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13012: Prevent buffer over-read in the ICMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13013: Prevent buffer over-read in the ARP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13014: Prevent buffer over-read in the White Board protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13015: Prevent buffer over-read in the EAP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13016: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13017: Prevent buffer over-read in the DHCPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13018: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13019: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13020: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13021: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13022: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13023: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13024: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13025: Prevent buffer over-read in the IPv6 mobility parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13026: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13027: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13028: Prevent buffer over-read in the BOOTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13029: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13030: Prevent buffer over-read in the PIM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13031: Prevent buffer over-read in the IPv6 fragmentation header parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13032: Prevent buffer over-read in the RADIUS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13033: Prevent buffer over-read in the VTP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13034: Prevent buffer over-read in the PGM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13035: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13036: Prevent buffer over-read in the OSPFv3 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13037: Prevent buffer over-read in the IP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13038: Prevent buffer over-read in the PPP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13039: Prevent buffer over-read in the ISAKMP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13040: Prevent buffer over-read in the MPTCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13041: Prevent buffer over-read in the ICMPv6 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13042: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13043: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13044: Prevent buffer over-read in the HNCP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13045: Prevent buffer over-read in the VQP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13046: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13047: Prevent buffer over-read in the ISO ES-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13048: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13049: Prevent buffer over-read in the Rx protocol parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13050: Prevent buffer over-read in the RPKI-Router parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13051: Prevent buffer over-read in the RSVP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13052: Prevent buffer over-read in the CFM parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13053: Prevent buffer over-read in the BGP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13054: Prevent buffer over-read in the LLDP parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13055: Prevent buffer over-read in the ISO IS-IS parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13687: Prevent buffer over-read in the Cisco HDLC parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13688: Prevent buffer over-read in the OLSR parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13689: Prevent buffer over-read in the IKEv1 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13690: Prevent buffer over-read in the IKEv2 parser that allowed remote DoS (bsc#1057247)
- CVE-2017-13725: Prevent buffer over-read in the IPv6 routing header parser that allowed remote DoS (bsc#1057247)
- Prevent segmentation fault in ESP decoder with OpenSSL 1.1 (bsc#1057247)


-----------------------------------------
Patch: SUSE-2017-1790
Released: Fri Oct 27 14:38:45 2017
Summary: Initial release of cloud-netconfig
Severity: low
References: 1027212,1055553,1063292
Description:
This update adds the cloud-netconfig package, which provides scripts for
automatically configuring multiple network interfaces in EC2 and Azure instances.


-----------------------------------------
Patch: SUSE-2017-1796
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Severity: moderate
References: 1058722
Description:


This update for pcre fixes the following issues:

- Fixed the pcre stack frame size detection because modern compilers
  break it due to cloning and inlining pcre match() function (bsc#1058722)


-----------------------------------------
Patch: SUSE-2017-1802
Released: Tue Oct 31 12:05:17 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:

- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)


-----------------------------------------
Patch: SUSE-2017-1822
Released: Mon Nov  6 17:19:11 2017
Summary: Security update for SuSEfirewall2
Severity: moderate
References: 1064127,CVE-2017-15638
Description:
This update for SuSEfirewall2 fixes the following issues:

- CVE-2017-15638: Fixed security issue with too open implicit portmapper rules
  (bsc#1064127): A source net restriction for _rpc_ services
  was not taken into account for the implicitly added rules for port 111,
  making the portmap service accessible to everyone in the affected zone when
  the 'rpc' matching was used.


-----------------------------------------
Patch: SUSE-2017-1826
Released: Wed Nov  8 08:47:17 2017
Summary: Security update for krb5
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:

Security issues fixed:

- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)


-----------------------------------------
Patch: SUSE-2017-1794
Released: Thu Nov 16 11:17:40 2017
Summary: Security update for wget
Severity: important
References: 1064715,1064716,CVE-2017-13089,CVE-2017-13090
Description:


This update for wget fixes the following security issues:

- CVE-2017-13089,CVE-2017-13090: Missing checks for negative remaining_chunk_size in skip_short_body and fd_read_body could
  cause stack buffer overflows, which could have been exploited by malicious servers. (bsc#1064715,bsc#1064716)


-----------------------------------------
Patch: SUSE-2017-1881
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:


The GNU file utility was updated to version 5.22.

Security issues fixed:

- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

Version update to file version 5.22

* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

Version update to file version 5.21

* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current
  locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads

Update to file version 5.20

* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support

Additional non-security bug fixes:

* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)



-----------------------------------------
Patch: SUSE-2017-1882
Released: Wed Nov 22 16:58:12 2017
Summary: Recommended update for timezone
Severity: low
References: 1064571
Description:
This update provides the latest timezone information (2017c) for your system, including following changes:

- Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
- Fiji ends DST 2018-01-14, not 2018-01-21
- Namibia switches from +01/+02 to +02 on 2018-04-01
- Sudan switches from +03 to +02 on 2017-11-01
- Tonga likely switches from +13/+14 to +13 on 2017-11-05
- Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
- Corrections to past DST transitions
- Move oversized Canada/East-Saskatchewan to 'backward' file
- zic(8) and the reference runtime now reject multiple leap seconds within 28 days
  of each other, or leap seconds before the Epoch.


-----------------------------------------
Patch: SUSE-2017-1903
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:

Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service
  (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive
  modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before
  5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information
  or cause a denial of service (application crash) via a crafted regular expression with an invalid
  '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module
  before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving
  directory-permission loosening logic. (bnc#1047178)

Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround


-----------------------------------------
Patch: SUSE-2017-1916
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:

- Fix a regression in a previous update which caused libgcrypt to leak file descriptors
  causing failures when starting rtkit-daemon. (bsc#1059723)


-----------------------------------------
Patch: SUSE-2017-1917
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Severity: low
References: 1056437,1062591,1062592
Description:

The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.

New features:

- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for
  specific NVIDIA Card offload support.

The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived
libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new
warnings added and the error pin-pointing and fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened:

	https://gcc.gnu.org/gcc-7/changes.html


-----------------------------------------
Patch: SUSE-2017-1965
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libsolv:

- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.

libzypp:

- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.

zypper:

- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly
  used by rolling distributions like openSUSE Tumbleweed to remind their users to use
  'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands supporting to set only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands.
  (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Differ between unsupported and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only
  if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)


-----------------------------------------
Patch: SUSE-2017-1968
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:

- Fix df(1) to no longer interact with excluded file system types, so for example
  specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example no
  longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)


-----------------------------------------
Patch: SUSE-2017-1969
Released: Thu Nov 30 19:50:53 2017
Summary: Recommended update for libtool
Severity: low
References: 1056381
Description:
This update for libtool provides the following fix:

- Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries
  are properly installed. (bsc#1056381)


-----------------------------------------
Patch: SUSE-2017-1971
Released: Thu Nov 30 22:58:14 2017
Summary: Security update for binutils
Severity: moderate
References: 1003846,1025282,1029907,1029908,1029909,1029995,1030296,1030297,1030298,1030583,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1033122,1037052,1037057,1037061,1037062,1037066,1037070,1037072,1037273,1038874,1038875,1038876,1038877,1038878,1038880,1038881,1044891,1044897,1044901,1044909,1044925,1044927,1046094,1052061,1052496,1052503,1052507,1052509,1052511,1052514,1052518,1053347,1056312,1056437,1057139,1057144,1057149,1058480,1059050,1060599,1060621,1061241,437293,445037,546106,561142,578249,590820,691290,698346,713504,776968,863764,938658,970239,CVE-2014-9939,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7227,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-7614,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8395,CVE-2017-8396,CVE-2017-8397,CVE-2017-8398,CVE-2017-8421,CVE-2017-9038,CVE-2017-9039,CVE-2017-9040,CVE-2017-9041,CVE-2017-9042,CVE-2017-9043,CVE-2017-9044,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2017-9954,CVE-2017-9955
Description:


GNU binutil was updated to the 2.29.1 release, bringing various new features, fixing a lot of bugs and security issues.

Following security issues are being addressed by this release:

  * 18750 bsc#1030296 CVE-2014-9939
  * 20891 bsc#1030585 CVE-2017-7225
  * 20892 bsc#1030588 CVE-2017-7224
  * 20898 bsc#1030589 CVE-2017-7223
  * 20905 bsc#1030584 CVE-2017-7226
  * 20908 bsc#1031644 CVE-2017-7299
  * 20909 bsc#1031656 CVE-2017-7300
  * 20921 bsc#1031595 CVE-2017-7302
  * 20922 bsc#1031593 CVE-2017-7303
  * 20924 bsc#1031638 CVE-2017-7301
  * 20931 bsc#1031590 CVE-2017-7304
  * 21135 bsc#1030298 CVE-2017-7209 
  * 21137 bsc#1029909 CVE-2017-6965
  * 21139 bsc#1029908 CVE-2017-6966
  * 21156 bsc#1029907 CVE-2017-6969
  * 21157 bsc#1030297 CVE-2017-7210
  * 21409 bsc#1037052 CVE-2017-8392
  * 21412 bsc#1037057 CVE-2017-8393
  * 21414 bsc#1037061 CVE-2017-8394
  * 21432 bsc#1037066 CVE-2017-8396
  * 21440 bsc#1037273 CVE-2017-8421
  * 21580 bsc#1044891 CVE-2017-9746
  * 21581 bsc#1044897 CVE-2017-9747
  * 21582 bsc#1044901 CVE-2017-9748
  * 21587 bsc#1044909 CVE-2017-9750
  * 21594 bsc#1044925 CVE-2017-9755
  * 21595 bsc#1044927 CVE-2017-9756
  * 21787 bsc#1052518 CVE-2017-12448
  * 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450
  * 21933 bsc#1053347 CVE-2017-12799
  * 21990 bsc#1058480 CVE-2017-14333
  * 22018 bsc#1056312 CVE-2017-13757
  * 22047 bsc#1057144 CVE-2017-14129
  * 22058 bsc#1057149 CVE-2017-14130
  * 22059 bsc#1057139 CVE-2017-14128
  * 22113 bsc#1059050 CVE-2017-14529
  * 22148 bsc#1060599 CVE-2017-14745
  * 22163 bsc#1061241 CVE-2017-14974
  * 22170 bsc#1060621 CVE-2017-14729

Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:

  * The MIPS port now supports microMIPS eXtended Physical Addressing (XPA)
    instructions for assembly and disassembly.
  * The MIPS port now supports the microMIPS Release 5 ISA for assembly and
    disassembly.
  * The MIPS port now supports the Imagination interAptiv MR2 processor,
    which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple
    of implementation-specific regular MIPS and MIPS16e2 ASE instructions.
  * The SPARC port now supports the SPARC M8 processor, which implements the
    Oracle SPARC Architecture 2017.
  * The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for the wasm32 ELF conversion of the WebAssembly file format.
  * Add --inlines option to objdump, which extends the --line-numbers option
    so that inlined functions will display their nesting information.
  * Add --merge-notes options to objcopy to reduce the size of notes in
    a binary file by merging and deleting redundant notes.
  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.

- GAS specific:

  * Add support for ELF SHF_GNU_MBIND.
  * Add support for the WebAssembly file format and wasm32 ELF conversion.
  * PowerPC gas now checks that the correct register class is used in
    instructions.  For instance, 'addi %f4,%cr3,%r31' warns three times
    that the registers are invalid.
  * Add support for the Texas Instruments PRU processor.
  * Support for the ARMv8-R architecture and Cortex-R52 processor has been
    added to the ARM port.

- GNU ld specific:

  * Support for -z shstk in the x86 ELF linker to generate
    GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program properties.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_SHSTK in ELF GNU program
    properties in the x86 ELF linker.
  * Add support for GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties in the x86 ELF linker.
  * Support for -z ibtplt in the x86 ELF linker to generate IBT-enabled
    PLT.
  * Support for -z ibt in the x86 ELF linker to generate IBT-enabled
    PLT as well as GNU_PROPERTY_X86_FEATURE_1_IBT in ELF GNU program
    properties.
  * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX.
  * Add support for ELF GNU program properties.
  * Add support for the Texas Instruments PRU processor.
  * When configuring for arc*-*-linux* targets the default linker emulation will
    change if --with-cpu=nps400 is used at configure time.
  * Improve assignment of LMAs to orphan sections in some edge cases where a
    mixture of both AT>LMA_REGION and AT(LMA) are used.
  * Orphan sections placed after an empty section that has an AT(LMA) will now
    take an load memory address starting from LMA.
  * Section groups can now be resolved (the group deleted and the group members
    placed like normal sections) at partial link time either using the new
    linker option --force-group-allocation or by placing FORCE_GROUP_ALLOCATION
    into the linker script.

- Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
- Prepare riscv32 target (gh#riscv/riscv-newlib#8)
- Make compressed debug section handling explicit, disable for
  old products and enable for gas on all architectures otherwise. [bsc#1029995]
- Remove empty rpath component removal optimization from to workaround
  CMake rpath handling.  [bsc#1025282]


  Minor security bugs fixed:
  PR 21147, PR 21148, PR 21149, PR 21150, PR 21151, PR 21155, PR 21158, PR 21159

- Update to binutils 2.28.

  * Add support for locating separate debug info files using the build-id
    method, where the separate file has a name based upon the build-id of
    the original file.
  * This version of binutils fixes a problem with PowerPC VLE 16A and 16D
    relocations which were functionally swapped, for example,
    R_PPC_VLE_HA16A performed like R_PPC_VLE_HA16D while R_PPC_VLE_HA16D
    performed like R_PPC_VLE_HA16A.  This could have been fixed by
    renumbering relocations, which would keep object files created by an
    older version of gas compatible with a newer ld.  However, that would
    require an ABI update, affecting other assemblers and linkers that
    create and process the relocations correctly.  It is recommended that
    all VLE object files be recompiled, but ld can modify the relocations
    if --vle-reloc-fixup is passed to ld.  If the new ld command line
    option is not used, ld will ld warn on finding relocations inconsistent
    with the instructions being relocated.
  * The nm program has a new command line option (--with-version-strings)
    which will display a symbol's version information, if any, after the
    symbol's name.
  * The ARC port of objdump now accepts a -M option to specify the extra
    instruction class(es) that should be disassembled.
  * The --remove-section option for objcopy and strip now accepts section
    patterns starting with an exclamation point to indicate a non-matching
    section.  A non-matching section is removed from the set of sections
    matched by an earlier --remove-section pattern.
  * The --only-section option for objcopy now accepts section patterns
    starting with an exclamation point to indicate a non-matching section.
    A non-matching section is removed from the set of sections matched by
    an earlier --only-section pattern.
  * New --remove-relocations=SECTIONPATTERN option for objcopy and strip.
    This option can be used to remove sections containing relocations.
    The SECTIONPATTERN is the section to which the relocations apply, not
    the relocation section itself.

- GAS specific:

  * Add support for the RISC-V architecture.
  * Add support for the ARM Cortex-M23 and Cortex-M33 processors.

- GNU ld specific:

  * The EXCLUDE_FILE linker script construct can now be applied outside of the
    section list in order for the exclusions to apply over all input sections
    in the list.
  * Add support for the RISC-V architecture.
  * The command line option --no-eh-frame-hdr can now be used in ELF based
    linkers to disable the automatic generation of .eh_frame_hdr sections.
  * Add --in-implib=<infile> to the ARM linker to enable specifying a set of
    Secure Gateway veneers that must exist in the output import library
    specified by --out-implib=<outfile> and the address they must have.
    As such, --in-implib is only supported in combination with --cmse-implib.
  * Extended the --out-implib=<file> option, previously restricted to x86 PE
    targets, to any ELF based target.  This allows the generation of an import
    library for an ELF executable, which can then be used by another application
    to link against the executable.

- GOLD specific:

  * Add -z bndplt option (x86-64 only) to support Intel MPX.
  * Add --orphan-handling option.
  * Add --stub-group-multi option (PowerPC only).
  * Add --target1-rel, --target1-abs, --target2 options (Arm only).
  * Add -z stack-size option.
  * Add --be8 option (Arm only).
  * Add HIDDEN support in linker scripts.
  * Add SORT_BY_INIT_PRIORITY support in linker scripts.

- Other fixes:

  * Fix section alignment on .gnu_debuglink. [bso#21193]
  * Add s390x to gold_archs.
  * Fix alignment frags for aarch64 (bsc#1003846)
  * Call ldconfig for libbfd
  * Fix an assembler problem with clang on ARM.
  * Restore monotonically increasing section offsets.


- Update to binutils 2.27.

  * Add a configure option, --enable-64-bit-archive, to force use of a
    64-bit format when creating an archive symbol index.
  * Add --elf-stt-common= option to objcopy for ELF targets to control
    whether to convert common symbols to the STT_COMMON type.

- GAS specific:

  * Default to --enable-compressed-debug-sections=gas for Linux/x86 targets.
  * Add --no-pad-sections to stop the assembler from padding the end of output
    sections up to their alignment boundary.
  * Support for the ARMv8-M architecture has been added to the ARM port.
    Support for the ARMv8-M Security and DSP Extensions has also been added
    to the ARM port.
  * ARC backend accepts .extInstruction, .extCondCode, .extAuxRegister, and
    .extCoreRegister pseudo-ops that allow an user to define custom
    instructions, conditional codes, auxiliary and core registers.
  * Add a configure option --enable-elf-stt-common to decide whether ELF
    assembler should generate common symbols with the STT_COMMON type by
    default.  Default to no.
  * New command line option --elf-stt-common= for ELF targets to control
    whether to generate common symbols with the STT_COMMON type.
  * Add ability to set section flags and types via numeric values for ELF
    based targets.
  * Add a configure option --enable-x86-relax-relocations to decide whether
    x86 assembler should generate relax relocations by default.  Default to
    yes, except for x86 Solaris targets older than Solaris 12.
  * New command line option -mrelax-relocations= for x86 target to control
    whether to generate relax relocations.
  * New command line option -mfence-as-lock-add=yes for x86 target to encode
    lfence, mfence and sfence as 'lock addl $0x0, (%[re]sp)'.
  * Add assembly-time relaxation option for ARC cpus.
  * Add --with-cpu=TYPE configure option for ARC gas.  This allows the default
    cpu type to be adjusted at configure time.

- GOLD specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled by default.  Default to yes.
  * Add support for s390, MIPS, AArch64, and TILE-Gx architectures.
  * Add support for STT_GNU_IFUNC symbols.
  * Add support for incremental linking (--incremental).

- GNU ld specific:

  * Add a configure option --enable-relro to decide whether -z relro should
    be enabled in ELF linker by default.  Default to yes for all Linux
    targets except FRV, HPPA, IA64 and MIPS.
  * Support for -z noreloc-overflow in the x86-64 ELF linker to disable
    relocation overflow check.
  * Add -z common/-z nocommon options for ELF targets to control whether to
    convert common symbols to the STT_COMMON type during a relocatable link.
  * Support for -z nodynamic-undefined-weak in the x86 ELF linker, which
    avoids dynamic relocations against undefined weak symbols in executable.
  * The NOCROSSREFSTO command was added to the linker script language.
  * Add --no-apply-dynamic-relocs to the AArch64 linker to do not apply
    link-time values for dynamic relocations.



-----------------------------------------
Patch: SUSE-2017-1974
Released: Fri Dec  1 11:30:25 2017
Summary: Recommended update for zip
Severity: low
References: 1068346
Description:

This update for zip provides the following fix:

- Fix memory leaks when appending files (bsc#1068346)


-----------------------------------------
Patch: SUSE-2017-2000
Released: Tue Dec  5 17:38:55 2017
Summary: Security update for libXcursor
Severity: moderate
References: 1065386,CVE-2017-16612
Description:
This update for libXcursor fixes the following issues:

Security issue fixed:

- CVE-2017-16612: Fix integeroverflow while parsing images and a signedness issue while parsing comments (bsc#1065386).


-----------------------------------------
Patch: SUSE-2017-2009
Released: Thu Dec  7 13:21:49 2017
Summary: Security update for openssh
Severity: moderate
References: 1006166,1048367,1065000,1068310,1069509,CVE-2008-1483,CVE-2017-15906
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000).

Bug fixes:

- FIPS: Startup selfchecks (bsc#1068310).
- FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166).
- Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509).
- Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367)


-----------------------------------------
Patch: SUSE-2017-2021
Released: Fri Dec  8 10:11:04 2017
Summary: Recommended update for file
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.

-----------------------------------------
Patch: SUSE-2017-2022
Released: Fri Dec  8 12:26:48 2017
Summary: Recommended update for compat-openssl098
Severity: moderate
References: 1032261,1034941,1065363
Description:
This update for compat-openssl098 fixes the following issues:

Bugs fixed:

- Backport the alternative SSL root CA chain lookup patches (bsc#1032261)
- Fixed a crash in DES_fcrypt (bsc#1065363)
- backported the DEFAULT_SUSE cipher list alias (bsc#1034941)


-----------------------------------------
Patch: SUSE-2017-2042
Released: Wed Dec 13 20:09:44 2017
Summary: Recommended update for libXext
Severity: low
References: 1067406
Description:
This update for libXext provides the following fix:

- Remove warning messages about missing Xge extension when translating events in a mixed
  Xlib/xcb scenario, causing the ~/.xsession-errors file to be massively filled. (bsc#1067406)


-----------------------------------------
Patch: SUSE-2017-2044
Released: Thu Dec 14 09:54:35 2017
Summary: Recommended update for psmisc
Severity: low
References: 908068
Description:
This update for psmisc provides the following fixes:

- Use mountinfo to distinguish different mounts with same device number as it happens with NFS shares. (bsc#908068)
- Smaller cleanup as support of chroot environments and older systems.
- Add support for name_to_handle_at() system call to get the real mount ID for each file.
- Run even on older kernels missing mnt_id tag in fdinfo.


-----------------------------------------
Patch: SUSE-2017-2088
Released: Fri Dec 15 14:10:31 2017
Summary: Recommended update for hwinfo
Severity: low
References: 1041090,1047218,1051076,1062562
Description:

This update for hwinfo fixes the following issues:

- Support SMBIOS 3.0 spec (bsc#1062562)
- Ensure /var/lib/hardware/udi exists and with 755 permissions
- Sort input files (bsc#1041090)
- Allow to override current time (bsc#1047218)
- Really set default timeout to 20s for Video BIOS emulation calls


-----------------------------------------
Patch: SUSE-2017-2102
Released: Tue Dec 19 08:41:38 2017
Summary: Security update for python-PyJWT
Severity: moderate
References: 1054106,CVE-2017-12880
Description:
This update for python-PyJWT fixes the following issues:

- CVE-2017-12880: fix symmetric/asymmetric confusion when handling PKCS1 public keys (bsc#1054106)


-----------------------------------------
Patch: SUSE-2017-2111
Released: Wed Dec 20 12:12:49 2017
Summary: Security update for Salt
Severity: moderate
References: 1041993,1042749,1050003,1059291,1059758,1060230,1062462,1062464,985112,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt fixes one security issue and bugs.

The following security issues have been fixed:

- CVE-2017-14695: A directory traversal vulnerability in minion id validation allowed remote minions with incorrect
  credentials to authenticate to a master via a crafted minion ID. (bsc#1062462)
- CVE-2017-14696: It was possible to force a remote Denial of Service with a specially crafted authentication 
  request. (bsc#1062464)

Additionally, the following non-security issues have been fixed:

- Removed deprecation warning for beacon configuration using dictionaries. (bsc#1041993)
- Fixed beacons failure when pillar-based suppressing config-based. (bsc#1060230)
- Fixed minion resource exhaustion when many functions are being executed in parallel. (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd. (bsc#985112)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Catching error when PIDfile cannot be deleted. (bsc#1050003)
- Use $HOME to get the user home directory instead using '~' char. (bsc#1042749)


-----------------------------------------
Patch: SUSE-2017-2145
Released: Fri Dec 22 16:38:01 2017
Summary: Recommended update for tk and tcl
Severity: low
References: 903017
Description:

This update of tk and tcl to version 8.6.7 brings many improvements and fixes including,
but not limited to, the following highlights:

- Fix a bug in Itcl that was causing the floor tool to print lots of errors and abort.
  (bsc#903017)
- Fix a crash in asynchronous connection to hosts when no address is given.
- Fix possible crashes when closing multithreaded applications.
- Fix a memory leak in [history] destruction.
- Fix a crash in Tcl_ListObjReplace().
- Invalidate VFS mounts on sytem encoding change.
- Repair drifts in timer clock when calling Tcl_GetTime from tcl-clock module.
- Fix a crash when requesting too much character data in binary scan.
- Fix a memory leak when calling geturl from the http package.
- Fix an integer overflow in [lsort] on very long lists.
- Fix a memory leak when calling TclJoinPath.
- Fix a memory leak due to a reference cycle in foreach loops.
- Fix a crash caused by an optimization in the compilation of [string replace].
- Fix a memory corruption in assembler exceptions.
- Fix a crash due to [vwait] trace undo fail.
- Fix a crash when invoking [glob -path a].
- Fix a crash in [dict update] after using lassign in an item.
- Fix a crash in [chan configure -dictionary].
- Make it possible to specify different values for the -accept option when running multiple
  asynchronous http: requests without incurring in race conditions.
- Fix a crash when calling the [expr] command while the application is being traced.
- Avoid leaking memory in Tcl_ZlibInflate when running into error conditions.
- Fix some writes beyond buffer bounds.
- Fix a memory leak in array when unsetting keys from a proc.
- Fix a lock in forking a process under heavy multithreading.
- Fix a crash caused by an allocation overflow when parsing a very large expression.
- Many fixes and improvements to regexp engine from Postgres.
- Fix a segmentation fault due to an integer overflow in TranslateInputEOL().
- Fix multiple crashes in OO teardown.
- Stop crashes when extension var resolvers misbehave.
- Fix using [read] to read past the EOF so that it works on serial devices.
- Fix a regression causing a crash in [oo::class destroy].
- Fix a segmentation fault in mangled bytecode.
- Fix a hang in some [read]s of limited size in UTF-8 channels.
- Fix a segmentation fault in [array set] of traced array.

The following fixes might show some potential incompatibilities with existing software:
- Allow an empty command to be the target of an alias.
- Reconcile libtommath updates, purging some unused files.
- Handle invalid UTF-8 characters correctly in Tcl_UtfToUniChar() to prevent the injection
  of unexpected characters.
- Update Unicode data to 10.0
- Fix some problems in the compilation of [lreplace].
- Fix using parameters with spaces in error messages.
- Make it possible to use [namespace upvar] when the target variable is also a variable of
  the class.
- Change the default transfer encoding to gzip in the http package to be more compatible.
- Limit $... and bareword parsing to ASCII characters only.


-----------------------------------------
Patch: SUSE-2017-2155
Released: Wed Dec 27 16:50:14 2017
Summary: Security update for gdk-pixbuf
Severity: low
References: 1053417
Description:

This update for gdk-pixbuf provides the following fixes:

- Add overflow checks when creating pixbuf structures in general
- Fix arithmetic overflow in the BMP loader (bsc#1053417) 
- Adds support for BMPv3 with bitmasks (bsc#1053417) 


-----------------------------------------
Patch: SUSE-2017-2160
Released: Fri Dec 29 23:11:36 2017
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1070162,CVE-2016-10165,CVE-2016-9841,CVE-2017-10281,CVE-2017-10285,CVE-2017-10293,CVE-2017-10295,CVE-2017-10345,CVE-2017-10346,CVE-2017-10347,CVE-2017-10348,CVE-2017-10349,CVE-2017-10350,CVE-2017-10355,CVE-2017-10356,CVE-2017-10357,CVE-2017-10388
Description:
This update for java-1_7_1-ibm fixes the following issues:

- Security update to version 7.1.4.15 [bsc#1070162]
  
  * CVE-2017-10349: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10348: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10388: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2016-9841:  'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10293: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10345: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10350: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10356: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10357: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10347: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10355: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10285: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10281: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10295: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2017-10346: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'

  * CVE-2016-10165: 'Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).'
  
  

-----------------------------------------
Patch: SUSE-2018-4
Released: Tue Jan  2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605)

zypper:

- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)


-----------------------------------------
Patch: SUSE-2018-17
Released: Thu Jan  4 11:49:33 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1059075
Description:


This update for gcc48 fixes the following issues with an earlier security fix:

- Add support for zero-sized VLAs and allocas with -fstack-clash-protection.  (bnc#1059075)



-----------------------------------------
Patch: SUSE-2018-22
Released: Fri Jan  5 11:42:02 2018
Summary: Recommended update for python-configobj
Severity: low
References: 1035106
Description:
This update for python-configobj provides the following fixes:

- Improves error messages in certain edge cases
- Added runtime dependency: python-six
- Fix error when writing out config files to disk with non-ascii characters
- Documentation corrections


-----------------------------------------
Patch: SUSE-2018-36
Released: Tue Jan  9 11:50:12 2018
Summary: Initial release of galera-python-clustercheck
Severity: low
References: 1072588
Description:
This update adds the galera-python-clustercheck package, which provides improved haproxy failover detection for MariaDB
with Galera.

-----------------------------------------
Patch: SUSE-2018-59
Released: Fri Jan 12 11:18:44 2018
Summary: Security update for tiff
Severity: important
References: 1017690,1069213,960341,969783,983436,CVE-2014-8128,CVE-2015-7554,CVE-2016-10095,CVE-2016-5318,CVE-2017-16232
Description:
This update for tiff to version 4.0.9 fixes the following issues:

Security issues fixed:

- CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783).
- CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341).
- CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690).
- CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436).
- CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213).


-----------------------------------------
Patch: SUSE-2018-66
Released: Fri Jan 12 16:20:16 2018
Summary: Recommended update for at-spi2-core
Severity: low
References: 1073027
Description:
This update for at-spi2-core provides the following fix:

- Fix a possible buffer overflow on reading dbus address in at-spi-bus-launcher. (bsc#1073027)


-----------------------------------------
Patch: SUSE-2018-68
Released: Mon Jan 15 11:30:39 2018
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.

The following vulnerabilities were fixed:

- CVE-2016-4912: A remote attacker could have crashed the server with a large
  number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having
  unspecified impact (bsc#1001600)

The following bugfix changes are included:

- bsc#994989: Removed convenience code as changes bytes in the message buffer
  breaking the verification code
- bsc#974655: Removed no longer needed slpd init file


-----------------------------------------
Patch: SUSE-2018-72
Released: Mon Jan 15 13:36:30 2018
Summary: Recommended update for OpenIPMI
Severity: moderate
References: 1060118
Description:
This update for OpenIPMI provides the following fix:

- Fix a crash at startup by making sure gui_winsys.py is properly installed. (bsc#1060118)


-----------------------------------------
Patch: SUSE-2018-86
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).


-----------------------------------------
Patch: SUSE-2018-89
Released: Wed Jan 17 14:42:04 2018
Summary: Security update for perl-XML-LibXML
Severity: moderate
References: 1046848,CVE-2017-10672
Description:
This update for perl-XML-LibXML fixes the following issues:

Security issue fixed:

- CVE-2017-10672: Fix use-after-free that allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call (bsc#1046848).


-----------------------------------------
Patch: SUSE-2018-100
Released: Thu Jan 18 14:40:35 2018
Summary: Security update for gd
Severity: moderate
References: 1056993,CVE-2017-6362
Description:
This update for gd fixes one issues.

This security issue was fixed:

- CVE-2017-6362: Prevent double-free in gdImagePngPtr() that potentially allowed for DoS or remote code execution (bsc#1056993).


-----------------------------------------
Patch: SUSE-2018-108
Released: Fri Jan 19 16:02:13 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1074621
Description:

  
This update for gcc48 fixes the following issues:

Added support for generation of retpolines on x86_64. [bnc#1074621]

This support is used for building the Linux Kernel with retpoline support
to mitigate the Spectre Variant 2 attack.

New compiler options have been added to specify specific code generation:

* -mindirect-branch=keep
* -mindirect-branch=thunk
* -mindirect-branch=thunk-extern
* -mindirect-branch=thunk-inline
* -mindirect-branch-register
* -mfunction-return=keep
* -mfunction-return=thunk
* -mfunction-return=thunk-extern
* -mfunction-return=thunk-inline



-----------------------------------------
Patch: SUSE-2018-118
Released: Mon Jan 22 13:37:47 2018
Summary: Security update for procmail
Severity: moderate
References: 1068648,CVE-2017-16844
Description:
This update for procmail fixes the following issues:

- CVE-2017-16844: Heap-based buffer overflow in loadbuf function could lead to remote denial of service (bsc#1068648)
  


-----------------------------------------
Patch: SUSE-2018-127
Released: Tue Jan 23 13:37:09 2018
Summary: Security update for libvpx
Severity: moderate
References: 1075992,CVE-2017-13194
Description:
This update for libvpx fixes one issues.

This security issue was fixed: 

- CVE-2017-13194: Fixed incorrect memory allocation related to odd frame width (bsc#1075992).


-----------------------------------------
Patch: SUSE-2018-129
Released: Tue Jan 23 14:46:32 2018
Summary: Recommended update for python-py
Severity: low
References: 1073879
Description:
This update for python-py adds the Python 3 sub-package to the codestream.


-----------------------------------------
Patch: SUSE-2018-143
Released: Wed Jan 24 17:37:04 2018
Summary: Security update for libevent
Severity: moderate
References: 1022917,1022918,1022919,CVE-2016-10195,CVE-2016-10196,CVE-2016-10197
Description:
This update for libevent fixes the following security issues:

- CVE-2016-10195: DNS remote stack overread vulnerability (bsc#1022917) 
- CVE-2016-10196: stack/buffer overflow in evutil_parse_sockaddr_port() (bsc#1022918) 
- CVE-2016-10197: out-of-bounds read in search_make_new() (bsc#1022919) 


-----------------------------------------
Patch: SUSE-2018-146
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:

- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)


-----------------------------------------
Patch: SUSE-2018-178
Released: Mon Jan 29 09:55:25 2018
Summary: Security update for gd
Severity: moderate
References: 1076391,CVE-2018-5711
Description:
This update for gd fixes one issues.

This security issue was fixed:

- CVE-2018-5711: Prevent integer signedness error that could have lead to an
  infinite loop via a crafted GIF file allowing for DoS (bsc#1076391)


-----------------------------------------
Patch: SUSE-2018-184
Released: Mon Jan 29 16:05:12 2018
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1043853,1049673,1055271,1074009
Description:
This update for mozilla-nss provides the following fixes:

- Change DRBG to use the getrandom() kernel interface instead of /dev/urandom (bsc#1043853).
- Add patches for strengthening and FIPS compliance (bsc#1055271, bsc#1049673):
  * Use getrandom() instead of /dev/random and /dev/urandom where available.
  * Remove continuous DRBG test. This is no longer required for FIPS compliance.
  * Add DSA known answer POST.
  * Add ECDSA known answer POST.
  * Use FIPS compliant hash length in pairwise consistency check.
  * Make RSA key generation parameters more strict in order to meet FIPS criteria.
  * Add DH and ECDH known answer POSTs.
  * Add KDF135 CAVS test.
  * Add keywrapping CAVS test.
  * Add KAS FFC CAVS test.
  * Add KAS ECC CAVS test.
  * Restrict number of bytes generated per GCM IV for FIPS compliance.
  * Add helpers required by new CAVS tests.
  * Add fixes to make DSA CAVS tests pass.
  * Add fixes to make RSA CAVS tests pass.
  * Add constructor POSTs.
  * Disable weak ciphers in FIPS mode.
  * Prevent wraparounds in CTR mode.
  * Clear various sensitive parameters from memory when no longer in use.
  * Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5, which is
    otherwise banned.
  * Use strong random pool (/dev/random or getrandom() with GRND_RANDOM instead of their
    more dilute counterparts) in FIPS mode.
- We allow AESNI by default now. This can be disabled at runtime by defining NSS_DISABLE_HW_AES
  in the environment.
- Export NSS_FORCE_FIPS=1 for build, since this is needed now to prevent NSS from passing
  -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.


-----------------------------------------
Patch: SUSE-2018-209
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.

These security issues were fixed:

- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat
  function in strings.c that might have lead to a remote denial of service attack
  (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in
  progs/dump_entry.c that might have lead to a remote denial of service attack
  (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function
  postprocess_termcap() in parse_entry.c that might have lead to a remote denial
  of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function
  _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial
  of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function
  in alloc_entry.c that might have lead to a remote denial of service attack
  (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in
  comp_scan.c that might have lead to a remote denial of service attack
  (bsc#1056136).


-----------------------------------------
Patch: SUSE-2018-214
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.

This security issue was fixed:

- CVE-2018-6003: Prevent a stack exhaustion in  _asn1_decode_simple_ber
  (lib/decoding.c) when decoding BER encoded structure allowed for DoS
  (bsc#1076832).


-----------------------------------------
Patch: SUSE-2018-231
Released: Thu Feb  1 09:56:36 2018
Summary: Recommended update for systemd-rpm-macros
Severity: low
References: 1071543,1073715
Description:
This update for systemd-rpm-macros provides the following fixes:

- Make sure to apply presets if packages start shipping units during upgrades.
  (bsc#1071543, bsc#1073715)
- Remove a useless test in %service_add_pre(). The test was placed where the condition
  '[ '$FIRST_ARG' -gt 1 ]' was always true.


-----------------------------------------
Patch: SUSE-2018-236
Released: Thu Feb  1 12:38:32 2018
Summary: Security update for libXdmcp
Severity: moderate
References: 1025046,CVE-2017-2625
Description:
This update for libXdmcp fixes the following issues:

- CVE-2017-2625: The generation of session key in XDM using libXdmcp might have used weak entropy, making
  the session keys predictable (bsc#1025046)



-----------------------------------------
Patch: SUSE-2018-237
Released: Thu Feb  1 12:38:57 2018
Summary: Security update for libICE
Severity: moderate
References: 1025068,CVE-2017-2626
Description:
This update for libICE fixes the following issues:

- CVE-2017-2626: Creation of the ICE auth session cookies used insufficient randomness, making these cookies
  predictable. A more random generation method has been implemented. (boo#1025068)



-----------------------------------------
Patch: SUSE-2018-238
Released: Thu Feb  1 16:35:51 2018
Summary: Security update for jasper
Severity: moderate
References: 1009994,1010756,1010757,1010766,1010774,1010782,1010968,1010975,1047958,CVE-2016-9262,CVE-2016-9388,CVE-2016-9389,CVE-2016-9390,CVE-2016-9391,CVE-2016-9392,CVE-2016-9393,CVE-2016-9394,CVE-2017-1000050
Description:
This update for jasper fixes the following issues:

Security issues fixed:
- CVE-2016-9262: Multiple integer overflows in the jas_realloc function in base/jas_malloc.c and
  mem_resize function in base/jas_stream.c allow remote attackers to cause a denial of service via
  a crafted image, which triggers use after free vulnerabilities. (bsc#1009994)
- CVE-2016-9388: The ras_getcmap function in ras_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted image file. (bsc#1010975)
- CVE-2016-9389: The jpc_irct and jpc_iict functions in jpc_mct.c allow remote attackers to cause a
  denial of service (assertion failure). (bsc#1010968)
- CVE-2016-9390: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted image file. (bsc#1010774)
- CVE-2016-9391: The jpc_bitstream_getbits function in jpc_bs.c allows remote attackers to cause a
  denial of service (assertion failure) via a very large integer. (bsc#1010782)
- CVE-2017-1000050: The jp2_encode function in jp2_enc.c allows remote attackers to cause a denial
  of service. (bsc#1047958)

CVEs already fixed with previous update:
- CVE-2016-9392: The calcstepsizes function in jpc_dec.c allows remote attackers to cause a denial
  of service (assertion failure) via a crafted file. (bsc#1010757)
- CVE-2016-9393: The jpc_pi_nextrpcl function in jpc_t2cod.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010766)
- CVE-2016-9394: The jas_seq2d_create function in jas_seq.c allows remote attackers to cause a
  denial of service (assertion failure) via a crafted file. (bsc#1010756)


-----------------------------------------
Patch: SUSE-2018-243
Released: Fri Feb  2 09:13:13 2018
Summary: Recommended update for mozilla-nss
Severity: important
References: 1078190,1078333
Description:
This update for mozilla-nss fixes the following issue:

- This update remedies a regression caused by a previous update of mozilla-nss
  that affected users of FIPS mode. [bsc#1078333, bsc#1078190]


-----------------------------------------
Patch: SUSE-2018-250
Released: Fri Feb  2 17:33:48 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073275
Description:
This update provides the latest timezone information (2018c) for your system, including following changes:

- Sao Tome and Principe switched from +00 to +01 on 2018-01-01.
- Southern Brazil's DST will now start on November's first Sunday. (bsc#1073275)
- New zic option -t to specify the time zone file if TZ is unset.


-----------------------------------------
Patch: SUSE-2018-261
Released: Tue Feb  6 11:24:15 2018
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1062937,CVE-2017-15232
Description:
This update for libjpeg-turbo fixes the following issues:

Feature update:

- Update from version 1.3.1 to version 1.5.2 (fate#324061).
  
Security issue fixed:

- CVE-2017-15232: Fix NULL pointer dereference in jdpostct.c and jquant1.c (bsc#1062937).


-----------------------------------------
Patch: SUSE-2018-264
Released: Tue Feb  6 12:58:02 2018
Summary: Recommended update for SuSEfirewall2
Severity: moderate
References: 1069760,1074933,1075251
Description:
This update for SuSEfirewall2 provides the following fixes:

- Fix a regression in setting up the final LOG/DROP/REJECT rules for IPv6. (bsc#1075251)
- Remove duplicate rules created in the context of dynamic RPC rules. (bsc#1069760)
- Fix an issue in the logging logic to show the correct PID and avoid losing log lines.
- Set RPC related rules also for IPv6. (bsc#1074933)


-----------------------------------------
Patch: SUSE-2018-265
Released: Tue Feb  6 14:58:28 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390
Description:

  
This update for ca-certificates-mozilla fixes the following issues:

The system SSL root certificate store was updated to Mozilla certificate
version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

We removed the old 1024 bit legacy CAs that were temporary left in to allow
in-chain root certificates as openssl is now able to handle it.

Further changes coming from Mozilla:

- New Root CAs added:

  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

- Removed root CAs:

  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China

- Removed Code Signing rights from a lot of CAs (not listed here).

- Removed Server Auth rights from:

  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2



-----------------------------------------
Patch: SUSE-2018-268
Released: Wed Feb  7 10:58:42 2018
Summary: Recommended update for python-ecdsa
Severity: low
References: 152667
Description:

This update syncs the python-ecdsa versions between the SUSE Linux Enterprise 12 Public Cloud Modules.
  

-----------------------------------------
Patch: SUSE-2018-276
Released: Thu Feb  8 17:47:43 2018
Summary: Security update for libxml2
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes one issue.

This security issue was fixed:

- CVE-2017-15412: Prevent use after free when calling XPath extension functions
  that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed
  remote attackers to cause a denial of service or possibly have
  unspecified other impact via vectors related to the XPointer range-to
  function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function
  xmlMemoryStrdup() (bsc#1078806)

  

-----------------------------------------
Patch: SUSE-2018-282
Released: Fri Feb  9 15:12:31 2018
Summary: Recommended update for sapconf
Severity: low
References: 1057986
Description:
This update for sapconf provides the following fix:

- Fix a variable assignment that was preventing the pagecache_limit_mb from being calculated
  correctly. (bsc#1057986)


-----------------------------------------
Patch: SUSE-2018-286
Released: Fri Feb  9 16:48:50 2018
Summary: Security update for freetype2
Severity: important
References: 1028103,1035807,1036457,1079600,CVE-2016-10244,CVE-2017-7864,CVE-2017-8105,CVE-2017-8287
Description:

  
This update for freetype2 fixes the following security issues:

- CVE-2016-10244: Make sure that the parse_charstrings function in
  type1/t1load.c does ensure that a font contains a glyph name to prevent a DoS
  through a heap-based buffer over-read or possibly have unspecified other
  impact via a crafted file (bsc#1028103)
- CVE-2017-8105: Fix an out-of-bounds write caused by a heap-based
  buffer overflow related to the t1_decoder_parse_charstrings function in
  psaux/t1decode.ca (bsc#1035807)
- CVE-2017-8287: an out-of-bounds write caused by a heap-based buffer
  overflow related to the t1_builder_close_contour function in psaux/psobjs.c
  (bsc#1036457)
- Fix several integer overflow issues in truetype/ttinterp.c (bsc#1079600)


-----------------------------------------
Patch: SUSE-2018-291
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fix:

- Allow process group assignment on all kernel versions to fix the usage of debug traps.
  (bsc#1057452)
- Fix a crash when filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.


-----------------------------------------
Patch: SUSE-2018-336
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issues:

- A DB_CONFIG file in the current working directory allowed local
  users to obtain sensitive information via a symlink attack
  involving a setgid or setuid application using libdb-4_8. (bsc#1043886)


-----------------------------------------
Patch: SUSE-2018-341
Released: Wed Feb 21 16:25:20 2018
Summary: Recommended update for cloud-init
Severity: low
References: 1035106,1042913,1047363,1055649,1063716,1064594,1064854,1069471
Description:
This update provides cloud-init 17.1, which brings fixes and enhancements:

- Fix sed expression to set the distribution name in spec file. (bsc#1063716)
- Support user processes running in cloud-init-final to consume a large number of threads. (bsc#1047363)
- Start after dbus.service, needed by hostnamectl. (bsc#1055649)
- Adjust SUSE template. (bsc#1064594)
- Don't ignore network settings from config-drive in external network. (bsc#1064854)
- Fix cc_resizefs to not fail if the current root is a read-only btrfs subvolume. (bsc#1042913)

For a comprehensive list of changes please refer to the package's change log.

Additionally, cloud-init-config-caasp has been updated to stay compatible with the new version of cloud-init.

- Enable growpart and resizefs modules by default. (bsc#1069471)


-----------------------------------------
Patch: SUSE-2018-351
Released: Fri Feb 23 18:37:13 2018
Summary: Security update for dhcp
Severity: moderate
References: 1023415,1059061,1073935,1076119,987170,CVE-2017-3144
Description:
 This update for dhcp fixes several issues.

This security issue was fixed:

- CVE-2017-3144: OMAPI code didn't free socket descriptors when empty message
  is received allowing DoS (bsc#1076119).

These non-security issues were fixed:

- Optimized if and when DNS client context and ports are initted (bsc#1073935)
- Relax permission of dhclient-script for libguestfs (bsc#987170)
- Modify dhclient-script to handle static route updates (bsc#1023415).
- Use only the 12 least significant bits of an inbound packet's TCI value as the VLAN ID
  to fix some packages being wrongly discarded by the Linux packet filter. (bsc#1059061)


-----------------------------------------
Patch: SUSE-2018-375
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Severity: low
References: 1009905,1063910
Description:

This update for net-tools provides the following fix:

- netstat: fix handling of large socket numbers (bsc#1063910)


-----------------------------------------
Patch: SUSE-2018-377
Released: Wed Feb 28 21:31:59 2018
Summary: Recommended update for Salt
Severity: moderate
References: 1050003,1063419,1065792,1068446,1068566,1071322,1072218,1073618,1074227,1078001
Description:
This update for salt fixes the following issues:

- Fix state files with unicode. (bsc#1074227)
- Catch ImportError for kubernetes.client import. (bsc#1078001)
- Fix epoch handling for Rhel 6 and 7.
- Fix zypper module to return UTC dates on 'pkg.list_downloaded'.
- Fix return value parsing when calling vm_state. (bsc#1073618)
- Fix 'user.present' when 'gid_from_name' is set but group does not exist.
- Split only strings, if they are such. (bsc#1072218)
- Feat: Add grain for all FQDNs. (bsc#1063419)
- Fix 'No service execution module loaded' issue. (bsc#1065792)
- Removed unnecessary logging on shutdown. (bsc#1050003)
- Add grain for retrieving FQDNs. (bsc#1063419)
- Older logrotate need su directive. (bsc#1071322)
- Fix for wrong version processing during yum pkg install. (bsc#1068566)
- Avoid excessive syslogging by watchdog cronjob.
- Check pillar: Fix the logic according to the exact described purpose of the function. (bsc#1068446)

-----------------------------------------
Patch: SUSE-2018-410
Released: Mon Mar  5 10:42:31 2018
Summary: Security update for cups
Severity: important
References: 1081557,CVE-2017-18190
Description:
This update for cups fixes the following issues:

- CVE-2017-18190: Removed localhost.localdomain from list
  of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP
  command execution in conjunction with DNS rebinding.
  (bsc#1081557)


-----------------------------------------
Patch: SUSE-2018-416
Released: Mon Mar  5 20:10:33 2018
Summary: Recommended update for icewm
Severity: low
References: 1026134
Description:

This update for icewm provides the following fixes:

- Use 'mutt' as the mail client linked in the system tray icon. Previously it
  attempted to run 'alpine', which is not available on SUSE Linux Enterprise.
  (bsc#1026134)


-----------------------------------------
Patch: SUSE-2018-417
Released: Mon Mar  5 20:11:31 2018
Summary: Recommended update for supportutils
Severity: low
References: 1051237,1074866,1074867,1074868
Description:
This update for supportutils provides the following fixes:

- Fix picking up Infiniband data by requiring rdma-core. (bsc#1051237)
- route replaced with ip route list (bsc#1074866)
- Added systemd-delta to systemd.txt (bsc#1074867)
- Changed from repos -u to repos -d to get the repos service included in supportconfig.
  (bsc#1074868)


-----------------------------------------
Patch: SUSE-2018-425
Released: Wed Mar  7 20:45:27 2018
Summary: Recommended update for yast2, yast2-nfs-client, yast2-services-manager
Severity: moderate
References: 1037214,1037891,1045658,1049138,1058376,1061306,1064437,1075535,1077310,956755
Description:
This update for yast2, yast2-nfs-client and yast2-services-manager provides fixes and enhancements:

- Use fewer calls to systemctl to speed up startup. (bsc#1045658)
- Implement performance enhancements for handling systemd services. (bsc#1045658)
- Add YaST2 logs to the default list of files for System Log browser. (bsc#1049138)
- Fix the name and icon displayed for the application window. (bsc#1037891)
- Improve the logic to report if SuSEfirewall2 is selected or installed when installing
  OES using integrated media to make sure it gets properly activated. The problem would
  happen once the product is registered and manual network configuration is selected.
  (bsc#1037214)
- Fix storing device information to avoid incorrect 'not found' states when querying
  network interfaces subsequently. (bsc#956755, bsc#1061306)
- Add infrastructure to preserve existing comments in configuration files. (bsc#1064437)
- Preserve comments when editing /etc/fstab. (bsc#1064437)
- Fix starting Gnome Control Center. (bsc#1058376, bsc#1075535)
- Fixed list of the URL schemes without host and fix processing URLs with the 'hd:/' 
  scheme. (bsc#1077310)


-----------------------------------------
Patch: SUSE-2018-432
Released: Thu Mar  8 22:52:22 2018
Summary: Recommended update for yast2-drbd
Severity: low
References: 1069131,1069132
Description:
This update for yast2-drbd fixes the following issues:

- Fix error message when writing resource conf to disk (bsc#1069131, bsc#1069132)


-----------------------------------------
Patch: SUSE-2018-472
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:

libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.

libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)

zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)


-----------------------------------------
Patch: SUSE-2018-475
Released: Thu Mar 15 13:36:46 2018
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1057460,1076390,1082810,1085018,929900,955131,966304,CVE-2018-2579,CVE-2018-2582,CVE-2018-2588,CVE-2018-2599,CVE-2018-2602,CVE-2018-2603,CVE-2018-2618,CVE-2018-2633,CVE-2018-2634,CVE-2018-2637,CVE-2018-2641,CVE-2018-2657,CVE-2018-2663,CVE-2018-2677,CVE-2018-2678
Description:
This update for java-1_7_1-ibm fixes the following issues:

The version was updated to 7.1.4.20 [bsc#1082810]

* Security fixes:

  - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582
    CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603
    CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677
    CVE-2018-2663 CVE-2018-2588 CVE-2018-2579

* Defect fixes:

  - IJ04281 Class Libraries: Startup time increase after applying
              apar IV96905
  - IJ03822 Class Libraries: Update timezone information to tzdata2017c
  - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump,
              trace, log was not enabled by default
  - IJ03607 JIT Compiler: Result String contains a redundant dot when
              converted from BigDecimal with 0 on all platforms
  - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01
  - IJ04282 Security: Change in location and default of jurisdiction
              policy files
  - IJ03853 Security: IBMCAC provider does not support SHA224
  - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated
              internally
  - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated
              internally
  - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot
              specification attribute
  - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception
  - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with
              stash, JKS Chain issue and JVM argument parse issue with iKeyman
  - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE
  - IJ02284 JIT Compiler: Division by zero in JIT compiler

* SUSE fixes:

  - Make it possible to run Java jnlp files from Firefox. (bsc#1057460)

  - Fixed symlinks to policy files on update [bsc#1085018]

  - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow
    Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390]

  - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900]

  - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs
    SR 110991601735. [bsc#966304]


-----------------------------------------
Patch: SUSE-2018-498
Released: Mon Mar 19 14:10:22 2018
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1057460,1076390,1082810,1085018,929900,955131,966304,CVE-2018-2579,CVE-2018-2582,CVE-2018-2588,CVE-2018-2599,CVE-2018-2602,CVE-2018-2603,CVE-2018-2618,CVE-2018-2633,CVE-2018-2634,CVE-2018-2637,CVE-2018-2641,CVE-2018-2657,CVE-2018-2663,CVE-2018-2677,CVE-2018-2678
Description:
This update for java-1_7_1-ibm fixes the following issue:

The version was updated to 7.1.4.20 [bsc#1082810]

* Security fixes:

  - CVE-2018-2633 CVE-2018-2637 CVE-2018-2634 CVE-2018-2582
    CVE-2018-2641 CVE-2018-2618 CVE-2018-2657 CVE-2018-2603
    CVE-2018-2599 CVE-2018-2602 CVE-2018-2678 CVE-2018-2677
    CVE-2018-2663 CVE-2018-2588 CVE-2018-2579

* Defect fixes:

  - IJ04281 Class Libraries: Startup time increase after applying
              apar IV96905
  - IJ03822 Class Libraries: Update timezone information to tzdata2017c
  - IJ03605 Java Virtual Machine: Legacy security for com.ibm.jvm.dump,
              trace, log was not enabled by default
  - IJ03607 JIT Compiler: Result String contains a redundant dot when
              converted from BigDecimal with 0 on all platforms
  - IX90185 ORB: Upgrade ibmcfw.jar to version O1800.01
  - IJ04282 Security: Change in location and default of jurisdiction
              policy files
  - IJ03853 Security: IBMCAC provider does not support SHA224
  - IJ02679 Security: IBMPKCS11Impl -- Bad sessions are being allocated
              internally
  - IJ02706 Security: IBMPKCS11Impl -- Bad sessions are being allocated
              internally
  - IJ03552 Security: IBMPKCS11Impl -- Config file problem with the slot
              specification attribute
  - IJ01901 Security: IBMPKCS11Impl -- SecureRandom.setSeed() exception
  - IJ03801 Security: Issue with same DN certs, iKeyman GUI error with
              stash, JKS Chain issue and JVM argument parse issue with iKeyman
  - IJ03256 Security: javax.security.auth.Subject.toString() throws NPE
  - IJ02284 JIT Compiler: Division by zero in JIT compiler

* SUSE fixes:

  - Make it possible to run Java jnlp files from Firefox. (bsc#1057460)

  - Fixed jpackage-java-1_7_1-ibm-webstart.desktop file to allow
    Java jnlp files run from Firefox. [bsc#1057460, bsc#1076390]

  - Fix javaws segfaults when java expiration timer has elapsed. [bsc#929900]

  - Provide IBM Java updates for IBMs PMR 55931,671,760 and for SUSEs
    SR 110991601735. [bsc#966304]

  - Ensure that all Java policy files are symlinked into the proper file system
    locations. Without those symlinks, several OES iManager plugins did not
    function properly. [bsc#1085018]


-----------------------------------------
Patch: SUSE-2018-514
Released: Wed Mar 21 13:56:18 2018
Summary: Recommended update for java-1_7_1-ibm
Severity: important
References: 1085018,1085921
Description:

  This update for java-1_7_1-ibm fixes a regression in the previous update,
  where a collision of link names in the update-alternatives mechanism could
  have prevented java applications from starting.


-----------------------------------------
Patch: SUSE-2018-517
Released: Thu Mar 22 07:17:01 2018
Summary: Recommended update for openssh
Severity: moderate
References: 1048367,1048982,1051559,1061061
Description:
This update for openssh provides the following fixes:

- Enable systemd integration to work around various race conditions on reporting failures
  of the service. (bsc#1048367 bsc#1061061)
- Re-add tcpwrappers support (forward ported) that had been removed with the upgrade to
  6.6p1. Please note that tcpwrappers support will not be available in subsequent major
  releases of SUSE Linux Enterprise. (bsc#1048982)
- Fix for socket forwarding when logging in as root on server-side (bsc#1051559)



-----------------------------------------
Patch: SUSE-2018-524
Released: Thu Mar 22 11:53:28 2018
Summary: Recommended update for zypp-plugin
Severity: low
References: 1081596
Description:
This update provides the new Python 3 module for the zypp-plugin.

-----------------------------------------
Patch: SUSE-2018-542
Released: Mon Mar 26 10:38:34 2018
Summary: Security update for dhcp
Severity: moderate
References: 1083302,1083303,CVE-2018-5732,CVE-2018-5733
Description:
This update for dhcp fixes the following issues:

Security issues fixed:

- CVE-2018-5733: reference count overflow in dhcpd (bsc#1083303).
- CVE-2018-5732: buffer overflow in dhclient (bsc#1083302).


-----------------------------------------
Patch: SUSE-2018-560
Released: Wed Mar 28 16:39:25 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1082022,1085512
Description:


This update for suse-build-key fixes the following issues:

- The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512)

- A new security@suse.de E-Mail key was added (bsc#1082022)

  pub   rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14]
        Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B  BE6E 21FE 9232 2BA9 E067
  uid                             SUSE Security Team <security@suse.com>
  uid                             SUSE Security Team <security@suse.de>
  sub   rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14]



-----------------------------------------
Patch: SUSE-2018-567
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:

Security issues fixed:

- CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926).

Non-security issues fixed:

- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with
  newer Kerberos. System administrators who are experiencing this kind of compatibility
  issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value,
  and make sure the environment variable is visible and effective to the application
  startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in
  gss_indicate_mech() list. (bsc#1081725)


-----------------------------------------
Patch: SUSE-2018-573
Released: Tue Apr  3 11:59:01 2018
Summary: Security update for graphite2
Severity: moderate
References: 1084850,CVE-2018-7999
Description:
This update for graphite2 fixes the following issues:

- CVE-2018-7999: Fixed a NULL pointer dereference vulnerability in Segment.cpp that may cause a denial of serivce (bsc#1084850).


-----------------------------------------
Patch: SUSE-2018-586
Released: Wed Apr  4 11:51:00 2018
Summary: Recommended update for aaa_base
Severity: low
References: 1025743,1036895,1038549,1049577,1052182,1079674
Description:
This update for aaa_base provides the following fixes:

- Support changing PS1 even for mksh and user root. (bsc#1036895)
- Unset unused variables on profile files. (bsc#1049577)
- Unset id in csh.cshrc instead of profile.csh. (bsc#1049577)
- Allow that personal ~/.bashrc is read again. (bsc#1052182)
- Avoid that IFS becomes global in _ls ksh shell function. (bsc#1079674, bsc#1025743)
- Replace 'cat > file' by 'mv -f ... file' in pre/post to fix issues with clients
  having these files mmapped. (bsc#1038549)


-----------------------------------------
Patch: SUSE-2018-590
Released: Wed Apr  4 15:04:46 2018
Summary: Recommended update for growpart
Severity: low
References: 1064755
Description:
This update for growpart fixes the following issues:

- Add rootgrow script to wrap growpart to the Public Cloud Module.
- Ignore sfdisk failure in 2.28.1 when due to reread failing.
- Add service file to start growpart via systemd.


-----------------------------------------
Patch: SUSE-2018-594
Released: Thu Apr  5 17:22:37 2018
Summary: Security update for libidn
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issues.

This security issue was fixed:

- CVE-2017-14062: Prevent integer overflow in the decode_digit function that
  allowed remote attackers to cause a denial of service or possibly have
  unspecified other impact (bsc#1056450).


-----------------------------------------
Patch: SUSE-2018-620
Released: Wed Apr 11 14:45:40 2018
Summary: Initial release of python3-ipaddress and -pyasn1
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server and the Public Cloud 
Module:

- python3-ipaddress
- python3-pyasn1

-----------------------------------------
Patch: SUSE-2018-632
Released: Thu Apr 12 18:02:21 2018
Summary: Security update for python3
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2017-18207: Fixed possible denial of service vulnerability by adding a check to Lib/wave.py that verifies that at least one channel is provided (bsc#1083507).

Bug fixes:

- Require python-Sphinx-latex for building on Leap 42.3 or newer.


-----------------------------------------
Patch: SUSE-2018-648
Released: Mon Apr 16 17:31:50 2018
Summary: Security update for ntp
Severity: moderate
References: 1077445,1082063,1082210,1083417,1083420,1083422,1083424,1083426,CVE-2016-1549,CVE-2018-7170,CVE-2018-7182,CVE-2018-7183,CVE-2018-7184,CVE-2018-7185
Description:
This update for ntp fixes the following issues:

- Update to 4.2.8p11 (bsc#1082210):
  * CVE-2016-1549: Sybil vulnerability: ephemeral association
    attack. While fixed in ntp-4.2.8p7, there are significant
    additional protections for this issue in 4.2.8p11.
  * CVE-2018-7182: ctl_getitem(): buffer read overrun
    leads to undefined behavior and information leak. (bsc#1083426)
  * CVE-2018-7170: Multiple authenticated ephemeral
    associations. (bsc#1083424)
  * CVE-2018-7184: Interleaved symmetric mode cannot
    recover from bad state. (bsc#1083422)
  * CVE-2018-7185: Unauthenticated packet can reset
    authenticated interleaved association. (bsc#1083420)
  * CVE-2018-7183: ntpq:decodearr() can write beyond its
    buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)



-----------------------------------------
Patch: SUSE-2018-651
Released: Mon Apr 16 19:25:08 2018
Summary: Initial release of python3-cssselect, -lxml, -pycparser, -simplejson and -pycurl
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules for the SUSE Linux Enterprise Server:

- python3-cssselect
- python3-lxml
- python3-pycparser
- python3-pycurl
- python3-simplejson

-----------------------------------------
Patch: SUSE-2018-656
Released: Wed Apr 18 12:08:13 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1086729
Description:
This update provides the latest timezone information (2018d) for your system, including following changes:

- In 2018, Palestine starts DST on March 24, not March 31.
- Casey Station in Antarctica changed from +11 to +08 on
  2018-03-11 at 04:00 (bsc#1086729).
- corrections for historical transitions.


-----------------------------------------
Patch: SUSE-2018-660
Released: Thu Apr 19 08:38:02 2018
Summary: Initial release of python3-idna
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server:

- python3-idna

-----------------------------------------
Patch: SUSE-2018-727
Released: Tue Apr 24 12:50:53 2018
Summary: Initial release of python3-pyzmq
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-pyzmq

-----------------------------------------
Patch: SUSE-2018-730
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).


-----------------------------------------
Patch: SUSE-2018-733
Released: Wed Apr 25 14:15:35 2018
Summary: Security update for zsh
Severity: important
References: 1082885,1082975,1082977,1082991,1082998,1083002,1083250,1084656,1087026,896914,CVE-2014-10070,CVE-2014-10071,CVE-2014-10072,CVE-2016-10714,CVE-2017-18205,CVE-2017-18206,CVE-2018-1071,CVE-2018-1083,CVE-2018-7549
Description:
This update for zsh fixes the following issues:

  - CVE-2014-10070: environment variable injection could lead to local privilege escalation (bnc#1082885)

  - CVE-2014-10071: buffer overflow in exec.c could lead to denial of service. (bnc#1082977)

  - CVE-2014-10072: buffer overflow In utils.c when scanning 
very long directory paths for symbolic links. (bnc#1082975)

  - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in 
undersized buffers that were intended to support PATH_MAX characters. (bnc#1083250)

  - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a NULL pointer dereference 
could lead to denial of service (bnc#1082998)

  - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to denial of service. (bnc#1084656)
 
  - CVE-2018-1083: Autocomplete vulnerability could lead to privilege escalation. (bnc#1087026)

  - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, 
as demonstrated by typeset -p. (bnc#1082991)
  
  - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of service (bnc#1083002)
    
  - Autocomplete and REPORTTIME broken (bsc#896914)



-----------------------------------------
Patch: SUSE-2018-735
Released: Wed Apr 25 14:16:36 2018
Summary: Recommended update for LibreOffice
Severity: low
References: 1042829,1077375,1080249,1083213,1083993,1088662,1089124,CVE-2017-9432,CVE-2017-9433,CVE-2018-1055,CVE-2018-6871
Description:

LibreOffice was updated to version 6.0.3.

Following new features were added:

- The Notebookbar, although still an experimental feature, has been
  enriched with two new variants: Grouped Bar Full for Writer, Calc and
  Impress, and Tabbed Compact for Writer. The Special Characters dialog
  has been reworked, with the addition of lists for Recent and Favorite
  characters, along with a Search field. The Customize dialog has also
  been redesigned, and is now more modern and intuitive.
- In Writer, a Form menu has been added, making it easier to access one
  of the most powerful – and often unknown – LibreOffice features: the
  ability to design forms, and create standards-compliant PDF forms. The
  Find toolbar has been enhanced with a drop-down list of search types, to
  speed up navigation. A new default table style has been added, together
  with a new collection of table styles to reflect evolving visual trends.
- The Mail Merge function has been improved, and it is now possible to
  use either a Writer document or an XLSX file as data source.
- In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have
  been added, to improve support for the ISO standard format. Also, a
  cell range selection or a selected group of shapes (images) can be now
  exported in PNG or JPG format.
- In Impress, the default slide size has been switched to 16:9, to support
  the most recent form factors of screens and projectors. As a consequence,
  10 new Impress templates have been added, and a couple of old templates
  have been updated.

Changes in components:

- The old WikiHelp has been replaced by the new Help Online system, with
  attractive web pages that can also be displayed on mobile devices. In
  general, LibreOffice Help has been updated both in terms of contents and
  code, with other improvements due all along the life of the LibreOffice
  6 family.
- User dictionaries now allow automatic affixation or compounding. This
  is a general spell checking improvement in LibreOffice which can speed
  up work for Writer users. Instead of manually handling several forms of a
  new word in a language with rich morphology or compounding, the Hunspell
  spell checker can automatically recognize a new word with affixes or
  compounds, based on a “Grammar By” model.

Security features and changes:

- OpenPGP keys can be used to sign ODF documents on all desktop operating
  systems, with experimental support for OpenPGP-based encryption. To enable
  this feature, users will have to install the specific GPG software for
  their operating systems.

- Document classification has also been improved, and allows multiple
  policies (which are now exported to OOXML files). In Writer, marking
  and signing are now supported at paragraph level.

Interoperability changes:

- OOXML interoperability has been improved in several areas: import of
  SmartArt and import/export of ActiveX controls, support of embedded text
  documents and spreadsheets, export of embedded videos to PPTX, export
  of cross-references to DOCX, export of MailMerge fields to DOCX, and
  improvements to the PPTX filter to prevent the creation of broken files.
- New filters for exporting Writer documents to ePub and importing
  QuarkXPress files have also been added, together with an improved filter
  for importing EMF+ (Enhanced Metafile Format Plus) files as used by
  Microsoft Office documents. Some improvements have also been added
  to the ODF export filter, making it easier for other ODF readers to
  display visuals.

The full blog entry for the 6.0 release can be found here:

	https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/

The full release notes can be found here:

	https://wiki.documentfoundation.org/ReleaseNotes/6.0

The libraries that LibreOffice depends on also have been udpated to their current versions.
  

-----------------------------------------
Patch: SUSE-2018-736
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:

Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search.
  (bsc#1086602)
- Also make use of suggests for ordering packages. (bsc#1077635)
- Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
- Use license tag instead of doc in the spec file. (bsc#1082318)

Changes in libzypp:
- Make sure the product file comes from /etc/products.d for the fallback product search.
  (bsc#1086602)
- Fix a memory leak in Digest.cc. (bsc#1075978)
- Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s`
  messages. (bsc#1079991)


-----------------------------------------
Patch: SUSE-2018-739
Released: Wed Apr 25 16:52:10 2018
Summary: Recommended update for supportutils
Severity: important
References: 1069457
Description:

This update for supportutils fixes the following issues:

- correctly detect CaaS Platforms docker installation (bsc#1069457)


-----------------------------------------
Patch: SUSE-2018-743
Released: Thu Apr 26 15:40:28 2018
Summary: Initial release of python3-psutil and -pycrypto
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 modules:

- python3-psutil
- python3-pycrypto

-----------------------------------------
Patch: SUSE-2018-749
Released: Thu Apr 26 19:23:14 2018
Summary: Recommended update for nfs-utils
Severity: low
References: 1017909,1040968,1053691
Description:

This update for nfs-utils provides the following fixes:

- Fix nfs-client's service dependency so that when YaST restarts 'nfs' the action
  is propagated to 'nfs-client' as well. (bsc#1053691)
- Allow umount to work when NFS server is down. (bsc#1040968)
- Fix exit code of nfsstat(8). (bsc#1017909)


-----------------------------------------
Patch: SUSE-2018-759
Released: Mon Apr 30 12:03:07 2018
Summary: Recommended update for Salt
Severity: moderate
References: 1072973,1079398,1085635
Description:

This update for salt fixes the following issues:

- Make module result usable in states module.run. (bsc#1085635)
- Fix Augeas module 'stripped quotes' issue. (bsc#1079398)
- Fix logging with FQDNs.
- Explore 'module.run' state module output in depth to catch the
  'result' properly.
- Fix x509 unit test to run on 2016.11.4 version.
- Fix TypeError, thrown by M2Crypto on missing fields. (bsc#1072973)


-----------------------------------------
Patch: SUSE-2018-769
Released: Tue May  1 20:38:36 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1082130,1083945,1087932
Description:

This update for the system compiler gcc48 fixes the following issues:

- Support for generating IBM Z series Spectre Variant 2 fix method 'expolines' was added (bsc#1083945)
- A miscompilation of SPECcpu2017 526.blender was fixed. (bsc#1082130)
- ARM Arch64 Cortex-A53 errata 843419 and 835769 were enabled by default, which could have lead
  to crashes of built binaries. (bsc#1087932)

  

-----------------------------------------
Patch: SUSE-2018-771
Released: Wed May  2 08:02:43 2018
Summary: Security update for corosync
Severity: important
References: 1066585,1083561,1089346,CVE-2018-1084
Description:
This update for corosync fixes the following issue:
- CVE-2018-1084: Integer overflow in totemcrypto:authenticate_nss_2_3() could lead to command execution (bsc#1089346)
- Providing an empty uid or gid results in coroparse adding uid 0. (bsc#1066585)
- Fix a problem with configuration file incompatibilities that was causing corosync to not
  work after upgrading from SLE-11-SP4-HA to SLE-12/15-HA. (bsc#1083561)


-----------------------------------------
Patch: SUSE-2018-778
Released: Wed May  2 22:15:23 2018
Summary: Recommended update for sapconf
Severity: moderate
References: 1026862,1031073,1032516,1048550,1064720,1070386,1070390,1070494,1070495,1070496,1070503,1070506,1070508,1071539,1087455
Description:
This update for sapconf provides the following fixes:

- Refactoring sapconf parameter settings together with SAP Linux Lab. (fate#324491)
  ATTENTION: One main feature of this sapconf package update is a consolidation of all
  sapconf configuration settings into the central /etc/sysconfig/sapconf configuration
  file (except those settings related to ASE or BOBJ and those settings which can only
  be set via tuned.conf). This will result in a lot of configuration file changes concerning
  the following files:
  * /etc/sysconfig/sapconf
  * /etc/sysconfig/sapnote-1557506
  * /usr/lib/tuned/sap-netweaver/tuned.conf
  * /usr/lib/tuned/sap-hana/tuned.conf.
  This means that your system configuration will be changed after a restart of tuned or
  during a system reboot. Please read carefully the following information about configuration
  file handling before restarting tuned or rebooting the system. (bsc#1070508)

- The configuration file handling during the package installation has changed (bsc#1070496,
  bsc#1070508):
  * During an initial package installation the new sysconfig file, which includes the
    pagecache values from the former file sapnote-1557506 are copied to /etc/sysconfig/sapconf
    and the changes will take effect immediately after the package installation.
  * During a package update, previously created /etc/sysconfig files will exist. The file
    /etc/sysconfig/sapconf is saved to /etc/sysconfig/sapconf.rpmsave and the new sysconfig
    file is copied to /etc/sysconfig.
  * If the pagecache handling is enabled in the file /etc/sysconfig/sapnote-1557506, the
    values from this file are copied to /etc/sysconfig/sapconf and the obsolete file
    /etc/sysconfig/sapnote-1557506 is removed. The changes will take effect immediately
    after the package installation.
  * If the file /etc/sysconfig/sapconf.rpmsave exists and contains system specific
    modifications, please check after the package installation and merge these changes
    manually into /etc/sysconfig/sapconf.
  * Remove the file /etc/sysconfig/sapconf.rpmsave before you restart the sapconf service
    to get the changes take effect.

- Add a systemd unit file sapconf.service to start tuned, uuidd.socket and sysstat during
  system boot and after initial package installation and to restart tuned during package
  update so that the changes will take effect immediately. (fate#325471, bsc#1087455)

- Check if pagecache limit is available at the system and if yes, set pagecache limit
  according to the settings in /etc/sysconfig/sapconf. If not, write a message to the log
  file. (bsc#1071539, fate#323778)

- Use the same tuning values for HANA and Netweaver workloads. That means the use of the
  same tuned.conf and script.sh file for both profiles (sap-hana and sap-netweaver). This
  should lead to a better base for mixed HANA and ABAB workloads on one system. (bsc#1070508)

- The pagecache configuration is now integrated in the general sapconf sysconfig file and
  the old sysconfig file sapnote-1557506 is obsolete. As before pagecache handling is
  disabled by default.

- The following parameters are additionally specified (instead of static tuning inside
  the tuning script or defined in other configuration files like tuned.conf or
  sapnote-1557506) or changed in the central configuration file /etc/sysconfig/sapconf
  (bsc#1070494, bsc#1070495, bsc#1070496, bsc#1070508):
  * vm.max_map_count, vm.dirty_bytes, vm.dirty_background_bytes, kernel.shmmni,
    net.ipv4.tcp_slow_start_after_idle, ksm, transparent_hugepages, numa_balancing: parameters
    added and value changed.
  * vm.pagecache_limit_ignore_dirty, vm.pagecache_limit_mb: parameters added and commented out
  * kernel.shmall, kernel.shmmax, kernel.sem: parameters changed.
  But keep in mind: higher system value will ever remain unchanged. sapconf will respect
  higher values set by the system or by the administrator using sysctl configuration files.
  Values set with sysctl command will respect too, but they will not survive a system
  reboot. Every tuning action is logged to /var/log/sapconf.log

- The following parameters were specified in tuned.conf of profile sap-hana and/or
  sap-netweaver before but were removed from tuned.conf because they are redundant, not
  mentioned in any SAP Note, replaced by another parameter, moved to another configuration
  file or commented out, or because they are only valid for a special architecture or
  special tasks (like the [cpu] part was only valid for Intel architecture and only
  performance related):
  * vm.swappiness, kernel.sched_min_granularity_ns, kernel.sched_wakeup_granularity_ns,
    readahead: parameters removed.
  * [cpu] section with governor, energy_perf_bias, min_perf_pct: parameters commented out.
  * vm.dirty_ratio, vm.dirty_background_ratio: parameters removed from tuned.conf, replaced
    by vm.dirty_bytes, vm.dirty_background_bytes defined in sysconfig/sapconf.
  * kernel.sem, net.ipv4.tcp_slow_start_after_idle, transparent_hugepages: parameters moved
    to sysconfig/sapconf.
  ATTENTION: these changes will take effect immediately after
  restarting tuned.  Unless the administrator is using a custom copy of the tuned.conf
  file in /etc/tuned/<profile> (where <profile> may be sap-hana or sap-netweaver)
  to set own or changed values, the tuned.conf files in /etc/tuned/<profile> remain
  untouched during package installation. To get the new behavior SAP recommends, remove
  the profile copy from /etc/tuned or copy the new tuned.conf file from /usr/lib/tuned/<profile>
  to /etc/tuned/<profile> or compare the files in /etc/tuned/<profile> with
  the files in /usr/lib/tuned/<profile> manually and adjust the content, if needed.
  (bsc#1070494, bsc#1070495, bsc#1070496, bsc#1070503, bsc#1048550, bsc#1064720)

- Setting of UserTasksMax, a parameter of the systemd login manager, will be done in the
  post script during the package installation. The value is set to 'infinity'.
  NOTE: A reboot is needed after the first setup to get the changes to take effect. A
  message will indicate if a reboot is necessary. As before there is no automatic rollback.
  (bsc#1070386)

- Enable and start sysstat service during post script of the package installation (see
  SAP Note 1310037). (bsc#1070390)

- Add package requirements including a short description to the man page of sapconf and to
  the central configuration file /etc/sysconfig/sapconf. (bsc#1070390)

- Update the sapconf man page and associated man pages to reflect all the changes of this
  sapconf version. (bsc#1070506)

- Respect active tuned profile during reboot of the system even if it is not a 'sap' profile.
  sapconf only activates sap-netweaver profile by default, if NO tuned profile is actually
  set. (bsc#1026862)

- Re-insert 'elevator=noop' to tuned.conf of profile sap-hana and sap-netweaver.
  (bsc#1031073, bsc#1032516, bsc#1070494)

- sapconf will set ALL values specified in the file /etc/sysconfig/sapconf irrespective of
  the current system value. The values will not only be increased, but also decreased if
  the value in the sysconfig file is lower than the current system value. All actions are
  logged to /var/log/sapconf.log. (fate#325547)

- Change variable names in sysconfig file to avoid confusion. (bsc#1070495)

- Remove unnecessary TMPFS_SIZE_MIN from sysconfig file. (bsc#1070496)


-----------------------------------------
Patch: SUSE-2018-779
Released: Wed May  2 22:16:26 2018
Summary: Recommended update for rpm
Severity: low
References: 1003714,1027925,1069934
Description:

This update for rpm provides the following fixes:

- Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
- Add %sle_version macro to suse_macros. (bsc#1003714)
- Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1
  if the first version is less than, equal or greater than the second version respectively.
- Added a %pkg_version macro that accepts a package or capability name as argument and
  returns the version number of the installed package. If no package provides the argument,
  it returns the string '~~~'.
- Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name
  or provided capability name, the second argument is an operator ( < <= = >= > != )
  and the third parameter is a version string to be compared to the installed version of
  the first argument.
- Added a %pkg_version_cmp macro which accepts a package or capability name as first argument
  and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values
  have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package
  or capability can't be found. (bsc#1069934)


-----------------------------------------
Patch: SUSE-2018-796
Released: Fri May  4 18:32:49 2018
Summary: Recommended update for cluster-glue
Severity: low
References: 1050908,1059171
Description:
This update for cluster-glue provides the following fix:

- stonith: Make sure a Reset can continue even if one of the nodes is already off by
  returning success with RESETPOWERON=0. (bsc#1050908)
- stonith:external/ec2: Enforce en_US.UTF-8 locale when invoking aws client. (bsc#1059171)


-----------------------------------------
Patch: SUSE-2018-797
Released: Mon May  7 07:07:38 2018
Summary: Recommended update for gcc7
Severity: important
References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930
Description:

  
This update for gcc7 to 7.3 release fixes the following issues:

- Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
- The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
- Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
- Update includes a fix for chromium build failure.  [bsc#1083290]
- Various AArch64 compile fixes are included:

  * Picks fix to no longer enable -mpc-relative-literal-loads by default
    with --enable-fix-cortex-a53-843419.
  * Enable --enable-fix-cortex-a53-843419 for aarch64.  [bsc#1084812] [bsc#1087930]
  * Enable --enable-fix-cortex-a53-835769 for aarch64.
  * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667]
  * Fixed bogus stack probe instruction on ARM. [bsc#1068967]

- Revert the ios_base::failure ABI back to compatible behavior with the default ABI.  [bsc#1087550]

- Fix nvptx offload target compiler install so GCC can pick up
  required files.  Split out the newlib part into cross-nvptx-newlib7-devel
  and avoid conflicts with GCC 8 variant via Provides/Conflicts
  of cross-nvptx-newlib-devel.



-----------------------------------------
Patch: SUSE-2018-801
Released: Mon May  7 12:59:12 2018
Summary: Initial release of python3-msgpack-python
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-msgpack-python


-----------------------------------------
Patch: SUSE-2018-806
Released: Tue May  8 12:31:07 2018
Summary: Initial release of python3-MarkupSafe
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-MarkupSafe


-----------------------------------------
Patch: SUSE-2018-807
Released: Tue May  8 12:33:03 2018
Summary: Initial release of python3-Jinja2
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-Jinja2


-----------------------------------------
Patch: SUSE-2018-810
Released: Tue May  8 17:20:51 2018
Summary: Initial release of python3-PyYAML
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-PyYAML

-----------------------------------------
Patch: SUSE-2018-822
Released: Wed May  9 14:01:33 2018
Summary: Security update for tiff
Severity: moderate
References: 1046077,1074318,1081690,CVE-2017-17973,CVE-2017-9935,CVE-2018-5784
Description:
This update for tiff fixes the following issues:

- CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077)
- CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
- CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690)



-----------------------------------------
Patch: SUSE-2018-836
Released: Wed May  9 19:59:30 2018
Summary: Security update for cairo
Severity: moderate
References: 1049092,CVE-2017-9814
Description:
This update for cairo fixes the following issues:

  - CVE-2017-9814: out-of-bounds read in cairo-truetype-subset.c could lead to denial of service (bsc#1049092).


-----------------------------------------
Patch: SUSE-2018-905
Released: Mon May 14 15:17:39 2018
Summary: Recommended update for yast2-sap-scp-prodlist
Severity: moderate
References: 1086473,1086474
Description:
This update for yast2-sap-scp-prodlist updates the product list with the following changes:

- Add ArchGlobal's Floe. (bsc#1086473)
- Remove SEP products. (bsc#1086474)


-----------------------------------------
Patch: SUSE-2018-906
Released: Mon May 14 15:18:26 2018
Summary: Recommended update for binutils
Severity: moderate
References: 1075418
Description:
This update for binutils fixes the following issues:

- Fix pacemaker libqb problem with section start/stop symbols. (bsc#1075418)


-----------------------------------------
Patch: SUSE-2018-910
Released: Tue May 15 12:21:24 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073299
Description:
This update provides the latest timezone information (2018e) for your system, including following changes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST
  offset to standard time used in Winter (bsc#1073299)


-----------------------------------------
Patch: SUSE-2018-919
Released: Tue May 15 16:30:21 2018
Summary: Initial release of python3-tornado
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-tornado


-----------------------------------------
Patch: SUSE-2018-920
Released: Tue May 15 16:32:16 2018
Summary: Initial release of python3-setuptools
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module:

- python3-setuptools


-----------------------------------------
Patch: SUSE-2018-921
Released: Tue May 15 16:33:18 2018
Summary: Initial release of python3-cffi, -cryptography and -pyOpenSSL
Severity: low
References: 1073879
Description:
This update provides the following new Python 3 module for the SUSE Linux Enterprise Server:

- python3-cffi
- python3-cryptography
- python3-pyOpenSSL

-----------------------------------------
Patch: SUSE-2018-932
Released: Wed May 16 21:16:38 2018
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1048025,1089316
Description:
This update for polkit-default-privs fixes the following issues:

- added new realmd action (bsc#1048025 bsc#1089316).


-----------------------------------------
Patch: SUSE-2018-957
Released: Tue May 22 15:14:05 2018
Summary: Security update for wget
Severity: moderate
References: 1092061,CVE-2018-0494
Description:
This update for wget fixes the following issues:

- CVE-2018-0494: Fixed a cookie injection vulnerability by checking for
  and joining continuation lines. (bsc#1092061)



-----------------------------------------
Patch: SUSE-2018-964
Released: Tue May 22 18:31:29 2018
Summary: Security update for python
Severity: moderate
References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in
  heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664).
- CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same
  I/O stream concurrently (bsc#1079300).


-----------------------------------------
Patch: SUSE-2018-970
Released: Wed May 23 16:44:49 2018
Summary: Recommended update for hwinfo
Severity: important
References: 1072450,1078511
Description:
This update for hwinfo provides the following fixes:

- Detect usb controller in ARM platform devices. (bsc#1072450)
- Add more sanity checking on scsi serial id. (bsc#1078511)
- Make CDBISDN_DATE ignore timezone.


-----------------------------------------
Patch: SUSE-2018-971
Released: Wed May 23 16:45:19 2018
Summary: Recommended update for aaa_base
Severity: important
References: 1088524
Description:
This update for aaa_base fixes a regression which was introduced within the latest maintenance update
  cycle, where customized profiles were not sourced properly. (bsc#1088524)

-----------------------------------------
Patch: SUSE-2018-977
Released: Wed May 23 17:14:16 2018
Summary: Security update for bash
Severity: moderate
References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543
Description:
This update for bash fixes the following issues:

Security issues fixed:

- CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299)
- CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

Non-security issues fixed:

- Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an
  external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)


-----------------------------------------
Patch: SUSE-2018-979
Released: Wed May 23 19:52:26 2018
Summary: Security update for icu
Severity: moderate
References: 1034674,1034678,1067203,1072193,1077999,1087932,929629,990636,CVE-2014-8146,CVE-2014-8147,CVE-2016-6293,CVE-2017-14952,CVE-2017-15422,CVE-2017-17484,CVE-2017-7867,CVE-2017-7868
Description:
icu was updated to fix two security issues.

These security issues were fixed:
- CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) used an integer data type
  that is inconsistent with a header file, which allowed remote attackers
  to cause a denial of service (incorrect malloc followed by invalid free)
  or possibly execute arbitrary code via crafted text (bsc#929629).
- CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c
  in the Unicode Bidirectional Algorithm implementation in ICU4C in
  International Components for Unicode (ICU) did not properly track
  directionally isolated pieces of text, which allowed remote attackers
  to cause a denial of service (heap-based buffer overflow) or possibly
  execute arbitrary code via crafted text (bsc#929629).
- CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in
  common/uloc.cpp in International Components for Unicode (ICU) for C/C++
  did not ensure that there is a '\0' character at the end of a certain
  temporary array, which allowed remote attackers to cause a denial of
  service (out-of-bounds read) or possibly have unspecified other impact
  via a call with a long httpAcceptLanguage argument (bsc#990636).
- CVE-2017-7868: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_moveIndex32* function (bsc#1034674)
- CVE-2017-7867: International Components for Unicode (ICU) for C/C++
  2017-02-13 has an out-of-bounds write caused by a heap-based buffer
  overflow related to the utf8TextAccess function in common/utext.cpp and
  the utext_setNativeIndex* function (bsc#1034678)
- CVE-2017-14952: Double free in i18n/zonemeta.cpp in International
  Components for Unicode (ICU) for C/C++ allowed remote attackers to
  execute arbitrary code via a crafted string, aka a 'redundant UVector
  entry clean up function call' issue (bnc#1067203)
- CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp
  in International Components for Unicode (ICU) for C/C++ mishandled
  ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allowed remote
  attackers to cause a denial of service (stack-based buffer overflow
  and application crash) or possibly have unspecified other impact via a
  crafted string, as demonstrated by ZNC  (bnc#1072193)
- CVE-2017-15422: An integer overflow in icu during persian calendar
  date processing could lead to incorrect years shown (bnc#1077999)



-----------------------------------------
Patch: SUSE-2018-982
Released: Fri May 25 15:05:15 2018
Summary: Security update for jasper
Severity: low
References: 1087020,CVE-2018-9055
Description:
This update for jasper fixes the following issues:

   - CVE-2018-9055: denial of service via
      a reachable assertion in the function jpc_firstone in
      libjasper/jpc/jpc_math.c could lead to denial of service. (bsc#1087020)


-----------------------------------------
Patch: SUSE-2018-998
Released: Tue May 29 11:35:50 2018
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1081065
Description:
This update provides the latest PCI ID definitions for pciutils-ids (bsc#1081065)

-----------------------------------------
Patch: SUSE-2018-999
Released: Tue May 29 11:36:06 2018
Summary: Recommended update for javapackages-tools
Severity: moderate
References: 1090920
Description:
This update for javapackages-tools fixes the following issues:

- Fix a wrong usage of popd (bsc#1090920)


-----------------------------------------
Patch: SUSE-2018-1004
Released: Wed May 30 02:30:19 2018
Summary: Recommended update for sysstat
Severity: low
References: 1059694,1082880
Description:
This update for sysstat provides the following fix:

- Fixed a bug that gives values of ifutil larger than 100% for NIC's 
  with speeds >= 10 Gbit/s. (bsc#1059694)
- Read uptime from /proc/uptime instead of from /proc/stat. (bsc#1082880)


-----------------------------------------
Patch: SUSE-2018-1022
Released: Mon Jun  4 17:35:43 2018
Summary: Security update for xdg-utils
Severity: moderate
References: 1093086,CVE-2017-18266
Description:
This update for xdg-utils fixes the following issues:

Security issue:

- CVE-2017-18266: Fix an argument injection when BROWSER contains %s (bsc#1093086).


-----------------------------------------
Patch: SUSE-2018-1028
Released: Tue Jun  5 13:20:44 2018
Summary: Recommended update for pam
Severity: low
References: 1089884
Description:
This update for pam fixes the following issues:

- Fix order of accessed configuration files in man page. (bsc#1089884)


-----------------------------------------
Patch: SUSE-2018-1031
Released: Tue Jun  5 15:17:32 2018
Summary: Recommended update for ha-cluster-bootstrap
Severity: moderate
References: 1050427
Description:
This update for ha-cluster-bootstrap provides the following fix:

- Recommend sbd, resource-agents and fence-agents. (bsc#1050427)


-----------------------------------------
Patch: SUSE-2018-1082
Released: Thu Jun  7 12:58:56 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1073879,1080078,964063
Description:
This update for rpm fixes the following issues:

- Backport support for no_recompute_build_ids macro. (bsc#964063)
- Fix code execution when evaluating common python-related macros. (bsc#1080078)

Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server.


-----------------------------------------
Patch: SUSE-2018-1091
Released: Thu Jun  7 14:25:14 2018
Summary: Recommended update for cloud-init
Severity: moderate
References: 1069635,1072811,1080595,1084509,1084749,1085787,1089824,1092637,1093501,997614
Description:

This update for cloud-init provides the following:

- Fix for 'failed run' when a stage does not contain any modules in the latest version of cloud-init (bnc#1092637)
- Issue with ntp fixed (bnc#1084509)
- Update to version 18.2 (bsc#1092637, bsc#1084509)
- Update to version 18.1 (bsc#1085787, bsc#1084749)
- Fix logfile permission settings (bsc#1080595)
- drop dependency on boto (only used in examples, and
  should really be ported to botocore/boto3 instead)
- Update to version 17.2 (bsc#1069635, bsc#1072811)
- Make builds reproducible (bsc#1069635)
- Fix for a failure to recognize NoCloud datasource on boot (bnc#1093501)
- Fix for an issue with /etc/os-release (bnc#997614)



-----------------------------------------
Patch: SUSE-2018-1112
Released: Mon Jun 11 10:54:32 2018
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1094271
Description:
This update for cloud-netconfig fixes the following issues:

- Make interface names in Azure persistent. (bsc#1094271)


-----------------------------------------
Patch: SUSE-2018-1141
Released: Fri Jun 15 13:41:08 2018
Summary: Security update for gpg2
Severity: important
References: 1096745,CVE-2018-12020
Description:
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and
  verification actions, which allowed remote attackers to spoof the output that
  GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'
  option (bsc#1096745)


-----------------------------------------
Patch: SUSE-2018-1144
Released: Fri Jun 15 19:19:29 2018
Summary: Recommended update for logrotate
Severity: moderate
References: 1093617
Description:
This update for logrotate provides the following fix:

- Ensure the HOME environment variable is set to /root when logrotate is started via
  systemd. This allows mariadb to rotate its logs when the database has a root password
  defined. (bsc#1093617)


-----------------------------------------
Patch: SUSE-2018-1153
Released: Mon Jun 18 22:04:14 2018
Summary: Recommended update for reiserfs
Severity: low
References: 1094401
Description:
This update for reiserfs provides the following fix:

- Move libreiserfscore.so.0 into the libreiserfscore0 package. (bsc#1094401)


-----------------------------------------
Patch: SUSE-2018-1156
Released: Tue Jun 19 15:10:45 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1157
Released: Tue Jun 19 15:31:48 2018
Summary: Security update for salt
Severity: moderate
References: 1059291,1061407,1062464,1064520,1075950,1079048,1081592,1087055,1087278,1087581,1087891,1088888,1089112,1089362,1089526,1090242,1091371,1092161,1092373,1094055,1097174,1097413,CVE-2017-14695,CVE-2017-14696
Description:
This update for salt provides version 2018.3 and brings many fixes and improvements:

- Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413)
- Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt
- Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn
- Prevent zypper from parsing repo configuration from  not .repo files (bsc#1094055)
- Collect all versions of installed packages on SUSE and RHEL  systems (bsc#1089526)
- No more AWS EC2 rate limitations in salt-cloud. (bsc#1088888)
- MySQL returner now also allows to use Unix sockets. (bsc#1091371)
- Do not override jid on returners, only sending back to master. (bsc#1092373)
- Remove minion/thin/version if exists to force thin regeneration. (bsc#1092161)
- Fix minion scheduler to return a 'retcode' attribute. (bsc#1089112)
- Fix for logging during network interface querying. (bsc#1087581)
- Fix rhel packages requires both net-tools and iproute. (bsc#1087055)
- Fix patchinstall on yum module. Bad comparison. (bsc#1087278)
- Strip trailing commas on Linux user's GECOS fields. (bsc#1089362)
- Fallback to PyMySQL. (bsc#1087891)
- Fix for [Errno 0] Resolver Error 0 (no error). (bsc#1087581)
- Add python-2.6 support to salt-ssh.
- Make it possible to use docker login, pull and push from module.run and detect errors.
- Fix unicode decode error with salt-ssh.
- Fix cp.push empty file. (bsc#1075950)
- Fix grains containing trailing '\n'.
- Remove salt-minion python2 requirement when python3 is default. (bsc#1081592)
- Restoring installation of packages for Rhel 6 and 7.
- Prevent queryformat pattern from expanding. (bsc#1079048)
- Fix for delete_deployment in Kubernetes module. (bsc#1059291)
- Fix bsc#1062464 and CVE-2017-14696 already included in 2017.7.2.
- Fix wrong version reported by Salt. (bsc#1061407)
- Run salt-api as user salt. (bsc#1064520)

For a detailed description, please refer to the upstream-changelog at 
https://docs.saltstack.com/en/latest/topics/releases/index.html or to the
rpm-changelog.

supportutils-plugin-salt:

- Collect salt-api, salt-broker and salt-ssh log files (bsc#1090242)
 

-----------------------------------------
Patch: SUSE-2018-1185
Released: Wed Jun 20 14:41:54 2018
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1085449,1093311,CVE-2018-1417,CVE-2018-2783,CVE-2018-2790,CVE-2018-2794,CVE-2018-2795,CVE-2018-2796,CVE-2018-2797,CVE-2018-2798,CVE-2018-2799,CVE-2018-2800,CVE-2018-2814
Description:


IBM Java was updated to 7.1.4.25 [bsc#1093311, bsc#1085449]:

Security fixes:

- CVE-2018-2814 CVE-2018-2794 CVE-2018-2783 CVE-2018-2799
  CVE-2018-2798 CVE-2018-2797 CVE-2018-2796 CVE-2018-2795
  CVE-2018-2800 CVE-2018-2790 CVE-2018-1417


-----------------------------------------
Patch: SUSE-2018-1188
Released: Wed Jun 20 15:46:10 2018
Summary: Security update for ntp
Severity: moderate
References: 1077445,1082063,1082210,1083417,1083420,1083422,1083424,1083426,CVE-2016-1549,CVE-2018-7170,CVE-2018-7182,CVE-2018-7183,CVE-2018-7184,CVE-2018-7185
Description:
This update for ntp fixes the following issues:

- Update to 4.2.8p11 (bsc#1082210):
  * CVE-2016-1549: Sybil vulnerability: ephemeral association
    attack. While fixed in ntp-4.2.8p7, there are significant
    additional protections for this issue in 4.2.8p11.
  * CVE-2018-7182: ctl_getitem(): buffer read overrun
    leads to undefined behavior and information leak. (bsc#1083426)
  * CVE-2018-7170: Multiple authenticated ephemeral
    associations. (bsc#1083424)
  * CVE-2018-7184: Interleaved symmetric mode cannot
    recover from bad state. (bsc#1083422)
  * CVE-2018-7185: Unauthenticated packet can reset
    authenticated interleaved association. (bsc#1083420)
  * CVE-2018-7183: ntpq:decodearr() can write beyond its
    buffer limit.(bsc#1083417)
- Don't use libevent's cached time stamps in sntp. (bsc#1077445)

This update is a reissue of the previous update with LTSS channels included.


-----------------------------------------
Patch: SUSE-2018-1193
Released: Wed Jun 20 18:48:16 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1233
Released: Wed Jun 27 12:45:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1007276,1074317,1082332,1082825,1086408,1092949,974621,CVE-2016-3632,CVE-2016-8331,CVE-2017-11613,CVE-2017-13726,CVE-2017-18013,CVE-2018-10963,CVE-2018-7456,CVE-2018-8905
Description:
This update for tiff fixes the following issues:

These security issues were fixed:

- CVE-2017-18013: There was a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash.  (bsc#1074317)
- CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.  (bsc#1092949)
- CVE-2018-7456: Prevent a NULL Pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825)
- CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332)
- CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408)
- CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality (bsc#1007276)
- CVE-2016-3632: The _TIFFVGetField function allowed remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image (bsc#974621)


-----------------------------------------
Patch: SUSE-2018-1242
Released: Thu Jun 28 13:44:16 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-1260
Released: Tue Jul  3 10:54:20 2018
Summary: Recommended update for sysstat
Severity: moderate
References: 1089883
Description:
This update for sysstat provides the following fix:

- Apply backported upstream patches to fix bogus CPU measurements. (bsc#1089883)


-----------------------------------------
Patch: SUSE-2018-1290
Released: Sat Jul  7 00:29:17 2018
Summary: Recommended update for sysstat
Severity: important
References: 1089883
Description:

This update for sysstat reverts the fixes from the previous updates since they may cause
some output to be invalid or corrupt. (bsc#1089883)


-----------------------------------------
Patch: SUSE-2018-1322
Released: Fri Jul 13 09:26:04 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1074462,CVE-2017-1000422
Description:
This update for gdk-pixbuf fixes the following security issue:

- CVE-2017-1000422: Prevent several integer overflow in the gif_get_lzw
  function resulting in memory corruption and potential code execution
  (bsc#1074462).


-----------------------------------------
Patch: SUSE-2018-1328
Released: Tue Jul 17 08:07:57 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1344
Released: Wed Jul 18 10:31:11 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1043311,1046681,1051797,1069457,1071545
Description:
This update for supportutils fixes the following issues:

- Added only cpu0 with sched_domain info
- Added missed sched_domain to blacklist
- Blacklisted sched_domain from proc.txt (bsc#1046681)
- Added kdumptool calibrate to crash.txt
- Added tuned feature OPTION_TUNED tuned.txt (bsc#1071545)
- Fixed udev service reference (bsc#1051797)
- Fixed device error with sfdisk (bsc#1043311)
- Fixed docker package detection (bsc#1069457)

-----------------------------------------
Patch: SUSE-2018-1352
Released: Thu Jul 19 09:47:01 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1375
Released: Mon Jul 23 10:51:02 2018
Summary: Security update for rsyslog
Severity: moderate
References: 935393,CVE-2015-3243
Description:
This update for rsyslog fixes the following issues:

The following security vulnerability was addressed:

CVE-2015-3243: Make sure that log files are not created world-readable (bsc#935393)


-----------------------------------------
Patch: SUSE-2018-1376
Released: Mon Jul 23 10:54:47 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1410
Released: Fri Jul 27 06:46:37 2018
Summary: Recommended update for SAPHanaSR
Severity: moderate
References: 1062267,1091074
Description:
This update for SAPHanaSR provides the following fixes:

- Remove show_SAPHanaSR_attributes. The user is advised to use SAPHanaSR-showAttr instead.
  (bsc#1091074)
- SAPHanaTopology: Use a stricter match for system replication 'mode' in awk.
- Adjust HAWK2 Wizards to run on both Python 2 and 3. (fate#323526)
- SAPHanaSR wizard sets IPAddr2 agent's NIC to eth0. (bsc#1062267)


-----------------------------------------
Patch: SUSE-2018-1413
Released: Fri Jul 27 12:41:13 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1415
Released: Fri Jul 27 12:45:43 2018
Summary: Security update for mutt
Severity: important
References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534,CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Description:
This update for mutt fixes the following issues:

Security issues fixed:

- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).

Bug fixes:

- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)


-----------------------------------------
Patch: SUSE-2018-1450
Released: Mon Jul 30 10:10:45 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1452
Released: Mon Jul 30 18:10:29 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1053417,CVE-2015-4491
Description:
This update for gdk-pixbuf fixes the following issues:

Security issue fixed:

- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).


-----------------------------------------
Patch: SUSE-2018-1468
Released: Wed Aug  1 13:56:48 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1471
Released: Wed Aug  1 14:02:11 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1474
Released: Thu Aug  2 14:19:16 2018
Summary: Security update for libtirpc
Severity: important
References: 1072183,968175
Description:
This update for libtirpc fixes the following issues:

Security issue fixed:

- bsc#968175: Fix remote crash of RPC services.

Bug fixes:

- bsc#1072183: Send RPC getport call as specified via parameter.


-----------------------------------------
Patch: SUSE-2018-1515
Released: Tue Aug  7 20:19:04 2018
Summary: Introduce packages added to SLES 12 SP3 after release
Severity: low
References: 1102861
Description:
This update adds packages to the SUSE Linux Enterprise Server 12 SP3 for Teradata
which were added after the released of SLES 12 SP3.
  

-----------------------------------------
Patch: SUSE-2018-1549
Released: Mon Aug 13 13:41:22 2018
Summary: Recommended update for sg3_utils
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fix:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)


-----------------------------------------
Patch: SUSE-2018-1562
Released: Tue Aug 14 15:20:11 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1096917
Description:
This update for icewm fixes the following issues:

- Use .desktop file from upstream instead of sle distribution to keep in line
  with SLE 15, resolving the upgrade issue from sle12 to sle15. (bsc#1096917)


-----------------------------------------
Patch: SUSE-2018-1609
Released: Thu Aug 16 14:04:20 2018
Summary: Security update for cups
Severity: moderate
References: 1050082,1061066,1087018,1096405,1096406,1096407,1096408,CVE-2017-18248,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183
Description:
This update for cups fixes the following issues:

The following security vulnerabilities were fixed:

- CVE-2017-18248: Handle invalid characters properly in printing jobs. This fixes a problem that
  was causing the DBUS library to abort the calling process. (bsc#1061066 bsc#1087018)
- Fixed a local privilege escalation to root and sandbox bypasses in the
  scheduler
- CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend
  (bsc#1096405)
- CVE-2018-4181: Limited local file reads as root via cupsd.conf include
  directive (bsc#1096406)
- CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling
  (bsc#1096407)
- CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration
  (bsc#1096408)

The following other issue was fixed:

- Fixed authorization check for clients (like samba) connected through the
  local socket when Kerberos authentication is enabled (bsc#1050082)


-----------------------------------------
Patch: SUSE-2018-1610
Released: Thu Aug 16 14:04:25 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1612
Released: Thu Aug 16 14:04:38 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1619
Released: Thu Aug 16 14:49:40 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1621
Released: Thu Aug 16 14:49:51 2018
Summary: Security update for polkit
Severity: moderate
References: 1099031,CVE-2018-1116
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-1116: Fix uid comparison lacking in polkit_backend_interactive_authority_check_authorization (bsc#1099031).


-----------------------------------------
Patch: SUSE-2018-1622
Released: Thu Aug 16 14:49:55 2018
Summary: Security update for libtirpc
Severity: important
References: 1072183,968175
Description:
This update for libtirpc fixes the following issues:

Security issue fixed:

- bsc#968175: Fix remote crash of RPC services.

Bug fixes:

- bsc#1072183: Send RPC getport call as specified via parameter.


-----------------------------------------
Patch: SUSE-2018-1623
Released: Thu Aug 16 14:50:00 2018
Summary: Security update for mutt
Severity: important
References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534,CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Description:
This update for mutt fixes the following issues:

Security issues fixed:

- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status mailbox literal count size (bsc#1101583).
- CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer underflow (bsc#1101581).
- CVE-2018-14362: Fix pop.c that does not forbid characters that may have unsafe interaction with message-cache pathnames (bsc#1101567).
- CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers via backquote characters (bsc#1101578).
- CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave room for quote characters (bsc#1101582).
- CVE-2018-14356: Fix pop.c that mishandles a zero-length UID (bsc#1101576).
- CVE-2018-14355: Fix imap/util.c that mishandles '..' directory traversal in a mailbox name (bsc#1101577).
- CVE-2018-14349: Fix imap/command.c that mishandles a NO response without a message (bsc#1101589).
- CVE-2018-14350: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along INTERNALDATE field (bsc#1101588).
- CVE-2018-14363: Fix newsrc.c that does not properlyrestrict '/' characters that may have unsafe interaction with cache pathnames (bsc#1101566).
- CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571).
- CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based buffer overflow because of incorrect sscanf usage (bsc#1101569).
- CVE-2018-14357: Fix that remote IMAP servers are allowed to execute arbitrary commands via backquote characters (bsc#1101573).
- CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails for messages data (bsc#1101568).

Bug fixes:

- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517 (bsc#980830)
- mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)


-----------------------------------------
Patch: SUSE-2018-1636
Released: Thu Aug 16 15:30:11 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1643
Released: Thu Aug 16 17:41:07 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1100415
Description:

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
  

-----------------------------------------
Patch: SUSE-2018-1659
Released: Fri Aug 17 10:41:38 2018
Summary: Security update for gdk-pixbuf
Severity: moderate
References: 1053417,CVE-2015-4491
Description:
This update for gdk-pixbuf fixes the following issues:

Security issue fixed:

- CVE-2015-4491: Fix integer multiplication overflow that allows for DoS or potentially RCE (bsc#1053417).


-----------------------------------------
Patch: SUSE-2018-1688
Released: Mon Aug 20 09:02:23 2018
Summary: Recommended update for openslp
Severity: moderate
References: 1076035,1080964
Description:
This update for openslp provides the following fixes:

- Fix slpd using the peer address as local address for TCP connections. (bsc#1076035)
- Use TCP connections for unicast requests. (bsc#1080964)


-----------------------------------------
Patch: SUSE-2018-1689
Released: Mon Aug 20 09:02:24 2018
Summary: Recommended update for pam
Severity: low
References: 1096282
Description:
This update for pam provides the following fix:

- Added  /etc/security/limits.d to the pam package. (bsc#1096282)


-----------------------------------------
Patch: SUSE-2018-1690
Released: Mon Aug 20 09:02:27 2018
Summary: Recommended update for reiserfs
Severity: low
References: 1094401
Description:
This update for reiserfs provides the following fix:

- Move libreiserfscore.so.0 into the libreiserfscore0 package. (bsc#1094401)


-----------------------------------------
Patch: SUSE-2018-1691
Released: Mon Aug 20 09:04:17 2018
Summary: Recommended update for sg3_utils
Severity: low
References: 1065448,1070431,1077787,1092640
Description:
This update for sg3_utils provides the following fix:

- Decode standard INQUIRY for CD-ROMs correctly. (bsc#1065448, bsc#1070431)
- Fix page decoding. (bsc#1077787)
- Remove initrd rebuild macros for libsgutils2 subpackage. (bsc#1092640)
- Use %post -p for ldconfig. (bsc#1092640)


-----------------------------------------
Patch: SUSE-2018-1695
Released: Mon Aug 20 09:19:20 2018
Summary: Security update for perl
Severity: important
References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:

These security issue were fixed: 

- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a
  directory-traversal protection mechanism and overwrite arbitrary files
  (bsc#1096718)

This non-security issue was fixed: 

- fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]



-----------------------------------------
Patch: SUSE-2018-1716
Released: Mon Aug 20 17:03:40 2018
Summary: Recommended update for Salt
Severity: moderate
References: 1057635,1072599,1089526,1095507,1096514,1098394,1099323,1099460,1099945,1100142,1100225,1100697,1101812,1101880,1102218,1102265
Description:
This update for salt fixes the following issues:

- Fix file.blockreplace to avoid throwing IndexError. (bsc#1101812)
- Fix pkg.upgrade reports when dealing with multiversion packages. (bsc#1102265)
- Fix UnicodeDecodeError using is_binary check. (bsc#1100225)
- Fix corrupt public key with m2crypto python3. (bsc#1099323)
- Prevent payload crash on decoding binary data. (bsc#1100697)
- Accounting for when files in an archive contain non-ascii characters. (bsc#1099460)
- Handle packages with multiple version properly with zypper. (bsc#1096514)
- Fix file.get_diff regression on 2018.3. (bsc#1098394)
- Provide python version mismatch solutions. (bsc#1072599)
- Add custom SUSE capabilities as Grains. (bsc#1089526)
- Fix file.managed binary file utf8 error. (bsc#1098394)
- Multiversion patch plus upstream fix and patch reordering.
- Add environment variable to know if yum is invoked from Salt. (bsc#1057635)
- Prevent deprecation warning with salt-ssh. (bsc#1095507)
- Add missing dateutils import (bsc#1099945)
- Check dmidecoder executable on each 'smbios' call to avoid race condition (bsc#1101880)
- Fix mine.get not returning data - workaround for #48020 (bsc#1100142)
- Add API log rotation on SUSE package (bsc#1102218)
- Backport the new libvirt_events engine from upstream


-----------------------------------------
Patch: SUSE-2018-1753
Released: Fri Aug 24 14:24:17 2018
Summary: Security update for python
Severity: moderate
References: 1083507,CVE-2017-18207
Description:
This update for python fixes the following issues:

The following security vulnerabilities were addressed:

- Add a check to Lib/wave.py that verifies that at least one channel is
  provided. Prior to this, attackers could cause a denial of service via a
  crafted wav format audio file. [bsc#1083507, CVE-2017-18207]


-----------------------------------------
Patch: SUSE-2018-1755
Released: Fri Aug 24 17:12:33 2018
Summary: Recommended update for growpart
Severity: moderate
References: 1082318,1097455,1098681
Description:
This update for growpart provides the following fix:

- Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)
- Use %license instead of %doc in the package. (bsc#1082318)


-----------------------------------------
Patch: SUSE-2018-1758
Released: Fri Aug 24 17:13:59 2018
Summary: Recommended update for sapconf
Severity: moderate
References: 1070508,1093315,1093843,1093844,1096496,1098352
Description:
This update for sapconf provides the following fixes:

- Correct the SAP Note references in the man pages and in the
  sysconfig file. (bsc#1096496)
- Do not stop or disable uuidd.socket in sapconf as it is mandatory for every SAP
  application running. (bsc#1093843)
- Remove hardcoded default value for VSZ_TMPFS_PERCENT. This allows an admin to exclude
  VSZ_TMPFS settings from the sysconfig file, so current system value will remain
  untouched. This value only got used in the previous version, if the variable
  VSZ_TMPFS_PERCENT was removed from the sapconf configuration file /etc/sysconfig/sapconf.
  If the value of the variable was only changed (increased or decreased) in the sapconf
  configuration file everything works fine. (bsc#1093844)
- Consolidate all SAP ASE (Sybase) related configuration settings into the configuration
  file /etc/sysconfig/sapnote-1680803. (bsc#1070508)
- Correct pattern search in /etc/sysconfig/sapnote-1557506 to get updating of
  /etc/sysconfig/sapconf to work. The problem only happens if /etc/sysconfig/sapnote-1557506
  contains commented variable lines like '#PAGECACHE_LIMIT_MB=''' in addition to the
  uncommented line 'PAGECACHE_LIMIT_MB='500''. If only the uncommented lines exist,
  everything works correctly. (bsc#1093315)
- Remove a misleading deprecation warning in sapconf. (bsc#1098352)


-----------------------------------------
Patch: SUSE-2018-1763
Released: Mon Aug 27 09:30:15 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1104780
Description:
This update for ca-certificates-mozilla fixes the following issues:

The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- Removed server auth from following CAs:

  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
   - OpenTrust Root CA G2
   - OpenTrust Root CA G3

- Removed CAs

    - ComSign CA

- Added new CAs

    - GlobalSign


-----------------------------------------
Patch: SUSE-2018-1764
Released: Mon Aug 27 09:30:49 2018
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1100328
Description:
This update for polkit-default-privs fixes the following issues:

- whitelist incremental libvirt actions (bsc#1100328)


-----------------------------------------
Patch: SUSE-2018-1766
Released: Mon Aug 27 11:17:25 2018
Summary: Security update for openssh
Severity: moderate
References: 1076957,CVE-2016-10708
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).


-----------------------------------------
Patch: SUSE-2018-1858
Released: Fri Sep  7 13:42:12 2018
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1104668,CVE-2018-12539,CVE-2018-1517,CVE-2018-1656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2973
Description:
This update for java-1_7_1-ibm fixes the following issues:

Security issues fixed:
  
- CVE-2018-1517: Fixed a flaw in the java.math component in IBM SDK, which may
  allow an attacker to inflict a denial-of-service attack with specially
  crafted String data.
- CVE-2018-1656: Protect against path traversal attacks when extracting
  compressed dump files.
- CVE-2018-2940: Fixed an easily exploitable vulnerability in the libraries
  subcomponent, which allowed unauthenticated attackers with network access
  via multiple protocols to compromise the Java SE, leading to
  unauthorized read access.
- CVE-2018-2952: Fixed an easily exploitable vulnerability in the concurrency
  subcomponent, which allowed unauthenticated attackers with network access
  via multiple protocols to compromise the Java SE, leading to denial of
  service.
- CVE-2018-2973: Fixed a difficult to exploit vulnerability in the JSSE
  subcomponent, which allowed unauthenticated attackers with network access
  via SSL/TLS to compromise the Java SE, leading to unauthorized creation,
  deletion or modification access to critical data.
- CVE-2018-12539: Fixed a vulnerability in which users other than the process
  owner may be able to use Java Attach API to connect to the IBM JVM on the
  same machine and use Attach API operations, including the ability to execute
  untrusted arbitrary code.

Other changes made:

- Various JIT/JVM crash fixes
- Version update to 7.1.4.30 (bsc#1104668)

You can find detailed information about this update [here](https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_August_2018).


-----------------------------------------
Patch: SUSE-2018-1872
Released: Mon Sep 10 17:59:58 2018
Summary: Security update for compat-openssl098
Severity: moderate
References: 1087102,1089039,1097158,1097624,1098592,CVE-2018-0732,CVE-2018-0737,CVE-2018-0739
Description:
This update for compat-openssl098 fixes the following security issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
  ciphersuite a malicious server could have sent a very large prime value to the
  client. This caused the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
  vulnerable to a cache timing side channel attack. An attacker with sufficient
  access to mount cache timing attacks during the RSA key generation process
  could have recovered the private key (bsc#1089039)
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as
  can be found in PKCS7) could eventually exceed the stack given malicious input
  with excessive recursion. This could have resulted in DoS (bsc#1087102).


-----------------------------------------
Patch: SUSE-2018-1881
Released: Tue Sep 11 15:21:14 2018
Summary: Recommended update for cluster-glue
Severity: moderate
References: 1088656,1098758
Description:
This update for cluster-glue fixes the following issues:

- Fix: stonith:ibmhmc: Add 'managedsyspat' and 'password' as supported parameters (bsc#1098758)
- external/ec2: Avoid unicode errors and improve performance (bsc#1088656)
- external/ec2: Mitigate fence race (bsc#1088656)


-----------------------------------------
Patch: SUSE-2018-1886
Released: Wed Sep 12 11:53:32 2018
Summary: Security update for python3
Severity: moderate
References: 1086001,1088004,1088009,1107030,CVE-2018-1060,CVE-2018-1061
Description:
This update for python3 provides the following fixes:

These security issues were fixed:

- CVE-2018-1061: Prevent catastrophic backtracking in the difflib.IS_LINE_JUNK
  method. An attacker could have used this flaw to cause denial of service
  (bsc#1088004).
- CVE-2018-1060: Prevent catastrophic backtracking in pop3lib's apop() method.
  An attacker could have used this flaw to cause denial of service (bsc#1088009).

These non-security issues were fixed:

- Sort files and directories when creating tarfile archives so that they are created in a
  more predictable way. (bsc#1086001)
- Add -fwrapv to OPTS (bsc#1107030)


-----------------------------------------
Patch: SUSE-2018-1942
Released: Fri Sep 21 07:51:02 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-1947
Released: Fri Sep 21 11:29:55 2018
Summary: Recommended update for lsof
Severity: moderate
References: 1036304,1099847
Description:
This update for lsof provides the following fix:

- Enhance -K option with the form '-K i' to direct lsof to ignore tasks. (bsc#1036304)
- Add 'Provides: backported-option-Ki' to indicate that '-K i' option is supported so
  libzypp can safely use it. (bsc#1099847)


-----------------------------------------
Patch: SUSE-2018-1969
Released: Mon Sep 24 08:06:42 2018
Summary: Security update for libzypp, zypper
Severity: important
References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685
Description:
This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:

- PackageProvider: Validate deta rpms before caching (bsc#1091624,
  bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
  caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application
  pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having
  been been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update to zypper to version 1.13.45:

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
  (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf,
  not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)


-----------------------------------------
Patch: SUSE-2018-1985
Released: Mon Sep 24 11:56:08 2018
Summary: Recommended update for openldap2
Severity: moderate
References: 1089640
Description:
This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)


-----------------------------------------
Patch: SUSE-2018-1986
Released: Mon Sep 24 12:52:43 2018
Summary: Security update for libXcursor
Severity: moderate
References: 1103511,CVE-2015-9262
Description:
This update for libXcursor fixes the following security issue:

- CVE-2015-9262: _XcursorThemeInherits allowed remote attackers to cause denial
  of service or potentially code execution via a one-byte heap overflow
  (bsc#1103511).


-----------------------------------------
Patch: SUSE-2018-1989
Released: Mon Sep 24 12:54:37 2018
Summary: Security update for tiff
Severity: moderate
References: 1074186,1092480,983440,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-10779: Fixed a heap-based buffer overflow in TIFFWriteScanline()
  in tif_write.c (bsc#1092480)
- CVE-2017-17942: Fixed a heap-based buffer overflow in the function
  PackBitsEncode in tif_packbits.c. (bsc#1074186)
- CVE-2016-5319: Fixed a beap-based buffer overflow in bmp2tiff (bsc#983440)


-----------------------------------------
Patch: SUSE-2018-1990
Released: Mon Sep 24 12:54:57 2018
Summary: Security update for gnutls
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846
Description:
This update for gnutls fixes the following issues:

Security issues fixed:

- Improved mitigations against Lucky 13 class of attacks
  - 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (CVE-2018-10846, bsc#1105460)
  - HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (CVE-2018-10845, bsc#1105459)
  - HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (CVE-2018-10844, bsc#1105437)
- The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (CVE-2017-10790, bsc#1047002)


-----------------------------------------
Patch: SUSE-2018-1991
Released: Mon Sep 24 12:55:19 2018
Summary: Security update for gd
Severity: moderate
References: 1105434,CVE-2018-1000222
Description:
This update for gd fixes the following issues:

Security issue fixed:

- CVE-2018-1000222: Fixed a double free vulnerability in gdImageBmpPtr() that
  could result in remote code execution. This could have been exploited via a
  specially crafted JPEG image files. (bsc#1105434)


-----------------------------------------
Patch: SUSE-2018-2001
Released: Tue Sep 25 11:20:40 2018
Summary: Security update for python-paramiko
Severity: important
References: 1085276,1106148,CVE-2018-7750
Description:
This update for python-paramiko to version 1.18.5 fixes the following issues:

This security issue was fixed:

- CVE-2018-7750: transport.py in the SSH server implementation of Paramiko did
  not properly check whether authentication is completed processing other
  requests. A customized SSH client could have skipped the authentication step
  (bsc#1085276)

This non-security issue was fixed:

- Prevent connection problems with ssh servers due to no acceptable macs being
  available (bsc#1106148)

For additional changes please check the changelog.
  

-----------------------------------------
Patch: SUSE-2018-2023
Released: Wed Sep 26 09:48:49 2018
Summary: Recommended update for patchinfo.salt, salt
Severity: moderate
References: 1095942,1102013,1103530,1104154
Description:
This update for salt fixes the following issues:

- Prepend current directory when path is just filename. (bsc#1095942)
- Only do reverse DNS lookup on IPs for salt-ssh. (bsc#1104154)
- Add support for Python 3.7 and Tornado 5.0.
- Decode file contents for python2. (bsc#1102013, bsc#1103530)


-----------------------------------------
Patch: SUSE-2018-2038
Released: Wed Sep 26 12:27:58 2018
Summary: Recommended update for gcc48
Severity: moderate
References: 1093797
Description:
This update for gcc48 fixes the following issues:

- Fixed a reload bug on aarch64 causing a kernel miscompile.  [bsc#1093797]



-----------------------------------------
Patch: SUSE-2018-2117
Released: Tue Oct  2 16:30:51 2018
Summary: Security update for unzip
Severity: moderate
References: 1013992,1013993,1080074,910683,914442,950110,950111,CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035
Description:
This update for unzip fixes the following security issues:

- CVE-2014-9913: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013993)
- CVE-2015-7696: Specially crafted zip files with password protection could
  trigger a crash and lead to denial of service (bsc#950110)
- CVE-2015-7697: Specially crafted zip files could trigger an endless loop and
  lead to denial of service (bsc#950111)
- CVE-2016-9844: Specially crafted zip files could trigger invalid memory
  writes possibly resulting in DoS or corruption (bsc#1013992)
- CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of
  password-protected archives that allowed an attacker to perform a denial of
  service or to possibly achieve code execution (bsc#1080074).
- CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and
  crash) via an extra field with an uncompressed size smaller than the compressed
  field size in a zip archive that advertises STORED method compression
  (bsc#914442).

This non-security issue was fixed:

+- Allow processing of Windows zip64 archives (Windows archivers set
  total_disks field to 0 but per standard, valid values are 1 and higher)
  (bnc#910683)


-----------------------------------------
Patch: SUSE-2018-2126
Released: Tue Oct  2 21:15:06 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1096917
Description:
This update for icewm fixes the following issues:

- Revert a previously applied fix to fix starting of polkit-gnome-authentication-agent-1
  in icewm. It is really not necessary in SLE-12. (bsc#1096917)


-----------------------------------------
Patch: SUSE-2018-2132
Released: Thu Oct  4 06:47:56 2018
Summary: Security update for openslp
Severity: important
References: 1090638,CVE-2017-17833
Description:
This update for openslp fixes the following issues:

- CVE-2017-17833: Prevent heap-related memory corruption issue which may have
  manifested itself as a denial-of-service or a remote code-execution
  vulnerability (bsc#1090638)
- Prevent out of bounds reads in message parsing


-----------------------------------------
Patch: SUSE-2018-2154
Released: Fri Oct  5 14:18:49 2018
Summary: Recommended update for libqt5-qtbase
Severity: low
References: 1057971,1108889
Description:
This update for libqt5-qtbase provides the following fixes:

- Fix crash with XLIB_SKIP_ARGB_VISUALS set (bsc#1057971)
- Avoid using the hardcoded resolution that libinput is giving as a real pixel delta
- Add patch to fix fails to load pixmap cursors on XRendur less system. (bsc#1108889)
- Add patch to fix crash with XLIB_SKIP_ARGB_VISUALS set. (bsc#1057971, kde#384540)
- Add patch to avoid using the hardcoded resolution that libinput is giving 
  as a real pixel delta (QTBUG-59261).


-----------------------------------------
Patch: SUSE-2018-2162
Released: Fri Oct  5 14:46:53 2018
Summary: Recommended update for krb5
Severity: moderate
References: 1088921
Description:
This update for krb5 provides the following fix:

- Resolve krb5 GSS credentials immediately if the application requests the lifetime.
  (bsc#1088921)


-----------------------------------------
Patch: SUSE-2018-2178
Released: Tue Oct  9 09:00:27 2018
Summary: Recommended update for at
Severity: low
References: 879402
Description:
This update for at fixes the following issues:

- introduced -o <timeformat> switch for atq (bsc#879402)


-----------------------------------------
Patch: SUSE-2018-2179
Released: Tue Oct  9 09:01:13 2018
Summary: Recommended update for csync2
Severity: moderate
References: 1082576
Description:
This update for csync2 fixes the following issues:

- Comparison of peer names provided via command line is no longer case sensitive (bsc#1082576)


-----------------------------------------
Patch: SUSE-2018-2180
Released: Tue Oct  9 09:01:37 2018
Summary: Recommended update for yast2-support
Severity: moderate
References: 1093358
Description:
This update for yast2-support provides the following fixes:

- Make the 'Next' button to submit the gathered information visible in ncurses.
  (bsc#1093358)
- Make the Contact Information screen fit in a 80x24 terminal.


-----------------------------------------
Patch: SUSE-2018-2181
Released: Tue Oct  9 11:08:20 2018
Summary: Security update for libxml2
Severity: moderate
References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251
Description:
This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
  denial of service (infinite loop) via a crafted XML file that triggers
  LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
  file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
  (bsc#1105166).
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
  function when parsing an invalid XPath expression in the XPATH_OP_AND or
  XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a
  denial of service (memory consumption) via a crafted LZMA file, because the
  decoder functionality did not restrict memory usage to what is required for a
  legitimate file (bsc#1088601).


-----------------------------------------
Patch: SUSE-2018-2196
Released: Thu Oct 11 07:45:16 2018
Summary: Optional update for gcc8
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Toolchain Module by this
update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the base products of SUSE Linux Enterprise 12.

Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:

        https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on:

        https://gcc.gnu.org/gcc-8/porting_to.html




-----------------------------------------
Patch: SUSE-2018-2202
Released: Thu Oct 11 20:46:27 2018
Summary: Security update for libX11 and libxcb
Severity: moderate
References: 1094327,1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600
Description:
This update for libX11 and libxcb fixes the following issue:

libX11:

These security issues were fixed:

- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
  error caused by malicious server responses, leading to DoS or possibly
  unspecified other impact (bsc#1102062).
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
  instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
  leading to DoS or remote code execution (bsc#1102068).
- CVE-2018-14598: A malicious server could have sent a reply in which the first
  string overflows, causing a variable to be set to NULL that will be freed later
  on, leading to DoS (segmentation fault) (bsc#1102073).

This non-security issue was fixed:

- Make use of the new 64-bit sequence number API in XCB 1.11.1 to avoid the 32-bit
  sequence number wrap in libX11 (bsc#1094327).

libxcb:

- Expose 64-bit sequence number from XCB API so that Xlib and others can use it even
  on 32-bit environment. (bsc#1094327)


-----------------------------------------
Patch: SUSE-2018-2217
Released: Fri Oct 12 15:07:24 2018
Summary: Recommended update for bash
Severity: moderate
References: 1094121,1107430
Description:
This update for bash provides the following fixes:

- Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
- Fix mis-matching of null string with '*' pattern. (bsc#1107430)
- Fix a crash when the lastpipe option is enabled.
- Fix a typo that was preventing the `compat42' shopt option from working as intended.
- Help the shell to process any pending traps at redirection.
- Fix a crashe due to incorrect conversion from an indexed to associative array.
- Avoid the expansion of escape sequences in HOSTNAME in prompt.
- Avoid `xtrace' attack over $PS4.


-----------------------------------------
Patch: SUSE-2018-2248
Released: Tue Oct 16 14:25:25 2018
Summary: Recommended update for rsyslog
Severity: moderate
References: 1084682,901418
Description:
This update for rsyslog provides the following fixes:

- Fix path to extra apparmor profiles. (bsc#901418)
- omfile: Assure proper logfile flush when using a configuration template that configures
  messages to be written to multiple files, otherwise only the last file would be flushed.
  (bsc#1084682)


-----------------------------------------
Patch: SUSE-2018-2296
Released: Wed Oct 17 14:49:12 2018
Summary: Recommended update for hwinfo
Severity: moderate
References: 1072450,1105003
Description:
This update for hwinfo provides the following fixes:

- Try a more aggressive approach to catch all usb platform controllers. (bsc#1072450)
- Detect ARM HISILICON SAS controller. (bsc#1072450)
- Check for vmware only when running in a vm. (bsc#1105003)
- Add support for RISC-V.


-----------------------------------------
Patch: SUSE-2018-2297
Released: Wed Oct 17 16:56:44 2018
Summary: Security update for binutils
Severity: moderate
References: 1029907,1029908,1029909,1030296,1030297,1030298,1030584,1030585,1030588,1030589,1031590,1031593,1031595,1031638,1031644,1031656,1037052,1037057,1037061,1037066,1037273,1044891,1044897,1044901,1044909,1044925,1044927,1065643,1065689,1065693,1068640,1068643,1068887,1068888,1068950,1069176,1069202,1074741,1077745,1079103,1079741,1080556,1081527,1083528,1083532,1085784,1086608,1086784,1086786,1086788,1090997,1091015,1091365,1091368,CVE-2014-9939,CVE-2017-15938,CVE-2017-15939,CVE-2017-15996,CVE-2017-16826,CVE-2017-16827,CVE-2017-16828,CVE-2017-16829,CVE-2017-16830,CVE-2017-16831,CVE-2017-16832,CVE-2017-6965,CVE-2017-6966,CVE-2017-6969,CVE-2017-7209,CVE-2017-7210,CVE-2017-7223,CVE-2017-7224,CVE-2017-7225,CVE-2017-7226,CVE-2017-7299,CVE-2017-7300,CVE-2017-7301,CVE-2017-7302,CVE-2017-7303,CVE-2017-7304,CVE-2017-8392,CVE-2017-8393,CVE-2017-8394,CVE-2017-8396,CVE-2017-8421,CVE-2017-9746,CVE-2017-9747,CVE-2017-9748,CVE-2017-9750,CVE-2017-9755,CVE-2017-9756,CVE-2018-10372,CVE-2018-10373,CVE-2018-10534,CVE-2018-10535,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945
Description:
This update for binutils to 2.31 fixes the following issues:

These security issues were fixed:

- CVE-2017-15996: readelf allowed remote attackers to cause a denial of service
  (excessive memory allocation) or possibly have unspecified other impact via a
  crafted ELF file that triggered a buffer overflow on fuzzed archive header
  (bsc#1065643).
- CVE-2017-15939: Binary File Descriptor (BFD) library (aka libbfd) mishandled
  NULL files in a .debug_line file table, which allowed remote attackers to cause
  a denial of service (NULL pointer dereference and application crash) via a
  crafted ELF file, related to concat_filename (bsc#1065689).
- CVE-2017-15938: the Binary File Descriptor (BFD) library (aka libbfd)
  miscalculated DW_FORM_ref_addr die refs in the case of a relocatable object
  file, which allowed remote attackers to cause a denial of service
  (find_abstract_instance_name invalid memory read, segmentation fault, and
  application crash) (bsc#1065693).
- CVE-2017-16826: The coff_slurp_line_table function the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (invalid memory access and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068640).
- CVE-2017-16832: The pe_bfd_read_buildid function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not validate size and offset values
  in the data dictionary, which allowed remote attackers to cause a denial of
  service (segmentation violation and application crash) or possibly have
  unspecified other impact via a crafted PE file (bsc#1068643).
- CVE-2017-16831: Binary File Descriptor (BFD) library (aka libbfd) did not
  validate the symbol count, which allowed remote attackers to cause a denial of
  service (integer overflow and application crash, or excessive memory
  allocation) or possibly have unspecified other impact via a crafted PE file
  (bsc#1068887).
- CVE-2017-16830: The print_gnu_property_note function did not have
  integer-overflow protection on 32-bit platforms, which allowed remote attackers
  to cause a denial of service (segmentation violation and application crash) or
  possibly have unspecified other impact via a crafted ELF file (bsc#1068888).
- CVE-2017-16829: The _bfd_elf_parse_gnu_properties function in the Binary File
  Descriptor (BFD) library (aka libbfd) did not prevent negative pointers, which
  allowed remote attackers to cause a denial of service (out-of-bounds read and
  application crash) or possibly have unspecified other impact via a crafted ELF
  file (bsc#1068950).
- CVE-2017-16828: The display_debug_frames function allowed remote attackers to
  cause a denial of service (integer overflow and heap-based buffer over-read,
  and application crash) or possibly have unspecified other impact via a crafted
  ELF file (bsc#1069176).
- CVE-2017-16827: The aout_get_external_symbols function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (slurp_symtab invalid free and application crash) or possibly
  have unspecified other impact via a crafted ELF file (bsc#1069202).
- CVE-2018-6323: The elf_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) had an unsigned integer overflow because bfd_size_type
  multiplication is not used. A crafted ELF file allowed remote attackers to
  cause a denial of service (application crash) or possibly have unspecified
  other impact (bsc#1077745).
- CVE-2018-6543: Prevent integer overflow in the function
  load_specific_debug_section() which resulted in `malloc()` with 0 size. A
  crafted ELF file allowed remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact (bsc#1079103).
- CVE-2018-6759: The bfd_get_debug_link_info_1 function in the Binary File
  Descriptor (BFD) library (aka libbfd) had an unchecked strnlen operation.
  Remote attackers could have leveraged this vulnerability to cause a denial of
  service (segmentation fault) via a crafted ELF file (bsc#1079741).
- CVE-2018-6872: The elf_parse_notes function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (out-of-bounds read and segmentation violation) via a note with a large
  alignment (bsc#1080556).
- CVE-2018-7208: In the coff_pointerize_aux function in the Binary File
  Descriptor (BFD) library (aka libbfd) an index was not validated, which allowed
  remote attackers to cause a denial of service (segmentation fault) or possibly
  have unspecified other impact via a crafted file, as demonstrated by objcopy of
  a COFF object (bsc#1081527).
- CVE-2018-7570: The assign_file_positions_for_non_load_sections function in
  the Binary File Descriptor (BFD) library (aka libbfd) allowed remote attackers
  to cause a denial of service (NULL pointer dereference and application crash)
  via an ELF file with a RELRO segment that lacks a matching LOAD segment, as
  demonstrated by objcopy (bsc#1083528).
- CVE-2018-7569: The Binary File Descriptor (BFD) library (aka libbfd) allowed
  remote attackers to cause a denial of service (integer underflow or overflow,
  and application crash) via an ELF file with a corrupt DWARF FORM block, as
  demonstrated by nm (bsc#1083532).
- CVE-2018-8945: The bfd_section_from_shdr function in the Binary File
  Descriptor (BFD) library (aka libbfd) allowed remote attackers to cause a
  denial of service (segmentation fault) via a large attribute section
  (bsc#1086608).
- CVE-2018-7643: The display_debug_ranges function allowed remote attackers to
  cause a denial of service (integer overflow and application crash) or possibly
  have unspecified other impact via a crafted ELF file, as demonstrated by
  objdump (bsc#1086784).
- CVE-2018-7642: The swap_std_reloc_in function in the Binary File Descriptor
  (BFD) library (aka libbfd) allowed remote attackers to cause a denial of
  service (aout_32_swap_std_reloc_out NULL pointer dereference and application
  crash) via a crafted ELF file, as demonstrated by objcopy (bsc#1086786).
- CVE-2018-7568: The parse_die function in the Binary File Descriptor (BFD)
  library (aka libbfd) allowed remote attackers to cause a denial of service
  (integer overflow and application crash) via an ELF file with corrupt dwarf1
  debug information, as demonstrated by nm (bsc#1086788).
- CVE-2018-10373: concat_filename in the Binary File Descriptor (BFD) library
  (aka libbfd) allowed remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted binary file, as
  demonstrated by nm-new (bsc#1090997).
- CVE-2018-10372: process_cu_tu_index allowed remote attackers to cause a
  denial of service (heap-based buffer over-read and application crash) via a
  crafted binary file, as demonstrated by readelf (bsc#1091015).
- CVE-2018-10535: The ignore_section_sym function in the Binary File Descriptor
  (BFD) library (aka libbfd) did not validate the output_section pointer in the
  case of a symtab entry with a 'SECTION' type that has a '0' value, which
  allowed remote attackers to cause a denial of service (NULL pointer dereference
  and application crash) via a crafted file, as demonstrated by objcopy
  (bsc#1091365).
- CVE-2018-10534: The _bfd_XX_bfd_copy_private_bfd_data_common function in the
  Binary File Descriptor (BFD) library (aka libbfd) processesed a negative Data
  Directory size with an unbounded loop that increased the value of
  (external_IMAGE_DEBUG_DIRECTORY) *edd so that the address exceeded its own
  memory region, resulting in an out-of-bounds memory write, as demonstrated by
  objcopy copying private info with _bfd_pex64_bfd_copy_private_bfd_data_common
  in pex64igen.c (bsc#1091368).

These non-security issues were fixed:

- The AArch64 port now supports showing disassembly notes which are emitted
  when inconsistencies are found with the instruction that may result in the
  instruction being invalid. These can be turned on with the option -M notes
  to objdump.
- The AArch64 port now emits warnings when a combination of an instruction and
  a named register could be invalid.
- Added O modifier to ar to display member offsets inside an archive
- The ADR and ADRL pseudo-instructions supported by the ARM assembler
  now only set the bottom bit of the address of thumb function symbols
  if the -mthumb-interwork command line option is active.
- Add --generate-missing-build-notes=[yes|no] option to create (or not) GNU
  Build Attribute notes if none are present in the input sources.  Add a
  --enable-generate-build-notes=[yes|no] configure time option to set the
  default behaviour.  Set the default if the configure option is not used
  to 'no'.
- Remove -mold-gcc command-line option for x86 targets.
- Add -O[2|s] command-line options to x86 assembler to enable alternate
  shorter instruction encoding.
- Add support for .nops directive.  It is currently supported only for
  x86 targets.
- Speed up direct linking with DLLs for Cygwin and Mingw targets.
- Add a configure option --enable-separate-code to decide whether
  -z separate-code should be enabled in ELF linker by default.  Default
  to yes for Linux/x86 targets. Note that -z separate-code can increase
  disk and memory size.
- RISC-V: Fix symbol address problem with versioned symbols 
- Restore riscv64-elf cross prefix via symlinks
- RISC-V: Don't enable relaxation in relocatable link
- Prevent linking faiures on i386 with assertion (bsc#1085784)
- Fix symbol size bug when relaxation deletes bytes
- Add --debug-dump=links option to readelf and --dwarf=links option to objdump
  which displays the contents of any .gnu_debuglink or .gnu_debugaltlink
  sections.
  Add a --debug-dump=follow-links option to readelf and a --dwarf=follow-links
  option to objdump which causes indirect links into separate debug info files
  to be followed when dumping other DWARF sections.
- Add support for loaction views in DWARF debug line information.
- Add -z separate-code to generate separate code PT_LOAD segment.
- Add '-z undefs' command line option as the inverse of the '-z defs' option.
- Add -z globalaudit command line option to force audit libraries to be run
  for every dynamic object loaded by an executable - provided that the loader
  supports this functionality.
- Tighten linker script grammar around file name specifiers to prevent the use
  of SORT_BY_ALIGNMENT and SORT_BY_INIT_PRIORITY on filenames.  These would
  previously be accepted but had no effect.
- The EXCLUDE_FILE directive can now be placed within any SORT_* directive
  within input section lists.
- Fix linker relaxation with --wrap
- Add arm-none-eabi symlinks (bsc#1074741)

Former updates of binutils also fixed the following security issues, for which
there was not CVE assigned at the time the update was released or no mapping
between code change and CVE existed:

- CVE-2014-9939: Prevent stack buffer overflow when printing bad bytes in Intel
  Hex objects (bsc#1030296).
- CVE-2017-7225: The find_nearest_line function in addr2line did not handle the
  case where the main file name and the directory name are both empty, triggering
  a NULL pointer dereference and an invalid write, and leading to a program crash
  (bsc#1030585).
- CVE-2017-7224: The find_nearest_line function in objdump was vulnerable to an
  invalid write (of size 1) while disassembling a corrupt binary that contains an
  empty function name, leading to a program crash (bsc#1030588).
- CVE-2017-7223: GNU assembler in was vulnerable to a global buffer overflow
  (of size 1) while attempting to unget an EOF character from the input stream,
  potentially leading to a program crash (bsc#1030589).
- CVE-2017-7226: The pe_ILF_object_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) was vulnerable to a heap-based buffer over-read of
  size 4049 because it used the strlen function instead of strnlen, leading to
  program crashes in several utilities such as addr2line, size, and strings. It
  could lead to information disclosure as well (bsc#1030584).
- CVE-2017-7299: The Binary File Descriptor (BFD) library (aka libbfd) had an
  invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link
  function in bfd/elflink.c) did not check the format of the input file trying to
  read the ELF reloc section header. The vulnerability leads to a GNU linker (ld)
  program crash (bsc#1031644).
- CVE-2017-7300: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a
  heap-based buffer over-read (off-by-one) because of an incomplete check for
  invalid string offsets while loading symbols, leading to a GNU linker (ld)
  program crash (bsc#1031656).
- CVE-2017-7302: The Binary File Descriptor (BFD) library (aka libbfd) had a
  swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid
  read (of size 4) because of missing checks for relocs that could not be
  recognised. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031595).
- CVE-2017-7303: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 4) because of missing a check (in the
  find_link function) for null headers attempting to match them. This
  vulnerability caused Binutils utilities like strip to crash (bsc#1031593).
- CVE-2017-7301: The Binary File Descriptor (BFD) library (aka libbfd) had an
  aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one
  vulnerability because it did not carefully check the string offset. The
  vulnerability could lead to a GNU linker (ld) program crash (bsc#1031638).
- CVE-2017-7304: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read (of size 8) because of missing a check (in the
  copy_special_section_fields function) for an invalid sh_link field attempting
  to follow it. This vulnerability caused Binutils utilities like strip to crash
  (bsc#1031590).
- CVE-2017-8392: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 8 because of missing a check to determine
  whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This
  vulnerability caused programs that conduct an analysis of binary programs using
  the libbfd library, such as objdump, to crash (bsc#1037052).
- CVE-2017-8393: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to a global buffer over-read error because of an assumption made by
  code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always
  named starting with a .rel/.rela prefix. This vulnerability caused programs
  that conduct an analysis of binary programs using the libbfd library, such as
  objcopy and strip, to crash (bsc#1037057).
- CVE-2017-8394: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of
  _bfd_elf_large_com_section. This vulnerability caused programs that conduct an
  analysis of binary programs using the libbfd library, such as objcopy, to crash
  (bsc#1037061).
- CVE-2017-8396: The Binary File Descriptor (BFD) library (aka libbfd) was
  vulnerable to an invalid read of size 1 because the existing reloc offset range
  tests didn't catch small negative offsets less than the size of the reloc
  field. This vulnerability caused programs that conduct an analysis of binary
  programs using the libbfd library, such as objdump, to crash (bsc#1037066).
- CVE-2017-8421: The function coff_set_alignment_hook in Binary File Descriptor
  (BFD) library (aka libbfd) had a memory leak vulnerability which can cause
  memory exhaustion in objdump via a crafted PE file (bsc#1037273).
- CVE-2017-9746: The disassemble_bytes function in objdump.c allowed remote
  attackers to cause a denial of service (buffer overflow and application crash)
  or possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of rae insns printing for this file during 'objdump
  -D' execution (bsc#1044891).
- CVE-2017-9747: The ieee_archive_p function in the Binary File Descriptor
  (BFD) library (aka libbfd) might have allowed remote attackers to cause a
  denial of service (buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted binary file, as demonstrated by
  mishandling of this file during 'objdump -D' execution (bsc#1044897).
- CVE-2017-9748: The ieee_object_p function in the Binary File Descriptor (BFD)
  library (aka libbfd) might have allowed remote attackers to cause a denial of
  service (buffer overflow and application crash) or possibly have unspecified
  other impact via a crafted binary file, as demonstrated by mishandling of this
  file during 'objdump -D' execution (bsc#1044901).
- CVE-2017-9750: opcodes/rx-decode.opc lacked bounds checks for certain scale
  arrays, which allowed remote attackers to cause a denial of service (buffer
  overflow and application crash) or possibly have unspecified other impact via a
  crafted binary file, as demonstrated by mishandling of this file during
  'objdump -D' execution (bsc#1044909).
- CVE-2017-9755: Not considering the the number of registers for bnd mode
  allowed remote attackers to cause a denial of service (buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  binary file, as demonstrated by mishandling of this file during 'objdump -D'
  execution (bsc#1044925).
- CVE-2017-9756: The aarch64_ext_ldst_reglist function allowed remote attackers
  to cause a denial of service (buffer overflow and application crash) or
  possibly have unspecified other impact via a crafted binary file, as
  demonstrated by mishandling of this file during 'objdump -D' execution
  (bsc#1044927).
- CVE-2017-7209: The dump_section_as_bytes function in readelf accessed a NULL
  pointer while reading section contents in a corrupt binary, leading to a
  program crash (bsc#1030298).
- CVE-2017-6965: readelf wrote to illegal addresses while processing corrupt
  input files containing symbol-difference relocations, leading to a heap-based
  buffer overflow (bsc#1029909).
- CVE-2017-6966: readelf had a use-after-free (specifically read-after-free)
  error while processing multiple, relocated sections in an MSP430 binary. This
  is caused by mishandling of an invalid symbol index, and mishandling of state
  across invocations (bsc#1029908).
- CVE-2017-6969: readelf was vulnerable to a heap-based buffer over-read while
  processing corrupt RL78 binaries. The vulnerability can trigger program
  crashes. It may lead to an information leak as well (bsc#1029907).
- CVE-2017-7210: objdump was vulnerable to multiple heap-based buffer
  over-reads (of size 1 and size 8) while handling corrupt STABS enum type
  strings in a crafted object file, leading to program crash (bsc#1030297).
  

-----------------------------------------
Patch: SUSE-2018-2299
Released: Thu Oct 18 11:58:01 2018
Summary: Security update for fuse
Severity: moderate
References: 1101797,CVE-2018-10906
Description:
This update for fuse fixes the following security issue:

- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when
  SELinux is active. This allowed non-root users to mount a FUSE file system with
  the 'allow_other' mount option regardless of whether 'user_allow_other' is set
  in the fuse configuration. An attacker may use this flaw to mount a FUSE file
  system, accessible by other users, and trick them into accessing files on that
  file system, possibly causing Denial of Service or other unspecified effects
  (bsc#1101797)


-----------------------------------------
Patch: SUSE-2018-2324
Released: Fri Oct 19 14:44:21 2018
Summary: Recommended update for man-pages
Severity: low
References: 1077249
Description:
This update for man-pages provides the following fix:

- ip.7: Document IP_BIND_ADDRESS_NO_PORT. (bsc#1077249)


-----------------------------------------
Patch: SUSE-2018-2341
Released: Sat Oct 20 09:50:41 2018
Summary: Recommended update for pciutils
Severity: moderate
References: 1098094,1098228
Description:
This update for pciutils provides the following fixes:

- Fix the displaying of the gen4 speed for GEN 4 cards like Mellanox CX5. (bsc#1098094)
- Add support for commonly used vendor specific VPD keywords described in 'Table 160.
  LoPAPR VPD Fields' of the Linux on Power Architecture Platform Reference (LoPAPR).
  (bsc#1098228)


-----------------------------------------
Patch: SUSE-2018-2373
Released: Mon Oct 22 14:43:47 2018
Summary: Security update for rpm
Severity: moderate
References: 1077692,943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This non-security issue was fixed:

- Use ksym-provides tool [bsc#1077692]


-----------------------------------------
Patch: SUSE-2018-2375
Released: Mon Oct 22 15:30:22 2018
Summary: Security update for tiff
Severity: moderate
References: 1106853,1108627,1108637,1110358,CVE-2017-11613,CVE-2017-9935,CVE-2018-16335,CVE-2018-17100,CVE-2018-17101,CVE-2018-17795
Description:
This update for tiff fixes the following issues:

- CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637)
- CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)
- CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358)
- CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853)


-----------------------------------------
Patch: SUSE-2018-2379
Released: Tue Oct 23 10:32:56 2018
Summary: Recommended update for Salt
Severity: moderate
References: 1095651,1104491,1106164,1107333,1108557,1108834,1108969,1108995,1109893
Description:
This update fixes the following issues:

salt:
- Improved IPv6 address handling (bsc#1108557)
- Better handling for zypper exiting with exit code ZYPPER_EXIT_NO_REPOS (bsc#1108834, bsc#1109893)
- Fix for dependency problem with pip (bsc#1104491)
- Fix loosen azure sdk dependencies in azurearm cloud driver (bsc#1107333)
- Fix for Python3 issue in zypper (bsc#1108995)
- Allow running salt-cloud in GCE using instance credentials  (bsc#1108969)
- Improved handling of Python unicode literals in YAML parsing (bsc#1095651)
- Fix for Salt 'acl.present' and 'acl.absent' states to make them successfully work 
  recursively when 'recurse=True'. (bsc#1106164)
- Fix for Python3 byte/unicode mismatch and additional minor bugfixes to x509 module.
- Integration of MSI authentication for azurearm
- Compound list targeting wrongly returned with minions specified in 'not'.
- Fixes the x509 module to work, when using the sign_remote_certificate functionality.
- Fix for SUSE Expanded Support os grain detection (returned 'Redhat' instead of 'Centos')



-----------------------------------------
Patch: SUSE-2018-2404
Released: Tue Oct 23 16:44:03 2018
Summary: Security update for ntp
Severity: moderate
References: 1083424,1098531,1111853,CVE-2018-12327,CVE-2018-7170
Description:

  
NTP was updated to 4.2.8p12 (bsc#1111853):

- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)

Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.



-----------------------------------------
Patch: SUSE-2018-2413
Released: Tue Oct 23 17:28:39 2018
Summary: Recommended update for supportutils
Severity: moderate
References: 1105849
Description:
This update for supportutils provides the following fix:

- Add vulnerabilities check. (bsc#1105849)


-----------------------------------------
Patch: SUSE-2018-2415
Released: Tue Oct 23 17:29:38 2018
Summary: Recommended update for several Python modules
Severity: moderate
References: 1054413
Description:
This update adds the Python 3 variants of the following modules to the Public Cloud Module:

- python-Pygments
- python-coverage
- python-ecdsa
- python-isodate

Additionally, the following packages have been updated:

python-Pygments from version 1.6 to 2.2.0
python-coverage from version 3.7 to 4.5.1

For a detailed description of all changes, please refer to the changelog.

-----------------------------------------
Patch: SUSE-2018-2423
Released: Wed Oct 24 10:31:10 2018
Summary: Recommended update for libXaw
Severity: moderate
References: 1098411
Description:
This update for libXaw provides the following fix:

- Fix a crash when the required font is not installed. (bsc#1098411)


-----------------------------------------
Patch: SUSE-2018-2437
Released: Wed Oct 24 16:36:46 2018
Summary: Recommended update for several Python modules
Severity: moderate
References: 1054413
Description:
This update provides several new Python modules and adds the Python 3
variants of existing modules to the Public Cloud Module.

The following Python 2 and Python 3 modules got added:

- python-appdirs
- python-python-dateutil

The following Python 3 modules got added:

- python-PySocks
- python-blinker
- python-certifi
- python-pytz

Additionally, the following packages have been updated:

python-PySocks from version 1.5.6 to 1.6.8.
python-certifi from version 2015.9.6.2 to 2018.4.16.
python-pytz from version 2016.10 to 2018.3.

-----------------------------------------
Patch: SUSE-2018-2451
Released: Thu Oct 25 09:44:19 2018
Summary: Recommended update for branding-SLE
Severity: moderate
References: 1083702
Description:
This update for branding-SLE fixes the following issues:

- Parse '\n' in plymouth theme text to new lines (bsc#1083702)


-----------------------------------------
Patch: SUSE-2018-2461
Released: Thu Oct 25 14:35:20 2018
Summary: Security update for net-snmp
Severity: important
References: 1027353,1081164,1102775,1111122,CVE-2018-18065
Description:
This update for net-snmp fixes the following issues:

Security issues fixed:

- CVE-2018-18065: _set_key in agent/helpers/table_container.c had a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. (bsc#1111122)

Non-security issues fixed:

- swintst_rpm: Protect against unspecified Group name (bsc#1102775)
- Add tsm and tlstm MIBs and the USM security module. (bsc#1081164)
- Fix agentx freezing on timeout (bsc#1027353)


-----------------------------------------
Patch: SUSE-2018-2473
Released: Thu Oct 25 16:55:27 2018
Summary: Recommended update for tar
Severity: low
References: 1071340
Description:
This update for tar provides the following fix:

- Revert an upstream commit meant for optimizing sparse files as it causes a regression on
  offline files. (bsc#1071340)


-----------------------------------------
Patch: SUSE-2018-2475
Released: Thu Oct 25 16:56:24 2018
Summary: Recommended update for libzypp
Severity: moderate
References: 1099982,1109877,408814,556664,939392
Description:
This update for libzypp fixes the following issues:

- Add filesize check for downloads with known size (bsc#408814)
- Fix conversion of string and glob to regex when compiling queries
  (bsc#1099982, bsc#939392, bsc#556664)
- Fix blocking wait for finished child process (bsc#1109877)


-----------------------------------------
Patch: SUSE-2018-2476
Released: Thu Oct 25 16:57:26 2018
Summary: Recommended update for fping
Severity: important
References: 988195
Description:
This update for fping provides the following fix:

-  Fix a problem that was causing fping to flood /tmp after a network stop. (bsc#988195)


-----------------------------------------
Patch: SUSE-2018-2488
Released: Fri Oct 26 12:39:59 2018
Summary: Recommended update for cpio
Severity: low
References: 1076810,889138
Description:
This update for cpio provides the following fix:

- Remove an obsolete patch that was causing cpio not to preserve folder permissions.
  (bsc#1076810, bsc#889138)


-----------------------------------------
Patch: SUSE-2018-2503
Released: Fri Oct 26 16:01:52 2018
Summary: Initial release of python-pyudev
Severity: low
References: 1107264
Description:
This update provides python-pyudev for the SUSE Linux Enterprise Desktop 12 SP3.

This package provides a Python binding to libudev, the hardware management library and service found
in modern linux systems.

-----------------------------------------
Patch: SUSE-2018-2516
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps.
  (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and
  console-setup. (bsc#963942)

Changes in kbd:
- Update to version 2.0.4, including the following fixes (FATE#325454):
    * Disable characters greater than or equal to =U+F000 as they do not work properly.
      (bsc#1085432)
    * Move initial NumLock handling from systemd back to kbd:
      * Add kbdsettings service. (bsc#1010880)
      * Exclude numlockbios support for non x86 platforms
    * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
    * Drop from some fill-up templates and a couple of sysconfig variables not read by
      systemd anymore. (fate#319454)
    * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
    * Add vlock.pamd PAM file. (bsc#1056449)
    * Enable vlock (bsc#1056449).
    * Revert dropping of kdb-legacy requirement as there are still packages and installation
      flows that needs this to be present. (bsc#1027379)
    * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
    * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
    * Call missing initrd macro at postun. (bsc#958562)
    * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table
      from xkeyboard-config converted keymaps. (fate#318426)
    * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts
      and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
    * Include xkb layouts from xkeyboard-config converted to console
      keymaps. (fate#318426)
    * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign.
      (bsc#360993)
    * Drop doshell reference from openvt.1 man page. (bsc#675317)
    * Drop the --userwait option as it is not used. (bsc#830805)
    * Fix a typo in the mac-querty-layout.inc. (bsc#825385)


-----------------------------------------
Patch: SUSE-2018-2520
Released: Mon Oct 29 17:28:57 2018
Summary: Security update for python, python-base
Severity: moderate
References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:

- CVE-2018-1000802: Prevent command injection in shutil module (make_archive
  function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in
  difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in
  apop() method in pop3lib (bsc#1088009).

Bug fixes:

- bsc#1086001: python tarfile uses random order.


-----------------------------------------
Patch: SUSE-2018-2525
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:

  Recently released update introduced a change of behavior which
  resulted in broken customers scripts. (bsc#1113117)


-----------------------------------------
Patch: SUSE-2018-2533
Released: Tue Oct 30 16:14:24 2018
Summary: Recommended update for cronie
Severity: moderate
References: 1017160,1077979
Description:
This update for cronie provides the following fixes:

- Prefer flock locking instead of fcntl locking that has different semantics. It caused a
  bug where it was possible to run more than one cron process as the locking was not
  successful. (bsc#1017160)
- Check the existence of the user at the time the job is run and do not ignore jobs for
  users that were not existing at database reload. This prevents cron from ignoring jobs
  in user crontab for users that changed group meanwhile. (bsc#1077979)


-----------------------------------------
Patch: SUSE-2018-2549
Released: Wed Oct 31 15:03:45 2018
Summary: Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss
Severity: important
References: 1012260,1021577,1026191,1041469,1041894,1049703,1061204,1064786,1065464,1066489,1073210,1078436,1091551,1092697,1094767,1096515,1107343,1108771,1108986,1109363,1109465,1110506,1110507,703591,839074,857131,893359,CVE-2017-16541,CVE-2018-12376,CVE-2018-12377,CVE-2018-12378,CVE-2018-12379,CVE-2018-12381,CVE-2018-12383,CVE-2018-12385,CVE-2018-12386,CVE-2018-12387
Description:
This update for MozillaFirefox to ESR 60.2.2 fixes several issues.

These general changes are part of the version 60 release.

- New browser engine with speed improvements
- Redesigned graphical user interface elements
- Unified address and search bar for new installations
- New tab page listing top visited, recently visited and recommended pages
- Support for configuration policies in enterprise deployments via JSON files
- Support for Web Authentication, allowing the use of USB tokens for
  authentication to web sites

The following changes affect compatibility:
    
- Now exclusively supports extensions built using the WebExtension API.
- Unsupported legacy extensions will no longer work in Firefox 60 ESR
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted 
  The 'security.pki.distrust_ca_policy' preference can be set to 0 to reinstate
  trust in those certificates

The following issues affect performance:

- new format for storing private keys, certificates and certificate trust
  If the user home or data directory is on a network file system, it is
  recommended that users set the following environment variable to avoid
  slowdowns: NSS_SDB_USE_CACHE=yes
  This setting is not recommended for local, fast file systems. 

These security issues were fixed:

- CVE-2018-12381: Dragging and dropping Outlook email message results in page navigation (bsc#1107343).
- CVE-2017-16541: Proxy bypass using automount and autofs (bsc#1107343).
- CVE-2018-12376: Various memory safety bugs (bsc#1107343).
- CVE-2018-12377: Use-after-free in refresh driver timers (bsc#1107343).
- CVE-2018-12378: Use-after-free in IndexedDB (bsc#1107343).
- CVE-2018-12379: Out-of-bounds write with malicious MAR file (bsc#1107343).
- CVE-2018-12386: Type confusion in JavaScript allowed remote code execution (bsc#1110506)
- CVE-2018-12387: Array.prototype.push stack pointer vulnerability may enable exploits in the sandboxed content process (bsc#1110507)
- CVE-2018-12385: Crash in TransportSecurityInfo due to cached data  (bsc#1109363)
- CVE-2018-12383: Setting a master password did not delete unencrypted previously stored passwords  (bsc#1107343)

This update for mozilla-nspr to version 4.19 fixes the follwing issues

- Added TCP Fast Open functionality
- A socket without PR_NSPR_IO_LAYER will no longer trigger
  an assertion when polling

This update for mozilla-nss to version 3.36.4 fixes the follwing issues

- Connecting to a server that was recently upgraded to TLS 1.3
  would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
- Fix a rare bug with PKCS#12 files.
- Replaces existing vectorized ChaCha20 code with verified
  HACL* implementation.
- TLS 1.3 support has been updated to draft -23.
- Added formally verified implementations of non-vectorized Chacha20
  and non-vectorized Poly1305 64-bit.
- The following CA certificates were Removed:
  OU = Security Communication EV RootCA1
  CN = CA Disig Root R1
  CN = DST ACES CA X6
  Certum CA, O=Unizeto Sp. z o.o.
  StartCom Certification Authority
  StartCom Certification Authority G2
  TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  ACEDICOM Root
  Certinomis - Autorité Racine
  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  PSCProcert
  CA 沃通根证书, O=WoSign CA Limited
  Certification Authority of WoSign
  Certification Authority of WoSign G2
  CA WoSign ECC Root
  Subject CN = VeriSign Class 3 Secure Server CA - G2
  O = Japanese Government, OU = ApplicationCA
  CN = WellsSecure Public Root Certificate Authority
  CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  CN = Microsec e-Szigno Root
* The following CA certificates were Removed:
  AddTrust Public CA Root
  AddTrust Qualified CA Root
  China Internet Network Information Center EV Certificates Root
  CNNIC ROOT
  ComSign Secured CA
  GeoTrust Global CA 2
  Secure Certificate Services
  Swisscom Root CA 1
  Swisscom Root EV CA 2
  Trusted Certificate Services
  UTN-USERFirst-Hardware
  UTN-USERFirst-Object
* The following CA certificates were Added
  CN = D-TRUST Root CA 3 2013
  CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
  GDCA TrustAUTH R5 ROOT
  SSL.com Root Certification Authority RSA
  SSL.com Root Certification Authority ECC
  SSL.com EV Root Certification Authority RSA R2
  SSL.com EV Root Certification Authority ECC
  TrustCor RootCert CA-1
  TrustCor RootCert CA-2
  TrustCor ECA-1
* The Websites (TLS/SSL) trust bit was turned off for the following
  CA certificates:
  CN = Chambers of Commerce Root
  CN = Global Chambersign Root
* TLS servers are able to handle a ClientHello statelessly, if the
  client supports TLS 1.3.  If the server sends a HelloRetryRequest,
  it is possible to discard the server socket, and make a new socket
  to handle any subsequent ClientHello. This better enables stateless
  server operation. (This feature is added in support of QUIC, but it
  also has utility for DTLS 1.3 servers.)

Due to the update of mozilla-nss apache2-mod_nss needs to be updated to 
change to the SQLite certificate database, which is now the default (bsc#1108771)
  

-----------------------------------------
Patch: SUSE-2018-2567
Released: Fri Nov  2 18:59:06 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:

This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)



-----------------------------------------
Patch: SUSE-2018-2593
Released: Wed Nov  7 11:04:00 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms
  scripts (bsc#1095148)

-----------------------------------------
Patch: SUSE-2018-2615
Released: Thu Nov  8 17:01:34 2018
Summary: Recommended update for rpcbind
Severity: moderate
References: 969953
Description:
This update for rpcbind fixes the following issues:

- Fix stack buffer overflow in tools. (bsc#969953)


-----------------------------------------
Patch: SUSE-2018-2637
Released: Mon Nov 12 20:38:05 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1113554
Description:
This update provides the latest time zone definitions (2018g), including the following changes:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates



-----------------------------------------
Patch: SUSE-2018-2639
Released: Mon Nov 12 20:39:01 2018
Summary: Recommended update for sysstat
Severity: moderate
References: 1089883
Description:
This update for sysstat fixes the following issues:

sysstat was updated to 12.0.2, bringing lots of new features and bugfixes. (fate#326576, bsc#1089883)

Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883)

- It contains lots of improvements in SVG output.
- New metric additions for hugepages.
- Several new options
- New database format

Please look at http://sebastien.godard.pagesperso-orange.fr/ for a more detailed history of changes.



-----------------------------------------
Patch: SUSE-2018-2640
Released: Mon Nov 12 20:39:16 2018
Summary: Recommended update for nfsidmap
Severity: moderate
References: 1098217
Description:
This update for nfsidmap fixes the following issues:

- Improve support for SAMBA with Active Directory. (bsc#1098217)


-----------------------------------------
Patch: SUSE-2018-2642
Released: Mon Nov 12 20:39:45 2018
Summary: Recommended update for gtk2
Severity: low
References: 1039465
Description:
This update for gtk2 provides the following fix:

- Prevent an infinite loop when a window is destroyed while traversed. (bsc#1039465)


-----------------------------------------
Patch: SUSE-2018-2654
Released: Tue Nov 13 19:03:13 2018
Summary: Recommended update for ipmitool
Severity: low
References: 1089782
Description:
This update for ipmitool fixes the following issues:

- Most ipmitool features do not need net-snmp. Lower package dependency from
  'Requires' to 'Recommends'. (fate#322044)
- Fix a memory leak in lanplus. (bsc#1089782)


-----------------------------------------
Patch: SUSE-2018-2745
Released: Thu Nov 22 16:13:42 2018
Summary: Security update for salt
Severity: important
References: 1110938,1113698,1113699,1113784,1114197,CVE-2018-15750,CVE-2018-15751
Description:
This update for salt fixes the following issues:

Security issues fixed:

- CVE-2018-15750: Fixed directory traversal vulnerability in salt-api (bsc#1113698).
- CVE-2018-15751: Fixed remote authentication bypass in salt-api(netapi) that allows to execute arbitrary commands (bsc#1113699).

Non-security issues fixed:

- Improved handling of LDAP group id. gid is no longer treated as a string, which could have lead to faulty group creations (bsc#1113784).
- Fix async call to process manager (bsc#1110938).
- Fixed OS arch detection when RPM is not installed (bsc#1114197).


-----------------------------------------
Patch: SUSE-2018-2766
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a
  destination path was a symbolic link to a directory, possibly changing
  ownership and permissions of an arbitrary directory, and RPM files being placed
  in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when
  installing an RPM. An attacker with ability to write in a directory where files
  will be installed could create symbolic links to an arbitrary location and
  modify content, and possibly permissions to arbitrary files, which could be
  used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS,
they have already been released for SUSE Linux Enterprise Server 12 SP3.



-----------------------------------------
Patch: SUSE-2018-1697
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for
  ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the
  --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)


-----------------------------------------
Patch: SUSE-2018-1696
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).


-----------------------------------------
Patch: SUSE-2018-2782
Released: Mon Nov 26 17:46:59 2018
Summary: Security update for tiff
Severity: moderate
References: 1099257,1113094,1113672,CVE-2018-12900,CVE-2018-18557,CVE-2018-18661
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).                                                                                             
- CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).                                                                               
- CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).

Non-security issues fixed:

- asan_build: build ASAN included
- debug_build: build more suitable for debugging


-----------------------------------------
Patch: SUSE-2018-2783
Released: Mon Nov 26 17:47:36 2018
Summary: Security update for openssh
Severity: moderate
References: 1091396,1105010,964336,CVE-2018-15473
Description:
This update for openssh fixes the following issues:

Following security issues have been fixed:

- CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)

The following non-security issues were fixed:

- Stop leaking File descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure [bsc#1091396]



-----------------------------------------
Patch: SUSE-2018-2784
Released: Tue Nov 27 00:22:49 2018
Summary: Recommended update for fonts-config
Severity: moderate
References: 1111791
Description:
This update for fonts-config provides the following fix:

- Fix a misspelling in CJK font configuration file. (bsc#1111791)


-----------------------------------------
Patch: SUSE-2018-2802
Released: Wed Nov 28 09:57:42 2018
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1116574,CVE-2018-13785,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3169,CVE-2018-3180,CVE-2018-3214
Description:

java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 35 (bsc#1116574):

* Consumability

  - IJ10515 AIX JAVA 7.1.3.10 GENERAL PROTECTION FAULT WHEN ATTEMPTING TO USE HEALTH CENTER API

* Class Libraries

  - IJ10934 CVE-2018-13785
  - IJ10935 CVE-2018-3136
  - IJ10895 CVE-2018-3139
  - IJ10932 CVE-2018-3149
  - IJ10894 CVE-2018-3180
  - IJ10933 CVE-2018-3214
  - IJ09315 FLOATING POINT EXCEPTION FROM JAVA.TEXT.DECIMALFORMAT. FORMAT
  - IJ09088 INTRODUCING A NEW PROPERTY FOR TURKEY TIMEZONE FOR PRODUCTS NOT IDENTIFYING TRT
  - IJ08569 JAVA.IO.IOEXCEPTION OCCURS WHEN A FILECHANNEL IS BIGGER THAN 2GB ON AIX PLATFORM
  - IJ10800 REMOVE EXPIRING ROOT CERTIFICATES IN IBM JDK’S CACERTS.

* Java Virtual Machine

  - IJ10931 CVE-2018-3169
  - IV91132 SOME CORE PATTERN SPECIFIERS ARE NOT HANDLED BY THE JVM ON LINUX

* JIT Compiler

  - IJ08205 CRASH WHILE COMPILING
  - IJ07886 INCORRECT CALUCATIONS WHEN USING NUMBERFORMAT.FORMAT() AND BIGDECIMAL.{FLOAT/DOUBLE }VALUE()

* ORB

  - IX90187 CLIENTREQUESTIMPL.REINVO KE FAILS WITH JAVA.LANG.INDEXOUTOFBOUN DSEXCEPTION

* Security

  - IJ10492 'EC KEYSIZE < 384' IS NOT HONORED USING THE 'JDK.TLS.DISABLEDALGORIT HMS' SECURITY PROPERTY
  - IJ10491 AES/GCM CIPHER – AAD NOT RESET TO UN-INIT STATE AFTER DOFINAL( ) AND INIT( )
  - IJ08442 HTTP PUBLIC KEY PINNING FINGERPRINT,PROBLEM WITH CONVERTING TO JKS KEYSTORE
  - IJ09107 IBMPKCS11IMPL CRYPTO PROVIDER – INTERMITTENT ERROR WITH SECP521R1 SIGNATURE ON Z/OS
  - IJ10136 IBMPKCS11IMPL – INTERMITTENT ERROR WITH SECP521R1 SIG ON Z/OS AND Z/LINUX
  - IJ08530 IBMPKCS11IMPL PROVIDER USES THE WRONG RSA CIPHER MECHANISM FOR THE RSA/ECB/PKCS1PADDING CIPHER
  - IJ08723 JAAS THROWS A ‘ARRAY INDEX OUT OF RANGE’ EXCEPTION
  - IJ08704 THE SECURITY PROPERTY ‘JDK.CERTPATH.DISABLEDAL GORITHMS’ IS MISTAKENLY BEING USED TO FILTER JAR SIGNING ALGORITHMS

* z/OS Extentions

  - PH01244 OUTPUT BUFFER TOO SHORT FOR GCM MODE ENCRYPTION USING IBMJCEHYBRID


-----------------------------------------
Patch: SUSE-2018-2811
Released: Thu Nov 29 11:24:19 2018
Summary: Recommended update for aaa_base
Severity: moderate
References: 1040613,1095969,1102310
Description:
This update for aaa_base provides the following fixes:

- Get mixed use case of service wrapper script straight. (bsc#1040613)
- Fix an error at login if java system directory is empty. (bsc#1102310)
- Add a test for xdgdir/applications before adding data directory (bsc#1095969)


-----------------------------------------
Patch: SUSE-2018-2824
Released: Mon Dec  3 15:34:09 2018
Summary: Security update for ncurses
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).


-----------------------------------------
Patch: SUSE-2018-2836
Released: Wed Dec  5 09:29:31 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)


-----------------------------------------
Patch: SUSE-2018-2842
Released: Wed Dec  5 10:00:35 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1044232
Description:
This update for suse-build-key fixes the following issues:

- Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also
  on systems where documentation is not installed. (bsc#1044232)


-----------------------------------------
Patch: SUSE-2018-2846
Released: Wed Dec  5 12:50:41 2018
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1100078,1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl-1_0_0 fixes the following issues:


Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).


-----------------------------------------
Patch: SUSE-2018-2880
Released: Fri Dec  7 14:50:23 2018
Summary: Recommended update for Salt
Severity: moderate
References: 1112874,1114824
Description:

This update fixes the following issues:

salt:

- Crontab module fix: file attributes option missing (bsc#1114824)
- Fix git_pillar merging across multiple __env__ repositories (bsc#1112874)



-----------------------------------------
Patch: SUSE-2018-2885
Released: Mon Dec 10 14:06:27 2018
Summary: Security update for python-cryptography, python-pyOpenSSL
Severity: important
References: 1021578,1111634,1111635,CVE-2018-1000807,CVE-2018-1000808
Description:

This update for python-cryptography, python-pyOpenSSL fixes the following issues:

Security issues fixed:

- CVE-2018-1000808: A memory leak due to missing reference checking in PKCS#12 store handling was fixed (bsc#1111634)
- CVE-2018-1000807: A use-after-free in X509 object handling was fixed (bsc#1111635)

- avoid bad interaction with python-cryptography package. (bsc#1021578)

  

-----------------------------------------
Patch: SUSE-2018-2893
Released: Tue Dec 11 09:21:17 2018
Summary: Security update for compat-openssl098
Severity: moderate
References: 1104789,1110018,1113534,1113652,CVE-2016-8610,CVE-2018-0734,CVE-2018-5407
Description:
This update for compat-openssl098 fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- CVE-2016-8610: Adjusted current fix and add missing error string (bsc#1110018).
- Fixed the 'One and Done' side-channel attack on RSA (bsc#1104789).


-----------------------------------------
Patch: SUSE-2018-2897
Released: Tue Dec 11 17:50:11 2018
Summary: Recommended update for python-pyOpenSSL
Severity: important
References: 1119077
Description:
This update for python-pyOpenSSL fixes the following issues:

- Fix a regression in the last security update that disrupted
  SUSE Manager installations (bsc#1119077)



-----------------------------------------
Patch: SUSE-2018-2901
Released: Tue Dec 11 21:46:34 2018
Summary: Recommended update for icewm
Severity: moderate
References: 1105301
Description:
This update for icewm fixes the following issues:

- Adds a recommended package to ensure 'Lock Workstation' works (bsc#1105301)


-----------------------------------------
Patch: SUSE-2018-2906
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in same manner as used by the release notes


-----------------------------------------
Patch: SUSE-2018-2917
Released: Wed Dec 12 16:05:34 2018
Summary: Security update for cups
Severity: important
References: 1115750,CVE-2018-4700
Description:
This update for cups fixes the following issues:

Security issue fixed:

- CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750).


-----------------------------------------
Patch: SUSE-2018-2946
Released: Mon Dec 17 08:50:42 2018
Summary: Security update for tcpdump
Severity: moderate
References: 1117267,CVE-2018-19519
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267)


-----------------------------------------
Patch: SUSE-2018-2947
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay
  are enabled, attempts to free a buffer that was allocated on the stack,
  which allows remote attackers to cause a denial of service (slapd crash)
  via a member MODDN operation.  (bsc#1073313)


-----------------------------------------
Patch: SUSE-2018-2975
Released: Tue Dec 18 13:45:02 2018
Summary: Recommended update for python-psutil
Severity: moderate
References: 1111800
Description:


python-psutil was updated to version 5.2.2 to fulfill requirements of other packages. (FATE#326775, bsc#1111800)

  

-----------------------------------------
Patch: SUSE-2018-2977
Released: Tue Dec 18 15:43:30 2018
Summary: Security update for libqt5-qtbase
Severity: moderate
References: 1118595,1118596,CVE-2018-15518,CVE-2018-19873
Description:
This update for libqt5-qtbase fixes the following issues:

Security issues fixed:

- CVE-2018-15518: Fixed double free in QXmlStreamReader (bsc#1118595)
- CVE-2018-19873: Fixed Denial of Service on malformed BMP file in QBmpHandler (bsc#1118596)


-----------------------------------------
Patch: SUSE-2018-2991
Released: Wed Dec 19 14:17:13 2018
Summary: Security update for tiff
Severity: moderate
References: 1017693,1054594,1115717,990460,CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Description:
This update for tiff fixes the following issues:

Security issues fixed:                                   
    
- CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).
- CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).
- CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).
- CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).
- CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).
- CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).


-----------------------------------------
Patch: SUSE-2018-3002
Released: Wed Dec 19 21:50:43 2018
Summary: Recommended update for psmisc
Severity: moderate
References: 1098697,1112780
Description:
This update for psmisc provides the following fix:

- Make the fuser option -m <block_device> work even with mountinfo. (bsc#1098697)
- Support also btrFS entries in mountinfo, that is use stat to determine the device of the
  mounted subvolume. (bsc#1098697, bsc#1112780)
- Respect that the seventh field(s) before the single hyphen of mountinfo are optional
  fields.


-----------------------------------------
Patch: SUSE-2018-3029
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)


-----------------------------------------
Patch: SUSE-2018-3032
Released: Fri Dec 21 17:35:03 2018
Summary: Recommended update for fonts-config
Severity: moderate
References: 1069468,1101985,1106850,998300
Description:
This update for fonts-config fixes the following issues:

- Many font rendering fixes, specially for Chinese. (bsc#1101985)
- Use noun phrasing and user-independent wording.
- Support colorored emojis.
- Modern fonts for symbols.
- Add configurations for Noto Sans/Serif CJK.
- Do not create fonts.dir and fonts.scale in encodings directory. (bsc#1106850)
- Replace references to /var/adm/fillup-templates with new %_fillupdir macro.
  (bsc#1069468)
- Comma and the rest of family string is ignored while translating preference lists from
  sysconfig to fontconfig snippets. (bsc#998300)


-----------------------------------------
Patch: SUSE-2018-3035
Released: Fri Dec 21 17:35:52 2018
Summary: Recommended update for lvm2
Severity: moderate
References: 1110872,1114113
Description:
This update for lvm2 provides the following fixes:

- Take back resource agents for clvmd and cmirror. (bsc#1110872)
- Prevent writing beyond metadata area. (bsc#1114113)


-----------------------------------------
Patch: SUSE-2018-3038
Released: Fri Dec 21 17:36:35 2018
Summary: Recommended update for lio-utils
Severity: moderate
References: 1099520,1108982
Description:
This update for lio-utils provides the following fixes:

- Ensure deprecated target.service conflicts with targetcli.service, so that
  they are not executed at the same time. (bsc#1099520)
- Ensure that the generated script lio_setup.sh ends with success by properly returning
  its exit status. (bsc#1108982)


-----------------------------------------
Patch: SUSE-2018-3045
Released: Fri Dec 21 18:49:12 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Description:
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)


-----------------------------------------
Patch: SUSE-2018-3054
Released: Fri Dec 28 17:45:34 2018
Summary: Recommended update for hwinfo
Severity: moderate
References: 1018271,1084700,1107196
Description:
This update for hwinfo provides the following fixes:

- Add script tp update PCI and USB IDs. (fate#326431)
- Adjust hwinfo know about RISC-V.
- Update git2log script.
- Fix curl commands.
- Fix ID of S-Par storage controller. (bsc#1107196)
- Add network interfaces found on mdio bus. (bsc#1018271)
- The location of the S-Par drivers virtual buses has changed.
  (bsc#1107196)
- Ensure udev device links are unique. (bsc#1084700)
  

-----------------------------------------
Patch: SUSE-2018-3060
Released: Fri Dec 28 17:47:40 2018
Summary: Recommended update for yast2-instserver
Severity: moderate
References: 1103621
Description:
This update for yast2-instserver fixes the following issues:

- Do not crash when importing a SLE15 installation medium. (bsc#1103621)


-----------------------------------------
Patch: SUSE-2019-11
Released: Wed Jan  2 20:27:04 2019
Summary: Recommended update for OpenIPMI
Severity: moderate
References: 1060799
Description:
This update for OpenIPMI provides the following fix:

- On aarch64 hardware, the IPMI hardware was detected but an incorrect driver was loaded
  ('ipmi_si.ko' rather than the correct 'ipmi_ssif.ko'). The fix adds a new entry to
  /etc/sysconfig/ipmi which defines the name of the driver to load. A utility
  (/usr/lib/openipmi-helper) then uses this name to load the correct driveri. (bsc#1060799)


-----------------------------------------
Patch: SUSE-2019-19
Released: Fri Jan  4 12:37:51 2019
Summary: Security update for polkit
Severity: moderate
References: 1118277,CVE-2018-19788
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2018-19788: Fixed handling of UIDs over MAX_UINT (bsc#1118277)


-----------------------------------------
Patch: SUSE-2019-26
Released: Tue Jan  8 11:36:55 2019
Summary: Recommended update for python-ec2uploadimg
Severity: moderate
References: 1118028
Description:
This update for python-ec2uploadimg fixes the following issues:

- Support ARM architecture (bsc#1118028)
- Use the proper subnet if no default subnet exists in the account


-----------------------------------------
Patch: SUSE-2019-39
Released: Tue Jan  8 13:05:34 2019
Summary: Recommended update for crmsh
Severity: moderate
References: 1052088,1111579,1112593
Description:
This update for crmsh provides the following fixes:

- cibconfig: Normalize - to _ in parameter names. (bsc#1111579)
- ra: Handle the obsoletes attribute. (bsc#1111579)
- ui_cluster: Add restart cluster to the systemd unit. (bsc#1052088)
- Automatically commit enabling/disabling maintenance mode for a whole cluster.
  (bsc#1112593)


-----------------------------------------
Patch: SUSE-2019-43
Released: Tue Jan  8 13:07:17 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).


-----------------------------------------
Patch: SUSE-2019-100
Released: Tue Jan 15 18:02:18 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1111955
Description:
This update for grub2 provides the following fix:

- ieee1275: Fix double free in CAS reboot. (bsc#1111955)


-----------------------------------------
Patch: SUSE-2019-101
Released: Tue Jan 15 18:02:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:

- Update 2018i:
  São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  Metlakatla, Alaska observes PST this winter only
  Guess Morocco will continue to adjust clocks around Ramadan
  Add predictions for Iran from 2038 through 2090  


-----------------------------------------
Patch: SUSE-2019-107
Released: Wed Jan 16 11:56:21 2019
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1090767,1121045,1121207
Description:
This update for mozilla-nss fixes the following issues:

- The hmac packages used for FIPS certification inadvertently removed in last update: re-added.  (bsc#1121207)
- Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045)


-----------------------------------------
Patch: SUSE-2019-111
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)


-----------------------------------------
Patch: SUSE-2019-120
Released: Fri Jan 18 12:35:24 2019
Summary: Recommended update for yast2, yast2-firewall
Severity: important
References: 1093052,1121627
Description:
This update for yast2, yast2-firewall provides the following fixes:

Fixes in yast2:

- In case of only one installed Firewall it will be used by YaST. (bsc#1093052)

Fixes in yast2-firewall:

- Adjust package requirements to ensure firewall_chooser exists. (bsc#1121627)


-----------------------------------------
Patch: SUSE-2019-132
Released: Mon Jan 21 09:34:57 2019
Summary: Security update for openssh
Severity: important
References: 1121571,1121816,1121818,1121821,CVE-2018-20685,CVE-2019-6109,CVE-2019-6110,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security issue fixed:

- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)


-----------------------------------------
Patch: SUSE-2019-139
Released: Mon Jan 21 15:54:18 2019
Summary: Security update for python-urllib3
Severity: moderate
References: 1024540,1074247,1110422,CVE-2016-9015
Description:
This update for python-urllib3 fixes the following issues:

python-urllib3 was updated to version 1.22 (fate#326733, bsc#1110422) and contains new features and lots of bugfixes:

The full changelog can be found on:

        https://github.com/Lukasa/urllib3/blob/1.22/CHANGES.rst

Security issues fixed:

- CVE-2016-9015: TLS certificate validation vulnerability (bsc#1024540).
  (This issue did not affect our previous version 1.16.)

Non security issues fixed:

- bsc#1074247: Fix test suite, use correct date (gh#shazow/urllib3#1303).


-----------------------------------------
Patch: SUSE-2019-140
Released: Mon Jan 21 17:31:39 2019
Summary: Recommended update for python-ipaddress
Severity: low
References: 1112174
Description:

This update for python-ipaddress fixes the following issue:

Version update to 1.0.18:

- various small bugfixes
- new is_global method

  

-----------------------------------------
Patch: SUSE-2019-143
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Severity: important
References: 1121450
Description:

This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)


-----------------------------------------
Patch: SUSE-2019-149
Released: Wed Jan 23 17:58:18 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1121446
Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)


-----------------------------------------
Patch: SUSE-2019-157
Released: Thu Jan 24 13:53:29 2019
Summary: Recommended update for python-pyOpenSSL
Severity: moderate
References: 1052927
Description:
This update for python-pyOpenSSL provides the following fix:

- Add python-setuptools as a requirement. (bsc#1052927)


-----------------------------------------
Patch: SUSE-2019-159
Released: Thu Jan 24 13:54:09 2019
Summary: Recommended update for hwinfo
Severity: moderate
References: 1117982
Description:
This update for hwinfo provides the following fix:

- Adjust system type detection. (bsc#1117982)


-----------------------------------------
Patch: SUSE-2019-179
Released: Fri Jan 25 17:58:07 2019
Summary: Security update for avahi
Severity: moderate
References: 1120281,CVE-2018-1000845
Description:
This update for avahi fixes the following issues:

Security issue fixed:

- CVE-2018-1000845: Fixed DNS amplification and reflection to spoofed addresses (DOS) (bsc#1120281)


-----------------------------------------
Patch: SUSE-2019-182
Released: Mon Jan 28 14:12:40 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1118629
Description:
This update for kmod fixes the following issues:

- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option.

-----------------------------------------
Patch: SUSE-2019-209
Released: Thu Jan 31 09:41:23 2019
Summary: Security update for rsyslog
Severity: important
References: 1123164,CVE-2018-16881
Description:
This update for rsyslog fixes the following issues:

Security issue fixed:

- CVE-2018-16881: Fixed a denial of service when both the imtcp module and Octet-Counted TCP Framing is enabled (bsc#1123164).


-----------------------------------------
Patch: SUSE-2019-212
Released: Thu Jan 31 13:05:47 2019
Summary: Recommended update for openssh
Severity: important
References: 1123028
Description:
This update for openssh fixes the following issues:

- A previously applied security patch unintendedly changed the behavior of
  OpenSSH's 'scp' utility such that server-side brace expansion would no longer
  be supported. Attempts to copy a set files from a remote machine to the local
  one by running 'scp 'remote:{file-a,file-b}' /tmp' would fail. This change in
  behavior broke Corosync and, potentially, many user scripts that relied on
  brace expansion. [bsc#1123028]


-----------------------------------------
Patch: SUSE-2019-243
Released: Tue Feb  5 15:40:13 2019
Summary: Security update for python3
Severity: important
References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)


-----------------------------------------
Patch: SUSE-2019-254
Released: Wed Feb  6 11:23:55 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1114754
Description:
This update for grub2 fixes the following issues:

- Fixed possible install media boot issues on certain hardware 
  by changing default tsc calibration method to pmtimer on EFI. (bsc#1114754)


-----------------------------------------
Patch: SUSE-2019-261
Released: Wed Feb  6 11:26:21 2019
Summary: Recommended update for pam-config
Severity: moderate
References: 1114835
Description:
This update for pam-config fixes the following issues:

- Adds support for more pam_cracklib options. (bsc#1114835)


-----------------------------------------
Patch: SUSE-2019-284
Released: Thu Feb  7 13:23:54 2019
Summary: Security update for libunwind
Severity: moderate
References: 1122012,936786,976955,CVE-2015-3239
Description:
This update for libunwind fixes the following issues:

Security issues fixed:

- CVE-2015-3239: Fixed a off-by-one in the dwarf_to_unw_regnum function (bsc#936786)

Non-security issues fixed:

- Fixed a dependency issue with libzmq5 (bsc#1122012)
- Fixed build on armv7 (bsc#976955)


-----------------------------------------
Patch: SUSE-2019-336
Released: Tue Feb 12 14:16:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1120374,1122983,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505
Description:
This update for MozillaFirefox fixes the following issues:

Security issues fixed:

CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (boo#1122983).
CVE-2018-18501: Fixed multiple memory safety bugs (boo#1122983).
CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (boo#1122983).


-----------------------------------------
Patch: SUSE-2019-342
Released: Wed Feb 13 11:04:32 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1099887,1114029,1114474,1116837,1117995,1121091,1123044,1123512
Description:

This update fixes the following issues:

salt:

- Remove patch unable install salt minions on SLE 15 (bsc#1123512)
- Fix integration tests in state compiler (U#2068)
- Fix 'pkg.list_pkgs' output when using 'attr' to take the arch into account (bsc#1114029)
- Fix powerpc null server_id_arch (bsc#1117995)
- Fix module 'azure.storage' has no attribute '__version__'
  (bsc#1121091)
- Add supportconfig module and states for minions and SaltSSH
- Fix FIPS enabled RES clients (bsc#1099887)
- Add hold/unhold functions. Fix Debian repo 'signed-by'.
- Strip architecture from debian package names
- Fix latin1 encoding problems on file module (bsc#1116837)
- Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto
- Handle anycast IPv6 addresses on network.routes (bsc#1114474)
- Debian info_installed compatibility (U#50453)
- Add compatibility with other package modules for 'list_repos'
  function
- Remove MSI Azure cloud module authentication patch (bsc#1123044)
- Don't encode response string from role API


-----------------------------------------
Patch: SUSE-2019-372
Released: Wed Feb 13 14:02:35 2019
Summary: Recommended update for xrdb
Severity: moderate
References: 1120004
Description:
This update for xrdb fixes the following issues:

- Now no warnings will be shown when parsing valid comments. (bsc#1120004)


-----------------------------------------
Patch: SUSE-2019-375
Released: Wed Feb 13 14:03:33 2019
Summary: Recommended update for boost
Severity: moderate
References: 1089363
Description:
This update for boost fixes the following issues:
    
- Fixes build issues caused by the Boost.Context library. (bnc#1089363)


-----------------------------------------
Patch: SUSE-2019-388
Released: Thu Feb 14 13:26:34 2019
Summary: Recommended update for additional Python updates
Severity: moderate
References: 1054413
Description:

This update brings new versions for several python modules, needed for
updates for other parts of the python stack, to enable the Python Azure SDK.

It also enables and ship various modules as Python3 modules.

- python-adal: was updated to 0.5.0 and python 3 enabled.
- python-chardet: was updated to 3.0.4 and python 3 enabled.
- python-linecache2: new version 1.0.0 as a dependency of unittest2.
- python-msrestazure: was updated to 0.4.11 and python 3 enabled.
- python-msrest: was updated to 0.4.11 and python 3 enabled.
- python-oauthlib: was python 3 enabled.
- python-PyJWT: was python 3 enabled.
- python-pytest-runner: was updated to 4.2 and python 3 enabled.
- python-requests-oauthlib: was python 3 enabled.
- python-traceback2: was updated to 1.1.0 and python 3 enabled.
- python-unittest2: was updated to 1.1.10 and python 3 enabled.

  

-----------------------------------------
Patch: SUSE-2019-399
Released: Thu Feb 14 15:20:11 2019
Summary: Recommended update for aws-cli, python-boto3, python-botocore
Severity: moderate
References: 1118024
Description:
This update for aws-cli, python-boto3, python-botocore fixes the following issues:

- Update aws-cli to version 1.16.61 (bsc#1118024)
- Update python-botocore to version 1.12.57 (bsc#1118024)
- Update python-boto3 to version 1.9.57 (bsc#1118024)


-----------------------------------------
Patch: SUSE-2019-434
Released: Tue Feb 19 12:19:02 2019
Summary: Recommended update for libsemanage
Severity: moderate
References: 1115500
Description:
This update for libsemanage provides the following fix:

- Prevent an error message when reading module version if the directory does not exist.
  (bsc#1115500)


-----------------------------------------
Patch: SUSE-2019-440
Released: Tue Feb 19 18:52:51 2019
Summary: Recommended update for dmidecode
Severity: moderate
References: 1120149
Description:
This update for dmidecode fixes the following issues:

- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)


-----------------------------------------
Patch: SUSE-2019-450
Released: Wed Feb 20 16:42:38 2019
Summary: Security update for procps
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:

  
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps maped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
  corruption in file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)


-----------------------------------------
Patch: SUSE-2019-462
Released: Fri Feb 22 09:43:35 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1102589,1107753,1116712,1122938
Description:
This update for open-iscsi fixes the following issues:

- iscsiuio: No longer flush tx queue on each uio interrupt. This makes ping to such NICs
  work better. (bsc#1102589)
- Do not allow multiple sessions just because they were started in parallel. (bsc#1107753)
- qedi: Use uio BD index instead on buffer index. (bsc#1116712)
- qedi: Set buf_size in case of ICMP and ARP packet. (bsc#1116712)
- Fix output for iscsiadm node/iface print level P1. (bsc#1122938)


-----------------------------------------
Patch: SUSE-2019-473
Released: Fri Feb 22 14:09:23 2019
Summary: Recommended update for yast2-instserver
Severity: moderate
References: 1122003
Description:
This update for yast2-instserver provides the following fix:

- Fix parsing DISTRO from 'content' file. (bsc#1122003)


-----------------------------------------
Patch: SUSE-2019-482
Released: Mon Feb 25 11:57:46 2019
Summary: Security update for python
Severity: important
References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).

Non-security issue fixed:

- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).


-----------------------------------------
Patch: SUSE-2019-514
Released: Thu Feb 28 15:39:05 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1112300
Description:
This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)


-----------------------------------------
Patch: SUSE-2019-530
Released: Fri Mar  1 13:47:00 2019
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1075484,1112822,1118783,1122013,1123008
Description:
This update for cloud-netconfig provides the following fixes:

- Run cloud-netconfig periodically. (bsc#1118783, bsc#1122013)
- Do not treat eth0 special with regard to routing policies. (bsc#1123008)
- Reduce the timeout on metadata read. (bsc#1112822)
- Remove dependency on udev-persistent-ifnames. (bsc#1075484)


-----------------------------------------
Patch: SUSE-2019-558
Released: Wed Mar  6 14:06:36 2019
Summary: Recommended update for cups
Severity: moderate
References: 1118118
Description:
This update for cups fixes the following issues:

- Fixed a cups crash when using utf8 filenames (bsc#1118118)


-----------------------------------------
Patch: SUSE-2019-561
Released: Wed Mar  6 14:12:42 2019
Summary: Recommended update for libtirpc
Severity: moderate
References: 1120689
Description:
This update for libtirpc fixes the following issues:

- Adds a new option to enforce connection via protocol version 2 first (bsc#1120689)


-----------------------------------------
Patch: SUSE-2019-563
Released: Wed Mar  6 17:20:15 2019
Summary: Security update for audit
Severity: moderate
References: 1042781,1085003,1125535,941922,CVE-2015-5186
Description:

This update for audit fixes the following issues:

Audit on SUSE Linux Enterprise 12 SP4 was updated to 2.8.1 to bring
new features and bugfixes.  (bsc#1125535 FATE#326346)

* Many features were added to auparse_normalize
* cli option added to auditd and audispd for setting config dir
* In auditd, restore the umask after creating a log file
* Option added to auditd for skipping email verification

The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog


- Change openldap dependency to client only (bsc#1085003)

Minor security issue fixed:

- CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)



-----------------------------------------
Patch: SUSE-2019-564
Released: Thu Mar  7 14:25:47 2019
Summary: Recommended update for resource-agents
Severity: moderate
References: 1125138
Description:
This update for resource-agents fixes the following issues:

- Add support for multiple VPC routing tables in routing_tables 
  parameter (bsc#1125138)  


-----------------------------------------
Patch: SUSE-2019-572
Released: Fri Mar  8 09:24:21 2019
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1117951,1127080,CVE-2019-1559
Description:
This update for openssl-1_0_0 fixes the following issues:

Security issues fixed: 

- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances
  a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).


-----------------------------------------
Patch: SUSE-2019-575
Released: Fri Mar  8 16:06:29 2019
Summary: Recommended update for sapconf
Severity: moderate
References: 1111243,1122741
Description:
This update for sapconf provides the following fixes:

- Source /etc/sysconfig/sapconf entries correctly, even if the /etc filesystem is
  read-only. (bsc#1122741)
- Log skipping of existing /etc/systemd/logind.conf.d/sap.conf file during package
  installation. (bsc#1111243)


-----------------------------------------
Patch: SUSE-2019-592
Released: Tue Mar 12 14:05:28 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1122663,1123865
Description:

This update fixes the following issues:

salt:

- Don't call zypper with more than one --no-refresh parameter
  (bsc#1123865)
- Include aliases in FQDNS grain
- Prevents error when there is no job entry in filesystem cache
  due to race condition in minion onboarding (bsc#1122663)



-----------------------------------------
Patch: SUSE-2019-604
Released: Wed Mar 13 10:44:33 2019
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1122293,1122299,CVE-2018-11212,CVE-2019-2422
Description:
This update for java-1_7_1-ibm to version 7.1.4.40 fixes the following issues:

Security issues fixed: 

- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).	  

More information: https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_February_2019


-----------------------------------------
Patch: SUSE-2019-620
Released: Mon Mar 18 09:13:45 2019
Summary: Recommended update for tigervnc
Severity: moderate
References: 1125290
Description:
This update for tigervnc fixes the following issues:

- Adds new support for two xorg server version: 1.18 and 1.19 (bsc#1125290)

-----------------------------------------
Patch: SUSE-2019-655
Released: Wed Mar 20 10:30:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Description:
This update for libssh2_org fixes the following issues:

Security issues fixed: 	  

- CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
- CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
- CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
- CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes 
  with specially crafted keyboard responses (bsc#1128493).
- CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write 
  with specially crafted payload (bsc#1128472).
- CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require 
  and _libssh2_packet_requirev (bsc#1128480).
- CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially 
  crafted payload (bsc#1128471).
- CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted 
  SFTP packet (bsc#1128476).
- CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially 
  crafted message channel request SSH packet (bsc#1128474).

Other issue addressed: 

- Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).
 

-----------------------------------------
Patch: SUSE-2019-662
Released: Wed Mar 20 14:53:15 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1123327,1123803
Description:

This update for lvm2 fixes the following issues:

- StartLimitInterval in wrong section (bsc#1123327, bsc#1123803)


-----------------------------------------
Patch: SUSE-2019-691
Released: Thu Mar 21 19:48:54 2019
Summary: Recommended update for lio-utils
Severity: moderate
References: 1123423
Description:
This update for lio-utils fixes the following issues:

- Remove systemd conflicts restriction from here, moving it
  instead to targetcli-fb, so that this package can run
  with targetcli (i.e. the old version of targetcli). (bsc#1123423)

- Updated License in SPEC file to Apache-2.0, to match
  our COPYING file contents/license type.


-----------------------------------------
Patch: SUSE-2019-730
Released: Mon Mar 25 14:08:13 2019
Summary: Recommended update for bind
Severity: moderate
References: 1094236
Description:
This update for bind fixes the following issues:

- Fixes an issue where dynamic DNS updates with GSS-TSIG against Microsoft or Samba DNS
  servers are not working (bsc#1094236)


-----------------------------------------
Patch: SUSE-2019-747
Released: Tue Mar 26 14:35:16 2019
Summary: Security update for gd
Severity: moderate
References: 1123361,1123522,CVE-2019-6977,CVE-2019-6978
Description:
This update for gd fixes the following issues:

Security issues fixed:

- CVE-2019-6977: Fixed a heap-based buffer overflow the GD Graphics Library used in the imagecolormatch function (bsc#1123361).
- CVE-2019-6978: Fixed a double free in the gdImage*Ptr() functions (bsc#1123522).


-----------------------------------------
Patch: SUSE-2019-776
Released: Wed Mar 27 11:39:14 2019
Summary: Security update for w3m
Severity: moderate
References: 1077559,1077568,1077572,CVE-2018-6196,CVE-2018-6197,CVE-2018-6198
Description:
This update for w3m fixes several issues.

These security issues were fixed:

- CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the feed_table_block_tag function which did not prevent a negative indent value (bsc#1077559)
- CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer (bsc#1077568)
- CVE-2018-6198: w3m did not properly handle temporary files when the ~/.w3m directory is unwritable, which allowed a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572)


-----------------------------------------
Patch: SUSE-2019-789
Released: Thu Mar 28 11:56:29 2019
Summary: Security update for ntp
Severity: moderate
References: 1125401,1128525,CVE-2019-8936
Description:
This update for ntp fixes the following issues:

Security issue fixed: 	  

- CVE-2019-8936: Fixed a null pointer exception which could allow an authenticated attcker to cause 
  segmentation fault to ntpd (bsc#1128525).

Other isses addressed:

- Fixed an issue which caused openSSL mismatch (bsc#1125401)
- Fixed several bugs in the BANCOMM reclock driver.
- Fixed ntp_loopfilter.c snprintf compilation warnings.
- Fixed spurious initgroups() error message.
- Fixed STA_NANO struct timex units.
- Fixed GPS week rollover in libparse.
- Fixed incorrect poll interval in packet.
- Added a missing check for ENABLE_CMAC.


-----------------------------------------
Patch: SUSE-2019-794
Released: Thu Mar 28 12:09:29 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1087481
Description:
This update for krb5 fixes the following issues:

- Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
  suppress sending the confidentiality and integrity flags in GSS
  initiator tokens unless they are requested by the caller. These
  flags control the negotiated SASL security layer for the Microsoft
  GSS-SPNEGO SASL mechanism. (bsc#1087481).


-----------------------------------------
Patch: SUSE-2019-799
Released: Fri Mar 29 07:06:57 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:

timezone was update to 2019a (bsc#1130557):

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data


-----------------------------------------
Patch: SUSE-2019-800
Released: Fri Mar 29 07:08:00 2019
Summary: Recommended update for libtirpc
Severity: moderate
References: 1126096
Description:
This update for libtirpc fixes the following issues:

- Fixed yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).



-----------------------------------------
Patch: SUSE-2019-822
Released: Fri Mar 29 20:12:56 2019
Summary: Recommended update for yast2-iscsi-lio-server
Severity: moderate
References: 1123381
Description:

This update for yast2-iscsi-lio-server fixes the following issues:

- iscsi server enables discovery authentication unexpectedly (bsc#1123381)


-----------------------------------------
Patch: SUSE-2019-838
Released: Tue Apr  2 09:52:06 2019
Summary: Security update for bash
Severity: important
References: 1130324,CVE-2019-9924
Description:
This update for bash fixes the following issues:
	  
Security issue fixed: 

- CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS 
  allowing the user to execute any command with the permissions of the shell (bsc#1130324).


-----------------------------------------
Patch: SUSE-2019-839
Released: Tue Apr  2 13:13:21 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which
  allowed remote attackers to cause a denial of service (application crash) via
  a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)


-----------------------------------------
Patch: SUSE-2019-867
Released: Thu Apr  4 11:25:25 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1113702,1122569
Description:
This update for grub2 fixes the following issues:

- Fixed a regression of crashing lvm on multipath SAN (bsc#1113702)
- Add exception handling to FCP lun enumeration (bsc#1113702)
- Fix LOADER_TYPE parsing in grub2-once (bsc#1122569)


-----------------------------------------
Patch: SUSE-2019-868
Released: Thu Apr  4 11:46:02 2019
Summary: Recommended update for python-parallax
Severity: moderate
References: 1103832
Description:
This update for python-parallax fixes the following issues:

- Obsolete old python-parallax package to allow migration to python3-parallax. (bsc#1103832)


-----------------------------------------
Patch: SUSE-2019-893
Released: Fri Apr  5 16:28:16 2019
Summary: Recommended update for python-keyring, python-SecretStorage
Severity: low
References: 1125941
Description:

This update ships the missing python keyring and SecretStorage modules for SUSE Linux Enterprise 12 SP1 and SP2 LTSS.
  

-----------------------------------------
Patch: SUSE-2019-910
Released: Tue Apr  9 08:06:27 2019
Summary: Recommended update for python
Severity: low
References: 1129287
Description:

This update ships missing python-devel packages for the LTSS product lines.
  

-----------------------------------------
Patch: SUSE-2019-913
Released: Tue Apr  9 11:19:07 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1119687,1131576,CVE-2018-20346,CVE-2018-20506
Description:
This update for sqlite3 fixes the following issues:

Security issues fixed: 

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).    


-----------------------------------------
Patch: SUSE-2019-956
Released: Tue Apr 16 13:07:38 2019
Summary: Security update for wget
Severity: important
References: 1131493,CVE-2019-5953
Description:
This update for wget fixes the following issues:

Security issue fixed:

- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).


-----------------------------------------
Patch: SUSE-2019-961
Released: Tue Apr 16 17:12:57 2019
Summary: Security update for python3
Severity: important
References: 1129346,CVE-2019-9636
Description:
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).


-----------------------------------------
Patch: SUSE-2019-965
Released: Wed Apr 17 12:17:29 2019
Summary: Recommended update for python-rpm-macros
Severity: moderate
References: 1128323
Description:
This update for python-rpm-macros fixes the following issues:

The Python RPM macros were update to version 20190408.32abece
to fix lots of bugs. (bsc#1128323)

* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory
  for the rpm macros.
* Fix an issue with epoch printing having too many \
* Remove packaging/ dir
* add epoch while printing 'Provides:'
* better fix for macro usage in rpm 4.14
* Fix macro usage for rpm 4.14
* use %_specfile macro to locate the spec file, this should help with
  factory-auto bot problems as well as issue#3


-----------------------------------------
Patch: SUSE-2019-979
Released: Thu Apr 18 08:23:19 2019
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1069384
Description:
This update for sg3_utils fixes the following issues:

- rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)


-----------------------------------------
Patch: SUSE-2019-982
Released: Thu Apr 18 14:28:53 2019
Summary: Recommended update for python-enum34
Severity: moderate
References: 1115816
Description:

This update for python-enum34 fixes the following issues:

- Provide python2-enum34 to support singlespec transparently (bsc#1115816)


-----------------------------------------
Patch: SUSE-2019-1009
Released: Wed Apr 24 12:07:23 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1116343,1124277
Description:

This update fixes the following issues:

salt:

- Fix regression in dynamic pillarenv (bsc#1124277)
- Add parallel support for orchestrations (bsc#1116343)
- Implement asynchronous batching
- Let dpkg.info expose package status
- Make aptpkg.info return only installed packages
- Strip trailing / from repo URI when comparing repos in apktpkg.mod_repo



-----------------------------------------
Patch: SUSE-2019-1020
Released: Wed Apr 24 13:41:13 2019
Summary: Recommended update for tigervnc
Severity: important
References: 1025759,1131372,1131600
Description:
This update for tigervnc fixes the following issues:

- Fix inetd mode with X server 1.19 which prevented vnc server from working
  (bnc#1025759, bsc#1131372, bsc#1131600)

  

-----------------------------------------
Patch: SUSE-2019-1060
Released: Sat Apr 27 09:45:38 2019
Summary: Security update for libssh2_org
Severity: important
References: 1130103,1133528,CVE-2019-3859
Description:
This update for libssh2_org fixes the following issues:

 - Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]



-----------------------------------------
Patch: SUSE-2019-1097
Released: Mon Apr 29 15:00:20 2019
Summary: Recommended update for crmsh
Severity: moderate
References: 1120554,1120587
Description:
This update for crmsh fixes the following issues:

  - Fix a crmsh crash when using configure - template - apply (bsc#1120554)

  - Prefix bootstrap warning messages with 'WARNING:' to differentiate them
    from real errors (bsc#1120587)



-----------------------------------------
Patch: SUSE-2019-1102
Released: Tue Apr 30 12:07:42 2019
Summary: Security update for glibc
Severity: moderate
References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994,CVE-2009-5155,CVE-2016-10739,CVE-2019-9169
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: regex: fix read overrun (bsc#1127308, BZ #24114)
- CVE-2016-10739: Fully parse IPv4 address strings (bsc#1122729, BZ #20018)
- CVE-2009-5155: ERE '0|()0|\1|0' causes regexec undefined behavior (bsc#1127223, BZ #18986)

Non-security issues fixed:

- Enable TLE only if GLIBC_ELISION_ENABLE=yes is defined (bsc#1131994, fate#322271)
- Add more checks for valid ld.so.cache file (bsc#1110661, BZ #18093)
- Added cfi information for start routines in order to stop unwinding (bsc#1128574)
- ja_JP locale: Add entry for the new Japanese era (bsc#1100396, fate#325570, BZ #22964)


-----------------------------------------
Patch: SUSE-2019-1104
Released: Tue Apr 30 12:09:07 2019
Summary: Recommended update for gcc48
Severity: moderate
References: 1131264,SLE-6738
Description:
This update for gcc48 fixes the following issues:

- Disable switch jump tables when retpolines are enabled to increase performance of code using retpolines (bsc#1131264, jsc#SLE-6738)



-----------------------------------------
Patch: SUSE-2019-1111
Released: Tue Apr 30 12:59:27 2019
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1096209,1098155,1128712,CVE-2018-1152,CVE-2018-11813,CVE-2018-14498
Description:
This update for libjpeg-turbo fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-14498: Fixed a heap-based buffer over read in get_8bit_row function
  which could allow to an attacker to cause denial of service (bsc#1128712).
- CVE-2018-11813: Fixed the end-of-file mishandling in read_pixel in rdtarga.c,
  which allowed remote attackers to cause a denial-of-service via crafted JPG
  files due to a large loop (bsc#1096209)
- CVE-2018-1152: Fixed a denial of service in start_input_bmp() rdbmp.c caused
  by a divide by zero when processing a crafted BMP image (bsc#1098155)


-----------------------------------------
Patch: SUSE-2019-1115
Released: Tue Apr 30 14:11:09 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1128972
Description:
This update for open-iscsi fixes the following issues:

  - Fix a regression in behavior of iscsiadm caused by the switch to
    libopeniscsiusr (bsc#1128972)



-----------------------------------------
Patch: SUSE-2019-1122
Released: Tue Apr 30 18:03:55 2019
Summary: Security update for hostinfo, supportutils
Severity: important
References: 1054979,1099498,1115245,1117751,1117776,1118460,1118462,1118463,1125623,1125666,CVE-2018-19636,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640
Description:
This update for hostinfo, supportutils fixes the following issues:
	  
Security issues fixed for supportutils:

- CVE-2018-19640: Fixed an issue where  users could kill arbitrary processes (bsc#1118463).
- CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460).
- CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462).
- CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776).
- CVE-2018-19636: Fixed a local root exploit via inclusion of attacker controlled shell script (bsc#1117751).

Other issues fixed for supportutils:

- Fixed invalid exit code commands (bsc#1125666)
- SUSE separation in supportconfig (bsc#1125623)
- Clarified supportconfig(8) -x option (bsc#1115245)
- supportconfig: 3.0.127
- btrfs filesystem usage
- List products.d
- Dump lsof errors
- Added ha commands for corosync
- Dumped find errors in ib_info

Issues fixed in hostinfo:
- Removed extra kernel install dates (bsc#1099498)
- Resolved network bond issue (bsc#1054979)


-----------------------------------------
Patch: SUSE-2019-1131
Released: Thu May  2 15:39:59 2019
Summary: Recommended update for libidn
Severity: moderate
References: 1092034
Description:
This update for libidn fixes the following issues:

- Obsoletes now the libidn 32bit package (bsc#1092034)


-----------------------------------------
Patch: SUSE-2019-1158
Released: Mon May  6 13:47:06 2019
Summary: Recommended update for procinfo
Severity: moderate
References: 1131008,900125
Description:
This update for procinfo fixes the following issues:

- Fix a segfault during 'procinfo -a' by increasing the number of
  available devices. (bsc#900125, bsc#1131008)


-----------------------------------------
Patch: SUSE-2019-1189
Released: Wed May  8 09:35:25 2019
Summary: Recommended update for resource-agents
Severity: important
References: 1133962
Description:
This update for resource-agents fixes the following issues:

- Fixed an error when updating the route table in case VM has
  multiple network interfaces (bsc#1133962)


-----------------------------------------
Patch: SUSE-2019-1208
Released: Fri May 10 14:03:54 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1085790,1132045,CVE-2017-10989,CVE-2018-8740
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted databases schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).


-----------------------------------------
Patch: SUSE-2019-1232
Released: Tue May 14 17:07:56 2019
Summary: Security update for libxslt
Severity: moderate
References: 1132160,CVE-2019-11068
Description:
This update for libxslt fixes the following issues:

- CVE-2019-11068: Fixed a protection mechanism bypass where callers of 
  xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an
  error (bsc#1132160).


-----------------------------------------
Patch: SUSE-2019-1259
Released: Wed May 15 14:06:20 2019
Summary: Recommended update for sysvinit
Severity: moderate
References: 1131982
Description:
This update for sysvinit fixes the following issues:

- Handle various optional fields of /proc/<pid>/mountinfo on the entry/ies before the hyphen
  (bsc#1131982)


-----------------------------------------
Patch: SUSE-2019-1278
Released: Fri May 17 10:41:55 2019
Summary: Recommended update for logrotate
Severity: moderate
References: 1131477
Description:
This update for logrotate fixes the following issue:

- Trigger the rotation of weekly events more predictably [bsc#1131477]
  Introduce an optional argument for the 'weekly' directive to trigger
  the rotation on a selected day of the week.



-----------------------------------------
Patch: SUSE-2019-1319
Released: Thu May 23 12:45:33 2019
Summary: Recommended update for rsyslog
Severity: low
References: 1126233
Description:
This update for rsyslog fixes the following issues:

- Set default permission for all log files (bsc#1126233)


-----------------------------------------
Patch: SUSE-2019-1326
Released: Thu May 23 15:18:32 2019
Summary: Security update for sysstat
Severity: low
References: 1117001,1117260,CVE-2018-19416,CVE-2018-19517
Description:
This update for sysstat fixes the following issues:

Security issues fixed:

- CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001).
- CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260).


-----------------------------------------
Patch: SUSE-2019-1345
Released: Fri May 24 13:59:54 2019
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1132728,1132729,1132732,1132734,1134718,CVE-2019-10245,CVE-2019-2602,CVE-2019-2684,CVE-2019-2697,CVE-2019-2698
Description:
This update for java-1_7_1-ibm fixes the following issues:

Update to Java 7.1 Service Refresh 4 Fix Pack 45.

Security issues fixed:

- CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).
- CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).
- CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).
- CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component: Libraries) (bsc#1132728).
- CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).


-----------------------------------------
Patch: SUSE-2019-1354
Released: Fri May 24 19:04:57 2019
Summary: Security update for screen
Severity: moderate
References: 1130831,944458,CVE-2015-6806
Description:
This update for screen fixes the following issues:

Security issue fixed:

- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).

Non-security issue fixed:

- Fixed segmentation faults related to altscreen and resizing screen (bsc#1130831).


-----------------------------------------
Patch: SUSE-2019-1375
Released: Wed May 29 12:53:33 2019
Summary: Recommended update for resource-agents
Severity: important
References: 1131793,1132853,1133337
Description:
This update for resource-agents fixes the following issues:

- Fix version string with vendor trailer comparison (bsc#1133337)
- galera: Fix monitoring with ~/.my.cnf available (bsc#1132853)
- galera: ignores safe_to_bootstrap in grastate.dat when a uuid is
    00000000-0000-0000-0000-000000000000 (bsc#1131793)


-----------------------------------------
Patch: SUSE-2019-1379
Released: Wed May 29 15:07:04 2019
Summary: Security update for libtasn1
Severity: moderate
References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654
Description:
This update for libtasn1 fixes the following issues:

Security issues fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).


-----------------------------------------
Patch: SUSE-2019-1384
Released: Thu May 30 08:12:10 2019
Summary: Recommended update for supportutils
Severity: important
References: 1081326,1088234,1100529,1120967,1132865,1133723,1134599
Description:
This update for supportutils fixes the following issues:

  * SUSE specific infrastructure is now used (bsc#1132865) 
  * Uploads now use https by default (bsc#1134599)
  * Support for FTPS has been added
  * Files in the tarball now have 660 permissions instead of 600
  * The supportconfig.conf man pages have been updated to add some missing paramaters and fix some incorrect 
  information (bsc#1088234)
  * Fix issues where some customers were unable to collect logs due to commands not timing out 
  (bsc#1100529) (bsc#1120967)
  * DRBD resource configs were missing in support config (bsc#1133723)
  * FTPES now uses the --ssl-reqd paramater instead of the depricated --ftp-ssl
  * sapconf and log were missing from tuned.txt (bsc#1081326)
  * Some deprecated chkconfig code has been removed


-----------------------------------------
Patch: SUSE-2019-1431
Released: Wed Jun  5 16:50:13 2019
Summary: Recommended update for xz
Severity: moderate
References: 1135709
Description:
This update for xz does only update the license:

- Add SUSE-Public-Domain license as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are in public domain license (bsc#1135709)


-----------------------------------------
Patch: SUSE-2019-1439
Released: Thu Jun  6 17:50:33 2019
Summary: Security update for python
Severity: important
References: 1129346,1130847,CVE-2019-9636,CVE-2019-9948
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-9948: Fixed a 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).


-----------------------------------------
Patch: SUSE-2019-1451
Released: Fri Jun  7 16:23:31 2019
Summary: Recommended update for azure-events
Severity: moderate
References: 1137038,1137231
Description:
This update for azure-events fixes the following issues:

- Fixes implicit bytes conversion that breaks py3 (bsc#1137038, bsc#1137231)
- Reduced the amount of error messages using default value on crm_attribute

-----------------------------------------
Patch: SUSE-2019-1456
Released: Tue Jun 11 10:08:27 2019
Summary: Security update for vim
Severity: important
References: 1137443,CVE-2019-12735
Description:
This update for vim fixes the following issue:

Security issue fixed: 

- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).


-----------------------------------------
Patch: SUSE-2019-1468
Released: Wed Jun 12 10:01:33 2019
Summary: Security update for libcroco
Severity: moderate
References: 1034481,1034482,1043898,1043899,CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871
Description:
This update for libcroco fixes the following issues:

Security issues fixed:

- CVE-2017-7960: Fixed heap overflow (input: check end of input before reading a byte) (bsc#1034481).                                                                    
- CVE-2017-7961: Fixed undefined behavior (tknzr: support only max long rgb values) (bsc#1034482).                                                                       
- CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).
- CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).


-----------------------------------------
Patch: SUSE-2019-1475
Released: Wed Jun 12 14:46:33 2019
Summary: Recommended update for permissions
Severity: moderate
References: 1110797
Description:
This update for permissions fixes the following issues:

- Updated permissons for amanda (bsc#1110797)


-----------------------------------------
Patch: SUSE-2019-1481
Released: Thu Jun 13 07:46:01 2019
Summary: Recommended update for sg3_utils
Severity: moderate
References: 1005063,1119296,1133418,954600
Description:
This update for sg3_utils provides the following fixes:
- Fix regression for page 0xa. (bsc#1119296)
- Add pre/post scripts for lunmask.service. (bsc#954600)
- Will now generate by-path links for fibrechannel. (bsc#1005063)
- Fixes a syntax error for rule 59-fc-wwpn-id.rules. (bsc#1133418)
  

-----------------------------------------
Patch: SUSE-2019-1493
Released: Thu Jun 13 16:40:31 2019
Summary: Recommended update for binutils
Severity: moderate
References: 1137271,SLE-6206
Description:
This update for binutils fixes the following issues:

- Add support for new IBM zSeries z13 instructions. (fate#327074, jsc#SLE-6206,
  bsc#1137271)


-----------------------------------------
Patch: SUSE-2019-1496
Released: Fri Jun 14 11:04:42 2019
Summary: Recommended update for python-parallax
Severity: moderate
References: 1131136
Description:
This update for python-parallax fixes the following issues:

- Fixes an issue where an upgrade to a newer version has caused file conflicts (bsc#1131136) 


-----------------------------------------
Patch: SUSE-2019-1516
Released: Mon Jun 17 11:04:15 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1128383
Description:
This update for e2fsprogs fixes the following issues:

- e2fsck: Check and fix tails of all bitmap blocks. (bsc#1128383)


-----------------------------------------
Patch: SUSE-2019-1519
Released: Mon Jun 17 14:24:29 2019
Summary: Recommended update for polkit-default-privs
Severity: moderate
References: 1138250
Description:
This update for polkit-default-privs fixes the following issues:

- whitelisted new flatpak policy kit rules after review (bsc#1138250)


-----------------------------------------
Patch: SUSE-2019-1524
Released: Mon Jun 17 17:30:16 2019
Summary: Security update for openssh
Severity: moderate
References: 1065237,1090671,1119183,1121816,1121821,1131709,CVE-2019-6109,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security vulnerabilities addressed:

- CVE-2019-6109: Fixed an character encoding issue in the progress display of
  the scp client that could be used to manipulate client output, allowing
  for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to
  prevent arbitrary file overwrites when interacting with a malicious SSH server
  (bsc#1121821).

Other issues fixed: 

- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).


-----------------------------------------
Patch: SUSE-2019-1543
Released: Tue Jun 18 10:54:33 2019
Summary: Recommended update for systemd-presets-branding-SLE
Severity: moderate
References: 1128428
Description:
This update for systemd-presets-branding-SLE fixes the following issues:

- Enabling nvmefc-boot-connections.service to discover network-provided nvme
  drives on boot (bsc#1128428) 


-----------------------------------------
Patch: SUSE-2019-1554
Released: Tue Jun 18 18:30:08 2019
Summary: Security update for python-Jinja2
Severity: important
References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341
Description:
This update for python-Jinja2 fixes the following issues:

Security issues fixed:

- CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format (bsc#1132174).
- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
- CVE-2019-8341: Fixed command injection in function from_string (bsc#1125815).


-----------------------------------------
Patch: SUSE-2019-1556
Released: Wed Jun 19 08:53:31 2019
Summary: Recommended update for yast2-add-on
Severity: moderate
References: 1055126
Description:
This update for yast2-add-on provides the following fixes:

- Update repository will be registered while installing an add-on on a running system.
  (bsc#1055126)

  

-----------------------------------------
Patch: SUSE-2019-1572
Released: Wed Jun 19 22:17:56 2019
Summary: Recommended update for rpcbind
Severity: moderate
References: 1134659
Description:
This update for rpcbind fixes the following issues:

- change rpcbind locking path from /var/run/rpcbind.lock to 
  /run/rpcbind.lock (bsc#1134659)
- change the order of socket/service in the %postun scriptlet to
  avoid an error from rpcbind.socket when rpcbind is running 
  during package update


-----------------------------------------
Patch: SUSE-2019-1589
Released: Thu Jun 20 19:49:46 2019
Summary: Recommended update for permissions
Severity: moderate
References: 1128598
Description:
This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)



-----------------------------------------
Patch: SUSE-2019-1601
Released: Fri Jun 21 10:21:39 2019
Summary: Security update for sqlite3
Severity: important
References: 1136976,CVE-2019-8457
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:	  

- CVE-2019-8457: Fixed a Heap out-of-bound read in rtreenode() when handling invalid rtree tables (bsc#1136976).


-----------------------------------------
Patch: SUSE-2019-1608
Released: Fri Jun 21 10:27:11 2019
Summary: Security update for compat-openssl098
Severity: moderate
References: 1117951,1127080,1131291,CVE-2019-1559
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080)
- Reject invalid EC point coordinates (bsc#1131291)
- Fixed 'The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS Implementations' (bsc#1117951)


-----------------------------------------
Patch: SUSE-2019-1611
Released: Fri Jun 21 11:02:29 2019
Summary: Recommended update for resource-agents
Severity: moderate
References: 1137038
Description:
This update for resource-agents contains the following fixes:

- Change message log level for the non action messages. The messages can still be seen
  using the verbose parameter. (bsc#1137038)



-----------------------------------------
Patch: SUSE-2019-1623
Released: Fri Jun 21 11:13:05 2019
Summary: Recommended update for yast2
Severity: moderate
References: 1128032
Description:
This update for yast2 fixes the following issues:

- Stop 'ls: write error: Broken pipe' messages. (bsc#1128032)  


-----------------------------------------
Patch: SUSE-2019-1626
Released: Fri Jun 21 11:14:56 2019
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1135257,1135263
Description:
This update for cloud-netconfig fixes the following issues:

- cloud-netconfig will now pause and retry if API call throttling is detected
  in Azure (bsc#1135257, bsc#1135263)

-----------------------------------------
Patch: SUSE-2019-1630
Released: Fri Jun 21 11:17:09 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1133847
Description:
This update for rsyslog fixes the following issues:

- Fixes an issue where the 'readTimeout' option couldn't be used while using
  imfile with polling mode(bsc#1133847)


-----------------------------------------
Patch: SUSE-2019-1713
Released: Wed Jun 26 14:04:14 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1102819,1121439,1122680,1125015,1128061,1129079,1130784
Description:

This update includes the following new features:

- Update to 2019.2.0 release (fate#327138, bsc#1133523)

This update fixes the following issues:

salt:

- Fix async-batch to fire a single done event
- Do not make Salt CLI to crash when there are IPv6 established
  connections (bsc#1130784)
- Include aliases in FQDNS grain (bsc#1121439)
- Fix issue preventing syndic to start
- Update to 2019.2.0 release (fate#327138, bsc#1133523)
  See https://docs.saltstack.com/en/latest/topics/releases/2019.2.0.html
- Update year on spec copyright notice
- Use ThreadPool from multiprocessing.pool to avoid leakings when calculating FQDNs
- Do not report patches as installed on RHEL systems when not all the related packages are installed (bsc#1128061)
- Incorporate virt.volume_info fixes (PR#131)
- Fix for -t parameter in mount module
- No longer limiting Python3 version to <3.7
- Add virt.volume_infos and virt.volume_delete functions
- Bugfix: properly refresh pillars (bsc#1125015)
- Removes version from python3 requirement completely
- Adds missing version update to %setup
- Add virt.all_capabilities to return all host and domain capabilities at once
- Switch to better correct version nomenclature
    Background: The special character tilde (~) will be available for
    use in version representing a negative version token.
- Fix setup to use the right version tag
- Add 'id_' and 'force' to the whitelist of API check
- Add metadata to accepted keyword arguments (bsc#1122680)
- Add salt-support script to package
- Early feature: Salt support-config (salt-support)
- More fixes on the spec file
- Fix spaces and indentation
- Use Adler32 algorithm to compute string checksums (bsc#1102819)
- Update spec file patch ordering after MSI patch removal
- Calculate the 'FQDNs' grains in parallel to avoid long blocking (bsc#1129079)
- Fix batch/batch-async related issues



-----------------------------------------
Patch: SUSE-2019-1715
Released: Thu Jun 27 10:21:31 2019
Summary: Recommended update for cloud-init, dhcp
Severity: moderate
References: 1087331,1095627,1097388,1099340,1101894,1111427,1114160,1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692
Description:
This update for cloud-init, dhcp provides the following fixes:

Changes to cloud-init:

- When the user configures a new rules file for network devices, the rules may not apply
  immediately, so trigger udevadm. (bsc#1125950)
- Fix the order of calls when writing routes so that the SUSE implementation of route
  config file writing has precedence over the default implementation. (bsc#1125992)
- Use the proper name to designate IPv6 addresses in ifcfg-* files. (bsc#1126101)
- Drop a '-' in the route file for the last column. (bsc#1123694)
- Make sure the resulting resolv.conf file is not empty. (bsc#1119397)
- Update to version 18.5 (bsc#1121878, bsc#1116767):
  * Add cloud-id binary to packages for SUSE.
  * azure: Accept variation in error msg from mount for ntfs volumes.
  * azure: Add apply_network_config option to disable network from IMDS.
  * azure: Add udev rules to create cloud-init Gen2 disk name symlinks.
  * azure: Detect vnet migration via netlink media change event.
  * azure: Fix a copy and paste error in error handling when reading azure ovf.
  * azure: Fix a regression introduced when persisting ephemeral dhcp lease.
  * azure: _poll_imds only retry on 404, failing on timeout.
  * azure: Remove /etc/netplan/90-hotplug-azure.yaml when net from IMDS.
  * azure: Report ready to fabric after reprovision and reduce logging.
  * azure: Retry imds polling on requests.Timeout.
  * config: On ubuntu select cloud archive mirrors for armel, armhf, arm64.
  * dhclient-hook: Clean it up, add tests and fix a bug on 'down' event.
  * doc: Change dns_nameserver property to dns_nameservers.
  * docs: Remove colon from network v1 config example.
  * instance-data: Add standard keys platform and subplatform. Refactor ec2.
  * instance-data: Fallback to instance-data.json if sensitive is absent.
  * logs: collect-logs ignore instance-data-sensitive.json on non-root user
  * net: Ephemeral*Network: Add connectivity check via URL.
  * net: Ignore nics that have 'zero' mac address.
  * net: Render 'metric' values in per-subnet routes.
  * NoCloud: Allow top level 'network' key in network-config.
  * ovf: Fix ovf network config generation gateway/routes.
  * ovf: Identify label iso9660 filesystems with label 'OVF ENV'.
  * query: Better error when missing read permission on instance-data.
  * resizefs: Prefix discovered devpath with '/dev/' when path does not exist.
  * systemd: On SUSE ensure cloud-init.service runs before wicked.
  * tools: Add cloud-id command line utility.
  * Update detection of openSUSE variants.
  * write_files: Add support for appending to files.
- Fix a decoding error that could cause persisting the metadata to fail. (bsc#1101894)
- Fix a problem that could cause static network to be configured with BOOTPROTO=none.
  (bsc#1114160)
- Changes from 18.4 (bsc#1087331, bsc#1097388, bsc#1111427, bsc#1095627):
  * Avoid Python 3 dependency when building for distros with Python 2 support.
  * Add dhcp-client as requirement as cloud-init uses dhclient to setup a temporary
    network for metadata retrieval. (fate#327672)
  * Use ds._crawled_metadata instance attribute if set when writing instance-data.json.
  * ec2: Update crawled metadata and add standardized keys.
  * lxd: Adjust to snap installed lxd.
  * Add support for Infiniband network interfaces (IPoIB).
  * cli: Add cloud-init query subcommand to query instance metadata.
  * stages: Fix bug causing datasource to have incorrect sys_cfg.
  * net_util: Ensure static configurations have netmask in translate_network result.
  * Fall back to root:root on syslog permissions if other options fail.
  * OpenStack: Support setting mac address on bond.
  * EphemeralIPv4Network: Be more explicit when adding default route.
  * OpenStack: Support reading of newer versions of metadata.
  * OpenStack: Fix a bug that was causing causing 'latest' version to be used from
    network.
  * user-data: Use jinja template to render instance-data.json in cloud-config.
  * config: Disable ssh access to a configured user account.
  * sysconfig: Refactor sysconfig to accept distro specific templates paths.
  * hyperv_reporting_handler: Simplify threaded publisher.
  * VMWare: Fix a network config bug in vm with static IPv4 and no gateway.
  * logging: Add logging config type hyperv for reporting via Azure KVP
  * Add datasource Oracle Compute Infrastructure (OCI).
  * azure: Allow azure to generate network configuration from IMDS per boot.
  * Scaleway: Add network configuration to the DataSource.
  * netplan: Correctly render macaddress on a bonds and bridges when provided.
  * tools: Add 'net-convert' subcommand command to 'cloud-init devel'.
  * Use typeset or local in profile.d scripts.
  * OpenNebula: Fix null gateway6.
  * tools: add '--debug' to tools/net-convert.py
  * update_metadata: A datasource can support network re-config every boot.
  * Retry on failed import of gpg receive keys.
  * tools: Fix run-container when neither source or binary package requested.
- Changes from 18.3:
  * Explicitly prevent `sudo` access for user module.
  * lxd: Delete default network and detach device if lxd-init created them.
  * openstack: Avoid unneeded metadata probe on non-openstack platforms.
  * stages: Fix tracebacks if a module stage is undefined or empty.
  * Be safer on string/bytes when writing multipart user-data to disk.
  * Fix get_proc_env for pids that have non-utf8 content in environment.
  * netplan: Fix mtu if provided by network config for all rendered types.
  * subp: Support combine_capture argument.
  * util: Add get_linux_distro function to replace platform.dist
  * Do not use the systemd_prefix macro, not available in this environment.
  * openstack: Allow discovery in init-local using dhclient in a sandbox.
  * yaml_load/schema: Add invalid line and column nums to error message.
  * Azure: Ignore NTFS mount errors when checking ephemeral drive.
  * cc_mounts: Do not add devices to fstab that are already present.
  * ds-identify: Ensure that we have certain tokens in PATH.
  * read_file_or_url: Move to url_helper, fix bug in its FileResponse.
  * ds-identify: Recognize container-other as a container.
  * ds-identify: Remove duplicate call to is_ds_enabled.
  * azure: Add reported ready marker file.
  * netinfo: Fix netdev_pformat when a nic does not have an address assigned.
  * collect-logs: Add -v flag, write to stderr, limit journal to single boot.
  * IBMCloud: Disable config-drive and nocloud only if IBMCloud is enabled.
  * Add reporting events and log_time around early source of blocking time.
  * IBMCloud: recognize provisioning environment during debug boots.
  * net: Detect unstable network names and trigger a settle if needed.
  * sysconfig: dhcp6 subnet type should not imply dhcpv4.
  * schema: In validation, raise ImportError if strict but no jsonschema.
  * set_passwords: Add newline to end of sshd config, only restart if updated.
  * net: Depend on iproute2's ip instead of net-tools ifconfig or route.
  * renderer: Support unicode in render_from_file.
  * Implement ntp client spec with auto support for distro selection.
  * apport: Add Brightbox, IBM, LXD, and OpenTelekomCloud to list of clouds.
  * tests: Fix ec2 integration network metadata validation.
  * cc_resizefs, util: Handle no /dev/zfs.
- The distribution indicator is set to SUSE during template expansion. Do not replace
  anything set to Ubuntu.
- Do not run cloud-init after network-online, this breaks functionality in cloud-init.
  Certain parts of the code running in this phase expect to run before the network is
  on-line.
- Root should not be enabled by default. Image builders/users that want root access by
  default should provide an appropriate configuration file during image build or image
  setup.
- Set distribution default to OpenSUSE/SLES. (bsc#1099340)
- Run metadata detection after network-online. (bsc#1097388)
- Properly accumulate all the defined routes for a given network device. Previously only
  the last defined route was written to the routes file. (bsc#1132692)
- Write the udev rules to a different file than the default. (bsc#1125950)
- Settle udev if not all configured devices are in the device tree to avoid race a
  condition between udev and cloud-init. (bsc#1125950)

Changes in dhcp:
- No changes, just being released together to be included in CaaS Platform.


-----------------------------------------
Patch: SUSE-2019-1716
Released: Thu Jun 27 13:15:38 2019
Summary: Security update for glibc
Severity: moderate
References: 1117993,1132678,941234,CVE-2015-5180
Description:
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2015-5180: Fixed a NULL pointer dereference with internal QTYPE (bsc#941234).

Feature work:

- IBM zSeries arch13 hardware support in glibc added (fate#327072, bsc#1132678)

Other issue addressed: 

- Fixed a concurrency issue with ldconfig (bsc#1117993).


-----------------------------------------
Patch: SUSE-2019-1722
Released: Tue Jul  2 12:05:09 2019
Summary: Security update for glib2
Severity: important
References: 1061599,1107116,1107121,1137001,CVE-2018-16428,CVE-2018-16429,CVE-2019-12450
Description:
This update for glib2 provides the following fix:


Security issues fixed:

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).     
- CVE-2018-16428: Avoid a null pointer dereference that could crash glib2 users in markup processing (bnc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

Non-security issues fixed:

- Install dummy *-mimeapps.list files to prevent dead symlinks. (bsc#1061599)



-----------------------------------------
Patch: SUSE-2019-1726
Released: Tue Jul  2 17:01:24 2019
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1116221,1118371
Description:
This update for nfs-utils fixes the following issues:

- Improves the integration for systemd (bsc#1116221)
- nfs.service will no longe rely on /etc/insserv.conf (bsc#1118371)


-----------------------------------------
Patch: SUSE-2019-1733
Released: Wed Jul  3 13:54:39 2019
Summary: Security update for elfutils
Severity: low
References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Description:
This update for elfutils fixes the following issues:

Security issues fixed: 	  

- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).  
- CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files 
  to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections 
  and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).


-----------------------------------------
Patch: SUSE-2019-1753
Released: Thu Jul  4 20:55:23 2019
Summary: Recommended update for resource-agents
Severity: moderate
References: 1131793
Description:
This update for resource-agents fixes the following issues:

- galera: Allow empty password for 'check_passwd' parameter. (bsc#1131793)
- galera: Log message when changing content of grastate.dat file. (bsc#1131793)


-----------------------------------------
Patch: SUSE-2019-1785
Released: Tue Jul  9 10:03:15 2019
Summary: Security update for zeromq
Severity: important
References: 1140255,CVE-2019-13132
Description:
This update for zeromq fixes the following issues:

  - CVE-2019-13132: An unauthenticated remote attacker could have exploited
  a stack overflow vulnerability on a server that is supposed to be protected
  by encryption and authentication to potentially gain a remote code execution.
  (bsc#1140255)

  

-----------------------------------------
Patch: SUSE-2019-1797
Released: Tue Jul  9 23:41:01 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1127293,928131,940457
Description:
This update for grub2 fixes the following issues:

- Check/refresh zipl-kernel before hibernate on s390x. (bsc#940457)

- Removing hardcoded 'vmlinuz'.

- Try to refresh zipl-kernel on failed kexec. (bsc#1127293)

- Fully support 'previous' zipl-kernel with 'mem=1G' being available on dedicated entries. (bsc#928131)



-----------------------------------------
Patch: SUSE-2019-1799
Released: Wed Jul 10 07:38:53 2019
Summary: Recommended update for net-snmp
Severity: moderate
References: 1116807,1140341,SLE-6120
Description:
This update for net-snmp fixes the following issues:

- Added Lustre filesystem support (bsc#1140341, jsc#SLE-6120).
- Added info about the original agent which triggered the trap. When the trap is
  forwarded there was no info about the original agent (bsc#1116807).


-----------------------------------------
Patch: SUSE-2019-1805
Released: Wed Jul 10 11:13:54 2019
Summary: Recommended update for python-MarkupSafe
Severity: moderate
References: 1139130,1139363
Description:
This update for python-MarkupSafe fixes the following issues:

python-MarkupSafe was updated to 0.23 (bsc#1139130 bsc#1139363)

* The update provides the missing EscapeFormatter class



-----------------------------------------
Patch: SUSE-2019-1806
Released: Wed Jul 10 11:29:00 2019
Summary: Security update for libdlm, libqb
Severity: important
References: 1069468,1074327,1098449,1137835,CVE-2019-12779
Description:
This update for libdlm, libqb fixes the following issues:

libqb to version 1.0.3:

- CVE-2019-12779: Fixed an insecure treatment of IPC temporary files which could
  have allowed a local attacker to overwrite privileged system files (bsc#1137835).
- Enabled use of filesystem sockets for linux (fate#323415).
- Fixed logging with newer binutils version (bsc#1074327).

libdlm:

- Explicitly used and linked libstonithd from libpacemaker3 (bsc#1098449).


-----------------------------------------
Patch: SUSE-2019-1809
Released: Wed Jul 10 13:47:15 2019
Summary: Security update for fence-agents
Severity: low
References: 1137314,1139913,CVE-2019-10153
Description:
This update for fence-agents version 4.4.0 fixes the following issues:

Security issue fixed:

- CVE-2019-10153: Fixed a denial of service via guest VM comments (bsc#1137314).

Non-security issue fixed:

- Added aliyun fence agent (bsc#1139913).


-----------------------------------------
Patch: SUSE-2019-1818
Released: Thu Jul 11 07:48:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1135262,1140016
Description:
This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.


-----------------------------------------
Patch: SUSE-2019-1830
Released: Fri Jul 12 17:50:41 2019
Summary: Security update for glib2
Severity: important
References: 1139959,1140122,CVE-2019-13012
Description:
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

Non-security issue fixed:

- Added explicit requires between libglib2 and libgio2 (bsc#1140122).


-----------------------------------------
Patch: SUSE-2019-1834
Released: Fri Jul 12 17:55:14 2019
Summary: Security update for expat
Severity: moderate
References: 1139937,CVE-2018-20843
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption 
  in the XML parser when XML names contain a large amount of colons (bsc#1139937).


-----------------------------------------
Patch: SUSE-2019-1844
Released: Mon Jul 15 07:13:09 2019
Summary: Recommended update for pam
Severity: low
References: 1116544
Description:
This update for pam fixes the following issues:

- restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)
    

-----------------------------------------
Patch: SUSE-2019-1845
Released: Mon Jul 15 07:13:18 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1135070
Description:
This update for open-iscsi fixes the following issues:

- Adds iscsiuio support of systemd (bsc#1135070)

-----------------------------------------
Patch: SUSE-2019-1861
Released: Wed Jul 17 11:35:02 2019
Summary: Security update for MozillaFirefox
Severity: important
References: 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811
Description:
This update for MozillaFirefox, mozilla-nss fixes the following issues:

MozillaFirefox to version ESR 60.8:

- CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868).
- CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868).
- CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868).
- CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868).
- CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868).
- CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868).
- CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868).
- CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868).
- CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868).
- CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868).

mozilla-nss to version 3.44.1:

* Added IPSEC IKE support to softoken 
* Many new FIPS test cases


-----------------------------------------
Patch: SUSE-2019-1867
Released: Wed Jul 17 13:11:03 2019
Summary: Security update for libxslt
Severity: moderate
References: 1140095,1140101,CVE-2019-13117,CVE-2019-13118
Description:
This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed a uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).


-----------------------------------------
Patch: SUSE-2019-1896
Released: Thu Jul 18 16:26:45 2019
Summary: Security update for libxml2
Severity: moderate
References: 1010675,1110146,1126613,CVE-2016-9318
Description:
This update for libxml2 fixes the following issues:

Issue fixed:

- Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access 
  the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have 
  incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).


-----------------------------------------
Patch: SUSE-2019-1898
Released: Fri Jul 19 11:32:36 2019
Summary: Recommended update for grub2
Severity: important
References: 1134287,1139345
Description:
This update for grub2 fixes the following issues:

- Fix a regression introduced by the previous update which could prevent
  booting on ppc64. (bsc#1134287, bsc#1139345).


-----------------------------------------
Patch: SUSE-2019-1900
Released: Fri Jul 19 12:44:21 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1141022
Description:

This update for rsyslog fixes the following issues:

- The rsyslog-module-mmjsonparse is shipped for the Enterprise Server. (bsc#1141022 FATE#324208)
  

-----------------------------------------
Patch: SUSE-2019-1904
Released: Fri Jul 19 12:47:59 2019
Summary: Recommended update for openssh
Severity: important
References: 1138936
Description:
This update for openssh fixes the following issues:

- Fix a regression in utf-8 handling that could cause crashes of scp (bsc#1138936).



-----------------------------------------
Patch: SUSE-2019-1918
Released: Mon Jul 22 08:44:49 2019
Summary: Recommended update for hawk2
Severity: moderate
References: 1137891
Description:
This update for hawk2 fixes the following issues:

- Fix nameless cluster displaying a blank screen on UI cluster dashboard. (bsc#1137891)
- Added build dependency nodejs10


-----------------------------------------
Patch: SUSE-2019-1955
Released: Tue Jul 23 11:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,985657,CVE-2016-3189,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).


-----------------------------------------
Patch: SUSE-2019-1957
Released: Tue Jul 23 11:56:35 2019
Summary: Recommended update for yast2-iscsi-client
Severity: moderate
References: 1045139
Description:
This update for yast2-iscsi-client fixes the following issues:

- removed onboot startup mode for LUNs on S/390 (bsc#1045139)


-----------------------------------------
Patch: SUSE-2019-1972
Released: Thu Jul 25 15:00:03 2019
Summary: Security update for libsolv, libzypp, zypper
Severity: moderate
References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libsolv, libzypp and zypper fixes the following issues:

libsolv was updated to version 0.6.36 fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).

libzypp received following fixes:

- Fixes a bug where locking the kernel was not possible (bsc#1113296)

zypper received following fixes:

- Fixes a bug where the wrong exit code was set when refreshing
  repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to
   appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)


-----------------------------------------
Patch: SUSE-2019-1988
Released: Fri Jul 26 09:02:08 2019
Summary: Recommended update for libXi
Severity: low
References: 1049681,1134167
Description:

This update for libXi provides the following fix:

- Fix a crash on X11 clients when tablet inputs are connected. (bsc#1049681)
- Fix a crash that would happen in case of a _XReply() call fails, freeing an uninitialized
  pointer. (bsc#1134167)


-----------------------------------------
Patch: SUSE-2019-1990
Released: Fri Jul 26 14:59:30 2019
Summary: Security update for cronie
Severity: low
References: 1128935,1128937,1130746,1133100,CVE-2019-9704,CVE-2019-9705
Description:
This update for cronie fixes the following issues:
	  
Security issues fixed:

- CVE-2019-9704: Fixed an insufficient check in the return value of calloc which
  could allow a local user to create Denial of Service by crashing the deamon (bsc#1128937).
- CVE-2019-9705: Fixed an implementation vulnerability which could allow a local user to
  exhaust the memory resulting in Denial of Service (bsc#1128935).  

Bug fixes:

- Manual start of cron is possible even when it's already started using systemd (bsc#1133100).
- Cron schedules only one job of crontab (bsc#1130746).


-----------------------------------------
Patch: SUSE-2019-1996
Released: Fri Jul 26 16:12:34 2019
Summary: Recommended update for sysstat
Severity: moderate
References: 1138767
Description:
This update for sysstat fixes the following issues:

- Fix scaling issue with mtab symlinks and automounter. (bsc#1138767)


-----------------------------------------
Patch: SUSE-2019-2013
Released: Mon Jul 29 15:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,CVE-2019-12900
Description:
This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
  with files that used many selectors (bsc#1139083).


-----------------------------------------
Patch: SUSE-2019-2025
Released: Tue Jul 30 19:16:57 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially 
  due to the new FIPS test vectors. This will likely 
  prompt follow-on work, but please accept our 
  apologies in the meantime.

mozilla-nspr was updated to version 4.21:

* Changed prbit.h to use builtin function on aarch64.



-----------------------------------------
Patch: SUSE-2019-2026
Released: Tue Jul 30 19:19:50 2019
Summary: Recommended update for Azure Python SDK
Severity: moderate
References: 1054413,1122523,979331
Description:
This update brings the following python modules for the Azure Python SDK:

- python-Flask
- python-Werkzeug
- python-click
- python-decorator
- python-httpbin
- python-idna
- python-itsdangerous
- python-py
- python-pytest-httpbin
- python-pytest-mock
- python-requests
  

-----------------------------------------
Patch: SUSE-2019-2035
Released: Thu Aug  1 17:34:22 2019
Summary: Security update for polkit
Severity: important
References: 1121826,CVE-2019-6133
Description:
This update for polkit fixes the following issues:

Security issue fixed:

- CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass 
  uid checking in the interactive backend (bsc#1121826).


-----------------------------------------
Patch: SUSE-2019-2053
Released: Tue Aug  6 09:44:54 2019
Summary: Security update for python3
Severity: important
References: 1109663,1109847,1138459,CVE-2018-1000802,CVE-2018-14647,CVE-2019-10160
Description:
This update for python3 fixes the following issues:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).
- CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).


-----------------------------------------
Patch: SUSE-2019-2057
Released: Tue Aug  6 14:25:41 2019
Summary: Optional update for sysstat
Severity: low
References: 1142470
Description:
This update for sysstat does not fix any user visible issues.

-----------------------------------------
Patch: SUSE-2019-2088
Released: Wed Aug  7 18:17:28 2019
Summary: Security update for tcpdump
Severity: moderate
References: 1068716,1142439,CVE-2017-16808,CVE-2019-1010220
Description:
This update for tcpdump fixes the following issues:

Security issues fixed:

- CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439).
- CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716).


-----------------------------------------
Patch: SUSE-2019-2091
Released: Thu Aug  8 13:25:31 2019
Summary: Security update for python
Severity: important
References: 1138459,1141853,CVE-2018-20852,CVE-2019-10160
Description:
This update for python fixes the following issues:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).


-----------------------------------------
Patch: SUSE-2019-2120
Released: Wed Aug 14 11:17:39 2019
Summary: Recommended update for pam
Severity: moderate
References: 1136298,SLE-7257
Description:
This update for pam fixes the following issues:

- Enable pam_userdb.so (SLE-7257,bsc#1136298)
- Upgraded pam_userdb to 1.3.1.  (bsc#1136298)


-----------------------------------------
Patch: SUSE-2019-2135
Released: Wed Aug 14 11:56:14 2019
Summary: Recommended update for resource-agents
Severity: moderate
References: 1114855,1125138,1131793,1133337,1133962,1137038,1137231,1140874
Description:
This update for resource-agents fixes the following issues:

- Pacemaker SST databases to /dev/null. (bsc#1131793)
- Include the latest aws-vpc-route53 bug fixes and improvements from upstream. (bsc#1140874)
    - Add --cli-connect-timeout 10 option to AWS CLI.
    - Replace ec2metada with curl to fetch the IP address directlyi from EC2 metadata.
- azure-events: Change message log level for the non action messages. (bsc#1137038, bsc#1137231)
- dhcpd: keep SELinux context
- Set fdisk command options on Linux or BSD
- Fix implicit bytes conversion that breaks in python3. Reduces the amount of error messages. (bsc#1137038, bsc#1137231)
- galera: Allow empty password for 'check_passwd' parameter.
- Add resource agent for dovecot.
- CTDB: fix version string with vendor trailer comparison (bsc#1133337)
- aws-vpc-move-ip: 
      - Linting adjustment. (bsc#1133962)
      - Moving shared part outside if. (bsc#1133962)
      - More robust approach of getting MAC address. (bsc#1133962)
      - Multiple VPC routing tables in routing_tables parameter - included comment in metadata section. (bsc#1125138)
      - Multiple routing tables - adjust sleep time. (bsc#1125138)
      - New feature: include support for multiple routing tables. (bsc#1125138)
      - Requested fix to avoid using AWS API. (bsc#1133962)
      - Fixing indentation. (bsc#1133962)
      - Fix for VM having multiple network interfaces. (bsc#1133962)
- Add network namespace support to IPaddr2
- IPsrcaddr: make proto optional to fix regression when used without NetworkManager
- LVM-activate: return OCF_NOT_RUNNING on initial probe. (bsc#1114855)
- Add Support for lxc-stop


-----------------------------------------
Patch: SUSE-2019-2150
Released: Thu Aug 15 07:37:35 2019
Summary: Recommended update for cloud-init
Severity: moderate
References: 1136440
Description:
This update for cloud-init fixes the following issues:

- Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440)

Some more fixes were included within the 19.1 update of cloud-init. Please refer to the package
changelog for more details.


-----------------------------------------
Patch: SUSE-2019-1606
Released: Wed Aug 21 13:36:49 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1128481,1136570,CVE-2019-3860
Description:
This update for libssh2_org fixes the following issues:

- Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481)
  (Out-of-bounds reads with specially crafted SFTP packets)


-----------------------------------------
Patch: SUSE-2019-2240
Released: Wed Aug 28 14:57:51 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1144169
Description:
This update for ca-certificates-mozilla fixes the following issues:

- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

- Removed Root CAs:

  - Certinomis - Root CA

- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)



-----------------------------------------
Patch: SUSE-2019-2264
Released: Mon Sep  2 09:07:12 2019
Summary: Security update for perl
Severity: important
References: 1114674,CVE-2018-18311
Description:
This update for perl fixes the following issues:

Security issue fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).


-----------------------------------------
Patch: SUSE-2019-2294
Released: Wed Sep  4 17:42:32 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1113712,1142029
Description:
This update for open-iscsi fixes the following issue:

- systemd[1]: [/usr/lib/systemd/system/iscsiuio.service:12] Unknown lvalue '' in section 'Service' (bsc#1142029)
- Fixes an issue where an iSCSI boot failure appeared in MPIO config with
  single path active (bsc#1113712)

Additionally: This update includes a lot of smaller bug fixes. Please refer to this rpm's changelog
file to get the full list of all changes.


-----------------------------------------
Patch: SUSE-2019-2303
Released: Thu Sep  5 12:10:29 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1137336,SLE-5560
Description:
This update for supportutils fixes the following issues:

- Added sed and gawk as a runtime dependency (bsc#1137336)
- Removed Novell references (SLE-5560)
- Update getappcore to use SUSE FTP server
- Added FTPES and HTTPS upload options. HTTPS will be the default.


-----------------------------------------
Patch: SUSE-2019-2316
Released: Fri Sep  6 09:15:01 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1128554,1131114,1132076,1133647,1135360,1135507,1139761,1140193,1148714
Description:

This update fixes the following issues:

salt:

- Multiple fixes on cmdmod, chroot, freezer and zypperpkg needed for Yomi
  cmdmod: fix runas and group in run_chroot
  chroot: add missing sys directory
  chroot: change variable name to root
  chroot: fix bug in safe_kwargs iteration
  freezer: do not fail in cache dir is present
  freezer: clean freeze YAML profile on restore
  zypperpkg: fix pkg.list_pkgs cache
- Avoid traceback on http.query when there are errors with the requested URL (bsc#1128554)
- Salt python client get_full_returns seems return data from incorrect jid (bsc#1131114)
- Virt.volume_infos: don't raise an error if there is no VM
- Prevent ansiblegate unit tests to fail on Ubuntu
- Allow passing kwargs to pkg.list_downloaded for Zypper (bsc#1140193)
- Do not make 'ansiblegate' module to crash on Python3 minions (bsc#1139761)
- Provide the missing features required for Yomi (Yet one more installer)
- Fix zypper pkg.list_pkgs test expectation and dpkg mocking
- Set 'salt' group for files and directories created by 
  salt-standalone-formulas-configuration package
- Fix virt.volume_infos raising an exception when there is only virtual machine on the minion.
- Fix virt.purge() on all non-KVM hypervisors. For instance on Xen, virt.purge would simply throw an exception about unsupported flag
- Building a libvirt pool starts it. When defining a new pool, we need to
- Fix handling of Virtual Machines with white space in their name.
- Avoid batch.py exception when minion does not respond (bsc#1135507)
- Preserve already defined DESTRUCTIVE_TESTS and EXPENSIVE_TESTS
  env variables
- Do not break repo files with multiple line values on yumpkg (bsc#1135360)
- Fix return status when installing or updating RPM packages
  with 'ppc64le' arch (bsc#1133647)
- Add new 'salt-standalone-formulas-configuration' package
- Switch firewalld state to use change_interface (bsc#1132076)
- Restore default behaviour of pkg list return (bsc#1148714)



-----------------------------------------
Patch: SUSE-2019-2336
Released: Mon Sep  9 13:26:40 2019
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1141780,1141782,1141783,1141785,1141789,1147021,CVE-2019-11771,CVE-2019-11775,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2816,CVE-2019-4473,CVE-2019-7317
Description:
This update for java-1_7_1-ibm fixes the following issues:

Update to Java 7.1 Service Refresh 4 Fix Pack 50.

Security issues fixed:

- CVE-2019-11771: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-11775: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-4473: IBM Security Update July 2019 (bsc#1147021)
- CVE-2019-7317: Fixed issue inside Component AWT (libpng)(bsc#1141780).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1141785).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).


-----------------------------------------
Patch: SUSE-2019-2355
Released: Wed Sep 11 13:18:25 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1122666,1135984,1137296,1145232
Description:
This update for lvm2 fixes the following issues:

- Fixes an issue where the message 'unknown feature in status' message was wrongly shown (bsc#1135984)
- Fixes an issue with the usage of device aliases with lvmetad (bsc#1137296)
- Fixes an issue with SD card readers where the error 'open failed: No medium found'
  was shown (bsc#1122666)


-----------------------------------------
Patch: SUSE-2019-2356
Released: Wed Sep 11 13:18:35 2019
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1137262,983491
Description:
This update for nfs-utils fixes the following issues:

- The -u option of 'exportfs' will now fail when IP addresses are unresolvable (bsc#1137262, bsc#983491)


-----------------------------------------
Patch: SUSE-2019-2370
Released: Thu Sep 12 13:30:35 2019
Summary: Security update for python-urllib3
Severity: moderate
References: 1119376,1129071,1132663,1132900,CVE-2018-20060,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740
Description:
This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
- CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376).


-----------------------------------------
Patch: SUSE-2019-2372
Released: Thu Sep 12 14:01:27 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1139942,1140914,SLE-7081
Description:
This update for krb5 fixes the following issues:

- Fix missing responder if there is no pre-auth; (bsc#1139942)
- Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081)
- Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081)
  

-----------------------------------------
Patch: SUSE-2019-2382
Released: Mon Sep 16 19:00:48 2019
Summary: Recommended update for python36
Severity: moderate
References: 1146165
Description:

This update provides python 3.6 packages to the SUSE Linux Enterprise 12 SP3 for Teradata codestream.
  

-----------------------------------------
Patch: SUSE-2019-2383
Released: Mon Sep 16 19:18:09 2019
Summary: Recommended update for cloud-init
Severity: important
References: 1141969,1144363,1144881
Description:
This update for cloud-init fixes the following issues:

- Properly handle static routes. The EphemeralDHCP context manager did 
  not parse or handle rfc3442 classless static routes which prevented
  reading datasource metadata in some clouds (bsc#1141969)
- Fixes an issue where udevadm settle was executed incorrectly (bsc#1144363)
- If no routes are set for a subnet but the subnet has a gateway specified, set 
  the gateway as the default route for the interface (bsc#1144881)


-----------------------------------------
Patch: SUSE-2019-2390
Released: Tue Sep 17 15:46:02 2019
Summary: Security update for openldap2
Severity: moderate
References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).


-----------------------------------------
Patch: SUSE-2019-2404
Released: Wed Sep 18 16:20:00 2019
Summary: Recommended update for crmsh
Severity: moderate
References: 1093564,1116559,1120554,1120555,1120586,1120587,1123187,1129380,1129383,1129719,1130715,1135696
Description:
This update for crmsh fixes the following issues:

- Fix: bsc#1120554, bsc#1120555 crmsh crashed when using configure>template>apply
- Fix: bsc#1120587,bsc#1120586 bootstrap warning messages should better start with like 'WARNING:' instead of '!'
- Fix: bsc#1129719: check command and related files exist
- Fix: cibconfig: #425 The ID attribute is not required for select and select_attributes
- Fix: hb_report: analysis.txt should includes warning, error, critical messages(bsc#1135696)
- Fix: hb_report: handle UnicodeDecodeError(bsc#1130715)

- High: constants: add 'promotable', 'promoted-max' and 'promoted-node-max' in clone meta attributes
- High: hbreport: fix UnicodeEncodeError while print(bsc#1093564) 

- Medium: cibverify: Increase log level for verification (bsc#1116559)
- Medium: scripts: Set kind for order constraints, not score (bsc#1123187)

- Low: hb_report: collect output of 'sbd dump' and 'sbd list'. (bsc#1129383)
- Low: msg: add timestamp for DEBUG messages. (bsc#1129380)
- Low: utils: Add support for dpkg and apt-get 
- Low: utils: convert string contstants to bytes

- Dev: hb_report: Using Tempfile class to manage tempfiles


-----------------------------------------
Patch: SUSE-2019-2406
Released: Thu Sep 19 13:35:31 2019
Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer
Severity: moderate
References: 1146853
Description:
This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:

aws-cli was updated to version 1.16.223 (bsc#1146853):

+ For detailed changes see
  https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst

python-boto3 was updated to 1.12.213, python-botocore was updated to 1.9.213 and
python-s3transfer was updated to 0.2.1 bringing a lot of features and bugfixes (bsc#1146853)



-----------------------------------------
Patch: SUSE-2019-2415
Released: Fri Sep 20 12:50:53 2019
Summary: Recommended update for SAPHanaSR
Severity: moderate
References: 1082974,1101373,1133024,1133866,1134106,1139715,1149829
Description:
This update for SAPHanaSR fixes the following issues:

- Fixes a bug where an attribute was not correctly set for remoteNode (bsc#1082974)
- Does no longer set attributes to prevent unlogged failovers because of empty or
  unknown attributes (bsc#1134106, bsc#1133024, bsc#1101373)
- Will now return $OCF_RUNNING_MASTER (8) instead of $OCF_SUCCESS (0) when probing
  a promoted node (bsc#1133866)
- Using crm-attributes written by a SAP HANA SR provider hook does improve the data
  integrity in special error conditions with multiple errors coming in a short
  time frame (bsc#1139715)


-----------------------------------------
Patch: SUSE-2019-2440
Released: Mon Sep 23 17:15:13 2019
Summary: Security update for expat
Severity: moderate
References: 1149429,CVE-2019-15903
Description:
This update for expat fixes the following issues:

Security issue fixed:

- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)


-----------------------------------------
Patch: SUSE-2019-2456
Released: Wed Sep 25 08:36:31 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1145231
Description:
This update for lvm2 fixes the following issues:

- MD devices will now get detected by LVM2 with metadata=1.0/0.9 (bsc#1145231)


-----------------------------------------
Patch: SUSE-2019-2457
Released: Wed Sep 25 08:36:46 2019
Summary: Recommended update for fence-agents
Severity: moderate
References: 1150504
Description:
This update for fence-agents provides the following fix:

- aliyun: Include the latest upstream fixes on the Alibaba Cloud fence-agent. (bsc#1150504)


-----------------------------------------
Patch: SUSE-2019-2480
Released: Fri Sep 27 13:12:08 2019
Summary: Security update for gpg2
Severity: moderate
References: 1124847,1141093,CVE-2019-13050
Description:
This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847).


-----------------------------------------
Patch: SUSE-2019-2502
Released: Tue Oct  1 13:06:14 2019
Summary: Security update for bind
Severity: important
References: 1104129,1118367,1118368,1126068,1126069,1128220,1133185,1138687,CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465,CVE-2019-6471
Description:
This update for bind fixes the following issues:

Security issues fixed:

- CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069).
- CVE-2019-6471: Fixed a reachable assert in dispatch.c. (bsc#1138687)
- CVE-2018-5745: Fixed a denial of service vulnerability if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (bsc#1126068).
- CVE-2018-5743: Fixed a denial of service vulnerability which could be caused by to many simultaneous TCP connections (bsc#1133185).
- CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129).

Non-security issues fixed:

- Don't rely on /etc/insserv.conf anymore for proper dependencies against 
  nss-lookup.target in named.service and lwresd.service (bsc#1118367, bsc#1118368).
- Fix FIPS related regression (bsc#1128220).


-----------------------------------------
Patch: SUSE-2019-2504
Released: Tue Oct  1 13:07:07 2019
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1131291,1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for openssl-1_0_0 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

In addition fixed invalid curve attacks by validating that an EC point lies on the curve (bsc#1131291).


-----------------------------------------
Patch: SUSE-2019-2505
Released: Tue Oct  1 13:10:17 2019
Summary: Recommended update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner
Severity: moderate
References: 1065275,CVE-2013-5123,CVE-2014-8991,CVE-2015-2296
Description:

This update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner fixes the following issues:

python-pip was updated to 10.0.1 (fate#324191, bsc#1065275)

Enable python3 build for:

- python-jmespath
- python-jsonschema
- python-paramiko
- python-pexpect
- python-pip
- python-ply
- python-pretend
- python-process-tests
- python-pycodestyle
- python-pyflakes
- python-pyxdg
- python-tabulate
- python-vcversioner




-----------------------------------------
Patch: SUSE-2019-2510
Released: Tue Oct  1 17:37:12 2019
Summary: Security update for libgcrypt
Severity: moderate
References: 1148987,CVE-2019-13627
Description:
This update for libgcrypt fixes the following issues:

Security issues fixed:
	  
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)


-----------------------------------------
Patch: SUSE-2019-2513
Released: Wed Oct  2 10:48:28 2019
Summary: Security update for jasper
Severity: moderate
References: 1010783,1117505,1117507,1117508,1117511,CVE-2016-9396,CVE-2018-19539,CVE-2018-19540,CVE-2018-19541,CVE-2018-19542
Description:
This update for jasper fixes the following issues:

Security issues fixed:

- CVE-2018-19540: Fixed  a heap based overflow in jas_icctxtdesc_input (bsc#1117508).
- CVE-2018-19541: Fix heap based overread in jas_image_depalettize (bsc#1117507).
- CVE-2018-19542: Fixed a denial of service in jp2_decode (bsc#1117505).
- CVE-2018-19539: Fixed a denial of service in jas_image_readcmpt (bsc#1117511).
- CVE-2016-9396: Fixed a denial of service in jpc_cox_getcompparms (bsc#1010783).


-----------------------------------------
Patch: SUSE-2019-2536
Released: Thu Oct  3 15:03:14 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1150137,CVE-2019-16168
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).


-----------------------------------------
Patch: SUSE-2019-2541
Released: Thu Oct  3 15:03:59 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1140912,1150447
Description:

This update fixes the following issues:

salt:

- Fix memory leak produced by batch async find_jobs mechanism (bsc#1140912)
- Files in salt-formulas folder can now be read and excuted by others (bsc#1150447)



-----------------------------------------
Patch: SUSE-2019-2551
Released: Fri Oct  4 13:19:48 2019
Summary: Recommended update for lvm2
Severity: important
References: 1152530
Description:
This update for lvm2 fixes the following issues:

- Remedy a regression that could cause serious performance degradation when
  lvm2 operated in a chroot environment. [bsc#1152530]


-----------------------------------------
Patch: SUSE-2019-2556
Released: Fri Oct  4 13:36:49 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1134508,992577
Description:
This update for tcsh fixes the following issues:

- Make a copy of the file descriptor of the history file to be able not only to lock but
  also unlock the file. (bsc#992577, bsc#1134508)
- Add Shift-JIS Japanese character support. (fate#324487)


-----------------------------------------
Patch: SUSE-2019-2558
Released: Fri Oct  4 13:53:18 2019
Summary: Security update for compat-openssl098
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description:
This update for compat-openssl098 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

- CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
- CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).


-----------------------------------------
Patch: SUSE-2019-2627
Released: Fri Oct 11 12:05:29 2019
Summary: Recommended update for python-setuptools and dependend packages
Severity: moderate
References: 1024540,1054413,1074247,1075812,1088358,1091826,1110422,CVE-2016-9015
Description:

All changes necessary for upgrade of python-setuptools to 40.6.2 (bsc#1075812)

New packages:
- python-cachetools
- python-google-auth
- python-packaging

Rebuilt without source changes:

- python-cffi
- python-cliff
- python-mock
- python-oauthlib
- python-pbr
- python-PyJWT
- python-pytest

Added python3 packages:

- python-hgtools
- python-pyasn1-modules
- python-rsa

Updated:

- python-kubernetes
  Updated to version 6.0

- python-pyparsing

  Was updated to version 2.2.0.

- python-setuptools

  Was upgraded to version 40.6.2.



-----------------------------------------
Patch: SUSE-2019-2643
Released: Fri Oct 11 17:11:01 2019
Summary: Recommended update for cloud-init
Severity: important
References: 1144363
Description:
This update for cloud-init fixes the following issue:

- Fixes a regression which was introduced by fixing a different bug in the last maintenance
  update for cloud-init (bsc#1144363)

-----------------------------------------
Patch: SUSE-2019-2650
Released: Mon Oct 14 10:52:46 2019
Summary: Security update for binutils
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2019-1010180,ECO-368,SLE-6206
Description:
This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch @7b468db3 [jsc#ECO-368]:

Includes the following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in  load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- Enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
  (bsc#1141913).
- Fixed some LTO problems (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section

Update to binutils 2.32:

* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
  encoding of VEX.W-ignored (WIG) VEX instructions.
  It also has a new -mx86-used-note=[yes|no] option to generate (or
  not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
  the Loongson EXTensions (EXT) instructions, the Loongson Content
  Address Memory (CAM) ASE and the Loongson MultiMedia extensions
  Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
  limit on the maximum amount of recursion that is allowed whilst
  demangling strings.  This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
  specifying the starting symbol for disassembly.  Disassembly will
  continue from this symbol up to the next symbol or the end of the
  function.
* The BFD linker will now report property change in linker map file
  when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
  archives, unless -t is given twice.  This makes it more useful
  when generating a list of files that should be packaged for a
  linker bug report.
* The GOLD linker has improved warning messages for relocations that
  refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Handle ELF compressed header alignment correctly.

  

-----------------------------------------
Patch: SUSE-2019-2669
Released: Tue Oct 15 14:38:11 2019
Summary: Security update for libpcap
Severity: important
References: 1153332,CVE-2018-16301,CVE-2019-15165
Description:
This update for libpcap fixes the following issues:

- CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332).
- CVE-2018-16301: Fixed a buffer overflow (bsc#1153332).


-----------------------------------------
Patch: SUSE-2019-2677
Released: Tue Oct 15 21:07:14 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
Description:
This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)


-----------------------------------------
Patch: SUSE-2019-2688
Released: Wed Oct 16 16:41:29 2019
Summary: Recommended update for crmsh
Severity: moderate
References: 1127716,1129210,1129317,1129383,1129702,1130715,1135585,1135586,1135696,1138115,1138405,1145823,1146922
Description:
This update for crmsh fixes the following issues:

- Fix: utils: fix logic for process non comments line. (bsc#1145823)
- Fix cibconfig: Correctly sanitize the original CIB as patch base (bsc#1127716, bsc#1138405)
- Revert 'high: cibconfig: Use correct CIB as patch base (bsc#1127716)'
- Partially revert 'medium: cibconfig: Sanitize CIB for patching (bsc#1127716)'
- Fix: utils: issue in to_ascii (bsc#1138115)
- Fix: bootstrap: bindnetaddr should accept both network and specific IP(bsc#1135585, bsc#1135586)
- Fix: hb_report: analysis.txt should includes warning, error, critical messages(bsc#1135696)
- ui_node: Check corosync state before clearstate (bsc#1129702)
- Fix: hb_report: handle UnicodeDecodeError. (bsc#1130715)
- cibconfig: Sanitize CIB for patching (bsc#1127716)
- cibconfig: Use correct CIB as patch base (bsc#1127716)
- Parse: Detect and error on illegal ordering of op attributes (bsc#1129210)
- utils: Handle sysconfig values containing = (bsc#1129317)
- hb_report: collect output of 'sbd dump' and 'sbd list'(bsc#1129383)
- hbreport: fix UnicodeEncodeError while print(bsc#1146922) 


-----------------------------------------
Patch: SUSE-2019-2689
Released: Wed Oct 16 16:42:02 2019
Summary: Recommended update for crmsh, ha-cluster-bootstrap
Severity: moderate
References: 1066196,1103833,1103834,1106946,1112593,1121912,1127716,1129317,1137783,1138353,1138405,1150759
Description:
This update for crmsh, ha-cluster-bootstrap contains the following fixes:

crmsh:
- Update to version 3.0.4(revision 945883b9):
  * high: bootstrap: revert corosync ports for mcast configuration as well (bsc#1066196)
  * high: bootstrap: Revert default corosync port to 5405/5404 (bsc#1066196)
  * High: cibconfig: Correctly sanitize the original CIB as patch base (bsc#1127716, bsc#1138405)
  * Revert 'high: cibconfig: Use correct CIB as patch base (bsc#1127716)'
  * Partially revert 'medium: cibconfig: Sanitize CIB for patching (bsc#1127716)'
  * medium: bootstrap: Pick first match for multiple routes (bsc#1106946) (bsc#1137783) (bsc#1150759)
  * Fix incorrect bindnetaddr in corosync.conf (bsc#1103833) (bsc#1103834)
  * Fix: hb_report: Report gets stuck on named pipe in /var/log/ (bsc#1121912)
  * medium: utils: Handle sysconfig values containing = (bsc#1129317)
  * auto-commit enabling/disabling maintenance mode for a whole cluster (bsc#1112593)
  * medium: cibconfig: Sanitize CIB for patching (bsc#1127716)
  * high: cibconfig: Use correct CIB as patch base (bsc#1127716)
- Remove merged patches. 

ha-cluster-bootstrap: 
- use help2man to generate init/join/remove man page (bsc#1138353)


-----------------------------------------
Patch: SUSE-2019-2703
Released: Thu Oct 17 10:05:41 2019
Summary: Recommended update for binutils
Severity: important
References: 1152590,1154016,1154025
Description:
This update for binutils fixes the following issues:

- Fixed a segfault in ld when building some versions of pacemaker. (bsc#1154025, bsc#1154016)
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses.  (bsc#1152590)



-----------------------------------------
Patch: SUSE-2019-2708
Released: Thu Oct 17 16:42:58 2019
Summary: Recommended update for python-urllib3
Severity: moderate
References: 1150895
Description:
This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)


-----------------------------------------
Patch: SUSE-2019-2725
Released: Mon Oct 21 13:41:05 2019
Summary: Recommended update for cifs-utils
Severity: moderate
References: 1130528,1132087,1136031
Description:
This update for cifs-utils fixes the following issues:

cifs-utils was updated to cifs-utils 6.9 (bsc#1132087, bsc#1136031)

- Allow cached DNS entry to expire (fate#325270)
- Document new SMB2.1+ defaults (bsc#1130528)



-----------------------------------------
Patch: SUSE-2019-2727
Released: Mon Oct 21 14:43:41 2019
Summary: Security update for dhcp
Severity: moderate
References: 1089524,1134078,1136572,CVE-2019-6470
Description:
This update for dhcp fixes the following issues:

Secuirty issue fixed:

- CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078).

Bug fixes:

- Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524).
- Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572).


-----------------------------------------
Patch: SUSE-2019-2740
Released: Tue Oct 22 15:34:30 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description:
This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.


-----------------------------------------
Patch: SUSE-2019-2752
Released: Wed Oct 23 11:23:24 2019
Summary: Security update for sysstat
Severity: moderate
References: 1150114,CVE-2019-16167
Description:
This update for sysstat fixes the following issue:

- CVE-2019-16167: Fixed a memory corruption due to an integer overflow. (bsc#1150114)


-----------------------------------------
Patch: SUSE-2019-2761
Released: Thu Oct 24 07:08:33 2019
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1149149
Description:
This update for pciutils-ids fixes the following issues:

- updates the list of devices so that more devices will get identified (bsc#1149149)


-----------------------------------------
Patch: SUSE-2019-2781
Released: Fri Oct 25 14:27:08 2019
Summary: Security update for nfs-utils
Severity: moderate
References: 1150733,CVE-2019-3689
Description:
This update for nfs-utils fixes the following issues:

- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)


-----------------------------------------
Patch: SUSE-2019-2798
Released: Mon Oct 28 16:57:01 2019
Summary: Security update for python3
Severity: moderate
References: 1141853,1149955,CVE-2018-20852,CVE-2019-16056
Description:
This update for python3 fixes the following issues:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2018-20852: Fixed an incorrect domain validation that could lead to cookies being sent to the wrong server. (bsc#1141853)


-----------------------------------------
Patch: SUSE-2019-2800
Released: Mon Oct 28 17:11:35 2019
Summary: Recommended update for tcsh
Severity: moderate
References: 1151630,1153839
Description:
This update for tcsh fixes the following issues:

- An issue has been fixed where the csh reported 'Abort (core dumped)' by accident (bsc#1151630)


-----------------------------------------
Patch: SUSE-2019-2816
Released: Tue Oct 29 15:14:34 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1149094,1153451,1153459,CVE-2019-17041,CVE-2019-17042
Description:
This update for rsyslog fixes the following issues:

Security issues fixed:

- CVE-2019-17041: Fixed a heap overflow in the parser for AIX log messages (bsc#1153451).
- CVE-2019-17042: Fixed a heap overflow in the parser for Cisco log messages (bsc#1153459).

Non-security issue fixed:

- imudp: fix segfault in ratelimit code (bsc#1149094)
  


-----------------------------------------
Patch: SUSE-2019-2818
Released: Tue Oct 29 17:22:01 2019
Summary: Recommended update for zypper and libzypp
Severity: important
References: 1049825,1116995,1140039,1145521,1146415,1153557
Description:
This update for zypper and libzypp fixes the following issues:

Package: zypper

- Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
- Rephrased the file conflicts check summary (bsc#1140039)
- Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)

Package: libzypp

- Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus
  mode when resolving jobs (bsc#1146415)
- Fixes a file descriptor leak in the media backend (bsc#1116995)


-----------------------------------------
Patch: SUSE-2019-2748
Released: Mon Nov  4 15:43:07 2019
Summary: Security update for python
Severity: moderate
References: 1149955,1153238,CVE-2019-16056,CVE-2019-16935
Description:
This update for python fixes the following issues:

Security issue fixed:

- CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).


-----------------------------------------
Patch: SUSE-2019-2887
Released: Mon Nov  4 17:31:49 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1139870
Description:
This update for apparmor provides the following fix:

- Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure
  apparmor does not generate profiles for programs marked as not having their own
  profiles. (bsc#1139870)


-----------------------------------------
Patch: SUSE-2019-2923
Released: Thu Nov  7 16:42:20 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1101780,1130588,1134860,1135567,1135732,1137642,1140912,1143301,1146192,1146382,1151650,1151947,1152366
Description:

This update fixes the following issues:

salt:

- Add missing 'fun' on events coming from salt-ssh wfunc executions (bsc#1151947)
- Fix failing unit tests for batch async
- Fix memory consumption problem on BatchAsync (bsc#1137642)
- Fix dependencies for RHEL 8
- Prevent systemd-run description issue when running aptpkg (bsc#1152366)
- Take checksums arg into account for postgres.datadir_init (bsc#1151650)
- Improve batch_async to release consumed memory (bsc#1140912)
- Require shadow instead of old pwdutils (bsc#1130588)
- Conflict with tornado >= 5; for now we can only cope with Tornado 4.x (bsc#1101780).
- Fix virt.full_info (bsc#1146382)
- Virt.volume_infos: silence libvirt error message
- Virt.volume_infos needs to ignore inactive pools
- Fix for various bugs in virt network and pool states
- Implement network.fqdns module function (bsc#1134860)
- Strip trailing '/' from repo.uri when comparing repos in apktpkg.mod_repo (bsc#1146192)
- Make python3 default for RHEL8
- Use python3 to build package Salt for RHEL8
- Fix aptpkg systemd call (bsc#1143301)
- Move server_id deprecation warning to reduce log spamming (bsc#1135567) (bsc#1135732)



-----------------------------------------
Patch: SUSE-2019-2936
Released: Fri Nov  8 13:19:55 2019
Summary: Security update for libssh2_org
Severity: moderate
References: 1154862,CVE-2019-17498
Description:
This update for libssh2_org fixes the following issue:

- CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).


-----------------------------------------
Patch: SUSE-2019-2941
Released: Tue Nov 12 10:03:32 2019
Summary: Security update for libseccomp
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893
Description:
This update for libseccomp fixes the following issues:

Update to new upstream release 2.4.1:

* Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates

Update to release 2.3.3:

* Updated the syscall table for Linux v4.15-rc7

Update to release 2.3.2:

* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure
  flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is
  set to true
* Several small documentation fixes

- ignore make check error for ppc64/ppc64le, bypass bsc#1142614


-----------------------------------------
Patch: SUSE-2019-2967
Released: Wed Nov 13 14:18:47 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1145231,1151295
Description:
This update for lvm2 fixes the following issues:

- Declares the 'dir' configuration property in lvm.conf as 'advanced' to make it clear
  that this option could cause harm if it is not edited carefully (bsc#1151295)
- Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231)


-----------------------------------------
Patch: SUSE-2019-2972
Released: Thu Nov 14 12:04:52 2019
Summary: Security update for libjpeg-turbo
Severity: important
References: 1156402,CVE-2019-2201
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2019-2201: Several integer overflow issues and subsequent segfaults occurred in libjpeg-turbo,
  when attempting to compress or decompress gigapixel images. [bsc#1156402]



-----------------------------------------
Patch: SUSE-2019-2973
Released: Thu Nov 14 14:17:05 2019
Summary: Recommended update for python-parallax
Severity: moderate
References: 1146748
Description:
This update for python-parallax fixes the following issues:

- Surpress warning messages when needed. (bsc#1146748)


-----------------------------------------
Patch: SUSE-2019-2974
Released: Thu Nov 14 14:17:44 2019
Summary: Recommended update for irqbalance
Severity: important
References: 1119465,1154905
Description:
This update for irqbalance fixes the following issues:

- Irqbalanced spreads the IRQs between the available virtual machines. (bsc#1119465, bsc#1154905)


-----------------------------------------
Patch: SUSE-2019-3003
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Severity: moderate
References: 1153386,SLE-10396
Description:
This update for procps provides the following fixes:

- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)


-----------------------------------------
Patch: SUSE-2019-3005
Released: Tue Nov 19 10:13:32 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1111029,1154482
Description:
This update for supportutils provides the following fixes:

- Added free -h
- Removed LPM/DLPAR data for POWER. (bsc#1111029)
- Removed root .snapshots directory from full file list (bsc#1154482)


-----------------------------------------
Patch: SUSE-2019-3006
Released: Tue Nov 19 10:14:11 2019
Summary: Recommended update for openssh
Severity: moderate
References: 1139089,1150574
Description:
This update for openssh contains the following fixes:

- Allow 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN='yes' in /etc/sysconfig/ssh. (bsc#1139089)
- Attempt to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R).  (bsc#1139089)


-----------------------------------------
Patch: SUSE-2019-3007
Released: Tue Nov 19 11:38:07 2019
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1152774
Description:
This update for open-iscsi fixes the following issues:

- Set timeout value when querying session info for a single session (bsc#1152774)


-----------------------------------------
Patch: SUSE-2019-3024
Released: Thu Nov 21 09:37:09 2019
Summary: Security update for python-ecdsa
Severity: moderate
References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859
Description:
This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).


-----------------------------------------
Patch: SUSE-2019-3036
Released: Fri Nov 22 11:23:39 2019
Summary: Recommended update for python-rsa
Severity: moderate
References: 1154763
Description:
This update for python-rsa fixes the following issues:

- The error 'update-alternatives: error: alternative pyrsa-decrypt-bigfile can't be master' does no
  longer occur when updating to a newer package version (bsc#1154763)


-----------------------------------------
Patch: SUSE-2019-3037
Released: Fri Nov 22 11:58:41 2019
Summary: Recommended update for resource-agents
Severity: moderate
References: 1150046,1154465
Description:
This update for resource-agents fixes the following issues:

- Changing from 8 seconds to 20 seconds to decrease the amount of ListResourceRecordSets API calls and decrease the change of Route53 API. (bsc#1154465)
- Making the agent a little more verbose. (bsc#1154465)
- Fix potential race condition during agent probe. (bsc#1154465)
- Netcat multiple connections causing issues with pacemaker. (bsc#1150046)


-----------------------------------------
Patch: SUSE-2019-3049
Released: Mon Nov 25 17:01:09 2019
Summary: Recommended update for man-pages
Severity: moderate
References: 1154701
Description:
This update for man-pages fixes the following issues:

- Correct documentation of 'tcp_fack' and documenting 'tcp_recovery'. (bsc#1154701)


-----------------------------------------
Patch: SUSE-2019-3050
Released: Mon Nov 25 17:26:54 2019
Summary: Security update for sqlite3
Severity: important
References: 1155787,CVE-2017-2518
Description:
This update for sqlite3 fixes the following issues:

- CVE-2017-2518: Fixed a use-after-free vulnerability which could have 
  led to buffer overflow via a crafted SQL statement (bsc#1155787).


-----------------------------------------
Patch: SUSE-2019-3057
Released: Mon Nov 25 17:31:37 2019
Summary: Security update for cups
Severity: important
References: 1146358,1146359,CVE-2019-8675,CVE-2019-8696
Description:
This update for cups fixes the following issues:

- CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358). 
- CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359).


-----------------------------------------
Patch: SUSE-2019-3058
Released: Mon Nov 25 17:32:43 2019
Summary: Security update for tiff
Severity: moderate
References: 1108606,1121626,1125113,1146608,983268,CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663
Description:
This update for tiff fixes the following issues:

Security issues fixed:

- CVE-2019-14973: Fixed an improper check which was depended on the compiler
  which could have led to integer overflow (bsc#1146608).
- CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268)
- CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).
- CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).
- CVE-2019-7663: Fixed an invalid address dereference in the
  TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)


-----------------------------------------
Patch: SUSE-2019-3064
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Severity: moderate
References: 1155199,CVE-2019-14866
Description:
This update for cpio fixes the following issues:
	  
- CVE-2019-14866: Fixed an improper validation of the values written 
  in the header of a TAR file through the to_oct() function which could 
  have led to unexpected TAR generation (bsc#1155199).


-----------------------------------------
Patch: SUSE-2019-3069
Released: Tue Nov 26 12:38:26 2019
Summary: Recommended update for rsyslog
Severity: moderate
References: 1152760
Description:
This update for rsyslog fixes the following issues:

- Fix shutdown hang when remote server becomes unavailable. (bsc#1152760)


-----------------------------------------
Patch: SUSE-2019-3085
Released: Thu Nov 28 10:01:53 2019
Summary: Security update for libxml2
Severity: low
References: 1123919
Description:
This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect
all CVEs that have been fixed over the past.


-----------------------------------------
Patch: SUSE-2019-3094
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

Bug fixes:

- Fixed ppc64le build configuration (bsc#1134550).


-----------------------------------------
Patch: SUSE-2019-3103
Released: Fri Nov 29 06:46:35 2019
Summary: Recommended update for sysstat
Severity: moderate
References: 1144923,SLE-5958
Description:
This update for sysstat fixes the following issues:

- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)


-----------------------------------------
Patch: SUSE-2019-3130
Released: Tue Dec  3 05:51:37 2019
Summary: Recommended update for supportutils
Severity: moderate
References: 1023308,1089877,1145233,1156837,1157043
Description:
This update for supportutils contains the following fixes:

- Updated version 3.0.5 to 3.0.6:
  + Supportconfig takes a long time to complete on 32TB machine. (bsc#1157043)
  + Updated detailed unit information fix in systemd.txt. (bsc#1023308)
  + Dynamically select compression method. (bsc#1145233)
  + Strip trailing commas from process names. (bsc#1156837)
  + Include IPv6 routes. (bsc#1089877)


-----------------------------------------
Patch: SUSE-2019-3132
Released: Tue Dec  3 10:52:14 2019
Summary: Recommended update for update-alternatives
Severity: moderate
References: 1154043
Description:
This update for update-alternatives fixes the following issues:

- Fix post install scripts: test if there is actual file before calling update-alternatives. (bsc#1154043)


-----------------------------------------
Patch: SUSE-2019-3134
Released: Tue Dec  3 10:55:27 2019
Summary: Recommended update for cronie
Severity: moderate
References: 1155114
Description:
This update for cronie fixes the following issues:

- Update crontab so it doesn't print the headers of crontab with the 'crontab -l' command. (bsc#1155114)


-----------------------------------------
Patch: SUSE-2019-3135
Released: Tue Dec  3 10:56:05 2019
Summary: Recommended update for growpart, growpart-rootgrow
Severity: moderate
References: 1154357,ECO-550
Description:
This update for growpart, growpart-rootgrow contains the following fixes:

growpart:

- Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)

growpart-rootgrow:

- Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
- Bump from version 1.0.0 to 1.0.1:
 - Fixed binary location in service unit file.

  

-----------------------------------------
Patch: SUSE-2019-3140
Released: Wed Dec  4 11:13:29 2019
Summary: Recommended update for sles-manuals_en
Severity: important
References: 1158022
Description:
This update for sles-manuals_en fixes the following issues:

- Update for SLE 12 SP5 documentation (bsc#1158022)


-----------------------------------------
Patch: SUSE-2019-3164
Released: Wed Dec  4 11:22:35 2019
Summary: Recommended update for libvirt
Severity: moderate
References: 1145774,1151850,1152649,SLE-5826
Description:
This update for libvirt fixes the following issues:

- Implement supporting boot from 'vfio-ccw mdev' devices. (jsc#SLE-5826, FATE#327355, bsc#1152649)
- Fix lock manager lock mechanism preventing segmentation faults during live migration to a virtual host. (bsc#1145774)
- Fix for restoring vmsave images with virsh that lead to exit with error. (bsc#1151850)


-----------------------------------------
Patch: SUSE-2019-3183
Released: Thu Dec  5 11:43:25 2019
Summary: Security update for permissions
Severity: moderate
References: 1047247,1093414,1097665,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description:
This update for permissions fixes the following issues:

Security issues fixed: 

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
  which could have allowed a squid user to gain persistence by changing the 
  binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic 
  links (bsc#1150734).	  

Other issue addressed: 

- Corrected a badly constracted file which could have allowed treating of the
  shell environment as permissions files (bsc#1097665,bsc#1047247).
- Fixed a regression which caused sagmentation fault (bsc#1157198). 


-----------------------------------------
Patch: SUSE-2019-3191
Released: Thu Dec  5 11:45:45 2019
Summary: Security update for cloud-init
Severity: moderate
References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092,CVE-2019-0816
Description:
This update for cloud-init fixes the following issues:

Security issue fixed:

- CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124).

Non-security issues fixed:

- Add cloud-init-renderer-detect.patch (bsc#1154092, bsc#1142988)
  + Short curcuit the conditional for identifying the sysconfig renderer.
    If we find ifup/ifdown accept the renderer as available.

- Add cloud-init-break-resolv-symlink.patch (bsc#1151488)
  + If /etc/resolv.conf is a symlink break it. This will avoid netconfig
    from clobbering the changes cloud-init applied.

- Update to cloud-init 19.2 (bsc#1099358)
  + Remove, included upstream
    - cloud-init-detect-nova.diff
    - cloud-init-add-static-routes.diff
  + net: add rfc3442 (classless static routes) to EphemeralDHCP
    (LP: #1821102)
  + templates/ntp.conf.debian.tmpl: fix missing newline for pools
    (LP: #1836598)
  + Support netplan renderer in Arch Linux [Conrad Hoffmann]
  + Fix typo in publicly viewable documentation. [David Medberry]
  + Add a cdrom size checker for OVF ds to ds-identify
    [Pengpeng Sun] (LP: #1806701)
  + VMWare: Trigger the post customization script via cc_scripts module.
    [Xiaofeng Wang] (LP: #1833192)
  + Cloud-init analyze module: Added ability to analyze boot events.
    [Sam Gilson]
  + Update debian eni network configuration location, retain Ubuntu setting
    [Janos Lenart]
  + net: skip bond interfaces in get_interfaces
    [Stanislav Makar] (LP: #1812857)
  + Fix a couple of issues raised by a coverity scan
  + Add missing dsname for Hetzner Cloud datasource [Markus Schade]
  + doc: indicate that netplan is default in Ubuntu now
  + azure: add region and AZ properties from imds compute location metadata
  + sysconfig: support more bonding options [Penghui Liao]
  + cloud-init-generator: use libexec path to ds-identify on redhat systems
    (LP: #1833264)
  + tools/build-on-freebsd: update to python3 [Gonéri Le Bouder]
  + Allow identification of OpenStack by Asset Tag
    [Mark T. Voelker] (LP: #1669875)
  + Fix spelling error making 'an Ubuntu' consistent. [Brian Murray]
  + run-container: centos: comment out the repo mirrorlist [Paride Legovini]
  + netplan: update netplan key mappings for gratuitous-arp (LP: #1827238)
  + freebsd: fix the name of cloudcfg VARIANT [Gonéri Le Bouder]
  + freebsd: ability to grow root file system [Gonéri Le Bouder]
  + freebsd: NoCloud data source support [Gonéri Le Bouder] (LP: #1645824)
  + Azure: Return static fallback address as if failed to find endpoint
    [Jason Zions (MSFT)]

- Follow up to update cloud-init-trigger-udev.patch (bsc#1144363)
- Update to version 19.1 (bsc#1136440, bsc#1129124)


-----------------------------------------
Patch: SUSE-2019-3199
Released: Fri Dec  6 17:04:04 2019
Summary: Recommended update for xen
Severity: moderate
References: 1027519,1157047,1157888
Description:
This update for xen fixes the following issues:

- Fixed a privilege escaltion where an untrusted domain with access 
  to a physical device can DMA into host memory (bsc#1157888 XSA-306).
- Fixed an issue where PCI passthrough failed on AMD machine xen host
  (bsc#1157047). 


-----------------------------------------
Patch: SUSE-2019-3200
Released: Fri Dec  6 19:11:13 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1046299,1046303,1046305,1048942,1050244,1050536,1050545,1051510,1054914,1055117,1055186,1061840,1064802,1065600,1065729,1066129,1071995,1073513,1082555,1082635,1083647,1086323,1087092,1089644,1090631,1091041,1093205,1096254,1097583,1097584,1097585,1097586,1097587,1097588,1098291,1101674,1103990,1103991,1104353,1104427,1104745,1104967,1106434,1108043,1108382,1109158,1109837,1111666,1112178,1112374,1113722,1113994,1114279,1117169,1117665,1118661,1119086,1119113,1119461,1119465,1120902,1122363,1123034,1123080,1123105,1126390,1127155,1127354,1127371,1127988,1131107,1131304,1131489,1133140,1134476,1134983,1135642,1135854,1135873,1135966,1135967,1136261,1137040,1137069,1137223,1137236,1137799,1137861,1137865,1137959,1137982,1138039,1138190,1138539,1139073,1140090,1140155,1140729,1140845,1140883,1141013,1141340,1141543,1141600,1142076,1142635,1142667,1142924,1143706,1144338,1144375,1144449,1144653,1144903,1145099,1145661,1146042,1146612,1146664,1148133,1148410,1148712,1148859,1148868,1149083,1149119,1149224,1149446,1149448,1149555,1149651,1149652,1149713,1149853,1149940,1149959,1149963,1149976,1150025,1150033,1150112,1150305,1150381,1150423,1150457,1150466,1150562,1150727,1150846,1150860,1150861,1150875,1150933,1151021,1151067,1151192,1151225,1151350,1151508,1151548,1151610,1151661,1151662,1151667,1151671,1151680,1151807,1151891,1151900,1151955,1152024,1152025,1152026,1152033,1152161,1152187,1152325,1152457,1152460,1152466,1152525,1152624,1152665,1152685,1152696,1152697,1152782,1152788,1152790,1152791,1152885,1152972,1152974,1152975,1153108,1153112,1153236,1153263,1153476,1153509,1153607,1153628,1153646,1153681,1153713,1153717,1153718,1153719,1153811,1153969,1154043,1154048,1154058,1154108,1154124,1154189,1154242,1154268,1154354,1154355,1154372,1154521,1154526,1154578,1154601,1154607,1154608,1154610,1154611,1154651,1154737,1154747,1154848,1154858,1154905,1154956,1154959,1155021,1155061,1155178,1155179,1155184,1155186,1155671,1155689,1155692,1155836,1155897,1155982,1156187,1156258,1156429,1156466,1156471,1156494,1156609,1156700,1156729,1156882,1156928,1157032,1157038,1157044,1157045,1157046,1157049,1157070,1157115,1157143,1157145,1157158,1157160,1157162,1157173,1157178,1157180,1157182,1157183,1157184,1157191,1157193,1157197,1157298,1157304,1157307,1157324,1157333,1157386,1157424,1157463,1157499,1157678,1157698,1157778,1157908,1158049,1158063,1158064,1158065,1158066,1158067,1158068,CVE-2017-18595,CVE-2019-0154,CVE-2019-0155,CVE-2019-10220,CVE-2019-11135,CVE-2019-14821,CVE-2019-14835,CVE-2019-14895,CVE-2019-15030,CVE-2019-15031,CVE-2019-15916,CVE-2019-16231,CVE-2019-16233,CVE-2019-16995,CVE-2019-17055,CVE-2019-17056,CVE-2019-17666,CVE-2019-18660,CVE-2019-18683,CVE-2019-18805,CVE-2019-18809,CVE-2019-19046,CVE-2019-19049,CVE-2019-19052,CVE-2019-19056,CVE-2019-19057,CVE-2019-19058,CVE-2019-19060,CVE-2019-19062,CVE-2019-19063,CVE-2019-19065,CVE-2019-19067,CVE-2019-19068,CVE-2019-19073,CVE-2019-19074,CVE-2019-19075,CVE-2019-19078,CVE-2019-19080,CVE-2019-19081,CVE-2019-19082,CVE-2019-19083,CVE-2019-19227,CVE-2019-9456,CVE-2019-9506
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2019-19081: Fixed a memory leak in the nfp_flower_spawn_vnic_reprs() could
  have  allowed attackers to cause a denial of service (bsc#1157045).
- CVE-2019-19080: Fixed four memory leaks in the nfp_flower_spawn_phy_reprs() could
  have allowed attackers to cause a denial of service (bsc#1157044).
- CVE-2019-19052: Fixed a memory leak in the gs_can_open() which could have led 
  to denial of service (bsc#1157324).
- CVE-2019-19067: Fixed multiple memory leaks in acp_hw_init (bsc#1157180).
- CVE-2019-19060: Fixed a memory leak in the adis_update_scan_mode() which could have 
  led to denial of service (bsc#1157178).
- CVE-2019-19049: Fixed a memory leak in unittest_data_add (bsc#1157173).
- CVE-2019-19075: Fixed a memory leak in the ca8210_probe() which could have led to 
  denial of service by triggering ca8210_get_platform_data() failures (bsc#1157162).
- CVE-2019-19058: Fixed a memory leak in the alloc_sgtable() which could have led to 
  denial of service by triggering alloc_page() failures (bsc#1157145).
- CVE-2019-19074: Fixed a memory leak in the ath9k_wmi_cmd() function which could have led to
  denial of service (bsc#1157143).
- CVE-2019-19073: Fixed multiple memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c which 
  could have led to denial of service by triggering wait_for_completion_timeout() failures (bsc#1157070).
- CVE-2019-19083: Fixed multiple memory leaks in *clock_source_create() functions which could have led 
  to denial of service (bsc#1157049).
- CVE-2019-19082: Fixed multiple memory leaks in *create_resource_pool() which could have led to 
  denial of service (bsc#1157046).
- CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() which might
  have led  denial of service (bsc#1149448).
- CVE-2019-0154: Fixed an improper access control in subsystem for Intel (R)
  processor graphics whichs may have allowed an authenticated user to potentially
  enable denial of service via local access (bsc#1135966).
- CVE-2019-0155: Fixed an improper access control in subsystem for Intel (R)
  processor graphics whichs may have allowed an authenticated user to potentially
  enable escalation of privilege via local access (bsc#1135967).
- CVE-2019-16231: Fixed a NULL pointer dereference due to lack of checking the
  alloc_workqueue return value (bsc#1150466).
- CVE-2019-18805: Fixed an integer overflow in tcp_ack_update_rtt() leading to
  a denial of service or possibly unspecified other impact (bsc#1156187).
- CVE-2019-17055: Enforced CAP_NET_RAW in the AF_ISDN network module to restrict
  unprivileged users to create a raw socket (bsc#1152782).
- CVE-2019-16995: Fixed a memory leak in hsr_dev_finalize() which may have caused
  denial of service (bsc#1152685).
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the
  alloc_workqueue return value, leading to a NULL pointer dereference.
  (bsc#1150457).
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user
  space. (bsc#1144903)
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which
  meant that unprivileged users could create a raw socket (bsc#1152788).
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's kvm
  hypervisor. An unprivileged host user or process with access to '/dev/kvm'
  device could use this flaw to crash the host kernel, resulting in a denial of
  service or potentially escalating privileges on the system (bnc#1151350).
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed
  (bnc#1149555).
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently
  low encryption key length and did not prevent an attacker from influencing
  the key length negotiation. This allowed practical brute-force attacks (aka
  'KNOB') that could decrypt traffic and inject arbitrary ciphertext without
  the victim noticing (bnc#1137865).
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
  functionality that translates virtqueue buffers to IOVs. A privileged guest
  user able to pass descriptors with invalid length to the host could use this
  flaw to increase their privileges on the host (bnc#1150112).
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been
  fixed. This issue could lead to local escalation of privilege with System
  execution privileges needed. (bnc#1150025).
- CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could
  read vector registers of other users' processes via an interrupt
  (bsc#1149713).
- CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid. It is
  exploitable for privilege escalation on some Linux distributions where local
  users have /dev/video0 access, but only if the driver happens to be loaded.
  There are multiple race conditions during streaming stopping in this driver
  (part of the V4L2 subsystem). These issues are caused by wrong mutex locking
  in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(),
  sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of
  these race conditions leads to a use-after-free (bnc#1155897).
- CVE-2019-18809: A memory leak in the af9005_identify_state() function in
  drivers/media/usb/dvb-usb/af9005.c allows attackers to cause a denial of
  service (memory consumption), aka CID-2289adbfa559 (bnc#1156258).
- CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in
  drivers/net/wireless/ath/ath10k/usb.c allows attackers to cause a denial of
  service (memory consumption) by triggering usb_submit_urb() failures, aka
  CID-b8d17e7d93d2 (bnc#1157032).
- CVE-2019-18660: The Linux kernel on powerpc allows Information Exposure
  because the Spectre-RSB mitigation is not in place for all applicable CPUs,
  aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and
  arch/powerpc/kernel/security.c (bnc#1157038).
- CVE-2019-14895: A heap-based buffer overflow was discovered in Marvell WiFi
  chip driver. The flaw could occur when the station attempts a connection
  negotiation during the handling of the remote devices country settings. This
  could allow the remote device to cause a denial of service (system crash) or
  possibly execute arbitrary code (bnc#1157158).
- CVE-2019-19065: A memory leak in the sdma_init() function in
  drivers/infiniband/hw/hfi1/sdma.c allows attackers to cause a denial of
  service (memory consumption) by triggering rhashtable_init() failures, aka
  CID-34b3be18a04e (bnc#1157191).
- CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function
  in drivers/net/wireless/marvell/mwifiex/pcie.c allow attackers to cause a
  denial of service (memory consumption) by triggering mwifiex_map_pci_memory()
  failures, aka CID-d10dcb615c8e (bnc#1157193).
- CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function
  in drivers/net/wireless/marvell/mwifiex/pcie.c allows attackers to cause a
  denial of service (memory consumption) by triggering mwifiex_map_pci_memory()
  failures, aka CID-db8fd2cde932 (bnc#1157197).
- CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in
  drivers/net/wireless/realtek/rtlwifi/usb.c allow attackers to cause a denial
  of service (memory consumption), aka CID-3f9361695113 (bnc#1157298).
- CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in
  drivers/char/ipmi/ipmi_msghandler.c allow attackers to cause a denial of
  service (bsc#1157304).
- CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in
  drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows attackers to
  cause a denial of service (memory consumption) by triggering usb_submit_urb()
  failures, aka CID-a2cdd07488e6 (bnc#1157307).
- CVE-2019-19062: A memory leak in the crypto_report() function in
  crypto/crypto_user_base.c allows attackers to cause a denial of service
  (memory consumption) by triggering crypto_report_alg() failures, aka
  CID-ffdde5932042 (bnc#1157333).
- CVE-2019-19227: In the AppleTalk subsystem, there is a potential NULL pointer
  dereference because register_snap_client may return NULL. This will lead to
  denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as
  demonstrated by unregister_snap_client, aka CID-9804501fa122 (bnc#1157678).
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with
  Transactional Memory support could be used to facilitate sidechannel
  information leaks out of microarchitectural buffers, similar to the previously
  described 'Microarchitectural Data Sampling' attack.

  The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).

  The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
 
 
The following non-security bugs were fixed:

- 940:PHYP:XM: Injecting EEH till threshold causes LPAR crash with e1000e network driver in SUSE platform. (bsc#1158049)
- 9p: avoid attaching writeback_fid on mmap with type PRIVATE (bsc#1051510).
- ACPI / CPPC: do not require the _PSD method (bsc#1051510).
- ACPI / LPSS: Exclude I2C busses shared with PUNIT from pmc_atom_d3_mask (bsc#1051510).
- ACPI / PCI: fix acpi_pci_irq_enable() memory leak (bsc#1051510).
- ACPI / processor: do not print errors for processorIDs == 0xff (bsc#1051510).
- ACPI / property: Fix acpi_graph_get_remote_endpoint() name in kerneldoc (bsc#1051510).
- ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit() (bsc#1051510).
- ACPI: custom_method: fix memory leaks (bsc#1051510).
- ACPICA: Increase total number of possible Owner IDs (bsc#1148859).
- ALSA: aoa: onyx: always initialize register read value (bsc#1051510).
- ALSA: bebob: Fix prototype of helper function to return negative value (bsc#1051510).
- ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series (git-fixes).
- ALSA: firewire-motu: add support for MOTU 4pre (bsc#1111666).
- ALSA: firewire-tascam: check intermediate state of clock status and retry (bsc#1051510).
- ALSA: firewire-tascam: handle error code when getting current source of clock (bsc#1051510).
- ALSA: hda - Add a quirk model for fixing Huawei Matebook X right speaker (bsc#1051510).
- ALSA: hda - Add laptop imic fixup for ASUS M9V laptop (bsc#1051510).
- ALSA: hda - Apply AMD controller workaround for Raven platform (bsc#1051510).
- ALSA: hda - Define a fallback_pin_fixup_tbl for alc269 family (bsc#1051510).
- ALSA: hda - Drop unsol event handler for Intel HDMI codecs (bsc#1051510).
- ALSA: hda - Expand pin_match function to match upcoming new tbls (bsc#1051510).
- ALSA: hda - Fix potential endless loop at applying quirks (bsc#1051510).
- ALSA: hda - Force runtime PM on Nvidia HDMI codecs (bsc#1051510).
- ALSA: hda - Inform too slow responses (bsc#1051510).
- ALSA: hda - Show the fatal CORB/RIRB error more clearly (bsc#1051510).
- ALSA: hda/ca0132 - Fix possible workqueue stall (bsc#1155836).
- ALSA: hda/hdmi - Do not report spurious jack state changes (bsc#1051510).
- ALSA: hda/hdmi: remove redundant assignment to variable pcm_idx (bsc#1051510).
- ALSA: hda/intel: add CometLake PCI IDs (bsc#1156729).
- ALSA: hda/realtek - Add quirk for HP Pavilion 15 (bsc#1051510).
- ALSA: hda/realtek - Add support for ALC623 (bsc#1051510).
- ALSA: hda/realtek - Add support for ALC711 (bsc#1051510).
- ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 (bsc#1051510).
- ALSA: hda/realtek - Check beep whitelist before assigning in all codecs (bsc#1051510).
- ALSA: hda/realtek - Enable headset mic on Asus MJ401TA (bsc#1051510).
- ALSA: hda/realtek - Enable internal speaker & headset mic of ASUS UX431FL (bsc#1051510).
- ALSA: hda/realtek - Fix 2 front mics of codec 0x623 (bsc#1051510).
- ALSA: hda/realtek - Fix alienware headset mic (bsc#1051510).
- ALSA: hda/realtek - Fix overridden device-specific initialization (bsc#1051510).
- ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre (bsc#1051510).
- ALSA: hda/realtek - PCI quirk for Medion E4254 (bsc#1051510).
- ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360 (bsc#1051510).
- ALSA: hda/sigmatel - remove unused variable 'stac9200_core_init' (bsc#1051510).
- ALSA: hda: Add Cometlake-S PCI ID (git-fixes).
- ALSA: hda: Add Elkhart Lake PCI ID (bsc#1051510).
- ALSA: hda: Add Tigerlake/Jasperlake PCI ID (bsc#1051510).
- ALSA: hda: Add support of Zhaoxin controller (bsc#1051510).
- ALSA: hda: Fix racy display power access (bsc#1156928).
- ALSA: hda: Flush interrupts on disabling (bsc#1051510).
- ALSA: hda: Set fifo_size for both playback and capture streams (bsc#1051510).
- ALSA: hda: kabi workaround for generic parser flag (bsc#1051510).
- ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() (bsc#1051510).
- ALSA: intel8x0m: Register irq handler after register initializations (bsc#1051510).
- ALSA: line6: sizeof (byte) is always 1, use that fact (bsc#1051510).
- ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() (git-fixes).
- ALSA: pcm: signedness bug in snd_pcm_plug_alloc() (bsc#1051510).
- ALSA: seq: Do error checks at creating system ports (bsc#1051510).
- ALSA: timer: Fix incorrectly assigned timer instance (git-fixes).
- ALSA: timer: Fix mutex deadlock at releasing card (bsc#1051510).
- ALSA: usb-audio: Add DSD support for EVGA NU Audio (bsc#1051510).
- ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface (bsc#1051510).
- ALSA: usb-audio: Add Hiby device family to quirks for native DSD support (bsc#1051510).
- ALSA: usb-audio: Add Pioneer DDJ-SX3 PCM quirck (bsc#1051510).
- ALSA: usb-audio: Clean up check_input_term() (bsc#1051510).
- ALSA: usb-audio: DSD auto-detection for Playback Designs (bsc#1051510).
- ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1051510).
- ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers (bsc#1111666).
- ALSA: usb-audio: Fix copy&paste error in the validator (bsc#1111666).
- ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() (git-fixes).
- ALSA: usb-audio: Fix incorrect size check for processing/extension units (git-fixes).
- ALSA: usb-audio: Fix missing error check at mixer resolution test (git-fixes).
- ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() (bsc#1051510).
- ALSA: usb-audio: More validations of descriptor units (bsc#1051510).
- ALSA: usb-audio: Remove superfluous bLength checks (bsc#1051510).
- ALSA: usb-audio: Simplify parse_audio_unit() (bsc#1051510).
- ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid (bsc#1051510).
- ALSA: usb-audio: Unify audioformat release code (bsc#1051510).
- ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects (bsc#1051510).
- ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel (bsc#1051510).
- ALSA: usb-audio: fix PCM device order (bsc#1051510).
- ALSA: usb-audio: not submit urb for stopped endpoint (git-fixes).
- ALSA: usb-audio: remove some dead code (bsc#1051510).
- ASoC: Define a set of DAPM pre/post-up events (bsc#1051510).
- ASoC: Intel: Baytrail: Fix implicit fallthrough warning (bsc#1051510).
- ASoC: Intel: Fix use of potentially uninitialized variable (bsc#1051510).
- ASoC: Intel: NHLT: Fix debug print format (bsc#1051510).
- ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation (bsc#1051510).
- ASoC: davinci-mcasp: Handle return value of devm_kasprintf (stable 4.14.y).
- ASoC: davinci: Kill BUG_ON() usage (stable 4.14.y).
- ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set (bsc#1051510).
- ASoC: dpcm: Properly initialise hw->rate_max (bsc#1051510).
- ASoC: es8328: Fix copy-paste error in es8328_right_line_controls (bsc#1051510).
- ASoC: kirkwood: fix external clock probe defer (git-fixes).
- ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX (git-fixes).
- ASoC: rockchip: i2s: Fix RPM imbalance (bsc#1051510).
- ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting (bsc#1051510).
- ASoC: sgtl5000: Fix charge pump source assignment (bsc#1051510).
- ASoC: sgtl5000: avoid division by zero if lo_vag is zero (bsc#1051510).
- ASoC: sun4i-i2s: RX and TX counter registers are swapped (bsc#1051510).
- ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes (stable 4.14.y).
- ASoC: tlv320dac31xx: mark expected switch fall-through (stable 4.14.y).
- ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls (bsc#1051510).
- ASoC: wm8988: fix typo in wm8988_right_line_controls (bsc#1051510).
- Add 3 not-needeed commits to blacklist.conf from git-fixes.
- Add Acer Aspire Ethos 8951G model quirk (bsc#1051510).
- Add kernel module compression support (bsc#1135854) For enabling the kernel module compress, add the item COMPRESS_MODULES='xz' in config.sh, then mkspec will pass it to the spec file.
- Add some qedf commits to blacklist file (bsc#1149976)
- Blacklist 'signal: Correct namespace fixups of si_pid and si_uid' (bsc#1142667)
- Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS (bsc#1051510).
- Bluetooth: btqca: Add a short delay before downloading the NVM (bsc#1051510).
- Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices (bsc#1051510).
- Btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651).
- Btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values (bsc#1154651).
- Btrfs: Ensure replaced device does not have pending chunk allocation (bsc#1154607).
- Btrfs: bail out gracefully rather than BUG_ON (bsc#1153646).
- Btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() (bsc#1155178).
- Btrfs: check for the full sync flag while holding the inode lock during fsync (bsc#1153713).
- Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path (bsc#1150933).
- Btrfs: fix assertion failure during fsync and use of stale transaction (bsc#1150562).
- Btrfs: fix log context list corruption after rename exchange operation (bsc#1156494).
- Btrfs: fix use-after-free when using the tree modification log (bsc#1151891).
- Btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() (bsc#1155179).
- Btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls (bsc#1152975).
- Btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space (bsc#1152974).
- Btrfs: relocation: fix use-after-free on dead relocation roots (bsc#1152972).
- Btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651).
- Btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start (bsc#1154651).
- Btrfs: tracepoints: Fix bad entry members of qgroup events (bsc#1155186).
- Btrfs: tracepoints: Fix wrong parameter order for qgroup events (bsc#1155184).
- Compile nvme.ko as module (bsc#1150846)
- Drop an ASoC fix that was reverted in 4.14.y stable
- Drop multiversion(kernel) from the KMP template (bsc#1127155).
- EDAC/amd64: Adjust printed chip select sizes when interleaved (bsc#1131489).
- EDAC/amd64: Cache secondary Chip Select registers (bsc#1131489).
- EDAC/amd64: Decode syndrome before translating address (bsc#1114279).
- EDAC/amd64: Decode syndrome before translating address (bsc#1131489).
- EDAC/amd64: Find Chip Select memory size using Address Mask (bsc#1131489).
- EDAC/amd64: Initialize DIMM info for systems with more than two channels (bsc#1131489).
- EDAC/amd64: Recognize DRAM device type ECC capability (bsc#1131489).
- EDAC/amd64: Recognize x16 symbol size (bsc#1131489).
- EDAC/amd64: Set maximum channel layer size depending on family (bsc#1131489).
- EDAC/amd64: Support asymmetric dual-rank DIMMs (bsc#1131489).
- EDAC/amd64: Support more than two Unified Memory Controllers (bsc#1131489).
- EDAC/amd64: Support more than two controllers for chip selects handling (bsc#1131489).
- EDAC/amd64: Use a macro for iterating over Unified Memory Controllers (bsc#1131489).
- EDAC/ghes: Fix Use after free in ghes_edac remove path (bsc#1114279).
- Error in postinstall scripts (bsc#1154043)
- FW940: Activation of multiple namespaces simultaneously may leading to an activation failure (SCM/pmem) (Documentation/TID?) (bsc#1157778)
- Fix AMD IOMMU kABI (bsc#1154610).
- Fix NULL pointer dereference in fc_lookup_rport (bsc#1098291). 
- Fix kabi for: NFSv4: Fix OPEN / CLOSE race (git-fixes).
- HID: apple: Fix stuck function keys when using FN (bsc#1051510).
- HID: cp2112: prevent sleeping function called from invalid context (bsc#1051510).
- HID: fix error message in hid_open_report() (bsc#1051510).
- HID: hidraw: Fix invalid read in hidraw_ioctl (bsc#1051510).
- HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() (bsc#1051510).
- HID: logitech: Fix general protection fault caused by Logitech driver (bsc#1051510).
- HID: prodikeys: Fix general protection fault during probe (bsc#1051510).
- HID: sony: Fix memory corruption issue on cleanup (bsc#1051510).
- HID: wacom: generic: Treat serial number and related fields as unsigned (git-fixes).
- IB/core, ipoib: Do not overreact to SM LID change event (bsc#1154108)
- IB/core: Add mitigation for Spectre V1 (bsc#1155671)
- IB/hfi1: Remove overly conservative VM_EXEC flag check (bsc#1144449).
- IB/mlx5: Consolidate use_umr checks into single function (bsc#1093205).
- IB/mlx5: Fix MR re-registration flow to use UMR properly (bsc#1093205).
- IB/mlx5: Free mpi in mp_slave mode (bsc#1103991).
- IB/mlx5: Report correctly tag matching rendezvous capability (bsc#1046305).
- IB/mlx5: Support MLX5_CMD_OP_QUERY_LAG as a DEVX general command (bsc#1103991).
- Input: da9063 - fix capability and drop KEY_SLEEP (bsc#1051510).
- Input: elan_i2c - remove Lenovo Legion Y7000 PnpID (bsc#1051510).
- Input: ff-memless - kill timer in destroy() (bsc#1051510).
- Input: synaptics-rmi4 - avoid processing unknown IRQs (bsc#1051510).
- Input: synaptics-rmi4 - clear IRQ enables for F54 (bsc#1051510).
- Input: synaptics-rmi4 - destroy F54 poller workqueue when removing (bsc#1051510).
- Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver (bsc#1051510).
- Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) (bsc#1051510).
- Input: synaptics-rmi4 - fix video buffer size (git-fixes).
- KVM: Convert kvm_lock to a mutex (bsc#1117665).
- KVM: MMU: drop vcpu param in gpte_access (bsc#1117665).
- KVM: PPC: Book3S HV: Check for MMU ready on piggybacked virtual cores (bsc#1061840).
- KVM: PPC: Book3S HV: Do not lose pending doorbell request on migration on P9 (bsc#1061840).
- KVM: PPC: Book3S HV: Do not push XIVE context when not using XIVE device (bsc#1061840).
- KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest (bsc#1061840).
- KVM: PPC: Book3S HV: Fix race in re-enabling XIVE escalation interrupts (bsc#1061840).
- KVM: PPC: Book3S HV: Handle virtual mode in XIVE VCPU push code (bsc#1061840).
- KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the VP (bsc#1061840).
- KVM: PPC: Book3S HV: use smp_mb() when setting/clearing host_ipi flag (bsc#1061840).
- KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling (bsc#1061840).
- KVM: VMX: Consider PID.PIR to determine if vCPU has pending interrupts (bsc#1158064)
- KVM: VMX: Fix conditions for guest IA32_XSS support (bsc#1158065)
- KVM: X86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- KVM: X86: Reduce the overhead when lapic_timer_advance is disabled (bsc#1149083).
- KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Detangle kvm_mmu.h from kvm_hyp.h (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Drop vcpu parameter from guest cache maintenance operartions (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Limit icache invalidation to prefetch aborts (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Only clean the dcache on translation fault (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Preserve Exec permission across R/W permission faults (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm/arm64: Split dcache/icache flushing (jsc#ECO-561,jsc#SLE-10671).
- KVM: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully disabled and !vhe (jsc#ECO-561).
- KVM: x86, powerpc: do not allow clearing largepages debugfs entry (bsc#1117665).
- KVM: x86/mmu: Take slots_lock when using kvm_mmu_zap_all_fast() (bsc#1158067)
- KVM: x86: Do not release the page inside mmu_set_spte() (bsc#1117665).
- KVM: x86: Introduce vcpu->arch.xsaves_enabled (bsc#1158066)
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch) (bsc#1117665).
- KVM: x86: adjust kvm_mmu_page member to save 8 bytes (bsc#1117665).
- KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (bsc#1117665).
- KVM: x86: make FNAME(fetch) and __direct_map more similar (bsc#1117665).
- KVM: x86: remove now unneeded hugepage gfn adjustment (bsc#1117665).
- Linux freeze on VIOS reboot (using ibmvnic) (bsc#1155689)
- NFC: fix attrs checks in netlink interface (bsc#1051510).
- NFC: fix memory leak in llcp_sock_bind() (bsc#1051510).
- NFC: netlink: fix double device reference drop (git-fixes).
- NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error (git-fixes).
- NFC: pn533: fix use-after-free and memleaks (bsc#1051510).
- NFS4: Fix v4.0 client state corruption when mount (git-fixes).
- NFS: Do not interrupt file writeout due to fatal errors (git-fixes).
- NFS: Do not open code clearing of delegation state (git-fixes).
- NFS: Ensure O_DIRECT reports an error if the bytes read/written is 0 (git-fixes).
- NFS: Fix regression whereby fscache errors are appearing on 'nofsc' mounts (git-fixes).
- NFS: Forbid setting AF_INET6 to 'struct sockaddr_in'->sin_family (git-fixes).
- NFS: Refactor nfs_lookup_revalidate() (git-fixes).
- NFS: Remove redundant semicolon (git-fixes).
- NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- NFSv4.1: Again fix a race where CB_NOTIFY_LOCK fails to wake a waiter (git-fixes).
- NFSv4.1: Fix open stateid recovery (git-fixes).
- NFSv4.1: Only reap expired delegations (git-fixes).
- NFSv4/pnfs: Fix a page lock leak in nfs_pageio_resend() (git-fixes).
- NFSv4: Fix OPEN / CLOSE race (git-fixes).
- NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() (git-fixes).
- NFSv4: Fix an Oops in nfs4_do_setattr (git-fixes).
- NFSv4: Fix delegation state recovery (git-fixes).
- NFSv4: Fix lookup revalidate of regular files (git-fixes).
- NFSv4: Handle the special Linux file open access mode (git-fixes).
- NFSv4: Only pass the delegation to setattr if we're sending a truncate (git-fixes).
- PCI/ACPI: Correct error message for ASPM disabling (bsc#1051510).
- PCI/VPD: Prevent VPD access for Amazon's Annapurna Labs Root Port (bsc#1152187,bsc#1152525).
- PCI: Add ACS quirk for Amazon Annapurna Labs root ports (bsc#1152187,bsc#1152525).
- PCI: Add Amazon's Annapurna Labs vendor ID (bsc#1152187,bsc#1152525).
- PCI: Add quirk to disable MSI-X support for Amazon's Annapurna Labs Root Port (bsc#1152187,bsc#1152525).
- PCI: Correct pci=resource_alignment parameter example (bsc#1051510).
- PCI: PM: Fix pci_power_up() (bsc#1051510).
- PCI: al: Add Amazon Annapurna Labs PCIe host controller driver (SLE-9332).
- PCI: dra7xx: Fix legacy INTD IRQ handling (bsc#1087092).
- PCI: hv: Detect and fix Hyper-V PCI domain number collision (bsc#1150423).
- PCI: hv: Use bytes 4 and 5 from instance ID as the PCI domain numbers (bsc#1153263).
- PM: sleep: Fix possible overflow in pm_system_cancel_wakeup() (bsc#1051510).
- PNFS fallback to MDS if no deviceid found (git-fixes).
- Parametrize kgraft vs livepatch.
- RDMA/bnxt_re: Fix spelling mistake 'missin_resp' -> 'missing_resp' (bsc#1050244).
- RDMA/efa: Add Amazon EFA driver (jsc#SLE-4805)
- RDMA/hns: Add mtr support for mixed multihop addressing (bsc#1104427).
- RDMA/hns: Add reset process for function-clear (bsc#1155061).
- RDMA/hns: Bugfix for calculating qp buffer size (bsc#1104427 ).
- RDMA/hns: Bugfix for filling the sge of srq (bsc#1104427 ).
- RDMA/hns: Fix an error code in hns_roce_set_user_sq_size() (bsc#1104427).
- RDMA/hns: Fix comparison of unsigned long variable 'end' with less than zero (bsc#1104427 bsc#1137236).
- RDMA/hns: Fix wrong assignment of qp_access_flags (bsc#1104427 ).
- RDMA/hns: Fixs hw access invalid dma memory error (bsc#1104427 ).
- RDMA/hns: Fixup qp release bug (bsc#1104427).
- RDMA/hns: Modify ba page size for cqe (bsc#1104427).
- RDMA/hns: Remove set but not used variable 'fclr_write_fail_flag' (bsc#1104427).
- RDMA/hns: Remove the some magic number (bsc#1155061).
- RDMA/hns: Remove unnecessary print message in aeq (bsc#1104427 ).
- RDMA/hns: Replace magic numbers with #defines (bsc#1104427 ).
- RDMA/hns: Set reset flag when hw resetting (bsc#1104427 ).
- RDMA/hns: Use %pK format pointer print (bsc#1104427 ).
- RDMA/hns: fix inverted logic of readl read and shift (bsc#1104427).
- RDMA/hns: reset function when removing module (bsc#1104427 ).
- RDMA/restrack: Track driver QP types in resource tracker (jsc#SLE-4805)
- RDMA: Fix goto target to release the allocated memory (bsc#1050244).
- RDMa/hns: Do not stuck in endless timeout loop (bsc#1104427 ).
- README.BRANCH: Add Denis as branch maintainer
- Roce Statistics does not increment for  Broadcom 100gb adapter. (bsc#1157115)
- SUNRPC fix regression in umount of a secure mount (git-fixes).
- SUNRPC/nfs: Fix return value for nfs4_callback_compound() (git-fixes).
- SUNRPC: Handle connection breakages correctly in call_status() (git-fixes).
- UAS: Revert commit 3ae62a42090f ('UAS: fix alignment of scatter/gather segments').
- USB: adutux: fix NULL-derefs on disconnect (bsc#1142635).
- USB: adutux: fix use-after-free on disconnect (bsc#1142635).
- USB: adutux: fix use-after-free on release (bsc#1051510).
- USB: chaoskey: fix use-after-free on release (bsc#1051510).
- USB: chipidea: Fix otg event handler (bsc#1051510).
- USB: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started (bsc#1051510).
- USB: chipidea: udc: do not do hardware access if gadget has stopped (bsc#1051510).
- USB: dummy-hcd: fix power budget for SuperSpeed mode (bsc#1051510).
- USB: gadget: Reject endpoints with 0 maxpacket value (bsc#1051510).
- USB: gadget: composite: Clear 'suspended' on reset/disconnect (bsc#1051510).
- USB: gadget: udc: atmel: Fix interrupt storm in FIFO mode (bsc#1051510).
- USB: gadget: uvc: Factor out video USB request queueing (bsc#1051510).
- USB: gadget: uvc: Only halt video streaming endpoint in bulk mode (bsc#1051510).
- USB: gadget: uvc: configfs: Drop leaked references to config items (bsc#1051510).
- USB: gadget: uvc: configfs: Prevent format changes after linking header (bsc#1051510).
- USB: handle warm-reset port requests on hub resume (bsc#1051510).
- USB: host: fotg2: restart hcd after port reset (bsc#1051510).
- USB: host: ohci: fix a race condition between shutdown and irq (bsc#1051510).
- USB: iowarrior: fix use-after-free after driver unbind (bsc#1051510).
- USB: iowarrior: fix use-after-free on disconnect (bsc#1051510).
- USB: iowarrior: fix use-after-free on release (bsc#1051510).
- USB: ldusb: fix NULL-derefs on driver unbind (bsc#1051510).
- USB: ldusb: fix control-message timeout (bsc#1051510).
- USB: ldusb: fix memleak on disconnect (bsc#1051510).
- USB: ldusb: fix read info leaks (bsc#1051510).
- USB: ldusb: fix ring-buffer locking (bsc#1051510).
- USB: legousbtower: fix a signedness bug in tower_probe() (bsc#1051510).
- USB: legousbtower: fix deadlock on disconnect (bsc#1142635).
- USB: legousbtower: fix memleak on disconnect (bsc#1051510).
- USB: legousbtower: fix open after failed reset request (bsc#1142635).
- USB: legousbtower: fix potential NULL-deref on disconnect (bsc#1142635).
- USB: legousbtower: fix slab info leak at probe (bsc#1142635).
- USB: legousbtower: fix use-after-free on release (bsc#1051510).
- USB: microtek: fix info-leak at probe (bsc#1142635).
- USB: serial: fix runtime PM after driver unbind (bsc#1051510).
- USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 (bsc#1051510).
- USB: serial: keyspan: fix NULL-derefs on open() and write() (bsc#1051510).
- USB: serial: option: add Telit FN980 compositions (bsc#1051510).
- USB: serial: option: add support for Cinterion CLS8 devices (bsc#1051510).
- USB: serial: ti_usb_3410_5052: fix port-close races (bsc#1051510).
- USB: serial: whiteheat: fix line-speed endianness (bsc#1051510).
- USB: serial: whiteheat: fix potential slab corruption (bsc#1051510).
- USB: storage: ums-realtek: Update module parameter description for auto_delink_en (bsc#1051510).
- USB: storage: ums-realtek: Whitelist auto-delink support (bsc#1051510).
- USB: udc: lpc32xx: fix bad bit shift operation (bsc#1051510).
- USB: usb-skeleton: fix NULL-deref on disconnect (bsc#1051510).
- USB: usb-skeleton: fix runtime PM after driver unbind (bsc#1051510).
- USB: usb-skeleton: fix use-after-free after driver unbind (bsc#1051510).
- USB: usbcore: Fix slab-out-of-bounds bug during device reset (bsc#1051510).
- USB: usblcd: fix I/O after disconnect (bsc#1142635).
- USB: usblp: fix runtime PM after driver unbind (bsc#1051510).
- USB: usblp: fix use-after-free on disconnect (bsc#1051510).
- USB: xhci-mtk: fix ISOC error when interval is zero (bsc#1051510).
- USB: xhci: wait for CNR controller not ready bit in xhci resume (bsc#1051510).
- USB: yurex: Do not retry on unexpected errors (bsc#1051510).
- USB: yurex: fix NULL-derefs on disconnect (bsc#1051510).
- USBIP: add config dependency for SGL_ALLOC (git-fixes).
- USBip: Fix free of unallocated memory in vhci tx (git-fixes).
- USBip: Fix vhci_urb_enqueue() URB null transfer buffer error path (git-fixes).
- USBip: Implement SG support to vhci-hcd and stub driver (git-fixes).
- act_mirred: Fix mirred_init_module error handling (bsc#1051510).
- add mainline tags to some patches to allow further work in this branch
- alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP (bsc#1151680).
- appletalk: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- arcnet: provide a buffer big enough to actually receive packets (networking-stable-19_09_30).
- arm64/cpufeature: Convert hook_lock to raw_spin_lock_t in cpu_enable_ssbs() (jsc#ECO-561).
- arm64: Add decoding macros for CP15_32 and CP15_64 traps (jsc#ECO-561).
- arm64: Add part number for Neoverse N1 (jsc#ECO-561).
- arm64: Add silicon-errata.txt entry for ARM erratum 1188873 (jsc#ECO-561).
- arm64: Add support for new control bits CTR_EL0.DIC and CTR_EL0.IDC (jsc#ECO-561,jsc#SLE-10671).
- arm64: Apply ARM64_ERRATUM_1188873 to Neoverse-N1 (jsc#ECO-561).
- arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).
- arm64: Fix mismatched cache line size detection (jsc#ECO-561,jsc#SLE-10671).
- arm64: Fix silly typo in comment (jsc#ECO-561).
- arm64: Force SSBS on context switch (jsc#ECO-561).
- arm64: Handle erratum 1418040 as a superset of erratum 1188873 (jsc#ECO-561). 
- arm64: Introduce sysreg_clear_set() (jsc#ECO-561).
- arm64: KVM: Add invalidate_icache_range helper (jsc#ECO-561,jsc#SLE-10671).
- arm64: KVM: PTE/PMD S2 XN bit definition (jsc#ECO-561,jsc#SLE-10671).
- arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT (jsc#ECO-561).
- arm64: PCI: Preserve firmware configuration when desired (SLE-9332).
- arm64: Restrict ARM64_ERRATUM_1188873 mitigation to AArch32 (jsc#ECO-561).
- arm64: Update config files. (bsc#1156466) Enable HW_RANDOM_OMAP driver and mark driver omap-rng as supported.
- arm64: arch_timer: Add workaround for ARM erratum 1188873 (jsc#ECO-561). 
- arm64: arch_timer: avoid unused function warning (jsc#ECO-561).
- arm64: compat: Add CNTFRQ trap handler (jsc#ECO-561).
- arm64: compat: Add CNTVCT trap handler (jsc#ECO-561).
- arm64: compat: Add condition code checks and IT advance (jsc#ECO-561).
- arm64: compat: Add cp15_32 and cp15_64 handler arrays (jsc#ECO-561).
- arm64: compat: Add separate CP15 trapping hook (jsc#ECO-561).
- arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpu: Move errata and feature enable callbacks closer to callers (jsc#ECO-561).
- arm64: cpu_errata: Remove ARM64_MISMATCHED_CACHE_LINE_SIZE (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: Detect SSBS and advertise to userspace (jsc#ECO-561). 
- arm64: cpufeature: Fix handling of CTR_EL0.IDC field (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: Trap CTR_EL0 access only where it is necessary (jsc#ECO-561,jsc#SLE-10671).
- arm64: cpufeature: ctr: Fix cpu capability check for late CPUs (jsc#ECO-561,jsc#SLE-10671).
- arm64: entry: Allow handling of undefined instructions from EL1 (jsc#ECO-561).
- arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).
- arm64: fix SSBS sanitization (jsc#ECO-561).
- arm64: force_signal_inject: WARN if called from kernel context (jsc#ECO-561).
- arm64: kill change_cpacr() (jsc#ECO-561).
- arm64: kill config_sctlr_el1() (jsc#ECO-561).
- arm64: move SCTLR_EL{1,2} assertions to <asm/sysreg.h> (jsc#ECO-561).
- arm64: ssbd: Add support for PSTATE.SSBS rather than trapping to EL3 (jsc#ECO-561). 
- arm64: ssbd: Drop #ifdefs for PR_SPEC_STORE_BYPASS (jsc#ECO-561).
- arm: KVM: Add optimized PIPT icache flushing (jsc#ECO-561,jsc#SLE-10671).
- ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet (bsc#1111666).
- ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3 (bsc#1111666).
- ath10k: avoid possible memory access violation (bsc#1111666).
- ath10k: fix kernel panic by moving pci flush after napi_disable (bsc#1051510).
- ath10k: limit available channels via DT ieee80211-freq-limit (bsc#1051510).
- ath10k: skip resetting rx filter for WCN3990 (bsc#1111666).
- ath10k: wmi: disable softirq's while calling ieee80211_rx (bsc#1051510).
- ath9k: Fix a locking bug in ath9k_add_interface() (bsc#1051510).
- ath9k: add back support for using active monitor interfaces for tx99 (bsc#1051510).
- ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init (bsc#1051510).
- ath9k: fix tx99 with monitor mode interface (bsc#1051510).
- atm: iphase: Fix Spectre v1 vulnerability (networking-stable-19_08_08).
- auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach (bsc#1051510).
- ax25: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- ax88172a: fix information leak on short answers (bsc#1051510).
- bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA (bsc#1051510).
- blk-flush: do not run queue for requests bypassing flush (bsc#1137959).
- blk-flush: use blk_mq_request_bypass_insert() (bsc#1137959).
- blk-mq-sched: decide how to handle flush rq via RQF_FLUSH_SEQ (bsc#1137959).
- blk-mq: Fix memory leak in blk_mq_init_allocated_queue error handling (bsc#1151610).
- blk-mq: backport fixes for blk_mq_complete_e_request_sync() (bsc#1145661).
- blk-mq: do not allocate driver tag upfront for flush rq (bsc#1137959).
- blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue (bsc#1137959).
- blk-mq: introduce blk_mq_complete_request_sync() (bsc#1145661).
- blk-mq: introduce blk_mq_request_completed() (bsc#1149446).
- blk-mq: introduce blk_mq_tagset_wait_completed_request() (bsc#1149446).
- blk-mq: kABI fixes for blk-mq.h (bsc#1137959).
- blk-mq: move blk_mq_put_driver_tag*() into blk-mq.h (bsc#1137959).
- blk-mq: punt failed direct issue to dispatch list (bsc#1137959).
- blk-mq: put the driver tag of nxt rq before first one is requeued (bsc#1137959).
- blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait (bsc#1141543).
- blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait (bsc#1141543).
- blk-wbt: abstract out end IO completion handler (bsc#1135873).
- blk-wbt: fix has-sleeper queueing check (bsc#1135873).
- blk-wbt: improve waking of tasks (bsc#1135873).
- blk-wbt: move disable check into get_limit() (bsc#1135873).
- blk-wbt: use wq_has_sleeper() for wq active check (bsc#1135873).
- block: add io timeout to sysfs (bsc#1148410).
- block: add io timeout to sysfs (bsc#1148410).
- block: do not show io_timeout if driver has no timeout handler (bsc#1148410).
- block: do not show io_timeout if driver has no timeout handler (bsc#1148410).
- block: fix timeout changes for legacy request drivers (bsc#1149446).
- block: kABI fixes for BLK_EH_DONE renaming (bsc#1142076).
- block: rename BLK_EH_NOT_HANDLED to BLK_EH_DONE (bsc#1142076).
- bnx2x: Disable multi-cos feature (networking-stable-19_08_08).
- bnx2x: Fix VF's VLAN reconfiguration in reload (bsc#1086323 ).
- bnxt_en: Add PCI IDs for 57500 series NPAR devices (bsc#1153607).
- bnxt_en: Fix VNIC clearing logic for 57500 chips (bsc#1104745 ).
- bnxt_en: Fix to include flow direction in L2 key (bsc#1104745 ).
- bnxt_en: Improve RX doorbell sequence (bsc#1104745).
- bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands (bsc#1104745).
- bnxt_en: Use correct src_fid to determine direction of the flow (bsc#1104745).
- bonding/802.3ad: fix link_failure_count tracking (bsc#1137069 bsc#1141013).
- bonding/802.3ad: fix slave link initialization transition states (bsc#1137069 bsc#1141013).
- bonding: Add vlan tx offload to hw_enc_features (networking-stable-19_08_21).
- bonding: set default miimon value for non-arp modes if not set (bsc#1137069 bsc#1141013).
- bonding: speed/duplex update at NETDEV_UP event (bsc#1137069 bsc#1141013).
- bpf: Fix use after free in subprog's jited symbol removal (bsc#1109837).
- bpf: fix BTF limits (bsc#1109837).
- bpf: fix BTF verification of enums (bsc#1109837).
- bpf: fix use after free in prog symbol exposure (bsc#1083647).
- brcmfmac: fix wrong strnchr usage (bsc#1111666).
- brcmfmac: increase buffer for obtaining firmware capabilities (bsc#1111666).
- brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bsc#1111666).
- brcmfmac: sdio: Do not tune while the card is off (bsc#1111666).
- brcmsmac: Use kvmalloc() for ucode allocations (bsc#1111666).
- bridge/mdb: remove wrong use of NLM_F_MULTI (networking-stable-19_09_15).
- can: c_can: c_can_poll(): only read status register after status IRQ (git-fixes).
- can: dev: call netif_carrier_off() in register_candev() (bsc#1051510).
- can: mcba_usb: fix use-after-free on disconnect (git-fixes).
- can: mcp251x: mcp251x_hw_reset(): allow more time after a reset (bsc#1051510).
- can: peak_usb: fix a potential out-of-sync while decoding packets (git-fixes).
- can: peak_usb: fix slab info leak (git-fixes).
- can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max (git-fixes).
- can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak (git-fixes).
- can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak (git-fixes).
- can: usb_8dev: fix use-after-free on disconnect (git-fixes).
- can: xilinx_can: xcan_probe(): skip error message on deferred probe (bsc#1051510).
- ccw ipl bugfix (bsc#1156471)
- cdc_ether: fix rndis support for Mediatek based smartphones (networking-stable-19_09_15).
- cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize (bsc#1051510).
- ceph: add missing check in d_revalidate snapdir handling (bsc#1157183).
- ceph: do not try to handle hashed dentries in non-O_CREAT atomic_open (bsc#1157184).
- ceph: fix directories inode i_blkbits initialization (bsc#1153717).
- ceph: fix use-after-free in __ceph_remove_cap() (bsc#1154058).
- ceph: just skip unrecognized info in ceph_reply_info_extra (bsc#1157182).
- ceph: reconnect connection if session hang in opening state (bsc#1153718).
- ceph: update the mtime when truncating up (bsc#1153719).
- ceph: use ceph_evict_inode to cleanup inode's resource (bsc#1148133).
- cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set (bsc#1051510).
- cfg80211: Purge frame registrations on iftype change (bsc#1051510).
- cfg80211: add and use strongly typed element iteration macros (bsc#1051510).
- cfg80211: validate wmm rule when setting (bsc#1111666).
- cifs: System crash in smb2_push_mandatory_locks() (bsc#1154355)
- cifs: handle netapp error codes (bsc#1136261).
- clk: at91: avoid sleeping early (git-fixes).
- clk: at91: fix update bit maps on CFG_MOR write (bsc#1051510).
- clk: at91: select parent if main oscillator or bypass is enabled (bsc#1051510).
- clk: qoriq: Fix -Wunused-const-variable (bsc#1051510).
- clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume (git-fixes).
- clk: sirf: Do not reference clk_init_data after registration (bsc#1051510).
- clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18 (git-fixes).
- clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks (bsc#1051510).
- clk: sunxi-ng: v3s: add the missing PLL_DDR1 (bsc#1051510).
- clk: zx296718: Do not reference clk_init_data after registration (bsc#1051510).
- component: fix loop condition to call unbind() if bind() fails (bsc#1051510).
- config: arm64: enable erratum 1418040 and 1542419
- crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t (bsc#1154737).
- crypto: af_alg - Initialize sg_num_bytes in error code path (bsc#1051510).
- crypto: af_alg - consolidation of duplicate code (bsc#1154737).
- crypto: af_alg - fix race accessing cipher request (bsc#1154737).
- crypto: af_alg - remove locking in async callback (bsc#1154737).
- crypto: af_alg - update correct dst SGL entry (bsc#1051510).
- crypto: af_alg - wait for data at beginning of recvmsg (bsc#1154737).
- crypto: algif - return error code when no data was processed (bsc#1154737).
- crypto: algif_aead - copy AAD from src to dst (bsc#1154737).
- crypto: algif_aead - fix reference counting of null skcipher (bsc#1154737).
- crypto: algif_aead - overhaul memory management (bsc#1154737).
- crypto: algif_aead - skip SGL entries with NULL page (bsc#1154737).
- crypto: algif_skcipher - overhaul memory management (bsc#1154737).
- crypto: caam - fix concurrency issue in givencrypt descriptor (bsc#1051510).
- crypto: caam - free resources in case caam_rng registration failed (bsc#1051510).
- crypto: caam/qi - fix error handling in ERN handler (bsc#1111666).
- crypto: cavium/zip - Add missing single_release() (bsc#1051510).
- crypto: ccp - Reduce maximum stack usage (bsc#1051510).
- crypto: fix a memory leak in rsa-kcs1pad's encryption mode (bsc#1051510).
- crypto: qat - Silence smp_processor_id() warning (bsc#1051510).
- crypto: s5p-sss: Fix Fix argument list alignment (bsc#1051510).
- crypto: skcipher - Unmap pages after an external error (bsc#1051510).
- crypto: talitos - fix missing break in switch statement (bsc#1142635).
- cx82310_eth: fix a memory leak bug (bsc#1051510).
- cxgb4: Signedness bug in init_one() (bsc#1097585 bsc#1097586 bsc#1097587 bsc#1097588 bsc#1097583 bsc#1097584).
- cxgb4: do not dma memory off of the stack (bsc#1152790).
- cxgb4: fix endianness for vlan value in cxgb4_tc_flower (bsc#1064802 bsc#1066129).
- cxgb4: offload VLAN flows regardless of VLAN ethtype (bsc#1064802 bsc#1066129).
- cxgb4: reduce kernel stack usage in cudbg_collect_mem_region() (bsc#1073513).
- cxgb4: request the TX CIDX updates to status page (bsc#1127354 bsc#1127371).
- cxgb4: smt: Add lock for atomic_dec_and_test (bsc#1064802 bsc#1066129).
- cxgb4:Fix out-of-bounds MSI-X info array access (networking-stable-19_10_05).
- dasd_fba: Display '00000000' for zero page when dumping sense (bsc#1123080).
- dma-buf/sw_sync: Synchronize signal vs syncpt free (bsc#1111666).
- dmaengine: bcm2835: Print error in case setting DMA mask fails (bsc#1051510).
- dmaengine: dma-jz4780: Do not depend on MACH_JZ4780 (bsc#1051510).
- dmaengine: dma-jz4780: Further residue status fix (bsc#1051510).
- dmaengine: dw: platform: Switch to acpi_dma_controller_register() (bsc#1051510).
- dmaengine: imx-sdma: fix size check for sdma script_number (bsc#1051510).
- dmaengine: iop-adma.c: fix printk format warning (bsc#1051510).
- documationat fix: adding a Network Bridge (bsc#1117169)
- drivers: thermal: int340x_thermal: Fix sysfs race condition (bsc#1051510).
- drm/amd/display: Restore backlight brightness after system resume (bsc#1112178)
- drm/amd/display: fix issue where 252-255 values are clipped (bsc#1111666).
- drm/amd/display: fix odm combine pipe reset (bsc#1111666).
- drm/amd/display: reprogram VM config when system resume (bsc#1111666).
- drm/amd/display: support spdif (bsc#1111666).
- drm/amd/dm: Understand why attaching path/tile properties are needed (bsc#1111666).
- drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) (bsc#1051510).
- drm/amd/pp: Fix truncated clock value when set watermark (bsc#1111666).
- drm/amdgpu/gfx9: Update gfx9 golden settings (bsc#1111666).
- drm/amdgpu/powerplay/vega10: allow undervolting in p7 (bsc#1111666).
- drm/amdgpu/si: fix ASIC tests (git-fixes).
- drm/amdgpu: Add APTX quirk for Dell Latitude 5495 (bsc#1142635)
- drm/amdgpu: Check for valid number of registers to read (bsc#1051510).
- drm/amdgpu: Fix KFD-related kernel oops on Hawaii (bsc#1111666).
- drm/amdgpu: Update gc_9_0 golden settings (bsc#1111666).
- drm/amdgpu: fix memory leak (bsc#1111666).
- drm/amdkfd: Add missing Polaris10 ID (bsc#1111666).
- drm/ast: Fixed reboot test may cause system hanged (bsc#1051510).
- drm/atomic_helper: Allow DPMS On<->Off changes for unregistered connectors (bsc#1111666).
- drm/atomic_helper: Disallow new modesets on unregistered connectors (bsc#1111666).
- drm/atomic_helper: Stop modesets on unregistered connectors harder (bsc#1111666).
- drm/bridge: tc358767: Increase AUX transfer length limit (bsc#1051510).
- drm/bridge: tfp410: fix memleak in get_modes() (bsc#1111666).
- drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1113722)
- drm/i915/cmdparser: Add support for backward jumps (bsc#1135967)
- drm/i915/cmdparser: Ignore Length operands during command matching (bsc#1135967)
- drm/i915/cmdparser: Use explicit goto for error paths (bsc#1135967)
- drm/i915/cml: Add second PCH ID for CMP (bsc#1111666).
- drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)
- drm/i915/gtt: Add read only pages to gen8_pte_encode (bsc#1135967)
- drm/i915/gtt: Disable read-only support under GVT (bsc#1135967)
- drm/i915/gtt: Read-only pages for insert_entries on bdw (bsc#1135967)
- drm/i915/gvt: update vgpu workload head pointer correctly (bsc#1112178)
- drm/i915/ilk: Fix warning when reading emon_status with no output (bsc#1111666).
- drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)
- drm/i915: Add support for mandatory cmdparsing (bsc#1135967)
- drm/i915: Allow parsing of unsized batches (bsc#1135967)
- drm/i915: Cleanup gt powerstate from gem (bsc#1111666).
- drm/i915: Disable Secure Batches for gen6+
- drm/i915: Do not deballoon unused ggtt drm_mm_node in linux guest (bsc#1142635)
- drm/i915: Fix intel_dp_mst_best_encoder() (bsc#1111666).
- drm/i915: Fix various tracepoints for gen2 (bsc#1113722)
- drm/i915: Lower RM timeout to avoid DSI hard hangs (bsc#1135967)
- drm/i915: Prevent writing into a read-only object via a GGTT mmap (bsc#1135967)
- drm/i915: Remove Master tables from cmdparser
- drm/i915: Rename gen7 cmdparser tables (bsc#1135967)
- drm/i915: Restore relaxed padding (OCL_OOB_SUPPRES_ENABLE) for skl+ (bsc#1142635)
- drm/i915: Restore sane defaults for KMS on GEM error load (bsc#1111666).
- drm/i915: Support ro ppgtt mapped cmdparser shadow buffers (bsc#1135967)
- drm/imx: Drop unused imx-ipuv3-crtc.o build (bsc#1113722)
- drm/mediatek: set DMA max segment size (bsc#1111666).
- drm/msm/dpu: handle failures while initializing displays (bsc#1111666).
- drm/msm/dsi: Fix return value check for clk_get_parent (bsc#1111666).
- drm/msm/dsi: Implement reset correctly (bsc#1051510).
- drm/msm/dsi: Implement reset correctly (bsc#1154048)
- drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling (bsc#1111666).
- drm/nouveau/kms/nv50-: Do not create MSTMs for eDP connectors (bsc#1112178)
- drm/nouveau/volt: Fix for some cards having 0 maximum voltage (bsc#1111666).
- drm/omap: fix max fclk divider for omap36xx (bsc#1111666).
- drm/omap: fix max fclk divider for omap36xx (bsc#1113722)
- drm/panel: check failure cases in the probe func (bsc#1111666).
- drm/panel: make drm_panel.h self-contained (bsc#1111666).
- drm/panel: simple: fix AUO g185han01 horizontal blanking (bsc#1051510).
- drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed (bsc#1111666).
- drm/radeon: Fix EEH during kexec (bsc#1051510).
- drm/radeon: fix si_enable_smc_cac() failed issue (bsc#1113722)
- drm/rockchip: Check for fast link training before enabling psr (bsc#1111666).
- drm/stm: attach gem fence to atomic state (bsc#1111666).
- drm/tilcdc: Register cpufreq notifier after we have initialized crtc (bsc#1051510).
- drm/vmwgfx: Fix double free in vmw_recv_msg() (bsc#1051510).
- drm: Flush output polling on shutdown (bsc#1051510).
- drm: add __user attribute to ptr_to_compat() (bsc#1111666).
- drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC (bsc#1111666).
- drm: rcar-du: lvds: Fix bridge_to_rcar_lvds (bsc#1111666).
- e1000e: add workaround for possible stalled packet (bsc#1051510).
- eeprom: at24: make spd world-readable again (git-fixes).
- efi/arm: Show SMBIOS bank/device location in CPER and GHES error logs (bsc#1152033).
- efi/memattr: Do not bail on zero VA if it equals the region's PA (bsc#1051510).
- efi: cper: print AER info of PCIe fatal error (bsc#1051510).
- efivar/ssdt: Do not iterate over EFI vars if no SSDT override was specified (bsc#1051510).
- ext4: fix warning inside ext4_convert_unwritten_extents_endio (bsc#1152025).
- ext4: set error return correctly when ext4_htree_store_dirent fails (bsc#1152024).
- extcon: cht-wc: Return from default case to avoid warnings (bsc#1051510).
- firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices (git-fixes).
- floppy: fix usercopy direction (bsc#1111666).
- gpio: Move gpiochip_lock/unlock_as_irq to gpio/driver.h (bsc#1051510).
- gpio: fix line flag validation in lineevent_create (bsc#1051510).
- gpio: fix line flag validation in linehandle_create (bsc#1051510).
- gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist (bsc#1051510).
- gpiolib: only check line handle flags once (bsc#1051510).
- gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() (bsc#1051510).
- hso: fix NULL-deref on tty open (bsc#1051510).
- hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' (bsc#1051510).
- hwmon: (lm75) Fix write operations for negative temperatures (bsc#1051510).
- hwmon: (shtc1) fix shtc1 and shtw1 id mask (bsc#1051510).
- hwrng: core - do not wait on add_early_randomness() (git-fixes).
- hyperv: set nvme msi interrupts to unmanaged (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905).
- i2c: designware: Synchronize IRQs when unregistering slave client (bsc#1111666).
- i2c: emev2: avoid race when unregistering slave client (bsc#1051510).
- i2c: piix4: Fix port selection for AMD Family 16h Model 30h (bsc#1051510).
- i2c: riic: Clear NACK in tend isr (bsc#1051510).
- i40e: Add support for X710 device (bsc#1151067).
- ibmvnic: Do not process reset during or after device removal (bsc#1149652 ltc#179635).
- ice: fix potential infinite loop because loop counter being too small (bsc#1118661).
- ieee802154: atusb: fix use-after-free at disconnect (bsc#1051510).
- ieee802154: ca8210: prevent memory leak (bsc#1051510).
- ieee802154: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- ife: error out when nla attributes are empty (networking-stable-19_08_08).
- iio: adc: ad799x: fix probe error handling (bsc#1051510).
- iio: adc: max9611: explicitly cast gain_selectors (bsc#1051510).
- iio: adc: stm32-adc: fix stopping dma (git-fixes).
- iio: dac: ad5380: fix incorrect assignment to val (bsc#1051510).
- iio: dac: mcp4922: fix error handling in mcp4922_write_raw (bsc#1051510).
- iio: imu: adis16480: make sure provided frequency is positive (git-fixes).
- iio: light: opt3001: fix mutex unlock race (bsc#1051510).
- ima: always return negative code for error (bsc#1051510).
- integrity: prevent deadlock during digsig verification (bsc#1090631).
- intel_th: pci: Add Tiger Lake support (bsc#1051510).
- intel_th: pci: Add support for another Lewisburg PCH (bsc#1051510).
- iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 (bsc#1137799).
- iommu/amd: Check PM_LEVEL_SIZE() condition in locked section (bsc#1154608).
- iommu/amd: Fix race in increase_address_space() (bsc#1150860).
- iommu/amd: Flush old domains in kdump kernel (bsc#1150861).
- iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems (bsc#1137799).
- iommu/amd: Remove domain->updated (bsc#1154610).
- iommu/amd: Wait for completion of IOTLB flush in attach_device (bsc#1154611).
- iommu/dma: Fix for dereferencing before null checking (bsc#1151667).
- iommu/iova: Avoid false sharing on fq_timer_on (bsc#1151662).
- iommu/iova: Avoid false sharing on fq_timer_on (bsc#1151671).
- iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros (bsc#1158063)
- iommu: Do not use sme_active() in generic code (bsc#1151661).
- ip6_tunnel: fix possible use-after-free on xmit (networking-stable-19_08_08).
- ipmi:dmi: Ignore IPMI SMBIOS entries with a zero base address (bsc#1051510).
- ipmi_si: Only schedule continuously in the thread in maintenance mode (bsc#1051510).
- ipv6/addrconf: allow adding multicast addr if IFA_F_MCAUTOJOIN is set (networking-stable-19_08_28).
- ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' (networking-stable-19_09_15).
- ipv6: Handle missing host route in __ipv6_ifa_notify (networking-stable-19_10_05).
- ipv6: drop incoming packets having a v4mapped source address (networking-stable-19_10_05).
- irqchip/gic-v2m: Add support for Amazon Graviton variant of GICv3+GICv2m (SLE-9332).
- irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices (jsc#ECO-561).
- irqchip/gic-v3-its: Fix command queue pointer comparison bug (jsc#ECO-561).
- irqchip/gic-v3-its: Fix misuse of GENMASK macro (jsc#ECO-561).
- irqdomain: Add the missing assignment of domain->fwnode for named fwnode (bsc#1111666).
- isdn/capi: check message length in capi_write() (bsc#1051510).
- iwlwifi: api: annotate compressed BA notif array sizes (bsc#1051510).
- iwlwifi: do not panic in error path on non-msix systems (bsc#1155692).
- iwlwifi: drop packets with bad status in CD (bsc#1111666).
- iwlwifi: exclude GEO SAR support for 3168 (bsc#1111666).
- iwlwifi: exclude GEO SAR support for 3168 (git-fixes).
- iwlwifi: fix bad dma handling in page_mem dumping flow (bsc#1120902).
- iwlwifi: fw: do not send GEO_TX_POWER_LIMIT command to FW version 36 (bsc#1111666).
- iwlwifi: fw: use helper to determine whether to dump paging (bsc#1106434). Patch needed to be adjusted, because our tree does not have the global variable IWL_FW_ERROR_DUMP_PAGING
- iwlwifi: mvm: avoid sending too many BARs (bsc#1051510).
- iwlwifi: mvm: use correct FIFO length (bsc#1111666).
- iwlwifi: pcie: fit reclaim msg to MAX_MSG_LEN (bsc#1111666).
- iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (bsc#1111666).
- iwlwifi: pcie: read correct prph address for newer devices (bsc#1111666).
- ixgbe: Fix secpath usage for IPsec TX offload (bsc#1113994 bsc#1151807).
- ixgbe: Prevent u8 wrapping of ITR value to something less than 10us (bsc#1101674).
- ixgbe: fix double clean of Tx descriptors with xdp (bsc#1113994 ).
- ixgbe: fix possible deadlock in ixgbe_service_task() (bsc#1113994).
- ixgbe: sync the first fragment unconditionally (bsc#1133140).
- ixgbevf: Fix secpath usage for IPsec Tx offload (bsc#1113994 ).
- kABI protect enum RDMA_DRIVER_EFA (jsc#SLE-4805)
- kABI protect struct vmem_altmap (bsc#1150305).
- kABI workaround for ath10k hw_filter_reset_required field (bsc#1111666).
- kABI workaround for crypto/af_alg changes (bsc#1154737).
- kABI workaround for drm_connector.registered type changes (bsc#1111666).
- kABI workaround for drm_vma_offset_node readonly field addition (bsc#1135967)
- kABI workaround for iwlwifi iwl_rx_cmd_buffer change (bsc#1111666).
- kABI workaround for mmc_host retune_crc_disable flag addition (bsc#1111666).
- kABI workaround for snd_hda_pick_pin_fixup() changes (bsc#1051510).
- kABI/severities: Whitelist a couple of xive functions xive_cleanup_irq_data and xive_native_populate_irq_data are exported by the xive interupt controller driver and used by KVM. I do not expect any out-of-tree driver can sanely use these.
- kABI/severities: Whitelist functions internal to radix mm. To call these functions you have to first detect if you are running in radix mm mode which can't be expected of OOT code.
- kABI: media: em28xx: fix handler for vidioc_s_input() (bsc#1051510). fixes kABI
- kABI: media: em28xx: stop rewriting device's struct (bsc#1051510). fixes kABI
- kABI: net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- kernel-binary.spec.in: Fix build of non-modular kernels (boo#1154578).
- kernel-binary.spec.in: Obsolete kgraft packages only when not building them.
- kernel-binary: Drop .kernel-binary.spec.buildenv (boo#1154578). 
- kernel-subpackage-build: create zero size ghost for uncompressed vmlinux (bsc#1154354).
- kernel/sysctl.c: do not override max_threads provided by userspace (bnc#1150875).
- keys: Fix missing null pointer check in request_key_auth_describe() (bsc#1051510).
- ksm: cleanup stable_node chain collapse case (bnc#1144338).
- ksm: fix use after free with merge_across_nodes = 0 (bnc#1144338).
- ksm: introduce ksm_max_page_sharing per page deduplication limit (bnc#1144338).
- ksm: optimize refile of stable_node_dup at the head of the chain (bnc#1144338).
- ksm: swap the two output parameters of chain/chain_prune (bnc#1144338).
- lan78xx: Fix memory leaks (bsc#1051510).
- leds: leds-lp5562 allow firmware files up to the maximum length (bsc#1051510).
- leds: trigger: gpio: GPIO 0 is valid (bsc#1051510).
- lib/mpi: Fix karactx leak in mpi_powm (bsc#1051510).
- lib/scatterlist: Fix chaining support in sgl_alloc_order() (git-fixes).
- lib/scatterlist: Introduce sgl_alloc() and sgl_free() (git-fixes).
- libertas: Add missing sentinel at end of if_usb.c fw_table (bsc#1051510).
- libertas_tf: Use correct channel range in lbtf_geo_init (bsc#1051510).
- libiscsi: do not try to bypass SCSI EH (bsc#1142076).
- libnvdimm/altmap: Track namespace boundaries in altmap (bsc#1150305).
- libnvdimm/security: provide fix for secure-erase to use zero-key (bsc#1149853).
- libnvdimm: prevent nvdimm from requesting key when security is disabled (bsc#1137982).
- lightnvm: remove dependencies on BLK_DEV_NVME and PCI (bsc#1150846).
- liquidio: add cleanup in octeon_setup_iq() (bsc#1051510).
- liquidio: fix race condition in instruction completion processing (bsc#1051510).
- livepatch: Nullify obj->mod in klp_module_coming()'s error path (bsc#1071995).
- lpfc: Add FA-WWN Async Event reporting (bsc#1154521).
- lpfc: Add FC-AL support to lpe32000 models (bsc#1154521).
- lpfc: Add additional discovery log messages (bsc#1154521).
- lpfc: Add log macros to allow print by serverity or verbocity setting (bsc#1154521).
- lpfc: Fix SLI3 hba in loop mode not discovering devices (bsc#1154521).
- lpfc: Fix bad ndlp ptr in xri aborted handling (bsc#1154521).
- lpfc: Fix hardlockup in lpfc_abort_handler (bsc#1154521).
- lpfc: Fix lockdep errors in sli_ringtx_put (bsc#1154521).
- lpfc: Fix reporting of read-only fw error errors (bsc#1154521).
- lpfc: Make FW logging dynamically configurable (bsc#1154521).
- lpfc: Remove lock contention target write path (bsc#1154521).
- lpfc: Revise interrupt coalescing for missing scenarios (bsc#1154521).
- lpfc: Slight fast-path Performance optimizations (bsc#1154521).
- lpfc: Update lpfc version to 12.6.0.0 (bsc#1154521).
- lpfc: fix coverity error of dereference after null check (bsc#1154521).
- lpfc: fix lpfc_nvmet_mrq to be bound by hdw queue count (bsc#1154521).
- lpfc: size cpu map by last cpu id set (bsc#1157160).
- mISDN: enforce CAP_NET_RAW for raw sockets (bsc#1051510).
- mac80211: Reject malformed SSID elements (bsc#1051510).
- mac80211: accept deauth frames in IBSS mode (bsc#1051510).
- mac80211: fix txq null pointer dereference (bsc#1051510).
- mac80211: minstrel_ht: fix per-group max throughput rate initialization (bsc#1051510).
- macsec: drop skb sk before calling gro_cells_receive (bsc#1051510).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: avoid RAID0 data corruption due to layout confusion (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- md/raid0: fix warning message for parameter default_layout (bsc#1140090).
- md/raid6: Set R5_ReadError when there is read failure on parity disk (git-fixes).
- md: do not report active array_state until after revalidate_disk() completes (git-fixes).
- md: only call set_in_sync() when it is expected to succeed (git-fixes).
- media: Revert '[media] marvell-ccic: reset ccic phy when stop streaming for stability' (bsc#1051510).
- media: atmel: atmel-isc: fix asd memory allocation (bsc#1135642).
- media: atmel: atmel-isi: fix timeout value for stop streaming (bsc#1051510).
- media: au0828: Fix incorrect error messages (bsc#1051510).
- media: cpia2_usb: fix memory leaks (bsc#1051510).
- media: davinci: Fix implicit enum conversion warning (bsc#1051510).
- media: dib0700: fix link error for dibx000_i2c_set_speed (bsc#1051510).
- media: dvb-core: fix a memory leak bug (bsc#1051510).
- media: em28xx: fix handler for vidioc_s_input() (bsc#1051510).
- media: em28xx: stop rewriting device's struct (bsc#1051510).
- media: exynos4-is: fix leaked of_node references (bsc#1051510).
- media: fdp1: Reduce FCP not found message level to debug (bsc#1051510).
- media: fix: media: pci: meye: validate offset to avoid arbitrary access (bsc#1051510).
- media: gspca: zero usb_buf on error (bsc#1051510).
- media: hdpvr: Add device num check and handling (bsc#1051510).
- media: hdpvr: add terminating 0 at end of string (bsc#1051510).
- media: i2c: ov5645: Fix power sequence (bsc#1051510).
- media: iguanair: add sanity checks (bsc#1051510).
- media: marvell-ccic: do not generate EOF on parallel bus (bsc#1051510).
- media: mc-device.c: do not memset __user pointer contents (bsc#1051510).
- media: omap3isp: Do not set streaming state on random subdevs (bsc#1051510).
- media: omap3isp: Set device on omap3isp subdevs (bsc#1051510).
- media: ov6650: Fix sensor possibly not detected on probe (bsc#1051510).
- media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper (bsc#1051510).
- media: ov9650: add a sanity check (bsc#1051510).
- media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init() (bsc#1051510).
- media: radio/si470x: kill urb on error (bsc#1051510).
- media: replace strcpy() by strscpy() (bsc#1051510).
- media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() (bsc#1051510).
- media: saa7146: add cleanup in hexium_attach() (bsc#1051510).
- media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table (bsc#1051510).
- media: stkwebcam: fix runtime PM after driver unbind (bsc#1051510).
- media: technisat-usb2: break out of loop at end of buffer (bsc#1051510).
- media: tm6000: double free if usb disconnect while streaming (bsc#1051510).
- media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() (bsc#1051510).
- media: vb2: Fix videobuf2 to map correct area (bsc#1051510).
- memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' (bsc#1051510).
- mfd: intel-lpss: Remove D3cold delay (bsc#1051510).
- mic: avoid statically declaring a 'struct device' (bsc#1051510).
- mld: fix memory leak in mld_del_delrec() (networking-stable-19_09_05).
- mlxsw: spectrum_flower: Fail in case user specifies multiple mirror actions (bsc#1112374).
- mm, page_owner, debug_pagealloc: save and dump freeing stack trace (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: decouple freeing stack trace from debug_pagealloc (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: fix off-by-one error in __set_page_owner_handle() (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: keep owner info when freeing the page (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: make init_pages_in_zone() faster (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: record page owner for each subpage (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm, page_owner: rename flag indicating that page is allocated (jsc#SLE-8956, bsc#1144653, VM Debug Functionality).
- mm/memcontrol.c: fix use after free in mem_cgroup_iter() (bsc#1149224, VM Functionality).
- mmc: core: API to temporarily disable retuning for SDIO CRC errors (bsc#1111666).
- mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bsc#1111666).
- mmc: core: Fix init of SD cards reporting an invalid VDD range (bsc#1051510).
- mmc: sdhci-esdhc-imx: correct the fix of ERR004536 (git-fixes).
- mmc: sdhci-msm: fix mutex while in spinlock (bsc#1142635).
- mmc: sdhci-of-arasan: Do now show error message in case of deffered probe (bsc#1119086).
- mmc: sdhci-of-at91: fix quirk2 overwrite (git-fixes).
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence (bsc#1051510).
- mmc: sdhci: Fix incorrect switch to HS mode (bsc#1051510).
- mmc: sdhci: improve ADMA error reporting (bsc#1051510).
- mtd: nand: mtk: fix incorrect register setting order about ecc irq.
- mtd: spi-nor: Fix Cadence QSPI RCU Schedule Stall (bsc#1051510).
- mvpp2: refactor MTU change code (networking-stable-19_08_08).
- mwifex: free rx_cmd skb in suspended state (bsc#1111666).
- mwifiex: do no submit URB in suspended state (bsc#1111666).
- net/ibmvnic: Fix EOI when running in XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/ibmvnic: Fix missing { in __ibmvnic_reset (bsc#1149652 ltc#179635).
- net/ibmvnic: free reset work of removed device from queue (bsc#1149652 ltc#179635).
- net/ibmvnic: prevent more than one thread from running in reset (bsc#1152457 ltc#174432).
- net/ibmvnic: unlock rtnl_lock in reset so linkwatch_event can run (bsc#1152457 ltc#174432).
- net/mlx4_en: fix a memory leak bug (bsc#1046299).
- net/mlx5: Add device ID of upcoming BlueField-2 (bsc#1046303 ).
- net/mlx5: FWTrace, Reduce stack usage (bsc#1103990).
- net/mlx5: Fix error handling in mlx5_load() (bsc#1046305 ).
- net/mlx5: Use reversed order when unregister devices (networking-stable-19_08_08).
- net/mlx5e: Fix eswitch debug print of max fdb flow (bsc#1103990 ).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1103990 ).
- net/mlx5e: Only support tx/rx pause setting for port owner (networking-stable-19_08_21).
- net/mlx5e: Prevent encap flow counter update async to user query (networking-stable-19_08_08).
- net/mlx5e: Print a warning when LRO feature is dropped or not allowed (bsc#1103990).
- net/mlx5e: Use flow keys dissector to parse packets for ARFS (networking-stable-19_08_21).
- net/packet: fix race in tpacket_snd() (networking-stable-19_08_21).
- net/phy: fix DP83865 10 Mbps HDX loopback disable function (networking-stable-19_09_30).
- net/rds: Fix error handling in rds_ib_add_one() (networking-stable-19_10_05).
- net/rds: fix warn in rds_message_alloc_sgs (bsc#1154848).
- net/rds: remove user triggered WARN_ON in rds_sendmsg (bsc#1154848).
- net/sched: act_sample: do not push mac header on ip6gre ingress (networking-stable-19_09_30).
- net/sched: cbs: Fix not adding cbs instance to list (bsc#1109837).
- net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate (bsc#1109837).
- net/smc: do not schedule tx_work in SMC_CLOSED state (bsc#1149963).
- net/smc: fix SMCD link group creation with VLAN id (bsc#1154959).
- net/smc: make sure EPOLLOUT is raised (networking-stable-19_08_28).
- net/smc: original socket family in inet_sock_diag (bsc#1149959).
- net: Fix null de-reference of device refcount (networking-stable-19_09_15).
- net: Replace NF_CT_ASSERT() with WARN_ON() (bsc#1146612).
- net: Unpublish sk from sk_reuseport_cb before call_rcu (networking-stable-19_10_05).
- net: bridge: delete local fdb on device init failure (networking-stable-19_08_08).
- net: bridge: mcast: do not delete permanent entries when fast leave is enabled (networking-stable-19_08_08).
- net: fix ifindex collision during namespace removal (networking-stable-19_08_08).
- net: fix skb use after free in netpoll (networking-stable-19_09_05).
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list (networking-stable-19_09_15).
- net: hns3: Add missing newline at end of file (bsc#1104353 ).
- net: hns3: add Asym Pause support to fix autoneg problem (bsc#1104353).
- net: hns3: add a check to pointer in error_detected and slot_reset (bsc#1104353).
- net: hns3: add aRFS support for PF (bsc#1104353).
- net: hns3: add all IMP return code (bsc#1104353).
- net: hns3: add check to number of buffer descriptors (bsc#1104353).
- net: hns3: add default value for tc_size and tc_offset (bsc#1104353).
- net: hns3: add exception handling when enable NIC HW error interrupts (bsc#1104353).
- net: hns3: add handling of two bits in MAC tunnel interrupts (bsc#1104353).
- net: hns3: add handshake with hardware while doing reset (bsc#1104353).
- net: hns3: add opcode about query and clear RAS & MSI-X to special opcode (bsc#1104353).
- net: hns3: add recovery for the H/W errors occurred before the HNS dev initialization (bsc#1104353).
- net: hns3: add some error checking in hclge_tm module (bsc#1104353).
- net: hns3: add support for dump firmware statistics by debugfs (bsc#1104353).
- net: hns3: adjust hns3_uninit_phy()'s location in the hns3_client_uninit() (bsc#1104353).
- net: hns3: bitwise operator should use unsigned type (bsc#1104353).
- net: hns3: change GFP flag during lock period (bsc#1104353 ).
- net: hns3: change SSU's buffer allocation according to UM (bsc#1104353).
- net: hns3: check msg_data before memcpy in hclgevf_send_mbx_msg (bsc#1104353).
- net: hns3: clear restting state when initializing HW device (bsc#1104353).
- net: hns3: code optimizaition of hclge_handle_hw_ras_error() (bsc#1104353).
- net: hns3: delay and separate enabling of NIC and ROCE HW errors (bsc#1104353).
- net: hns3: delay ring buffer clearing during reset (bsc#1104353 ).
- net: hns3: delay setting of reset level for hw errors until slot_reset is called (bsc#1104353).
- net: hns3: delete the redundant user NIC codes (bsc#1104353 ).
- net: hns3: do not configure new VLAN ID into VF VLAN table when it's full (bsc#1104353).
- net: hns3: do not query unsupported commands in debugfs (bsc#1104353).
- net: hns3: enable DCB when TC num is one and pfc_en is non-zero (bsc#1104353).
- net: hns3: enable broadcast promisc mode when initializing VF (bsc#1104353).
- net: hns3: extract handling of mpf/pf msi-x errors into functions (bsc#1104353).
- net: hns3: fix GFP flag error in hclge_mac_update_stats() (bsc#1126390).
- net: hns3: fix VLAN filter restore issue after reset (bsc#1104353).
- net: hns3: fix __QUEUE_STATE_STACK_XOFF not cleared issue (bsc#1104353).
- net: hns3: fix a -Wformat-nonliteral compile warning (bsc#1104353).
- net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector (bsc#1104353).
- net: hns3: fix a statistics issue about l3l4 checksum error (bsc#1104353).
- net: hns3: fix avoid unnecessary resetting for the H/W errors which do not require reset (bsc#1104353).
- net: hns3: fix compile warning without CONFIG_RFS_ACCEL (bsc#1104353).
- net: hns3: fix dereference of ae_dev before it is null checked (bsc#1104353).
- net: hns3: fix flow control configure issue for fibre port (bsc#1104353).
- net: hns3: fix for dereferencing before null checking (bsc#1104353).
- net: hns3: fix for skb leak when doing selftest (bsc#1104353 ).
- net: hns3: fix race conditions between reset and module loading & unloading (bsc#1104353).
- net: hns3: fix some coding style issues (bsc#1104353 ).
- net: hns3: fix some reset handshake issue (bsc#1104353 ).
- net: hns3: fix wrong size of mailbox responding data (bsc#1104353).
- net: hns3: fixes wrong place enabling ROCE HW error when loading (bsc#1104353).
- net: hns3: free irq when exit from abnormal branch (bsc#1104353 ).
- net: hns3: handle empty unknown interrupt (bsc#1104353 ).
- net: hns3: initialize CPU reverse mapping (bsc#1104353 ).
- net: hns3: log detail error info of ROCEE ECC and AXI errors (bsc#1104353).
- net: hns3: make HW GRO handling compliant with SW GRO (bsc#1104353).
- net: hns3: modify handling of out of memory in hclge_err.c (bsc#1104353).
- net: hns3: modify hclge_init_client_instance() (bsc#1104353 ).
- net: hns3: modify hclgevf_init_client_instance() (bsc#1104353 ).
- net: hns3: optimize the CSQ cmd error handling (bsc#1104353 ).
- net: hns3: prevent unnecessary MAC TNL interrupt (bsc#1104353 bsc#1134983).
- net: hns3: process H/W errors occurred before HNS dev initialization (bsc#1104353).
- net: hns3: re-schedule reset task while VF reset fail (bsc#1104353).
- net: hns3: refactor PF/VF RSS hash key configuration (bsc#1104353).
- net: hns3: refactor hns3_get_new_int_gl function (bsc#1104353 ).
- net: hns3: refine the flow director handle (bsc#1104353 ).
- net: hns3: remove RXD_VLD check in hns3_handle_bdinfo (bsc#1104353).
- net: hns3: remove VF VLAN filter entry inexistent warning print (bsc#1104353).
- net: hns3: remove override_pci_need_reset (bsc#1104353 ).
- net: hns3: remove redundant core reset (bsc#1104353 ).
- net: hns3: remove setting bit of reset_requests when handling mac tunnel interrupts (bsc#1104353).
- net: hns3: remove unused linkmode definition (bsc#1104353 ).
- net: hns3: replace numa_node_id with numa_mem_id for buffer reusing (bsc#1104353).
- net: hns3: set default value for param 'type' in hclgevf_bind_ring_to_vector (bsc#1104353).
- net: hns3: set maximum length to resp_data_len for exceptional case (bsc#1104353).
- net: hns3: set ops to null when unregister ad_dev (bsc#1104353 ).
- net: hns3: set the port shaper according to MAC speed (bsc#1104353).
- net: hns3: small changes for magic numbers (bsc#1104353 ).
- net: hns3: some changes of MSI-X bits in PPU(RCB) (bsc#1104353 ).
- net: hns3: some modifications to simplify and optimize code (bsc#1104353).
- net: hns3: some variable modification (bsc#1104353).
- net: hns3: stop schedule reset service while unloading driver (bsc#1104353).
- net: hns3: sync VLAN filter entries when kill VLAN ID failed (bsc#1104353).
- net: hns3: trigger VF reset if a VF had an over_8bd_nfe_err (bsc#1104353).
- net: hns3: typo in the name of a constant (bsc#1104353 ).
- net: hns3: use HCLGEVF_STATE_NIC_REGISTERED to indicate VF NIC client has registered (bsc#1104353).
- net: hns3: use HCLGE_STATE_NIC_REGISTERED to indicate PF NIC client has registered (bsc#1104353).
- net: hns3: use HCLGE_STATE_ROCE_REGISTERED to indicate PF ROCE client has registered (bsc#1104353).
- net: hns3: use macros instead of magic numbers (bsc#1104353 ).
- net: hns: Fix the stray netpoll locks causing deadlock in NAPI path (bsc#1104353).
- net: hns: add support for vlan TSO (bsc#1104353).
- net: openvswitch: free vport unless register_netdevice() succeeds (git-fixes).
- net: phy: bcm7xxx: define soft_reset for 40nm EPHY (bsc#1119113 ).
- net: phylink: Fix flow control resolution (bsc#1119113 ).
- net: qlogic: Fix memory leak in ql_alloc_large_buffers (networking-stable-19_10_05).
- net: qrtr: Stop rx_worker before freeing node (networking-stable-19_09_30).
- net: sched: Fix a possible null-pointer dereference in dequeue_func() (networking-stable-19_08_08).
- net: sched: act_sample: fix psample group handling on overwrite (networking-stable-19_09_05).
- net: sched: cbs: Avoid division by zero when calculating the port rate (bsc#1109837).
- net: sched: fix possible crash in tcf_action_destroy() (bsc#1109837).
- net: sched: fix reordering issues (bsc#1109837).
- net: sock_map, fix missing ulp check in sock hash case (bsc#1109837).
- net: stmmac: dwmac-rk: Do not fail if phy regulator is absent (networking-stable-19_09_05).
- net_sched: add policy validation for action attributes (networking-stable-19_09_30).
- net_sched: fix backward compatibility for TCA_ACT_KIND (git-fixes).
- netfilter: nf_nat: do not bug when mapping already exists (bsc#1146612).
- nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs (bsc#1109837).
- nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs (bsc#1109837).
- nfsd: Do not release the callback slot unless it was actually held (git-fixes).
- nfsd: Fix overflow causing non-working mounts on 1 TB machines (bsc#1150381).
- nfsd: degraded slot-count more gracefully as allocation nears exhaustion (bsc#1150381).
- nfsd: fix performance-limiting session calculation (bsc#1150381).
- nfsd: give out fewer session slots as limit approaches (bsc#1150381).
- nfsd: handle drc over-allocation gracefully (bsc#1150381).
- nfsd: increase DRC cache limit (bsc#1150381).
- nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds (bsc#1051510).
- nl80211: fix null pointer dereference (bsc#1051510).
- null_blk: complete requests from ->timeout (bsc#1149446).
- null_blk: wire up timeouts (bsc#1149446).
- nvme-fc: fix module unloads while lports still pending (bsc#1150033).
- nvme-multipath: relax ANA state check (bsc#1123105).
- nvme-rdma: Allow DELETING state change failure in (bsc#1104967,).
- nvme-rdma: centralize admin/io queue teardown sequence (bsc#1142076).
- nvme-rdma: centralize controller setup sequence (bsc#1142076).
- nvme-rdma: fix a NULL deref when an admin connect times out (bsc#1149446).
- nvme-rdma: fix a NULL deref when an admin connect times out (bsc#1149446).
- nvme-rdma: fix timeout handler (bsc#1149446).
- nvme-rdma: fix timeout handler (bsc#1149446).
- nvme-rdma: remove redundant reference between ib_device and tagset (bsc#1149446).
- nvme-rdma: stop admin queue before freeing it (bsc#1140155).
- nvme-rdma: support up to 4 segments of inline data (bsc#1142076).
- nvme-rdma: unquiesce queues when deleting the controller (bsc#1142076).
- nvme-rdma: use dynamic dma mapping per command (bsc#1149446).
- nvme-tcp: fix a NULL deref when an admin connect times out (bsc#1149446).
- nvme-tcp: fix timeout handler (bsc#1149446).
- nvme-tcp: support C2HData with SUCCESS flag (bsc#1157386).
- nvme: cancel request synchronously (bsc#1145661).
- nvme: do not abort completed request in nvme_cancel_request (bsc#1149446).
- nvme: fix multipath crash when ANA is deactivated (bsc#1149446).
- nvme: fix multipath crash when ANA is deactivated (bsc#1149446).
- nvme: remove ns sibling before clearing path (bsc#1140155).
- nvme: return BLK_EH_DONE from ->timeout (bsc#1142076).
- nvme: wait until all completed request's complete fn is called (bsc#1149446).
- nvmem: Use the same permissions for eeprom as for nvmem (git-fixes).
- objtool: Clobber user CFLAGS variable (bsc#1153236).
- openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC (networking-stable-19_09_30).
- packaging: add support for riscv64
- perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp (bsc#1142924).
- phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current (bsc#1051510).
- phylink: fix kernel-doc warnings (bsc#1111666).
- pinctrl: cherryview: Allocate IRQ chip dynamic (git-fixes).
- pinctrl: cherryview: restore Strago DMI workaround for all versions (bsc#1111666).
- pinctrl: tegra: Fix write barrier placement in pmx_writel (bsc#1051510).
- platform/x86: classmate-laptop: remove unused variable (bsc#1051510).
- platform/x86: i2c-multi-instantiate: Derive the device name from parent (bsc#1111666).
- platform/x86: i2c-multi-instantiate: Fail the probe if no IRQ provided (bsc#1111666).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens SIMATIC IPC277E to critclk_systems DMI table (bsc#1051510).
- pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error (git-fixes).
- pnfs/flexfiles: Turn off soft RPC calls (git-fixes).
- power: reset: at91-poweroff: do not procede if at91_shdwc is allocated (bsc#1051510).
- power: reset: gpio-restart: Fix typo when gpio reset is not found (bsc#1051510).
- power: supply: Init device wakeup after device_add() (bsc#1051510).
- power: supply: ab8500_fg: silence uninitialized variable warnings (bsc#1051510).
- power: supply: max14656: fix potential use-after-free (bsc#1051510).
- power: supply: sysfs: ratelimit property read error message (bsc#1051510).
- power: supply: twl4030_charger: disable eoc interrupt on linear charge (bsc#1051510).
- power: supply: twl4030_charger: fix charging current out-of-bounds (bsc#1051510).
- powerpc/64: Make meltdown reporting Book3S 64 specific (bsc#1091041).
- powerpc/64: Make sys_switch_endian() traceable (bsc#1065729).
- powerpc/64s/pseries: radix flush translations before MMU is enabled at boot (bsc#1055186).
- powerpc/64s/radix: Fix MADV_[FREE|DONTNEED] TLB flush miss problem with THP (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Fix memory hot-unplug page table split (bsc#1065729).
- powerpc/64s/radix: Fix memory hotplug section page table creation (bsc#1065729).
- powerpc/64s/radix: Implement _tlbie(l)_va_range flush functions (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Improve TLB flushing for page table freeing (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Improve preempt handling in TLB code (bsc#1152161 ltc#181664).
- powerpc/64s/radix: Introduce local single page ceiling for TLB range
- powerpc/64s/radix: Optimize flush_tlb_range (bsc#1152161 ltc#181664).
- powerpc/64s/radix: keep kernel ERAT over local process/guest invalidates (bsc#1055186).
- powerpc/64s/radix: tidy up TLB flushing code (bsc#1055186).
- powerpc/64s: Rename PPC_INVALIDATE_ERAT to PPC_ISA_3_0_INVALIDATE_ERAT (bsc#1055186).
- powerpc/book3s64/mm: Do not do tlbie fixup for some hardware revisions (bsc#1152161 ltc#181664).
- powerpc/book3s64/radix: Rename CPU_FTR_P9_TLBIE_BUG feature flag (bsc#1152161 ltc#181664).
- powerpc/bpf: use unsigned division instruction for 64-bit operations (bsc#1065729).
- powerpc/irq: Do not WARN continuously in arch_local_irq_restore() (bsc#1065729).
- powerpc/irq: drop arch_early_irq_init() (bsc#1065729).
- powerpc/mm/book3s64: Move book3s64 code to pgtable-book3s64 (bsc#1055186).
- powerpc/mm/radix: Drop unneeded NULL check (bsc#1152161 ltc#181664).
- powerpc/mm/radix: implement LPID based TLB flushes to be used by KVM (bsc#1152161 ltc#181664).
- powerpc/mm/radix: mark __radix__flush_tlb_range_psize() as __always_inline (bsc#1055186).
- powerpc/mm/radix: mark as __tlbie_pid() and friends as__always_inline (bsc#1055186).
- powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9 (bsc#1152161 ltc#181664).
- powerpc/mm: Properly invalidate when setting process table base (bsc#1055186).
- powerpc/mm: Simplify page_is_ram by using memblock_is_memory (bsc#1065729).
- powerpc/mm: Use memblock API for PPC32 page_is_ram (bsc#1065729).
- powerpc/mm: mark more tlb functions as __always_inline (bsc#1055186).
- powerpc/module64: Fix comment in R_PPC64_ENTRY handling (bsc#1065729).
- powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA window (bsc#1061840).
- powerpc/powernv/ioda: Fix race in TCE level allocation (bsc#1061840).
- powerpc/powernv/npu: Remove obsolete comment about TCE_KILL_INVAL_ALL (bsc#1065729).
- powerpc/powernv: Fix compile without CONFIG_TRACEPOINTS (bsc#1065729).
- powerpc/powernv: Flush console before platform error reboot (bsc#1149940 ltc#179958).
- powerpc/powernv: Restrict OPAL symbol map to only be readable by root (bsc#1152885).
- powerpc/powernv: Use kernel crash path for machine checks (bsc#1149940 ltc#179958).
- powerpc/powernv: move OPAL call wrapper tracing and interrupt handling to C (bsc#1065729).
- powerpc/pseries, ps3: panic flush kernel messages before halting system (bsc#1149940 ltc#179958).
- powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index (bsc#1065729).
- powerpc/pseries/mobility: use cond_resched when updating device tree (bsc#1153112 ltc#181778).
- powerpc/pseries: Call H_BLOCK_REMOVE when supported (bsc#1109158).
- powerpc/pseries: Export maximum memory value (bsc#1122363).
- powerpc/pseries: Export raw per-CPU VPA data via debugfs ().
- powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt() (bsc#1065729).
- powerpc/pseries: Read TLB Block Invalidate Characteristics (bsc#1109158).
- powerpc/pseries: Remove confusing warning message (bsc#1109158).
- powerpc/pseries: address checkpatch warnings in dlpar_offline_cpu (bsc#1156700 ltc#182459).
- powerpc/pseries: correctly track irq state in default idle (bsc#1150727 ltc#178925).
- powerpc/pseries: safely roll back failed DLPAR cpu add (bsc#1156700 ltc#182459).
- powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning (bsc#1148868).
- powerpc/rtas: allow rescheduling while changing cpu states (bsc#1153112 ltc#181778).
- powerpc/security/book3s64: Report L1TF status in sysfs (bsc#1091041).
- powerpc/security: Fix wrong message when RFI Flush is disable (bsc#1131107).
- powerpc/xive: Fix bogus error code returned by OPAL (bsc#1065729).
- powerpc/xive: Implement get_irqchip_state method for XIVE to fix shutdown race (bsc#1065729).
- powerpc/xive: Prevent page fault issues in the machine crash handler (bsc#1156882 ltc#182435).
- powerpc/xmon: Fix opcode being uninitialized in print_insn_powerpc (bsc#1065729).
- powerpc: BPF base kernel fixes (bsc#1157698)
- powerpc: Drop page_is_ram() and walk_system_ram_range() (bsc#1065729).
- powerpc: bpf: Fix generation of load/store DW instructions (bsc#1065729).
- powerpc: dump kernel log before carrying out fadump or kdump (bsc#1149940 ltc#179958).
- powerplay: Respect units on max dcfclk watermark (bsc#1111666).
- ppp: Fix memory leak in ppp_write (git-fixes).
- printk/panic: Avoid deadlock in printk() after stopping CPUs by NMI (bsc#1148712).
- printk: Do not lose last line in kmsg buffer dump (bsc#1152460).
- printk: fix printk_time race (bsc#1152466).
- pwm: bcm-iproc: Prevent unloading the driver module while in use (git-fixes).
- qed: iWARP - Fix default window size to be based on chip (bsc#1050536 bsc#1050545).
- qed: iWARP - Fix tc for MPA ll2 connection (bsc#1050536 bsc#1050545).
- qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state (bsc#1050536 bsc#1050545).
- qed: iWARP - fix uninitialized callback (bsc#1050536 bsc#1050545).
- qla2xxx: kABI fixes for v10.01.00.18-k (bsc#1123034 bsc#1131304 bsc#1127988).
- qla2xxx: remove SGI SN2 support (bsc#1123034 bsc#1131304 bsc#1127988).
- qmi_wwan: add support for Cinterion CLS8 devices (networking-stable-19_10_05).
- quota: fix wrong condition in is_quota_modification() (bsc#1152026).
- qxl: fix null-pointer crash during suspend (bsc#1111666).
- r8152: Set macpassthru in reset_resume callback (bsc#1051510).
- r8152: Set memory to all 0xFFs on failed reg reads (bsc#1051510).
- rds: Fix warning (bsc#1154848).
- regression fix: losetup --logical-blocksize does not work (bsc#1108043)
- regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg (bsc#1051510).
- reiserfs: fix extended attributes on the root directory (bsc#1151225).
- rpm/config.sh: Enable kgraft.
- rpm/config.sh: Enable livepatch.
- rpm/dtb.spec.in.in: do not make dtb directory inaccessible There is no reason to lock down the dtb directory for ordinary users.
- rpm/kernel-binary.spec.in: Fix kernel-livepatch description typo.
- rpm/kernel-binary.spec.in: handle modules.builtin.modinfo It was added in 5.2.
- rpm/kernel-binary.spec.in: remove code duplicated by merge.
- rpm/kernel-binary.spec.in: support partial rt debug config.
- rpm/kernel-subpackage-spec: Mention debuginfo in the subpackage description (bsc#1149119).
- rpm/macros.kernel-source: KMPs should depend on kmod-compat to build. kmod-compat links are used in find-provides.ksyms, find-requires.ksyms, and find-supplements.ksyms in rpm-config-SUSE.
- rpm/mkspec: Correct tarball URL for rc kernels.
- rpm/mkspec: Make building DTBs optional.
- rpm/modflist: Simplify compression support.
- rpm: raise required disk space for binary packages Current disk space constraints (10 GB on s390x, 25 GB on other architectures) no longer suffice for 5.3 kernel builds. The statistics show ~30 GB of disk consumption on x86_64 and ~11 GB on s390x so raise the constraints to 35 GB in general and 14 GB on s390x.
- rpm: support compressed modules Some of our scripts and scriptlets in rpm/ do not expect module files not ending with '.ko' which currently leads to failure in preuninstall scriptlet of cluster-md-kmp-default (and probably also other subpackages). Let those which could be run on compressed module files recognize '.ko.xz' in addition to '.ko'.
- rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument (bsc#1051510).
- rtlwifi: Fix file release memory leak (bsc#1111666).
- rtlwifi: rtl8192cu: Fix value set in descriptor (bsc#1142635).
- s390/cmf: set_schib_wait add timeout (bsc#1153509, bsc#1153476).
- s390/cpumsf: Check for CPU Measurement sampling (bsc#1153681 LTC#181855).
- s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091).
- s390/crypto: fix gcm-aes-s390 selftest failures (bsc#1137861 LTC#178091).
- s390/pci: add mio_enabled attribute (bsc#1152665 LTC#181729).
- s390/pci: correctly handle MIO opt-out (bsc#1152665 LTC#181729).
- s390/pci: deal with devices that have no support for MIO instructions (bsc#1152665 LTC#181729).
- s390/pci: fix MSI message data (bsc#1152697 LTC#181730).
- s390: add support for IBM z15 machines (bsc#1152696 LTC#181731).
- s390: fix setting of mio addressing control (bsc#1152665 LTC#181729).
- sc16is7xx: Fix for 'Unexpected interrupt: 8' (bsc#1051510).
- sch_cbq: validate TCA_CBQ_WRROPT to avoid crash (networking-stable-19_10_05).
- sch_dsmark: fix potential NULL deref in dsmark_init() (networking-stable-19_10_05).
- sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero (networking-stable-19_09_15).
- sch_netem: fix a divide by zero in tabledist() (networking-stable-19_09_30).
- sched/fair: Avoid divide by zero when rebalancing domains (bsc#1096254).
- scripts/arch-symbols: add missing link.
- scripts/git_sort/git_sort.py:
- scripts/run_oldconfig.sh: Fix update-vanilla When CC is set we want to use it for native only. Cross-compilation still needs the crosscompilers. flush (bsc#1055117 bsc#1152161 ltc#181664).
- scsi: bfa: convert to strlcpy/strlcat (git-fixes).
- scsi: cxlflash: Prevent deadlock when adapter probe fails (git-fixes).
- scsi: lpfc: Add enablement of multiple adapter dumps (bsc#1154601).
- scsi: lpfc: Add registration for CPU Offline/Online events (bsc#1154601).
- scsi: lpfc: Change default IRQ model on AMD architectures (bsc#1154601).
- scsi: lpfc: Check queue pointer before use (bsc#1154242).
- scsi: lpfc: Clarify FAWNN error message (bsc#1154601).
- scsi: lpfc: Complete removal of FCoE T10 PI support on SLI-4 adapters (bsc#1154521).
- scsi: lpfc: Convert existing %pf users to %ps (bsc#1154521).
- scsi: lpfc: Fix GPF on scsi command completion (bsc#1154521).
- scsi: lpfc: Fix NULL check before mempool_destroy is not needed (bsc#1154601).
- scsi: lpfc: Fix NVME io abort failures causing hangs (bsc#1154521).
- scsi: lpfc: Fix NVMe ABTS in response to receiving an ABTS (bsc#1154521).
- scsi: lpfc: Fix Oops in nvme_register with target logout/login (bsc#1151900).
- scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() (bsc#1154601).
- scsi: lpfc: Fix a kernel warning triggered by lpfc_sli4_enable_intr() (bsc#1154601).
- scsi: lpfc: Fix configuration of BB credit recovery in service parameters (bsc#1154601).
- scsi: lpfc: Fix coverity errors on NULL pointer checks (bsc#1154521).
- scsi: lpfc: Fix device recovery errors after PLOGI failures (bsc#1154521).
- scsi: lpfc: Fix devices that do not return after devloss followed by rediscovery (bsc#1137040).
- scsi: lpfc: Fix discovery failures when target device connectivity bounces (bsc#1154521).
- scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow (bsc#1154601).
- scsi: lpfc: Fix dynamic fw log enablement check (bsc#1154601).
- scsi: lpfc: Fix hdwq sgl locks and irq handling (bsc#1154521).
- scsi: lpfc: Fix host hang at boot or slow boot (bsc#1154521).
- scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce (bsc#1154601).
- scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq (bsc#1154521).
- scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq (bsc#1154521).
- scsi: lpfc: Fix locking on mailbox command completion (bsc#1154521).
- scsi: lpfc: Fix lpfc_cpumask_of_node_init() (bsc#1154601).
- scsi: lpfc: Fix miss of register read failure check (bsc#1154521).
- scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via sysfs attribute (bsc#1140845).
- scsi: lpfc: Fix premature re-enabling of interrupts in lpfc_sli_host_down (bsc#1154521).
- scsi: lpfc: Fix propagation of devloss_tmo setting to nvme transport (bsc#1140883).
- scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs (bsc#1154521).
- scsi: lpfc: Fix reset recovery paths that are not recovering (bsc#1144375).
- scsi: lpfc: Fix rpi release when deleting vport (bsc#1154521).
- scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() (bsc#1154521).
- scsi: lpfc: Fix unexpected error messages during RSCN handling (bsc#1154601).
- scsi: lpfc: Honor module parameter lpfc_use_adisc (bsc#1153628).
- scsi: lpfc: Honor module parameter lpfc_use_adisc (bsc#1154601).
- scsi: lpfc: Initialize cpu_map for not present cpus (bsc#1154601).
- scsi: lpfc: Limit xri count for kdump environment (bsc#1154124).
- scsi: lpfc: Make function lpfc_defer_pt2pt_acc static (bsc#1154521).
- scsi: lpfc: Make lpfc_debugfs_ras_log_data static (bsc#1154601).
- scsi: lpfc: Mitigate high memory pre-allocation by SCSI-MQ (bsc#1154601).
- scsi: lpfc: Raise config max for lpfc_fcp_mq_threshold variable (bsc#1154601).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: lpfc: Remove bg debugfs buffers (bsc#1144375).
- scsi: lpfc: Resolve checker warning for lpfc_new_io_buf() (bsc#1144375).
- scsi: lpfc: Sync with FC-NVMe-2 SLER change to require Conf with SLER (bsc#1154601).
- scsi: lpfc: Update async event logging (bsc#1154521).
- scsi: lpfc: Update lpfc version to 12.4.0.1 (bsc#1154521).
- scsi: lpfc: Update lpfc version to 12.6.0.1 (bsc#1154601).
- scsi: lpfc: Update lpfc version to 12.6.0.2 (bsc#1154601).
- scsi: lpfc: cleanup: remove unused fcp_txcmlpq_cnt (bsc#1154521).
- scsi: lpfc: fix build error of lpfc_debugfs.c for vfree/vmalloc (bsc#1154601).
- scsi: lpfc: fix inlining of lpfc_sli4_cleanup_poll_list() (bsc#1154601).
- scsi: lpfc: fix spelling error in MAGIC_NUMER_xxx (bsc#1154601).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1154601).
- scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences (bsc#1154601).
- scsi: lpfc: lpfc_attr: Fix Use plain integer as NULL pointer (bsc#1154601).
- scsi: lpfc: lpfc_nvmet: Fix Use plain integer as NULL pointer (bsc#1154601).
- scsi: lpfc: remove left-over BUILD_NVME defines (bsc#1154268).
- scsi: lpfc: revise nvme max queues to be hdwq count (bsc#1154601).
- scsi: qedf: Add debug information for unsolicited processing (bsc#1149976).
- scsi: qedf: Add shutdown callback handler (bsc#1149976).
- scsi: qedf: Add support for 20 Gbps speed (bsc#1149976).
- scsi: qedf: Check both the FCF and fabric ID before servicing clear virtual link (bsc#1149976).
- scsi: qedf: Check for link state before processing LL2 packets and send fipvlan retries (bsc#1149976).
- scsi: qedf: Check for module unloading bit before processing link update AEN (bsc#1149976).
- scsi: qedf: Decrease the LL2 MTU size to 2500 (bsc#1149976).
- scsi: qedf: Fix race betwen fipvlan request and response path (bsc#1149976).
- scsi: qedf: Initiator fails to re-login to switch after link down (bsc#1149976).
- scsi: qedf: Modify abort and tmf handler to handle edge condition and flush (bsc#1098291).
- scsi: qedf: Print message during bailout conditions (bsc#1149976).
- scsi: qedf: Stop sending fipvlan request on unload (bsc#1149976).
- scsi: qedf: Update module description string (bsc#1149976).
- scsi: qedf: Update the driver version to 8.37.25.20 (bsc#1149976).
- scsi: qedf: Update the version to 8.42.3.0 (bsc#1149976).
- scsi: qedf: Use discovery list to traverse rports (bsc#1149976).
- scsi: qedf: fc_rport_priv reference counting fixes (bsc#1098291).
- scsi: qedf: remove set but not used variables (bsc#1149976).
- scsi: qedi: remove declaration of nvm_image from stack (git-fixes).
- scsi: qla2xxx: Add 28xx flash primary/secondary status/image mechanism (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add Device ID for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add First Burst support for FC-NVMe devices (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add Serdes support for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Add error handling for PLOGI ELS passthrough (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Add fw_attr and port_no SysFS node (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add new FW dump template entry types (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add pci function reset support (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add protection mask module parameters (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add support for multiple fwdump templates/segments (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Add support for setting port speed (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Allow NVMe IO to resume with short cable pull (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value (bsc#1143706).
- scsi: qla2xxx: Avoid PCI IRQ affinity mapping when multiqueue is not supported (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that Coverity complains about dereferencing a NULL rport pointer (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that lockdep complains about unsafe locking in tcm_qla2xxx_close_session() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Avoid that qla2x00_mem_free() crashes if called twice (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Capture FW dump on MPI heartbeat stop event (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Change abort wait_loop from msleep to wait_event_timeout (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change data_dsd into an array (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change data_dsd into an array (bsc#1143706).
- scsi: qla2xxx: Change default ZIO threshold (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change the return type of qla24xx_read_flash_data() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change the return type of qla24xx_read_flash_data() (bsc#1143706).
- scsi: qla2xxx: Change the return type of qla2x00_update_ms_fdmi_iocb() into void (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Change the return type of qla2x00_update_ms_fdmi_iocb() into void (bsc#1143706).
- scsi: qla2xxx: Check for FW started flag before aborting (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check for MB timeout while capturing ISP27/28xx FW dump (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Check secondary image if reading the primary image fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check secondary image if reading the primary image fails (bsc#1143706).
- scsi: qla2xxx: Check the PCI info string output buffer size (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Check the PCI info string output buffer size (bsc#1143706).
- scsi: qla2xxx: Check the size of firmware data structures at compile time (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanup fcport memory to prevent leak (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanup redundant qla2x00_abort_all_cmds during unload (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Cleanups for NVRAM/Flash read/write path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a command is released that is owned by the firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a mailbox command times out (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a mailbox command times out (bsc#1143706).
- scsi: qla2xxx: Complain if a soft reset fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if a soft reset fails (bsc#1143706).
- scsi: qla2xxx: Complain if parsing the version string fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if parsing the version string fails (bsc#1143706).
- scsi: qla2xxx: Complain if sp->done() is not called from the completion path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if sp->done() is not called from the completion path (bsc#1143706).
- scsi: qla2xxx: Complain if waiting for pending commands times out (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Complain if waiting for pending commands times out (bsc#1143706).
- scsi: qla2xxx: Complain loudly about reference count underflow (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correct error handling during initialization failures (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correction and improvement to fwdt processing (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Correctly report max/min supported speeds (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare fourth qla2x00_set_model_info() argument const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare fourth qla2x00_set_model_info() argument const (bsc#1143706).
- scsi: qla2xxx: Declare local symbols static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla24xx_build_scsi_crc_2_iocbs() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla2x00_find_new_loop_id() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla_tgt_cmd.cdb const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare qla_tgt_cmd.cdb const (bsc#1143706).
- scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Declare the fourth ql_dump_buffer() argument const (bsc#1143706).
- scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Do command completion on abort timeout (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Do not corrupt vha->plogi_ack_list (bsc#1143706).
- scsi: qla2xxx: Downgrade driver to 10.01.00.19-k There are upstream bug reports against 10.01.00.19-k which haven't been resolved. Also the newer version failed to get a proper review. For time being it's better to got with the older version and do not introduce new bugs.
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Dual FCP-NVMe target port support (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Enable type checking for the SRB free and done callback functions (bsc#1143706).
- scsi: qla2xxx: Fix DMA error when the DIF sg buffer crosses 4GB boundary (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix DMA unmap leak (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix LUN discovery if loop id is not assigned yet by firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link reset (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link reset (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix N2N link up fail (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix NULL pointer crash due to stale CPUID (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix NVME cmd and LS cmd timeout race condition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix NVMe port discovery after a short device port loss (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix Nport ID display value (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix SRB allocation flag to avoid sleeping in IRQ context (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix SRB leak on switch command timeout (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix a NULL pointer dereference (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a NULL pointer dereference (bsc#1143706).
- scsi: qla2xxx: Fix a dma_pool_free() call (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix a qla24xx_enable_msix() error path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a race condition between aborting and completing a SCSI command (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a race condition between aborting and completing a SCSI command (bsc#1143706).
- scsi: qla2xxx: Fix a recently introduced kernel warning (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix a small typo in qla_bsg.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix abort timeout race condition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix code indentation for qla27xx_fwdt_entry (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix comment alignment in qla_bsg.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix comment in MODULE_PARM_DESC in qla2xxx (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix device connect issues in P2P configuration (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix different size DMA Alloc/Unmap (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix double scsi_done for abort path (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix driver reload for ISP82xx (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix driver reload for ISP82xx (bsc#1143706).
- scsi: qla2xxx: Fix driver unload hang (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix driver unload when FC-NVMe LUNs are connected (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix flash read for Qlogic ISPs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix flash read for Qlogic ISPs (bsc#1143706).
- scsi: qla2xxx: Fix formatting of pointer types (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix fw dump corruption (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix fw options handle eh_bus_reset() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hang in fcport delete path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hardirq-unsafe locking (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix hardlockup in abort command during driver remove (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix kernel crash after disconnecting NVMe devices (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix memory leak when sending I/O fails (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Fix message indicating vectors used by driver (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix message indicating vectors used by driver (bsc#1143706).
- scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix partial flash write of MBI (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix possible fcport null-pointer dereferences (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix premature timer expiration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix qla24xx_process_bidir_cmd() (bsc#1143706).
- scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix read offset in qla24xx_load_risc_flash() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix routine qla27xx_dump_{mpi|ram}() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session cleanup hang (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session lookup in qlt_abort_work() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix session lookup in qlt_abort_work() (bsc#1143706).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale mem access on driver unload (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix stale session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stale session (bsc#1143706).
- scsi: qla2xxx: Fix stuck login session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix stuck login session (bsc#1143706).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unbound sleep in fcport delete path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Fix unload when NVMe devices are configured (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix use-after-free issues in qla2xxx_qpair_sp_free_dma() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Fix wait condition in loop (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Further limit FLASH region write access from SysFS (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Improve Linux kernel coding style conformance (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Improve Linux kernel coding style conformance (bsc#1143706).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Improve logging for scan thread (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Include the <asm/unaligned.h> header file from qla_dsd.h (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Include the <asm/unaligned.h> header file from qla_dsd.h (bsc#1143706).
- scsi: qla2xxx: Increase the max_sgl_segments to 1024 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Increase the size of the mailbox arrays from 4 to 8 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Initialized mailbox to prevent driver load failure (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Inline the qla2x00_fcport_event_handler() function (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Inline the qla2x00_fcport_event_handler() function (bsc#1143706).
- scsi: qla2xxx: Insert spaces where required (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2x00_els_dcmd2_free() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2x00_els_dcmd2_free() (bsc#1143706).
- scsi: qla2xxx: Introduce qla2xxx_get_next_handle() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce qla2xxx_get_next_handle() (bsc#1143706).
- scsi: qla2xxx: Introduce the be_id_t and le_id_t data types for FC src/dst IDs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the be_id_t and le_id_t data types for FC src/dst IDs (bsc#1143706).
- scsi: qla2xxx: Introduce the dsd32 and dsd64 data structures (bsc#1082635 bsc#1141340 bsc#1143706).
- scsi: qla2xxx: Introduce the dsd32 and dsd64 data structures (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the function qla2xxx_init_sp() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Introduce the function qla2xxx_init_sp() (bsc#1143706).
- scsi: qla2xxx: Leave a blank line after declarations (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Let the compiler check the type of the SCSI command context pointer (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Let the compiler check the type of the SCSI command context pointer (bsc#1143706).
- scsi: qla2xxx: Log the status code if a firmware command fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make it explicit that ELS pass-through IOCBs use little endian (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make it explicit that ELS pass-through IOCBs use little endian (bsc#1143706).
- scsi: qla2xxx: Make qla24xx_async_abort_cmd() static (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_abort_srb() again decrease the sp reference count (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_abort_srb() again decrease the sp reference count (bsc#1143706).
- scsi: qla2xxx: Make qla2x00_mem_free() easier to verify (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qla2x00_process_response_queue() easier to read (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qlt_handle_abts_completion() more robust (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make qlt_handle_abts_completion() more robust (bsc#1143706).
- scsi: qla2xxx: Make sure that aborted commands are freed (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Make sure that aborted commands are freed (bsc#1143706).
- scsi: qla2xxx: Modify NVMe include directives (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Modify NVMe include directives (bsc#1143706).
- scsi: qla2xxx: Move debug messages before sending srb preventing panic (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move marker request behind QPair (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_clear_loop_id() from qla_inline.h into qla_init.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_is_reserved_id() from qla_inline.h into qla_init.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_set_fcport_state() from a .h into a .c file (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move qla2x00_set_reserved_loop_ids() definition (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move the <linux/io-64-nonatomic-lo-hi.h> include directive (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Move the port_state_str definition from a .h to a .c file (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Optimize NPIV tear down process (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Pass little-endian values to the firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent SysFS access when chip is down (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent memory leak for CT req/rsp allocation (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Prevent multiple ADISC commands per session (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Really fix qla2xxx_eh_abort() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Really fix qla2xxx_eh_abort() (bsc#1143706).
- scsi: qla2xxx: Reduce the number of casts in GID list code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the number of casts in GID list code (bsc#1143706).
- scsi: qla2xxx: Reduce the number of forward declarations (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the scope of three local variables in qla2xxx_queuecommand() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Reduce the scope of three local variables in qla2xxx_queuecommand() (bsc#1143706).
- scsi: qla2xxx: Reject EH_{abort|device_reset|target_request} (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove FW default template (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove WARN_ON_ONCE in qla2x00_status_cont_entry() (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Remove a comment that refers to the SCSI host lock (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a set-but-not-used variable (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous forward declaration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous forward declaration (bsc#1143706).
- scsi: qla2xxx: Remove a superfluous pointer check (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove a superfluous pointer check (bsc#1143706).
- scsi: qla2xxx: Remove an include directive (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Remove an include directive from qla_mr.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove an include directive from qla_mr.c (bsc#1143706).
- scsi: qla2xxx: Remove dead code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove dead code (bsc#1143706).
- scsi: qla2xxx: Remove qla_tgt_cmd.data_work and qla_tgt_cmd.data_work_free (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove qla_tgt_cmd.released (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove set but not used variable 'ptr_dma' (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove superfluous sts_entry_* casts (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove superfluous sts_entry_* casts (bsc#1143706).
- scsi: qla2xxx: Remove the fcport test from qla_nvme_abort_work() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous casts (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous if-tests (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous if-tests (bsc#1143706).
- scsi: qla2xxx: Remove two superfluous tests (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove two superfluous tests (bsc#1143706).
- scsi: qla2xxx: Remove unnecessary locking from the target code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unnecessary null check (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unreachable code from qla83xx_idc_lock() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Remove unreachable code from qla83xx_idc_lock() (bsc#1143706).
- scsi: qla2xxx: Remove useless set memory to zero use memset() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Replace vmalloc + memset with vzalloc (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report invalid mailbox status codes (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report invalid mailbox status codes (bsc#1143706).
- scsi: qla2xxx: Report the firmware status code if a mailbox command fails (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Report the firmware status code if a mailbox command fails (bsc#1143706).
- scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Restore FAWWPN of Physical Port only for loop down (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Retry fabric Scan on IOCB queue full (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Rework key encoding in qlt_find_host_by_d_id() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Rework key encoding in qlt_find_host_by_d_id() (bsc#1143706).
- scsi: qla2xxx: Secure flash update support for ISP28XX (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set remote port devloss timeout to 0 (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set remove flag for all VP (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Set the SCSI command result before calling the command done (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the qpair in SRB to NULL when SRB is released (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the responder mode if appropriate for ELS pass-through IOCBs (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Set the responder mode if appropriate for ELS pass-through IOCBs (bsc#1143706).
- scsi: qla2xxx: Silence Successful ELS IOCB message (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Silence fwdump template message (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Silence fwdump template message (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Simplification of register address used in qla_tmpl.c (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify a debug statement (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify a debug statement (bsc#1143706).
- scsi: qla2xxx: Simplify conditional check again (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_abort_sp_done() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_abort_sp_done() (bsc#1143706).
- scsi: qla2xxx: Simplify qla24xx_async_abort_cmd() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qla24xx_async_abort_cmd() (bsc#1143706).
- scsi: qla2xxx: Simplify qlt_lport_dump() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Simplify qlt_lport_dump() (bsc#1143706).
- scsi: qla2xxx: Simplify qlt_send_term_imm_notif() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Skip FW dump on LOOP initialization error (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress a Coveritiy complaint about integer overflow (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress a Coveritiy complaint about integer overflow (bsc#1143706).
- scsi: qla2xxx: Suppress multiple Coverity complaint about out-of-bounds accesses (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Suppress multiple Coverity complaint about out-of-bounds accesses (bsc#1143706).
- scsi: qla2xxx: Uninline qla2x00_init_timer() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Unregister resources in the opposite order of the registration order (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.00.00.13-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.00.00.14-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.15-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.16-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.18-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.19-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.19-k (bsc#1143706).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.20-k (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: Update driver version to 10.01.00.21-k (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: Update drivers (bsc#1137223)
- scsi: qla2xxx: Update flash read/write routine (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use ARRAY_SIZE() in the definition of QLA_LAST_SPEED (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use Correct index for Q-Pair array (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use __le64 instead of uint32_t for sending DMA addresses to firmware (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use __le64 instead of uint32_t[2] for sending DMA addresses to firmware (bsc#1082635 bsc#1141340 bsc#1143706).
- scsi: qla2xxx: Use an on-stack completion in qla24xx_control_vp() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use common update-firmware-options routine for ISP27xx+ (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use complete switch scan for RSCN events (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1123034 bsc#1131304 bsc#1127988). 
- scsi: qla2xxx: Use get/put_unaligned where appropriate (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use memcpy() and strlcpy() instead of strcpy() and strncpy() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use memcpy() and strlcpy() instead of strcpy() and strncpy() (bsc#1143706).
- scsi: qla2xxx: Use mutex protection during qla2x00_sysfs_read_fw_dump() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use strlcpy() instead of strncpy() (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use strlcpy() instead of strncpy() (bsc#1143706).
- scsi: qla2xxx: Use tabs instead of spaces for indentation (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Use tabs instead of spaces for indentation (bsc#1143706).
- scsi: qla2xxx: Use tabs to indent code (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Verify locking assumptions at runtime (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: Verify locking assumptions at runtime (bsc#1143706).
- scsi: qla2xxx: aborted mailbox commands (bsc#1157908)
- scsi: qla2xxx: allow session delete to finish before create (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: avoid printf format warning (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: check for kstrtol() failure (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: cleanup trace buffer initialization (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: cleanup trace buffer initialization (bsc#1134476).
- scsi: qla2xxx: deadlock by configfs_depend_item (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: do not use zero for FC4_PRIORITY_NVME (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: fix broken qla2xxx 10.01.00.20-k (bsc#1157424)
- scsi: qla2xxx: fix fcport null pointer access (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fix spelling mistake 'alredy' -> 'already' (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fix spelling mistake 'initializatin' -> 'initialization' (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: fixup incorrect usage of host_byte (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: flush IO on chip reset or sess delete (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: initialize fc4_type_priority (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).
- scsi: qla2xxx: move IO flush to the front of NVME rport unregistration (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: multipath transport-offline qla2xxx (bsc#1151548)
- scsi: qla2xxx: no need to check return value of debugfs_create functions (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: on session delete, return nvme cmd (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: qla2x00_alloc_fw_dump: set ha->eft (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: remove double assignment in qla2x00_update_fcport (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant assignment to pointer host (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: remove redundant null check on pointer sess (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: qla2xxx: stop timer in shutdown path (bsc#1143706 bsc#1082635 bsc#1123034).
- scsi: qla2xxx: target: Fix offline port handling and host reset handling (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: scsi_transport_fc: nvme: display FC-NVMe port roles (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: sd: Defer spinning up drive while SANITIZE is in progress (git-fixes).
- scsi: sd: Fix a race between closing an sd device and sd I/O (git-fixes).
- scsi: sd: Fix cache_type_store() (git-fixes).
- scsi: sd: Ignore a failure to sync cache due to lack of authorization (git-fixes).
- scsi: sd: Optimal I/O size should be a multiple of physical block size (git-fixes).
- scsi: sd: Quiesce warning if device does not report optimal I/O size (git-fixes).
- scsi: sd_zbc: Fix potential memory leak (git-fixes).
- scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled (git-fixes).
- scsi: storvsc: Add ability to change scsi queue depth (bsc#1155021).
- scsi: storvsc: setup 1:1 mapping between hardware queue and CPU queue (bsc#1140729).
- scsi: tcm_qla2xxx: Minimize #include directives (bsc#1123034 bsc#1131304 bsc#1127988).
- scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 (git-fixes).
- scsi: use dma_get_cache_alignment() as minimum DMA alignment (git-fixes).
- scsi: virtio_scsi: do not send sc payload with tmfs (git-fixes).
- scsi: zfcp: fix reaction on bit error threshold notification (bsc#1154956 LTC#182054).
- scsi_transport_fc: complete requests from ->timeout (bsc#1142076).
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (networking-stable-19_09_15).
- sctp: fix the transport error_count check (networking-stable-19_08_21).
- sctp: use transport pf_retrans in sctp_do_8_2_transport_strike (networking-stable-19_09_15).
- secure boot lockdown: Fix-up backport of /dev/mem access restriction 
- serial: fix kernel-doc warning in comments (bsc#1051510).
- serial: mctrl_gpio: Check for NULL pointer (bsc#1051510).
- serial: mxs-auart: Fix potential infinite loop (bsc#1051510).
- serial: samsung: Enable baud clock for UART reset procedure in resume (bsc#1051510).
- serial: uartlite: fix exit path null pointer (bsc#1051510).
- serial: uartps: Fix suspend functionality (bsc#1051510).
- signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal (bsc#1157463)
- skge: fix checksum byte order (networking-stable-19_09_30).
- sky2: Disable MSI on yet another ASUS boards (P6Xxxx) (bsc#1051510).
- slcan: Fix memory leak in error path (bsc#1051510).
- slip: Fix memory leak in slip_open error path (bsc#1051510).
- slip: make slhc_free() silently accept an error pointer (bsc#1051510).
- slip: sl_alloc(): remove unused parameter 'dev_t line' (bsc#1051510).
- soc: imx: gpc: fix PDN delay (bsc#1051510).
- soc: qcom: wcnss_ctrl: Avoid string overflow (bsc#1051510).
- sock_diag: fix autoloading of the raw_diag module (bsc#1152791).
- sock_diag: request _diag module only when the family or proto has been registered (bsc#1152791).
- spi: bcm2835aux: fix corruptions for longer spi transfers (bsc#1051510).
- spi: bcm2835aux: remove dangerous uncontrolled read of fifo (bsc#1051510).
- spi: bcm2835aux: unifying code between polling and interrupt driven code (bsc#1051510).
- spi: mediatek: Do not modify spi_transfer when transfer (bsc#1051510).
- spi: pic32: Use proper enum in dmaengine_prep_slave_rg (bsc#1051510).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1111666).
- staging: bcm2835-audio: Fix draining behavior regression (bsc#1111666).
- staging: rtl8188eu: fix null dereference when kzalloc fails (bsc#1051510).
- staging: vt6655: Fix memory leak in vt6655_probe (bsc#1051510).
- staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS (bsc#1051510).
- supporte.conf: add efivarfs to kernel-default-base (bsc#1154858).
- supported.conf: Mark vfio_ccw supported by SUSE, because bugs can be routed to IBM via SUSE support (jsc#SLE-6138, bsc#1151192).
- tape: Tape library devices do not disappear after disabling zone (bsc#1138039)
- tcp: Do not dequeue SYN/FIN-segments from write-queue (git-gixes).
- tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR (networking-stable-19_09_15).
- tcp: inherit timestamp on mtu probe (networking-stable-19_09_05).
- tcp: make sure EPOLLOUT wont be missed (networking-stable-19_08_28).
- tcp: remove empty skb from write queue in error cases (networking-stable-19_09_05).
- team: Add vlan tx offload to hw_enc_features (bsc#1051510).
- team: Add vlan tx offload to hw_enc_features (networking-stable-19_08_21).
- thermal: Fix use-after-free when unregistering thermal zone device (bsc#1051510).
- thermal_hwmon: Sanitize thermal_zone type (bsc#1051510).
- tipc: add NULL pointer check before calling kfree_rcu (networking-stable-19_09_15).
- tipc: fix unlimited bundling of small messages (networking-stable-19_10_05).
- tools: bpftool: close prog FD before exit on showing a single program (bsc#1109837).
- tools: bpftool: fix arguments for p_err() in do_event_pipe() (bsc#1109837).
- tools: bpftool: fix error message (prog -> object) (bsc#1109837).
- tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts (bsc#1082555).
- tracing: Get trace_array reference for available_tracers files (bsc#1156429).
- tracing: Initialize iter->seq after zeroing in tracing_read_pipe() (bsc#1151508).
- tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs (bsc#1111666).
- tun: fix use-after-free when register netdev failed (bsc#1111666).
- tun: fix use-after-free when register netdev failed (networking-stable-19_09_15).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (bsc#1145099).
- usb-storage: Add new JMS567 revision to unusual_devs (bsc#1051510).
- usb-storage: Revert commit 747668dbc061 ('usb-storage: Set virt_boundary_mask to avoid SG overflows') (bsc#1051510).
- usbnet: ignore endpoints with invalid wMaxPacketSize (bsc#1051510).
- usbnet: sanity checking of packet sizes and device mtu (bsc#1051510).
- vfio_pci: Restore original state on release (bsc#1051510).
- vhost/test: fix build for vhost test (bsc#1111666).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- vhost_net: conditionally enable tx polling (bsc#1145099).
- video: of: display_timing: Add of_node_put() in of_get_display_timing() (bsc#1051510).
- video: ssd1307fb: Start page range at page_offset (bsc#1113722)
- vmxnet3: update to latest ToT (bsc#1157499)
- vsock: Fix a lockdep warning in __vsock_release() (networking-stable-19_10_05).
- watchdog: bcm2835_wdt: Fix module autoload (bsc#1051510).
- watchdog: fix compile time error of pretimeout governors (bsc#1051510).
- watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout (bsc#1051510).
- wcn36xx: use dynamic allocation for large variables (bsc#1111666).
- wil6210: drop Rx multicast packets that are looped-back to STA (bsc#1111666).
- wil6210: fix freeing of rx buffers in EDMA mode (bsc#1111666).
- wil6210: fix invalid memory access for rx_buff_mgmt debugfs (bsc#1111666).
- wil6210: prevent usage of tx ring 0 for eDMA (bsc#1111666).
- wil6210: set edma variables only for Talyn-MB devices (bsc#1111666).
- wimax/i2400m: fix a memory leak bug (bsc#1051510).
- x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h (bsc#1114279).
- x86/asm: Fix MWAITX C-state hint value (bsc#1114279).
- x86/boot/64: Make level2_kernel_pgt pages invalid outside kernel area (bnc#1153969).
- x86/boot/64: Round memory hole size up to next PMD page (bnc#1153969).
- x86/entry/64/compat: Fix stack switching for XEN PV (bsc#1108382).
- x86/fpu: Add FPU state copying quirk to handle XRSTOR failure on Intel Skylake CPUs (bsc#1151955).
- x86/mm: Use WRITE_ONCE() when setting PTEs (bsc#1114279).
- x86/resctrl: Fix potential lockdep warning (bsc#1114279).
- x86/resctrl: Prevent NULL pointer dereference when reading mondata (bsc#1114279).
- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs (bsc#1158068)
- x86/tls: Fix possible spectre-v1 in do_get_thread_area() (bsc#1114279).
- xdp: unpin xdp umem pages in error path (bsc#1109837).
- xen-netfront: do not assume sk_buff_head list is empty in error handling (bsc#1065600).
- xen-netfront: do not use ~0U as error return value for xennet_fill_frags() (bsc#1065600).
- xen/netback: Reset nr_frags before freeing skb (networking-stable-19_08_21).
- xen/netback: fix error path of xenvif_connect_data() (bsc#1065600).
- xen/pv: Fix Xen PV guest int3 handling (bsc#1153811).
- xen/xenbus: fix self-deadlock after killing user process (bsc#1065600).
- xfrm: fix sa selector validation (bsc#1156609).
- xhci: Check all endpoints for LPM timeout (bsc#1051510).
- xhci: Fix false warning message about wrong bounce buffer write length (bsc#1051510).
- xhci: Increase STS_SAVE timeout in xhci_suspend() (bsc#1051510).
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long (bsc#1051510).
- xsk: Fix registration of Rx-only sockets (bsc#1109837).
- xsk: avoid store-tearing when assigning queues (bsc#1111666).
- xsk: avoid store-tearing when assigning umem (bsc#1111666).
- xsk: relax UMEM headroom alignment (bsc#1109837).


-----------------------------------------
Patch: SUSE-2019-3208
Released: Mon Dec  9 16:05:26 2019
Summary: Recommended update for release-notes-sles
Severity: moderate
References: 1157037,1158191
Description:
This update for release-notes-sles contains the following fixes:

- Added entry on unlimited core file size. (bsc#1157037)
- Added entry on Intel OPA. (bsc#1158191)
- Added RAID 10 performance issue to known issues.
- Including the following corrections of documentation for IBM Z, valgrid, wicked.


-----------------------------------------
Patch: SUSE-2019-2873
Released: Tue Dec 10 18:13:30 2019
Summary: Recommended update for python-applicationinsights, python-colorama, python-configparser, python-scp, python-wheel, python-xmltodict
Severity: moderate
References: 1037032,1065275,1073879
Description:

This update provides various python3 variants of python modules to support the Azure CLI commandline
toolset.

Following packages are shipped new and in python3 variants:

- python-applicationinsights
- python-colorama
- python-configparser
- python-scp
- python-wheel
- python-xmltodict
- python-ptyprocess

Following packages have received updates:

- python-cffi: update to 1.4.2
- python-cryptography: update to 1.5.3
- python-pyOpenSSL: update to 17.0.0
- python-pyexpect: update to 4.3.1

  

-----------------------------------------
Patch: SUSE-2019-3291
Released: Thu Dec 12 18:09:53 2019
Summary: Recommended update for lio-utils
Severity: moderate
References: 1152794
Description:
This update for lio-utils fixes the following issues:

- Fix for deleting iscsi targets restarting target.service due to false exit code. (bsc#1152794)


-----------------------------------------
Patch: SUSE-2019-3296
Released: Fri Dec 13 18:30:42 2019
Summary: Security update for xen
Severity: important
References: 1158003,1158004,1158005,1158006,1158007,CVE-2019-19577,CVE-2019-19578,CVE-2019-19580,CVE-2019-19581,CVE-2019-19582,CVE-2019-19583
Description:
This update for xen fixes the following issues:

- CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).
- CVE-2019-19582: Fixed a potential infinite loop when x86 accesses to bitmaps with 
  a compile time known size of 64 (bsc#1158003 XSA-307).
- CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace 
  code to crash the guest,leading to a guest denial of service (bsc#1158004 XSA-308).
- CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused
  hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).
- CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator 
  could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).
- CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen 
  to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311). 


-----------------------------------------
Patch: SUSE-2019-3307
Released: Mon Dec 16 14:51:03 2019
Summary: Security update for libssh
Severity: important
References: 1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).


-----------------------------------------
Patch: SUSE-2019-3312
Released: Mon Dec 16 15:46:23 2019
Summary: Recommended update for dracut
Severity: moderate
References: 1154043
Description:
This update for dracut fixes the following issues:

- Suppress error in '%post' when 'vconsole.conf' is not present. (bsc#1154043)


-----------------------------------------
Patch: SUSE-2019-3332
Released: Wed Dec 18 10:22:46 2019
Summary: Recommended update for grub2
Severity: moderate
References: 1134287,1136086,1136970,1138991,1139345,1154783
Description:
This update for grub2 fixes the following issues:

- Fix 'grub2.sleep' to load old kernel after hibernation. (bsc#1154783)
- Consistently find btrfs snapshots on s390x. (bsc#1136970)
- Include upstream fixes:
  - Fix for not responding welcome message. (bsc#1134287)
  - Fix for long delay with FC adapter. (bsc#1139345, LTC#177836, LTC#174229)
  - Fix for boot hang up on IBM Power. (bsc#1136086, bsc#1138991)


-----------------------------------------
Patch: SUSE-2019-3333
Released: Wed Dec 18 14:15:07 2019
Summary: Recommended update for yast2-packager
Severity: moderate
References: 1152482
Description:
This update for yast2-packager fixes the following issues:

- Aligned the language of the license text shown with the selected language. (bsc#1152482)


-----------------------------------------
Patch: SUSE-2019-3342
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Severity: moderate
References: 1151577
Description:
This update for elfutils fixes the following issues:

- Add require of 'libebl1' for 'libelf1'. (bsc#1151577)


-----------------------------------------
Patch: SUSE-2019-3364
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Severity: moderate
References: 1158586,1159162
Description:
This update for ncurses fixes the following issues:

- Work around a bug of old upstream gen-pkgconfig (bsc#1159162) 
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements as (lib)tinfo are binary compatible
  with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix last change, that is add missed library linker paths as well
  as missed include directories for none standard paths (bsc#1158586,
  bsc#1159162)
- Do not mix include directories of different ncurses ABI (bsc#1158586) 


-----------------------------------------
Patch: SUSE-2019-3376
Released: Fri Dec 20 12:50:54 2019
Summary: Recommended update for Salt
Severity: moderate
References: 1137642,1154620,1157479,1158441
Description:

This update includes the following new features:

- Add new 'salt-standalone-formulas-configuration' package (fate#327791)

This update fixes the following issues:

salt:

- Remove virt.pool_delete fast parameter (U#54474)
- Remove unnecessary yield causing BadYieldError (bsc#1154620)
- Prevent 'Already reading' continuous exception message (bsc#1137642)
- Fix for aptpkg test with older mock modules
- Remove wrong tests for core grain and improve debug logging
- Use rich RPM deps to get a compatible version of tornado into the
  buildroot.
- Core.py: ignore wrong product_name files
- Zypperpkg: understand product type
- Enable usage of downloadonly parameter for apt module
- Add new 'salt-standalone-formulas-configuration' package (fate#327791)
- Fix StreamClosedError issue (bsc#1157479)
- Let salt-ssh use platform-python on RHEL8 (bsc#1158441)


-----------------------------------------
Patch: SUSE-2019-2694
Released: Fri Dec 20 14:21:14 2019
Summary: Recommended update for rpcbind
Severity: moderate
References: 1142343
Description:
This update for rpcbind fixes the following issues:

- Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343)


-----------------------------------------
Patch: SUSE-2019-3389
Released: Fri Dec 27 13:32:33 2019
Summary: Security update for the Linux Kernel
Severity: important
References: 1051510,1071995,1078248,1083647,1089644,1090888,1108043,1111666,1112178,1113956,1114279,1115026,1117169,1119461,1119465,1120853,1129770,1137223,1138039,1138190,1140948,1142095,1142635,1144333,1146519,1146544,1151067,1151548,1152107,1152631,1153811,1154043,1154355,1154768,1154905,1154916,1155689,1155921,1156462,1156471,1156928,1157042,1157115,1157160,1157169,1157171,1157303,1157424,1157463,1157499,1157698,1157778,1157895,1157908,1158049,1158063,1158064,1158065,1158066,1158067,1158068,1158071,1158082,1158094,1158132,1158381,1158394,1158398,1158407,1158410,1158413,1158417,1158427,1158445,1158533,1158637,1158638,1158639,1158640,1158641,1158643,1158644,1158645,1158646,1158647,1158649,1158651,1158652,1158823,1158824,1158827,1158834,1158893,1158900,1158903,1158904,1158954,1159024,1159096,CVE-2019-14901,CVE-2019-15213,CVE-2019-16746,CVE-2019-19051,CVE-2019-19066,CVE-2019-19077,CVE-2019-19332,CVE-2019-19338,CVE-2019-19523,CVE-2019-19524,CVE-2019-19525,CVE-2019-19526,CVE-2019-19527,CVE-2019-19528,CVE-2019-19529,CVE-2019-19530,CVE-2019-19531,CVE-2019-19532,CVE-2019-19533,CVE-2019-19534,CVE-2019-19535,CVE-2019-19536,CVE-2019-19537,CVE-2019-19543,SLE-4941,SLE-8953,SLE-9221
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2019-16746: There was an issue in net/wireless/nl80211.c where the kernel did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107).
- CVE-2019-19066: Fixed memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c that allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).
- CVE-2019-19051: Fixed memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c that allowed attackers to cause a denial of service (memory consumption) (bnc#1159024).
- CVE-2019-19338: There was an incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).
- CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).
- CVE-2019-19537: There was a race condition bug that could have been caused by a malicious USB device in the USB character device driver layer (bnc#1158904).
- CVE-2019-19535: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903).
- CVE-2019-19527: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900).
- CVE-2019-19526: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver (bnc#1158893).
- CVE-2019-19533: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834).
- CVE-2019-19532: There were multiple out-of-bounds write bugs that could have been caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824).
- CVE-2019-19523: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (bnc#1158823).
- CVE-2019-15213: An issue was discovered in the Linux kernel, there was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544).
- CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).
- CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).
- CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).
- CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).
- CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).
- CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).
- CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407).
- CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).
- CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381).
- CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).
- CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171).


The following non-security bugs were fixed:

- bnxt_en: Update firmware interface spec. to 1.10.0.47 (bsc#1157115)
- ACPI / APEI: Do not wait to serialise with oops messages when panic()ing (bsc#1051510).
- ACPI / LPSS: Ignore acpi_device_fix_up_power() return value (bsc#1051510).
- ACPI / SBS: Fix rare oops when removing modules (bsc#1051510).
- ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge (bsc#1111666).
- ACPI: OSL: only free map once in osl.c (bsc#1051510).
- ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 (bsc#1051510).
- ACPICA: Never run _REG on system_memory and system_IO (bsc#1051510).
- ACPICA: Use %d for signed int print formatting instead of %u (bsc#1051510).
- ALSA: 6fire: Drop the dead code (git-fixes).
- ALSA: cs4236: fix error return comparison of an unsigned integer (git-fixes).
- ALSA: echoaudio: simplify get_audio_levels (bsc#1051510).
- ALSA: fireface: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: firewire-motu: Correct a typo in the clock proc string (git-fixes).
- ALSA: hda - Add mute led support for HP ProBook 645 G4 (git-fixes).
- ALSA: hda - Fix pending unsol events at shutdown (git-fixes).
- ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen (git-fixes).
- ALSA: hda/hdmi - Add new pci ids for AMD GPU display audio (git-fixes).
- ALSA: hda/hdmi - Clear codec->relaxed_resume flag at unbinding (git-fixes).
- ALSA: hda/hdmi - Fix duplicate unref of pci_dev (bsc#1051510).
- ALSA: hda/hdmi - fix vgaswitcheroo detection for AMD (git-fixes).
- ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 (git-fixes).
- ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC (git-fixes).
- ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (git-fixes).
- ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G (git-fixes).
- ALSA: hda/realtek - Line-out jack does not work on a Dell AIO (bsc#1051510).
- ALSA: hda/realtek - Move some alc236 pintbls to fallback table (git-fixes).
- ALSA: hda/realtek - Move some alc256 pintbls to fallback table (git-fixes).
- ALSA: hda: hdmi - fix port numbering for ICL and TGL platforms (git-fixes).
- ALSA: hda: hdmi - remove redundant code comments (git-fixes).
- ALSA: i2c/cs8427: Fix int to char conversion (bsc#1051510).
- ALSA: oxfw: fix return value in error path of isochronous resources reservation (bsc#1051510).
- ALSA: pcm: Yet another missing check of non-cached buffer type (bsc#1111666).
- ALSA: pcm: oss: Avoid potential buffer overflows (git-fixes).
- ALSA: usb-audio: Add skip_validation option (git-fixes).
- ALSA: usb-audio: Fix Focusrite Scarlett 6i6 gen1 - input handling (git-fixes).
- ALSA: usb-audio: Fix NULL dereference at parsing BADD (git-fixes).
- ALSA: usb-audio: sound: usb: usb true/false for bool return type (git-fixes).
- ASoC: compress: fix unsigned integer overflow check (bsc#1051510).
- ASoC: tegra_sgtl5000: fix device_node refcounting (bsc#1051510).
- Bluetooth: Fix invalid-free in bcsp_close() (git-fixes).
- Bluetooth: Fix memory leak in hci_connect_le_scan (bsc#1051510).
- Bluetooth: btusb: fix PM leak in error case of setup (bsc#1051510).
- Bluetooth: delete a stray unlock (bsc#1051510).
- Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading (bsc#1051510).
- Bluetooth: hci_core: fix init for HCI_USER_CHANNEL (bsc#1051510).
- CIFS: Fix SMB2 oplock break processing (bsc#1144333, bsc#1154355).
- CIFS: Fix oplock handling for SMB 2.1+ protocols (bsc#1144333, bsc#1154355).
- CIFS: Fix retry mid list corruption on reconnects (bsc#1144333, bsc#1154355).
- CIFS: Fix use after free of file info structures (bsc#1144333, bsc#1154355).
- CIFS: Force reval dentry if LOOKUP_REVAL flag is set (bsc#1144333, bsc#1154355).
- CIFS: Force revalidate inode when dentry is stale (bsc#1144333, bsc#1154355).
- CIFS: Gracefully handle QueryInfo errors during open (bsc#1144333, bsc#1154355).
- CIFS: avoid using MID 0xFFFF (bsc#1144333, bsc#1154355).
- CIFS: fix max ea value size (bsc#1144333, bsc#1154355).
- Documentation: debugfs: Document debugfs helper for unsigned long values (git-fixes).
- Documentation: x86: convert protection-keys.txt to reST (bsc#1078248).
- EDAC/ghes: Fix locking and memory barrier issues (bsc#1114279). EDAC/ghes: Do not warn when incrementing refcount on 0 (bsc#1114279).
- Fix patches.suse/suse_msi_set_irq_unmanaged.patch (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461, bsc#1119465, bsc#1138190, bsc#1154905). The added code was only active with CONFIG_HYPERV=y. Adjust the condition to cover also CONFIG_HYPERV=m.
- HID: Add ASUS T100CHI keyboard dock battery quirks (bsc#1051510).
- HID: Add quirk for Microsoft PIXART OEM mouse (bsc#1051510).
- HID: Fix assumption that devices have inputs (git-fixes).
- HID: asus: Add T100CHI bluetooth keyboard dock special keys mapping (bsc#1051510).
- HID: doc: fix wrong data structure reference for UHID_OUTPUT (bsc#1051510).
- HID: intel-ish-hid: fixes incorrect error handling (bsc#1051510).
- Input: silead - try firmware reload after unsuccessful resume (bsc#1051510).
- Input: st1232 - set INPUT_PROP_DIRECT property (bsc#1051510).
- KVM: SVM: Guard against DEACTIVATE when performing WBINVD/DF_FLUSH (bsc#1114279).
- KVM: SVM: Serialize access to the SEV ASID bitmap (bsc#1114279).
- KVM: VMX: Consider PID.PIR to determine if vCPU has pending interrupts (bsc#1158064).
- KVM: VMX: Fix conditions for guest IA32_XSS support (bsc#1158065).
- KVM: s390: fix __insn32_query() inline assembly (git-fixes).
- KVM: s390: vsie: Do not shadow CRYCB when no AP and no keys (git-fixes).
- KVM: s390: vsie: Return correct values for Invalid CRYCB format (git-fixes).
- KVM: x86/mmu: Take slots_lock when using kvm_mmu_zap_all_fast() (bsc#1158067).
- KVM: x86: Introduce vcpu->arch.xsaves_enabled (bsc#1158066).
- KVM: x86: Remove a spurious export of a static function (bsc#1158954).
- PCI/MSI: Fix incorrect MSI-X masking on resume (bsc#1051510).
- PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity() (bsc#1051510).
- PCI/PM: Clear PCIe PME Status even for legacy power management (bsc#1111666).
- PCI/PME: Fix possible use-after-free on remove (git-fixes).
- PCI/PTM: Remove spurious 'd' from granularity message (bsc#1051510).
- PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3 (bsc#1051510).
- PCI: Fix Intel ACS quirk UPDCR register address (bsc#1051510).
- PCI: dwc: Fix find_next_bit() usage (bsc#1051510).
- PCI: pciehp: Avoid returning prematurely from sysfs requests (git-fixes).
- PCI: pciehp: Do not disable interrupt twice on suspend (bsc#1111666).
- PCI: rcar: Fix missing MACCTLR register setting in initialization sequence (bsc#1051510).
- PCI: sysfs: Ignore lockdep for remove attribute (git-fixes).
- PCI: tegra: Enable Relaxed Ordering only for Tegra20 and Tegra30 (git-fixes).
- PM / AVS: SmartReflex: NULL check before some freeing functions is not needed (bsc#1051510).
- PM / Domains: Deal with multiple states but no governor in genpd (bsc#1051510).
- PM / devfreq: Check NULL governor in available_governors_show (git-fixes).
- PM / devfreq: Lock devfreq in trans_stat_show (git-fixes).
- PM / devfreq: exynos-bus: Correct clock enable sequence (bsc#1051510).
- PM / devfreq: passive: Use non-devm notifiers (bsc#1051510).
- PM / devfreq: passive: fix compiler warning (bsc#1051510).
- PM / hibernate: Check the success of generating md5 digest before hibernation (bsc#1051510).
- RDMA/bnxt_re: Enable SRIOV VF support on Broadcom's 57500 adapter series (bsc#1154916).
- RDMA/bnxt_re: Fix chip number validation Broadcom's Gen P5 series (bsc#1157895).
- RDMA/bnxt_re: Fix missing le16_to_cpu (bsc#1157895).
- RDMA/bnxt_re: Fix stat push into dma buffer on gen p5 devices (bsc#1157115)
- USB: chaoskey: fix error case of a timeout (git-fixes).
- USB: misc: appledisplay: fix backlight update_status return code (bsc#1051510).
- USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P (bsc#1051510).
- USB: serial: mos7720: fix remote wakeup (git-fixes).
- USB: serial: mos7840: add USB ID to support Moxa UPort 2210 (bsc#1051510).
- USB: serial: mos7840: fix remote wakeup (git-fixes).
- USB: serial: option: add support for DW5821e with eSIM support (bsc#1051510).
- USB: serial: option: add support for Foxconn T77W968 LTE modules (bsc#1051510).
- acpi/nfit, device-dax: Identify differentiated memory with a unique numa-node (bsc#1158071).
- appledisplay: fix error handling in the scheduled work (git-fixes).
- ata: ep93xx: Use proper enums for directions (bsc#1051510).
- ath10k: Correct error handling of dma_map_single() (bsc#1111666).
- ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem (bsc#1111666).
- ath10k: fix vdev-start timeout on error (bsc#1051510).
- ath6kl: Fix off by one error in scan completion (bsc#1051510).
- ath9k: fix reporting calculated new FFT upper max (bsc#1051510).
- ath9k_hw: fix uninitialized variable data (bsc#1051510).
- atl1e: checking the status of atl1e_write_phy_reg (bsc#1051510).
- audit: Allow auditd to set pid to 0 to end auditing (bsc#1158094).
- backlight: lm3639: Unconditionally call led_classdev_unregister (bsc#1051510).
- bnxt_en: Update firmware interface spec. to 1.10.0.89 (bsc#1157115)
- bnxt_en: Update firmware interface to 1.10.0.69 (bsc#1157115)
- bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack() (bsc#1083647).
- bpf: Make use of probe_user_write in probe write helper (bsc#1083647).
- brcmfmac: fix full timeout waiting for action frame on-channel tx (bsc#1051510).
- brcmfmac: reduce timeout for action frame scan (bsc#1051510).
- brcmfmac: set F2 watermark to 256 for 4373 (bsc#1111666).
- brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 (bsc#1111666).
- brcmsmac: AP mode: update beacon when TIM changes (bsc#1051510).
- brcmsmac: never log 'tid x is not agg'able' by default (bsc#1051510).
- can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open (bsc#1051510).
- can: peak_usb: report bus recovery as well (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM (bsc#1051510).
- can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors (bsc#1051510).
- cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces (bsc#1051510).
- cfg80211: call disconnect_wk when AP stops (bsc#1051510).
- cgroup,writeback: do not switch wbs immediately on dead wbs if the memcg is dead (bsc#1158645).
- cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bsc#1144333, bsc#1154355).
- cifs: Fix missed free operations (bsc#1144333, bsc#1154355).
- cifs: Use kzfree() to zero out the password (bsc#1144333, bsc#1154355).
- cifs: add a helper to find an existing readable handle to a file (bsc#1144333, bsc#1154355).
- cifs: create a helper to find a writeable handle by path name (bsc#1144333, bsc#1154355).
- cifs: move cifsFileInfo_put logic into a work-queue (bsc#1144333, bsc#1154355).
- cifs: prepare SMB2_Flush to be usable in compounds (bsc#1144333, bsc#1154355).
- cifs: set domainName when a domain-key is used in multiuser (bsc#1144333, bsc#1154355).
- cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic (bsc#1144333, bsc#1154355).
- cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#1144333, bsc#1154355).
- clk: pxa: fix one of the pxa RTC clocks (bsc#1051510).
- clk: samsung: Use clk_hw API for calling clk framework from clk notifiers (bsc#1051510).
- clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume (bsc#1051510).
- clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines (bsc#1051510).
- clocksource/drivers/sh_cmt: Fixup for 64-bit machines (bsc#1051510).
- compat_ioctl: handle SIOCOUTQNSD (bsc#1051510).
- cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() (bsc#1051510).
- cpufreq: Skip cpufreq resume if it's not suspended (bsc#1051510).
- cpufreq: intel_pstate: Register when ACPI PCCH is present (bsc#1051510).
- cpufreq: powernv: fix stack bloat and hard limit on number of CPUs (bsc#1051510).
- cpufreq: ti-cpufreq: add missing of_node_put() (bsc#1051510).
- cpupower : Fix cpupower working when cpu0 is offline (bsc#1051510).
- cpupower : frequency-set -r option misses the last cpu in related cpu list (bsc#1051510).
- cpupower: Fix coredump on VMWare (bsc#1051510).
- crypto: af_alg - cast ki_complete ternary op to int (bsc#1051510).
- crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr (bsc#1051510).
- crypto: ecdh - fix big endian bug in ECC library (bsc#1051510).
- crypto: geode-aes - switch to skcipher for cbc(aes) fallback (bsc#1051510).
- crypto: mxc-scc - fix build warnings on ARM64 (bsc#1051510).
- crypto: mxs-dcp - Fix AES issues (bsc#1051510).
- crypto: mxs-dcp - Fix SHA null hashes and output length (bsc#1051510).
- crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static (bsc#1051510).
- crypto: tgr192 - remove unneeded semicolon (bsc#1051510).
- cw1200: Fix a signedness bug in cw1200_load_firmware() (bsc#1051510).
- cxgb4: fix panic when attaching to ULD fail (networking-stable-19_11_05).
- dccp: do not leak jiffies on the wire (networking-stable-19_11_05).
- dlm: do not leak kernel pointer to userspace (bsc#1051510).
- dlm: fix invalid free (bsc#1051510).
- dma-buf: Fix memory leak in sync_file_merge() (git-fixes).
- dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction (bsc#1051510).
- dmaengine: imx-sdma: fix use-after-free on probe error path (bsc#1051510).
- dmaengine: rcar-dmac: set scatter/gather max segment size (bsc#1051510).
- dmaengine: timb_dma: Use proper enum in td_prep_slave_sg (bsc#1051510).
- docs: move protection-keys.rst to the core-api book (bsc#1078248).
- drivers/base/platform.c: kmemleak ignore a known leak (bsc#1051510).
- drivers/regulator: fix a missing check of return value (bsc#1051510).
- drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported (bsc#1113956)
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1111666).
- drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2 (bsc#1114279)
- drm/i915/gvt: fix dropping obj reference twice (bsc#1111666).
- drm/i915/pmu: 'Frequency' is reported as accumulated cycles (bsc#1112178)
- drm/i915: Do not dereference request if it may have been retired when (bsc#1142635)
- drm/i915: Fix and improve MCR selection logic (bsc#1112178)
- drm/i915: Lock the engine while dumping the active request (bsc#1142635)
- drm/i915: Reacquire priolist cache after dropping the engine lock (bsc#1129770)
- drm/i915: Skip modeset for cdclk changes if possible (bsc#1156928).
- drm/msm: fix memleak on release (bsc#1111666).
- drm/msm: include linux/sched/task.h (bsc#1112178)
- drm/radeon: fix bad DMA from INTERRUPT_CNTL2 (git-fixes).
- drm/rockchip: Round up _before_ giving to the clock framework (bsc#1114279)
- drm: fix module name in edid_firmware log message (bsc#1113956)
- drm: panel-lvds: Potential Oops in probe error handling (bsc#1114279)
- e1000e: Add support for Comet Lake (bsc#1158533).
- e1000e: Add support for Tiger Lake (bsc#1158533).
- e1000e: Drop unnecessary __E1000_DOWN bit twiddling (bsc#1158049).
- e1000e: Increase pause and refresh time (bsc#1158533).
- e1000e: Use dev_get_drvdata where possible (bsc#1158049).
- e1000e: Use rtnl_lock to prevent race conditions between net and pci/pm (bsc#1158049).
- ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable (bsc#1158646).
- ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either (bsc#1158647).
- ext4: fix punch hole for inline_data file systems (bsc#1158640).
- ext4: update direct I/O read lock pattern for IOCB_NOWAIT (bsc#1158639).
- fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() (bsc#1051510).
- fbdev: sbuslib: use checked version of put_user() (bsc#1051510).
- sctp: Fix regression (bsc#1158082).
- ftrace: Introduce PERMANENT ftrace_ops flag (bsc#1120853).
- gpio: mpc8xxx: Do not overwrite default irq_set_type callback (bsc#1051510).
- gpio: syscon: Fix possible NULL ptr usage (bsc#1051510).
- gpiolib: acpi: Add Terra Pad 1061 to the run_edge_events_on_boot_blacklist (bsc#1051510).
- gsmi: Fix bug in append_to_eventlog sysfs handler (bsc#1051510).
- hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros (bsc#1051510).
- hwmon: (pwm-fan) Silence error on probe deferral (bsc#1051510).
- hwrng: omap - Fix RNG wait loop timeout (bsc#1051510).
- hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled (bsc#1051510).
- hwrng: stm32 - fix unbalanced pm_runtime_enable (bsc#1051510).
- hypfs: Fix error number left in struct pointer member (bsc#1051510).
- i2c: of: Try to find an I2C adapter matching the parent (bsc#1129770)
- i40e: enable X710 support (bsc#1151067).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Bound waits for device queries (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Fix completion structure initialization (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Serialize device queries (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- ibmvnic: Terminate waiting device threads after loss of service (bsc#1155689 ltc#182047).
- idr: Fix idr_alloc_u32 on 32-bit systems (bsc#1051510).
- iio: imu: adis16480: assign bias value only if operation succeeded (git-fixes).
- iio: imu: adis: assign read val in debugfs hook only if op successful (git-fixes).
- iio: imu: adis: assign value only if return code zero in read funcs (git-fixes).
- include/linux/bitrev.h: fix constant bitrev (bsc#1114279).
- inet: stop leaking jiffies on the wire (networking-stable-19_11_05).
- intel_th: Fix a double put_device() in error path (git-fixes).
- iomap: Fix pipe page leakage during splicing (bsc#1158651).
- iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros (bsc#1158063).
- ipmi: Do not allow device module unload when in use (bsc#1154768).
- ipv4: Return -ENETUNREACH if we can't create route but saddr is valid (networking-stable-19_10_24).
- iwlwifi: check kasprintf() return value (bsc#1051510).
- iwlwifi: mvm: do not send keys when entering D3 (bsc#1051510).
- iwlwifi: mvm: force TCM re-evaluation on TCM resume (bsc#1111666).
- iwlwifi: pcie: fix erroneous print (bsc#1111666).
- kABI fix for 'ipmi: Do not allow device module unload when in use' (bsc#1154768).
- kABI fixup alloc_dax_region (bsc#1158071).
- kABI workaround for ath10k last_wmi_vdev_start_status field (bsc#1051510).
- kABI workaround for struct mwifiex_power_cfg change (bsc#1051510).
- kABI: Fix for 'KVM: x86: Introduce vcpu->arch.xsaves_enabled' (bsc#1158066).
- kabi: s390: struct subchannel (git-fixes).
- kexec: bail out upon SIGKILL when allocating memory (git-fixes).
- libnvdimm: Export the target_node attribute for regions and namespaces (bsc#1158071).
- livepatch: Allow to distinguish different version of system state changes (bsc#1071995).
- livepatch: Basic API to track system state changes (bsc#1071995 ).
- livepatch: Keep replaced patches until post_patch callback is called (bsc#1071995).
- livepatch: Selftests of the API for tracking system state changes (bsc#1071995).
- loop: add ioctl for changing logical block size (bsc#1108043).
- loop: fix no-unmap write-zeroes request behavior (bsc#1158637).
- mISDN: Fix type of switch control variable in ctrl_teimanager (bsc#1051510).
- mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED (bsc#1051510).
- mac80211: fix station inactive_time shortly after boot (bsc#1051510).
- mac80211: minstrel: fix CCK rate group streams value (bsc#1051510).
- mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode (bsc#1051510).
- macvlan: schedule bc_work even if error (bsc#1051510).
- mailbox: mailbox-test: fix null pointer if no mmio (bsc#1051510).
- mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone (git-fixes).
- media: bdisp: fix memleak on release (git-fixes).
- media: cxusb: detect cxusb_ctrl_msg error in query (bsc#1051510).
- media: exynos4-is: Fix recursive locking in isp_video_release() (git-fixes).
- media: flexcop-usb: ensure -EIO is returned on error condition (git-fixes).
- media: imon: invalid dereference in imon_touch_event (bsc#1051510).
- media: isif: fix a NULL pointer dereference bug (bsc#1051510).
- media: ov6650: Fix control handler not freed on init error (git-fixes).
- media: pxa_camera: Fix check for pdev->dev.of_node (bsc#1051510).
- media: radio: wl1273: fix interrupt masking on release (git-fixes).
- media: ti-vpe: vpe: Fix Motion Vector vpdma stride (git-fixes).
- media: usbvision: Fix races among open, close, and disconnect (bsc#1051510).
- media: uvcvideo: Fix error path in control parsing failure (git-fixes).
- media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE (bsc#1051510).
- media: vim2m: Fix abort issue (git-fixes).
- media: vivid: Set vid_cap_streaming and vid_out_streaming to true (bsc#1051510).
- mei: bus: prefix device names on bus with the bus name (bsc#1051510).
- mei: fix modalias documentation (git-fixes).
- mei: samples: fix a signedness bug in amt_host_if_call() (bsc#1051510).
- mfd: intel-lpss: Add default I2C device properties for Gemini Lake (bsc#1051510).
- mfd: max8997: Enale irq-wakeup unconditionally (bsc#1051510).
- mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values (bsc#1051510).
- mfd: palmas: Assign the right powerhold mask for tps65917 (git-fixes).
- mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable (bsc#1051510).
- mlx5: add parameter to disable enhanced IPoIB (bsc#1142095)
- mm, memory_hotplug: do not clear numa_node association after hot_remove (bnc#1115026).
- mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() (git fixes (mm/gup)).
- mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new zone (git fixes (mm/compaction)).
- mm/debug.c: PageAnon() is true for PageKsm() pages (git fixes (mm/debug)).
- mmc: core: fix wl1251 sdio quirks (git-fixes).
- mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card (git-fixes).
- mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail (bsc#1051510).
- mmc: sdio: fix wl1251 vendor id (git-fixes).
- moduleparam: fix parameter description mismatch (bsc#1051510).
- mt7601u: fix bbp version check in mt7601u_wait_bbp_ready (bsc#1051510).
- mt76x0: init hw capabilities.
- mtd: spear_smi: Fix Write Burst mode (bsc#1051510).
- mtd: spi-nor: fix silent truncation in spi_nor_read() (bsc#1051510).
- mwifiex: Fix NL80211_TX_POWER_LIMITED (bsc#1051510).
- mwifiex: debugfs: correct histogram spacing, formatting (bsc#1051510).
- mwifiex: fix potential NULL dereference and use after free (bsc#1051510).
- nbd: prevent memory leak (bsc#1158638).
- net/ibmvnic: Fix typo in retry check (bsc#1155689 ltc#182047).
- net/ibmvnic: Ignore H_FUNCTION return from H_EOI to tolerate XIVE mode (bsc#1089644, ltc#166495, ltc#165544, git-fixes).
- net/mlx4_core: Dynamically set guaranteed amount of counters per VF (networking-stable-19_11_05).
- net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget (networking-stable-19_11_05).
- net/smc: Fix error path in smc_init (git-fixes).
- net/smc: Fix error path in smc_init (git-fixes).
- net/smc: avoid fallback in case of non-blocking connect (git-fixes).
- net/smc: avoid fallback in case of non-blocking connect (git-fixes).
- net/smc: do not schedule tx_work in SMC_CLOSED state (git-fixes).
- net/smc: fix SMCD link group creation with VLAN id (git-fixes).
- net/smc: fix closing of fallback SMC sockets (git-fixes).
- net/smc: fix closing of fallback SMC sockets (git-fixes).
- net/smc: fix ethernet interface refcounting (git-fixes).
- net/smc: fix ethernet interface refcounting (git-fixes).
- net/smc: fix fastopen for non-blocking connect() (git-fixes).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: fix refcounting for non-blocking connect() (git-fixes).
- net/smc: fix refcounting for non-blocking connect() (git-fixes).
- net/smc: keep vlan_id for SMC-R in smc_listen_work() (git-fixes).
- net/smc: keep vlan_id for SMC-R in smc_listen_work() (git-fixes).
- net/smc: original socket family in inet_sock_diag (git-fixes).
- net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() (networking-stable-19_11_05).
- net: add READ_ONCE() annotation in __skb_wait_for_more_packets() (networking-stable-19_11_05).
- net: add skb_queue_empty_lockless() (networking-stable-19_11_05).
- net: annotate accesses to sk->sk_incoming_cpu (networking-stable-19_11_05).
- net: annotate lockless accesses to sk->sk_napi_id (networking-stable-19_11_05).
- net: avoid potential infinite loop in tc_ctl_action() (networking-stable-19_10_24).
- net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 (networking-stable-19_10_24).
- net: bcmgenet: Set phydev->dev_flags only for internal PHYs (networking-stable-19_10_24).
- net: bcmgenet: reset 40nm EPHY on energy detect (networking-stable-19_11_05).
- net: dsa: b53: Do not clear existing mirrored port mask (networking-stable-19_11_05).
- net: dsa: bcm_sf2: Fix IMP setup for port different than 8 (networking-stable-19_11_05).
- net: dsa: fix switch tree list (networking-stable-19_11_05).
- net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum (networking-stable-19_11_05).
- net: fix sk_page_frag() recursion from memory reclaim (networking-stable-19_11_05).
- net: hisilicon: Fix ping latency when deal with high throughput (networking-stable-19_11_05).
- net: phy: Check against net_device being NULL (bsc#1051510).
- net: phy: Fix not to call phy_resume() if PHY is not attached (bsc#1051510).
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver (bsc#1051510).
- net: phy: at803x: Change error to EINVAL for invalid MAC (bsc#1051510).
- net: phy: broadcom: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: dp83867: Set up RGMII TX delay (bsc#1051510).
- net: phy: fixed_phy: Fix fixed_phy not checking GPIO (bsc#1051510).
- net: phy: marvell: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: marvell: clear wol event before setting it (bsc#1051510).
- net: phy: meson-gxl: check phy_write return value (bsc#1051510).
- net: phy: micrel: Use strlcpy() for ethtool::get_strings (bsc#1051510).
- net: phy: mscc: read 'vsc8531, edge-slowdown' as an u32 (bsc#1051510).
- net: phy: mscc: read 'vsc8531,vddmac' as an u32 (bsc#1051510).
- net: phy: xgene: disable clk on error paths (bsc#1051510).
- net: phy: xgmiitorgmii: Check phy_driver ready before accessing (bsc#1051510).
- net: phy: xgmiitorgmii: Check read_status results (bsc#1051510).
- net: phy: xgmiitorgmii: Support generic PHY status read (bsc#1051510).
- net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow (networking-stable-19_10_24).
- net: use skb_queue_empty_lockless() in busy poll contexts (networking-stable-19_11_05).
- net: use skb_queue_empty_lockless() in poll() handlers (networking-stable-19_11_05).
- net: wireless: ti: remove local VENDOR_ID and DEVICE_ID definitions (git-fixes).
- net: wireless: ti: wl1251 use new SDIO_VENDOR_ID_TI_WL1251 definition (git-fixes).
- netns: fix GFP flags in rtnl_net_notifyid() (networking-stable-19_11_05).
- nfc: port100: handle command failure cleanly (git-fixes).
- nl80211: Fix a GET_KEY reply attribute (bsc#1051510).
- ocfs2: fix panic due to ocfs2_wq is null (bsc#1158644).
- ocfs2: fix passing zero to 'PTR_ERR' warning (bsc#1158649).
- openvswitch: fix flow command message size (git-fixes).
- padata: use smp_mb in padata_reorder to avoid orphaned padata jobs (git-fixes).
- phy: phy-twl4030-usb: fix denied runtime access (git-fixes).
- pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call (git-fixes).
- pinctrl: at91: do not use the same irqchip with multiple gpiochips (git-fixes).
- pinctrl: lewisburg: Update pin list according to v1.1v6 (bsc#1051510).
- pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT (bsc#1051510).
- pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init (bsc#1051510).
- pinctrl: samsung: Fix device node refcount leaks in init code (bsc#1051510).
- pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()' (bsc#1051510).
- pinctrl: xway: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD (bsc#1051510).
- pktcdvd: remove warning on attempting to register non-passthrough dev (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size (bsc#1051510).
- platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer (bsc#1051510).
- powerpc/book3s64/hash: Use secondary hash for bolted mapping if the primary is full (bsc#1157778 ltc#182520).
- powerpc/bpf: Fix tail call implementation (bsc#1157698).
- powerpc/pseries/mobility: notify network peers after migration (bsc#1152631 ltc#181798).
- powerpc/pseries: Do not fail hash page table insert for bolted mapping (bsc#1157778 ltc#182520).
- powerpc/pseries: Do not opencode HPTE_V_BOLTED (bsc#1157778 ltc#182520).
- ppdev: fix PPGETTIME/PPSETTIME ioctls (bsc#1051510).
- printk: Export console_printk (bsc#1071995).
- pwm: Clear chip_data in pwm_put() (bsc#1051510).
- pwm: clps711x: Fix period calculation (bsc#1051510).
- pwm: lpss: Only set update bit if we are actually changing the settings (bsc#1051510).
- r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 (networking-stable-19_11_05).
- regulator: ab8500: Remove AB8505 USB regulator (bsc#1051510).
- regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id (bsc#1051510).
- regulator: tps65910: fix a missing check of return value (bsc#1051510).
- remoteproc: Check for NULL firmwares in sysfs interface (git-fixes).
- reset: Fix potential use-after-free in __of_reset_control_get() (bsc#1051510).
- reset: fix of_reset_simple_xlate kerneldoc comment (bsc#1051510).
- reset: fix reset_control_get_exclusive kerneldoc comment (bsc#1051510).
- reset: fix reset_control_ops kerneldoc comment (bsc#1051510).
- resource: fix locking in find_next_iomem_res() (bsc#1114279).
- rpm/kernel-binary.spec.in: add COMPRESS_VMLINUX (bnc#1155921) Let COMPRESS_VMLINUX determine the compression used for vmlinux. By default (historically), it is gz.
- rpm/kernel-source.spec.in: Fix dependency of kernel-devel (bsc#1154043)
- rt2800: remove errornous duplicate condition (git-fixes).
- rtl818x: fix potential use after free (bsc#1051510).
- rtlwifi: Remove unnecessary NULL check in rtl_regd_init (bsc#1051510).
- rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface (bsc#1111666).
- rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (bsc#1111666).
- rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address (bsc#1051510).
- rtlwifi: rtl8192de: Fix missing enable interrupt flag (bsc#1051510).
- s390/bpf: fix lcgr instruction encoding (bsc#1051510).
- s390/bpf: use 32-bit index for tail calls (bsc#1051510).
- s390/cio: avoid calling strlen on null pointer (bsc#1051510).
- s390/cio: exclude subchannels with no parent from pseudo check (bsc#1051510).
- s390/cio: fix virtio-ccw DMA without PV (git-fixes).
- s390/cmm: fix information leak in cmm_timeout_handler() (bsc#1051510).
- s390/idle: fix cpu idle time calculation (bsc#1051510).
- s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported (bsc#1051510).
- s390/process: avoid potential reading of freed stack (bsc#1051510).
- s390/qdio: (re-)initialize tiqdio list entries (bsc#1051510).
- s390/qdio: do not touch the dsci in tiqdio_add_input_queues() (bsc#1051510).
- s390/qeth: clean up page frag creation (git-fixes).
- s390/qeth: consolidate skb allocation (git-fixes).
- s390/qeth: ensure linear access to packet headers (git-fixes).
- s390/qeth: guard against runt packets (git-fixes).
- s390/qeth: return proper errno on IO error (bsc#1051510).
- s390/setup: fix boot crash for machine without EDAT-1 (bsc#1051510 bsc#1140948).
- s390/setup: fix early warning messages (bsc#1051510 bsc#1140948).
- s390/topology: avoid firing events before kobjs are created (bsc#1051510).
- s390/zcrypt: fix memleak at release (git-fixes).
- s390: fix stfle zero padding (bsc#1051510).
- s390: vsie: Use effective CRYCBD.31 to check CRYCBD validity (git-fixes).
- sched/fair: Add tmp_alone_branch assertion (bnc#1156462).
- sched/fair: Fix O(nr_cgroups) in the load balancing path (bnc#1156462).
- sched/fair: Fix insertion in rq->leaf_cfs_rq_list (bnc#1156462).
- sched/fair: Optimize update_blocked_averages() (bnc#1156462).
- sched/fair: WARN() and refuse to set buddy when !se->on_rq (bsc#1158132).
- scsi: lpfc: use hdwq assigned cpu for allocation (bsc#1157160).
- scsi: qla2xxx: Add debug dump of LOGO payload and ELS IOCB (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Added support for MPI and PEP regions for ISP28XX (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Allow PLOGI in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Change discovery state before PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Configure local loop for N2N target (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Correctly retrieve and interpret active flash region (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Do not call qlt_async_event twice (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Do not defer relogin unconditonally (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Drop superfluous INIT_WORK of del_work (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Fix incorrect SFUB length used for Secure Flash Update MB Cmd (bsc#1157424, bsc#1157908, bsc#1157169, bsc#1151548).
- scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Ignore NULL pointer in tcm_qla2xxx_free_mcmd (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Initialize free_work before flushing it (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Send Notify ACK after N2N PLOGI (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: Use correct number of vectors for online CPUs (bsc#1137223).
- scsi: qla2xxx: Use explicit LOGO in target mode (bsc#1157424, bsc#1157908. bsc#1117169, bsc#1151548).
- scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan (bsc#1138039).
- scsi: qla2xxx: unregister ports after GPN_FT failure (bsc#1138039).
- scsi: zfcp: fix request object use-after-free in send path causing wrong traces (bsc#1051510).
- scsi: zfcp: trace channel log even for FCP command responses (git-fixes).
- sctp: change sctp_prot .no_autobind with true (networking-stable-19_10_24).
- selftests: net: reuseport_dualstack: fix uninitalized parameter (networking-stable-19_11_05).
- serial: max310x: Fix tx_empty() callback (bsc#1051510).
- signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal (bsc#1157463).
- slip: Fix use-after-free Read in slip_open (bsc#1051510).
- smb3: Incorrect size for netname negotiate context (bsc#1144333, bsc#1154355).
- smb3: fix leak in 'open on server' perf counter (bsc#1144333, bsc#1154355).
- smb3: fix signing verification of large reads (bsc#1144333, bsc#1154355).
- smb3: fix unmount hang in open_shroot (bsc#1144333, bsc#1154355).
- smb3: improve handling of share deleted (and share recreated) (bsc#1144333, bsc#1154355).
- spi: atmel: Fix CS high support (bsc#1051510).
- spi: atmel: fix handling of cs_change set on non-last xfer (bsc#1051510).
- spi: fsl-lpspi: Prevent FIFO under/overrun by default (bsc#1051510).
- spi: mediatek: use correct mata->xfer_len when in fifo transfer (bsc#1051510).
- spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch (bsc#1051510).
- spi: omap2-mcspi: Set FIFO DMA trigger level to word length (bsc#1051510).
- spi: rockchip: initialize dma_slave_config properly (bsc#1051510).
- spi: spidev: Fix OF tree warning logic (bsc#1051510).
- staging: rtl8192e: fix potential use after free (bsc#1051510).
- staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids (bsc#1051510).
- staging: rtl8723bs: Drop ACPI device ids (bsc#1051510).
- stm class: Fix a double free of stm_source_device (bsc#1051510).
- supported.conf:
- synclink_gt(): fix compat_ioctl() (bsc#1051510).
- tcp_nv: fix potential integer overflow in tcpnv_acked (bsc#1051510).
- thermal: Fix deadlock in thermal thermal_zone_device_check (bsc#1051510).
- thunderbolt: Fix lockdep circular locking depedency warning (git-fixes).
- tipc: Avoid copying bytes beyond the supplied data (bsc#1051510).
- tipc: check bearer name with right length in tipc_nl_compat_bearer_enable (bsc#1051510).
- tipc: check link name with right length in tipc_nl_compat_link_set (bsc#1051510).
- tipc: check msg->req data len in tipc_nl_compat_bearer_disable (bsc#1051510).
- tipc: compat: allow tipc commands without arguments (bsc#1051510).
- tipc: fix a missing check of genlmsg_put (bsc#1051510).
- tipc: fix link name length check (bsc#1051510).
- tipc: fix link name length check (git-fixes).
- tipc: fix memory leak in tipc_nl_compat_publ_dump (bsc#1051510).
- tipc: fix skb may be leaky in tipc_link_input (bsc#1051510).
- tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path (bsc#1051510).
- tipc: fix wrong timeout input for tipc_wait_for_cond() (bsc#1051510).
- tipc: handle the err returned from cmd header function (bsc#1051510).
- tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb (bsc#1051510).
- tipc: tipc clang warning (bsc#1051510).
- tools/power/x86/intel-speed-select: Fix a read overflow in isst_set_tdp_level_msr() (bsc#1111666).
- tpm: add check after commands attribs tab allocation (bsc#1051510).
- tty: serial: fsl_lpuart: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: imx: use the sg count from dma_map_sg (bsc#1051510).
- tty: serial: msm_serial: Fix flow control (bsc#1051510).
- tty: serial: pch_uart: correct usage of dma_unmap_sg (bsc#1051510).
- tun: fix data-race in gro_normal_list() (bsc#1111666).
- uaccess: Add non-pagefault user-space write function (bsc#1083647).
- ubifs: Correctly initialize c->min_log_bytes (bsc#1158641).
- ubifs: Limit the number of pages in shrink_liability (bsc#1158643).
- udp: use skb_queue_empty_lockless() (networking-stable-19_11_05).
- usb-serial: cp201x: support Mark-10 digital force gauge (bsc#1051510).
- usb: dwc3: gadget: Check ENBLSLPM before sending ep command (bsc#1051510).
- usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() (bsc#1051510).
- usbip: tools: fix fd leakage in the function of read_attr_usbip_status (git-fixes).
- vfio-ccw: Fix misleading comment when setting orb.cmd.c64 (bsc#1051510).
- vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn (bsc#1051510).
- vfio: ccw: push down unsupported IDA check (bsc#1156471 LTC#182362).
- vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 (bsc#1051510).
- video/hdmi: Fix AVI bar unpack (git-fixes).
- video: backlight: Add devres versions of of_find_backlight (bsc#1090888) Taken for 6010831dde5.
- video: backlight: Add of_find_backlight helper in backlight.c (bsc#1090888) Taken for 6010831dde5.
- virtio/s390: fix race on airq_areas (bsc#1051510).
- virtio_console: allocate inbufs in add_port() only if it is needed (git-fixes).
- virtio_ring: fix return code on DMA mapping fails (git-fixes).
- vmxnet3: turn off lro when rxcsum is disabled (bsc#1157499).
- vsock/virtio: fix sock refcnt holding during the shutdown (git-fixes).
- watchdog: meson: Fix the wrong value of left time (bsc#1051510).
- watchdog: sama5d4: fix WDD value to be always set to max (bsc#1051510).
- wil6210: fix L2 RX status handling (bsc#1111666).
- wil6210: fix RGF_CAF_ICR address for Talyn-MB (bsc#1111666).
- wil6210: fix debugfs memory access alignment (bsc#1111666).
- wil6210: fix locking in wmi_call (bsc#1111666).
- x86/alternatives: Add int3_emulate_call() selftest (bsc#1153811).
- x86/alternatives: Fix int3_emulate_call() selftest stack corruption (bsc#1153811).
- x86/mm/pkeys: Fix typo in Documentation/x86/protection-keys.txt (bsc#1078248).
- x86/pkeys: Update documentation about availability (bsc#1078248).
- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs (bsc#1158068).
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1114279).
- x86/speculation: Fix redundant MDS mitigation message (bsc#1114279).
- xfs: Sanity check flags of Q_XQUOTARM call (bsc#1158652).
- temporarily disable debug_pagealloc (bsc#1159096).


-----------------------------------------
Patch: SUSE-2020-3
Released: Thu Jan  2 12:29:36 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1153889,1157709
Description:
This update for resource-agents fixes the following issues:

- The incorrect condition results in a non-sense call of the info command which is where the unexpected messages come from. (bsc#1153889)
- Fixed readlink output when a mountpoint did not exist (bsc#1157709)


-----------------------------------------
Patch: SUSE-2020-7
Released: Thu Jan  2 12:33:26 2020
Summary: Recommended update for tuned
Severity: moderate
References: 1139249
Description:
This update for tuned fixes the following issues:

- Add support for xen related disks. (bsc#1139249)


-----------------------------------------
Patch: SUSE-2020-11
Released: Thu Jan  2 12:35:41 2020
Summary: Recommended update for pacemaker
Severity: moderate
References: 1151007
Description:
This update for pacemaker fixes the following issues:

- Fixes and improvements for fencer. (bsc#1151007)
  - Indicate fencing target in the logs when scheduling and executing fencing command and improved log messages. 
  - Make sure concurrent fencing commands get triggered to execute.
  - Other commands and actions cannot be blocked by pending on the fencing.
  - No need to check the length of a non-empty list for pending fencing actions. 
 

-----------------------------------------
Patch: SUSE-2020-26
Released: Tue Jan  7 13:53:59 2020
Summary: Security update for sysstat
Severity: moderate
References: 1144923,1159104,CVE-2019-19725,SLE-5958
Description:
This update for sysstat fixes the following issues:

Security issue fixed:                                                                                                                                                               
                                                                                                                                                                                   
- CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).                                                                                    

Bug fixes:

- Enable log information of starting/stoping services. (bsc#1144923, jsc#SLE-5958)


-----------------------------------------
Patch: SUSE-2020-28
Released: Tue Jan  7 15:10:53 2020
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1158809,CVE-2019-1551
Description:
This update for openssl-1_0_0 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).


-----------------------------------------
Patch: SUSE-2020-30
Released: Tue Jan  7 16:08:36 2020
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1135592,1144282,1157117,1157190
Description:
This update for cloud-netconfig contains the following fixes:

- Removed obsolete Group tag from spec file.

- Update to version 1.3:
  + Fix IPv4 address handling on secondary NICs in Azure.

- Update to version 1.2:
  + support AWS IMDSv2 token.

- Update to version 1.1
  + fix use of GATEWAY variable. (bsc#1157117, bsc#1157190)
  + remove secondary IPv4 address only when added by cloud-netconfig. (bsc#1144282)
  + simplify routing setup for single NIC systems (partly fixes bsc#1135592)


-----------------------------------------
Patch: SUSE-2020-51
Released: Thu Jan  9 09:36:17 2020
Summary: Security update for java-1_7_1-ibm
Severity: moderate
References: 1154212,1158442,CVE-2019-2933,CVE-2019-2945,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999
Description:
This update for java-1_7_1-ibm fixes the following issues:

- Update to 7.1 Service Refresh 4 Fix Pack 55 [bsc#1158442, bsc#1154212]
  * Security fixes:
    CVE-2019-2933 CVE-2019-2945 CVE-2019-2962 CVE-2019-2964
    CVE-2019-2978 CVE-2019-2983 CVE-2019-2989 CVE-2019-2992
    CVE-2019-2999 CVE-2019-2973 CVE-2019-2981


-----------------------------------------
Patch: SUSE-2020-79
Released: Mon Jan 13 10:37:34 2020
Summary: Security update for libzypp
Severity: moderate
References: 1158763,CVE-2019-18900
Description:
This update for libzypp fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).


-----------------------------------------
Patch: SUSE-2020-83
Released: Mon Jan 13 11:14:43 2020
Summary: Recommended update for drbd
Severity: moderate
References: 1154084
Description:
This update for drbd fixes the following issues:

- Fix for potential double call of drbd backing device. (bsc#1154084) 


-----------------------------------------
Patch: SUSE-2020-84
Released: Mon Jan 13 13:35:35 2020
Summary: Recommended update for hawk2
Severity: moderate
References: 1158681
Description:
This update for hawk2 fixes the following issues:

- Fix the 'acl_version' method when parsing the cib.xml avoid hanging of HAWK2 (bsc#1158681)


-----------------------------------------
Patch: SUSE-2020-88
Released: Mon Jan 13 15:47:05 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322,1158527,1159819,CVE-2019-11745,CVE-2019-17006
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.


-----------------------------------------
Patch: SUSE-2020-98
Released: Tue Jan 14 13:42:15 2020
Summary: Recommended update for gcc48
Severity: low
References: 1071995
Description:

This update for gcc48 fixes the following issues:

- Add changes needed for SLE15 live patching. (bsc#1071995, fate#323487)
- Provide .ipa-clones dump files. (bsc#1071995, fate#323487)



-----------------------------------------
Patch: SUSE-2020-102
Released: Tue Jan 14 16:25:22 2020
Summary: Security update for man
Severity: moderate
References: 1159105
Description:
This update for man fixes the following issues:

- Skip using 'safe-rm' in cron job below cache directory (bsc#1159105).


-----------------------------------------
Patch: SUSE-2020-106
Released: Wed Jan 15 12:50:55 2020
Summary: Recommended update for libgcrypt
Severity: important
References: 1155338,1155339
Description:
This update for libgcrypt fixes the following issues:

- Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
- Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)


-----------------------------------------
Patch: SUSE-2020-131
Released: Mon Jan 20 09:21:41 2020
Summary: Security update for libssh
Severity: important
References: 1158095,CVE-2019-14889
Description:
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).


-----------------------------------------
Patch: SUSE-2020-137
Released: Mon Jan 20 09:55:42 2020
Summary: Recommended update for sbd
Severity: moderate
References: 1140065,1148236,1150429
Description:
This update for sbd fixes the following issues:
	  
- Add a warning log if failed to open/read device on startup. (bsc#1150429)
- Log detailed errors for monitor failures. (bsc#1148236)
- List/dump failures go to 'stderr'. (bsc#1148236)
- Rebase patch for fixing sbd cluster for disconnection cmap exit. (bsc#1140065)


-----------------------------------------
Patch: SUSE-2020-141
Released: Mon Jan 20 11:47:57 2020
Summary: Recommended update for autoyast2
Severity: moderate
References: 1155576,1156567,1156905,1159157
Description:
This update for autoyast2 fixes the following issues:

- Warn the user if no partition has been found due the given 'skip_list' list. (bsc#1155576)
- Add YaST-AutoInstSchema 'firstboot.rnc' to the desktop file to avoid error on profile validation during checking autoyast custom scripts. (bsc#1156905)    
- Consider extended partitions when trying to figure out whether the partitioning layout described in the profile fits. (bsc#1156567).
- Report XML parsing errors instead of just crashing. (bsc#1159157)
  

-----------------------------------------
Patch: SUSE-2020-144
Released: Mon Jan 20 17:44:07 2020
Summary: Recommended update for yast2-iscsi-client
Severity: moderate
References: 1157349
Description:
This update for yast2-iscsi-client fixes the following issues:

- Fix detection of service current status (bsc#1157349).


-----------------------------------------
Patch: SUSE-2020-146
Released: Tue Jan 21 09:58:42 2020
Summary: Security update for Mesa
Severity: moderate
References: 1156015,CVE-2019-5068
Description:
This update for Mesa fixes the following issues:

Security issue fixed:

- CVE-2019-5068: Fixed exploitable shared memory permissions vulnerability (bsc#1156015).


-----------------------------------------
Patch: SUSE-2020-152
Released: Tue Jan 21 17:24:48 2020
Summary: Security update for samba
Severity: moderate
References: 1160888,CVE-2019-14907
Description:
This update for samba fixes the following issues:

- CVE-2019-14907: Fixed a Server-side crash after charset conversion failure during NTLMSSP processing (bsc#1160888).


-----------------------------------------
Patch: SUSE-2020-219
Released: Thu Jan 23 13:59:37 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1137130
Description:
This update for resource-agents fixes the following issues:

- Fix the CTDB resource agent for use by Samba 4.9.0 and later (bsc#1137130)


-----------------------------------------
Patch: SUSE-2020-227
Released: Fri Jan 24 09:24:11 2020
Summary: Recommended update for aaa_base
Severity: moderate
References: 1084934,1115020,1118364,1128246,1149127,1157794,910904
Description:
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc that is replace up-history with
 previous-history, down-history with next-history and backward-delete-word with
 backward-kill-word. (bsc#1084934)
- Reduces the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
- Update logic for JRE_HOME variable. (bsc#1128246)
- Restore old position of ssh/sudo source of profile. (bsc#1118364)
- Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
- Generalize testing for JVM system variables supporting other shells when creating the java path. (boo#1157794)


-----------------------------------------
Patch: SUSE-2020-244
Released: Tue Jan 28 09:42:21 2020
Summary: Recommended update for cloud-init
Severity: moderate
References: 1155376,1156139,1157894,1161132,1161133
Description:
This update for cloud-init fixes the following issues:

- Fixed an issue where it was not possible to add SSH keys and thus it was not possible to
  log into the system (bsc#1161132, bsc#1161133)
- Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139)
- The route's destination network will now be written in CIDR notation. This provides support
  for correctly recording IPv6 routes (bsc#1155376)
- Many smaller fixes came with this package as well. For a full list of all changes, refer to the
  rpm's changes file.

-----------------------------------------
Patch: SUSE-2020-246
Released: Tue Jan 28 10:18:21 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1127095,1127096,1129462,1144241,1145520,1154163
Description:
This update for crmsh fixes the following issues:

- Fix for 'corosync': Reject append ipaddress to config file if already that has one. (bsc#1127095, bsc#1127096)
- Fix for 'ui_cluster': Refactoring function 'list_cluster_nodes' and handle the 'None situation'. (bsc#1145520)
- Fix for 'ui_resource': Set failcount correctly and clean it properly. (bsc#1144241)
- Fix for 'crmsh.spec': Due to regression test using mktemp to create tmp file. (bsc#1154163)
- Fix for 'bootstrap': Set the placement-strategy value as 'default' instead of 'balanced' and let the VM controlled by pacemaker. (bsc#1129462)


-----------------------------------------
Patch: SUSE-2020-251
Released: Tue Jan 28 16:34:40 2020
Summary: Security update for aws-cli
Severity: moderate
References: 1092493,1105988,1118021,1118024,1118099,CVE-2018-15869
Description:
This update for aws-cli to version 1.16.297 fixes the following issues:

Security issue fixed:

- CVE-2018-15869: Fixed an permission handling issue where an unexpected AMI could potentially be used (bsc#1105988).

Non-security issues fixed:

- Fixed an issue with the CLI client, where a ModuleNotFoundError was triggered (bsc#1092493).


-----------------------------------------
Patch: SUSE-2020-257
Released: Thu Jan 30 07:21:18 2020
Summary: Recommended update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
Severity: moderate
References: 1054413,1065275,1073879
Description:

This update for python-tabulate, python-py, python-cryptography, python-pyOpenSSL
brings updates for use by Azure Client Tools.

- python-tabulate: shipped also as python3 variant.
- python-cryptography: updated to 1.7.2
- python-py: updated to 1.5.2
- python-pyOpenSSL: updated to 17.0.0

  

-----------------------------------------
Patch: SUSE-2020-259
Released: Thu Jan 30 08:54:11 2020
Summary: Recommended update for kdump
Severity: important
References: 1021484,1021846,1036223,1047609,1047634,1068234,1080953,1094444,1101149,1102252,1108919,1116463,1117652,1125011,1133407,1141064
Description:
This update for kdump fixes the following issues:

- Fixes an issue where the OS might be hanging when triggering kdump over a USB disk (bsc#1101149)
- Fixes an issue where kdump failed when a crash is triggered after CPU hot removal (bsc#1133407)
- Fixes an issue where kdump could not be used on mounted nfs paths (bsc#1094444, bsc#1116463, bsc#1141064)
- Fixes an issue where kdump crashed after booting the OS (bsc#1021484, bsc#1080953)
- Added ':force' as an option to KDUMP_NETCONFIG to force network setup in kdump. This is needed
  to configure fence_kdump (bsc#1108919)
- Improved the handling of NSS (bsc#1021846)
- Fixes an issue where the kdump mount points were not unmounted before switching to system root. This
  could lead to devices being busy during system shutdown (bsc#1102252, bsc#1125011)


-----------------------------------------
Patch: SUSE-2020-272
Released: Thu Jan 30 16:15:18 2020
Summary: Recommended update for ldb
Severity: moderate
References: 1161417
Description:

This update for ldb fixes the following issue:

- ship the ldb-tools package. (bsc#1161417)
  

-----------------------------------------
Patch: SUSE-2020-307
Released: Mon Feb  3 17:16:50 2020
Summary: Recommended update for SAPHanaSR
Severity: moderate
References: 1155423,1156067,1156150,1157453
Description:
This update for SAPHanaSR fixes the following issues:

- Restart sapstartsrv service on master nameserver node during monitor action, if needed. But NOT during probes. (bsc#1157453, bsc#1156150)
- The SAPHana resource agent must not down-score a SAP HANA Database site, but keep high scoring during recovery of the master name server. (bsc#1156067)
- Change HAWK2 templates to python3. (bsc#1155423)


-----------------------------------------
Patch: SUSE-2020-308
Released: Mon Feb  3 17:21:38 2020
Summary: Recommended update for lvm2
Severity: moderate
References: 1150021,1155668
Description:
This update for lvm2 fixes the following issues:

- Fix LVM Metadata Error: Error writing device at 4096 length 512 (bsc#1150021).
- Fix seeing a 90 Second delay on shutdown and reboot (bsc#1155668).
 


-----------------------------------------
Patch: SUSE-2020-313
Released: Tue Feb  4 13:13:43 2020
Summary: Recommended update for yast2-pkg-bindings
Severity: moderate
References: 1132650,1157202,1158247,1159120
Description:
This update for yast2-pkg-bindings fixes the following issues:

- There was an issue on 1 GB RAM systems, where the installer freezed during system role
  selection (bsc#1132650)
- Fixes an issue with displayed product names (bsc#1157202)


-----------------------------------------
Patch: SUSE-2020-317
Released: Tue Feb  4 15:10:41 2020
Summary: Security update for libqt5-qtbase
Severity: important
References: 1118597,1130246,1161167,CVE-2018-19870,CVE-2018-19872,CVE-2020-0569
Description:
This update for libqt5-qtbase fixes the following issues:

Security issues fixed:	  

- CVE-2020-0569: Fixed a potential local code execution by loading plugins from CWD (bsc#1161167).
- CVE-2018-19870: Fixed an improper check in QImage allocation which could allow Denial of Service
  when opening crafted gif files (bsc#1118597).
- CVE-2018-19872: Fixed an issue which could allow a division by zero leading to crash (bsc#1130246).


-----------------------------------------
Patch: SUSE-2020-332
Released: Thu Feb  6 06:57:48 2020
Summary: Recommended update for rsyslog
Severity: moderate
References: 1156499
Description:
This update for rsyslog fixes the following issues:

- Fix for some QA test segfault occured in libc. (bsc#1156499)


-----------------------------------------
Patch: SUSE-2020-345
Released: Thu Feb  6 13:08:40 2020
Summary: Recommended update for suse-module-tools
Severity: moderate
References: 1132798,1142152
Description:
This update for suse-module-tools fixes the following issues:

Update to version 12.10:
- Fix papr_scm dependency. (bsc#1142152, ltc#176292, FATE#327775)

Update to version 12.9:
- Add modprobe.conf.s390x. (bsc#1132798)

Update to version 12.8:
- Add dependency of 'papr_scm' on 'libnvdimm' in the initrd image. (bsc#1142152, ltc#176292, FATE#327775)
- Load 'fbcon' module together with 'virtio_gpu' on s390. (bsc#1132798)


-----------------------------------------
Patch: SUSE-2020-351
Released: Thu Feb  6 15:25:45 2020
Summary: Security update for wicked
Severity: important
References: 1142214,1160903,1160904,1160905,1160906,CVE-2019-18902,CVE-2019-18903,CVE-2020-7216,CVE-2020-7217
Description:
This update for wicked fixes the following issues:

Security issues fixed:

- CVE-2019-18902: Fixed a use-after-free when receiving invalid DHCP6 client options (bsc#1160903).
- CVE-2019-18903: Fixed a use-after-free when receiving invalid DHCP6 IA_PD option (bsc#1160904).
- CVE-2020-7216: Fixed a potential denial of service via a memory leak when processing packets with missing message type option in DHCP4 (bsc#1160905).
- CVE-2020-7217: Fixed a memory leak in DHCP4 fsm when processing packets for other client ids (bsc#1160906).

Non-security issue fixed:

- dhcp4: Fixed an intermittent hang during network setup by cleaning up the defer timer pointer (bsc#1142214).


-----------------------------------------
Patch: SUSE-2020-353
Released: Thu Feb  6 17:34:41 2020
Summary: Security update for systemd
Severity: important
References: 1106383,1127557,1133495,1139459,1140631,1150595,1151377,1151506,1154043,1154948,1155574,1156482,1159814,1162108,CVE-2020-1712
Description:
This update for systemd provides the following fixes:

- CVE-2020-1712 (bsc#bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Drop the old fds used for logging and reopen them in the sub process before doing any
  new logging. (bsc#1154948)
- Fix warnings thrown during package installation (bsc#1154043)
- Fix for systemctl hanging by restart. (bsc#1139459)
- man: mention that alias names are only effective after 'systemctl enable'. (bsc#1151377)
- ask-password: improve log message when inotify limit is reached. (bsc#1155574)
- udevd: wait for workers to finish when exiting. (bsc#1106383)
- core: fragments of masked units ought not be considered for NeedDaemonReload. (bsc#1156482)
- udev: fix 'NULL' deref when executing rules. (bsc#1151506)
- Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)


-----------------------------------------
Patch: SUSE-2020-354
Released: Thu Feb  6 18:04:00 2020
Summary: Recommended update for samba
Severity: important
References: 1160490,1161389
Description:
This update for samba fixes the following issues:

- Fix for failing set account flags for machine account ADs, prefering principal over domain/username for NTLM. (bsc#1161389, bso#14007);
- Fix 'pam_winbind' with 'krb5_auth' or 'wbinfo -K' for users of trusted domains/forests. (bsc#1160490, bso#14124)


-----------------------------------------
Patch: SUSE-2020-360
Released: Fri Feb  7 10:44:17 2020
Summary: Security update for e2fsprogs
Severity: moderate
References: 1160571,CVE-2019-5188
Description:
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).


-----------------------------------------
Patch: SUSE-2020-374
Released: Fri Feb  7 15:03:58 2020
Summary: Recommended update for python-pyparsing
Severity: moderate
References: 1122668
Description:

This update provides python-pyparsing 2.2.0:

- Bumped minor version number to reflect compatibility issues with
  OneOrMore and ZeroOrMore bugfixes in 2.1.10. (2.1.10 fixed a bug
  that was introduced in 2.1.4, but the fix could break code
  written against 2.1.4 - 2.1.9.)
- Updated setup.py to address recursive import problems now
  that pyparsing is part of 'packaging' (used by setuptools).
  Patch submitted by Joshua Root, much thanks!
- Fixed KeyError issue reported by Yann Bizeul when using packrat
  parsing in the Graphite time series database, thanks Yann!
- Fixed incorrect usages of '\' in literals, as described in
  https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
  Patch submitted by Ville Skyttä - thanks!
- Minor internal change when using '-' operator, to be compatible
  with ParserElement.streamline() method.
- Expanded infixNotation to accept a list or tuple of parse actions
  to attach to an operation.
- New unit test added for dill support for storing pyparsing parsers.
  Ordinary Python pickle can be used to pickle pyparsing parsers as
  long as they do not use any parse actions. The 'dill' module is an
  extension to pickle which *does* support pickling of attached

It also provides python3 builds.

  

-----------------------------------------
Patch: SUSE-2020-377
Released: Fri Feb  7 18:12:00 2020
Summary: Recommended update for release-notes-sles
Severity: moderate
References: 1161101,1161102
Description:
This update for release-notes-sles fixes the following issues:
 
- Fixes the bugreporting link (bsc#1161101)


-----------------------------------------
Patch: SUSE-2020-379
Released: Mon Feb 10 13:20:46 2020
Summary: Recommended update for perl-TimeDate
Severity: moderate
References: 1159990,1162433
Description:
This update for perl-TimeDate fixes the following issues:

- Fix for issues parsing date strings into time values correctly. (bsc#1162433)
- Fix a getdate function returning the current year wrongly. (bsc#1159990)    


-----------------------------------------
Patch: SUSE-2020-382
Released: Fri Feb 14 12:03:57 2020
Summary: Recommended update for lvm2
Severity: important
References: 1163526
Description:
This update for lvm2 fixes the following issues:

- Revert MD devices detection patches which caused a regression,
  where some volume groups couldn't be activated (bsc#1163526)


-----------------------------------------
Patch: SUSE-2020-404
Released: Wed Feb 19 09:05:47 2020
Summary: Recommended update for p11-kit
Severity: moderate
References: 1154871
Description:
This update for p11-kit fixes the following issues:

- Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)


-----------------------------------------
Patch: SUSE-2020-409
Released: Wed Feb 19 09:33:27 2020
Summary: Security update for sudo
Severity: important
References: 1162202,1162675,CVE-2019-18634
Description:
This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).


-----------------------------------------
Patch: SUSE-2020-337
Released: Wed Feb 19 13:25:26 2020
Summary: Recommended update for python-rpm-macros
Severity: moderate
References: 1161770
Description:
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)


-----------------------------------------
Patch: SUSE-2020-448
Released: Tue Feb 25 10:50:05 2020
Summary: Recommended update for yast2-sudo
Severity: moderate
References: 1156929
Description:
This update for yast2-sudo fixes the following issues:

- Prevent truncating the sudoers file after write changes. (bsc#1156929)


-----------------------------------------
Patch: SUSE-2020-459
Released: Tue Feb 25 11:02:12 2020
Summary: Security update for libvpx
Severity: moderate
References: 1160613,1160614,CVE-2019-9232,CVE-2019-9433
Description:
This update for libvpx fixes the following issues:

- CVE-2019-9232: Fixed an out of bound memory access (bsc#1160613).
- CVE-2019-9433: Fixdd a use-after-free in vp8_deblock() (bsc#1160614).


-----------------------------------------
Patch: SUSE-2020-465
Released: Tue Feb 25 11:50:37 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1141976,1158060
Description:
This update for crmsh fixes the following issues:

- Fixes a bug where a space was not allowed in cluster names and therefore produced
  a parser error (bsc#1141976)
- Fixes a bug where running hb_report flushed dmesg and /var/log/messages (bsc#1158060)


-----------------------------------------
Patch: SUSE-2020-506
Released: Thu Feb 27 10:59:47 2020
Summary: Recommended update for autofs
Severity: moderate
References: 1140145
Description:
This update for autofs fixes the following issues:

- Fix issue using nested automount of local filesystems and reventing hanging sessions. (bsc#1140145)


-----------------------------------------
Patch: SUSE-2020-554
Released: Mon Mar  2 12:12:50 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162357
Description:
This update for supportutils fixes the following issues:

- Exclude /proc/pagetypeinfo as it can be an expensive operation on some systems (bsc#1162357).
- Readded LPM/DLPAR data for Power (bsc#1157852).


-----------------------------------------
Patch: SUSE-2020-555
Released: Mon Mar  2 13:27:17 2020
Summary: Security update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer
Severity: moderate
References: 1111622,1122668,CVE-2018-18074
Description:
This update for python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, python-jsonpatch, python-jsonpointer, python-scandir, python-PyYAML fixes the following issues:

python-cfn-lint was included as a new package in 0.21.4.


python-aws-sam-translator was updated to 1.11.0:

  * Add ReservedConcurrentExecutions to globals
  * Fix ElasticsearchHttpPostPolicy resource reference
  * Support using AWS::Region in Ref and Sub
  * Documentation and examples updates
  * Add VersionDescription property to Serverless::Function
  * Update ServerlessRepoReadWriteAccessPolicy
  * Add additional template validation

Upgrade to 1.10.0:

  * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
  * Add DynamoDBReconfigurePolicy
  * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
  * Add EKSDescribePolicy
  * Add SESBulkTemplatedCrudPolicy
  * Add FilterLogEventsPolicy
  * Add SSMParameterReadPolicy
  * Add SESEmailTemplateCrudPolicy
  * Add s3:PutObjectAcl to S3CrudPolicy
  * Add allow_credentials CORS option
  * Add support for AccessLogSetting and CanarySetting Serverless::Api properties
  * Add support for X-Ray in Serverless::Api
  * Add support for MinimumCompressionSize in Serverless::Api
  * Add Auth to Serverless::Api globals
  * Remove trailing slashes from APIGW permissions
  * Add SNS FilterPolicy and an example application
  * Add Enabled property to Serverless::Function event sources
  * Add support for PermissionsBoundary in Serverless::Function
  * Fix boto3 client initialization
  * Add PublicAccessBlockConfiguration property to S3 bucket resource
  * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
  * Add limited support for resolving intrinsics in Serverless::LayerVersion
  * SAM now uses Flake8
  * Add example application for S3 Events written in Go
  * Updated several example applications

- Initial build
  + Version 1.9.0
- Add patch to drop compatible releases operator from setup.py,
  required for SLES12 as the setuptools version is too old
  + ast_drop-compatible-releases-operator.patch


python-jsonschema was updated to 2.6.0:

* Improved performance on CPython by adding caching around ref resolution

Update to version 2.5.0:

* Improved performance on CPython by adding caching around ref
  resolution (#203)

Update to version 2.4.0:

* Added a CLI (#134)
* Added absolute path and absolute schema path to errors (#120)
* Added ``relevance``
* Meta-schemas are now loaded via ``pkgutil``
* Added ``by_relevance`` and ``best_match`` (#91)
* Fixed ``format`` to allow adding formats for non-strings (#125)
* Fixed the ``uri`` format to reject URI references (#131)

- Install /usr/bin/jsonschema with update-alternatives support

python-nose2 was updated to 0.9.1:

* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config
  no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

List of changes is too long to show here, see
https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
changes between 0.6.5 and 0.8.0

Update to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test
  classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh;
  https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn;
  https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc;
  https://github.com/wolever/parameterized/pull/49)

python-scandir was included in version 2.3.2.

python-requests was updated to version 2.20.1 (bsc#1111622)

* Fixed bug with unintended Authorization header stripping for
  redirects using default ports (http/80, https/443).


* remove restriction for urllib3 < 1.24

Update to version 2.20.0:

* Bugfixes
  + Content-Type header parsing is now case-insensitive
    (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise
    uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected
    from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames
    (e.g. files).
* Dependencies
  + Requests now supports urllib3 v1.24.
* Deprecations
  + Requests has officially stopped support for Python 2.6.

Update to version 2.19.1:

* Fixed issue where status_codes.py’s init function failed trying
  to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements
  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.
  + Migrate to using collections.abc for 3.7 compatibility.
* Bugfixes
  + Parsing empty Link headers with parse_header_links() no longer
    return one bogus entry.
  + Fixed issue where loading the default certificate bundle from
    a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system
    which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username
    and password in the request. This also fixes the issue of DNS
    queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer
    raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the
    cookie policy correctly.
* We now support idna v2.7 and urllib3 v1.23.

update to version 2.18.4:

* Improvements
  + Error messages for invalid headers now include the header name
    for easier debugging
* Dependencies
  + We now support idna v2.6.

update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed
    version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead
    of SSLError when encountering SSL problems when using urllib3
    v1.22.


-----------------------------------------
Patch: SUSE-2020-561
Released: Mon Mar  2 17:24:59 2020
Summary: Recommended update for elfutils
Severity: moderate
References: 1110929,1157578
Description:
This update for elfutils fixes the following issues:

- Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
- Fix for '.ko' file corruption in debug info. (bsc#1110929)


-----------------------------------------
Patch: SUSE-2020-569
Released: Tue Mar  3 11:43:43 2020
Summary: Security update for libpng16
Severity: moderate
References: 1124211,1141493,CVE-2017-12652,CVE-2019-7317
Description:
This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when
  png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-571
Released: Tue Mar  3 13:23:35 2020
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1162518
Description:
This update for cyrus-sasl fixes the following issues:

- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)


-----------------------------------------
Patch: SUSE-2020-576
Released: Tue Mar  3 15:22:44 2020
Summary: Security update for compat-openssl098
Severity: moderate
References: 1117951,1160163
Description:
This update for compat-openssl098 fixes the following issues:

- Add missing commits for fixes of the 'The 9 Lives of Bleichenbacher's CAT' attack (bsc#1117951)
- Fixed missing BN_copy() (bsc#1160163)


-----------------------------------------
Patch: SUSE-2020-580
Released: Wed Mar  4 09:46:08 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1046303,1050244,1051510,1051858,1061840,1065600,1065729,1071995,1083647,1085030,1086301,1086313,1086314,1088810,1103989,1103990,1103991,1104353,1104427,1104745,1105392,1109837,1111666,1112178,1112374,1112504,1113956,1114279,1114648,1114685,1118661,1123328,1126206,1127371,1127611,1127682,1129551,1133021,1133147,1134973,1140025,1142685,1143959,1144333,1151910,1151927,1153535,1153917,1154243,1154601,1155331,1155334,1156259,1156286,1156609,1157155,1157157,1157424,1157480,1157692,1157853,1157966,1158013,1158021,1158026,1158071,1158819,1159028,1159096,1159271,1159297,1159377,1159394,1159483,1159484,1159500,1159569,1159588,1159841,1159908,1159909,1159910,1159911,1159955,1160147,1160195,1160210,1160211,1160218,1160433,1160442,1160469,1160470,1160476,1160560,1160618,1160678,1160755,1160756,1160784,1160787,1160802,1160803,1160804,1160917,1160966,1160979,1161087,1161243,1161360,1161472,1161514,1161518,1161522,1161523,1161549,1161552,1161674,1161702,1161875,1161907,1161931,1161933,1161934,1161935,1161936,1161937,1162028,1162067,1162109,1162139,1162171,1162557,1162617,1162618,1162619,1162623,1162928,1162943,1163206,1163383,1163384,1163762,1163774,1163836,1163840,1163841,1163842,1163843,1163844,1163845,1163846,1163849,1163850,1163851,1163852,1163853,1163855,1163856,1163857,1163858,1163859,1163860,1163861,1163862,1163863,1163867,1163869,1163880,1164069,1164098,1164314,1164315,1164471,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-16994,CVE-2019-18808,CVE-2019-19036,CVE-2019-19045,CVE-2019-19054,CVE-2019-19318,CVE-2019-19319,CVE-2019-19447,CVE-2019-19767,CVE-2019-19927,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20095,CVE-2019-20096,CVE-2020-7053,CVE-2020-8428,CVE-2020-8648,CVE-2020-8992
Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2019-14615: An information disclosure vulnerability existed due to insufficient control flow in certain data structures for some Intel(R) Processors (bnc#1160195).
- CVE-2019-14896: A heap-based buffer overflow vulnerability was found in the Marvell WiFi driver. A remote attacker could cause a denial of service (system crash) or, possibly execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP (bnc#1157157).
- CVE-2019-14897: A stack-based buffer overflow was found in the Marvell WiFi driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and connects to another STA (bnc#1157155).
- CVE-2019-16994: A memory leak existed in sit_init_net() in net/ipv6/sit.c which might have caused denial of service, aka CID-07f12b26e21a (bnc#1161523).
- CVE-2019-18808: A memory leak in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption), aka CID-128c66429247 (bnc#1156259).
- CVE-2019-19036: An issue discovered in btrfs_root_node in fs/btrfs/ctree.c allowed a NULL pointer dereference because rcu_dereference(root->node) can be zero (bnc#1157692).
- CVE-2019-19045: A memory leak in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c allowed attackers to cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka CID-c8c2a057fdc7 (bnc#1161522).
- CVE-2019-19054: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allowed attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b (bnc#1161518).
- CVE-2019-19318: Mounting a crafted btrfs image twice could have caused a use-after-free (bnc#1158026).
- CVE-2019-19319: A slab-out-of-bounds write access could have occured when setxattr was called after mounting of a specially crafted ext4 image (bnc#1158021).
- CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting could have led to a use-after-free in fs/ext4/super.c (bnc#1158819).
- CVE-2019-19767: There were multiple use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163 (bnc#1159297).
- CVE-2019-19927: A slab-out-of-bounds read access occured when mounting a crafted f2fs filesystem image and performing some operations on it (bnc#1160147).
- CVE-2019-19965: There was a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5 (bnc#1159911).
- CVE-2019-19966: There was a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that could have caused a denial of service, aka CID-dea37a972655 (bnc#1159841).
- CVE-2019-20054: There was a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e (bnc#1159910).
- CVE-2019-20095: Several memory leaks were found in drivers/net/wireless/marvell/mwifiex/cfg80211.c, aka CID-003b686ace82 (bnc#1159909).
- CVE-2019-20096: There was a memory leak in __feat_register_sp() in net/dccp/feat.c, aka CID-1d3ff0950e2b (bnc#1159908).
- CVE-2020-7053: There was a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c (bnc#1160966).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2020-8428: There was a use-after-free bug in fs/namei.c, which allowed local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9 (bnc#1162109).
- CVE-2020-8648: There was a use-after-free vulnerability in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bnc#1162928).
- CVE-2020-8992: An issue was discovered in ext4_protect_reserved_inode in fs/ext4/block_validity.c that allowed attackers to cause a soft lockup via a crafted journal size (bnc#1164069).


The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).
- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).
- ACPI / video: Add force_none quirk for Dell OptiPlex 9020M (bsc#1051510).
- ACPI / watchdog: Fix init failure with overlapping register regions (bsc#1162557).
- ACPI / watchdog: Set default timeout in probe (bsc#1162557).
- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).
- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).
- ACPI: PM: Avoid attaching ACPI PM domain to certain devices (bsc#1051510).
- ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards (bsc#1051510).
- ACPI: watchdog: Allow disabling WDAT at boot (bsc#1162557).
- af_packet: set defaule value for tmo (bsc#1051510).
- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).
- ALSA: hda - Apply sync-write workaround to old Intel platforms, too (bsc#1111666).
- ALSA: hda - constify and cleanup static NodeID tables (bsc#1111666).
- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).
- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).
- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).
- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).
- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).
- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).
- ALSA: hda/hdmi - Clean up Intel platform-specific fixup checks (bsc#1111666).
- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).
- ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker (bsc#1111666).
- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).
- ALSA: hda/realtek - Add Headset Mic supported for HP cPC (bsc#1111666).
- ALSA: hda/realtek - Add new codec supported for ALCS1200A (bsc#1111666).
- ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen (bsc#1111666).
- ALSA: hda/realtek - Apply mic mute LED quirk for Dell E7xx laptops, too (bsc#1111666).
- ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC (bsc#1111666).
- ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - More constifications (bsc#1111666).
- ALSA: hda/realtek - Set EAPD control to default for ALC222 (bsc#1111666).
- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).
- ALSA: hda: Add JasperLake PCI ID and codec vid (bsc#1111666).
- ALSA: hda: Clear RIRB status before reading WP (bsc#1111666).
- ALSA: hda: constify copied structure (bsc#1111666).
- ALSA: hda: Constify snd_kcontrol_new items (bsc#1111666).
- ALSA: hda: Constify snd_pci_quirk tables (bsc#1111666).
- ALSA: hda: correct kernel-doc parameter descriptions (bsc#1111666).
- ALSA: hda: hdmi - add Tigerlake support (bsc#1111666).
- ALSA: hda: hdmi - fix pin setup on Tigerlake (bsc#1111666).
- ALSA: hda: More constifications (bsc#1111666).
- ALSA: hda: patch_hdmi: remove warnings with empty body (bsc#1111666).
- ALSA: hda: patch_realtek: fix empty macro usage in if block (bsc#1111666).
- ALSA: hda: Reset stream if DMA RUN bit not cleared (bsc#1111666).
- ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs (git-fixes).
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).
- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).
- ALSA: seq: Avoid concurrent access to queue flags (git-fixes).
- ALSA: seq: Fix concurrent access to queue current tick/time (git-fixes).
- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).
- ALSA: sh: Fix compile warning wrt const (git-fixes).
- ALSA: sh: Fix unused variable warnings (bsc#1111666).
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 (bsc#1111666).
- ALSA: usb-audio: Fix endianess in descriptor validation (bsc#1111666).
- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).
- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).
- apparmor: fix unsigned len comparison with less than zero (git-fixes).
- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).
- arm64: Revert support for execute-only user mappings (bsc#1160218).
- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).
- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).
- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).
- ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI (bsc#1111666).
- ASoC: sun8i-codec: Fix setting DAI data format (git-fixes).
- ASoC: wm8962: fix lambda value (git-fixes).
- ath10k: Correct the DMA direction for management tx buffers (bsc#1111666).
- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).
- ath10k: pci: Fix comment on ath10k_pci_dump_memory_sram (bsc#1111666).
- ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe (bsc#1111666).
- ath9k: fix storage endpoint lookup (git-fixes).
- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert 'bcache: shrink btree node cache after bch_btree_check()' (bsc#1163762, bsc#1112504).
- bcache: Revert 'bcache: shrink btree node cache after bch_btree_check()' (bsc#1163762, bsc#1112504).
- bcma: remove set but not used variable 'sizel' (git-fixes).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1159377).
- blk-mq: avoid sysfs buffer overflow with too many CPU cores (bsc#1163840).
- blk-mq: make sure that line break can be printed (bsc#1159377).
- blk-mq: make sure that line break can be printed (bsc#1164098).
- Bluetooth: Fix race condition in hci_release_sock() (bsc#1051510).
- bnxt: apply computed clamp value for coalece parameter (bsc#1104745).
- bnxt_en: Fix MSIX request logic for RDMA driver (bsc#1104745 ).
- bnxt_en: Return error if FW returns more data than dump length (bsc#1104745).
- bonding: fix active-backup transition after link failure (git-fixes).
- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).
- bonding: fix slave stuck in BOND_LINK_FAIL state (networking-stable-19_11_10).
- bonding: fix state transition issue in link monitoring (networking-stable-19_11_10).
- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).
- bpf, offload: Unlock on error in bpf_offload_dev_create() (bsc#1109837).
- bpf/sockmap: Read psock ingress_msg before sk_receive_queue (bsc#1083647).
- bpf: add self-check logic to liveness analysis (bsc#1160618).
- bpf: add verifier stats and log_level bit 2 (bsc#1160618).
- bpf: Fix incorrect verifier simulation of ARSH under ALU32 (bsc#1083647).
- bpf: improve stacksafe state comparison (bco#1160618).
- bpf: improve verification speed by droping states (bsc#1160618).
- bpf: improve verification speed by not remarking live_read (bsc#1160618).
- bpf: improve verifier branch analysis (bsc#1160618).
- bpf: increase complexity limit and maximum program size (bsc#1160618).
- bpf: increase verifier log limit (bsc#1160618).
- bpf: Reject indirect var_off stack access in raw mode (bsc#1160618).
- bpf: Reject indirect var_off stack access in unpriv mode (bco#1160618).
- bpf: Sanity check max value for var_off stack access (bco#1160618).
- bpf: skmsg, fix potential psock NULL pointer dereference (bsc#1109837).
- bpf: speed up stacksafe check (bco#1160618).
- bpf: Support variable offset stack access from helpers (bco#1160618).
- bpf: verifier: teach the verifier to reason about the BPF_JSET instruction (bco#1160618).
- brcmfmac: fix interface sanity check (git-fixes).
- brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() (bsc#1111666).
- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).
- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).
- brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 (bsc#1111666).
- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).
- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).
- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).
- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).
- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).
- btrfs: do not double lock the subvol_sem for rename exchange (bsc#1162943).
- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).
- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).
- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).
- btrfs: fix infinite loop during fsync after rename operations (bsc#1163383).
- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).
- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).
- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).
- btrfs: fix race between adding and putting tree mod seq elements and nodes (bsc#1163384).
- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).
- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).
- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).
- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).
- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).
- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).
- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).
- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).
- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).
- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).
- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).
- btrfs: simplify inode locking for RWF_NOWAIT (git-fixes).
- btrfs: skip log replay on orphaned roots (bsc#1161935).
- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).
- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).
- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).
- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).
- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).
- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).
- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).
- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).
- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).
- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).
- can: slcan: Fix use-after-free Read in slcan_open (bsc#1051510).
- CDC-NCM: handle incomplete transfer of MTU (networking-stable-19_11_10).
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).
- cfg80211: check for set_wiphy_params (bsc#1051510).
- cfg80211: fix deadlocks in autodisconnect work (bsc#1111666).
- cfg80211: fix memory leak in cfg80211_cqm_rssi_update (bsc#1111666).
- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).
- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).
- chardev: Avoid potential use-after-free in 'chrdev_open()' (bsc#1163849).
- cifs: add support for flock (bsc#1144333).
- cifs: Close cached root handle only if it had a lease (bsc#1144333).
- cifs: Close open handle after interrupted close (bsc#1144333).
- cifs: close the shared root handle on tree disconnect (bsc#1144333).
- cifs: Do not miss cancelled OPEN responses (bsc#1144333).
- cifs: Fix lookup of root ses in DFS referral cache (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mount option display for sec=krb5i (bsc#1161907).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: Fix NULL pointer dereference in mid callback (bsc#1144333).
- cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).
- cifs: Fix potential softlockups while refreshing DFS cache (bsc#1144333).
- cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).
- cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).
- cifs: Properly process SMB3 lease breaks (bsc#1144333).
- cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).
- cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).
- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).
- clk: imx: clk-composite-8m: add lock to gate/mux (git-fixes).
- clk: mmp2: Fix the order of timer mux parents (bsc#1051510).
- clk: qcom: rcg2: Do not crash if our parent can't be found; return an error (bsc#1051510).
- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).
- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).
- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).
- clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock (bsc#1051510).
- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).
- clk: tegra: Mark fuse clock as critical (bsc#1051510).
- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).
- clocksource: Prevent double add_timer_on() for watchdog_timer (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- configfs_register_group() shouldn't be (and isn't) called in rmdirable parts (bsc#1051510).
- copy/pasted 'Recommends:' instead of 'Provides:', 'Obsoletes:' and 'Conflicts:
- Cover up kABI breakage due to DH key verification (bsc#1155331).
- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).
- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).
- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).
- crypto: caam/qi2 - fix typo in algorithm's driver name (bsc#1111666).
- crypto: ccp - fix uninitialized list head (bsc#1051510).
- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).
- crypto: dh - add public key verification test (bsc#1155331).
- crypto: dh - fix calculating encoded key size (bsc#1155331).
- crypto: dh - fix memory leak (bsc#1155331).
- crypto: dh - update test for public key verification (bsc#1155331).
- crypto: DRBG - add FIPS 140-2 CTRNG for noise source (bsc#1155334).
- crypto: ecdh - add public key verification test (bsc#1155331).
- crypto: ecdh - fix typo of P-192 b value (bsc#1155331).
- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).
- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).
- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).
- cxgb4: request the TX CIDX updates to status page (bsc#1127371).
- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).
- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).
- dmaengine: coh901318: Remove unused variable (bsc#1051510).
- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).
- Documentation: Document arm64 kpti control (bsc#1162623).
- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).
- drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero (bsc#1111666).
- drm/amd/powerplay: remove set but not used variable 'us_mvdd' (bsc#1111666).
- drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_device_set_cg_state' (bsc#1111666).
- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).
- drm/amdgpu: fix ring test failure issue during s3 in vce 3.0 (V2) (bsc#1111666).
- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).
- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'invalid' (bsc#1111666).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).
- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).
- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).
- drm/i810: Prevent underflow in ioctl (bsc#1114279)
- drm/i915/gvt: Pin vgpu dma address before using (bsc#1112178)
- drm/i915/gvt: set guest display buffer as readonly (bsc#1112178)
- drm/i915/gvt: use vgpu lock for active state setting (bsc#1112178)
- drm/i915/perf: add missing delay for OA muxes configuration (bsc#1111666).
- drm/i915: Add missing include file <linux/math64.h> (bsc#1051510).
- drm/i915: Call dma_set_max_seg_size() in i915_driver_hw_probe() (bsc#1111666).
- drm/i915: Fix pid leak with banned clients (bsc#1114279)
- drm/i915: Handle vm_mmap error during I915_GEM_MMAP ioctl with WC set (bsc#1111666).
- drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV (bsc#1111666).
- drm/i915: Sanity check mmap length against object size (bsc#1111666).
- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).
- drm/nouveau/bar/gf100: ensure BAR is mapped (bsc#1111666).
- drm/nouveau/bar/nv50: check bar1 vmm return value (bsc#1111666).
- drm/nouveau/mmu: qualify vmm during dtor (bsc#1111666).
- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).
- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)
- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)
- drm/rect: Avoid division by zero (bsc#1111666).
- drm/rect: update kerneldoc for drm_rect_clip_scaled() (bsc#1111666).
- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).
- drm/sun4i: hdmi: Remove duplicate cleanup calls (bsc#1113956)
- drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 (bsc#1111666).
- drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model (bsc#1111666).
- drm/ttm: ttm_tt_init_fields() can be static (bsc#1111666).
- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).
- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).
- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).
- drm: meson: venc: cvbs: fix CVBS mode matching (bsc#1051510).
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1111666).
- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).
- enic: prevent waking up stopped tx queues over watchdog reset (bsc#1133147).
- exit: panic before exit_mm() on global init exit (bsc#1161549).
- ext2: check err when partial != NULL (bsc#1163859).
- ext4, jbd2: ensure panic when aborting with zero errno (bsc#1163853).
- ext4: check for directory entries too close to block end (bsc#1163861).
- ext4: fix a bug in ext4_wait_for_tail_page_commit (bsc#1163841).
- ext4: fix checksum errors with indexed dirs (bsc#1160979).
- ext4: fix deadlock allocating crypto bounce page from mempool (bsc#1163842).
- ext4: fix mount failure with quota configured as module (bsc#1164471).
- ext4: improve explanation of a mount failure caused by a misconfigured kernel (bsc#1163843).
- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).
- firestream: fix memory leaks (bsc#1051510).
- fix autofs regression caused by follow_managed() changes (bsc#1159271).
- fix dget_parent() fastpath race (bsc#1159271).
- Fix partial checked out tree build ... so that bisection does not break.
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fjes: fix missed check in fjes_acpi_add (bsc#1051510).
- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).
- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).
- fs/open.c: allow opening only regular files during execve() (bsc#1163845).
- fs: cifs: Fix atime update check vs mtime (bsc#1144333).
- fscrypt: do not set policy for a dead directory (bsc#1163846).
- ftrace: Add comment to why rcu_dereference_sched() is open coded (git-fixes).
- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).
- ftrace: Protect ftrace_graph_hash with ftrace_sync (git-fixes).
- genirq/proc: Return proper error code when irq_set_affinity() fails (bnc#1105392).
- genirq: Prevent NULL pointer dereference in resend_irqs() (bsc#1051510).
- genirq: Properly pair kobject_del() with kobject_add() (bsc#1051510).
- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).
- gtp: avoid zero size hashtable (networking-stable-20_01_01).
- gtp: do not allow adding duplicate tid and ms_addr pdp context (networking-stable-20_01_01).
- gtp: fix an use-after-free in ipv4_pdp_find() (networking-stable-20_01_01).
- gtp: fix wrong condition in gtp_genl_dump_pdp() (networking-stable-20_01_01).
- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).
- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).
- hotplug/drc-info: Add code to search ibm,drc-info property (bsc#1157480 ltc#181028).
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).
- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).
- hwmon: (k10temp) Add support for AMD family 17h, model 70h CPUs (bsc#1163206).
- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).
- hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions (bsc#1051510).
- i2c: imx: do not print error message on probe defer (bsc#1051510).
- IB/hfi1: Do not cancel unused work item (bsc#1114685 ).
- IB/mlx5: Fix steering rule of drop and count (bsc#1103991 ).
- IB/mlx5: Remove dead code (bsc#1103991).
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ice: fix stack leakage (bsc#1118661).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11178).
- init: add arch_call_rest_init to allow stack switching (jsc#SLE-11179).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- iommu/amd: Fix IOMMU perf counter clobbering during init (bsc#1162617).
- iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA (bsc#1164314).
- iommu/iova: Init the struct iova to fix the possible memleak (bsc#1160469).
- iommu/mediatek: Correct the flush_iotlb_all callback (bsc#1160470).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iommu: Remove device link to group on failure (bsc#1160755).
- ipv4: Fix table id reference in fib_sync_down_addr (networking-stable-19_11_10).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: change monitor DMA to be coherent (bsc#1161243).
- iwlwifi: clear persistence bit according to device family (bsc#1111666).
- iwlwifi: do not throw error when trying to remove IGTK (bsc#1051510).
- iwlwifi: mvm: fix NVM check for 3168 devices (bsc#1051510).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- iwlwifi: trans: Clear persistence bit when starting the FW (bsc#1111666).
- jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (bsc#1163862).
- jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer (bsc#1163836).
- jbd2: Fix possible overflow in jbd2_log_space_left() (bsc#1163860).
- jbd2: make sure ESHUTDOWN to be recorded in the journal superblock (bsc#1163863).
- jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() (bsc#1163880).
- jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (bsc#1163852).
- kABI fixup for alloc_dax_region (bsc#1158071,bsc#1160678).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kABI/severities: Whitelist rpaphp_get_drc_props (bsc#1157480 ltc#181028).
- kABI: add _q suffix to exports that take struct dh (bsc#1155331).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: Protest new fields in BPF structs (bsc#1160618).
- kconfig: fix broken dependency in randconfig-generated .config (bsc#1051510).
- kernel-binary.spec.in: do not recommend firmware for kvmsmall and azure flavor (boo#1161360).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- kernfs: Fix range checks in kernfs_get_target_path (bsc#1051510).
- KVM: Clean up __kvm_gfn_to_hva_cache_init() and its callers (bsc#1133021).
- KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails (bsc#1061840).
- KVM: PPC: Book3S PR: Fix -Werror=return-type build failure (bsc#1061840).
- KVM: PPC: Book3S PR: Free shared page if mmu initialization fails (bsc#1061840).
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl (git-fixes).
- KVM: s390: Test for bad access register and size at the start of S390_MEM_OP (git-fixes).
- KVM: SVM: Override default MMIO mask if memory encryption is enabled (bsc#1162618).
- kvm: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- lib: crc64: include <linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libnvdimm/namespace: Differentiate between probe mapping and runtime mapping (bsc#1153535).
- libnvdimm/pfn: Account for PAGE_SIZE > info-block-size in nd_pfn_init() (bsc#1127682 bsc#1153535 ltc#175033 ltc#181834).
- libnvdimm: Fix devm_nsio_enable() kabi (bsc#1153535).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11178).
- livepatch: Simplify stack trace retrieval (jsc#SLE-11179).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- mac80211: fix ieee80211_txq_setup_flows() failure path (bsc#1111666).
- mac80211: Fix TKIP replay protection immediately after key setup (bsc#1051510).
- mac80211: mesh: restrict airtime metric to peered established plinks (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- media/v4l2-core: set pages dirty upon releasing DMA buffers (bsc#1051510).
- media: af9005: uninitialized variable printked (bsc#1051510).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: CEC 2.0-only bcast messages were ignored (git-fixes).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: digitv: do not continue if remote control state can't be read (bsc#1051510).
- media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 (bsc#1051510).
- media: exynos4-is: fix wrong mdev and v4l2 dev order in error path (git-fixes).
- media: gspca: zero usb_buf (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov6650: Fix crop rectangle alignment not passed back (git-fixes).
- media: ov6650: Fix incorrect use of JPEG colorspace (git-fixes).
- media: pulse8-cec: fix lost cec_transmit_attempt_done() call.
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- mfd: da9062: Fix watchdog compatible string (bsc#1051510).
- mfd: dln2: More sanity checking for endpoints (bsc#1051510).
- mfd: rn5t618: Mark ADC control register volatile (bsc#1051510).
- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ('rpm/kernel-subpackage-spec: Unify dependency handling.') Fixes: 3fd22e219f77 ('rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)')
- mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO (bsc#1112374).
- mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel (bsc#1112374).
- mm, debug_pagealloc: do not rely on static keys too early (VM debuging functionality, bsc#1159096).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert 'mmc: sdhci-of-esdhc: add erratum A-009204 support' (bsc#1051510).
- mmc: sdhci: Add a quirk for broken command queuing (git-fixes).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci: Workaround broken command queuing on Intel GLK (git-fixes).
- mmc: spi: Toggle SPI polarity, do not hardcode it (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mod_devicetable: fix PHY module format (networking-stable-19_12_28).
- mqprio: Fix out-of-bounds access in mqprio_dump (bsc#1109837).
- mtd: fix mtd_oobavail() incoherent returned value (bsc#1051510).
- mwifiex: delete unused mwifiex_get_intf_num() (bsc#1111666).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- mwifiex: update set_mac_address logic (bsc#1111666).
- namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1163851).
- net, sysctl: Fix compiler warning when only cBPF is present (bsc#1109837).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx4_en: Fix wrong limitation for number of TX rings (bsc#1103989).
- net/mlx5: Accumulate levels for chains prio namespaces (bsc#1103990).
- net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq (bsc#1046303).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlx5e: Fix SFF 8472 eeprom length (git-fixes).
- net/mlx5e: Query global pause state before setting prio2buffer (bsc#1103990).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() (git-fixes).
- net: dst: Force 4-byte alignment of dst_metrics (networking-stable-19_12_28).
- net: ena: fix napi handler misbehavior when the napi budget is zero (networking-stable-20_01_01).
- net: ethernet: octeon_mgmt: Account for second possible VLAN header (networking-stable-19_11_10).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- net: fix data-race in neigh_event_send() (networking-stable-19_11_10).
- net: hisilicon: Fix a BUG trigered by wrong bytes_compl (networking-stable-19_12_28).
- net: hns3: fix ETS bandwidth validation bug (bsc#1104353 ).
- net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() (networking-stable-19_12_28).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: qlogic: Fix error paths in ql_alloc_large_buffers() (networking-stable-19_12_28).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (bsc#1109837).
- net: sched: fix dump qlen for sch_mq/sch_mqprio with NOLOCK subqueues (bsc#1109837).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: Fix suspend/resume PHY register access error (networking-stable-19_12_28).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for DW5821e with eSIM support (networking-stable-19_11_10).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: fdp: fix incorrect free object (networking-stable-19_11_10).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- NFC: st21nfca: fix double free (networking-stable-19_11_10).
- nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (bsc#1163774).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- PCI: Add DMA alias quirk for Intel VCA NTB (bsc#1051510).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI: rpaphp: Add drc-info support for hotplug slot registration (bsc#1157480 ltc#181028).
- PCI: rpaphp: Annotate and correctly byte swap DRC properties (bsc#1157480 ltc#181028).
- PCI: rpaphp: Avoid a sometimes-uninitialized warning (bsc#1157480 ltc#181028).
- PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info (bsc#1157480 ltc#181028).
- PCI: rpaphp: Do not rely on firmware feature to imply drc-info support (bsc#1157480 ltc#181028).
- PCI: rpaphp: Fix up pointer to first drc-info entry (bsc#1157480 ltc#181028).
- percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1114279).
- perf/x86/intel: Fix inaccurate period in context switch for auto-reload (bsc#1164315).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: cherryview: Fix irq_valid_mask calculation (bsc#1111666).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- power: supply: ltc2941-battery-gauge: fix use-after-free (bsc#1051510).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/livepatch: return -ERRNO values in save_stack_trace_tsk_reliable() (bsc#1071995 bsc#1161875).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/papr_scm: Do not enable direct map for a region by default (bsc#1129551).
- powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths (bsc#1142685 ltc#179509).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/pseries/hotplug-memory: Change rc variable to bool (bsc#1065729).
- powerpc/pseries/lparcfg: Fix display of Maximum Memory (bsc#1162028 ltc#181740).
- powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning (bsc#1065729).
- powerpc/pseries: Add cpu DLPAR support for drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() (bsc#1065729).
- powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW (bsc#1065729).
- powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() (git-fixes).
- powerpc/pseries: Enable support for ibm,drc-info property (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix bad drc_index_start value parsing of drc-info entry (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix drc-info mappings of logical cpus to drc-index (bsc#1157480 ltc#181028).
- powerpc/pseries: Fix vector5 in ibm architecture vector table (bsc#1157480 ltc#181028).
- powerpc/pseries: Revert support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: avoid adjusting memory_limit for capture kernel memory reservation (bsc#1140025 ltc#176086).
- powerpc: Enable support for ibm,drc-info devtree property (bsc#1157480 ltc#181028).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc: reserve memory for capture kernel after hugepages init (bsc#1140025 ltc#176086).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- pseries/drc-info: Search DRC properties for CPU indexes (bsc#1157480 ltc#181028).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional (git-fixes).
- pwm: Remove set but not set variable 'pwm' (git-fixes).
- pxa168fb: Fix the function used to release some memory in an error (bsc#1114279)
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ).
- qede: Fix multicast mac configuration (networking-stable-19_12_28).
- qede: fix NULL pointer deref in __qede_remove() (networking-stable-19_11_10).
- qmi_wwan: Add support for Quectel RM500Q (bsc#1051510).
- quota: Check that quota is not dirty before release (bsc#1163858).
- quota: fix livelock in dquot_writeback_dquots (bsc#1163857).
- r8152: add missing endpoint sanity check (bsc#1051510).
- r8152: get default setting of WOL before initializing (bsc#1051510).
- random: move FIPS continuous test to output functions (bsc#1155334).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- RDMA/hns: Bugfix for qpc/cqc timer configuration (bsc#1104427 bsc#1126206).
- RDMA/hns: Correct the value of srq_desc_size (bsc#1104427 ).
- RDMA/hns: Fix to support 64K page for srq (bsc#1104427 ).
- RDMA/hns: Prevent memory leaks of eq->buf_list (bsc#1104427 ).
- README.BRANCH: Update the branch name to cve/linux-4.12
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- reiserfs: Fix memory leak of journal device string (bsc#1163867).
- reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling (bsc#1163869).
- rpm/kabi.pl: support new (>=5.4) Module.symvers format (new symbol namespace field)
- rpm/kernel-binary.spec.in: Conflict with too old powerpc-utils (jsc#ECO-920, jsc#SLE-11054, jsc#SLE-11322).
- rpm/kernel-binary.spec.in: Replace Novell with SUSE
- rpm/kernel-subpackage-spec: Exclude kernel-firmware recommends (bsc#1143959) For reducing the dependency on kernel-firmware in sub packages
- rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)
- rpm/kernel-subpackage-spec: fix kernel-default-base build There were some issues with recent changes to subpackage dependencies handling:
- rpm/kernel-subpackage-spec: Unify dependency handling.
- rpm/modules.fips: update module list (bsc#1157853)
- rsi_91x_usb: fix interface sanity check (git-fixes).
- rtc: cmos: Stop using shared IRQ (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: hym8563: Return -EINVAL if the time is known to be invalid (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- rtl8xxxu: fix interface sanity check (git-fixes).
- s390/ftrace: generate traced function stack frame (jsc#SLE-11178 jsc#SLE-11179).
- s390/ftrace: save traced function caller (jsc#SLE-11178).
- s390/ftrace: save traced function caller (jsc#SLE-11179).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11178).
- s390/ftrace: use HAVE_FUNCTION_GRAPH_RET_ADDR_PTR (jsc#SLE-11179).
- s390/head64: correct init_task stack setup (jsc#SLE-11178).
- s390/head64: correct init_task stack setup (jsc#SLE-11179).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11178).
- s390/kasan: avoid false positives during stack unwind (jsc#SLE-11179).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11178).
- s390/kasan: avoid report in get_wchan (jsc#SLE-11179).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11178).
- s390/livepatch: Implement reliable stack tracing for the consistency model (jsc#SLE-11179).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11178).
- s390/process: avoid custom stack unwinding in get_wchan (jsc#SLE-11179).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11178).
- s390/stacktrace: use common arch_stack_walk infrastructure (jsc#SLE-11179).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11178).
- s390/suspend: fix stack setup in swsusp_arch_suspend (jsc#SLE-11179).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11178).
- s390/test_unwind: print verbose unwinding results (jsc#SLE-11179).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11178).
- s390/unwind: add stack pointer alignment sanity checks (jsc#SLE-11179).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11178).
- s390/unwind: always inline get_stack_pointer (jsc#SLE-11179).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11178).
- s390/unwind: avoid int overflow in outside_of_stack (jsc#SLE-11179).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11178).
- s390/unwind: cleanup unused READ_ONCE_TASK_STACK (jsc#SLE-11179).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11178).
- s390/unwind: correct stack switching during unwind (jsc#SLE-11179).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11178).
- s390/unwind: drop unnecessary code around calling ftrace_graph_ret_addr() (jsc#SLE-11179).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11178).
- s390/unwind: filter out unreliable bogus %r14 (jsc#SLE-11179).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11178).
- s390/unwind: fix get_stack_pointer(NULL, NULL) (jsc#SLE-11179).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11178).
- s390/unwind: fix mixing regs and sp (jsc#SLE-11179).
- s390/unwind: introduce stack unwind API (jsc#SLE-11178).
- s390/unwind: introduce stack unwind API (jsc#SLE-11179).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11178).
- s390/unwind: make reuse_sp default when unwinding pt_regs (jsc#SLE-11179).
- s390/unwind: remove stack recursion warning (jsc#SLE-11178).
- s390/unwind: remove stack recursion warning (jsc#SLE-11179).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11178).
- s390/unwind: report an error if pt_regs are not on stack (jsc#SLE-11179).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11178).
- s390/unwind: start unwinding from reliable state (jsc#SLE-11179).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11178).
- s390/unwind: stop gracefully at task pt_regs (jsc#SLE-11179).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11178).
- s390/unwind: stop gracefully at user mode pt_regs in irq stack (jsc#SLE-11179).
- s390/unwind: unify task is current checks (jsc#SLE-11178).
- s390/unwind: unify task is current checks (jsc#SLE-11179).
- s390: add stack switch helper (jsc#SLE-11178).
- s390: add stack switch helper (jsc#SLE-11179).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11178).
- s390: add support for virtually mapped kernel stacks (jsc#SLE-11179).
- s390: always inline current_stack_pointer() (jsc#SLE-11178).
- s390: always inline current_stack_pointer() (jsc#SLE-11179).
- s390: always inline disabled_wait (jsc#SLE-11178).
- s390: always inline disabled_wait (jsc#SLE-11179).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11178).
- s390: avoid misusing CALL_ON_STACK for task stack setup (jsc#SLE-11179).
- s390: clean up stacks setup (jsc#SLE-11178).
- s390: clean up stacks setup (jsc#SLE-11179).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11178).
- s390: correct CALL_ON_STACK back_chain saving (jsc#SLE-11179).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11178).
- s390: disable preemption when switching to nodat stack with CALL_ON_STACK (jsc#SLE-11179).
- s390: fine-tune stack switch helper (jsc#SLE-11178).
- s390: fine-tune stack switch helper (jsc#SLE-11179).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11178).
- s390: fix register clobbering in CALL_ON_STACK (jsc#SLE-11179).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11178).
- s390: kabi workaround for ftrace_ret_stack (jsc#SLE-11179).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11178).
- s390: kabi workaround for lowcore changes due to vmap stack (jsc#SLE-11179).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11178).
- s390: kabi workaround for reliable stack tracing (jsc#SLE-11179).
- s390: preserve kabi for stack unwind API (jsc#SLE-11178).
- s390: preserve kabi for stack unwind API (jsc#SLE-11179).
- s390: unify stack size definitions (jsc#SLE-11178).
- s390: unify stack size definitions (jsc#SLE-11179).
- scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1154601).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Fix a NULL pointer dereference in an error path (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix unbound NVME response length (bsc#1157966 bsc#1158013 bsc#1157424).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- sctp: fully initialize v4 addr in some functions (networking-stable-19_12_28).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sfc: Remove 'PCIE error reporting unavailable' (bsc#1161472).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1144333).
- soc/tegra: fuse: Correct straps' address for older Tegra124 device trees (bsc#1051510).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11178).
- stacktrace: Do not skip first entry on noncurrent tasks (jsc#SLE-11179).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11178).
- stacktrace: Force USER_DS for stack_trace_save_user() (jsc#SLE-11179).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11178).
- stacktrace: Get rid of unneeded '!!' pattern (jsc#SLE-11179).
- stacktrace: Provide common infrastructure (jsc#SLE-11178).
- stacktrace: Provide common infrastructure (jsc#SLE-11179).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11178).
- stacktrace: Provide helpers for common stack trace operations (jsc#SLE-11179).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11178).
- stacktrace: Unbreak stack_trace_save_tsk_reliable() (jsc#SLE-11179).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11178).
- stacktrace: Use PF_KTHREAD to check for kernel threads (jsc#SLE-11179).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: vt6656: correct packet types for CTS protect, mode (bsc#1051510).
- staging: vt6656: Fix false Tx excessive retries reporting (bsc#1051510).
- staging: vt6656: use NULLFUCTION stack on mac80211 (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: do not send empty skb from tcp_write_xmit() (networking-stable-20_01_01).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- Temporary workaround for bsc#1159096 should no longer be needed.
- tracing: Annotate ftrace_graph_hash pointer with __rcu (git-fixes).
- tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu (git-fixes).
- tracing: Cleanup stack trace code (jsc#SLE-11178).
- tracing: Cleanup stack trace code (jsc#SLE-11179).
- tracing: Fix tracing_stat return values in error handling paths (git-fixes).
- tracing: Fix very unlikely race of registering two stat tracers (git-fixes).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- ubifs: do not trigger assertion on invalid no-key filename (bsc#1163850).
- ubifs: Fix deadlock in concurrent bulk-read and writepage (bsc#1163856).
- ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag (bsc#1163855).
- ubifs: Reject unsupported ioctl flags explicitly (bsc#1163844).
- udp: fix integer overflow while computing available space in sk_rcvbuf (networking-stable-20_01_01).
- usb-storage: Disable UAS on JMicron SATA enclosure (bsc#1051510).
- usb: adutux: fix interface sanity check (bsc#1051510).
- usb: Allow USB device to be warm reset in suspended state (bsc#1051510).
- usb: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- usb: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- usb: core: fix check for duplicate endpoints (git-fixes).
- usb: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- usb: core: urb: fix URB structure initialization function (bsc#1051510).
- usb: documentation: flags on usb-storage versus UAS (bsc#1051510).
- usb: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- usb: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- usb: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- usb: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- usb: EHCI: Do not return -EPIPE when hub is disconnected (git-fixes).
- usb: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- usb: gadget: legacy: set max_speed to super-speed (bsc#1051510).
- usb: gadget: pch_udc: fix use after free (bsc#1051510).
- usb: gadget: u_serial: add missing port entry locking (bsc#1051510).
- usb: gadget: Zero ffs_io_data (bsc#1051510).
- usb: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usb: idmouse: fix interface sanity checks (bsc#1051510).
- usb: mon: Fix a deadlock in usbmon between mmap and read (bsc#1051510).
- usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- usb: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- usb: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- usb: roles: fix a potential use after free (git-fixes).
- usb: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- usb: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- usb: serial: io_edgeport: fix epic endpoint lookup (bsc#1051510).
- usb: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- usb: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- usb: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- usb: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- usb: serial: ir-usb: fix link-speed handling (bsc#1051510).
- usb: serial: keyspan: handle unbound ports (bsc#1051510).
- usb: serial: opticon: fix control-message timeouts (bsc#1051510).
- usb: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- usb: serial: option: add support for Quectel RM500Q in QDL mode (git-fixes).
- usb: serial: option: add Telit ME910G1 0x110a composition (git-fixes).
- usb: serial: option: add ZLP support for 0x1bc7/0x9010 (git-fixes).
- usb: serial: quatech2: handle unbound ports (bsc#1051510).
- usb: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- usb: serial: suppress driver bind attributes (bsc#1051510).
- usb: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- usb: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- usb: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- usb: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- usb: xhci: only set D3hot for pci device (bsc#1051510).
- usbip: Fix error path of vhci_recv_ret_submit() (git-fixes).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- vhost/vsock: accept only packets with the right dst_cid (networking-stable-20_01_01).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- watchdog: max77620_wdt: fix potential build errors (bsc#1051510).
- watchdog: rn5t618_wdt: fix module aliases (bsc#1051510).
- watchdog: wdat_wdt: fix get_timeleft call for wdat_wdt (bsc#1162557).
- wireless: fix enabling channel 12 for custom regulatory domain (bsc#1051510).
- wireless: wext: avoid gcc -O3 warning (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/amd_nb: Add PCI device IDs for family 17h, model 70h (bsc#1163206).
- x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR (bsc#1162619).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/intel_rdt: Split resource group removal in two (bsc#1112178).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/resctrl: Check monitoring static key in the MBM overflow handler (bsc#1114279).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix a deadlock due to inaccurate reference (bsc#1112178).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup (bsc#1112178).
- x86/resctrl: Fix use-after-free when deleting resource groups (bsc#1114279).
- x86/resctrl: Prevent possible overrun during bitmap operations (bsc#1114648).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xen/balloon: Support xend-based toolstack take two (bsc#1065600).
- xen/blkback: Avoid unmapping unmapped grant pages (bsc#1065600).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfrm: Fix sa selector validation (bsc#1156609).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: Increase STS_HALT timeout in xhci_suspend() (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).


-----------------------------------------
Patch: SUSE-2020-596
Released: Thu Mar  5 15:23:51 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160
Description:
This update for ca-certificates-mozilla fixes the following issues:

The following non-security bugs were fixed:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

- Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
- Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
- Use %license instead of %doc (bsc#1082318).
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).


-----------------------------------------
Patch: SUSE-2020-603
Released: Fri Mar  6 11:00:57 2020
Summary: Recommended update for permissions
Severity: moderate
References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013
Description:
This update for permissions fixes the following issues:

- CVE-2020-8013: Fixed an improper check which could have allowed the 
  setting of unintented setuid bits (bsc#1163922).
- Fixed handling of relative directory symlinks in chkstat.
- Whitelisted postgres sticky directories (bsc#1123886).
- Fixed regression where chkstat broke when /proc was not available
  (bsc#1160764, bsc#1160594)
- Fixed capability handling when doing multiple permission changes
  at once (bsc#1161779)


-----------------------------------------
Patch: SUSE-2020-608
Released: Fri Mar  6 14:59:10 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1165270
Description:
This update for mozilla-nss fixes the following issues:

- Package also the cmac.h needed by blapi.h, needed for building tomcat (bsc#1165270)


-----------------------------------------
Patch: SUSE-2020-614
Released: Mon Mar  9 10:32:42 2020
Summary: Recommended update for llvm7
Severity: moderate
References: 1162317
Description:

This update provides missing llvm7 subpackages.

- libclang7, llvm7-LTO-devel and llvm7-polly-devel are provided to the SDK.


-----------------------------------------
Patch: SUSE-2020-623
Released: Mon Mar  9 16:17:26 2020
Summary: Security update for gd
Severity: moderate
References: 1050241,1140120,1165471,CVE-2017-7890,CVE-2018-14553,CVE-2019-11038
Description:
This update for gd fixes the following issues:

- CVE-2017-7890: Fixed a buffer over-read into uninitialized memory (bsc#1050241).
- CVE-2018-14553: Fixed a null pointer dereference in gdImageClone() (bsc#1165471).
- CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120).


-----------------------------------------
Patch: SUSE-2020-630
Released: Tue Mar 10 13:12:19 2020
Summary: Security update for ipmitool
Severity: important
References: 1085469,1163026,CVE-2020-5208
Description:
This update for ipmitool fixes the following issues:

- CVE-2020-5208: Fixed multiple remote code executtion vulnerabilities (bsc#1163026).	  
- picmg discover messages are now DEBUG and not INFO messages (bsc#1085469).


-----------------------------------------
Patch: SUSE-2020-638
Released: Wed Mar 11 12:20:45 2020
Summary: Recommended update for autoyast2
Severity: moderate
References: 1164105
Description:
This update for autoyast2 fixes the following issue:

- Wait for a working network before starting the AutoYast init scripts. (bsc#1164105)
  This fix will avoid to start the network related AutoYast init script before the availability of a working network


-----------------------------------------
Patch: SUSE-2020-652
Released: Thu Mar 12 09:53:23 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: important
References: 1165915,1165919,1166301
Description:
This update for ca-certificates-mozilla fixes the following issues:

This reverts a previous change to the generated pem structure, as it
require a p11-kit tools update installed first, which can not always
ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)


-----------------------------------------
Patch: SUSE-2020-663
Released: Thu Mar 12 17:31:31 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1166334
Description:
This update for suse-build-key fixes the following issues:

- created a new security_at_suse.de key for email communication (bsc#1166334)


-----------------------------------------
Patch: SUSE-2020-664
Released: Thu Mar 12 22:50:57 2020
Summary: Recommended update for wicked
Severity: important
References: 1165180
Description:
This update for wicked fixes the following issues:

- Fix the package using old/wrong pattern for libzypp in package libwicked. (bsc#1165180)


-----------------------------------------
Patch: SUSE-2020-685
Released: Fri Mar 13 14:13:04 2020
Summary: Recommended update for Salt
Severity: moderate
References: 1135656,1153611,1157465,1158940,1159118,1160931,1162327,1162504,1165425,CVE-2019-17361,CVE-2019-18897
Description:

This update fixes the following issues:

salt:

- RHEL/CentOS 8 uses platform-python instead of python3
- New configuration option for selection of grains in the minion start event.
- Fix 'os_family' grain for Astra Linux Common Edition
- Fix for salt-api NET API where unauthenticated attacker could run
  arbitrary code (CVE-2019-17361) (bsc#1162504)
- Adds disabled parameter to mod_repo in aptpkg module
- Move token with atomic operation
- Bad API token files get deleted (bsc#1160931)
- Support for Btrfs and XFS in parted and mkfs added
- Adds list_downloaded for apt Module to enable pre-downloading support
- Adds virt.(pool|network)_get_xml functions
- Virt: adding kernel boot parameters to libvirt xml
- Fix to scheduler when data['run'] does not exist (bsc#1159118)
- Fix virt states to not fail on VMs already stopped
- Fix applying of attributes for returner rawfile_json (bsc#1158940)
- Xfs: do not fail if type is not present (bsc#1153611)
- Don't use __python indirection macros on spec file
  %__python is no longer defined in RPM 4.15 (python2 is going EOL in Jan 2020);
  additionally, python/python3 are just binaries in the path.
- Fix errors when running virt.get_hypervisor function
- Align virt.full_info fixes with upstream Salt
- Fix for log checking in x509 test
- Prevent test_mod_del_repo_multiline_values to fail
- Read repo info without using interpolation (bsc#1135656)
- Replacing pycrypto with M2Crypto as dependency for >= SLE15 (bsc#1165425)
- Batch Async: Handle exceptions, properly unregister and close instances
  after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)
- Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897)


-----------------------------------------
Patch: SUSE-2020-691
Released: Fri Mar 13 17:09:52 2020
Summary: Recommended update for dracut
Severity: moderate
References: 1160318,1164076
Description:
This update for dracut fixes the following issues:

- 01fips: Handle loading SHA1 kernel modules on machines without AVX (bsc#1160318)
- 01fips: Use correct kernel image name for more platforms (bsc#1164076)


-----------------------------------------
Patch: SUSE-2020-698
Released: Mon Mar 16 15:11:53 2020
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1162705,1162707
Description:
This update for cloud-netconfig contains the following fixes:

- Update to version 1.4:
  + copy routes from default routing table. (bsc#1162705, bsc#1162707)
  + make CLOUD_NETCONFIG_MANAGE default configurable.


-----------------------------------------
Patch: SUSE-2020-708
Released: Wed Mar 18 06:48:30 2020
Summary: Recommended update for growpart
Severity: moderate
References: 1164736
Description:
This update for growpart fixes the following issues:

- Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)


-----------------------------------------
Patch: SUSE-2020-716
Released: Thu Mar 19 09:52:35 2020
Summary: Recommended update for python-jmespath
Severity: moderate
References: 1138748
Description:
This update for python-jmespath fixes the following issues:

Update to version 0.9.3 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

+ Fix issue where long types in py2 and Decimal types were
  not being evaluated as numbers (issue 125)
+ Handle numbers in scientific notation in to_number()
  function (issue 120)
+ Fix issue where custom functions would override the function
  table of the builtin function class (issue 133)


-----------------------------------------
Patch: SUSE-2020-730
Released: Thu Mar 19 16:38:47 2020
Summary: Recommended update for yast2-ca-management
Severity: moderate
References: 1163058
Description:
This update for yast2-ca-management fixes the following issue:

- Export CA to file. (bsc#1163058)
  The update will solve the crash occurred when trying to export a CA
  to a file using the CA management utility in YaST.


-----------------------------------------
Patch: SUSE-2020-497
Released: Fri Mar 20 11:11:25 2020
Summary: Security update for python3
Severity: moderate
References: 1068664,1159208,1159623,CVE-2012-0876,CVE-2016-0718,CVE-2016-4472,CVE-2016-9063,CVE-2017-1000158,CVE-2017-9233
Description:
This update for python3 fixes the following issues:

Update to 3.4.10 (jsc#SLE-9427, bsc#1159208) from 3.4.6:

Security issues fixed:

- Update expat copy from 2.1.1 to 2.2.0 to fix the following issues:
  CVE-2012-0876, CVE-2016-0718, CVE-2016-4472, CVE-2017-9233, CVE-2016-9063
- CVE-2017-1000158: Fix an integer overflow in thePyString_DecodeEscape function in stringobject.c, resulting in heap-based bufferoverflow (bsc#1068664).


-----------------------------------------
Patch: SUSE-2020-739
Released: Mon Mar 23 06:21:10 2020
Summary: Recommended update for resource-agents
Severity: important
References: 1161898
Description:
This update for resource-agents fixes the following issues:

- Fix for journalctl replacing the obsolete function to 'gcp-vpc-move-route'. (bsc#1161898)


-----------------------------------------
Patch: SUSE-2020-757
Released: Tue Mar 24 11:32:10 2020
Summary: Recommended update for yast2-auth-client
Severity: important
References: 1122026,1162025
Description:
This update for yast2-auth-client fixes the following issues:

- Fix for an issue where 'yast2-auth-client' adds wrong 'domain_realm' entry to the kerberos configuration, and causes troubles especially to SAP HANA installations. (bsc#1122026)
- Change default 'bind_policy' to 'soft' if not present in the config. (bsc#1162025)


-----------------------------------------
Patch: SUSE-2020-775
Released: Tue Mar 24 17:41:19 2020
Summary: Recommended update for python-botocore
Severity: important
References: 1069697,1075263,1088310,1095041,1118021,1118024,1118027,1129696,1136184,1146853,1146854,CVE-2019-9947
Description:
This update for python-boto3, python-botocore and python-futures fixes the following issues:


python-botocore was updated to 1.13.33:

- Fix for python3-botocore versioning issues between SLES12 SP3 Teradata and Public Cloud Module. (bsc#1129696)
- Remove the broken attempt to avoid using the bundled requests module provided by the source. (boo#1088310)
- Update to the latest SDK components. (bsc#1146853, bsc#1146854)
- Add support for urllib 1.25 for CVE-2019-9947. (boo#1136184)
- Fix implementing MD5 header injection into new operations if they are necessary and create default session configuration. (bsc#1118021, bsc#1118024, bsc#1118027)
- Add attribute 'ssl_context' to 'AWSHTTPSConnection'. (bsc#1095041)

python-boto3 was updated to 1.10.33.

python-futures also provides python2-futures in the python2 build.


-----------------------------------------
Patch: SUSE-2020-786
Released: Wed Mar 25 06:47:18 2020
Summary: Recommended update for p11-kit
Severity: moderate
References: 1165915,1165919
Description:
This update for p11-kit fixes the following issues:

- tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY'
  provides so we can pull it in. (bsc#1165915 bsc#1165919)


-----------------------------------------
Patch: SUSE-2020-792
Released: Wed Mar 25 15:14:02 2020
Summary: Security update for python-cffi, python-cryptography
Severity: moderate
References: 1055478,1070737,1101820,1111657,1138748,1149792,981848,CVE-2018-10903
Description:
This update for python-cffi, python-cryptography fixes the following issues:

Security issue fixed:

- CVE-2018-10903: Fixed GCM tag forgery via truncated tag in finalize_with_tag API (bsc#1101820).

Non-security issues fixed:

python-cffi was updated to 1.11.2 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598):

- fixed a build failure on i586 (bsc#1111657)
- Salt was unable to highstate in snapshot 20171129 (bsc#1070737)

- Update pytest in spec to add c directory tests in addition to 
  testing directory.

- update to version 1.11.2:
  * Fix Windows issue with managing the thread-state on CPython 3.0 to
    3.5

- Update pytest in spec to add c directory tests in addition to 
  testing directory.
- Omit test_init_once_multithread tests as they rely on multiple
  threads finishing in a given time. Returns sporadic pass/fail
  within build.
- Update to 1.11.1:
  * Fix tests, remove deprecated C API usage
  * Fix (hack) for 3.6.0/3.6.1/3.6.2 giving incompatible binary
    extensions (cpython issue #29943)
  * Fix for 3.7.0a1+

- Update to 1.11.0:
  * Support the modern standard types char16_t and char32_t. These
    work like wchar_t: they represent one unicode character, or when
    used as charN_t * or charN_t[] they represent a unicode string.
    The difference with wchar_t is that they have a known, fixed
    size. They should work at all places that used to work with
    wchar_t (please report an issue if I missed something). Note
    that with set_source(), you need to make sure that these types
    are actually defined by the C source you provide (if used in
    cdef()).
  * Support the C99 types float _Complex and double _Complex. Note
    that libffi doesn't support them, which means that in the ABI
    mode you still cannot call C functions that take complex
    numbers directly as arguments or return type.
  * Fixed a rare race condition when creating multiple FFI instances
    from multiple threads. (Note that you aren't meant to create
    many FFI instances: in inline mode, you should write
    ffi = cffi.FFI() at module level just after import cffi; and in
    out-of-line mode you don't instantiate FFI explicitly at all.)
  * Windows: using callbacks can be messy because the CFFI internal
    error messages show up to stderr-but stderr goes nowhere in many
    applications. This makes it particularly hard to get started
    with the embedding mode. (Once you get started, you can at least
    use @ffi.def_extern(onerror=...) and send the error logs where
    it makes sense for your application, or record them in log
    files, and so on.) So what is new in CFFI is that now, on
    Windows CFFI will try to open a non-modal MessageBox (in addition
    to sending raw messages to stderr). The MessageBox is only
    visible if the process stays alive: typically, console
    applications that crash close immediately, but that is also the
    situation where stderr should be visible anyway.
  * Progress on support for callbacks in NetBSD.
  * Functions returning booleans would in some case still return 0
    or 1 instead of False or True. Fixed.
  * ffi.gc() now takes an optional third parameter, which gives an
    estimate of the size (in bytes) of the object. So far, this is
    only used by PyPy, to make the next GC occur more quickly
    (issue #320). In the future, this might have an effect on
    CPython too (provided the CPython issue 31105 is addressed).
  * Add a note to the documentation: the ABI mode gives function
    objects that are slower to call than the API mode does. For
    some reason it is often thought to be faster. It is not!
- Update to 1.10.1:
  * Fixed the line numbers reported in case of cdef() errors. Also,
    I just noticed, but pycparser always supported the preprocessor
    directive # 42 'foo.h' to mean 'from the next line, we're in
    file foo.h starting from line 42';, which it puts in the error
    messages. 

- update to 1.10.0:
 * Issue #295: use calloc() directly instead of PyObject_Malloc()+memset()
   to handle ffi.new() with a default allocator. Speeds up ffi.new(large-array)
   where most of the time you never touch most of the array.
  * Some OS/X build fixes ('only with Xcode but without CLT';).
  * Improve a couple of error messages: when getting mismatched versions of
    cffi and its backend; and when calling functions which cannot be called with
    libffi because an argument is a struct that is 'too complicated'; (and not
    a struct pointer, which always works).
  * Add support for some unusual compilers (non-msvc, non-gcc, non-icc, non-clang)
  * Implemented the remaining cases for ffi.from_buffer. Now all
    buffer/memoryview objects can be passed. The one remaining check is against
    passing unicode strings in Python 2. (They support the buffer interface, but
    that gives the raw bytes behind the UTF16/UCS4 storage, which is most of the
    times not what you expect. In Python 3 this has been fixed and the unicode
    strings don't support the memoryview interface any more.)
  * The C type _Bool or bool now converts to a Python boolean when reading,
    instead of the content of the byte as an integer. The potential
    incompatibility here is what occurs if the byte contains a value different
    from 0 and 1. Previously, it would just return it; with this change, CFFI
    raises an exception in this case. But this case means 'undefined behavior';
    in C; if you really have to interface with a library relying on this,
    don't use bool in the CFFI side. Also, it is still valid to use a byte
    string as initializer for a bool[], but now it must only contain \x00 or
    \x01. As an aside, ffi.string() no longer works on bool[] (but it never made
    much sense, as this function stops at the first zero).
  * ffi.buffer is now the name of cffi's buffer type, and ffi.buffer() works
    like before but is the constructor of that type.
  * ffi.addressof(lib, 'name') now works also in in-line mode, not only in
    out-of-line mode. This is useful for taking the address of global variables.
  * Issue #255: cdata objects of a primitive type (integers, floats, char) are
    now compared and ordered by value. For example, <cdata 'int' 42> compares
    equal to 42 and <cdata 'char' b'A'> compares equal to b'A'. Unlike C,
    <cdata 'int' -1> does not compare equal to ffi.cast('unsigned int', -1): it
    compares smaller, because -1 < 4294967295.
  * PyPy: ffi.new() and ffi.new_allocator()() did not record 'memory pressure';,
    causing the GC to run too infrequently if you call ffi.new() very often
    and/or with large arrays. Fixed in PyPy 5.7.
  * Support in ffi.cdef() for numeric expressions with + or -. Assumes that
    there is no overflow; it should be fixed first before we add more general
    support for arbitrary arithmetic on constants.

- do not generate HTML documentation for packages that are indirect
  dependencies of Sphinx
  (see docs at https://cffi.readthedocs.org/ )

- update to 1.9.1
  - Structs with variable-sized arrays as their last field: now we track the
    length of the array after ffi.new() is called, just like we always tracked
    the length of ffi.new('int[]', 42). This lets us detect out-of-range
    accesses to array items. This also lets us display a better repr(), and
    have the total size returned by ffi.sizeof() and ffi.buffer(). Previously
    both functions would return a result based on the size of the declared
    structure type, with an assumed empty array. (Thanks andrew for starting
    this refactoring.)
  - Add support in cdef()/set_source() for unspecified-length arrays in
    typedefs: typedef int foo_t[...];. It was already supported for global
    variables or structure fields.
  - I turned in v1.8 a warning from cffi/model.py into an error: 'enum xxx' has
    no values explicitly defined: refusing to guess which integer type it is
    meant to be (unsigned/signed, int/long). Now I'm turning it back to a
    warning again; it seems that guessing that the enum has size int is a
    99%-safe bet. (But not 100%, so it stays as a warning.)
  - Fix leaks in the code handling FILE * arguments. In CPython 3 there is a
    remaining issue that is hard to fix: if you pass a Python file object to a
    FILE * argument, then os.dup() is used and the new file descriptor is only
    closed when the GC reclaims the Python file object-and not at the earlier
    time when you call close(), which only closes the original file descriptor.
    If this is an issue, you should avoid this automatic convertion of Python
    file objects: instead, explicitly manipulate file descriptors and call
    fdopen() from C (...via cffi).
  - When passing a void * argument to a function with a different pointer type,
    or vice-versa, the cast occurs automatically, like in C. The same occurs
    for initialization with ffi.new() and a few other places. However, I
    thought that char * had the same property-but I was mistaken. In C you get
    the usual warning if you try to give a char * to a char ** argument, for
    example. Sorry about the confusion. This has been fixed in CFFI by giving
    for now a warning, too. It will turn into an error in a future version.
  - Issue #283: fixed ffi.new() on structures/unions with nested anonymous
    structures/unions, when there is at least one union in the mix. When
    initialized with a list or a dict, it should now behave more closely like
    the { } syntax does in GCC.
  - CPython 3.x: experimental: the generated C extension modules now use the
    'limited API';, which means that, as a compiled .so/.dll, it should work
    directly on any version of CPython >= 3.2. The name produced by distutils
    is still version-specific. To get the version-independent name, you can
    rename it manually to NAME.abi3.so, or use the very recent setuptools 26.
  - Added ffi.compile(debug=...), similar to python setup.py build --debug but
    defaulting to True if we are running a debugging version of Python itself.
  - Removed the restriction that ffi.from_buffer() cannot be used on byte
    strings. Now you can get a char * out of a byte string, which is valid as
    long as the string object is kept alive. (But don't use it to modify the
    string object! If you need this, use bytearray or other official
    techniques.)
  - PyPy 5.4 can now pass a byte string directly to a char * argument (in older
    versions, a copy would be made). This used to be a CPython-only
    optimization.
  - ffi.gc(p, None) removes the destructor on an object previously created by
    another call to ffi.gc()
  - bool(ffi.cast('primitive type', x)) now returns False if the value is zero
    (including -0.0), and True otherwise. Previously this would only return
    False for cdata objects of a pointer type when the pointer is NULL.
  - bytearrays: ffi.from_buffer(bytearray-object) is now supported. (The reason
    it was not supported was that it was hard to do in PyPy, but it works since
    PyPy 5.3.) To call a C function with a char * argument from a buffer
    object-now including bytearrays-you write lib.foo(ffi.from_buffer(x)).
    Additionally, this is now supported: p[0:length] = bytearray-object. The
    problem with this was that a iterating over bytearrays gives numbers
    instead of characters. (Now it is implemented with just a memcpy, of
    course, not actually iterating over the characters.)
  - C++: compiling the generated C code with C++ was supposed to work, but
    failed if you make use the bool type (because that is rendered as the C
    _Bool type, which doesn't exist in C++).
  - help(lib) and help(lib.myfunc) now give useful information, as well as
    dir(p) where p is a struct or pointer-to-struct.

- update for multipython build

- disable 'negative left shift' warning in test suite to prevent
  failures with gcc6, until upstream fixes the undefined code
  in question (bsc#981848)

- Update to version 1.6.0:
  * ffi.list_types()
  * ffi.unpack()
  * extern 'Python+C';
  * in API mode, lib.foo.__doc__ contains the C signature now.
  * Yet another attempt at robustness of ffi.def_extern() against
    CPython's interpreter shutdown logic.
- Update in SLE-12 (bsc#1138748, jsc#ECO-1256, jsc#PM-1598)

- Make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.

- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in
  finalize_with_tag API

- Add proper conditional for the python2, the ifpython works only
  for the requires/etc

- add missing dependency on python ssl

- update to version 2.1.4:
  * Added X509_up_ref for an upcoming pyOpenSSL release.

- update to version 2.1.3:
  * Updated Windows, macOS, and manylinux1 wheels to be compiled with
    OpenSSL 1.1.0g.

- update to version 2.1.2:
  * Corrected a bug with the manylinux1 wheels where OpenSSL's stack
    was marked executable.

- fix BuildRequires conditions for python3

- update to 2.1.1

- Fix cffi version requirement.

- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478)


- update to 2.0.3

- update to 2.0.2

- update to 2.0

- update to 1.9

- add python-packaging to requirements explicitly instead of relying
  on setuptools to pull it in

- Switch to singlespec approach

- update to 1.8.1
- Adust Requires and BuildRequires

-----------------------------------------
Patch: SUSE-2020-804
Released: Fri Mar 27 09:54:32 2020
Summary: Recommended update for grub2
Severity: moderate
References: 1161641,1162403
Description:
This update for grub2 fixes the following issues:

- Fix for minix file system detection using grub2-install. (bsc#1161641, bsc#1162403)
  

-----------------------------------------
Patch: SUSE-2020-818
Released: Tue Mar 31 09:23:26 2020
Summary: Security update for cloud-init
Severity: moderate
References: 1162936,1162937,1163178,CVE-2020-8631,CVE-2020-8632
Description:
This update for cloud-init fixes the following security issues:

- CVE-2020-8631: Replaced the theoretically predictable deterministic random number generator with the system RNG (bsc#1162937).
- CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).


-----------------------------------------
Patch: SUSE-2020-747
Released: Tue Mar 31 13:26:56 2020
Summary: Recommended update for supportutils
Severity: important
References: 1157852,1162539,1165474,1165475,1166128,1166774,915888
Description:
This update for supportutils fixes the following issues:

- Replaced obsolete Novell with SUSE FTP servers. (bsc#1165475)
- Implement core file validation and fix for hanging if the corefile is a directory. (bsc#1166128)
- Fix by adding default upload targets in 'getappcore'. (bsc#1165474)
- Changed filename prefixes for SUSE Customer Center. (bsc#1166774)
- Fix the issue when supportconfig is not collecting specific log files for power. (bsc#1162539, bsc#1157852)
- Fixed s390x typo. (bsc#915888)


-----------------------------------------
Patch: SUSE-2020-832
Released: Tue Mar 31 16:15:59 2020
Summary: Security update for glibc
Severity: important
References: 1149332,1157893,1158996,1165784,1167631,CVE-2020-10029,CVE-2020-1751,CVE-2020-1752
Description:
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed
  a local attacker to create a specially crafted path that, when processed 
  by the glob function, could potentially have led to arbitrary code execution
  (bsc#1167631).
- CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784).
- Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834)
- Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. (bsc#1157893, BZ #25226)


-----------------------------------------
Patch: SUSE-2020-854
Released: Thu Apr  2 15:13:32 2020
Summary: Security update for python3
Severity: moderate
References: 1155094,1162224,1162367,1162825,1165894,CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Description:
This update for python3 fixes the following issue:

- CVE-2019-18348: Fixed a CRLF injection via the host part 
  of the url passed to urlopen(). Now an InvalidURL exception 
  is raised (bsc#1155094).
- CVE-2019-9674: Improved the documentation to reflect the 
  dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that 
  was prone to denial of service via HTTP (bsc#1162367).
- Fixed an issue with version missmatch (bsc#1162224).
- Rename idle icons to idle3 in order to not conflict with python2
  variant of the package. (bsc#1165894)
  

-----------------------------------------
Patch: SUSE-2020-911
Released: Fri Apr  3 10:47:03 2020
Summary: Security update for libpng12
Severity: moderate
References: 1141493,CVE-2017-12652
Description:
This update for libpng12 fixes the following issues:

Security issue fixed:

- CVE-2017-12652: Fixed an Input Validation Error related to the length of chunks (bsc#1141493).


-----------------------------------------
Patch: SUSE-2020-915
Released: Fri Apr  3 13:15:11 2020
Summary: Recommended update for openldap2
Severity: moderate
References: 1168195
Description:

This update for openldap2 fixes the following issue:

- The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)
  

-----------------------------------------
Patch: SUSE-2020-916
Released: Fri Apr  3 13:29:17 2020
Summary: Recommended update for makedumpfile
Severity: moderate
References: 1142715
Description:
This update for makedumpfile fixes the following issues:

- Fix for kdump to resolve virtual address to physical on arm64 and avoid failing. (bsc#1142715)  
  

-----------------------------------------
Patch: SUSE-2020-920
Released: Fri Apr  3 17:13:04 2020
Summary: Security update for libxslt
Severity: moderate
References: 1154609,CVE-2019-18197
Description:
This update for libxslt fixes the following issue:

- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).


-----------------------------------------
Patch: SUSE-2020-456
Released: Tue Apr  7 09:30:33 2020
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1160968,1162972,CVE-2020-2583,CVE-2020-2593,CVE-2020-2604,CVE-2020-2659
Description:
This update for java-1_7_1-ibm fixes the following issues:

Java was updated to 7.1 Service Refresh 4 Fix Pack 60 [bsc#1162972, bsc#1160968].

Security issues fixed:

- CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport (bsc#1162972).
- CVE-2020-2593: Fixed an incorrect check in isBuiltinStreamHandler, causing URL normalization issues (bsc#1162972).
- CVE-2020-2604: Fixed a serialization issue in jdk.serialFilter (bsc#1162972).
- CVE-2020-2659: Fixed the incomplete enforcement of the maxDatagramSockets limit in DatagramChannelImpl (bsc#1162972).

Non-security issues fixed:

* Class Libraries:
  IJ22333 HANG IN JAVA_JAVA_NET_SOCKETINPUTSTREAM_SOCKETREAD0 EVEN
          WHEN TIMEOUT IS SET
  IJ22350 JAVA 7 AND JAVA 8 NOT WORKING WELL WITH TRADITIONAL/SIMPLIFIED
          CHINESE EDITION OF WINDOWS CLIENT SYSTEM
  IJ22337 THE NAME OF THE REPUBLIC OF BELARUS IN THE RUSSIAN LOCALE
          INCONSISTENT WITH CLDR
  IJ22349 UPDATE TIMEZONE INFORMATION TO TZDATA2019C
* JIT Compiler:
  IJ11368 JAVA JIT PPC: CRASH IN JIT COMPILED CODE ON PPC MACHINES


-----------------------------------------
Patch: SUSE-2020-942
Released: Tue Apr  7 12:55:12 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1166644,1166684,1166967,1167220
Description:
This update for crmsh fixes the following issues:

- Update to version 4.1.0+git.1585823743.3acb5567:
  * corosync: Use with statement to open file
  * ui_resource: refresh <Tab> should complete resource first. (bsc#1167220)
  * doc: Update man page about completion example of crm resource. (bsc#1166644)
  * ui_context: give warning if using alias command
  * bootstrap: Change condition to add stonith-sbd resource. (bsc#1166967)
  * bootstrap: use csync2 '-f' option correctly. (bsc#1166684)


-----------------------------------------
Patch: SUSE-2020-946
Released: Tue Apr  7 16:59:52 2020
Summary: Recommended update for cloud-init
Severity: important
References: 1099358,1144881,1145622,1148645,1163178,1165296
Description:
This update for cloud-init contains the following fixes:


- Update previous patches with the following additions:
  + In cases where the config contains 2 or more default gateway specifications for
    an interface only write the first default route, log warning message about skipped
    routes
  + Avoid writing invalid route specification if neither the network nor destination
    is specified in the route configuration
  + Still need to consider the 'network' configuration option for the v1 config
    implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42.
  + Add the default gateway to the ifroute config file when specified as part of
    the subnet configuration. (bsc#1165296)
  + Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296)
  + Fix for default gateway and IPv6. (bsc#1144881)
  + Routes will be written if there is only a default gateway. (bsc#1148645)

- BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through
  the -mini flavor.

- Update to cloud-init 19.2. (bsc#1099358, bsc#1145622)


-----------------------------------------
Patch: SUSE-2020-950
Released: Wed Apr  8 08:42:27 2020
Summary: Recommended update for python-colorama, python-knack
Severity: moderate
References: 1138748
Description:
This update for python-colorama, python-knack fixes the following issues:

python-colorama was updated to 0.3.9.
python-knack was added in version 0.4.3.

These are dependencies for other python updates.



-----------------------------------------
Patch: SUSE-2020-952
Released: Wed Apr  8 09:39:33 2020
Summary: Recommended update for cryptsetup
Severity: moderate
References: 1165580
Description:
This update for cryptsetup fixes the following issues:

- Update from version 2.0.5 to version 2.0.6 (jsc#SLE-5911, bsc#1165580):
  * Fix support of larger metadata areas in LUKS2 header.
    This release properly supports all specified metadata areas, as documented
    in LUKS2 format description (see docs/on-disk-format-luks2.pdf in archive).
    Currently, only default metadata area size is used (in format or convert).
    Later cryptsetup versions will allow increasing this metadata area size.
  * If AEAD (authenticated encryption) is used, cryptsetup now tries to check
    if the requested AEAD algorithm with specified key size is available
    in kernel crypto API.
    This change avoids formatting a device that cannot be later activated.
    For this function, the kernel must be compiled with the
    CONFIG_CRYPTO_USER_API_AEAD option enabled.
    Note that kernel user crypto API options (CONFIG_CRYPTO_USER_API and
    CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2.
  * Fix setting of integrity no-journal flag.
    Now you can store this flag to metadata using --persistent option.
  * Fix cryptsetup-reencrypt to not keep temporary reencryption headers
    if interrupted during initial password prompt.
  * Adds early check to plain and LUKS2 formats to disallow device format
    if device size is not aligned to requested sector size.
    Previously it was possible, and the device was rejected to activate by
    kernel later.
  * Fix checking of hash algorithms availability for PBKDF early.
    Previously LUKS2 format allowed non-existent hash algorithm with
    invalid keyslot preventing the device from activation.
  * Allow Adiantum cipher construction (a non-authenticated length-preserving
    fast encryption scheme), so it can be used both for data encryption and
    keyslot encryption in LUKS1/2 devices.
    For benchmark, use:
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum
    For LUKS format:
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>
    The support for Adiantum will be merged in Linux kernel 4.21.
    For more info see the paper https://eprint.iacr.org/2018/720.


-----------------------------------------
Patch: SUSE-2020-960
Released: Wed Apr  8 13:30:27 2020
Summary: Recommended update for grub2
Severity: moderate
References: 1166409
Description:
This update for grub2 fixes the following issues:

- Implement support searching for specific config files for netboot. (bsc#1166409)	  
  

-----------------------------------------
Patch: SUSE-2020-964
Released: Wed Apr  8 16:23:38 2020
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1160979
Description:
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)


-----------------------------------------
Patch: SUSE-2020-968
Released: Thu Apr  9 11:42:14 2020
Summary: Security update for libssh
Severity: moderate
References: 1168699,CVE-2020-1730
Description:
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).


-----------------------------------------
Patch: SUSE-2020-394
Released: Tue Apr 14 17:25:16 2020
Summary: Security update for gcc9
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847
Description:
This update for gcc9 fixes the following issues:

The GNU Compiler Collection is shipped in version 9.

A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html

The compilers have been added to the SUSE Linux Enterprise Toolchain Module.

To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9
CXX=g++-9 set.


For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and
other compiler libraries have been switched from their gcc8 variants to
their gcc9 variants.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)


-----------------------------------------
Patch: SUSE-2020-990
Released: Tue Apr 14 18:30:16 2020
Summary: Recommended update for autoyast2
Severity: moderate
References: 1164105,1167596
Description:
This update for autoyast2 fixes the following issues:

- Fix for start network before AutoYaST in order to provide a working network. (bsc#1164105)
- Clone system: add not used devices to the skip list. (bsc#1167596)


-----------------------------------------
Patch: SUSE-2020-1003
Released: Thu Apr 16 06:21:11 2020
Summary: Recommended update for hawk2
Severity: important
References: 1165587
Description:
This update for hawk2 fixes the following issues:

  - Fix for hawk2 setup during fencing device the parameter 'pcm_host_list' is not saved at all. (bsc#1165587)


-----------------------------------------
Patch: SUSE-2020-1015
Released: Thu Apr 16 10:16:58 2020
Summary: Recommended update for mdadm
Severity: moderate
References: 1129900,1162479,1168532
Description:
This update for mdadm fixes the following issues:

- Add support for RAID0 layouts. (bsc#1162479)
- Fix for issue to avoid unexpected switching from raid0 to raid4 by using option '--grow'. (bsc#1129900)
- Fix for the issue that mdadm contains faulty systemd unit files. (bsc#1168532) 


-----------------------------------------
Patch: SUSE-2020-1040
Released: Mon Apr 20 15:22:46 2020
Summary: Recommended update for patterns-sles
Severity: low
References: 1156012
Description:

This update for patterns-sles fixes the following problem:

- The 'hwcrypto' pattern was only installable on s390x, on other architectures openssl-ibmca was not filtered out. (bsc#1156012)
  

-----------------------------------------
Patch: SUSE-2020-1043
Released: Tue Apr 21 09:33:47 2020
Summary: Recommended update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1
Severity: moderate
References: 1161816,1162152,1167223
Description:
This update for libreoffice, QR-Code-generator, boost, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223)

Full Release Notes can be found on:

        https://wiki.documentfoundation.org/ReleaseNotes/6.4


xmlsec1 was update to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

QR-Code-generator was shipped new in support of LibreOffice.

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice



-----------------------------------------
Patch: SUSE-2020-1052
Released: Tue Apr 21 14:18:41 2020
Summary: Recommended update for open-iscsi
Severity: moderate
References: 1164607
Description:
This update for open-iscsi fixes the following issue:

- Fix iscsi.service so it handles restarts better. (bsc#1164607)


-----------------------------------------
Patch: SUSE-2020-1045
Released: Thu Apr 23 11:32:45 2020
Summary: Security update for cups
Severity: important
References: 1168422,CVE-2020-3898
Description:
This update for cups fixes the following issues:

- CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422).


-----------------------------------------
Patch: SUSE-2020-1091
Released: Thu Apr 23 15:33:10 2020
Summary: Security update for resource-agents
Severity: important
References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1146789
Description:
This update for resource-agents fixes the following issues:

- Fixed multiple vulnerabilities related to unsafe tempfile usage.
  (bsc#1146690, bsc#1146691, bsc#1146692, bsc#1146766, bsc#1146776, bsc#1146784,
  bsc#1146785, bsc#1146787, bsc#1146789)
- Fixed issues where the ocfmon user was created with a default password (bsc#1021689, bsc#1146687).


-----------------------------------------
Patch: SUSE-2020-1128
Released: Tue Apr 28 08:51:10 2020
Summary: Recommended update for yast2-installation
Severity: important
References: 1169017
Description:
This update for yast2-installation fixes the following issues:

- Fix for detecting and configuring network with firstboot. (bsc#1169017)
  

-----------------------------------------
Patch: SUSE-2020-1001
Released: Wed Apr 29 10:13:47 2020
Summary: Recommended update for cifs-utils
Severity: moderate
References: 1149164,1152930,1164093
Description:
This update for cifs-utils fixes the following issues:

- Solve invalid directory mounting. (bsc#1152930)
  When attempting to change the current working directory into non-existing directories, mount.cifs crashes.

- Solve a double-free in mounting. (bsc#1149164 bsc#1164093).
  A crash occurred when mounting with setuid root.


-----------------------------------------
Patch: SUSE-2020-1139
Released: Wed Apr 29 12:53:24 2020
Summary: Security update for xen
Severity: important
References: 1027519,1134506,1155200,1157490,1160932,1161181,1162040,1165206,1167007,1167152,1168140,1168142,1168143,1169392,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743,CVE-2020-7211
Description:
This update for xen to version 4.12.2 fixes the following issues:

Security issues fixed:

- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).
- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).
- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).
- CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).
- CVE-2020-7211: Fixed potential directory traversal using relative paths via 
  tftp server on Windows host (bsc#1161181).
- arm: a CPU may speculate past the ERET instruction (bsc#1160932).

Non-security issues fixed:

- Xenstored Crashed during VM install (bsc#1167152)
- DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506)
- Update API compatibility versions, fixes issues for libvirt. (bsc#1167007, bsc#1157490)
- aacraid blocks xen commands (bsc#1155200)
- Problems Booting Fedora31 VM on sles15 sp1 Xen Dom0 (bsc#1162040).


-----------------------------------------
Patch: SUSE-2020-1142
Released: Wed Apr 29 14:26:51 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1044231,1050549,1051510,1051858,1056686,1060463,1065600,1065729,1083647,1085030,1088810,1103990,1103992,1104353,1104745,1104967,1109837,1109911,1111666,1111974,1112178,1112374,1112504,1113956,1114279,1114685,1118338,1119680,1120386,1123328,1127611,1133021,1134090,1134395,1136157,1136333,1137325,1141895,1142685,1144162,1144333,1145051,1145929,1146539,1148868,1154385,1156510,1157424,1158187,1158552,1158983,1159037,1159142,1159198,1159199,1159285,1160659,1161561,1161702,1161951,1162171,1162929,1162931,1163403,1163508,1163762,1163897,1163971,1164051,1164078,1164115,1164284,1164388,1164471,1164507,1164598,1164632,1164705,1164712,1164727,1164728,1164729,1164730,1164731,1164732,1164733,1164734,1164735,1164777,1164780,1164893,1165019,1165111,1165182,1165185,1165211,1165404,1165488,1165527,1165581,1165741,1165813,1165823,1165873,1165929,1165949,1165950,1165980,1165984,1165985,1166003,1166101,1166102,1166103,1166104,1166632,1166658,1166730,1166731,1166732,1166733,1166734,1166735,1166780,1166860,1166861,1166862,1166864,1166866,1166867,1166868,1166870,1166940,1166982,1167005,1167216,1167288,1167290,1167316,1167421,1167423,1167627,1167629,1168075,1168202,1168273,1168276,1168295,1168367,1168424,1168443,1168486,1168552,1168760,1168762,1168763,1168764,1168765,1168829,1168854,1168881,1168884,1168952,1169013,1169057,1169307,1169308,1169390,1169514,1169625,CVE-2018-20836,CVE-2019-19768,CVE-2019-19770,CVE-2019-3701,CVE-2019-9458,CVE-2020-10942,CVE-2020-11494,CVE-2020-11669,CVE-2020-2732,CVE-2020-8647,CVE-2020-8649,CVE-2020-8834,CVE-2020-9383
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-8834: KVM on Power8 processors had a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability to run code in kernel space of a guest VM can cause the host kernel to panic (bnc#1168276).
- CVE-2020-11494: An issue was discovered in slc_bump in drivers/net/can/slcan.c, which allowed attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL (bnc#1168424).
- CVE-2020-10942: In get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls (bnc#1167629).
- CVE-2019-9458: In the video driver there was a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed (bnc#1168295).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bnc#1120386).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-2732: Fixed an issue where under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest (bnc#1163971).
- CVE-2020-8647: There was a use-after-free vulnerability in the vc_do_resize function in drivers/tty/vt/vt.c (bnc#1162929 1164078).
- CVE-2020-8649: There was a use-after-free vulnerability in the vgacon_invert_region function in drivers/video/console/vgacon.c (bnc#1162929 1162931).
- CVE-2020-9383: An issue was discovered set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it (bnc#1165111).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bnc#1159285).
- CVE-2018-20836: Fixed an issue where a race condition in smp_task_timedout() and smp_task_done() cloud lead to a use-after-free (bnc#1134395).

The following non-security bugs were fixed:

- ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro (bsc#1051510).
- ACPI: watchdog: Fix gas->access_width usage (bsc#1051510).
- ahci: Add support for Amazon's Annapurna Labs SATA controller (bsc#1169013).
- ALSA: ali5451: remove redundant variable capture_flag (bsc#1051510).
- ALSA: core: Add snd_device_get_state() helper (bsc#1051510).
- ALSA: core: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: emu10k1: Fix endianness annotations (bsc#1051510).
- ALSA: hda/ca0132 - Add Recon3Di quirk to handle integrated sound on EVGA X99 Classified motherboard (bsc#1051510).
- ALSA: hda/ca0132 - Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda_codec: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: hda: default enable CA0132 DSP support (bsc#1051510).
- ALSA: hda: Fix potential access overflow in beep helper (bsc#1051510).
- ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 (bsc#1111666).
- ALSA: hda/realtek - Add Headset Mic supported (bsc#1111666).
- ALSA: hda/realtek - Add more codec supported Headset Button (bsc#1111666).
- ALSA: hda/realtek - a fake key event is triggered by running shutup (bsc#1051510).
- ALSA: hda/realtek - Apply quirk for MSI GP63, too (bsc#1111666).
- ALSA: hda/realtek - Apply quirk for yet another MSI laptop (bsc#1111666).
- ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 (git-fixes).
- ALSA: hda/realtek: Enable mute LED on an HP system (bsc#1051510).
- ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 (git-fixes).
- ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 (bsc#1111666).
- ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1 (bsc#1111666).
- ALSA: hda/realtek: Fix pop noise on ALC225 (git-fixes).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master (bsc#1111666).
- ALSA: hda/realtek - Fix silent output on MSI-GL73 (git-fixes).
- ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups (bsc#1051510).
- ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 (bsc#1051510).
- ALSA: hda: remove redundant assignment to variable timeout (bsc#1051510).
- ALSA: hda: Use scnprintf() for string truncation (bsc#1051510).
- ALSA: hdsp: remove redundant assignment to variable err (bsc#1051510).
- ALSA: ice1724: Fix invalid access for enumerated ctl items (bsc#1051510).
- ALSA: info: remove redundant assignment to variable c (bsc#1051510).
- ALSA: korg1212: fix if-statement empty body warnings (bsc#1051510).
- ALSA: line6: Fix endless MIDI read loop (git-fixes).
- ALSA: pcm: Fix superfluous snprintf() usage (bsc#1051510).
- ALSA: pcm.h: add for_each_pcm_streams() (bsc#1051510).
- ALSA: pcm: oss: Avoid plugin buffer overflow (git-fixes).
- ALSA: pcm: oss: Fix regression by buffer overflow fix (bsc#1051510).
- ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks (git-fixes).
- ALSA: pcm: oss: Unlock mutex temporarily for sleeping at read/write (bsc#1051510).
- ALSA: pcm: Use a macro for parameter masks to reduce the needed cast (bsc#1051510).
- ALSA: seq: oss: Fix running status after receiving sysex (git-fixes).
- ALSA: seq: virmidi: Fix running status after receiving sysex (git-fixes).
- ALSA: usb-audio: Add boot quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000 (bsc#1111666).
- ALSA: usb-audio: Add delayed_register option (bsc#1051510).
- ALSA: usb-audio: add implicit fb quirk for MOTU M Series (bsc#1111666).
- ALSA: usb-audio: add quirks for Line6 Helix devices fw>=2.82 (bsc#1111666).
- ALSA: usb-audio: Add support for MOTU MicroBook IIc (bsc#1051510).
- ALSA: usb-audio: Apply 48kHz fixed rate playback for Jabra Evolve 65 headset (bsc#1111666).
- ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 (git-fixes).
- ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Do not create a mixer element with bogus volume range (bsc#1051510).
- ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor (bsc#1051510).
- ALSA: usb-audio: fix Corsair Virtuoso mixer label collision (bsc#1111666).
- ALSA: usb-audio: Fix mixer controls' USB interface for Kingston HyperX Amp (0951:16d8) (bsc#1051510).
- ALSA: usb-audio: Fix UAC2/3 effect unit parsing (bsc#1111666).
- ALSA: usb-audio: Inform devices that need delayed registration (bsc#1051510).
- ALSA: usb-audio: Parse source ID of UAC2 effect unit (bsc#1051510).
- ALSA: usb-audio: Rewrite registration quirk handling (bsc#1051510).
- ALSA: usb-audio: unlock on error in probe (bsc#1111666).
- ALSA: usb-audio: Use lower hex numbers for IDs (bsc#1111666).
- ALSA: usb-midi: Replace zero-length array with flexible-array member (bsc#1051510).
- ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status (bsc#1051510).
- ALSA: usx2y: use for_each_pcm_streams() macro (bsc#1051510).
- ALSA: via82xx: Fix endianness annotations (bsc#1051510).
- amdgpu/gmc_v9: save/restore sdpif regs during S3 (bsc#1113956)
- apei/ghes: Do not delay GHES polling (bsc#1166982).
- ASoC: dapm: Correct DAPM handling of active widgets during shutdown (bsc#1051510).
- ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() (bsc#1051510).
- ASoC: Intel: mrfld: fix incorrect check on p->sink (bsc#1051510).
- ASoC: Intel: mrfld: return error codes when an error occurs (bsc#1051510).
- ASoC: jz4740-i2s: Fix divider written at incorrect offset in register (bsc#1051510).
- ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path (bsc#1051510).
- ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output (bsc#1051510).
- ASoC: pcm: update FE/BE trigger order based on the command (bsc#1051510).
- ASoC: sun8i-codec: Remove unused dev from codec struct (bsc#1051510).
- ASoC: topology: Fix memleak in soc_tplg_link_elems_load() (bsc#1051510).
- ata: ahci: Add shutdown to freeze hardware resources of ahci (bsc#1164388).
- ath9k: Handle txpower changes even when TPC is disabled (bsc#1051510).
- atm: zatm: Fix empty body Clang warnings (bsc#1051510).
- atomic: Add irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- b43legacy: Fix -Wcast-function-type (bsc#1051510).
- batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation (bsc#1051510).
- batman-adv: Do not schedule OGM for disabled interface (bsc#1051510).
- batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs (bsc#1051510).
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (bsc#1163762).
- bcache: add code comments for state->pool in __btree_sort() (bsc#1163762).
- bcache: add code comments in bch_btree_leaf_dirty() (bsc#1163762).
- bcache: add cond_resched() in __bch_cache_cmp() (bsc#1163762).
- bcache: add idle_max_writeback_rate sysfs interface (bsc#1163762).
- bcache: add more accurate error messages in read_super() (bsc#1163762).
- bcache: add readahead cache policy options via sysfs interface (bsc#1163762).
- bcache: at least try to shrink 1 node in bch_mca_scan() (bsc#1163762).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (bsc#1163762).
- bcache: check return value of prio_read() (bsc#1163762).
- bcache: deleted code comments for dead code in bch_data_insert_keys() (bsc#1163762).
- bcache: do not export symbols (bsc#1163762).
- bcache: explicity type cast in bset_bkey_last() (bsc#1163762).
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (bsc#1163762).
- bcache: Fix an error code in bch_dump_read() (bsc#1163762).
- bcache: fix deadlock in bcache_allocator (bsc#1163762).
- bcache: fix incorrect data type usage in btree_flush_write() (bsc#1163762).
- bcache: fix memory corruption in bch_cache_accounting_clear() (bsc#1163762).
- bcache: fix static checker warning in bcache_device_free() (bsc#1163762).
- bcache: ignore pending signals when creating gc and allocator thread (bsc#1163762, bsc#1112504).
- bcache: print written and keys in trace_bcache_btree_write (bsc#1163762).
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (bsc#1163762).
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (bsc#1163762).
- bcache: remove macro nr_to_fifo_front() (bsc#1163762).
- bcache: remove member accessed from struct btree (bsc#1163762).
- bcache: remove the extra cflags for request.o (bsc#1163762).
- bcache: Revert 'bcache: shrink btree node cache after bch_btree_check()' (bsc#1163762, bsc#1112504).
- binfmt_elf: Do not move brk for INTERP-less ET_EXEC (bsc#1169013).
- binfmt_elf: move brk out of mmap when doing direct loader exec (bsc#1169013).
- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).
- blk-mq: Allow blocking queue tag iter callbacks (bsc#1167316).
- blktrace: fix dereference after null check (bsc#1159285).
- blktrace: fix trace mutex deadlock (bsc#1159285).
- block: allow gendisk's request_queue registration to be (bsc#1104967,bsc#1159142).
- block, bfq: fix use-after-free in bfq_idle_slice_timer_body (bsc#1168760).
- block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices (bsc#1168762).
- Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl (bsc#1051510).
- bnxt_en: Fix NTUPLE firmware command failures (bsc#1104745 ).
- bnxt_en: Fix TC queue mapping (networking-stable-20_02_05).
- bnxt_en: Improve device shutdown method (bsc#1104745 ).
- bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs (bsc#1134090 jsc#SLE-5954).
- bnxt_en: Support all variants of the 5750X chip family (bsc#1167216).
- bonding/alb: properly access headers in bond_alb_xmit() (networking-stable-20_02_09).
- bpf: Explicitly memset some bpf info structures declared on the stack (bsc#1083647).
- bpf: Explicitly memset the bpf_attr structure (bsc#1083647).
- bpf: fix ldx in ld_abs rewrite for large offsets (bsc#1154385).
- bpf: implement ld_abs/ld_ind in native bpf (bsc#1154385).
- bpf: make unknown opcode handling more robust (bsc#1154385).
- bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill (bsc#1109837).
- bpf: prefix cbpf internal helpers with bpf_ (bsc#1154385).
- bpf, x64: remove ld_abs/ld_ind (bsc#1154385).
- bpf, x64: save several bytes by using mov over movabsq when possible (bsc#1154385).
- brcmfmac: abort and release host after error (bsc#1111666).
- btrfs: Account for trans_block_rsv in may_commit_transaction (bsc#1165949).
- btrfs: add a flush step for delayed iputs (bsc#1165949).
- btrfs: add assertions for releasing trans handle reservations (bsc#1165949).
- btrfs: add btrfs_delete_ref_head helper (bsc#1165949).
- btrfs: add enospc debug messages for ticket failure (bsc#1165949).
- btrfs: Add enospc_debug printing in metadata_reserve_bytes (bsc#1165949).
- btrfs: add new flushing states for the delayed refs rsv (bsc#1165949).
- btrfs: add space reservation tracepoint for reserved bytes (bsc#1165949).
- btrfs: adjust dirty_metadata_bytes after writeback failure of extent buffer (bsc#1168273).
- btrfs: allow us to use up to 90% of the global rsv for unlink (bsc#1165949).
- btrfs: always reserve our entire size for the global reserve (bsc#1165949).
- btrfs: assert on non-empty delayed iputs (bsc##1165949).
- btrfs: be more explicit about allowed flush states (bsc#1165949).
- btrfs: call btrfs_create_pending_block_groups unconditionally (bsc#1165949).
- btrfs: catch cow on deleting snapshots (bsc#1165949).
- btrfs: change the minimum global reserve size (bsc#1165949).
- btrfs: check if there are free block groups for commit (bsc#1165949).
- btrfs: clean up error handling in btrfs_truncate() (bsc#1165949).
- btrfs: cleanup extent_op handling (bsc#1165949).
- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1165949).
- btrfs: cleanup the target logic in __btrfs_block_rsv_release (bsc#1165949).
- btrfs: clear space cache inode generation always (bsc#1165949).
- btrfs: delayed-ref: pass delayed_refs directly to btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: Do mandatory tree block check before submitting bio (bsc#1168273).
- btrfs: do not account global reserve in can_overcommit (bsc#1165949).
- btrfs: do not allow reservations if we have pending tickets (bsc#1165949).
- btrfs: do not call btrfs_start_delalloc_roots in flushoncommit (bsc#1165949).
- btrfs: do not end the transaction for delayed refs in throttle (bsc#1165949).
- btrfs: do not enospc all tickets on flush failure (bsc#1165949).
- btrfs: do not reset bio->bi_ops while writing bio (bsc#1168273).
- btrfs: do not run delayed_iputs in commit (bsc##1165949).
- btrfs: do not run delayed refs in the end transaction logic (bsc#1165949).
- btrfs: do not use ctl->free_space for max_extent_size (bsc##1165949).
- btrfs: do not use global reserve for chunk allocation (bsc#1165949).
- btrfs: drop get_extent from extent_page_data (bsc#1168273).
- btrfs: drop min_size from evict_refill_and_join (bsc##1165949).
- btrfs: drop unused space_info parameter from create_space_info (bsc#1165949).
- btrfs: dump block_rsv details when dumping space info  (bsc#1165949).
- btrfs: export block group accounting helpers (bsc#1165949).
- btrfs: export block_rsv_use_bytes (bsc#1165949).
- btrfs: export btrfs_block_rsv_add_bytes (bsc#1165949).
- btrfs: export __btrfs_block_rsv_release (bsc#1165949).
- btrfs: export space_info_add_*_bytes (bsc#1165949).
- btrfs: export the block group caching helpers (bsc#1165949).
- btrfs: export the caching control helpers (bsc#1165949).
- btrfs: export the excluded extents helpers (bsc#1165949).
- btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io() (bsc#1168273).
- btrfs: extent_io: Handle errors better in btree_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_full_page() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_write_locked_range() (bsc#1168273).
- btrfs: extent_io: Handle errors better in extent_writepages() (bsc#1168273).
- btrfs: extent_io: Kill dead condition in extent_write_cache_pages() (bsc#1168273).
- btrfs: extent_io: Kill the forward declaration of flush_write_bio (bsc#1168273).
- btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up (bsc#1168273).
- btrfs: extent-tree: Add lockdep assert when updating space info (bsc#1165949).
- btrfs: extent-tree: Add trace events for space info numbers update (bsc#1165949).
- btrfs: extent-tree: Detect bytes_may_use underflow earlier (bsc#1165949).
- btrfs: extent-tree: Detect bytes_pinned underflow earlier (bsc#1165949).
- btrfs: factor our read/write stage off csum_tree_block into its callers (bsc#1168273).
- btrfs: factor out the ticket flush handling (bsc#1165949).
- btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents (bsc#1163508).
- btrfs: fix crash due to 'kernel BUG at ../fs/btrfs/relocation.c:4827!'
- btrfs: fix insert_reserved error handling (bsc##1165949).
- btrfs: fix may_commit_transaction to deal with no partial filling (bsc#1165949).
- btrfs: fix missing delayed iputs on unmount (bsc#1165949).
- btrfs: fix panic during relocation after ENOSPC before writeback happens (bsc#1163508).
- btrfs: fix qgroup double free after failure to reserve metadata for delalloc (bsc#1165949).
- btrfs: fix race leading to metadata space leak after task received signal (bsc#1165949).
- btrfs: fix truncate throttling (bsc#1165949).
- btrfs: fix unwritten extent buffers and hangs on future writeback attempts (bsc#1168273).
- btrfs: force chunk allocation if our global rsv is larger than metadata (bsc#1165949).
- btrfs: Improve global reserve stealing logic (bsc#1165949).
- btrfs: introduce an evict flushing state (bsc#1165949).
- btrfs: introduce delayed_refs_rsv (bsc#1165949).
- btrfs: loop in inode_rsv_refill (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delayed_ref_lock (bsc#1165949).
- btrfs: make btrfs_destroy_delayed_refs use btrfs_delete_ref_head (bsc#1165949).
- btrfs: make caching_thread use btrfs_find_next_key (bsc#1165949).
- btrfs: make plug in writing meta blocks really work (bsc#1168273).
- btrfs: merge two flush_write_bio helpers (bsc#1168273).
- btrfs: migrate btrfs_trans_release_chunk_metadata (bsc#1165949).
- btrfs: migrate inc/dec_block_group_ro code (bsc#1165949).
- btrfs: migrate nocow and reservation helpers (bsc#1165949).
- btrfs: migrate the alloc_profile helpers (bsc#1165949).
- btrfs: migrate the block group caching code (bsc#1165949).
- btrfs: migrate the block group cleanup code (bsc#1165949).
- btrfs: migrate the block group lookup code (bsc#1165949).
- btrfs: migrate the block group read/creation code (bsc#1165949).
- btrfs: migrate the block group ref counting stuff (bsc#1165949).
- btrfs: migrate the block group removal code (bsc#1165949).
- btrfs: migrate the block group space accounting helpers (bsc#1165949).
- btrfs: migrate the block-rsv code to block-rsv.c (bsc#1165949).
- btrfs: migrate the chunk allocation code (bsc#1165949).
- btrfs: migrate the delalloc space stuff to it's own home (bsc#1165949).
- btrfs: migrate the delayed refs rsv code (bsc#1165949).
- btrfs: migrate the dirty bg writeout code (bsc#1165949).
- btrfs: migrate the global_block_rsv helpers to block-rsv.c (bsc#1165949).
- btrfs: move and export can_overcommit (bsc#1165949).
- btrfs: move basic block_group definitions to their own header (bsc#1165949).
- btrfs: move btrfs_add_free_space out of a header file (bsc#1165949).
- btrfs: move btrfs_block_rsv definitions into it's own header (bsc#1165949).
- btrfs: move btrfs_raid_group values to btrfs_raid_attr table (bsc#1165949).
- btrfs: move btrfs_space_info_add_*_bytes to space-info.c (bsc#1165949).
- btrfs: move dump_space_info to space-info.c (bsc#1165949).
- btrfs: move reserve_metadata_bytes and supporting code to space-info.c (bsc#1165949).
- btrfs: move space_info to space-info.h (bsc#1165949).
- btrfs: move the space_info handling code to space-info.c (bsc#1165949).
- btrfs: move the space info update macro to space-info.h (bsc#1165949).
- btrfs: move the subvolume reservation stuff out of extent-tree.c (bsc#1165949).
- btrfs: only check delayed ref usage in should_end_transaction (bsc#1165949).
- btrfs: only check priority tickets for priority flushing (bsc#1165949).
- btrfs: only free reserved extent if we didn't insert it (bsc##1165949).
- btrfs: only reserve metadata_size for inodes (bsc#1165949).
- btrfs: only track ref_heads in delayed_ref_updates (bsc#1165949).
- btrfs: Output ENOSPC debug info in inc_block_group_ro (bsc#1165949).
- btrfs: pass root to various extent ref mod functions (bsc#1165949).
- btrfs: qgroup: Do not hold qgroup_ioctl_lock in btrfs_qgroup_inherit() (bsc#1165823).
- btrfs: qgroup: Mark qgroup inconsistent if we're inherting snapshot to a new qgroup (bsc#1165823).
- btrfs: refactor block group replication factor calculation to a helper (bsc#1165949).
- btrfs: refactor priority_reclaim_metadata_space (bsc#1165949).
- btrfs: refactor the ticket wakeup code (bsc#1165949).
- btrfs: release metadata before running delayed refs (bsc##1165949).
- btrfs: remove bio_flags which indicates a meta block of log-tree (bsc#1168273).
- btrfs: Remove btrfs_inode::delayed_iput_count (bsc#1165949).
- btrfs: Remove fs_info from do_chunk_alloc (bsc#1165949).
- btrfs: remove orig_bytes from reserve_ticket (bsc#1165949).
- btrfs: Remove redundant argument of flush_space (bsc#1165949).
- btrfs: Remove redundant mirror_num arg (bsc#1168273).
- btrfs: Rename bin_search -> btrfs_bin_search (bsc#1168273).
- btrfs: rename btrfs_space_info_add_old_bytes (bsc#1165949).
- btrfs: rename do_chunk_alloc to btrfs_chunk_alloc (bsc#1165949).
- btrfs: rename the btrfs_calc_*_metadata_size helpers (bsc#1165949).
- btrfs: replace cleaner_delayed_iput_mutex with a waitqueue (bsc#1165949).
- btrfs: reserve delalloc metadata differently (bsc#1165949).
- btrfs: reserve extra space during evict (bsc#1165949).
- btrfs: reset max_extent_size on clear in a bitmap (bsc##1165949).
- btrfs: reset max_extent_size properly (bsc##1165949).
- btrfs: rework btrfs_check_space_for_delayed_refs (bsc#1165949).
- btrfs: rework wake_all_tickets (bsc#1165949).
- btrfs: roll tracepoint into btrfs_space_info_update helper (bsc#1165949).
- btrfs: run btrfs_try_granting_tickets if a priority ticket fails (bsc#1165949).
- btrfs: run delayed iput at unlink time (bsc#1165949).
- btrfs: run delayed iputs before committing (bsc#1165949).
- btrfs: set max_extent_size properly (bsc##1165949).
- btrfs: sink extent_write_full_page tree argument (bsc#1168273).
- btrfs: sink extent_write_locked_range tree parameter (bsc#1168273).
- btrfs: sink flush_fn to extent_write_cache_pages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_fiemap (bsc#1168273).
- btrfs: sink get_extent parameter to extent_readpages (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_full_page (bsc#1168273).
- btrfs: sink get_extent parameter to extent_write_locked_range (bsc#1168273).
- btrfs: sink get_extent parameter to extent_writepages (bsc#1168273).
- btrfs: sink get_extent parameter to get_extent_skip_holes (bsc#1168273).
- btrfs: sink writepage parameter to extent_write_cache_pages (bsc#1168273).
- btrfs: stop partially refilling tickets when releasing space (bsc#1165949).
- btrfs: stop using block_rsv_release_bytes everywhere (bsc#1165949).
- btrfs: switch to on-stack csum buffer in csum_tree_block (bsc#1168273).
- btrfs: temporarily export btrfs_get_restripe_target (bsc#1165949).
- btrfs: temporarily export fragment_free_space (bsc#1165949).
- btrfs: temporarily export inc_block_group_ro (bsc#1165949).
- btrfs: track DIO bytes in flight (bsc#1165949).
- btrfs: tree-checker: Remove comprehensive root owner check (bsc#1168273).
- btrfs: unexport can_overcommit (bsc#1165949).
- btrfs: unexport the temporary exported functions (bsc#1165949).
- btrfs: unify error handling for ticket flushing (bsc#1165949).
- btrfs: unify extent_page_data type passed as void (bsc#1168273).
- btrfs: update may_commit_transaction to use the delayed refs rsv (bsc#1165949).
- btrfs: use btrfs_try_granting_tickets in update_global_rsv (bsc#1165949).
- btrfs: wait on caching when putting the bg cache (bsc#1165949).
- btrfs: wait on ordered extents on abort cleanup (bsc#1165949).
- btrfs: wakeup cleaner thread when adding delayed iput (bsc#1165949).
- cdrom: respect device capabilities during opening action (boo#1164632).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: canonicalize server path in place (bsc#1168443).
- ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL (bsc#1169307).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- ceph: remove the extra slashes in the server path (bsc#1168443).
- cfg80211: check reg_rule for NULL in handle_channel_custom() (bsc#1051510).
- cfg80211: check wiphy driver existence for drvinfo report (bsc#1051510).
- cgroup: memcg: net: do not associate sock with unrelated cgroup (bsc#1167290).
- cifs: add a debug macro that prints \\server\share for errors (bsc#1144333).
- cifs: add missing mount option to /proc/mounts (bsc#1144333).
- cifs: add new debugging macro cifs_server_dbg (bsc#1144333).
- cifs: add passthrough for smb2 setinfo (bsc#1144333).
- cifs: add SMB2_open() arg to return POSIX data (bsc#1144333).
- cifs: add smb2 POSIX info level (bsc#1144333).
- cifs: add SMB3 change notification support (bsc#1144333).
- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1144333).
- cifs: Add support for setting owner info, dos attributes, and create time (bsc#1144333).
- cifs: Add tracepoints for errors on flush or fsync (bsc#1144333).
- cifs: Adjust indentation in smb2_open_file (bsc#1144333).
- cifs: allow chmod to set mode bits using special sid (bsc#1144333).
- cifs: Avoid doing network I/O while holding cache lock (bsc#1144333).
- cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1144333).
- cifs: Clean up DFS referral cache (bsc#1144333).
- cifs: create a helper function to parse the query-directory response buffer (bsc#1144333).
- cifs: do d_move in rename (bsc#1144333).
- cifs: Do not display RDMA transport on reconnect (bsc#1144333).
- cifs: do not ignore the SYNC flags in getattr (bsc#1144333).
- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1144333).
- cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1144333).
- cifs: enable change notification for SMB2.1 dialect (bsc#1144333).
- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1144333).
- cifs: fix a comment for the timeouts when sending echos (bsc#1144333).
- cifs: fix a white space issue in cifs_get_inode_info() (bsc#1144333).
- cifs: fix dereference on ses before it is null checked (bsc#1144333).
- cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).
- cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1144333).
- cifs: Fix mode output in debugging statements (bsc#1144333).
- cifs: Fix mount options set in automount (bsc#1144333).
- cifs: fix NULL dereference in match_prepath (bsc#1144333).
- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1144333).
- cifs: fix potential mismatch of UNC paths (bsc#1144333).
- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1144333).
- cifs: Fix return value in __update_cache_entry (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: fix soft mounts hanging in the reconnect code (bsc#1144333).
- cifs: Fix task struct use-after-free on reconnect (bsc#1144333).
- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1144333).
- cifs: get mode bits from special sid on stat (bsc#1144333).
- cifs: Get rid of kstrdup_const()'d paths (bsc#1144333).
- cifs: handle prefix paths in reconnect (bsc#1144333).
- cifs: ignore cached share root handle closing errors (bsc#1166780).
- cifs: Introduce helpers for finding TCP connection (bsc#1144333).
- cifs: log warning message (once) if out of disk space (bsc#1144333).
- cifs: make sure we do not overflow the max EA buffer size (bsc#1144333).
- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1144333).
- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1144333).
- cifs: modefromsid: make room for 4 ACE (bsc#1144333).
- cifs: modefromsid: write mode ACE first (bsc#1144333).
- cifs: Optimize readdir on reparse points (bsc#1144333).
- cifs: plumb smb2 POSIX dir enumeration (bsc#1144333).
- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1144333).
- cifs: prepare SMB2_query_directory to be used with compounding (bsc#1144333).
- cifs: print warning once if mounting with vers=1.0 (bsc#1144333).
- cifs: refactor cifs_get_inode_info() (bsc#1144333).
- cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1144333).
- cifs: remove redundant assignment to variable rc (bsc#1144333).
- cifs: remove set but not used variables (bsc#1144333).
- cifs: remove set but not used variable 'server' (bsc#1144333).
- cifs: remove unused variable (bsc#1144333).
- cifs: remove unused variable 'sid_user' (bsc#1144333).
- cifs: rename a variable in SendReceive() (bsc#1144333).
- cifs: rename posix create rsp (bsc#1144333).
- cifs: replace various strncpy with strscpy and similar (bsc#1144333).
- cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1144333).
- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1144333).
- cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1144333).
- cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1144333).
- cifs: smbd: Only queue work for error recovery on memory registration (bsc#1144333).
- cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1144333).
- cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1144333).
- cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1144333).
- cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1144333).
- cifs: use compounding for open and first query-dir for readdir() (bsc#1144333).
- cifs: Use #define in cifs_dbg (bsc#1144333).
- cifs: Use memdup_user() rather than duplicating its implementation (bsc#1144333).
- cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1144333).
- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1144333).
- clk: imx: Align imx sc clock msg structs to 4 (bsc#1111666).
- clk: imx: Align imx sc clock msg structs to 4 (git-fixes).
- clk: qcom: rcg: Return failure for RCG update (bsc#1051510).
- closures: fix a race on wakeup from closure_sync (bsc#1163762).
- cls_rsvp: fix rsvp_policy (networking-stable-20_02_05).
- configfs: Fix bool initialization/comparison (bsc#1051510).
- core: Do not skip generic XDP program execution for cloned SKBs (bsc#1109837).
- Correct fallouts from previous AER/DPC fixes (bsc#1161561)
- cpufreq: powernv: Fix unsafe notifiers (bsc#1065729).
- cpufreq: powernv: Fix use-after-free (bsc#1065729).
- cpufreq: Register drivers only after CPU devices have been registered (bsc#1051510).
- cpuidle: Do not unset the driver if it is there already (bsc#1051510).
- crypto: arm64/sha-ce - implement export/import (bsc#1051510).
- Crypto: chelsio - Fixes a deadlock between rtnl_lock and uld_mutex (bsc#1111666).
- Crypto: chelsio - Fixes a hang issue during driver registration (bsc#1111666).
- crypto: mxs-dcp - fix scatterlist linearization for hash (bsc#1051510).
- crypto: pcrypt - Fix user-after-free on module unload (git-fixes).
- crypto: tcrypt - fix printed skcipher [a]sync mode (bsc#1051510).
- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198  bsc#1109911).
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198).
- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911).
- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911).
- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198).
- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911).
- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911).
- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911).
- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911).
- debugfs: simplify __debugfs_remove_file() (bsc#1159198).
- Delete patches which cause regression (bsc#1165527 ltc#184149).
- Deprecate NR_UNSTABLE_NFS, use NR_WRITEBACK (bsc#1163403).
- device: Use overflow helpers for devm_kmalloc() (bsc#1166003).
- devlink: report 0 after hitting end in region read (bsc#1109837).
- dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() (bsc#1051510).
- dmaengine: ste_dma40: fix unneeded variable warning (bsc#1051510).
- dm: fix incomplete request_queue initialization (bsc#1104967,bsc#1159142).
- driver core: platform: fix u32 greater or equal to zero comparison (bsc#1051510).
- driver core: platform: Prevent resouce overflow from causing infinite loops (bsc#1051510).
- driver core: Print device when resources present in really_probe() (bsc#1051510).
- drivers/md/raid5.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Do not disable irq on release_inactive_stripe_list() call (bsc#1166003).
- drivers/md/raid5-ppl.c: use the new spelling of RWH_WRITE_LIFE_NOT_SET (bsc#1166003).
- drivers/md/raid5: Use irqsave variant of atomic_dec_and_lock() (bsc#1166003).
- drm/amd/amdgpu: Fix GPR read from debugfs (v2) (bsc#1113956)
- drm/amd/display: Add link_rate quirk for Apple 15' MBP 2017 (bsc#1111666).
- drm/amd/display: Fix wrongly passed static prefix (bsc#1111666).
- drm/amd/display: remove duplicated assignment to grph_obj_type (bsc#1051510).
- drm/amd/dm/mst: Ignore payload update failures (bsc#1112178)
- drm/amdgpu: fix typo for vcn1 idle check (bsc#1111666).
- drm/amdkfd: fix a use after free race with mmu_notifer unregister (bsc#1114279)
- drm: atmel-hlcdc: enable clock before configuring timing engine (bsc#1114279)
- drm/bochs: downgrade pci_request_region failure from error to warning (bsc#1051510).
- drm/bridge: dw-hdmi: fix AVI frame colorimetry (bsc#1051510).
- drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() (bsc#1051510).
- drm/drm_dp_mst:remove set but not used variable 'origlen' (bsc#1051510).
- drm/etnaviv: fix dumping of iommuv2 (bsc#1114279)
- drm/exynos: dsi: fix workaround for the legacy clock name (bsc#1111666).
- drm/exynos: dsi: propagate error value and silence meaningless warning (bsc#1111666).
- drm/gma500: Fixup fbdev stolen size usage evaluation (bsc#1051510).
- drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime (git-fixes).
- drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits (git-fixes).
- drm/i915/gvt: Separate display reset from ALL_ENGINES reset (bsc#1114279)
- drm/i915: Program MBUS with rmw during initialization (git-fixes).
- drm/i915/selftests: Fix return in assert_mmap_offset() (bsc#1114279)
- drm/i915/userptr: fix size calculation (bsc#1114279)
- drm/i915/userptr: Try to acquire the page lock around (bsc#1114279)
- drm/i915: Wean off drm_pci_alloc/drm_pci_free (bsc#1114279)
- drm/lease: fix WARNING in idr_destroy (bsc#1113956)
- drm/mediatek: Add gamma property according to hardware capability (bsc#1114279)
- drm/mediatek: disable all the planes in atomic_disable (bsc#1114279)
- drm/mediatek: handle events when enabling/disabling crtc (bsc#1051510).
- drm/mipi_dbi: Fix off-by-one bugs in mipi_dbi_blank() (bsc#1114279)
- drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable (bsc#1114279)
- drm/msm: Set dma maximum segment size for mdss (bsc#1051510).
- drm/msm: stop abusing dma_map/unmap for cache (bsc#1051510).
- drm/msm: Use the correct dma_sync calls harder (bsc#1051510).
- drm/msm: Use the correct dma_sync calls in msm_gem (bsc#1051510).
- drm/nouveau/disp/nv50-: prevent oops when no channel method map provided (bsc#1051510).
- drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw (bsc#1051510).
- drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets (git-fixes).
- drm: rcar-du: Recognize 'renesas,vsps' in addition to 'vsps' (bsc#1114279)
- drm: remove the newline for CRC source name (bsc#1051510).
- drm/sun4i: de2/de3: Remove unsupported VI layer formats (git-fixes).
- drm/sun4i: dsi: Use NULL to signify 'no panel' (bsc#1111666).
- drm/sun4i: Fix DE2 VI layer format support (git-fixes).
- drm/v3d: Replace wait_for macros to remove use of msleep (bsc#1111666).
- drm/vc4: Fix HDMI mode validation (git-fixes).
- dt-bindings: allow up to four clocks for orion-mdio (bsc#1051510).
- EDAC, ghes: Make platform-based whitelisting x86-only (bsc#1158187).
- EDAC/mc: Fix use-after-free and memleaks during device removal (bsc#1114279).
- EDAC: skx_common: downgrade message importance on missing PCI device (bsc#1165581).
- efi: Do not attempt to map RCI2 config table if it does not exist (jsc#ECO-366, bsc#1168367).
- efi: Export Runtime Configuration Interface table to sysfs (jsc#ECO-366, bsc#1168367).
- efi: Fix a race and a buffer overflow while reading efivars via sysfs (bsc#1164893).
- efi: x86: move efi_is_table_address() into arch/x86 (jsc#ECO-366, bsc#1168367).
- Enable CONFIG_BLK_DEV_SR_VENDOR (boo#1164632).
- ethtool: Factored out similar ethtool link settings for virtual devices to core (bsc#1136157 ltc#177197).
- ext4: add cond_resched() to __ext4_find_entry() (bsc#1166862).
- ext4: Avoid ENOSPC when avoiding to reuse recently deleted inodes (bsc#1165019).
- ext4: Check for non-zero journal inum in ext4_calculate_overhead (bsc#1167288).
- ext4: do not assume that mmp_nodename/bdevname have NUL (bsc#1166860).
- ext4: fix a data race in EXT4_I(inode)->i_disksize (bsc#1166861).
- ext4: fix incorrect group count in ext4_fill_super error message (bsc#1168765).
- ext4: fix incorrect inodes per group in error message (bsc#1168764).
- ext4: fix mount failure with quota configured as module (bsc#1164471).
- ext4: Fix mount failure with quota configured as module (bsc#1164471).
- ext4: fix potential race between online resizing and write operations (bsc#1166864).
- ext4: fix potential race between s_flex_groups online resizing and access (bsc#1166867).
- ext4: fix potential race between s_group_info online resizing and access (bsc#1166866).
- ext4: fix race between writepages and enabling EXT4_EXTENTS_FL (bsc#1166870).
- ext4: fix support for inode sizes > 1024 bytes (bsc#1164284).
- ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() (bsc#1166940).
- ext4: rename s_journal_flag_rwsem to s_writepages_rwsem (bsc#1166868).
- ext4: validate the debug_want_extra_isize mount option at parse time (bsc#1163897).
- fat: fix uninit-memory access for partial initialized inode (bsc#1051510).
- fat: work around race with userspace's read via blockdev while mounting (bsc#1051510).
- fbdev/g364fb: Fix build failure (bsc#1051510).
- fbdev: potential information leak in do_fb_ioctl() (bsc#1114279)
- fbmem: Adjust indentation in fb_prepare_logo and fb_blank (bsc#1114279)
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- fcntl: fix typo in RWH_WRITE_LIFE_NOT_SET r/w hint name (bsc#1166003).
- firmware: arm_sdei: fix double-lock on hibernate with shared events (bsc#1111666).
- firmware: arm_sdei: fix possible double-lock on hibernate error path (bsc#1111666).
- firmware: imx: misc: Align imx sc msg structs to 4 (git-fixes).
- firmware: imx: scu: Ensure sequential TX (git-fixes).
- firmware: imx: scu-pd: Align imx sc msg structs to 4 (git-fixes).
- fix memory leak in large read decrypt offload (bsc#1144333).
- Fix the locking in dcache_readdir() and friends (bsc#1123328).
- fs/cifs/cifssmb.c: use true,false for bool variable (bsc#1144333).
- fs: cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1144333).
- fs: cifs: Initialize filesystem timestamp ranges (bsc#1144333).
- fs: cifs: mute -Wunused-const-variable message (bsc#1144333).
- fs/cifs/sess.c: Remove set but not used variable 'capabilities' (bsc#1144333).
- fs/cifs/smb2ops.c: use true,false for bool variable (bsc#1144333).
- fs/cifs/smb2pdu.c: Make SMB2_notify_init static (bsc#1144333).
- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).
- ftrace/kprobe: Show the maxactive number on kprobe_events (git-fixes).
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted (networking-stable-20_01_27).
- gtp: use __GFP_NOWARN to avoid memalloc warning (networking-stable-20_02_05).
- HID: apple: Add support for recent firmware on Magic Keyboards (bsc#1051510).
- HID: core: fix off-by-one memset in hid_report_raw_event() (bsc#1051510).
- HID: hiddev: Fix race in in hiddev_disconnect() (git-fixes).
- hv_netvsc: Fix memory leak when removing rndis device (networking-stable-20_01_20).
- hv_netvsc: Fix offset usage in netvsc_send_table() (bsc#1164598).
- hv_netvsc: Fix send_table offset in case of a host bug (bsc#1164598).
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1164598).
- hv_netvsc: Fix unwanted rx_table reset (bsc#1164598).
- hv_netvsc: pass netvsc_device to rndis halt
- hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() (bsc#1051510).
- i2c: hix5hd2: add missed clk_disable_unprepare in remove (bsc#1051510).
- i2c: jz4780: silence log flood on txabrt (bsc#1051510).
- IB/hfi1: Close window for pq and request coliding (bsc#1060463 ).
- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- ibmvnic: Do not process device remove during device reset (bsc#1065729).
- ibmvnic: Warn unknown speed message only when carrier is present (bsc#1065729).
- iio: gyro: adis16136: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16400: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis16480: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: imu: adis: check ret val for non-zero vs less-than-zero (bsc#1051510).
- iio: magnetometer: ak8974: Fix negative raw values in sysfs (bsc#1051510).
- iio: potentiostat: lmp9100: fix iio_triggered_buffer_{predisable,postenable} positions (bsc#1051510).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: avoid BIT() macro usage in the serio.h UAPI header (bsc#1051510).
- Input: edt-ft5x06 - work around first register access error (bsc#1051510).
- Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() (bsc#1051510).
- Input: synaptics - enable RMI on HP Envy 13-ad105ng (bsc#1051510).
- Input: synaptics - enable SMBus on ThinkPad L470 (bsc#1051510).
- Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list (bsc#1051510).
- Input: synaptics - switch T470s to RMI4 by default (bsc#1051510).
- intel_th: Fix user-visible error codes (bsc#1051510).
- intel_th: pci: Add Elkhart Lake CPU support (bsc#1051510).
- iommu/amd: Check feature support bit before accessing MSI capability registers (bsc#1166101).
- iommu/amd: Fix the configuration of GCR3 table root pointer (bsc#1169057).
- iommu/amd: Only support x2APIC with IVHD type 11h/40h (bsc#1166102).
- iommu/amd: Remap the IOMMU device table with the memory encryption mask for kdump (bsc#1141895).
- iommu/dma: Fix MSI reservation allocation (bsc#1166730).
- iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() (bsc#1164115).
- iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint (bsc#1166731).
- iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page (bsc#1166732).
- iommu/vt-d: Fix compile warning from intel-svm.h (bsc#1166103).
- iommu/vt-d: Fix the wrong printing in RHSA parsing (bsc#1166733).
- iommu/vt-d: Ignore devices with out-of-spec domain number (bsc#1166734).
- iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint (bsc#1166735).
- ipmi: fix hung processes in __get_guid() (bsc#1111666).
- ipmi:ssif: Handle a possible NULL pointer reference (bsc#1051510).
- ipv4: ensure rcu_read_lock() in cipso_v4_error() (git-fixes).
- ipv6: restrict IPV6_ADDRFORM operation (bsc#1109837).
- ipvlan: do not add hardware address of master to its unicast filter list (bsc#1137325).
- irqchip/bcm2835: Quiesce IRQs left enabled by bootloader (bsc#1051510).
- irqdomain: Fix a memory leak in irq_domain_push_irq() (bsc#1051510).
- iwlegacy: Fix -Wcast-function-type (bsc#1051510).
- iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (bsc#1166632).
- iwlwifi: mvm: Fix thermal zone registration (bsc#1051510).
- kABI: fixes for debugfs per-file removal protection backports (bsc#1159198 bsc#1109911).
- kabi: invoke bpf_gen_ld_abs() directly (bsc#1158552).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for pcie_port_bus_type change (bsc#1161561).
- kdump, proc/vmcore: Enable kdumping encrypted memory with SME enabled (bsc#1141895).
- kernel/module.c: Only return -EEXIST for modules that have finished loading (bsc#1165488).
- kernel/module.c: wakeup processes in module_wq on module unload (bsc#1165488).
- kexec: Allocate decrypted control pages for kdump if SME is enabled (bsc#1141895).
- KVM: arm64: Store vcpu on the stack during __guest_enter() (bsc#1133021).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: s390: do not clobber registers during guest reset/store status (bsc#1133021).
- KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups (bsc#1133021).
- KVM: VMX: check descriptor table exits on instruction emulation (bsc#1166104).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- l2tp: Allow duplicate session creation with UDP (networking-stable-20_02_05).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- lcoking/rwsem: Add missing ACQUIRE to read_slowpath sleep loop (bsc#1050549).
- libceph: fix alloc_msg_with_page_vector() memory leaks (bsc#1169308).
- lib: crc64: include &lt;linux/crc64.h> for 'crc64_be' (bsc#1163762).
- libfs: fix infoleak in simple_attr_read() (bsc#1168881).
- libnvdimm/pfn_dev: Do not clear device memmap area during generic namespace probe (bsc#1165929 bsc#1165950).
- libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields (bsc#1165929).
- libnvdimm: remove redundant __func__ in dev_dbg (bsc#1165929).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add missing include for raid6test (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6: add option to skip algo benchmarking (bsc#1166003).
- lib/raid6/altivec: Add vpermxor implementation for raid6 Q syndrome (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- lib/raid6: avoid __attribute_const__ redefinition (bsc#1166003).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- locking/rwsem: Prevent decrement of reader count before increment (bsc#1050549).
- lpfc: add support for translating an RSCN rcv into a discovery rescan (bsc#1164777 bsc#1164780 bsc#1165211).
- lpfc: add support to generate RSCN events for nport (bsc#1164777 bsc#1164780 bsc#1165211).
- mac80211: consider more elements in parsing CRC (bsc#1051510).
- mac80211: Do not send mesh HWMP PREQ if HWMP is disabled (bsc#1051510).
- mac80211: free peer keys before vif down in mesh (bsc#1051510).
- mac80211: mesh: fix RCU warning (bsc#1051510).
- mac80211: only warn once on chanctx_conf being NULL (bsc#1051510).
- mac80211: rx: avoid RCU list traversal under mutex (bsc#1051510).
- macsec: add missing attribute validation for port (bsc#1051510).
- macsec: fix refcnt leak in module exit routine (bsc#1051510).
- md: add __acquires/__releases annotations to handle_active_stripes (bsc#1166003).
- md: add __acquires/__releases annotations to (un)lock_two_stripes (bsc#1166003).
- md: add a missing endianness conversion in check_sb_changes (bsc#1166003).
- md: add bitmap_abort label in md_run (bsc#1166003).
- md: add feature flag MD_FEATURE_RAID0_LAYOUT (bsc#1166003).
- md: allow last device to be forcibly removed from RAID1/RAID10 (bsc#1166003).
- md: avoid invalid memory access for array sb->dev_roles (bsc#1166003).
- md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of backlog (bsc#1166003).
- md-bitmap: create and destroy wb_info_pool with the change of bitmap (bsc#1166003).
- md-bitmap: small cleanups (bsc#1166003).
- md/bitmap: use mddev_suspend/resume instead of ->quiesce() (bsc#1166003).
- md-cluster/bitmap: do not call md_bitmap_sync_with_cluster during reshaping stage (bsc#1166003).
- md-cluster: introduce resync_info_get interface for sanity check (bsc#1166003).
- md-cluster/raid10: call update_size in md_reap_sync_thread (bsc#1166003).
- md-cluster/raid10: do not call remove_and_add_spares during reshaping stage (bsc#1166003).
- md-cluster/raid10: resize all the bitmaps before start reshape (bsc#1166003).
- md-cluster/raid10: support add disk under grow mode (bsc#1166003).
- md-cluster: remove suspend_info (bsc#1166003).
- md-cluster: send BITMAP_NEEDS_SYNC message if reshaping is interrupted (bsc#1166003).
- md: convert to kvmalloc (bsc#1166003).
- md: do not call spare_active in md_reap_sync_thread if all member devices can't work (bsc#1166003).
- md: do not set In_sync if array is frozen (bsc#1166003).
- md: fix an error code format and remove unsed bio_sector (bsc#1166003).
- md: fix a typo s/creat/create (bsc#1166003).
- md: fix for divide error in status_resync (bsc#1166003).
- md: fix spelling typo and add necessary space (bsc#1166003).
- md: introduce mddev_create/destroy_wb_pool for the change of member device (bsc#1166003).
- md: introduce new personality funciton start() (bsc#1166003).
- md-linear: use struct_size() in kzalloc() (bsc#1166003).
- md: Make bio_alloc_mddev use bio_alloc_bioset (bsc#1166003).
- md: make sure desc_nr less than MD_SB_DISKS (bsc#1166003).
- md: md.c: Return -ENODEV when mddev is NULL in rdev_attr_show (bsc#1166003).
- md: no longer compare spare disk superblock events in super_load (bsc#1166003).
- md/r5cache: remove redundant pointer bio (bsc#1166003).
- md/raid0: Fix an error message in raid0_make_request() (bsc#1166003).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- md raid0/linear: Mark array as 'broken' and fail BIOs if a member is gone (bsc#1166003).
- md/raid10: end bio when the device faulty (bsc#1166003).
- md/raid10: Fix raid10 replace hang when new added disk faulty (bsc#1166003).
- md/raid10: prevent access of uninitialized resync_pages offset (bsc#1166003).
- md/raid10: read balance chooses idlest disk for SSD (bsc#1166003).
- md: raid10: Use struct_size() in kmalloc() (bsc#1166003).
- md/raid1: avoid soft lockup under high load (bsc#1166003).
- md: raid1: check rdev before reference in raid1_sync_request func (bsc#1166003).
- md/raid1: end bio when the device faulty (bsc#1166003).
- md/raid1: fail run raid1 array when active disk less than one (bsc#1166003).
- md/raid1: Fix a warning message in remove_wb() (bsc#1166003).
- md/raid1: fix potential data inconsistency issue with write behind device (bsc#1166003).
- md/raid1: get rid of extra blank line and space (bsc#1166003).
- md/raid5: Assigning NULL to sh->batch_head before testing bit R5_Overlap of a stripe (bsc#1166003).
- md/raid5: use bio_end_sector to calculate last_sector (bsc#1166003).
- md/raid6: fix algorithm choice under larger PAGE_SIZE (bsc#1166003).
- md/raid6: implement recovery using ARM NEON intrinsics (bsc#1166003).
- md: remove a bogus comment (bsc#1166003).
- md: remove redundant code that is no longer reachable (bsc#1166003).
- md: remove set but not used variable 'bi_rdev' (bsc#1166003).
- md: rename wb stuffs (bsc#1166003).
- md: return -ENODEV if rdev has no mddev assigned (bsc#1166003).
- md: use correct type in super_1_load (bsc#1166003).
- md: use correct type in super_1_sync (bsc#1166003).
- md: use correct types in md_bitmap_print_sb (bsc#1166003).
- media: dib0700: fix rc endpoint lookup (bsc#1051510).
- media: flexcop-usb: fix endpoint sanity check (git-fixes).
- media: go7007: Fix URB type for interrupt handling (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support (bsc#1051510).
- media: ov6650: Fix some format attributes not under control (bsc#1051510).
- media: ov6650: Fix stored crop rectangle not in sync with hardware (bsc#1051510).
- media: ov6650: Fix stored frame format not in sync with hardware (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: tda10071: fix unsigned sign extension overflow (bsc#1051510).
- media: usbtv: fix control-message timeouts (bsc#1051510).
- media: uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507).
- media: v4l2-core: fix entity initialization in device_register_subdev (bsc#1051510).
- media: vsp1: tidyup VI6_HGT_LBn_H() macro (bsc#1051510).
- media: xirlink_cit: add missing descriptor sanity checks (bsc#1051510).
- mfd: dln2: Fix sanity checking for endpoints (bsc#1051510).
- misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices (bsc#1051510).
- mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters (bsc#1112374).
- mlxsw: spectrum: Wipe xstats.backlog of down ports (bsc#1112374).
- mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 (bsc#1051510).
- mm/filemap.c: do not initiate writeback if mapping has no dirty pages (bsc#1168884).
- mm/memory_hotplug.c: only respect mem= parameter during boot stage (bsc#1065600).
- MM: replace PF_LESS_THROTTLE with PF_LOCAL_THROTTLE (bsc#1163403).
- mm: Use overflow helpers in kvmalloc() (bsc#1166003).
- mwifiex: set needed_headroom, not hard_header_len (bsc#1051510).
- net: add sendmsg_locked and sendpage_locked to af_inet6 (bsc#1144162).
- net: core: another layer of lists, around PF_MEMALLOC skb handling (bsc#1050549).
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM (networking-stable-20_01_27).
- net: dsa: mv88e6xxx: Preserve priority when setting CPU port (networking-stable-20_01_11).
- net: dsa: tag_qca: fix doubled Tx statistics (networking-stable-20_01_20).
- net: dsa: tag_qca: Make sure there is headroom for tag (networking-stable-20_02_19).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net/ethtool: Introduce link_ksettings API for virtual network devices (bsc#1136157 ltc#177197).
- netfilter: conntrack: sctp: use distinct states for new SCTP connections (bsc#1159199).
- net: Fix Tx hash bound checking (bsc#1109837).
- net: hns3: fix a copying IPv6 address error in hclge_fd_get_flow_tuples() (bsc#1104353).
- net: hns: fix soft lockup when there is not enough memory (networking-stable-20_01_20).
- net: hsr: fix possible NULL deref in hsr_handle_frame() (networking-stable-20_02_05).
- net: ip6_gre: fix moving ip6gre between namespaces (networking-stable-20_01_27).
- net, ip6_tunnel: fix namespaces move (networking-stable-20_01_27).
- net, ip_tunnel: fix namespaces move (networking-stable-20_01_27).
- net: macb: Limit maximum GEM TX length in TSO (networking-stable-20_02_09).
- net: macb: Remove unnecessary alignment check for TSO (networking-stable-20_02_09).
- net/mlx5: Fix lowest FDB pool size (bsc#1103990).
- net/mlx5: IPsec, Fix esp modify function attribute (bsc#1103990 ).
- net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx (bsc#1103990).
- net/mlx5: Update the list of the PCI supported devices (bsc#1127611).
- net/mlxfw: Verify FSM error code translation does not exceed array size (bsc#1051858).
- net: mvneta: move rx_dropped and rx_errors in per-cpu stats (networking-stable-20_02_09).
- net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL (bsc#1051510).
- net: nfc: fix bounds checking bugs on 'pipe' (bsc#1051510).
- net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers (bsc#1051510).
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (networking-stable-20_01_27).
- net: sched: correct flower port blocking (git-fixes).
- net_sched: ematch: reject invalid TCF_EM_SIMPLE (networking-stable-20_01_30).
- net_sched: fix an OOB access in cls_tcindex (networking-stable-20_02_05).
- net_sched: fix a resource leak in tcindex_set_parms() (networking-stable-20_02_09).
- net_sched: fix datalen for ematch (networking-stable-20_01_27).
- net/sched: flower: add missing validation of TCA_FLOWER_FLAGS (networking-stable-20_02_19).
- net_sched: keep alloc_hash updated after hash allocation (git-fixes).
- net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS (networking-stable-20_02_19).
- net: sch_prio: When ungrafting, replace with FIFO (networking-stable-20_01_11).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: add fallback check to connect() (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix leak of kernel memory to user space (networking-stable-20_02_19).
- net/smc: fix refcount non-blocking connect() -part 2 (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: stmmac: Delete txtimer in suspend() (networking-stable-20_02_05).
- net: stmmac: dwmac-sunxi: Allow all RGMII modes (networking-stable-20_01_11).
- net-sysfs: Fix reference count leak (networking-stable-20_01_27).
- net: systemport: Avoid RBUF stuck in Wake-on-LAN mode (networking-stable-20_02_09).
- net/tls: fix async operation (bsc#1109837).
- net/tls: free the record on encryption error (bsc#1109837).
- net/tls: take into account that bpf_exec_tx_verdict() may free the record (bsc#1109837).
- net: usb: lan78xx: Add .ndo_features_check (networking-stable-20_01_27).
- net: usb: lan78xx: fix possible skb leak (networking-stable-20_01_11).
- net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info (networking-stable-20_01_20).
- NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() (bsc#1051510).
- NFC: pn544: Fix a typo in a debug message (bsc#1051510).
- NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() (bsc#1051510).
- NFS: send state management on a single connection (bsc#1167005).
- nvme: fix a possible deadlock when passthru commands sent to a multipath device (bsc#1158983).
- nvme: fix controller removal race with scan work (bsc#1158983).
- nvme: Fix parsing of ANA log page (bsc#1166658).
- nvme-multipath: also check for a disabled path if there is a single sibling (bsc#1158983).
- nvme-multipath: do not select namespaces which are about to be removed (bsc#1158983).
- nvme-multipath: factor out a nvme_path_is_disabled helper (bsc#1158983).
- nvme-multipath: fix crash in nvme_mpath_clear_ctrl_paths (bsc#1158983).
- nvme-multipath: fix possible io hang after ctrl reconnect (bsc#1158983).
- nvme-multipath: fix possible I/O hang when paths are updated (bsc#1158983).
- nvme-multipath: remove unused groups_only mode in ana log (bsc#1158983).
- nvme-multipath: round-robin I/O policy (bsc#1158983).
- nvme: resync include/linux/nvme.h with nvmecli (bsc#1156510).
- nvme: Translate more status codes to blk_status_t (bsc#1156510).
- objtool: Add is_static_jump() helper (bsc#1169514).
- objtool: Add relocation check for alternative sections (bsc#1169514).
- OMAP: DSS2: remove non-zero check on variable r (bsc#1114279)
- orinoco: avoid assertion in case of NULL pointer (bsc#1051510).
- padata: always acquire cpu_hotplug_lock before pinst->lock (git-fixes).
- partitions/efi: Fix partition name parsing in GUID partition entry (bsc#1168763).
- PCI/AER: Clear device status bits during ERR_COR handling (bsc#1161561).
- PCI/AER: Clear device status bits during ERR_FATAL and ERR_NONFATAL (bsc#1161561).
- PCI/AER: Clear only ERR_FATAL status bits during fatal recovery (bsc#1161561).
- PCI/AER: Clear only ERR_NONFATAL bits during non-fatal recovery (bsc#1161561).
- PCI/AER: Do not clear AER bits if error handling is Firmware-First (bsc#1161561).
- PCI/AER: Do not read upstream ports below fatal errors (bsc#1161561).
- PCI/AER: Factor message prefixes with dev_fmt() (bsc#1161561).
- PCI/AER: Factor out ERR_NONFATAL status bit clearing (bsc#1161561).
- PCI/AER: Log which device prevents error recovery (bsc#1161561).
- PCI/AER: Remove ERR_FATAL code from ERR_NONFATAL path (bsc#1161561).
- PCI/AER: Take reference on error devices (bsc#1161561).
- PCI/ASPM: Clear the correct bits when enabling L1 substates (bsc#1051510).
- PCI: endpoint: Fix clearing start entry in configfs (bsc#1051510).
- PCI/ERR: Always report current recovery status for udev (bsc#1161561).
- PCI/ERR: Handle fatal error recovery (bsc#1161561).
- PCI/ERR: Remove duplicated include from err.c (bsc#1161561).
- PCI/ERR: Run error recovery callbacks for all affected devices (bsc#1161561).
- PCI/ERR: Simplify broadcast callouts (bsc#1161561).
- PCI/ERR: Use slot reset if available (bsc#1161561).
- PCI/IOV: Fix memory leak in pci_iov_add_virtfn() (git-fixes).
- PCI: pciehp: Fix MSI interrupt race (bsc#1159037).
- PCI: portdrv: Initialize service drivers directly (bsc#1161561).
- PCI/portdrv: Remove pcie_port_bus_type link order dependency (bsc#1161561).
- PCI: Simplify disconnected marking (bsc#1161561).
- PCI/switchtec: Fix init_completion race condition with poll_wait() (bsc#1051510).
- PCI: Unify device inaccessible (bsc#1161561).
- perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag (bsc#1114279).
- perf: qcom_l2: fix column exclusion check (git-fixes).
- pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins (bsc#1051510).
- pinctrl: core: Remove extra kref_get which blocks hogs being freed (bsc#1051510).
- pinctrl: imx: scu: Align imx sc msg structs to 4 (git-fixes).
- pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs (bsc#1051510).
- pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs (bsc#1051510).
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM (networking-stable-20_01_11).
- platform/mellanox: fix potential deadlock in the tmfifo driver (bsc#1136333 jsc#SLE-4994).
- platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table (bsc#1051510).
- PM: core: Fix handling of devices deleted during system-wide resume (git-fixes).
- powerpc/64: mark start_here_multiplatform as __ref (bsc#1148868).
- powerpc/64s: Fix section mismatch warnings from boot code (bsc#1148868).
- powerpc/64/tm: Do not let userspace set regs->trap via sigreturn (bsc#1118338 ltc#173734).
- powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems (bsc#1056686).
- powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries (bsc#1065729).
- powerpc/kprobes: Ignore traps that happened in real mode (bsc#1065729).
- powerpc/mm: Fix section mismatch warning in stop_machine_change_mapping() (bsc#1148868).
- powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable (bsc#1160659).
- powerpc/pseries/ddw: Extend upper limit for huge DMA window for persistent memory (bsc#1142685 ltc#179509).
- powerpc/pseries: fix of_read_drc_info_cell() to point at next record (bsc#1165980 ltc#183834).
- powerpc/pseries: group lmb operation and memblock's (bsc#1165404 ltc#183498).
- powerpc/pseries/iommu: Fix set but not used values (bsc#1142685 ltc#179509).
- powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation (bsc#1142685 ltc#179509).
- powerpc/pseries/memory-hotplug: Only update DT once per memory DLPAR request (bsc#1165404 ltc#183498).
- powerpc/pseries: update device tree before ejecting hotplug uevents (bsc#1165404 ltc#183498).
- powerpc/smp: Use nid as fallback for package_id (bsc#1165813 ltc#184091).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/vmlinux.lds: Explicitly retain .gnu.hash (bsc#1148868).
- powerpc/xive: Replace msleep(x) with msleep(OPAL_BUSY_DELAY_MS) (bsc#1085030).
- powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs (bsc#1085030).
- ptr_ring: add include of linux/mm.h (bsc#1109837).
- pwm: bcm2835: Dynamically allocate base (bsc#1051510).
- pwm: meson: Fix confusing indentation (bsc#1051510).
- pwm: pca9685: Fix PWM/GPIO inter-operation (bsc#1051510).
- pwm: rcar: Fix late Runtime PM enablement (bsc#1051510).
- pwm: renesas-tpu: Fix late Runtime PM enablement (bsc#1051510).
- pxa168fb: fix release function mismatch in probe failure (bsc#1051510).
- qmi_wwan: re-add DW5821e pre-production variant (bsc#1051510).
- qmi_wwan: unconditionally reject 2 ep interfaces (bsc#1051510).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid10: refactor common wait code from regular read/write request (bsc#1166003).
- raid1: factor out a common routine to handle the completion of sync write (bsc#1166003).
- raid1: simplify raid1_error function (bsc#1166003).
- raid1: use an int as the return value of raise_barrier() (bsc#1166003).
- raid5: block failing device if raid will be failed (bsc#1166003).
- raid5-cache: Need to do start() part job after adding journal device (bsc#1166003).
- raid5: copy write hint from origin bio to stripe (bsc#1166003).
- raid5: do not increment read_errors on EILSEQ return (bsc#1166003).
- raid5: do not set STRIPE_HANDLE to stripe which is in batch list (bsc#1166003).
- raid5 improve too many read errors msg by adding limits (bsc#1166003).
- raid5: need to set STRIPE_HANDLE for batch head (bsc#1166003).
- raid5: remove STRIPE_OPS_REQ_PENDING (bsc#1166003).
- raid5: remove worker_cnt_per_group argument from alloc_thread_groups (bsc#1166003).
- raid5: set write hint for PPL (bsc#1166003).
- raid5: use bio_end_sector in r5_next_bio (bsc#1166003).
- raid6/test: fix a compilation error (bsc#1166003).
- raid6/test: fix a compilation warning (bsc#1166003).
- RDMA/cma: Fix unbalanced cm_id reference count during address resolve (bsc#1103992).
- RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create (bsc#1114685).
- RDMA/uverbs: Verify MR access flags (bsc#1103992).
- remoteproc: Initialize rproc_class before use (bsc#1051510).
- rtlwifi: Fix MAX MPDU of VHT capability (git-fixes).
- rtlwifi: Remove redundant semicolon in wifi.h (git-fixes).
- rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer (git-fixes).
- rtlwifi: rtl_pci: Fix -Wcast-function-type (bsc#1051510).
- rxrpc: Fix insufficient receive notification generation (networking-stable-20_02_05).
- s390/mm: fix dynamic pagetable upgrade for hugetlbfs (bsc#1165182 LTC#184102).
- s390/pci: Fix unexpected write combine on resource (git-fixes).
- s390/qeth: fix potential deadlock on workqueue flush (bsc#1165185 LTC#184108).
- s390/uv: Fix handling of length extensions (git-fixes).
- scsi: core: avoid repetitive logging of device offline messages (bsc#1145929).
- scsi: core: kABI fix offline_already (bsc#1145929).
- scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: fnic: do not queue commands during fwreset (bsc#1146539).
- scsi: ibmvfc: Add failed PRLI to cmd_status lookup array (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Byte swap status and error codes when logging (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Clean up transport events (bsc#1161951 ltc#183551).
- scsi: ibmvfc: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Do not call fc_block_scsi_eh() on host reset (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: ibmvfc: ibmvscsi: ibmvscsi_tgt: constify vio_device_id (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Mark expected switch fall-throughs (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove 'failed' from logged errors (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Remove unneeded semicolons (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: change strncpy+truncation to strlcpy (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: constify dev_pm_ops structures (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Do not use rc uninitialized in ibmvscsi_do_work (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: fix tripping of blk_mq_run_hw_queue WARN_ON (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Improve strings handling (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: redo driver work thread to use enum action states (bsc#1161951 ltc#183551).
- scsi: ibmvscsi: Wire up host_reset() in the driver's scsi_host_template (bsc#1161951 ltc#183551).
- scsi: lpfc: add RDF registration and Link Integrity FPIN logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Change default SCSI LUN QD to 64 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654).
- scsi: lpfc: Clean up hba max_lun_queue_depth checks (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Copyright updates for 12.6.0.4 patches (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix broken Credit Recovery after driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix compiler warning on frame size (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix coverity errors in fmdi attribute handling (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash after handling a pci error (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix disablement of FC-AL on lpe35000 models (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix driver nvme rescan logging (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix erroneous cpu limit of 128 on I/O statistics (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix Fabric hostname registration if system hostname changes (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix improper flag check for IO type (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lockdep error - register non-static key (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc_io_buf resource leak in lpfc_get_scsi_buf_s4 error path (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix MDS Latency Diagnostics Err-drop rates (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix missing check for CSF in Write Object Mbox Rsp (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix ras_log via debugfs (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix registration of ELS type support in fdmi (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix release of hwq to clear the eq relationship (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix: Rework setting of fdmi symbolic node name registration (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix RQ buffer leakage when no IOCBs available (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix scsi host template for SLI3 vports (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistake 'Notication' -> 'Notification' (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix unmap of dpp bars affecting next driver load (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make debugfs ktime stats generic for NVME and SCSI (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove handler for obsolete ELS - Read Port Status (RPS) (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Remove prototype FIPS/DSS options from SLI-3 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: lpfc: Update lpfc version to 12.8.0.0 (bsc#1164777 bsc#1164780 bsc#1165211).
- scsi: qla2xxx: Add 16.0GT for PCI String (bsc#1157424).
- scsi: qla2xxx: Add beacon LED config sysfs interface (bsc#1157424).
- scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP (bsc#1157424).
- scsi: qla2xxx: Add deferred queue for processing ABTS and RDP (bsc#1157424).
- scsi: qla2xxx: Add endianizer macro calls to fc host stats (bsc#1157424).
- scsi: qla2xxx: Add fixes for mailbox command (bsc#1157424).
- scsi: qla2xxx: add more FW debug information (bsc#1157424).
- scsi: qla2xxx: Add ql2xrdpenable module parameter for RDP (bsc#1157424).
- scsi: qla2xxx: Add sysfs node for D-Port Diagnostics AEN data (bsc#1157424).
- scsi: qla2xxx: Add vendor extended FDMI commands (bsc#1157424).
- scsi: qla2xxx: Add vendor extended RDP additions and amendments (bsc#1157424).
- scsi: qla2xxx: Avoid setting firmware options twice in 24xx_update_fw_options (bsc#1157424).
- scsi: qla2xxx: Check locking assumptions at runtime in qla2x00_abort_srb() (bsc#1157424).
- scsi: qla2xxx: Cleanup ELS/PUREX iocb fields (bsc#1157424).
- scsi: qla2xxx: Convert MAKE_HANDLE() from a define into an inline function (bsc#1157424).
- scsi: qla2xxx: Correction to selection of loopback/echo test (bsc#1157424).
- scsi: qla2xxx: Display message for FCE enabled (bsc#1157424).
- scsi: qla2xxx: Fix control flags for login/logout IOCB (bsc#1157424).
- scsi: qla2xxx: Fix FCP-SCSI FC4 flag passing error (bsc#1157424).
- scsi: qla2xxx: fix FW resource count values (bsc#1157424).
- scsi: qla2xxx: Fix I/Os being passed down when FC device is being deleted (bsc#1157424).
- scsi: qla2xxx: Fix NPIV instantiation after FW dump (bsc#1157424).
- scsi: qla2xxx: Fix qla2x00_echo_test() based on ISP type (bsc#1157424).
- scsi: qla2xxx: Fix RDP respond data format (bsc#1157424).
- scsi: qla2xxx: Fix RDP response size (bsc#1157424).
- scsi: qla2xxx: Fix sparse warning reported by kbuild bot (bsc#1157424).
- scsi: qla2xxx: Fix sparse warnings triggered by the PCI state checking code (bsc#1157424).
- scsi: qla2xxx: Force semaphore on flash validation failure (bsc#1157424).
- scsi: qla2xxx: Handle cases for limiting RDP response payload length (bsc#1157424).
- scsi: qla2xxx: Handle NVME status iocb correctly (bsc#1157424).
- scsi: qla2xxx: Improved secure flash support messages (bsc#1157424).
- scsi: qla2xxx: Move free of fcport out of interrupt context (bsc#1157424).
- scsi: qla2xxx: Print portname for logging in qla24xx_logio_entry() (bsc#1157424).
- scsi: qla2xxx: Remove restriction of FC T10-PI and FC-NVMe (bsc#1157424).
- scsi: qla2xxx: Return appropriate failure through BSG Interface (bsc#1157424).
- scsi: qla2xxx: Save rscn_gen for new fcport (bsc#1157424).
- scsi: qla2xxx: Serialize fc_port alloc in N2N (bsc#1157424).
- scsi: qla2xxx: Set Nport ID for N2N (bsc#1157424).
- scsi: qla2xxx: Show correct port speed capabilities for RDP command (bsc#1157424).
- scsi: qla2xxx: Simplify the code for aborting SCSI commands (bsc#1157424).
- scsi: qla2xxx: Suppress endianness complaints in qla2x00_configure_local_loop() (bsc#1157424).
- scsi: qla2xxx: Update BPM enablement semantics (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.24-k (bsc#1157424).
- scsi: qla2xxx: Update driver version to 10.01.00.25-k (bsc#1157424).
- scsi: qla2xxx: Use a dedicated interrupt handler for 'handshake-required' ISPs (bsc#1157424).
- scsi: qla2xxx: Use correct ISP28xx active FW region (bsc#1157424).
- scsi: qla2xxx: Use endian macros to assign static fields in fwdump header (bsc#1157424).
- scsi: qla2xxx: Use FC generic update firmware options routine for ISP27xx (bsc#1157424).
- scsi: qla2xxx: Use QLA_FW_STOPPED macro to propagate flag (bsc#1157424).
- scsi: tcm_qla2xxx: Make qlt_alloc_qfull_cmd() set cmd->se_cmd.map_tag (bsc#1157424).
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (networking-stable-20_01_11).
- serdev: ttyport: restore client ops on deregistration (bsc#1051510).
- smb3: add debug messages for closing unmatched open (bsc#1144333).
- smb3: Add defines for new information level, FileIdInformation (bsc#1144333).
- smb3: add dynamic tracepoints for flush and close (bsc#1144333).
- smb3: add missing flag definitions (bsc#1144333).
- smb3: Add missing reparse tags (bsc#1144333).
- smb3: add missing worker function for SMB3 change notify (bsc#1144333).
- smb3: add mount option to allow forced caching of read only share (bsc#1144333).
- smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1144333).
- smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1144333).
- smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1144333).
- smb3: allow decryption keys to be dumped by admin for debugging (bsc#1144333).
- smb3: allow disabling requesting leases (bsc#1144333).
- smb3: allow parallelizing decryption of reads (bsc#1144333).
- smb3: allow skipping signature verification for perf sensitive configurations (bsc#1144333).
- SMB3: Backup intent flag missing from some more ops (bsc#1144333).
- smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1144333).
- smb3: display max smb3 requests in flight at any one time (bsc#1144333).
- smb3: dump in_send and num_waiters stats counters by default (bsc#1144333).
- smb3: enable offload of decryption of large reads via mount option (bsc#1144333).
- smb3: fix default permissions on new files when mounting with modefromsid (bsc#1144333).
- smb3: fix mode passed in on create for modetosid mount option (bsc#1144333).
- smb3: fix performance regression with setting mtime (bsc#1144333).
- smb3: fix potential null dereference in decrypt offload (bsc#1144333).
- smb3: fix problem with null cifs super block with previous patch (bsc#1144333).
- smb3: Fix regression in time handling (bsc#1144333).
- smb3: improve check for when we send the security descriptor context on create (bsc#1144333).
- smb3: log warning if CSC policy conflicts with cache mount option (bsc#1144333).
- smb3: missing ACL related flags (bsc#1144333).
- smb3: only offload decryption of read responses if multiple requests (bsc#1144333).
- smb3: pass mode bits into create calls (bsc#1144333).
- smb3: print warning once if posix context returned on open (bsc#1144333).
- smb3: query attributes on file close (bsc#1144333).
- smb3: remove noisy debug message and minor cleanup (bsc#1144333).
- smb3: remove unused flag passed into close functions (bsc#1144333).
- sr_vendor: support Beurer GL50 evo CD-on-a-chip devices (boo#1164632).
- staging: ccree: use signal safe completion wait (git-fixes).
- staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table (bsc#1051510).
- staging: rtl8188eu: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8188eu: Fix potential security hole (bsc#1051510).
- staging: rtl8723bs: Fix potential overuse of kernel memory (bsc#1051510).
- staging: rtl8723bs: Fix potential security hole (bsc#1051510).
- staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi (bsc#1051510).
- staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb (bsc#1051510).
- staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback (bsc#1051510).
- stop_machine: Atomically queue and wake stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption after queueing stopper threads (bsc#1088810, bsc#1161702).
- stop_machine: Disable preemption when waking two stopper threads (bsc#1088810, bsc#1161702).
- stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock (bsc#1088810, bsc#1161702).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202).
- SUNRPC: Fix svcauth_gss_proxy_init() (bsc#1103992).
- swiotlb: do not panic on mapping failures (bsc#1162171).
- swiotlb: remove the overflow buffer (bsc#1162171).
- tcp_bbr: improve arithmetic division in bbr_update_bw() (networking-stable-20_01_27).
- tcp: clear tp->data_segs{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->delivered in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->segs_{in|out} in tcp_disconnect() (networking-stable-20_02_05).
- tcp: clear tp->total_retrans in tcp_disconnect() (networking-stable-20_02_05).
- tcp: fix marked lost packets not being retransmitted (networking-stable-20_01_20).
- tcp: fix 'old stuff' D-SACK causing SACK to be treated as D-SACK (networking-stable-20_01_11).
- thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n (bsc#1051510).
- thunderbolt: Prevent crash if non-active NVMem file is read (git-fixes).
- tick: broadcast-hrtimer: Fix a race in bc_set_next (bsc#1044231).
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure (git-fixes).
- tools: Update include/uapi/linux/fcntl.h copy from the kernel (bsc#1166003).
- tpm: ibmvtpm: Wait for buffer to be set before proceeding (bsc#1065729).
- tty: evh_bytechan: Fix out of bounds accesses (bsc#1051510).
- ttyprintk: fix a potential deadlock in interrupt context issue (git-fixes).
- tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode (bsc#1051510).
- tty: serial: imx: setup the correct sg entry for tx dma (bsc#1051510).
- tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() (bsc#1109837).
- USB: audio-v2: Add uac2_effect_unit_descriptor definition (bsc#1051510).
- USB: cdc-acm: fix rounding error in TIOCSSERIAL (git-fixes).
- USB: core: add endpoint-blacklist quirk (git-fixes).
- USB: core: hub: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: core: port: do error out if usb_autopm_get_interface() fails (git-fixes).
- USB: Disable LPM on WD19's Realtek Hub (git-fixes).
- USB: dwc2: Fix in ISOC request length checking (git-fixes).
- USB: Fix novation SourceControl XL after suspend (git-fixes).
- USB: gadget: composite: Fix bMaxPower for SuperSpeedPlus (git-fixes).
- USB: gadget: f_fs: Fix use after free issue as part of queue failure (bsc#1051510).
- USB: host: xhci-plat: add a shutdown (git-fixes).
- USB: host: xhci: update event ring dequeue pointer on purpose (git-fixes).
- USB: hub: Do not record a connect-change event during reset-resume (git-fixes).
- usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() (git-fixes).
- USB: misc: iowarrior: add support for 2 OEMed devices (git-fixes).
- USB: misc: iowarrior: add support for the 100 device (git-fixes).
- USB: misc: iowarrior: add support for the 28 and 28L devices (git-fixes).
- USB: musb: Disable pullup at init (git-fixes).
- USB: musb: fix crash with highmen PIO and usbmon (bsc#1051510).
- USB: quirks: add NO_LPM quirk for Logitech Screen Share (git-fixes).
- USB: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters (git-fixes).
- USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 (git-fixes).
- USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback (bsc#1051510).
- USB: serial: option: add ME910G1 ECM composition 0x110b (git-fixes).
- USB: serial: pl2303: add device-id for HP LD381 (git-fixes).
- USB: storage: Add quirk for Samsung Fit flash (git-fixes).
- USB: uas: fix a plug & unplug racing (git-fixes).
- USB: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c (git-fixes).
- uvcvideo: Refactor teardown of uvc on USB disconnect (bsc#1164507)
- vgacon: Fix a UAF in vgacon_invert_region (bsc#1114279)
- virtio-blk: fix hw_queue stopped on arbitrary error (git-fixes).
- virtio-blk: improve virtqueue error to BLK_STS (bsc#1167627).
- virtio_ring: fix unmap of indirect descriptors (bsc#1162171).
- vlan: fix memory leak in vlan_dev_set_egress_priority (networking-stable-20_01_11).
- vlan: vlan_changelink() should propagate errors (networking-stable-20_01_11).
- vxlan: fix tos value before xmit (networking-stable-20_01_11).
- x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF (bsc#1114279).
- x86/ioremap: Add an ioremap_encrypted() helper (bsc#1141895).
- x86/kdump: Export the SME mask to vmcoreinfo (bsc#1141895).
- x86/mce/amd: Fix kobject lifetime (bsc#1114279).
- x86/mce/amd: Publish the bank pointer only after setup has succeeded (bsc#1114279).
- x86/mce: Fix logic and comments around MSR_PPIN_CTL (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes (bsc#1114279).
- xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() (bsc#1168486).
- xen: Enable interrupts when calling _cond_resched() (bsc#1065600).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms (git-fixes).
- xhci: Do not open code __print_symbolic() in xhci trace events (git-fixes).
- xhci: fix runtime pm enabling for quirky Intel hosts (bsc#1051510).
- xhci: Force Maximum Packet size for Full-speed bulk devices to valid range (bsc#1051510).


-----------------------------------------
Patch: SUSE-2020-1147
Released: Wed Apr 29 22:53:36 2020
Summary: Security update for salt
Severity: critical
References: 1170595,CVE-2020-11651,CVE-2020-11652
Description:
This update for salt fixes the following issues:

- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)


-----------------------------------------
Patch: SUSE-2020-1168
Released: Mon May  4 14:06:46 2020
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1162879
Description:
This update for libgcrypt fixes the following issues:

- FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)


-----------------------------------------
Patch: SUSE-2020-1169
Released: Mon May  4 14:07:49 2020
Summary: Recommended update for glibc
Severity: moderate
References: 1162721
Description:
This update for glibc fixes the following issues:

- fork: Remove bogus parent PID assertions to avoid hangs (bsc#1162721)


-----------------------------------------
Patch: SUSE-2020-1180
Released: Tue May  5 10:54:36 2020
Summary: Security update for icu
Severity: moderate
References: 1166844,CVE-2020-10531
Description:
This update for icu fixes the following issues:

- CVE-2020-10531: Fixed integer overflow in UnicodeString:doAppend() (bsc#1166844).


-----------------------------------------
Patch: SUSE-2020-1189
Released: Tue May  5 12:53:22 2020
Summary: Recommended update for python-pytest
Severity: moderate
References: 1123064,1138666,1143893,1166139,1167732
Description:

This update updates various packages for new python-pytest versions.
  

-----------------------------------------
Patch: SUSE-2020-1193
Released: Tue May  5 16:26:05 2020
Summary: Security update for openldap2
Severity: important
References: 1170771,CVE-2020-12243
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).


-----------------------------------------
Patch: SUSE-2020-1245
Released: Mon May 11 16:19:59 2020
Summary: Recommended update for Salt
Severity: moderate
References: 1138952,1167556,1169800,1170042
Description:

This update fixes the following issues:

salt:

- Avoid 'NameError: name '__salt_system_encoding__' is not defined' (bsc#1138952)
- Fix load cached grain 'osrelease_info' to prevent exceptions on 'pkg.info_installed'
  on Debian and Ubuntu minion (bsc#1170042)
- Build: Buildequire pkgconfig(systemd) instead of systemd
- Backport saltutil state module to 2019.2 codebase (bsc#1167556)
- Add new custom SUSE capability for saltutil state module
- Virt._get_domain: don't raise an exception if there is no VM
- Fix partition.mkpart to work without fstype (bsc#1169800)

python-singledispatch:

- Include the package as it is required by salt.


-----------------------------------------
Patch: SUSE-2020-1251
Released: Tue May 12 10:46:46 2020
Summary: Recommended update for regionServiceClientConfigEC2
Severity: moderate
References: 1157901,1157902,1171232,1171233,924626,994138,994139
Description:
This update for regionServiceClientConfigEC2 fixes the following issues:

- Improved the way how regions are resolved by IP addresses.

Others:

- Added python3-ec2metadata to the Public Cloud Module 12.

-----------------------------------------
Patch: SUSE-2020-1254
Released: Tue May 12 11:17:06 2020
Summary: Recommended update for geolite2legacy, geoipupdate
Severity: moderate
References: 1156194,1169766
Description:
This update for geolite2legacy and geoipupdate fixes the following issues:

- Create the initial package of GeoIP 2 Legacy, as the GeoIP is discontinued. (bsc#1156194)
- Update README.SUSE in GeoIP with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405)
  

-----------------------------------------
Patch: SUSE-2020-1270
Released: Wed May 13 12:05:24 2020
Summary: Recommended update for dracut
Severity: moderate
References: 1169030
Description:
This update for dracut fixes the following issue:

- Solve bringing up network interface prematurely. (bsc#1169030)


-----------------------------------------
Patch: SUSE-2020-1277
Released: Thu May 14 13:59:52 2020
Summary: Security update for libvirt
Severity: important
References: 1157490,1161883,1162160,1167007,1168683,1170765,CVE-2020-10703,CVE-2020-12430
Description:
This update for libvirt fixes the following issues:

Security issues fixed:

- CVE-2020-10703: Fixed a daemon crash caused by pools without target paths (bsc#1168683).
- CVE-2020-12430: Fixed a memory leak in qemuDomainGetStatsIOThread (bsc#1170765).

Non-security issues fixed:

- Support setting credit2 scheduler parameters for xen (bsc#1162160).
- Enable use of newer libxl APIs for retrieving memory statistics (bsc#1157490, bsc#1167007).
- Create multipath targets for qemu PR (bsc#1161883).


-----------------------------------------
Patch: SUSE-2020-1279
Released: Thu May 14 14:26:50 2020
Summary: Recommended update for python-pyOpenSSL
Severity: moderate
References: 1138748
Description:

This update for python-pyOpenSSL fixes the following issues:

python-pyOpenSSL was updated to version 17.1.0.

Backward-incompatible changes:

* Removed the deprecated ``OpenSSL.rand.egd()`` function.
  Applications should prefer ``os.urandom()`` for random number generation.
  `#630 <https://github.com/pyca/pyopenssl/pull/630>`_
* Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
  Callers must now always pass an explicit ``digest``.
  `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
* Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
  ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
  and ``Revoked.set_lastUpdate()``. You must now pass times in the form
  ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
  will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_

Deprecations:

 * Deprecated the legacy 'Type' aliases: ``ContextType``, ``ConnectionType``,
   ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``,
   ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``,
   ``NetscapeSPKIType``.
   The names without the 'Type'-suffix should be used instead.

Changes:

 * Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()``
   for converting X.509 certificate to and from pyca/cryptography objects.
   `#640 <https://github.com/pyca/pyopenssl/pull/640>`_
 * Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``,
   ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()``
   for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
   `#645 <https://github.com/pyca/pyopenssl/pull/645>`_
 *  Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including
    linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
    `#620 <https://github.com/pyca/pyopenssl/pull/620>`_
 * Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming
   release of ``cryptography`` ``manylinux1`` wheels.
   `#633 <https://github.com/pyca/pyopenssl/pull/633>`_
  

-----------------------------------------
Patch: SUSE-2020-1284
Released: Thu May 14 15:59:31 2020
Summary: Recommended update for fence-agents
Severity: moderate
References: 1169485,1169852
Description:
This update for fence-agents fixes the following issues:

- Disable cache discovery for 'gcp-vpc-move-route' resource agent. (bsc#1169852)
- fence_vmware_rest Failed: 'error' object does not support indexing. (bsc#1169485)


-----------------------------------------
Patch: SUSE-2020-1285
Released: Fri May 15 09:52:34 2020
Summary: Security update for python-PyYAML
Severity: important
References: 1165439,CVE-2020-1747
Description:
This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).


-----------------------------------------
Patch: SUSE-2020-1306
Released: Mon May 18 09:53:45 2020
Summary: Recommended update for psmisc
Severity: moderate
References: 1170247
Description:
This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint. (bsc#1170247)


-----------------------------------------
Patch: SUSE-2020-1312
Released: Mon May 18 10:36:15 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1169582
Description:
This update for timezone fixes the following issues:

- timezone update 2020a (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.


-----------------------------------------
Patch: SUSE-2020-1314
Released: Mon May 18 10:38:21 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1136928,1169852
Description:
This update for resource-agents fixes the following issues:

- Disable cache discovery for 'gcp-vpc-move-route' resource agent. (bsc#1169852)
- Can not manually call the check operation for a resource. (bsc#1136928)


-----------------------------------------
Patch: SUSE-2020-1325
Released: Mon May 18 11:50:19 2020
Summary: Recommended update for coreutils
Severity: moderate
References: 1156276
Description:
This update for coreutils fixes the following issues:

-Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276)


-----------------------------------------
Patch: SUSE-2020-1329
Released: Mon May 18 17:17:54 2020
Summary: Recommended update for gcc9
Severity: moderate
References: 1149995,1152590,1167898
Description:
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go



-----------------------------------------
Patch: SUSE-2020-1331
Released: Mon May 18 17:19:25 2020
Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer
Severity: moderate
References: 1075263,1117074,1166924,1168943
Description:
This update for aws-cli, python-boto3, python-botocore, python-s3transfer fixes the following issues:

aws-cli was updated to version 1.18.38 (bsc#1166924, bsc#1168943)

- For detailed changes see:

  - https://github.com/aws/aws-cli/blob/1.18.38/CHANGELOG.rst
  - https://github.com/aws/aws-cli/blob/1.18.35/CHANGELOG.rst
  - https://github.com/aws/aws-cli/blob/1.18.27/CHANGELOG.rst
    https://github.com/aws/aws-cli/blob/1.18.0/CHANGELOG.rst

- Install aws bash completetion script into system path
- Install aws zsh completion script into /etc/zsh_completion.d
- Update Requires in spec file from setup.py
- make it possible to find the package under the name 'awscli'
- Add bash command completion capability (bsc#1117074)

Update to version 1.17.9:

- For detailed changes see

  https://github.com/aws/aws-cli/blob/1.17.9/CHANGELOG.rst

python-boto3 was updated to 1.12.38 (bsc#1166924, bsc#1168943):

* api-change:``apigateway``: [``botocore``] Update apigateway client to latest version
* api-change:``codeguru-reviewer``: [``botocore``] Update codeguru-reviewer client to latest version
* api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version
* api-change:``transcribe``: [``botocore``] Update transcribe client to latest version
* api-change:``chime``: [``botocore``] Update chime client to latest version
* api-change:``iam``: [``botocore``] Update iam client to latest version
* api-change:``elasticbeanstalk``: [``botocore``] Update elasticbeanstalk client to latest version
* api-change:``personalize-runtime``: [``botocore``] Update personalize-runtime client to latest version
* api-change:``robomaker``: [``botocore``] Update robomaker client to latest version
* api-change:``medialive``: [``botocore``] Update medialive client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``gamelift``: [``botocore``] Update gamelift client to latest version
* api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``iot``: [``botocore``] Update iot client to latest version
* api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version
* api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version
* api-change:``wafv2``: [``botocore``] Update wafv2 client to latest version
* api-change:``glue``: [``botocore``] Update glue client to latest version
* api-change:``elastic-inference``: [``botocore``] Update elastic-inference client to latest version
* api-change:``lambda``: [``botocore``] Update lambda client to latest version
* api-change:``mediastore``: [``botocore``] Update mediastore client to latest version
* api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version
* api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version
* api-change:``rekognition``: [``botocore``] Update rekognition client to latest version
* api-change:``fms``: [``botocore``] Update fms client to latest version
* api-change:``organizations``: [``botocore``] Update organizations client to latest version
* api-change:``detective``: [``botocore``] Update detective client to latest version
* api-change:``appconfig``: [``botocore``] Update appconfig client to latest version
* api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version
* api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version
* api-change:``kendra``: [``botocore``] Update kendra client to latest version
* api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version
* api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version
* api-change:``fsx``: [``botocore``] Update fsx client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``managedblockchain``: [``botocore``] Update managedblockchain client to latest version
* api-change:``ce``: [``botocore``] Update ce client to latest version
* api-change:``application-insights``: [``botocore``] Update application-insights client to latest version
* api-change:``detective``: [``botocore``] Update detective client to latest version
* api-change:``es``: [``botocore``] Update es client to latest version
* api-change:``xray``: [``botocore``] Update xray client to latest version
* api-change:``athena``: [``botocore``] Update athena client to latest version
* api-change:``rds-data``: [``botocore``] Update rds-data client to latest version
* api-change:``eks``: [``botocore``] Update eks client to latest version
* api-change:``organizations``: [``botocore``] Update organizations client to latest version
* api-change:``apigatewayv2``: [``botocore``] Update apigatewayv2 client to latest version
* api-change:``eks``: [``botocore``] Update eks client to latest version
* api-change:``route53``: [``botocore``] Update route53 client to latest version
* api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version
* api-change:``outposts``: [``botocore``] Update outposts client to latest version
* api-change:``acm``: [``botocore``] Update acm client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version
* api-change:``personalize``: [``botocore``] Update personalize client to latest version
* api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version
* api-change:``s3control``: [``botocore``] Update s3control client to latest version
* bugfix:Stubber: [``botocore``] fixes `#1884 <https://github.com/boto/botocore/issues/1884>`__
* api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
* api-change:``elasticache``: [``botocore``] Update elasticache client to latest version
* api-change:``appconfig``: [``botocore``] Update appconfig client to latest version
* api-change:``lex-models``: [``botocore``] Update lex-models client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``apigatewayv2``: [``botocore``] Update apigatewayv2 client to latest version
* api-change:``iot``: [``botocore``] Update iot client to latest version
* api-change:``efs``: [``botocore``] Update efs client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``serverlessrepo``: [``botocore``] Update serverlessrepo client to latest version
* api-change:``iotevents``: [``botocore``] Update iotevents client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* enhancement:timezones: [``botocore``] Improved timezone parsing for
  Windows with new fallback method (#1939)
* api-change:``marketplacecommerceanalytics``: [``botocore``] Update
  marketplacecommerceanalytics client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``medialive``: [``botocore``] Update medialive client to latest version
* api-change:``dms``: [``botocore``] Update dms client to latest version
* api-change:``signer``: [``botocore``] Update signer client to latest version
* api-change:``guardduty``: [``botocore``] Update guardduty client to latest version
* api-change:``appmesh``: [``botocore``] Update appmesh client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``robomaker``: [``botocore``] Update robomaker client to latest version
* api-change:``eks``: [``botocore``] Update eks client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version
* api-change:``guardduty``: [``botocore``] Update guardduty client to latest version
* api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version
* api-change:``comprehendmedical``: [``botocore``] Update comprehendmedical client to latest version
* api-change:``config``: [``botocore``] Update config client to latest version
* api-change:``config``: [``botocore``] Update config client to latest version
* api-change:``glue``: [``botocore``] Update glue client to latest version
* api-change:``sagemaker-a2i-runtime``: [``botocore``] Update sagemaker-a2i-runtime client to latest version
* api-change:``appmesh``: [``botocore``] Update appmesh client to latest version
* api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version
* api-change:``workdocs``: [``botocore``] Update workdocs client to latest version
* api-change:``quicksight``: [``botocore``] Update quicksight client to latest version
* api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version
* api-change:``codeguruprofiler``: [``botocore``] Update codeguruprofiler client to latest version
* api-change:``lightsail``: [``botocore``] Update lightsail client to latest version
* api-change:``globalaccelerator``: [``botocore``] Update globalaccelerator client to latest version
* api-change:``transcribe``: [``botocore``] Update transcribe client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version
* api-change:``kafka``: [``botocore``] Update kafka client to latest version
* api-change:``secretsmanager``: [``botocore``] Update secretsmanager client to latest version
* api-change:``outposts``: [``botocore``] Update outposts client to latest version
* api-change:``iotevents``: [``botocore``] Update iotevents client to latest version
* api-change:``docdb``: [``botocore``] Update docdb client to latest version
* api-change:``snowball``: [``botocore``] Update snowball client to latest version
* api-change:``fsx``: [``botocore``] Update fsx client to latest version
* api-change:``events``: [``botocore``] Update events client to latest version
* api-change:``imagebuilder``: [``botocore``] Update imagebuilder client to latest version
* api-change:``wafv2``: [``botocore``] Update wafv2 client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``savingsplans``: [``botocore``] Update savingsplans client to latest version
* api-change:``appconfig``: [``botocore``] Update appconfig client to latest version
* api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version
* api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version
* api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version
* api-change:``lambda``: [``botocore``] Update lambda client to latest version
* api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version
* api-change:``chime``: [``botocore``] Update chime client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``cloud9``: [``botocore``] Update cloud9 client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``dynamodb``: [``botocore``] Update dynamodb client to latest version
* api-change:``rekognition``: [``botocore``] Update rekognition client to latest version
* feature:retries: [``botocore``] Add support for retry modes, including ``standard``
  and ``adaptive`` modes (`#1972 <https://github.com/boto/botocore/issues/1972>`__)
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``mediatailor``: [``botocore``] Update mediatailor client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``shield``: [``botocore``] Update shield client to latest version
* api-change:``mediapackage-vod``: [``botocore``] Update mediapackage-vod client to latest version
* api-change:``glue``: [``botocore``] Update glue client to latest version
* api-change:``chime``: [``botocore``] Update chime client to latest version
* api-change:``workmail``: [``botocore``] Update workmail client to latest version
* api-change:``ds``: [``botocore``] Update ds client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``es``: [``botocore``] Update es client to latest version
* api-change:``neptune``: [``botocore``] Update neptune client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``cognito-idp``: [``botocore``] Update cognito-idp client to latest version
* api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version
* api-change:``docdb``: [``botocore``] Update docdb client to latest version
* api-change:``kms``: [``botocore``] Update kms client to latest version
* api-change:``robomaker``: [``botocore``] Update robomaker client to latest version
* api-change:``imagebuilder``: [``botocore``] Update imagebuilder client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``ebs``: [``botocore``] Update ebs client to latest version
* api-change:``appsync``: [``botocore``] Update appsync client to latest version
* api-change:``lex-models``: [``botocore``] Update lex-models client to latest version
* api-change:``ecr``: [``botocore``] Update ecr client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``codebuild``: [``botocore``] Update codebuild client to latest version
* api-change:``groundstation``: [``botocore``] Update groundstation client to latest version
* api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version
* api-change:``dlm``: [``botocore``] Update dlm client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``forecastquery``: [``botocore``] Update forecastquery client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``resourcegroupstaggingapi``: [``botocore``] Update
  resourcegroupstaggingapi client to latest version
* api-change:``workmail``: [``botocore``] Update workmail client to latest version
* api-change:``iot``: [``botocore``] Update iot client to latest version
* api-change:``cloudfront``: [``botocore``] Update cloudfront client to latest version
* api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``kafka``: [``botocore``] Update kafka client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
* api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version
* api-change:``workspaces``: [``botocore``] Update workspaces client to latest version
* api-change:``datasync``: [``botocore``] Update datasync client to latest version
* api-change:``eks``: [``botocore``] Update eks client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``iam``: [``botocore``] Update iam client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version
* api-change:``discovery``: [``botocore``] Update discovery client to latest version
* api-change:``iotevents``: [``botocore``] Update iotevents client to latest version
* api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version
* api-change:``lambda``: [``botocore``] Update lambda client to latest version
* api-change:``application-insights``: [``botocore``] Update application-insights client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``cloudwatch``: [``botocore``] Update cloudwatch client to latest version
* api-change:``kms``: [``botocore``] Update kms client to latest version
* api-change:``alexaforbusiness``: [``botocore``] Update alexaforbusiness client to latest version
* api-change:``mediaconvert``: [``botocore``] Update mediaconvert client to latest version
* api-change:``neptune``: [``botocore``] Update neptune client to latest version
* api-change:``cloudhsmv2``: [``botocore``] Update cloudhsmv2 client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``batch``: [``botocore``] Update batch client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version
* api-change:``ds``: [``botocore``] Update ds client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``organizations``: [``botocore``] Update organizations client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``efs``: [``botocore``] Update efs client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``backup``: [``botocore``] Update backup client to latest version
* api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version
* feature:Python: Dropped support for Python 2.6 and 3.3.
* api-change:``chime``: [``botocore``] Update chime client to latest version
* api-change:``transfer``: [``botocore``] Update transfer client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* feature:Python: [``botocore``] Dropped support for Python 2.6 and 3.3.
* api-change:``workspaces``: [``botocore``] Update workspaces client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``logs``: [``botocore``] Update logs client to latest version
* api-change:``fms``: [``botocore``] Update fms client to latest version
* api-change:``translate``: [``botocore``] Update translate client to latest version
* api-change:``ce``: [``botocore``] Update ce client to latest version
* api-change:``codebuild``: [``botocore``] Update codebuild client to latest version
* api-change:``mgh``: [``botocore``] Update mgh client to latest version
* api-change:``xray``: [``botocore``] Update xray client to latest version
* api-change:``comprehend``: [``botocore``] Update comprehend client to latest version
* api-change:``mediapackage``: [``botocore``] Update mediapackage client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``lex-models``: [``botocore``] Update lex-models client to latest version
* api-change:``ecr``: [``botocore``] Update ecr client to latest version
* api-change:``lightsail``: [``botocore``] Update lightsail client to latest version
* api-change:``ce``: [``botocore``] Update ce client to latest version
* api-change:``fsx``: [``botocore``] Update fsx client to latest version
* api-change:``health``: [``botocore``] Update health client to latest version
* api-change:``detective``: [``botocore``] Update detective client to latest version
* api-change:``transcribe``: [``botocore``] Update transcribe client to latest version
* api-change:``eks``: [``botocore``] Update eks client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version
* api-change:``securityhub``: [``botocore``] Update securityhub client to latest version
* api-change:``devicefarm``: [``botocore``] Update devicefarm client to latest version
* api-change:``transcribe``: [``botocore``] Update transcribe client to latest version
* api-change:``dlm``: [``botocore``] Update dlm client to latest version
* api-change:``lex-models``: [``botocore``] Update lex-models client to latest version
* api-change:``personalize-runtime``: [``botocore``] Update personalize-runtime client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``codestar-connections``: [``botocore``] Update codestar-connections client to latest version
* api-change:``gamelift``: [``botocore``] Update gamelift client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``s3``: [``botocore``] Update s3 client to latest version
* api-change:``resourcegroupstaggingapi``: [``botocore``] Update resourcegroupstaggingapi client to latest version
* api-change:``cloudfront``: [``botocore``] Update cloudfront client to latest version
* api-change:``opsworkscm``: [``botocore``] Update opsworkscm client to latest version
* api-change:``kinesisanalyticsv2``: [``botocore``] Update kinesisanalyticsv2 client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``medialive``: [``botocore``] Update medialive client to latest version
* api-change:``iot``: [``botocore``] Update iot client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``mq``: [``botocore``] Update mq client to latest version
* api-change:``comprehendmedical``: [``botocore``] Update comprehendmedical client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``codebuild``: [``botocore``] Update codebuild client to latest version
* api-change:``detective``: [``botocore``] Update detective client to latest version
* api-change:``sesv2``: [``botocore``] Update sesv2 client to latest version
* api-change:``accessanalyzer``: [``botocore``] Update accessanalyzer client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``kendra``: [``botocore``] Update kendra client to latest version
* bugfix:s3: [``botocore``] Add stricter validation to s3 control account id parameter.
* api-change:``quicksight``: [``botocore``] Update quicksight client to latest version
* api-change:``kms``: [``botocore``] Update kms client to latest version
* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``kafka``: [``botocore``] Update kafka client to latest version
* bugfix:s3: [``botocore``] Fixed an issue where the request path was set
  incorrectly if access point name was present in key path.

python-botocore was updated to 1.15.38 (bsc#1166924, bsc#1168943):

* api-change:``apigateway``: Update apigateway client to latest version
* api-change:``codeguru-reviewer``: Update codeguru-reviewer client to latest version
* api-change:``mediaconnect``: Update mediaconnect client to latest version
* api-change:``transcribe``: Update transcribe client to latest version
* api-change:``chime``: Update chime client to latest version
* api-change:``iam``: Update iam client to latest version
* api-change:``elasticbeanstalk``: Update elasticbeanstalk client to latest version
* api-change:``personalize-runtime``: Update personalize-runtime client to latest version
* api-change:``robomaker``: Update robomaker client to latest version
* api-change:``medialive``: Update medialive client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``gamelift``: Update gamelift client to latest version
* api-change:``cloudwatch``: Update cloudwatch client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``iot``: Update iot client to latest version
* api-change:``mediaconnect``: Update mediaconnect client to latest version
* api-change:``opsworkscm``: Update opsworkscm client to latest version
* api-change:``wafv2``: Update wafv2 client to latest version
* api-change:``glue``: Update glue client to latest version
* api-change:``elastic-inference``: Update elastic-inference client to latest version
* api-change:``lambda``: Update lambda client to latest version
* api-change:``mediastore``: Update mediastore client to latest version
* api-change:``pinpoint``: Update pinpoint client to latest version
* api-change:``storagegateway``: Update storagegateway client to latest version
* api-change:``rekognition``: Update rekognition client to latest version
* api-change:``fms``: Update fms client to latest version
* api-change:``organizations``: Update organizations client to latest version
* api-change:``detective``: Update detective client to latest version
* api-change:``appconfig``: Update appconfig client to latest version
* api-change:``accessanalyzer``: Update accessanalyzer client to latest version
* api-change:``globalaccelerator``: Update globalaccelerator client to latest version
* api-change:``kendra``: Update kendra client to latest version
* api-change:``servicecatalog``: Update servicecatalog client to latest version
* api-change:``sagemaker``: Update sagemaker client to latest version
* api-change:``fsx``: Update fsx client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``managedblockchain``: Update managedblockchain client to latest version
* api-change:``ce``: Update ce client to latest version
* api-change:``application-insights``: Update application-insights client to latest version
* api-change:``detective``: Update detective client to latest version
* api-change:``es``: Update es client to latest version
* api-change:``xray``: Update xray client to latest version
* api-change:``athena``: Update athena client to latest version
* api-change:``rds-data``: Update rds-data client to latest version
* api-change:``eks``: Update eks client to latest version
* api-change:``organizations``: Update organizations client to latest version
* api-change:``apigatewayv2``: Update apigatewayv2 client to latest version
* api-change:``eks``: Update eks client to latest version
* api-change:``route53``: Update route53 client to latest version
* api-change:``servicecatalog``: Update servicecatalog client to latest version
* api-change:``outposts``: Update outposts client to latest version
* api-change:``acm``: Update acm client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``mediaconnect``: Update mediaconnect client to latest version
* api-change:``personalize``: Update personalize client to latest version
* api-change:``mediaconvert``: Update mediaconvert client to latest version
* api-change:``s3control``: Update s3control client to latest version
* bugfix:Stubber: fixes `#1884 <https://github.com/boto/botocore/issues/1884>`__
* api-change:``cognito-idp``: Update cognito-idp client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``ecs``: Update ecs client to latest version
* api-change:``elasticache``: Update elasticache client to latest version
* api-change:``appconfig``: Update appconfig client to latest version
* api-change:``lex-models``: Update lex-models client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``apigatewayv2``: Update apigatewayv2 client to latest version
* api-change:``iot``: Update iot client to latest version
* api-change:``efs``: Update efs client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``serverlessrepo``: Update serverlessrepo client to latest version
* api-change:``iotevents``: Update iotevents client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* enhancement:timezones: Improved timezone parsing for Windows
  with new fallback method (#1939)
* api-change:``marketplacecommerceanalytics``: Update
  marketplacecommerceanalytics client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``medialive``: Update medialive client to latest version
* api-change:``dms``: Update dms client to latest version
* api-change:``signer``: Update signer client to latest version
* api-change:``guardduty``: Update guardduty client to latest version
* api-change:``appmesh``: Update appmesh client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``robomaker``: Update robomaker client to latest version
* api-change:``eks``: Update eks client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``opsworkscm``: Update opsworkscm client to latest version
* api-change:``guardduty``: Update guardduty client to latest version
* api-change:``pinpoint``: Update pinpoint client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``cloudwatch``: Update cloudwatch client to latest version
* api-change:``comprehendmedical``: Update comprehendmedical client to latest version
* api-change:``config``: Update config client to latest version
* api-change:``config``: Update config client to latest version
* api-change:``glue``: Update glue client to latest version
* api-change:``sagemaker-a2i-runtime``: Update sagemaker-a2i-runtime client to latest version
* api-change:``appmesh``: Update appmesh client to latest version
* api-change:``elbv2``: Update elbv2 client to latest version
* api-change:``workdocs``: Update workdocs client to latest version
* api-change:``quicksight``: Update quicksight client to latest version
* api-change:``accessanalyzer``: Update accessanalyzer client to latest version
* api-change:``codeguruprofiler``: Update codeguruprofiler client to latest version
* api-change:``lightsail``: Update lightsail client to latest version
* api-change:``globalaccelerator``: Update globalaccelerator client to latest version
* api-change:``transcribe``: Update transcribe client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``sagemaker``: Update sagemaker client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``stepfunctions``: Update stepfunctions client to latest version
* api-change:``kafka``: Update kafka client to latest version
* api-change:``secretsmanager``: Update secretsmanager client to latest version
* api-change:``outposts``: Update outposts client to latest version
* api-change:``iotevents``: Update iotevents client to latest version
* api-change:``docdb``: Update docdb client to latest version
* api-change:``snowball``: Update snowball client to latest version
* api-change:``fsx``: Update fsx client to latest version
* api-change:``events``: Update events client to latest version
* api-change:``imagebuilder``: Update imagebuilder client to latest version
* api-change:``wafv2``: Update wafv2 client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``savingsplans``: Update savingsplans client to latest version
* api-change:``appconfig``: Update appconfig client to latest version
* api-change:``pinpoint``: Update pinpoint client to latest version
* api-change:``autoscaling``: Update autoscaling client to latest version
* api-change:``servicecatalog``: Update servicecatalog client to latest version
* api-change:``lambda``: Update lambda client to latest version
* api-change:``autoscaling``: Update autoscaling client to latest version
* api-change:``chime``: Update chime client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``cloud9``: Update cloud9 client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``dynamodb``: Update dynamodb client to latest version
* api-change:``rekognition``: Update rekognition client to latest version

Version update to 1.15.0

* feature:retries: Add support for retry modes, including ``standard`` and ``adaptive`` modes (`#1972 <https://github.com/boto/botocore/issues/1972>`__)
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``mediatailor``: Update mediatailor client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``shield``: Update shield client to latest version
* api-change:``mediapackage-vod``: Update mediapackage-vod client to latest version
* api-change:``glue``: Update glue client to latest version
* api-change:``chime``: Update chime client to latest version
* api-change:``workmail``: Update workmail client to latest version
* api-change:``ds``: Update ds client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``es``: Update es client to latest version
* api-change:``neptune``: Update neptune client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``cognito-idp``: Update cognito-idp client to latest version
* api-change:``cloudformation``: Update cloudformation client to latest version
* api-change:``docdb``: Update docdb client to latest version
* api-change:``kms``: Update kms client to latest version
* api-change:``robomaker``: Update robomaker client to latest version
* api-change:``imagebuilder``: Update imagebuilder client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``ebs``: Update ebs client to latest version
* api-change:``appsync``: Update appsync client to latest version
* api-change:``lex-models``: Update lex-models client to latest version
* api-change:``ecr``: Update ecr client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``codebuild``: Update codebuild client to latest version
* api-change:``groundstation``: Update groundstation client to latest version
* api-change:``mediaconvert``: Update mediaconvert client to latest version
* api-change:``dlm``: Update dlm client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``forecastquery``: Update forecastquery client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version
* api-change:``workmail``: Update workmail client to latest version
* api-change:``iot``: Update iot client to latest version
* api-change:``cloudfront``: Update cloudfront client to latest version
* api-change:``storagegateway``: Update storagegateway client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``kafka``: Update kafka client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``ecs``: Update ecs client to latest version
* api-change:``opsworkscm``: Update opsworkscm client to latest version
* api-change:``workspaces``: Update workspaces client to latest version
* api-change:``datasync``: Update datasync client to latest version
* api-change:``eks``: Update eks client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``iam``: Update iam client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``codepipeline``: Update codepipeline client to latest version
* api-change:``discovery``: Update discovery client to latest version
* api-change:``iotevents``: Update iotevents client to latest version
* api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version
* api-change:``lambda``: Update lambda client to latest version
* api-change:``application-insights``: Update application-insights client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``cloudwatch``: Update cloudwatch client to latest version
* api-change:``kms``: Update kms client to latest version
* api-change:``alexaforbusiness``: Update alexaforbusiness client to latest version
* api-change:``mediaconvert``: Update mediaconvert client to latest version
* api-change:``neptune``: Update neptune client to latest version
* api-change:``cloudhsmv2``: Update cloudhsmv2 client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``batch``: Update batch client to latest version
* api-change:``ecs``: Update ecs client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``sagemaker``: Update sagemaker client to latest version
* api-change:``ds``: Update ds client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``organizations``: Update organizations client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``efs``: Update efs client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``backup``: Update backup client to latest version
* api-change:``sagemaker``: Update sagemaker client to latest version
* api-change:``chime``: Update chime client to latest version
* api-change:``transfer``: Update transfer client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* feature:Python: Dropped support for Python 2.6 and 3.3.
* api-change:``workspaces``: Update workspaces client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``logs``: Update logs client to latest version
* api-change:``fms``: Update fms client to latest version
* api-change:``translate``: Update translate client to latest version
* api-change:``ce``: Update ce client to latest version
* api-change:``codebuild``: Update codebuild client to latest version
* api-change:``mgh``: Update mgh client to latest version
* api-change:``xray``: Update xray client to latest version
* api-change:``comprehend``: Update comprehend client to latest version
* api-change:``mediapackage``: Update mediapackage client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``lex-models``: Update lex-models client to latest version
* api-change:``ecr``: Update ecr client to latest version
* api-change:``lightsail``: Update lightsail client to latest version
* api-change:``ce``: Update ce client to latest version
* api-change:``fsx``: Update fsx client to latest version
* api-change:``health``: Update health client to latest version
* api-change:``detective``: Update detective client to latest version
* api-change:``transcribe``: Update transcribe client to latest version
* api-change:``eks``: Update eks client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``pinpoint``: Update pinpoint client to latest version
* api-change:``securityhub``: Update securityhub client to latest version
* api-change:``devicefarm``: Update devicefarm client to latest version
* api-change:``transcribe``: Update transcribe client to latest version
* api-change:``dlm``: Update dlm client to latest version
* api-change:``lex-models``: Update lex-models client to latest version
* api-change:``personalize-runtime``: Update personalize-runtime client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``codestar-connections``: Update codestar-connections client to latest version
* api-change:``gamelift``: Update gamelift client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``s3``: Update s3 client to latest version
* api-change:``resourcegroupstaggingapi``: Update resourcegroupstaggingapi client to latest version
* api-change:``cloudfront``: Update cloudfront client to latest version
* enhancement:``s3``: Add support for opting into using the us-east-1 regional endpoint.
* api-change:``opsworkscm``: Update opsworkscm client to latest version
* api-change:``kinesisanalyticsv2``: Update kinesisanalyticsv2 client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``medialive``: Update medialive client to latest version
* api-change:``iot``: Update iot client to latest version
* api-change:``ecs``: Update ecs client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``mq``: Update mq client to latest version
* api-change:``comprehendmedical``: Update comprehendmedical client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``codebuild``: Update codebuild client to latest version
* api-change:``detective``: Update detective client to latest version
* api-change:``sesv2``: Update sesv2 client to latest version
* api-change:``accessanalyzer``: Update accessanalyzer client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``kendra``: Update kendra client to latest version
* bugfix:s3: Add stricter validation to s3 control account id parameter.
* api-change:``quicksight``: Update quicksight client to latest version
* api-change:``kms``: Update kms client to latest version
* api-change:``ssm``: Update ssm client to latest version
* api-change:``kafka``: Update kafka client to latest version from version 1.13.34
* bugfix:s3: Fixed an issue where the request path was set incorrectly
  if access point name was present in key path.


python-s3transfers was updated to version 0.3.3 (bsc#1166924):

* bugfix:s3: Fixes boto/botocore`#1916 <https://github.com/boto/botocore/issues/1916>`__
* enhancement:TransferManager: Expose client and config properties
* enhancement:Tags: Add support for Tagging and TaggingDirective

Update to 0.1.13 (bsc#1075263)

* Plumb ``RequestPayer` argument to the ``CompleteMultipartUpload` operation 
* enhancement:max_bandwidth: Add ability to set maximum bandwidth consumption
for streaming of S3 uploads and downloads

Update to version 0.1.11:

* Properly handle unicode exceptions in the context manager

-----------------------------------------
Patch: SUSE-2020-1350
Released: Wed May 20 13:00:39 2020
Summary: Security update for bind
Severity: important
References: 1161168,1171740,CVE-2020-8616,CVE-2020-8617
Description:
This update for bind fixes the following issues:

Security issues fixed:

- CVE-2020-8616: Fixed the insufficient limit on the number of fetches performed when processing referrals (bsc#1171740).
- CVE-2020-8617: Fixed a logic error in code which checks TSIG validity (bsc#1171740).

Non-security issue fixed:

- Fixed an invalid string comparison in the handling of cookie-secrets (bsc#1161168).


-----------------------------------------
Patch: SUSE-2020-1376
Released: Thu May 21 19:07:39 2020
Summary: Recommended update for release-notes-sles
Severity: moderate
References: 1136157,1164127,1164744,1171074
Description:
This update for release-notes-sles fixes the following issues:

- Release notes update for SLES 12 SP5 12.5.20200504 (bsc#1171074)
- New notes:
  - Support for ibmvnic Networking Driver (FATE#327576)
  - Supported VM hosts/guests and VM migration scenarios (bsc#1164744)
  - Speed of `ibmveth` Interface Not Reported Accurately (bsc#1136157)
  - New GeoIP tools (jsc#SLE-11183)
- Changed notes and document fixes:
  - Fixed listing of supported Java versions (bsc#1164127)
  - Fixed spellings in Virtualization section
  - Fix unclickable links to documentation.suse.com


-----------------------------------------
Patch: SUSE-2020-1377
Released: Thu May 21 19:08:20 2020
Summary: Recommended update for avahi
Severity: moderate
References: 1085255,1168191
Description:
This update for avahi fixes the following issues:

- Increase data and stack limits to match the upstream samples, rather than removing them
  altogether, per discussion with security team (bsc#1168191 bsc#1085255).


-----------------------------------------
Patch: SUSE-2020-1386
Released: Fri May 22 09:59:26 2020
Summary: Recommended update for cluster-glue
Severity: moderate
References: 1131545,1169784
Description:
This update for cluster-glue fixes the following issues:

- Fix for EC2 storage evices with stonith plugin to use the profile correctly. (bsc#1169784)
- Fix for stonith by created a template to prevent the installation to fail. (bsc#1131545)


-----------------------------------------
Patch: SUSE-2020-822
Released: Fri May 22 10:59:33 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for pam fixes the following issues:

- Moved pam_userdb to a separate package pam-extra  (bsc#1166510)


-----------------------------------------
Patch: SUSE-2020-1403
Released: Mon May 25 15:20:08 2020
Summary: Recommended update for tcsh
Severity: moderate
References: 1163593
Description:
This update for tcsh fixes the following issues:

- Fix for an issue with SLES4SAP when csh occurs system slowness and consumes a lot of memory due to '.history' corruption. (bsc#1163593)
  

-----------------------------------------
Patch: SUSE-2020-1408
Released: Mon May 25 16:40:20 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1138793,1166260
Description:
This update for zlib fixes the following issues:

- Includes the last fixes from IBM for bsc#1166260
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
  deflate algorithm in hardware with estimated compression and decompression performance
  orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793
  The fix will avoid to test if the app was linked with exactly same version of zlib
  like the one that is present on the runtime.


-----------------------------------------
Patch: SUSE-2020-1416
Released: Tue May 26 11:18:53 2020
Summary: Recommended update for ocfs2-tools
Severity: moderate
References: 1170530
Description:
This update for ocfs2-tools fixes the following issue:

- Fix debugfs.ocfs2 error on devices with sector size 4096. (bsc#1170530)


-----------------------------------------
Patch: SUSE-2020-1489
Released: Wed May 27 18:29:21 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1172055
Description:
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)


-----------------------------------------
Patch: SUSE-2020-1490
Released: Wed May 27 18:30:36 2020
Summary: Recommended update for glibc
Severity: moderate
References: 1162930
Description:
This update for glibc fixes the following issue:

- nptl: wait for pending setxid request also in detached thread (bsc#1162930)


-----------------------------------------
Patch: SUSE-2020-1491
Released: Wed May 27 18:31:36 2020
Summary: Recommended update for groff
Severity: low
References: 1055985
Description:
This update for groff fixes the following issues:

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package

- removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985)
  moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf
  to groff-doc package


-----------------------------------------
Patch: SUSE-2020-1503
Released: Fri May 29 11:06:27 2020
Summary: Recommended update for xfsprogs
Severity: moderate
References: 1171813
Description:
This update for xfsprogs fixes the following issue:

- xfs_repair: Add missing braces to allow zeroing of corrupt log. (bsc#1171813)


-----------------------------------------
Patch: SUSE-2020-1509
Released: Fri May 29 17:42:08 2020
Summary: Recommended update for nfs-utils
Severity: moderate
References: 1171745
Description:
This update for nfs-utils fixes the following issues:

-Fix for an issue when '/etc/exports' is empty and it raised a warning. (bsc#1171745)


-----------------------------------------
Patch: SUSE-2020-1524
Released: Wed Jun  3 09:32:11 2020
Summary: Security update for python
Severity: moderate
References: 1027282,1041090,1042670,1073269,1073748,1078326,1078485,1081750,1084650,1086001,1149792,1153830,1155094,1159035,1162224,1162367,1162825,1165894,1170411,1171561,945401,CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Description:


This update for python to version 2.7.17 fixes the following issues:

Syncing with lots of upstream bug fixes and security fixes.

Bug fixes:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

Additionally a new 'shared-python-startup' package is provided containing startup files.

python-rpm-macros was updated to fix:

- Do not write .pyc files for tests (bsc#1171561)



-----------------------------------------
Patch: SUSE-2020-1548
Released: Mon Jun  8 08:38:53 2020
Summary: Recommended update for python
Severity: important
References: 1172544
Description:
This update for python fixes the following issues:

- Revert the recent change to macros.python2, which caused that
  multispec python packages were generated with python2- instead of
  python- prefix (bsc#1172544)


-----------------------------------------
Patch: SUSE-2020-1550
Released: Mon Jun  8 09:29:49 2020
Summary: Security update for vim
Severity: moderate
References: 1172031,1172225,CVE-2019-20807
Description:
This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim 
  was possible using interfaces (bsc#1172225 and bsc#1172031).	  


-----------------------------------------
Patch: SUSE-2020-1561
Released: Mon Jun  8 12:38:39 2020
Summary: Recommended update for lvm2
Severity: moderate
References: 1145231,1150021,1158358,1163526,1164126,1164718
Description:
This update for lvm2 fixes the following issues:

- MD devices should be detected by LVM2 with metadata=1.0/0.9. (bsc#1145231)
  This the detection of MD devices with metadata 0.9 or 1.0 on lvm2
- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. 
  The default value is 1, which means the devices/global_filter behaviour is same as before.
  When the value is 0, user should use global_filter to control system-wide software, 
  e.g. udev and lvmetad global_filter_compat are not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)


-----------------------------------------
Patch: SUSE-2020-1570
Released: Tue Jun  9 11:15:12 2020
Summary: Security update for ruby2.1
Severity: important
References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Description:
This update for ruby2.1 fixes the following issues:

Security issues fixed:

- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

- Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)


-----------------------------------------
Patch: SUSE-2020-1577
Released: Tue Jun  9 14:19:21 2020
Summary: Recommended update for openslp
Severity: moderate
References: 1117969,1136136
Description:
This update for openslp fixes the following issues:

- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has
  a malformed attribute list (bsc#1136136)


-----------------------------------------
Patch: SUSE-2020-1598
Released: Wed Jun 10 10:52:04 2020
Summary: Recommended update for audit
Severity: important
References: 1156159,1172295
Description:
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
  

-----------------------------------------
Patch: SUSE-2020-1602
Released: Wed Jun 10 15:28:11 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1051510,1058115,1065729,1071995,1082555,1083647,1089895,1103990,1103991,1103992,1104745,1109837,1111666,1112178,1112374,1113956,1114279,1124278,1127354,1127355,1127371,1133021,1141558,1142685,1144333,1151794,1152489,1154824,1157169,1158265,1160388,1160947,1164780,1164871,1165183,1165478,1165741,1166969,1166978,1167574,1167851,1167867,1168332,1168503,1168670,1168789,1169005,1169020,1169514,1169525,1169762,1170056,1170125,1170145,1170284,1170345,1170457,1170522,1170592,1170617,1170618,1170620,1170621,1170770,1170778,1170791,1170901,1171078,1171098,1171118,1171189,1171191,1171195,1171202,1171205,1171214,1171217,1171218,1171219,1171220,1171244,1171293,1171417,1171527,1171599,1171600,1171601,1171602,1171604,1171605,1171606,1171607,1171608,1171609,1171610,1171611,1171612,1171613,1171614,1171615,1171616,1171617,1171618,1171619,1171620,1171621,1171622,1171623,1171624,1171625,1171626,1171662,1171679,1171691,1171692,1171694,1171695,1171736,1171761,1171817,1171948,1171949,1171951,1171952,1171979,1171982,1171983,1172017,1172096,1172097,1172098,1172099,1172101,1172102,1172103,1172104,1172127,1172130,1172185,1172188,1172199,1172201,1172202,1172218,1172221,1172249,1172251,1172253,1172317,1172342,1172343,1172344,1172366,1172378,1172391,1172397,1172453,CVE-2018-1000199,CVE-2019-19462,CVE-2019-20806,CVE-2019-20812,CVE-2019-9455,CVE-2020-0543,CVE-2020-10690,CVE-2020-10711,CVE-2020-10720,CVE-2020-10732,CVE-2020-10751,CVE-2020-10757,CVE-2020-12114,CVE-2020-12464,CVE-2020-12652,CVE-2020-12653,CVE-2020-12654,CVE-2020-12655,CVE-2020-12656,CVE-2020-12657,CVE-2020-12659,CVE-2020-12768,CVE-2020-12769,CVE-2020-13143
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
  This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).
- CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook  where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may had lead to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add br_netfilter to kernel-default-base (bsc#1169020)
- Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE.
- agp/intel: Reinforce the barrier after GTT updates (bsc#1051510).
- ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510).
- ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda: Add driver blacklist (bsc#1051510).
- ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510).
- ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510).
- ALSA: hda: Do not release card at firmware loading error (bsc#1051510).
- ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510).
- ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510).
- ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510).
- ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510).
- ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510).
- ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666).
- ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017).
- ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes).
- ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes).
- ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes).
- ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510).
- ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes).
- ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes).
- ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes).
- ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes).
- ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes).
- ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510).
- ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes).
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666).
- ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510).
- ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293).
- ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510).
- ALSA: hda: Release resources at error in delayed probe (bsc#1051510).
- ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510).
- ALSA: hda: Skip controller resume if not needed (bsc#1051510).
- ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes).
- ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes).
- ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510).
- ALSA: pcm: fix incorrect hw_base increase (git-fixes).
- ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522).
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes).
- ALSA: usb-audio: Add connector notifier delegation (bsc#1051510).
- ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes).
- ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes).
- ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510).
- ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510).
- ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510).
- ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510).
- ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510).
- ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510).
- ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510).
- ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510).
- ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510).
- ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510).
- ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes).
- ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes).
- ALSA: usx2y: Fix potential NULL dereference (bsc#1051510).
- ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510).
- ASoC: dapm: connect virtual mux with default value (bsc#1051510).
- ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510).
- ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510).
- ASoC: fix regwmask (bsc#1051510).
- ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510).
- ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666).
- ASoC: topology: Check return value of pcm_new_ver (bsc#1051510).
- ASoC: topology: use name_prefix for new kcontrol (bsc#1051510).
- b43legacy: Fix case where channel status is corrupted (bsc#1051510).
- batman-adv: fix batadv_nc_random_weight_tq (git-fixes).
- batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)).
- bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)).
- bcache: Revert 'bcache: shrink btree node cache after bch_btree_check()' (git fixes (block drivers)).
- blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478).
- blk-mq: simplify blk_mq_make_request() (bsc#1165478).
- block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527).
- block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599).
- block: fix busy device checking in blk_drop_partitions again (bsc#1171948).
- block: fix busy device checking in blk_drop_partitions (bsc#1171948).
- block: fix memleak of bio integrity data (git fixes (block drivers)).
- block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948).
- bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28).
- bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745).
- bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14).
- bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745 ).
- bnxt_en: Return error when allocating zero size context memory (bsc#1104745).
- bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14).
- bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647).
- bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647).
- brcmfmac: abort and release host after error (bsc#1051510).
- btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127).
- btrfs: fix log context list corruption after rename whiteout error (bsc#1172342).
- btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343).
- btrfs: move the dio_sem higher up the callchain (bsc#1171761).
- btrfs: relocation: add error injection points for cancelling balance (bsc#1171417).
- btrfs: relocation: Check cancel request after each data page read (bsc#1171417).
- btrfs: relocation: Check cancel request after each extent found (bsc#1171417).
- btrfs: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417).
- btrfs: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417).
- btrfs: relocation: Work around dead relocation stage loop (bsc#1171417).
- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366).
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366).
- btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127).
- btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127).
- btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127).
- can: add missing attribute validation for termination (networking-stable-20_03_14).
- cdc-acm: close race betrween suspend() and acm_softint (git-fixes).
- cdc-acm: introduce a cool down (git-fixes).
- ceph: check if file lock exists before sending unlock request (bsc#1168789).
- ceph: demote quotarealm lookup warning to a debug message (bsc#1171692).
- ceph: fix double unlock in handle_cap_export() (bsc#1171694).
- ceph: fix double unlock in handle_cap_export() (bsc#1171694).
- ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695).
- ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695).
- cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14).
- CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333).
- CIFS: Allocate encryption header through kmalloc (bsc#1144333).
- CIFS: allow unlock flock and OFD lock across fork (bsc#1144333).
- CIFS: check new file size when extending file by fallocate (bsc#1144333).
- CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333).
- CIFS: do not share tcons with DFS (bsc#1144333).
- CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333).
- CIFS: ensure correct super block for DFS reconnect (bsc#1144333).
- CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333).
- CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333).
- CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333).
- CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333).
- CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333).
- CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333).
- CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333).
- CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333).
- CIFS: smbd: Check send queue size before posting a send (bsc#1144333).
- CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333).
- CIFS: smbd: Merge code to track pending packets (bsc#1144333).
- CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333).
- CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333).
- CIFS: Warn less noisily on default mount (bsc#1144333).
- clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510).
- clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510).
- clk: imx: make mux parent strings const (bsc#1051510).
- clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510).
- clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621).
- clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510).
- component: Silence bind error on -EPROBE_DEFER (bsc#1051510).
- coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)).
- cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510).
- crypto: ccp - AES CFB mode is a stream cipher (git-fixes).
- crypto: ccp - Change a message to reflect status instead of failure (bsc#1172218).
- crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes).
- crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279).
- crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279).
- cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355).
- cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371).
- debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- devlink: fix return value after hitting end in region read (bsc#1109837).
- devlink: validate length of param values (bsc#1109837).
- devlink: validate length of region addr/len (bsc#1109837).
- dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574).
- dm-raid1: fix invalid return value from dm_mirror (bsc#1172378).
- dm writecache: fix data corruption when reloading the target (git fixes (block drivers)).
- dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)).
- dm writecache: verify watermark during resume (git fixes (block drivers)).
- dm zoned: fix invalid memory access (git fixes (block drivers)).
- dm zoned: reduce overhead of backing device checks (git fixes (block drivers)).
- dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)).
- dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)).
- dp83640: reverse arguments to list_add_tail (git-fixes).
- Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251).
- Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729).
- Drivers: w1: add hwmon support structures (jsc#SLE-11048).
- Drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048).
- Drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048).
- drm: amd/acp: fix broken menu structure (bsc#1114279) 	* context changes
- drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666).
- drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666).
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956)
- drm/atomic: Take the atomic toys away from X (bsc#1112178) 	* context changes
- drm/crc: Actually allow to change the crc source (bsc#1114279) 	* offset changes
- drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510).
- drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510).
- drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279)
- drm/etnaviv: fix perfmon domain interation (bsc#1113956)
- drm/etnaviv: rework perfmon query infrastructure (bsc#1112178)
- drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178) 	* rename gt/intel_workarounds.c to intel_workarounds.c 	* context changes
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279)
- drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178) 	* rename display/intel_hdmi.c to intel_hdmi.c 	* context changes
- drm/i915: properly sanity check batch_start_offset (bsc#1114279) 	* renamed display/intel_fbc.c -> intel_fb.c 	* renamed gt/intel_rc6.c -> intel_pm.c 	* context changes
- drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510).
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279)
- drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510).
- drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510).
- drm/qxl: qxl_release use after free (bsc#1051510).
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) 	* offset changes
- drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956)
- drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956)
- drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956) 	* context changes
- drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956) 	* context changes 	* keep include of sun4i_drv.h
- dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)).
- EDAC/amd64: Add family ops for Family 19h Models 00h-0Fh (jsc#SLE-11833).
- EDAC/amd64: Drop some family checks for newer systems (jsc#SLE-11833).
- EDAC/mce_amd: Always load on SMCA systems (jsc#SLE-11833).
- EDAC/mce_amd: Make fam_ops static global (jsc#SLE-11833).
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525).
- ext4: do not zeroout extents beyond i_disksize (bsc#1167851).
- ext4: fix extent_status fragmentation for plain files (bsc#1171949).
- ext4: use non-movable memory for superblock readahead (bsc#1171952).
- fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679).
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) 	* rename drivers/video/fbdev/core to drivers/video/console 	* context changes
- fib: add missing attribute validation for tun_id (networking-stable-20_03_14).
- firmware: qcom: scm: fix compilation error when disabled (bsc#1051510).
- Fix a backport bug, where btrfs_put_root() -> btrfs_put_fs_root() modification is not needed due to missing dependency
- fs/cifs: fix gcc warning in sid_to_id (bsc#1144333).
- fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125).
- gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510).
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14).
- HID: hid-input: clear unmapped usages (git-fixes).
- HID: hyperv: Add a module description line (bsc#1172249, bsc#1172251).
- HID: hyperv: Add a module description line (bsc#1172253).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes).
- HID: i2c-hid: override HID descriptors for certain devices (git-fixes).
- HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510).
- HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes).
- hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)).
- hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28).
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17).
- hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28).
- hsr: set .netnsok flag (networking-stable-20_03_28).
- hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28).
- i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes).
- i2c: acpi: put device when verifying client fails (git-fixes).
- i2c: brcmstb: remove unused struct member (git-fixes).
- i2c: core: Allow empty id_table in ACPI case as well (git-fixes).
- i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes).
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes).
- i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes).
- i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes).
- i2c: isch: Remove unnecessary acpi.h include (git-fixes).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510).
- i2c: st: fix missing struct parameter description (bsc#1051510).
- IB/ipoib: Add child to parent list only if device initialized (bsc#1168503).
- IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503).
- IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503).
- IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503).
- IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503).
- IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503).
- IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503).
- IB/ipoib: Move init code to ndo_init (bsc#1168503).
- IB/ipoib: Replace printk with pr_warn (bsc#1168503).
- IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503).
- IB/ipoib: Warn when one port fails to initialize (bsc#1168503).
- IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- iio:ad7797: Use correct attribute_group (bsc#1051510).
- iio: adc: stm32-adc: fix device used to request dma (bsc#1051510).
- iio: adc: stm32-adc: fix sleep in atomic context (git-fixes).
- iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510).
- iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510).
- iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510).
- iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510).
- iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510).
- ima: Fix return value of ima_write_policy() (git-fixes).
- Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510).
- Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251).
- Input: hyperv-keyboard - add module description (bsc#1172253).
- Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510).
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510).
- Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510).
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510).
- Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes).
- Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510).
- Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510).
- iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096).
- iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097).
- iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098).
- iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101).
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- ixgbe: do not check firmware errors (bsc#1170284).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi, protect struct ib_device (bsc#1168503).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951). 
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- make some Fujitsu systems run (bsc#1141558).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: core: Check request type before completing the request (git-fixes).
- mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes).
- mmc: cqhci: Avoid false 'cqhci: CQE stuck on' by not open-coding timeout loop (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net/ethernet: add Google GVE driver (jsc#SLE-10538)
- net: fec: add phy_reset_after_clk_enable() support (git-fixes).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net: hns3: fix 'tc qdisc del' failed issue (bsc#1109837).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1171118).
- net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990 ).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfp: abm: fix a memory leak bug (bsc#1109837).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- nfs: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- nfs: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- nfs: Fix memory leaks and corruption in readdir (git-fixes).
- nfs: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- nfs: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- nfs/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- nfs/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- nfs: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert 'kfifo: fix kfifo_alloc() and kfifo_init()' (git fixes (block drivers)).
- PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202).
- PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202).
- PCI: sanity test on PCI vendor to be sure we do not touch everything (bsc#1141558).
- perf/x86/amd: Add support for Large Increment per Cycle Events (jsc#SLE-11831).
- perf/x86/amd: Constrain Large Increment per Cycle events (jsc#SLE-11831).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- RDMA/ipoib: Fix use of sizeof() (bsc#1168503).
- RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503).
- RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503).
- RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503).
- Remove 2 git-fixes that cause build issues. (bsc#1171691) 
- Revert 'drm/panel: simple: Add support for Sharp LQ150X1LG11 panels' (bsc#1114279) 
- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).
- Revert 'RDMA/cma: Simplify rdma_resolve_addr() error flow' (bsc#1103992).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) 
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780).
- scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780).
- scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780).
- scsi: lpfc: Fix noderef and address space warnings (bsc#1164780).
- scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780).
- scsi: lpfc: remove duplicate unloading checks (bsc#1164780).
- scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780).
- scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780).
- scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622).
- scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623).
- scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624).
- scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625).
- scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626).
- sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02).
- sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278).
- seq_file: fix problem when seeking mid-record (bsc#1170125).
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14).
- signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185).
- slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28).
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14).
- smb3: Additional compression structures (bsc#1144333).
- smb3: Add new compression flags (bsc#1144333).
- smb3: change noisy error message to FYI (bsc#1144333).
- smb3: enable swap on SMB3 mounts (bsc#1144333).
- smb3: Minor cleanup of protocol definitions (bsc#1144333).
- smb3: remove overly noisy debug line in signing errors (bsc#1144333).
- smb3: smbdirect support can be configured by default (bsc#1144333).
- smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333).
- spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510).
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510).
- spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510).
- spi: pxa2xx: Add CS control clock quirk (bsc#1051510).
- spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510).
- spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510).
- staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510).
- staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510).
- staging: iio: ad2s1210: Fix SPI reading (bsc#1051510).
- supported.conf: Add br_netfilter to base (bsc#1169020).
- supported.conf: support w1 core and thermometer support
- svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992).
- svcrdma: Fix leak of transport addresses (git-fixes).
- svcrdma: Fix trace point use-after-free race (bsc#1103992 ).
- taskstats: fix data-race (bsc#1172188).
- tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27).
- tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28).
- team: add missing attribute validation for array index (networking-stable-20_03_14).
- team: add missing attribute validation for port ifindex (networking-stable-20_03_14).
- team: fix hang in team_mode_get() (networking-stable-20_04_27).
- tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729).
- tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555).
- tun: Do not put_page() for all negative return values from XDP program (bsc#1109837).
- Update config files: Build w1 bus on arm64 (jsc#SLE-11048)
- usb: core: Fix misleading driver bug report (bsc#1051510).
- usb: gadget: legacy: fix redundant initialization warnings (bsc#1051510).
- usbnet: silence an unnecessary warning (bsc#1170770).
- video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279)
- video: fbdev: w100fb: Fix a potential double free (bsc#1051510).
- vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27).
- vxlan: check return value of gro_cells_init() (networking-stable-20_03_28).
- w1: Add subsystem kernel public interface (jsc#SLE-11048).
- w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048).
- w1: keep balance of mutex locks and refcnts (jsc#SLE-11048).
- w1: use put_device() if device_register() fail (jsc#SLE-11048).
- wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510).
- wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510).
- workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130).
- x86/amd_nb: Add Family 19h PCI IDs (jsc#SLE-11834).
- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).
- x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).
- x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).
- x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).
- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86: Hyper-V: report value of misc_features (git fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
- x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279).
- x86/MCE/AMD: Add a KABI workaround for enum smca_bank_types (jsc#SLE-11833).
- x86/MCE/AMD, EDAC/mce_amd: Add new Load Store unit McaType (jsc#SLE-11833).
- x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE (bsc#1169005).
- x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279).
- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).
- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).
- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/pci: reserve MCFG areas earlier (bsc#1170145).
- xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27).
- xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes).
- xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes).
- xprtrdma: Fix completion wait during device removal (git-fixes).


-----------------------------------------
Patch: SUSE-2020-1608
Released: Thu Jun 11 15:16:07 2020
Summary: Security update for ed
Severity: low
References: 1019807,CVE-2017-5357
Description:

This update for ed fixes the following security issue:

- CVE-2017-5357: An invalid free in the regular expression handling 
  of the 'ed' command processing could allow local users to crash ed. (bsc#1019807)


-----------------------------------------
Patch: SUSE-2020-1612
Released: Fri Jun 12 09:43:17 2020
Summary: Security update for adns
Severity: important
References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109
Description:
This update for adns fixes the following issues:
	  
- CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver
  which could have led to remote code execution (bsc#1172265).
- CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of 
  service (bsc#1172265).
- CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
- CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).


-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.13 2020-06-24T19:26:28

-----------------------------------------
Patch: SUSE-2020-1633
Released: Wed Jun 17 10:35:22 2020
Summary: Security update for xen
Severity: important
References: 1027519,1168178,1172205,CVE-2020-0543
Description:
This update for xen fixes the following issues:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.
  This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).	  
- Fixed an issue with efi boot when  nvidia optimus or newer graphic cards are used (bsc#1168178).d


-----------------------------------------
Patch: SUSE-2020-1662
Released: Thu Jun 18 11:13:05 2020
Summary: Security update for perl
Severity: important
References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
Description:
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
- Some packages make assumptions about the date and time they are built. 
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)


-----------------------------------------
Patch: SUSE-2020-1672
Released: Thu Jun 18 13:41:30 2020
Summary: Security update for dbus-1
Severity: important
References: 1137832,1140091,CVE-2019-12749
Description:
This update for dbus-1 fixes the following issues:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which 
  could have allowed local attackers to bypass authentication (bsc#1137832). 


-----------------------------------------
Patch: SUSE-2020-1678
Released: Thu Jun 18 20:06:45 2020
Summary: Recommended update for cloud-init
Severity: moderate
References: 1170154,1171546,1171995
Description:
This update for cloud-init contains the following fixes:

- rsyslog warning, '~' is deprecated: (bsc#1170154)
  + replace deprecated syntax '& ~' by '& stop' for more information please
    see https://www.rsyslog.com/rsyslog-error-2307/.

  + Explicitly test for netconfig version 1 as well as 2.

  + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995)


-----------------------------------------
Patch: SUSE-2020-1683
Released: Fri Jun 19 09:46:55 2020
Summary: Security update for java-1_7_1-ibm
Severity: important
References: 1169511,1172277,CVE-2020-2654,CVE-2020-2756,CVE-2020-2757,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2830
Description:
This update for java-1_7_1-ibm fixes the following issues:

java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511)

- CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service    
- CVE-2020-2756: Improved mapping of serial ENUMs 
- CVE-2020-2757: Less Blocking Array Queues 
- CVE-2020-2781: Improved TLS session handling 
- CVE-2020-2800: Improved Headings for HTTP Servers 
- CVE-2020-2803: Enhanced buffering of byte buffers 
- CVE-2020-2805: Enhanced typing of methods 
- CVE-2020-2830: Improved Scanner conversions 


-----------------------------------------
Patch: SUSE-2020-1688
Released: Fri Jun 19 11:02:27 2020
Summary: Recommended update for dracut
Severity: important
References: 1171370
Description:
This update for dracut fixes the following issue:

- modules.d: fix udev rules detection of multipath devices. (bsc#1171370)


-----------------------------------------
Patch: SUSE-2020-1693
Released: Fri Jun 19 14:25:26 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1051510,1065729,1071995,1085030,1111666,1113956,1114279,1144333,1148868,1158983,1161016,1162063,1166985,1168081,1169194,1170592,1171904,1172458,1172472,1172537,1172538,1172759,1172775,1172781,1172782,1172783,1172884,CVE-2019-20810,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-13974
Description:


The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-10768: The prctl() function could be used to enable indirect branch speculation even after it has been disabled. (bnc#1172783)
- CVE-2020-10766: A bug in the logic handling could allow an attacker with a local account to disable SSBD protection. (bnc#1172781)
- CVE-2020-10767: A IBPB would be disabled when STIBP was not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) was available. This is unexpected behaviour could leave the system open to a spectre v2 style attack (bnc#1172782)
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii was called several times in a row (bnc#1172775)
- CVE-2019-20810: go7007_snd_init did not call snd_card_free for a failure path, which caused a memory leak (bnc#1172458)

The following non-security bugs were fixed:

- ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
- ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
- ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666).
- ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666).
- ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666).
- ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666).
- ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666).
- ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666).
- ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666).
- ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666).
- ALSA: pcm: disallow linking stream to itself (bsc#1111666).
- ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666).
- ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666).
- ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666).
- ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666).
- ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666).
- ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666).
- ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666).
- ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666).
- CDC-ACM: heed quirk also in error handling (git-fixes).
- HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
- KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904).
- KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
- NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() (bsc#1170592).
- NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID (bsc#1170592).
- PCI/PM: Call .bridge_d3() hook only if non-NULL (git-fixes).
- PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (bsc#1051510).
- PCI: Allow pci_resize_resource() for devices on root bus (bsc#1051510).
- PCI: Fix pci_register_host_bridge() device_register() error handling (bsc#1051510).
- PCI: Program MPS for RCiEP devices (bsc#1051510).
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1111666)
- RDMA/efa: Support remote read access in MR registration (bsc#1111666)
- RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1111666)
- USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke (bsc#1051510).
- USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() (bsc#1051510).
- USB: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510).
- USB: serial: qcserial: add DW5816e QDL support (bsc#1051510).
- USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (bsc#1051510).
- USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes).
- arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423).
- bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)).
- block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)).
- block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)).
- brcmfmac: fix wrong location to get firmware feature (bsc#1111666).
- btrfs: do not zero f_bavail if we have available space (bsc#1168081).
- btrfs: do not zero f_bavail if we have available space (bsc#1168081).
- char/random: Add a newline at the end of the file (jsc#SLE-12423).
- cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333).
- cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016).
- cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016).
- clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510).
- clk: clk-flexgen: fix clock-critical handling (bsc#1051510).
- clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510).
- compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)).
- compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)).
- copy_{to,from}_user(): consolidate object size checks (git fixes).
- crypto: caam - update xts sector size for large input length (bsc#1111666).
- crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666).
- dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)).
- dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)).
- dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)).
- dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)).
- dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)).
- dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)).
- dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)).
- dm: various cleanups to md->queue initialization code (git fixes).
- dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666).
- drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510).
- drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666).
- drm: amd/display: fix Kconfig help text (bsc#1113956)
- efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423).
- efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423).
- efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423).
- efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423).
- evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510).
- evm: Fix a small race in init_desc() (bsc#1051510).
- extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510).
- fdt: Update CRC check for rng-seed (jsc#SLE-12423).
- fdt: add support for rng-seed (jsc#SLE-12423).
- firmware: imx: scu: Fix corruption of header (git-fixes).
- firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666).
- firmware: revert letter case change which broke compatibility with the SAP license generator (bsc#1172472).
- fpga: dfl: afu: Corrected error handling levels (git-fixes).
- fs/reiserfs: Reenabled reiserfs (bsc#1172884)
- gpiolib: Document that GPIO line names are not globally unique (bsc#1051510).
- gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666).
- iio: buffer: Do not allow buffers without any channels enabled to be activated (bsc#1051510).
- iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510).
- ima: Directly assign the ima_default_policy pointer to ima_rules (bsc#1051510).
- ima: Fix ima digest hash table key calculation (bsc#1051510).
- include/asm-generic/topology.h: guard cpumask_of_node() macro argument (bsc#1148868).
- kabi: ppc64le: prevent struct dma_map_ops to become defined (jsc#SLE-12423).
- kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904).
- livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).
- livepatch: Disallow vmlinux.ko (bsc#1071995).
- livepatch: Make klp_apply_object_relocs static (bsc#1071995).
- livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995).
- livepatch: Remove .klp.arch (bsc#1071995).
- mac80211: add option for setting control flags (bsc#1111666).
- mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX (bsc#1111666).
- mailbox: imx: Disable the clock on devm_mbox_controller_register() failure (git-fixes).
- md: Avoid namespace collision with bitmap API (git fixes (block drivers)).
- md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (bsc#1166985)).
- md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (git fixes (block drivers)).
- mdraid: fix read/write bytes accounting (bsc#1172537).
- mmc: block: Fix request completion in the CQE timeout path (bsc#1111666).
- mmc: block: Fix use-after-free issue for rpmb (bsc#1111666).
- mmc: fix compilation of user API (bsc#1051510).
- netfilter: connlabels: prefer static lock initialiser (git-fixes).
- netfilter: not mark a spinlock as __read_mostly (git-fixes).
- nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type (bsc#1111666).
- nvme-fc: Fail transport errors with NVME_SC_HOST_PATH (bsc#1158983 bsc#1172538).
- nvme-tcp: fail command with NVME_SC_HOST_PATH_ERROR send failed (bsc#1158983 bsc#1172538).
- nvme: fail cancelled commands with NVME_SC_HOST_PATH_ERROR (bsc#1158983 bsc#1172538).
- overflow.h: Add arithmetic shift helper (git fixes).
- overflow: Fix -Wtype-limits compilation warnings (git fixes).
- p54usb: add AirVasT USB stick device-id (bsc#1051510).
- pcm_native: result of put_user() needs to be checked (bsc#1111666).
- perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes).
- perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes).
- perf/cgroup: Fix perf cgroup hierarchy support (git-fixes).
- perf/cgroup: Fix perf cgroup hierarchy support (git-fixes).
- perf/core: Add sanity check to deal with pinned event failure (git-fixes).
- perf/core: Add sanity check to deal with pinned event failure (git-fixes).
- perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes).
- perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes).
- perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes).
- perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes).
- perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes).
- perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes).
- perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)).
- perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)).
- perf/core: Fix bad use of igrab() (git fixes (dependent patch)).
- perf/core: Fix crash when using HW tracing kernel filters (git-fixes).
- perf/core: Fix ctx_event_type in ctx_resched() (git-fixes).
- perf/core: Fix ctx_event_type in ctx_resched() (git-fixes).
- perf/core: Fix error handling in perf_event_alloc() (git-fixes).
- perf/core: Fix error handling in perf_event_alloc() (git-fixes).
- perf/core: Fix exclusive events' grouping (git-fixes).
- perf/core: Fix exclusive events' grouping (git-fixes).
- perf/core: Fix group scheduling with mixed hw and sw events (git-fixes).
- perf/core: Fix group scheduling with mixed hw and sw events (git-fixes).
- perf/core: Fix impossible ring-buffer sizes warning (git-fixes).
- perf/core: Fix impossible ring-buffer sizes warning (git-fixes).
- perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)).
- perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)).
- perf/core: Fix locking for children siblings group read (git-fixes).
- perf/core: Fix locking for children siblings group read (git-fixes).
- perf/core: Fix perf_event_read_value() locking (git-fixes).
- perf/core: Fix perf_event_read_value() locking (git-fixes).
- perf/core: Fix perf_pmu_unregister() locking (git-fixes).
- perf/core: Fix perf_pmu_unregister() locking (git-fixes).
- perf/core: Fix perf_sample_regs_user() mm check (git-fixes).
- perf/core: Fix perf_sample_regs_user() mm check (git-fixes).
- perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes).
- perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes).
- perf/core: Fix race between close() and fork() (git-fixes).
- perf/core: Fix race between close() and fork() (git-fixes).
- perf/core: Fix the address filtering fix (git-fixes).
- perf/core: Fix the address filtering fix (git-fixes).
- perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes).
- perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes).
- perf/core: Force USER_DS when recording user stack data (git-fixes).
- perf/core: Force USER_DS when recording user stack data (git-fixes).
- perf/core: Restore mmap record type correctly (git-fixes).
- perf/core: Restore mmap record type correctly (git-fixes).
- perf/ioctl: Add check for the sample_period value (git-fixes).
- perf/ioctl: Add check for the sample_period value (git-fixes).
- perf/x86/pt, coresight: Clean up address filter structure (git fixes (dependent patch)).
- perf: Allocate context task_ctx_data for child event (git-fixes).
- perf: Allocate context task_ctx_data for child event (git-fixes).
- perf: Copy parent's address filter offsets on clone (git-fixes).
- perf: Copy parent's address filter offsets on clone (git-fixes).
- perf: Fix header.size for namespace events (git-fixes).
- perf: Fix header.size for namespace events (git-fixes).
- perf: Return proper values for user stack errors (git-fixes).
- perf: Return proper values for user stack errors (git-fixes).
- pid: Improve the comment about waiting in zap_pid_ns_processes (git fixes)).
- pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' (bsc#1051510).
- pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' (bsc#1051510).
- pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs (bsc#1051510).
- platform/x86: dell-laptop: do not register micmute LED if there is no token (bsc#1111666).
- pnp: Use list_for_each_entry() instead of open coding (git fixes).
- power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select (bsc#1051510).
- power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' (bsc#1051510).
- power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510).
- powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729).
- powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729).
- powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030).
- raid5: remove gfp flags from scribble_alloc() (bsc#1166985).
- raid5: remove gfp flags from scribble_alloc() (git fixes (block drivers)).
- resolve KABI warning for perf-pt-coresight (git-fixes).
- resolve KABI warning for perf-pt-coresight (git-fixes).
- s390/bpf: Maintain 8-byte stack alignment (bsc#1169194).
- scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814).
- spi: dw: use 'smp_mb()' to avoid sending spi data error (bsc#1051510).
- spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices (bsc#1111666).
- staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (bsc#1051510).
- staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510).
- tty: n_gsm: Fix SOF skipping (bsc#1051510).
- tty: n_gsm: Fix bogus i++ in gsm_data_kick (bsc#1051510).
- tty: n_gsm: Fix waking up upper tty layer when room available (bsc#1051510).
- usb: dwc2: gadget: move gadget resume after the core is in L0 state (bsc#1051510).
- usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (bsc#1051510).
- usb: musb: Fix runtime PM imbalance on error (bsc#1051510).
- usb: musb: start session in resume for host port (bsc#1051510).
- virtio-blk: handle block_device_operations callbacks after hot unplug (git fixes (block drivers)).
- w1: omap-hdq: cleanup to add missing newline for some dev_dbg (bsc#1051510).
- watchdog: sp805: fix restart handler (bsc#1111666).
- wil6210: add general initialization/size checks (bsc#1111666).
- wil6210: check rx_buff_mgmt before accessing it (bsc#1111666).
- wil6210: ignore HALP ICR if already handled (bsc#1111666).
- work around mvfs bug (bsc#1162063).
- x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279).
- x86: Fix early boot crash on gcc-10, third try (bsc#1114279).
- xfrm: fix error in comment (git fixes).


-----------------------------------------
Patch: SUSE-2020-1734
Released: Wed Jun 24 09:43:55 2020
Summary: Security update for curl
Severity: important
References: 1173027,CVE-2020-8177
Description:
This update for curl fixes the following issues:
	  
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious 
  server to overwrite a local file when using the -J option (bsc#1173027).


-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.21 2020-07-07T08:53:22

-----------------------------------------
Patch: SUSE-2020-1749
Released: Thu Jun 25 18:27:37 2020
Summary: Security update for tigervnc
Severity: important
References: 1159856,1159858,1159860,1160249,1160250,1160251,1160937,1165680,1169952,CVE-2019-15691,CVE-2019-15692,CVE-2019-15693,CVE-2019-15694,CVE-2019-15695
Description:
This update for tigervnc fixes the following issues:

- CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
- CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
- CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
- CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

Other bugs fixed:

- Fix random connection freezes (bsc#1169952, bsc#1160249, bsc#1165680):


-----------------------------------------
Patch: SUSE-2020-1792
Released: Fri Jun 26 14:06:59 2020
Summary: Security update for python3-requests
Severity: moderate
References: 1054413,1073879,1111622,1122668,761500,922448,929736,935252,945455,947357,961596,967128,CVE-2015-2296,CVE-2018-18074
Description:
This update for python3-requests provides the following fix:

python-requests was updated to 2.20.1.

Update to version 2.20.1:

* Fixed bug with unintended Authorization header stripping for
  redirects using default ports (http/80, https/443).

Update to version 2.20.0:

* Bugfixes

  + Content-Type header parsing is now case-insensitive
    (e.g. charset=utf8 v Charset=utf8).
  + Fixed exception leak where certain redirect urls would raise
    uncaught urllib3 exceptions.
  + Requests removes Authorization header from requests redirected
    from https to http on the same hostname. (CVE-2018-18074)
  + should_bypass_proxies now handles URIs without hostnames
    (e.g. files).

Update to version 2.19.1:

* Fixed issue where status_codes.py’s init function failed trying
  to append to a __doc__ value of None.

Update to version 2.19.0:

* Improvements

  + Warn about possible slowdown with cryptography version < 1.3.4
  + Check host in proxy URL, before forwarding request to adapter.
  + Maintain fragments properly across redirects. (RFC7231 7.1.2)
  + Removed use of cgi module to expedite library load time.
  + Added support for SHA-256 and SHA-512 digest auth algorithms.
  + Minor performance improvement to Request.content.

* Bugfixes

  + Parsing empty Link headers with parse_header_links() no longer
    return one bogus entry.
  + Fixed issue where loading the default certificate bundle from
    a zip archive would raise an IOError.
  + Fixed issue with unexpected ImportError on windows system
    which do not support winreg module.
  + DNS resolution in proxy bypass no longer includes the username
    and password in the request. This also fixes the issue of DNS
    queries failing on macOS.
  + Properly normalize adapter prefixes for url comparison.
  + Passing None as a file pointer to the files param no longer
    raises an exception.
  + Calling copy on a RequestsCookieJar will now preserve the
    cookie policy correctly.

Update to version 2.18.4:

* Improvements

  + Error messages for invalid headers now include the header name
    for easier debugging

Update to version 2.18.3:

* Improvements
  + Running $ python -m requests.help now includes the installed
    version of idna.
* Bugfixes
  + Fixed issue where Requests would raise ConnectionError instead
    of SSLError when encountering SSL problems when using urllib3
    v1.22.

- Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https
  connections will fail.


-----------------------------------------
Patch: SUSE-2020-1794
Released: Mon Jun 29 11:09:55 2020
Summary: Security update for mutt
Severity: important
References: 1172906,1172935,1173197,CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Description:
This update for mutt fixes the following issues:

- CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was
  affecting IMAP, SMTP, and POP3 (bsc#1173197).
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935).
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was
  proceeding with a connection (bsc#1172906, bsc#1172935).


-----------------------------------------
Patch: SUSE-2020-1796
Released: Mon Jun 29 13:27:56 2020
Summary: Security update for unzip
Severity: moderate
References: 1110194,CVE-2018-18384
Description:
This update for unzip fixes the following issues:

- CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194)



-----------------------------------------
Patch: SUSE-2020-1805
Released: Tue Jun 30 17:37:15 2020
Summary: Security update for ntp
Severity: moderate
References: 1169740,1171355,1172651,1173334,CVE-2018-8956,CVE-2020-11868,CVE-2020-13817,CVE-2020-15025
Description:
This update for ntp fixes the following issues:

ntp was updated to 4.2.8p15

- CVE-2020-11868: Fixed an issue which a server mode packet with spoofed source address 
  frequently send to the client ntpd could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent 
  a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed 
  mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue which an off-path attacker with the ability to query time 
  from victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue which remote attacker could have caused denial of service by consuming 
  the memory when a CMAC key was used andassociated with a CMAC algorithm in the ntp.keys (bsc#1173334).	  


-----------------------------------------
Patch: SUSE-2020-1813
Released: Wed Jul  1 10:25:36 2020
Summary: Recommended update for mdadm
Severity: important
References: 1163727,1168953,1173137
Description:
This update for mdadm fixes the following issues:

- OnCalendar format fix of mdcheck_start.timer (bsc#1173137)
- Detail: differentiate between container and inactive arrays
  (bsc#1163727)
- Monitor: improve check_one_sharer() for checking duplicated process
  (bsc#1168953)


-----------------------------------------
Patch: SUSE-2020-1828
Released: Thu Jul  2 13:07:28 2020
Summary: Security update for systemd
Severity: moderate
References: 1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386
Description:
This update for systemd fixes the following issues:

- CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
- Renamed the persistent link for ATA devices (bsc#1164538)
- shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
- tmpfiles: removed unnecessary assert (bsc#1171145)
- pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
- manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
- coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
- udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)


-----------------------------------------
Patch: SUSE-2020-1839
Released: Fri Jul  3 12:46:12 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: important
References: 1159819,1168669,1169746,1170908,1171978,1173022,CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).

Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25


-----------------------------------------
Patch: SUSE-2020-1844
Released: Mon Jul  6 12:16:54 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1160121,1162978,1170270
Description:
This update for resource-agents fixes the following issues:

- Added a check whether underlying devs for LVM's have disappeared to prevent an issue with the status check. (bsc#1160121)
- Fixed a bug where the pulling of images was stuck (bsc#1170270)


-----------------------------------------
Patch: SUSE-2020-1846
Released: Mon Jul  6 12:22:17 2020
Summary: Recommended update for yast2-ruby-bindings
Severity: important
References: 1172275,1172848
Description:
This update for yast2-ruby-bindings fixes the following issues:

- Fixed a Ruby error when the appliance gets configured during an installation, which
  led to a crash (bsc#1172848)
- Fixed an error where yast2 --ncureses crashed due to an update of the Ruby
  interpreter (bsc#1172275)


-----------------------------------------
Patch: SUSE-2020-1848
Released: Mon Jul  6 12:35:40 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1170037,1170999
Description:
This update for crmsh fixes the following issues:

- Fix for using SBDManager to configure sbd and enable systemd service as it is necessary. (bsc#1170037, bsc#1170999)
  

-----------------------------------------
Patch: SUSE-2020-1857
Released: Mon Jul  6 17:07:31 2020
Summary: Security update for permissions
Severity: moderate
References: 1171883
Description:
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883) 	  


-----------------------------------------
Patch: SUSE-2020-1859
Released: Mon Jul  6 17:08:28 2020
Summary: Security update for openldap2
Severity: important
References: 1170715,1172698,1172704,CVE-2020-8023
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).	 
- Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).


-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.35 2020-07-30T12:26:31

-----------------------------------------
Patch: SUSE-2020-1887
Released: Fri Jul 10 15:49:55 2020
Summary: Security update for xen
Severity: important
References: 1027519,1172205,1173376,1173377,1173378,1173380,CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567
Description:
This update for xen fixes the following issues:

- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).
- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).
- CVE-2020-15566: Fixed incorrect error handling in event channel port allocation (bsc#1173376).
- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).
- CVE-2020-0543: Special Register Buffer Data Sampling (SRBDS) aka 'CrossTalk' (bsc#1172205).

Additional upstream bug fixes (bsc#1027519)


-----------------------------------------
Patch: SUSE-2020-1890
Released: Sat Jul 11 06:08:16 2020
Summary: Recommended update for fence-agents
Severity: moderate
References: 1169485
Description:
This update for fence-agents fixes the following issues:

- Fix for the issue where object does not support indexing. (bsc#1169485)
  

-----------------------------------------
Patch: SUSE-2020-1896
Released: Mon Jul 13 10:41:14 2020
Summary: Recommended update for drbd-utils
Severity: moderate
References: 1172624
Description:
This update for drbd-utils fixes the following issues:

- Fixes the output of 'drbdsetup status --json'. Sometimes it didn't return a valid JSON string (bsc#1172624)


-----------------------------------------
Patch: SUSE-2020-1945
Released: Fri Jul 17 13:58:34 2020
Summary: Recommended update for pacemaker
Severity: moderate
References: 1148236,1154881,1155290,1160410,1168771,1171372
Description:
This update for pacemaker fixes the following issues:

- Fixes handling of fence-agents through its parameters in pacemaker (bsc#1171372)
- Implement priority fencing delay to make a coordinated, successful fencing in case of 'split-brain'. (jsc#ECO-1611, jsc#SLE-12237)
- Fix for an issue when cluster rolling upgrade brakes due to too high corosync ringid that pacemake is not able to handle. (bsc#1168771)
- Fixes an issue when pacemaker fails with option '-fno-common'. (bsc#1160410)
- Improve error checking and log messages for API action requests in fencer. (bsc#1148236)
- Fix for faulty mode indication by checking if  cluster-wide 'maintenance-mode=true' overrides per-resource settings. (bsc#1154881)
- Clear all prefer constraints when performing a move. (bsc#1155290)


-----------------------------------------
Patch: SUSE-2020-1971
Released: Tue Jul 21 02:38:19 2020
Summary: Security update for Salt
Severity: moderate
References: 1157465,1159284,1162327,1165572,1167437,1168340,1169604,1169800,1170104,1170288,1170595,1171906,1172075,1173072,1174165,CVE-2019-18897,CVE-2020-11651,CVE-2020-11652
Description:

This update fixes the following issues:

salt:

- Fix for TypeError in Tornado importer (bsc#1174165)
- Require python3-distro only for TW (bsc#1173072)
- Various virt backports from 3000.2
- Avoid traceback on debug logging for swarm module (bsc#1172075)
- Add publish_batch to ClearFuncs exposed methods
- Update to salt version 3000
  See release notes: https://docs.saltstack.com/en/latest/topics/releases/3000.html
- Zypperpkg: filter patterns that start with dot (bsc#1171906)
- Batch mode now also correctly provides return value (bsc#1168340)
- Add docker.logout to docker execution module (bsc#1165572)
- Testsuite fix
- Add option to enable/disable force refresh for zypper
- Python3.8 compatibility changes
- Prevent sporious 'salt-api' stuck processes when managing SSH minions because of logging deadlock (bsc#1159284)
- Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions (bsc#1169604)
- Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104)
- Returns a the list of IPs filtered by the optional network list
- Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)
- Do not require vendored backports-abc (bsc#1170288)
- Fix partition.mkpart to work without fstype (bsc#1169800)
- Enable building and installation for Fedora
- Disable python2 build on Tumbleweed
  We are removing the python2 interpreter from openSUSE (SLE16).
  As such disable salt building for python2 there.
- More robust remote port detection
- Sanitize grains loaded from roster_grains.json cache during 'state.pkg'
- Do not make file.recurse state to fail when msgpack 0.5.4 (bsc#1167437)
- Build: Buildequire pkgconfig(systemd) instead of systemd
  pkgconfig(systemd) is provided by systemd, so this is de-facto no change.
  But inside the Open Build Service (OBS), the same symbol is also provided by
  systemd-mini, which exists to shorten build-chains by only enabling what other
  packages need to successfully build
- Add new custom SUSE capability for saltutil state module
- Fixes status attribute issue in aptpkg test
- Make setup.py script not to require setuptools greater than 9.1
- Loop: fix variable names for until_no_eval
- Drop conflictive module.run state patch (bsc#1167437)
- Update patches after rebase with upstream v3000 tag (bsc#1167437)
- Fix some requirements issues depending on Python3 versions
- Removes obsolete patch
- Fix for low rpm_lowpkg unit test
- Add python-singledispatch as dependency for python2-salt
- Virt._get_domain: don't raise an exception if there is no VM
- Fix for temp folder definition in loader unit test
- Adds test for zypper abbreviation fix
- Improved storage pool or network handling
- Better import cache handline
- Make 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2
- Fix regression in service states with reload argument
- Fix integration test failure for test_mod_del_repo_multiline_values
- Fix for unless requisite when pip is not installed
- Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation
- Fix tornado imports and missing _utils after rebasing patches
- Removes unresolved merge conflict in yumpkg module
- Use full option name instead of undocumented abbreviation for zypper
- Requiring python3-distro only for openSUSE/SLE >= 15 and not for Python 2 builds
- Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897)
- Fix unit tests failures in test_batch_async tests
- Batch Async: Handle exceptions, properly unregister and close instances after
  running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)
- RHEL/CentOS 8 uses platform-python instead of python3
- Loader: invalidate the import cachefor extra modules
- Zypperpkg: filter patterns that start with dot (bsc#1171906)
- Batch mode now also correctly provides return value (bsc#1168340)
- Add docker.logout to docker execution module (bsc#1165572)
- Improvements for chroot module
- Add option to enable/disable force refresh for zypper
- Prevent sporious 'salt-api' stuck processes when managing SSH minions
  because of logging deadlock (bsc#1159284)
- Avoid segfault from 'salt-api' under certain conditions of heavy load
  managing SSH minions (bsc#1169604)



-----------------------------------------
Patch: SUSE-2020-2020
Released: Thu Jul 23 09:43:18 2020
Summary: Recommended update for SAPHanaSR
Severity: moderate
References: 1173581
Description:
This update for SAPHanaSR fixes the following issues:

- Fix for log empty site names, but do not generate bad formatted cluster attribute name. (bsc#1173581)
- Fix for documentation of some parameter defaults.
- Adjust start/stop/promote/monitor action timeouts to match official recommendations.


-----------------------------------------
Patch: SUSE-2020-2036
Released: Fri Jul 24 13:32:43 2020
Summary: Security update for samba
Severity: moderate
References: 1169473,1169521,1172810,1173160,1173429,CVE-2020-10745
Description:
This update for samba fixes the following issues:

- CVE-2020-10745: Fixed an issue which parsing and packing of NBT and DNS packets 
  containing dots could potentially have consumed excessive CPU (bsc#1173160).	  
- Fixed a packaging issue where samba_winbind package was installing python3-base without
  python3 (bsc#1169521).
- Fixed an issue with spnego fallback from kerberos to ntlmssp in smbd server (bsc#1169473).
- Fixed ntlm authentications with 'winbind use default domain = yes' (bsc#1173429).
- Added solution for upgrade problem with libsmbldap2 package (bsc#1172810).


-----------------------------------------
Patch: SUSE-2020-2038
Released: Fri Jul 24 13:58:15 2020
Summary: Recommended update for hawk2
Severity: moderate
References: 1098637,1137891,1158681,1165587
Description:
This update for hawk2 fixes the following issues:

Update to version 2.2.0+git.1593534571.0edec1ee:

- Update puma rubygem requirement to 2.16 for disabling TLSv1.0 and TLSv1.1. (jsc#SLE-6965)
- Fix omission of built-in stonith attributes. (bsc#1165587)
- Fix cib.xml parsing for acl_version. (bsc#1158681)
- Add application/x-bzip2 mime type. (bsc#1098637)
- Fix mime type issue in MS windows. (bsc#1098637)
- Fix nameless cluster display. (bsc#1137891)

-----------------------------------------
Patch: SUSE-2020-2050
Released: Fri Jul 24 15:18:56 2020
Summary: Recommended update for crmsh
Severity: important
References: 1166962,1169581,1170037,1170999
Description:
This update for crmsh fixes the following issues:

- Fix for collecting of binary data to avoid CRC error in report. (bsc#1166962)
- Implement ssh key configuration improvement to avoid security issues. (bsc#1169581, ECO-2035)
- Fix for using class 'SBDManager' for sbd configuration and management. (bsc#1170037, bsc#1170999)


-----------------------------------------
Patch: SUSE-2020-2059
Released: Tue Jul 28 11:32:56 2020
Summary: Recommended update for grep
Severity: moderate
References: 1163834
Description:
This update for grep fixes the following issues:

Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)


-----------------------------------------
Patch: SUSE-2020-2078
Released: Wed Jul 29 19:30:02 2020
Summary: Security update for grub2
Severity: important
References: 1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
Description:
This update for grub2 fixes the following issues:

- Fix for CVE-2020-10713 (bsc#1168994)
- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  (bsc#1173812)
- Fix for CVE-2020-15706 (bsc#1174463)
- Fix for CVE-2020-15707 (bsc#1174570)
- Use overflow checking primitives where the arithmetic expression for buffer
  allocations may include unvalidated data
- Use grub_calloc for overflow check and return NULL when it would occur 
- Use gcc-9 compiler for overflow check builtins
- Backport gcc-9 build fixes


-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.42 2020-08-07T07:53:47

-----------------------------------------
Patch: SUSE-2020-2092
Released: Thu Jul 30 14:55:46 2020
Summary: Recommended update for glibc
Severity: moderate
References: 1171878,1172085,1173593
Description:
This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178)
- nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130)
- Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100)


-----------------------------------------
Patch: SUSE-2020-2117
Released: Tue Aug  4 15:14:39 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)


-----------------------------------------
Patch: SUSE-2020-2122
Released: Tue Aug  4 20:09:59 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1051510,1065729,1104967,1111666,1112178,1113956,1114279,1150660,1151927,1152107,1152624,1158983,1159058,1162002,1163309,1167104,1168959,1169514,1169771,1169795,1170011,1170442,1170617,1170618,1171124,1171424,1171529,1171530,1171558,1171673,1171732,1171739,1171743,1171753,1171759,1171761,1171835,1171841,1171868,1171988,1172247,1172257,1172344,1172484,1172687,1172719,1172871,1172872,1172999,1173060,1173074,1173146,1173265,1173280,1173284,1173428,1173462,1173514,1173567,1173573,1173746,1173818,1173820,1173825,1173826,1173833,1173838,1173839,1173845,1173857,1174113,1174115,1174122,1174123,1174130,1174205,1174296,1174343,1174356,1174409,1174438,1174462,1174543,CVE-2019-16746,CVE-2019-20908,CVE-2020-0305,CVE-2020-10135,CVE-2020-10769,CVE-2020-10773,CVE-2020-10781,CVE-2020-12771,CVE-2020-12888,CVE-2020-14331,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780
Description:


The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-14331: A buffer over write in vgacon_scroll was fixed (bnc#1174205).
- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988).
- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).
- CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).
- CVE-2020-10781: zram sysfs resource consumption was fixed (bnc#1173074).
- CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).
- CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514).
- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a deadlock if a coalescing operation fails (bnc#1171732).
- CVE-2019-16746: net/wireless/nl80211.c did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107).
- CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).
- CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).
- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).
- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

The following non-security bugs were fixed:

- ACPI: GED: add support for _Exx / _Lxx handler methods (bsc#1111666).
- ACPI: GED: use correct trigger type field in _Exx / _Lxx handling (bsc#1111666).
- ACPI: NFIT: Fix unlock on error in scrub_show() (bsc#1171753).
- ACPI: sysfs: Fix pm_profile_attr type (bsc#1111666).
- ACPI: video: Use native backlight on Acer Aspire 5783z (bsc#1111666).
- ACPI: video: Use native backlight on Acer TravelMate 5735Z (bsc#1111666).
- ALSA: hda - let hs_mic be picked ahead of hp_mic (bsc#1111666).
- ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 (bsc#1111666).
- ALSA: lx6464es - add support for LX6464ESe pci express variant (bsc#1111666).
- ALSA: opl3: fix infoleak in opl3 (bsc#1111666).
- ALSA: usb-audio: add quirk for MacroSilicon MS2109 (bsc#1111666).
- ALSA: usb-audio: Fix packet size calculation (bsc#1111666).
- ALSA: usb-audio: Improve frames size computation (bsc#1111666).
- amdgpu: a NULL ->mm does not mean a thread is a kthread (git-fixes).
- ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb (bsc#1111666).
- ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx (bsc#1111666).
- ath9k: Fix use-after-free Write in ath9k_htc_rx_msg (bsc#1111666).
- ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb (bsc#1111666).
- ax25: fix setsockopt(SO_BINDTODEVICE) (networking-stable-20_05_27).
- b43: Fix connection problem with WPA3 (bsc#1111666).
- b43_legacy: Fix connection problem with WPA3 (bsc#1111666).
- be2net: fix link failure after ethtool offline test (git-fixes).
- block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).
- block, bfq: postpone rq preparation to insert or merge (bsc#1104967 bsc#1171673). Refresh patches.suse/block-bfq-fix-use-after-free-in-bfq_idle_slice_timer.patch
- block: nr_sects_write(): Disable preemption on seqcount write (bsc#1173818).
- Bluetooth: Add SCO fallback for invalid LMP parameters error (bsc#1111666).
- bnxt_en: Fix AER reset logic on 57500 chips (git-fixes).
- bnxt_en: Fix ethtool selftest crash under error conditions (git-fixes).
- bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails (git-fixes).
- bnxt_en: Fix ipv6 RFS filter matching logic (git-fixes).
- bnxt_en: fix NULL dereference in case SR-IOV configuration fails (git-fixes).
- bnxt_en: Fix VF anti-spoof filter setup (networking-stable-20_05_12).
- bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features() (networking-stable-20_05_12).
- bnxt_en: Improve AER slot reset (networking-stable-20_05_12).
- brcmfmac: Transform compatible string for FW loading (bsc#1169771).
- btrfs: add assertions for tree == inode->io_tree to extent IO helpers (bsc#1174438).
- btrfs: add new helper btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: Always use a cached extent_state in btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: always wait on ordered extents at fsync time (bsc#1171761).
- btrfs: clean up the left over logged_list usage (bsc#1171761).
- btrfs: drop argument tree from btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: fix extent_state leak in btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof (bsc#1174438).
- btrfs: fix hang on snapshot creation after RWF_NOWAIT write (bsc#1174438).
- btrfs: fix list_add corruption and soft lockups in fsync (bsc#1171761).
- btrfs: fix missing data checksums after a ranged fsync (msync) (bsc#1171761).
- btrfs: fix missing file extent item for hole after ranged fsync (bsc#1171761).
- btrfs: fix missing hole after hole punching and fsync when using NO_HOLES (bsc#1171761).
- btrfs: fix missing semaphore unlock in btrfs_sync_file (bsc#1171761).
- btrfs: fix rare chances for data loss when doing a fast fsync (bsc#1171761).
- btrfs: fix RWF_NOWAIT write not failling when we need to cow (bsc#1174438).
- btrfs: fix RWF_NOWAIT writes blocking on extent locks and waiting for IO (bsc#1174438).
- btrfs: qgroup: Fix a bug that prevents qgroup to be re-enabled after disable (bsc#1172247).
- btrfs: Remove extra parentheses from condition in copy_items() (bsc#1171761).
- btrfs: remove no longer used io_err from btrfs_log_ctx (bsc#1171761).
- btrfs: remove no longer used logged range variables when logging extents (bsc#1171761).
- btrfs: remove no longer used 'sync' member from transaction handle (bsc#1171761).
- btrfs: remove remaing full_sync logic from btrfs_sync_file (bsc#1171761).
- btrfs: remove the logged extents infrastructure (bsc#1171761).
- btrfs: remove the wait ordered logic in the log_one_extent path (bsc#1171761).
- btrfs: Return EAGAIN if we can't start no snpashot write in check_can_nocow (bsc#1174438).
- btrfs: use correct count in btrfs_file_write_iter() (bsc#1174438).
- btrfs: Use newly introduced btrfs_lock_and_flush_ordered_range (bsc#1174438).
- btrfs: volumes: Remove ENOSPC-prone btrfs_can_relocate() (bsc#1171124).
- bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads (bsc#1111666).
- carl9170: remove P2P_GO support (bsc#1111666).
- ceph: convert mdsc->cap_dirty to a per-session list (bsc#1167104).
- ceph: request expedited service on session's last cap flush (bsc#1167104).
- cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages (bsc#1173857).
- clocksource: dw_apb_timer: Make CPU-affiliation being optional (bsc#1111666).
- crypto: algboss - do not wait during notifier callback (bsc#1111666).
- crypto: algif_skcipher - Cap recv SG list at ctx->used (bsc#1111666).
- crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (bsc#1111666).
- crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (git-fixes).
- crypto/chcr: fix for ccm(aes) failed test (bsc#1111666).
- crypto: talitos - fix IPsec cipher in length (git-fixes).
- crypto: talitos - reorder code in talitos_edesc_alloc() (git-fixes).
- debugfs: Check module state before warning in {full/open}_proxy_open() (bsc#1173746).
- devinet: fix memleak in inetdev_init() (networking-stable-20_06_07).
- /dev/mem: Add missing memory barriers for devmem_inode (git-fixes).
- /dev/mem: Revoke mappings when a driver claims the region (git-fixes).
- dpaa_eth: fix usage as DSA master, try 3 (networking-stable-20_05_27).
- driver-core, libnvdimm: Let device subsystems add local lockdep coverage (bsc#1171753).
- Drivers: hv: Change flag to write log level in panic msg to false (bsc#1170617, bsc#1170618).
- drm: bridge: adv7511: Extend list of audio sample rates (bsc#1111666).
- drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1113956)  * context changes
- drm: encoder_slave: fix refcouting error for modules (bsc#1111666).
- drm: encoder_slave: fix refcouting error for modules (bsc#1114279)
- drm/i915/icl+: Fix hotplug interrupt disabling after storm detection (bsc#1112178)
- drm/mediatek: Check plane visibility in atomic_update (bsc#1113956)  * context changes
- drm/msm/dpu: fix error return code in dpu_encoder_init (bsc#1111666).
- drm: panel-orientation-quirks: Add quirk for Asus T101HA panel (bsc#1111666).
- drm: panel-orientation-quirks: Use generic orientation-data for Acer S1003 (bsc#1111666).
- drm/qxl: Use correct notify port address when creating cursor ring (bsc#1113956)
- drm/radeon: fix double free (bsc#1113956)
- drm/radeon: fix fb_div check in ni_init_smc_spll_table() (bsc#1113956)
- drm/sun4i: hdmi ddc clk: Fix size of m divider (bsc#1111666).
- drm/tegra: hub: Do not enable orphaned window group (bsc#1111666).
- drm/vkms: Hold gem object while still in-use (bsc#1113956)  * context changes
- e1000: Distribute switch variables for initialization (bsc#1111666).
- e1000e: Disable TSO for buffer overrun workaround (bsc#1051510).
- e1000e: Do not wake up the system via WOL if device wakeup is disabled (bsc#1051510).
- e1000e: Relax condition to trigger reset for ME workaround (bsc#1111666).
- EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1114279).
- ext4: fix a data race at inode->i_blocks (bsc#1171835).
- ext4: fix partial cluster initialization when splitting extent (bsc#1173839).
- ext4: fix race between ext4_sync_parent() and rename() (bsc#1173838).
- ext4, jbd2: ensure panic by fix a race between jbd2 abort and ext4 error handlers (bsc#1173833).
- fanotify: fix ignore mask logic for events on child and on dir (bsc#1172719).
- Fix boot crash with MD (bsc#1174343) Refresh patches.suse/mdraid-fix-read-write-bytes-accounting.patch
- fix multiplication overflow in copy_fdtable() (bsc#1173825).
- Fix Patch-mainline tag in the previous zram fix patch
- fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks (networking-stable-20_05_12).
- gpu: host1x: Detach driver on unregister (bsc#1111666).
- HID: magicmouse: do not set up autorepeat (git-fixes).
- hv_netvsc: Fix netvsc_start_xmit's return type (git-fixes).
- hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() (bsc#1111666).
- hwmon: (emc2103) fix unable to change fan pwm1_enable attribute (bsc#1111666).
- hwmon: (max6697) Make sure the OVERT mask is set correctly (bsc#1111666).
- i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 (bsc#1111666).
- i2c: eg20t: Load module automatically if ID matches (bsc#1111666).
- i2c: mlxcpld: check correct size of maximum RECV_LEN packet (bsc#1111666).
- i40e: reduce stack usage in i40e_set_fc (git-fixes).
- IB/hfi1: Do not destroy hfi1_wq when the device is shut down (bsc#1174409).
- IB/hfi1: Do not destroy link_wq when the device is shut down (bsc#1174409).
- ibmveth: Fix max MTU limit (bsc#1173428 ltc#186397).
- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).
- ibmvnic: Flush existing work items before device removal (bsc#1065729).
- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
- iio:health:afe4404 Fix timestamp alignment and prevent data leak (bsc#1111666).
- iio:humidity:hdc100x Fix alignment and data leak issues (bsc#1111666).
- iio:magnetometer:ak8974: Fix alignment and data leak issues (bsc#1111666).
- iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() (bsc#1111666).
- iio:pressure:ms5611 Fix buffer element alignment (bsc#1111666).
- iio: pressure: zpa2326: handle pm_runtime_get_sync failure (bsc#1111666).
- Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list (bsc#1111666).
- input: i8042 - Remove special PowerPC handling (git-fixes).
- Input: synaptics - add a second working PNP_ID for Lenovo T470s (bsc#1111666).
- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
- intel_th: Fix a NULL dereference when hub driver is not loaded (bsc#1111666).
- iommu/vt-d: Enable PCI ACS for platform opt in hint (bsc#1174130).
- ipvlan: call dev_change_flags when ipvlan mode is reset (git-fixes).
- ixgbevf: Remove limit of 10 entries for unicast filter list (git-fixes).
- jbd2: avoid leaking transaction credits when unreserving handle (bsc#1173845).
- jbd2: Preserve kABI when adding j_abort_mutex (bsc#1173833).
- kabi: hv: prevent struct device_node to become defined (bsc#1172871).
- kABI: protect struct mlx5_cmd_work_ent (kabi).
- kABI: reintroduce inet_hashtables.h include to l2tp_ip (kabi).
- kernfs: fix barrier usage in __kernfs_new_node() (bsc#1111666).
- KVM: nVMX: Do not reread VMCS-agnostic state when switching VMCS (bsc#1114279).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1114279).
- KVM: x86: Fix APIC page invalidation race (bsc#1174122).
- l2tp: add sk_family checks to l2tp_validate_socket (networking-stable-20_06_07).
- l2tp: do not use inet_hash()/inet_unhash() (networking-stable-20_06_07).
- libceph: do not omit recovery_deletes in target_copy() (bsc#1173462).
- libceph: do not omit recovery_deletes in target_copy() (bsc#1174113).
- libceph: ignore pool overlay and cache logic on redirects (bsc#1173146).
- libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock (bsc#1171753).
- libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant (bsc#1171753).
- libnvdimm/bus: Stop holding nvdimm_bus_list_mutex over __nd_ioctl() (bsc#1171753).
- libnvdimm: cover up changes in struct nvdimm_bus (bsc#1171753).
- libnvdimm: cover up nd_pfn_sb changes (bsc#1171759).
- libnvdimm/dax: Pick the right alignment default when creating dax devices (bsc#1171759).
- libnvdimm/label: Remove the dpa align check (bsc#1171759).
- libnvdimm/of_pmem: Provide a unique name for bus provider (bsc#1171739).
- libnvdimm/pfn_dev: Add a build check to make sure we notice when struct page size change (bsc#1171743).
- libnvdimm/pfn_dev: Add page size and struct page size to pfn superblock (bsc#1171759).
- libnvdimm/pfn: Prevent raw mode fallback if pfn-infoblock valid (bsc#1171743).
- libnvdimm/pmem: Advance namespace seed for specific probe errors (bsc#1171743).
- libnvdimm/region: Initialize bad block for volatile namespaces (bnc#1151927 5.3.6).
- libnvdimm/region: Rewrite _probe_success() to _advance_seeds() (bsc#1171743).
- libnvdimm: Use PAGE_SIZE instead of SZ_4K for align check (bsc#1171759).
- loop: replace kill_bdev with invalidate_bdev (bsc#1173820).
- lpfc_debugfs: get rid of pointless access_ok() (bsc#1172687 bsc#1171530).
- lpfc: Synchronize NVME transport and lpfc driver devloss_tmo (bcs#1173060).
- media: cec: silence shift wrapping warning in __cec_s_log_addrs() (git-fixes).
- media: si2157: Better check for running tuner in init (bsc#1111666).
- mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue (git-fixes).
- mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue (git-fixes).
- mlxsw: pci: Return error on PCI reset timeout (git-fixes).
- mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly (networking-stable-20_05_12).
- mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed (git-fixes).
- mlxsw: spectrum_dpipe: Add missing error path (git-fixes).
- mlxsw: spectrum: Prevent force of 56G (git-fixes).
- mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead (git-fixes).
- mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() (git-fixes).
- mlxsw: spectrum_switchdev: Add MDB entries in prepare phase (git-fixes).
- mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky (git-fixes).
- mmc: sdhci: do not enable card detect interrupt for gpio cd type (bsc#1111666).
- mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk (bsc#1111666).
- mvpp2: remove misleading comment (git-fixes).
- net: be more gentle about silly gso requests coming from user (networking-stable-20_06_07).
- net: check untrusted gso_size at kernel entry (networking-stable-20_06_07).
- net/cxgb4: Check the return from t4_query_params properly (git-fixes).
- net: dsa: bcm_sf2: Fix node reference count (git-fixes).
- net: dsa: loop: Add module soft dependency (networking-stable-20_05_16).
- net: dsa: mt7530: fix roaming from DSA user ports (networking-stable-20_05_27).
- net: ena: add intr_moder_rx_interval to struct ena_com_dev and use it (git-fixes).
- net: ena: add missing ethtool TX timestamping indication (git-fixes).
- net: ena: avoid memory access violation by validating req_id properly (git-fixes).
- net: ena: do not wake up tx queue when down (git-fixes).
- net: ena: ena-com.c: prevent NULL pointer dereference (git-fixes).
- net: ena: ethtool: use correct value for crc32 hash (git-fixes).
- net: ena: fix continuous keep-alive resets (git-fixes).
- net: ena: fix corruption of dev_idx_to_host_tbl (git-fixes).
- net: ena: fix default tx interrupt moderation interval (git-fixes).
- net: ena: fix incorrect default RSS key (git-fixes).
- net: ena: fix incorrectly saving queue numbers when setting RSS indirection table (git-fixes).
- net: ena: fix issues in setting interrupt moderation params in ethtool (git-fixes).
- net: ena: fix potential crash when rxfh key is NULL (git-fixes).
- net: ena: fix retrieval of nonadaptive interrupt moderation intervals (git-fixes).
- net: ena: fix uses of round_jiffies() (git-fixes).
- net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE (git-fixes).
- net: ena: reimplement set/get_coalesce() (git-fixes).
- net: ena: rss: do not allocate key when not supported (git-fixes).
- net: ena: rss: fix failure to get indirection table (git-fixes).
- net: ena: rss: store hash function as values and not bits (git-fixes).
- netfilter: ctnetlink: netns exit must wait for callbacks (bsc#1169795).
- net: fix a potential recursive NETDEV_FEAT_CHANGE (networking-stable-20_05_16).
- net: inet_csk: Fix so_reuseport bind-address cache in tb->fast* (networking-stable-20_05_27).
- net: ipip: fix wrong address family in init error path (networking-stable-20_05_27).
- net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set (git-fixes).
- net: macsec: preserve ingress frame ordering (networking-stable-20_05_12).
- net/mlx4_core: drop useless LIST_HEAD (git-fixes).
- net/mlx4_core: fix a memory leak bug (git-fixes).
- net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() (networking-stable-20_05_12).
- net/mlx5: Add command entry handling completion (networking-stable-20_05_27).
- net/mlx5: Avoid panic when setting vport rate (git-fixes).
- net/mlx5: Continue driver initialization despite debugfs failure (git-fixes).
- net/mlx5e: ethtool, Fix a typo in WOL function names (git-fixes).
- net/mlx5e: Fix traffic duplication in ethtool steering (git-fixes).
- net/mlx5e: Remove unnecessary clear_bit()s (git-fixes).
- net/mlx5e: Update netdev txq on completions during closure (networking-stable-20_05_27).
- net/mlx5: Fix command entry leak in Internal Error State (networking-stable-20_05_12).
- net/mlx5: Fix crash upon suspend/resume (networking-stable-20_06_07).
- net/mlx5: Fix forced completion access non initialized command entry (networking-stable-20_05_12).
- net: mvmdio: allow up to four clocks to be specified for orion-mdio (git-fixes).
- net: mvpp2: prs: Do not override the sign bit in SRAM parser shift (git-fixes).
- net: phy: fix aneg restart in phy_ethtool_set_eee (networking-stable-20_05_16).
- netprio_cgroup: Fix unlimited memory leak of v2 cgroups (networking-stable-20_05_16).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() (networking-stable-20_05_27).
- net: revert 'net: get rid of an signed integer overflow in ip_idents_reserve()' (networking-stable-20_05_27).
- net sched: fix reporting the first-time use timestamp (networking-stable-20_05_27).
- net: stricter validation of untrusted gso packets (networking-stable-20_05_12).
- net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() (networking-stable-20_05_12).
- net/tls: Fix sk_psock refcnt leak when in tls_data_ready() (networking-stable-20_05_12).
- net: usb: qmi_wwan: add support for DW5816e (networking-stable-20_05_12).
- net: usb: qmi_wwan: add Telit 0x1050 composition (networking-stable-20_06_07).
- net: usb: qmi_wwan: add Telit LE910C1-EUX composition (networking-stable-20_06_07).
- net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() (bsc#1172484).
- nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K (git-fixes).
- nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() (bsc#1173857).
- nvdimm: Avoid race between probe and reading device attributes (bsc#1170442).
- nvme: check for NVME_CTRL_LIVE in nvme_report_ns_ids() (bcs#1171558 bsc#1159058).
- nvme: do not update multipath disk information if the controller is down (bcs#1171558 bsc#1159058).
- objtool: Clean instruction state before each function validation (bsc#1169514).
- objtool: Ignore empty alternatives (bsc#1169514).
- ocfs2: no need try to truncate file beyond i_size (bsc#1171841).
- padata: ensure the reorder timer callback runs on the correct CPU (git-fixes).
- padata: reorder work kABI fixup (git-fixes).
- PCI/AER: Remove HEST/FIRMWARE_FIRST parsing for AER ownership (bsc#1174356).
- PCI/AER: Use only _OSC to determine AER ownership (bsc#1174356).
- PCI: Generalize multi-function power dependency device links (bsc#1111666).
- PCI: hv: Change pci_protocol_version to per-hbus (bsc#1172871, bsc#1172872).
- PCI: hv: Fix the PCI HyperV probe failure path to release resource properly (bsc#1172871, bsc#1172872).
- PCI: hv: Introduce hv_msi_entry (bsc#1172871, bsc#1172872).
- PCI: hv: Move hypercall related definitions into tlfs header (bsc#1172871, bsc#1172872).
- PCI: hv: Move retarget related structures into tlfs header (bsc#1172871, bsc#1172872).
- PCI: hv: Reorganize the code in preparation of hibernation (bsc#1172871, bsc#1172872).
- PCI: hv: Retry PCI bus D0 entry on invalid device state (bsc#1172871, bsc#1172872).
- PCI: pciehp: Fix indefinite wait on sysfs requests (git-fixes).
- PCI: pciehp: Support interrupts sent from D3hot (git-fixes).
- pci: Revive pci_dev __aer_firmware_first* fields for kABI (bsc#1174356).
- perf/x86/amd: Constrain Large Increment per Cycle events (git-fixes).
- perf/x86/amd: Constrain Large Increment per Cycle events (git-fixes).
- perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity (git-fixes).
- perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity (git-fixes).
- perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops (git-fixes).
- perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops (git-fixes).
- perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) (git-fixes).
- perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) (git-fixes).
- perf/x86/amd/iommu: Make the 'amd_iommu_attr_groups' symbol static (git-fixes).
- perf/x86/amd/iommu: Make the 'amd_iommu_attr_groups' symbol static (git-fixes).
- perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs (git-fixes stable).
- perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs (git-fixes stable).
- perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs (git-fixes).
- perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs (git-fixes).
- perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events (git-fixes stable).
- perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events (git-fixes stable).
- perf/x86: Enable free running PEBS for REGS_USER/INTR (git-fixes).
- perf/x86: Enable free running PEBS for REGS_USER/INTR (git-fixes).
- perf/x86: Fix incorrect PEBS_REGS (git-fixes).
- perf/x86: Fix incorrect PEBS_REGS (git-fixes).
- perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() (git-fixes).
- perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() (git-fixes).
- perf/x86/intel: Add proper condition to run sched_task callbacks (git-fixes).
- perf/x86/intel: Add proper condition to run sched_task callbacks (git-fixes).
- perf/x86/intel/bts: Fix the use of page_private() (git-fixes).
- perf/x86/intel/bts: Fix the use of page_private() (git-fixes).
- perf/x86/intel: Fix PT PMI handling (git-fixes).
- perf/x86/intel: Fix PT PMI handling (git-fixes).
- perf/x86/intel: Move branch tracing setup to the Intel-specific source file (git-fixes).
- perf/x86/intel: Move branch tracing setup to the Intel-specific source file (git-fixes).
- perf/x86/intel/uncore: Add Node ID mask (git-fixes).
- perf/x86/intel/uncore: Add Node ID mask (git-fixes).
- perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX (git-fixes).
- perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX (git-fixes).
- perf/x86/intel/uncore: Handle invalid event coding for free-running counter (git-fixes).
- perf/x86/uncore: Fix event group support (git-fixes).
- perf/x86/uncore: Fix event group support (git-fixes).
- platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() (bsc#1111666).
- PM / Domains: Allow genpd users to specify default active wakeup behavior (git-fixes).
- powerpc/book3s64: Export has_transparent_hugepage() related functions (bsc#1171759).
- powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey (bsc#1065729).
- powerpc/fadump: fix race between pstore write and fadump crash trigger (bsc#1168959 ltc#185010).
- powerpc/xmon: Reset RCU and soft lockup watchdogs (bsc#1065729).
- power: vexpress: add suppress_bind_attrs to true (bsc#1111666).
- pppoe: only process PADT targeted at local interfaces (networking-stable-20_05_16).
- qed: reduce maximum stack frame size (git-fixes).
- qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
- r8152: support additional Microsoft Surface Ethernet Adapter variant (networking-stable-20_05_27).
- RDMA/efa: Set maximum pkeys device attribute (bsc#1111666)
- README.BRANCH: Add Takashi Iwai as primary maintainer.
- regmap: debugfs: Do not sleep while atomic for fast_io regmaps (bsc#1111666).
- Revert commit e918e570415c ('tpm_tis: Remove the HID IFX0102') (bsc#1111666).
- Revert 'ipv6: add mtu lock check in __ip6_rt_update_pmtu' (networking-stable-20_05_16).
- Revert 'thermal: mediatek: fix register index error' (bsc#1111666).
- rpm/kernel-docs.spec.in: Require python-packaging for build.
- rtnetlink: Fix memory(net_device) leak when ->newlink fails (git-fixes).
- s390: fix syscall_get_error for compat processes (git-fixes).
- s390/qdio: consistently restore the IRQ handler (git-fixes).
- s390/qdio: lock device while installing IRQ handler (git-fixes).
- s390/qdio: put thinint indicator after early error (git-fixes).
- s390/qdio: tear down thinint indicator after early error (git-fixes).
- s390/qeth: fix error handling for isolation mode cmds (git-fixes).
- sch_choke: avoid potential panic in choke_reset() (networking-stable-20_05_12).
- sch_sfq: validate silly quantum values (networking-stable-20_05_12).
- scsi: aacraid: fix a signedness bug (bsc#1174296).
- scsi: hisi_sas: fix calls to dma_set_mask_and_coherent() (bsc#1174296).
- scsi: lpfc: Add an internal trace log buffer (bsc#1172687 bsc#1171530).
- scsi: lpfc: Add blk_io_poll support for latency improvment (bsc#1172687 bsc#1171530).
- scsi: lpfc: Add support to display if adapter dumps are available (bsc#1172687 bsc#1171530).
- scsi: lpfc: Allow applications to issue Common Set Features mailbox command (bsc#1172687 bsc#1171530).
- scsi: lpfc: Avoid another null dereference in lpfc_sli4_hba_unset() (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix inconsistent indenting (bsc#1158983).
- scsi: lpfc: Fix interrupt assignments when multiple vectors are supported on same CPU (bsc#1158983).
- scsi: lpfc: Fix kdump hang on PPC (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix language in 0373 message to reflect non-error message (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix less-than-zero comparison of unsigned value (bsc#1158983).
- scsi: lpfc: Fix missing MDS functionality (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix NVMe rport deregister and registration during ADISC (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix oops due to overrun when reading SLI3 data (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix shost refcount mismatch when deleting vport (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix stack trace seen while setting rrq active (bsc#1172687 bsc#1171530).
- scsi: lpfc: Fix unused assignment in lpfc_sli4_bsg_link_diag_test (bsc#1172687 bsc#1171530).
- scsi: lpfc: Update lpfc version to 12.8.0.2 (bsc#1158983).
- scsi: megaraid_sas: Fix a compilation warning (bsc#1174296).
- scsi: mpt3sas: Fix double free in attach error handling (bsc#1174296).
- scsi: qedf: Add port_id getter (bsc#1150660).
- scsi: qla2xxx: Fix a condition in qla2x00_find_all_fabric_devs() (bsc#1174296).
- scsi: qla2xxx: Set NVMe status code for failed NVMe FCP request (bsc#1158983).
- sctp: Do not add the shutdown timer if its already been added (networking-stable-20_05_27).
- sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed (networking-stable-20_05_27).
- spi: fix initial SPI_SR value in spi-fsl-dspi (bsc#1111666).
- spi: pxa2xx: Apply CS clk quirk to BXT (bsc#1111666).
- spi: spidev: fix a race between spidev_release and spidev_remove (bsc#1111666).
- spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate (bsc#1111666).
- staging: comedi: verify array index is correct before using it (bsc#1111666).
- SUNRPC: The TCP back channel mustn't disappear while requests are outstanding (bsc#1152624).
- tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes (bsc#1173284).
- timers: Add a function to start/reduce a timer (networking-stable-20_05_27).
- tpm_tis: extra chip->ops check on error path in tpm_tis_core_init (bsc#1111666).
- tpm_tis: Remove the HID IFX0102 (bsc#1111666).
- tracing: Fix event trigger to accept redundant spaces (git-fixes).
- tty: hvc_console, fix crashes on parallel open/close (git-fixes).
- tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 (networking-stable-20_05_12).
- ubifs: remove broken lazytime support (bsc#1173826).
- usb: add USB_QUIRK_DELAY_INIT for Logitech C922 (git-fixes).
- usb: c67x00: fix use after free in c67x00_giveback_urb (bsc#1111666).
- usb: chipidea: core: add wakeup support for extcon (bsc#1111666).
- usb: dwc2: Fix shutdown callback in platform (bsc#1111666).
- usb: dwc3: gadget: introduce cancelled_list (git-fixes).
- usb: dwc3: gadget: never call ->complete() from ->ep_queue() (git-fixes).
- usb: dwc3: gadget: Properly handle ClearFeature(halt) (git-fixes).
- usb: dwc3: gadget: Properly handle failed kick_transfer (git-fixes).
- usb: ehci: reopen solution for Synopsys HC bug (git-fixes).
- usb: gadget: fix potential double-free in m66592_probe (bsc#1111666).
- usb: gadget: udc: atmel: fix uninitialized read in debug printk (bsc#1111666).
- usb: gadget: udc: atmel: remove outdated comment in usba_ep_disable() (bsc#1111666).
- usb: gadget: udc: Potential Oops in error handling code (bsc#1111666).
- usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() (bsc#1111666).
- usbnet: smsc95xx: Fix use-after-free after removal (bsc#1111666).
- usb: ohci-sm501: Add missed iounmap() in remove (bsc#1111666).
- usb: serial: ch341: add new Product ID for CH340 (bsc#1111666).
- usb: serial: cypress_m8: enable Simply Automated UPB PIM (bsc#1111666).
- usb: serial: iuu_phoenix: fix memory corruption (bsc#1111666).
- usb: serial: option: add GosunCn GM500 series (bsc#1111666).
- usb: serial: option: add Quectel EG95 LTE modem (bsc#1111666).
- vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174123).
- vfs: Fix EOVERFLOW testing in put_compat_statfs64 (bnc#1151927 5.3.6).
- virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial (git-fixes).
- vmxnet3: add geneve and vxlan tunnel offload support (bsc#1172484).
- vmxnet3: add support to get/set rx flow hash (bsc#1172484).
- vmxnet3: allow rx flow hash ops only when rss is enabled (bsc#1172484).
- vmxnet3: avoid format strint overflow warning (bsc#1172484).
- vmxnet3: prepare for version 4 changes (bsc#1172484).
- vmxnet3: Remove always false conditional statement (bsc#1172484).
- vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1172484).
- vmxnet3: remove unused flag 'rxcsum' from struct vmxnet3_adapter (bsc#1172484).
- vmxnet3: Replace msleep(1) with usleep_range() (bsc#1172484).
- vmxnet3: update to version 4 (bsc#1172484).
- vmxnet3: use correct hdr reference when packet is encapsulated (bsc#1172484).
- vsock: fix timeout in vsock_accept() (networking-stable-20_06_07).
- vxlan: Avoid infinite loop when suppressing NS messages with invalid options (git-fixes).
- wil6210: make sure Rx ring sizes are correlated (git-fixes).
- x86/apic: Install an empty physflat_init_apic_ldr (bsc#1163309).
- x86/events/intel/ds: Add PERF_SAMPLE_PERIOD into PEBS_FREERUNNING_FLAGS (git-fixes).
- x86/events/intel/ds: Add PERF_SAMPLE_PERIOD into PEBS_FREERUNNING_FLAGS (git-fixes).
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1172257).
- x86/reboot/quirks: Add MacBook6,1 reboot quirk (bsc#1114279).
- xhci: Fix incorrect EP_STATE_MASK (git-fixes).


-----------------------------------------
Patch: SUSE-2020-2131
Released: Wed Aug  5 13:53:25 2020
Summary: Recommended update for sapconf
Severity: moderate
References: 1124453,1139176,1150868,1150870,1166925,1168067,1168840
Description:
This update for sapconf fixes the following issues:

- Check the values of the 'vm.dirty_*' settings to be in a valid range before activating or restoring these system values. (bsc#1168067)
- Add a logrotate drop-in file for sapconf to control the size of the logfile. (bsc#1166925)
- Implement and use the system wide security limits. (bsc#1168840)
- Add support multi-queued scheduler for block devices. (jsc#SLE-11141, jsc#SLE-11144)
- Remove usage of tuned from sapconf (jsc#SLE-10986, jsc#SLE-10989):
  - Only ONE configuration file for sapconf
  - All parameters of the tuned profile defined in tuned.conf sapconf
  - Implement Switching a sapconf profile.
  - Prevent sapconf related tuned error messages by turning off tuned in the preinstall phase and  removing the 'active' sapconf profile.
- If sapconf detects an improper tuned profile during start notes that the log, fails the start deliberatly and guides the administrator to the problem. (bsc#1139176)
- Use absolute path in the configuration file. (bsc#1124453)
- Replace the delimiter for a sed command in postinstall script, because of conflicts with rpm macros. (bsc#1150868, bsc#1150870)
  

-----------------------------------------
Patch: SUSE-2020-2135
Released: Wed Aug  5 17:53:19 2020
Summary: Optional update for python-setuptools
Severity: low
References: 1174035
Description:
This update for python-setuptools doesn't fix any user visible issues, but changes the
package meta information, in order to support building for other packages (bsc#1174035)

-----------------------------------------
Patch: SUSE-2020-2136
Released: Wed Aug  5 17:55:42 2020
Summary: Recommended update for yast2-bootloader
Severity: moderate
References: 1172720
Description:
This update for yast2-bootloader fixes the following issues:

- Fixes an issue where the pmbr setup was accidentally applied to non-GPT formatted disks,
  which led to an error during installation (bsc#1172720)


-----------------------------------------
Patch: SUSE-2020-2145
Released: Thu Aug  6 11:15:27 2020
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1124318,1130864,1155911,1160007
Description:
This update for SUSEConnect fixes the following issues:

- Fixes an issue where SUSEConnect was not able to detect cloud_provider on large AWS instances
  e.g. c5n.9xlarge (bsc#1160007)
- Removed the ability to unregister on-demand Public Cloud instances (bsc#1155911)


-----------------------------------------
Patch: SUSE-2020-2157
Released: Thu Aug  6 20:04:22 2020
Summary: Security update for python-ipaddress
Severity: important
References: 1173274,CVE-2020-14422
Description:
This update for python-ipaddress fixes the following issues:

- Add CVE-2020-14422-ipaddress-hash-collision.patch fixing
  CVE-2020-14422 (bsc#1173274, bpo#41004), where hash collisions
  in IPv4Interface and IPv6Interface could lead to DOS. 


-----------------------------------------
Version 1.0.5-SAP-BYOS-Build1.45 2020-08-08T07:53:28

-----------------------------------------
Patch: SUSE-2020-2164
Released: Fri Aug  7 11:04:39 2020
Summary: Recommended update for Linux Kernel
Severity: important
References: 1174887
Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive the following fixes:

Fix a regression where virt-manager generated KVM setups and possible others could fail to boot the kernel (bsc#1174887)



-----------------------------------------
Patch: SUSE-2020-2166
Released: Fri Aug  7 13:20:20 2020
Summary: Security update for xen
Severity: important
References: 1172356,1174543
Description:
This update for xen fixes the following issues:

- bsc#1174543 - secure boot related fixes
- bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to attach on next 
    reboot while it should be live attached


-----------------------------------------
Patch: SUSE-2020-2173
Released: Fri Aug  7 16:11:16 2020
Summary: Security update for perl-XML-Twig
Severity: moderate
References: 1008644,CVE-2016-9180
Description:
This update for perl-XML-Twig fixes the following issues:

- Security fix [bsc#1008644, CVE-2016-9180]
  * Added: the no_xxe option to XML::Twig::new, which causes the
    parse to fail if external entities are used (to prevent
    malicious XML to access the filesystem).
  * Setting expand_external_ents to 0 or -1 currently doesn't work
    as expected; To completely turn off expanding external entities
    use no_xxe.
  * Update documentation for XML::Twig to mention problems with
    expand_external_ents and add information about new no_xxe argument


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.1 2020-08-11T07:51:45

-----------------------------------------
Patch: SUSE-2020-2177
Released: Mon Aug 10 09:29:50 2020
Summary: Recommended update for drbd
Severity: moderate
References: 1174543
Description:

This update of drbd fixes the following issue:

- rebuilt with new signing key. (bsc#1174543)
  

-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.2 2020-08-12T07:52:55

-----------------------------------------
Patch: SUSE-2020-2193
Released: Tue Aug 11 11:59:39 2020
Summary: Optional update for python-setuptools
Severity: low
References: 1174035
Description:

This update for python-packaging delivers it to the Public Cloud Module to satisfy
python-setuptools dependencies.  (bsc#1174035)


-----------------------------------------
Patch: SUSE-2020-2196
Released: Tue Aug 11 13:31:24 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.4 2020-08-13T07:51:48

-----------------------------------------
Patch: SUSE-2020-2213
Released: Wed Aug 12 10:44:22 2020
Summary: Security update for python3-PyYAML
Severity: moderate
References: 1002895,1073879,1082318,1099308,1122668,1165439,921588,CVE-2014-9130,CVE-2017-18342,CVE-2020-1747
Description:
This update for python3-PyYAML fixes the following issues:

python3-PyYAML was updated to version 5.1.2 (fate#326950, bsc#1122668, jsc#PM-1447).

The following security issues were fixed:

- CVE-2020-1747: arbitrary code execution during python/object/* constructors (bsc#1165439).
- CVE-2017-18342: arbitrary code execution in yaml.load() API (bsc#1099308).
- CVE-2014-9130: assertion failure when processing wrapped strings (bsc#921588).

The following non-security issues were fixed:

- Build python3 subpackage (FATE#324435, bsc#1073879).
- Build against libyaml to get the faster module.


-----------------------------------------
Patch: SUSE-2020-2218
Released: Wed Aug 12 15:47:36 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata
Severity: moderate
References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847
Description:
This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:

supportutils-plugin-suse-public-cloud:

- Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt
  are installed at the same time (bsc#1174618)
- Sensitive information like credentials (such as access keys) will be removed when the
  metadata is being collected (bsc#1170475, bsc#1170476)

python3-azuremetadata:

- Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)
- Detects when the VM is running in ASM (Azure Classic) and does now handle the condition
  to generate the data without requiring access to the full IMDS available, only in ARM
  instances (bsc#1173357, bsc#1174847)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.5 2020-08-14T07:51:46

-----------------------------------------
Patch: SUSE-2020-2229
Released: Thu Aug 13 10:14:37 2020
Summary: Recommended update for util-linux
Severity: moderate
References: 1149911,1151708,1168235,1168389
Description:
This update for util-linux fixes the following issues:

- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)


-----------------------------------------
Patch: SUSE-2020-2233
Released: Thu Aug 13 11:33:13 2020
Summary: Security update for libvirt
Severity: important
References: 1161883,1171946,1172052,1174458,CVE-2020-14339
Description:
This update for libvirt fixes the following issues:

- CVE-2020-14339: Don't leak /dev/mapper/control into QEMU. Use
  ioctl's to obtain the dependency tree of disks and drop use of
  libdevmapper. - bsc#1161883, bsc#1174458
- qemu: Setup emulator thread and cpuset.mems before exec - bsc#1171946
- libxl: Normalize MAC address in device conf on netdev hotplug - bsc#1172052


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.6 2020-08-15T07:53:14

-----------------------------------------
Patch: SUSE-2020-2247
Released: Fri Aug 14 15:28:07 2020
Summary: Recommended update for grub2
Severity: important
References: 1174782,1175036,1175060
Description:
This update for grub2 fixes the following issues:

- A potential regression has been fixed that would cause systems with an
  updated 'grub2' to boot no longer due to a missing 'grub-calloc' linker
  symbol. (bsc#1174782)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.8 2020-08-19T07:53:05

-----------------------------------------
Patch: SUSE-2020-2261
Released: Tue Aug 18 11:48:30 2020
Summary: Recommended update for sysfsutils
Severity: moderate
References: 1155305
Description:
This update for sysfsutils fixes the following issue:

- Fix cdev name comparison. (bsc#1155305)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.9 2020-08-20T07:52:54

-----------------------------------------
Patch: SUSE-2020-2275
Released: Wed Aug 19 13:21:33 2020
Summary: Security update for python
Severity: moderate
References: 1174091,CVE-2019-20907
Description:
This update for python fixes the following issues:

- CVE-2019-20907: Avoid a possible infinite loop caused by specifically crafted tarballs (bsc#1174091).


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.10 2020-08-21T07:54:07

-----------------------------------------
Patch: SUSE-2020-2287
Released: Thu Aug 20 16:07:37 2020
Summary: Recommended update for grep
Severity: moderate
References: 1174080
Description:
This update for grep fixes the following issues:

- Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.11 2020-08-22T07:55:56

-----------------------------------------
Patch: SUSE-2020-2294
Released: Fri Aug 21 16:59:17 2020
Summary: Recommended update for openldap2
Severity: important
References: 1174537
Description:
This update for openldap2 fixes the following issues:

- Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.12 2020-08-26T07:55:04

-----------------------------------------
Patch: SUSE-2020-2305
Released: Tue Aug 25 14:47:47 2020
Summary: Security update for grub2
Severity: important
References: 1172745,1174421,CVE-2020-15705
Description:
This update for grub2 fixes the following issues:

- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).
- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).


-----------------------------------------
Patch: SUSE-2020-2319
Released: Tue Aug 25 15:39:37 2020
Summary: Recommended update for python3-ec2metadata
Severity: moderate
References: 1174743,1174837
Description:
This update for python3-ec2metadata contains the following fixes:

- Update to version 3.0.3 (bsc#1174743, bsc#1174837)
  + Prefer IMDSv2 and switch all IMDS access requests to support v2 token
    based access method.


-----------------------------------------
Patch: SUSE-2020-2320
Released: Tue Aug 25 15:40:26 2020
Summary: Recommended update for python
Severity: moderate
References: 1175619
Description:
This update for python provides the following fix:

- Set correct value of %python2_package_prefix to python
  (as expected on SLE-12). (bsc#1175619)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.15 2020-08-31T07:53:58

-----------------------------------------
Patch: SUSE-2020-2371
Released: Fri Aug 28 12:56:29 2020
Summary: Recommended update for Salt
Severity: moderate
References: 1171461,1172211,1173936
Description:
 This update fixes the following issues:

salt:

- Require /usr/bin/python instead of /bin/python for RHEL-family (bsc#1173936)
- Don't install SuSEfirewall2 service files in Factory
- Fix __mount_device wrapper to accept separate args and kwargs
- Fix the registration of libvirt pool and nodedev events
- Accept nested namespaces in spacewalk.api runner function. (bsc#1172211)
- Info_installed works without status attr now (bsc#1171461)



-----------------------------------------
Patch: SUSE-2020-2379
Released: Fri Aug 28 14:53:37 2020
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Severity: moderate
References: 1175250,1175251
Description:
This update for supportutils-plugin-suse-public-cloud contains the following fix:

- Update to version 1.0.5: (bsc#1175250, bsc#1175251)
  + Query for new GCE initialization code packages


-----------------------------------------
Patch: SUSE-2020-2385
Released: Sat Aug 29 01:16:07 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1170354,1175101
Description:
This update for resource-agents fixes the following issues:

- Fix for supporting 'multi alias IP' for resource agent to meet the requirements properly of multiple scenarios. (bsc#1175101)
- Fix for version checking of pacemaker to make it compatible with with the SUSE version format. (bsc#1170354)


-----------------------------------------
Patch: SUSE-2020-2388
Released: Sat Aug 29 01:22:47 2020
Summary: Recommended update for Mesa
Severity: moderate
References: 1172468
Description:
This update for Mesa fixes the following issues:

- Fixes memory leaks locking up desktop ups randomly. (bsc#1172468)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.18 2020-09-02T07:54:24

-----------------------------------------
Patch: SUSE-2020-2410
Released: Tue Sep  1 13:15:48 2020
Summary: Recommended update for pam
Severity: low
References: 1173593
Description:

This update of pam fixes the following issue:

- On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com
  a pam version with a higher release number than the last update of pam
  was delivered. This update releases pam with a  higher release number
  to align it with this media. (bsc#1173593)
  

-----------------------------------------
Patch: SUSE-2020-2426
Released: Tue Sep  1 13:55:11 2020
Summary: Recommended update for sysstat
Severity: low
References: 1173593
Description:

This update for sysstat fixes the following issue:

- sysstat was rebuild with a higher release number to adjust against
  other released 12 SP5 images, where the release number was too high. (bsc#1173593)
  

-----------------------------------------
Patch: SUSE-2020-2428
Released: Tue Sep  1 22:07:35 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1174673
Description:
This update for ca-certificates-mozilla fixes the following issues:

Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

- AddTrust External CA Root
- AddTrust Class 1 CA Root
- LuxTrust Global Root 2
- Staat der Nederlanden Root CA - G2
- Symantec Class 1 Public Primary Certification Authority - G4
- Symantec Class 2 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

- certSIGN Root CA G2
- e-Szigno Root CA 2017
- Microsoft ECC Root Certificate Authority 2017
- Microsoft RSA Root Certificate Authority 2017


-----------------------------------------
Patch: SUSE-2020-2439
Released: Tue Sep  1 22:13:01 2020
Summary: Recommended update for avahi
Severity: moderate
References: 1154063
Description:
This update for avahi fixes the following issues:

- When changing ownership of /var/lib/autoipd, only change
  ownership of files owned by avahi, to mitigate against
  possible exploits (bsc#1154063).


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.20 2020-09-03T07:54:19

-----------------------------------------
Patch: SUSE-2020-2444
Released: Wed Sep  2 09:32:43 2020
Summary: Security update for curl
Severity: moderate
References: 1175109,CVE-2020-8231
Description:
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
  rare circumstances experience that when subsequently using the
  setup connect-only transfer, libcurl will pick and use the wrong
  connection and instead pick another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]


-----------------------------------------
Patch: SUSE-2020-2468
Released: Wed Sep  2 23:29:07 2020
Summary: Recommended update for aws-cli, python-boto3, and python-botocore
Severity: moderate
References: 1175147,1175148
Description:
This update for aws-cli, python-boto3, and python-botocore fixes the following issues:

- This update mainly focuses on updating the API clients. Please refer to the rpm changelog of each package
  to receive a detailed list of all changes.

-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.21 2020-09-04T07:54:17

-----------------------------------------
Patch: SUSE-2020-2475
Released: Thu Sep  3 12:10:58 2020
Summary: Security update for libX11
Severity: moderate
References: 1175239,CVE-2020-14363
Description:
This update for libX11 fixes the following issues:

- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).


-----------------------------------------
Patch: SUSE-2020-2482
Released: Thu Sep  3 15:21:44 2020
Summary: Security update for java-1_7_1-ibm
Severity: moderate
References: 1174157,1175259,CVE-2019-17639,CVE-2020-14577,CVE-2020-14578,CVE-2020-14579,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621
Description:
This update for java-1_7_1-ibm fixes the following issues:

- Update to Java 7.1 Service Refresh 4 Fix Pack 70 [bsc#1175259, bsc#1174157]
  CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14621
  CVE-2020-14593 CVE-2020-14583 CVE-2019-17639
  * Class Libraries:
    - UPDATE TIMEZONE INFORMATION TO TZDATA2020A
  * Security:
    - CERTIFICATEEXCEPTION OCCURS WHEN FILE.ENCODING PROPERTY SET TO
      NON DEFAULT VALUE


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.22 2020-09-05T07:53:06

-----------------------------------------
Patch: SUSE-2020-2547
Released: Fri Sep  4 18:17:13 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1174551,1174736
Description:
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.23 2020-09-08T07:53:43

-----------------------------------------
Patch: SUSE-2020-2555
Released: Mon Sep  7 14:30:36 2020
Summary: Recommended update for systemd
Severity: moderate
References: 1169488,1173227
Description:
This update for systemd fixes the following issues:

- Fix inconsistent file modes for some ghost files. (bsc#1173227)
- Fix for an issue where nfs-server clone causes cluster node to hang on reboot. (bsc#1169488)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.25 2020-09-09T07:54:28

-----------------------------------------
Patch: SUSE-2020-2570
Released: Tue Sep  8 14:59:35 2020
Summary: Security update for libjpeg-turbo
Severity: moderate
References: 1172491,CVE-2020-13790
Description:
This update for libjpeg-turbo fixes the following issues:

- CVE-2020-13790: Fixed a heap-based buffer over-read via a malformed PPM input file (bsc#1172491).


-----------------------------------------
Patch: SUSE-2020-2574
Released: Tue Sep  8 17:53:31 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1058115,1065600,1065729,1071995,1074701,1083548,1085030,1085235,1085308,1087078,1087082,1094912,1100394,1102640,1105412,1111666,1112178,1113956,1120163,1133021,1136666,1144333,1152148,1163524,1165629,1166965,1169790,1170232,1171558,1171688,1172073,1172108,1172247,1172418,1172428,1172871,1172872,1172873,1172963,1173060,1173485,1173798,1173954,1174003,1174026,1174070,1174161,1174205,1174387,1174484,1174547,1174549,1174550,1174625,1174658,1174685,1174689,1174699,1174734,1174757,1174771,1174840,1174841,1174843,1174844,1174845,1174852,1174873,1174904,1174926,1174968,1175062,1175063,1175064,1175065,1175066,1175067,1175112,1175127,1175128,1175149,1175199,1175213,1175228,1175232,1175284,1175393,1175394,1175396,1175397,1175398,1175399,1175400,1175401,1175402,1175403,1175404,1175405,1175406,1175407,1175408,1175409,1175410,1175411,1175412,1175413,1175414,1175415,1175416,1175417,1175418,1175419,1175420,1175421,1175422,1175423,1175440,1175493,1175515,1175518,1175526,1175550,1175654,1175666,1175667,1175668,1175669,1175670,1175691,1175767,1175768,1175769,1175770,1175771,1175772,1175786,1175873,1176069,CVE-2020-14314,CVE-2020-14331,CVE-2020-14356,CVE-2020-14386,CVE-2020-16166,CVE-2020-1749,CVE-2020-24394
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-1749: Use ip6_dst_lookup_flow instead of  ip6_dst_lookup (bsc#1165629).
- CVE-2020-14314: Fixed a potential negative array index in do_split()  (bsc#1173798). 
- CVE-2020-14356: Fixed a null pointer dereference in cgroupv2 subsystem which could have led to privilege escalation (bsc#1175213). 
- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205). 
- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).
- CVE-2020-24394: Fixed an issue which could set incorrect permissions on new filesystem objects when the filesystem lacks ACL support (bsc#1175518).
- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).

The following non-security bugs were fixed:

- ACPI: kABI fixes for subsys exports (bsc#1174968).
- ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq (bsc#1174968).
- ACPI / LPSS: Use acpi_lpss_* instead of acpi_subsys_* functions for hibernate (bsc#1174968).
- ACPI: PM: Introduce 'poweroff' callbacks for ACPI PM domain and LPSS (bsc#1174968).
- ACPI: PM: Simplify and fix PM domain hibernation callbacks (bsc#1174968).
- ALSA: core: pcm_iec958: fix kernel-doc (bsc#1111666).
- ALSA: echoaduio: Drop superfluous volatile modifier (bsc#1111666).
- ALSA: echoaudio: Fix potential Oops in snd_echo_resume() (bsc#1111666).
- ALSA: hda: Add support for Loongson 7A1000 controller (bsc#1111666).
- ALSA: hda/ca0132 - Add new quirk ID for Recon3D (bsc#1111666).
- ALSA: hda/ca0132 - Fix AE-5 microphone selection commands (bsc#1111666).
- ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value (bsc#1111666).
- ALSA: hda: fix NULL pointer dereference during suspend (git-fixes).
- ALSA: hda: fix snd_hda_codec_cleanup() documentation (bsc#1111666).
- ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO (bsc#1111666).
- ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops (bsc#1111666).
- ALSA: hda/realtek: Add model alc298-samsung-headphone (git-fixes).
- ALSA: hda/realtek: Add mute LED and micmute LED support for HP systems (bsc#1111666).
- ALSA: hda/realtek - Add quirk for Lenovo Carbon X1 8th gen (bsc#1111666).
- ALSA: hda/realtek - Add quirk for MSI GE63 laptop (bsc#1111666).
- ALSA: hda/realtek - Add quirk for MSI GL63 (bsc#1111666).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion (git-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Flex Book (git-fixes).
- ALSA: hda/realtek - change to suitable link model for ASUS platform (bsc#1111666).
- ALSA: hda/realtek - Check headset type by unplug and resume (bsc#1111666).
- ALSA: hda/realtek - Enable audio jacks of Acer vCopperbox with ALC269VC (bsc#1111666).
- ALSA: hda/realtek: Enable headset mic of Acer C20-820 with ALC269VC (bsc#1111666).
- ALSA: hda/realtek: Enable headset mic of Acer TravelMate B311R-31 with ALC256 (bsc#1111666).
- ALSA: hda/realtek: Enable headset mic of Acer Veriton N4660G with ALC269VC (bsc#1111666).
- ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G14(G401) series with ALC289 (bsc#1111666).
- ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G15(GA502) series with ALC289 (bsc#1111666).
- ALSA: hda/realtek - Enable Speaker for ASUS UX563 (bsc#1111666).
- ALSA: hda/realtek: Fix add a 'ultra_low_power' function for intel reference board (alc256) (bsc#1111666).
- ALSA: hda/realtek: Fixed ALC298 sound bug by adding quirk for Samsung Notebook Pen S (bsc#1111666).
- ALSA: hda/realtek - Fixed HP right speaker no sound (bsc#1111666).
- ALSA: hda/realtek - Fix Lenovo Thinkpad X1 Carbon 7th quirk subdevice id (bsc#1111666).
- ALSA: hda/realtek: Fix pin default on Intel NUC 8 Rugged (bsc#1111666).
- ALSA: hda/realtek - Fix unused variable warning (bsc#1111666).
- ALSA: hda/realtek: typo_fix: enable headset mic of ASUS ROG Zephyrus G14(GA401) series with ALC289 (bsc#1111666).
- ALSA: hda - reverse the setting value in the micmute_led_set (bsc#1111666).
- ALSA: hda: Workaround for spurious wakeups on some Intel platforms (git-fixes).
- ALSA: pci: delete repeated words in comments (bsc#1111666).
- ALSA: seq: oss: Serialize ioctls (bsc#1111666).
- ALSA: usb-audio: Add capture support for Saffire 6 (USB 1.1) (git-fixes).
- ALSA: usb-audio: add quirk for Pioneer DDJ-RB (bsc#1111666).
- ALSA: usb-audio: add startech usb audio dock name (bsc#1111666).
- ALSA: usb-audio: Add support for Lenovo ThinkStation P620 (bsc#1111666).
- ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support (bsc#1111666).
- ALSA: usb-audio: Disable Lenovo P620 Rear line-in volume control (bsc#1111666).
- ALSA: usb-audio: endpoint : remove needless check before usb_free_coherent() (bsc#1111666).
- ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 (bsc#1174625).
- ALSA: usb-audio: fix spelling mistake 'buss' -> 'bus' (bsc#1111666).
- ALSA: usb-audio: ignore broken processing/extension unit (git-fixes).
- ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 (bsc#1111666).
- ALSA: usb/line6: remove 'defined but not used' warning (bsc#1111666).
- arm64: Add MIDR encoding for HiSilicon Taishan CPUs (bsc#1174547).
- arm64: Add MIDR encoding for NVIDIA CPUs (bsc#1174547).
- arm64: add sysfs vulnerability show for meltdown (bsc#1174547).
- arm64: Add sysfs vulnerability show for spectre-v1 (bsc#1174547).
- arm64: add sysfs vulnerability show for spectre-v2 (bsc#1174547).
- arm64: add sysfs vulnerability show for speculative store bypass (bsc#1174547). 
- arm64: Advertise mitigation of Spectre-v2, or lack thereof (bsc#1174547). 
- arm64: Always enable spectre-v2 vulnerability detection (bsc#1174547). 
- arm64: Always enable ssb vulnerability detection (bsc#1174547). 
- arm64: backtrace: Do not bother trying to unwind the userspace stack (bsc#1175397).
- arm64: capabilities: Add NVIDIA Denver CPU to bp_harden list (bsc#1174547).
- arm64: capabilities: Merge duplicate Cavium erratum entries (bsc#1174547).
- arm64: capabilities: Merge entries for ARM64_WORKAROUND_CLEAN_CACHE (bsc#1174547). 
- arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003 (bsc#1175398).
- arm64: Do not mask out PTE_RDONLY in pte_same() (bsc#1175393).
- arm64: enable generic CPU vulnerabilites support (bsc#1174547). Update config/arm64/default
- arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default (bsc#1175394).
- arm64: errata: Do not define type field twice for arm64_errata entries (bsc#1174547).
- arm64: errata: Update stale comment (bsc#1174547).
- arm64: Get rid of __smccc_workaround_1_hvc_* (bsc#1174547).
- arm64: kpti: Avoid rewriting early page tables when KASLR is enabled (bsc#1174547).
- arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on (bsc#1174547).
- arm64: kpti: Whitelist Cortex-A CPUs that do not implement the CSV3 field (bsc#1174547).
- arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs (bsc#1174547).
- arm64: KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1 (bsc#1133021).
- arm64: KVM: Guests can skip __install_bp_hardening_cb()s HYP work (bsc#1174547).
- arm64: KVM: Use SMCCC_ARCH_WORKAROUND_1 for Falkor BP hardening (bsc#1174547). 
- arm64: mm: Fix pte_mkclean, pte_mkdirty semantics (bsc#1175526). 
- arm64: Provide a command line to disable spectre_v2 mitigation (bsc#1174547).
- arm64: Silence clang warning on mismatched value/register sizes (bsc#1175396).
- arm64/speculation: Support 'mitigations=' cmdline option (bsc#1174547). 
- arm64: ssbd: explicitly depend on <linux/prctl.h> (bsc#1175399).
- arm64: ssbs: Do not treat CPUs with SSBS as unaffected by SSB (bsc#1174547).
- arm64: ssbs: Fix context-switch when SSBS is present on all CPUs (bsc#1175669).
- arm64/sve: Fix wrong free for task->thread.sve_state (bsc#1175400).
- arm64/sve: <uapi/asm/ptrace.h> should not depend on <uapi/linux/prctl.h> (bsc#1175401).
- arm64: tlbflush: avoid writing RES0 bits (bsc#1175402).
- arm64: Use firmware to detect CPUs that are not affected by Spectre-v2 (bsc#1174547).
- ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17 (bsc#1133021). 
- ARM: KVM: invalidate icache on guest exit for Cortex-A15 (bsc#1133021).
- ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15 (bsc#1133021).
- ASoC: hda/tegra: Set buffer alignment to 128 bytes (bsc#1111666).
- bcache: allocate meta data pages as compound pages (bsc#1172873).
- bcache: allocate meta data pages as compound pages (bsc#1172873).
- block: check queue's limits.discard_granularity in __blkdev_issue_discard() (bsc#1152148).
- block: check queue's limits.discard_granularity in __blkdev_issue_discard() (bsc#1152148).
- block: Fix use-after-free in blkdev_get() (bsc#1174843).
- block: improve discard bio alignment in __blkdev_issue_discard() (bsc#1152148).
- block: improve discard bio alignment in __blkdev_issue_discard() (bsc#1152148).
- Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() (bsc#1111666).
- Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() (bsc#1111666).
- Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() (bsc#1111666).
- bonding: fix active-backup failover for current ARP slave (bsc#1174771).
- bonding: fix a potential double-unregister (git-fixes).
- bonding: show saner speed for broadcast mode (git-fixes).
- bpf: Fix map leak in HASH_OF_MAPS map (git-fixes).
- brcmfmac: keep SDIO watchdog running when console_interval is non-zero (bsc#1111666).
- brcmfmac: set state of hanger slot to FREE when flushing PSQ (bsc#1111666).
- brcmfmac: To fix Bss Info flag definition Bug (bsc#1111666).
- btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak (bsc#1172247).
- btrfs: file: reserve qgroup space after the hole punch range is locked (bsc#1172247).
- btrfs: fix a block group ref counter leak after failure to remove block group (bsc#1175149).
- btrfs: fix block group leak when removing fails (bsc#1175149).
- btrfs: fix bytes_may_use underflow when running balance and scrub in parallel (bsc#1175149).
- btrfs: fix corrupt log due to concurrent fsync of inodes with shared extents (bsc#1175149).
- btrfs: fix data block group relocation failure due to concurrent scrub (bsc#1175149).
- btrfs: fix double free on ulist after backref resolution failure (bsc#1175149).
- btrfs: fix fatal extent_buffer readahead vs releasepage race (bsc#1175149).
- btrfs: fix memory leaks after failure to lookup checksums during inode logging (bsc#1175550).
- btrfs: fix page leaks after failure to lock page for delalloc (bsc#1175149).
- btrfs: fix race between block group removal and block group creation (bsc#1175149).
- btrfs: fix space_info bytes_may_use underflow after nocow buffered write (bsc#1175149).
- btrfs: fix space_info bytes_may_use underflow during space cache writeout (bsc#1175149).
- btrfs: fix wrong file range cleanup after an error filling dealloc range (bsc#1175149).
- btrfs: inode: fix NULL pointer dereference if inode does not need compression (bsc#1174484).
- btrfs: inode: move qgroup reserved space release to the callers of insert_reserved_file_extent() (bsc#1172247).
- btrfs: inode: refactor the parameters of insert_reserved_file_extent() (bsc#1172247).
- btrfs: make btrfs_ordered_extent naming consistent with btrfs_file_extent_item (bsc#1172247).
- btrfs: Open code btrfs_write_and_wait_marked_extents (bsc#1175149).
- btrfs: qgroup: allow to unreserve range without releasing other ranges (bsc#1120163).
- btrfs: qgroup: fix data leak caused by race between writeback and truncate (bsc#1172247).
- btrfs: qgroup: remove ASYNC_COMMIT mechanism in favor of reserve retry-after-EDQUOT (bsc#1120163).
- btrfs: qgroup: try to flush qgroup space when we get -EDQUOT (bsc#1120163).
- btrfs: Rename and export clear_btree_io_tree (bsc#1175149).
- btrfs: treat RWF_{,D}SYNC writes as sync for CRCs (bsc#1175493).
- bus: hisi_lpc: Add .remove method to avoid driver unbind crash (bsc#1174658).
- bus: hisi_lpc: Do not fail probe for unrecognised child devices (bsc#1174658).
- bus: hisi_lpc: Unregister logical PIO range to avoid potential use-after-free (bsc#1174658).
- cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip (git-fixes).
- cfg80211: check vendor command doit pointer before use (git-fixes).
- char: virtio: Select VIRTIO from VIRTIO_CONSOLE (bsc#1175667).
- cifs: document and cleanup dfs mount (bsc#1144333 bsc#1172428).
- cifs: Fix an error pointer dereference in cifs_mount() (bsc#1144333 bsc#1172428).
- cifs: fix double free error on share and prefix (bsc#1144333 bsc#1172428).
- cifs: handle empty list of targets in cifs_reconnect() (bsc#1144333 bsc#1172428).
- cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1144333 bsc#1172428).
- cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#1144333 bsc#1172428).
- cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#1144333 bsc#1172428).
- cifs: reduce number of referral requests in DFS link lookups (bsc#1144333 bsc#1172428).
- cifs: rename reconn_inval_dfs_target() (bsc#1144333 bsc#1172428).
- clk: at91: clk-generated: check best_rate against ranges (bsc#1111666).
- clk: clk-atlas6: fix return value check in atlas6_clk_init() (bsc#1111666).
- clk: iproc: round clock rate to the closest (bsc#1111666).
- clk: spear: Remove uninitialized_var() usage (git-fixes).
- clk: st: Remove uninitialized_var() usage (git-fixes).
- config: arm64: enable CONFIG_IOMMU_DEFAULT_PASSTHROUGH References: bsc#1174549
- console: newport_con: fix an issue about leak related system resources (git-fixes).
- constrants: fix malformed XML Closing tag of an element is '</foo>', not '<foo/>'. Fixes: 8b37de2eb835 ('rpm/constraints.in: Increase memory for kernel-docs')
- Created new preempt kernel flavor (jsc#SLE-11309) Configs are cloned from the respective $arch/default configs. All changed configs appart from CONFIG_PREEMPT->y are a result of dependencies, namely many lock/unlock primitives are no longer inlined in the preempt kernel. TREE_RCU has been also changed to PREEMPT_RCU which is the default implementation for PREEMPT kernel.
- crypto: ccp - Fix use of merged scatterlists (git-fixes).
- crypto: cpt - do not sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified (git-fixes).
- crypto: qat - fix double free in qat_uclo_create_batch_init_list (git-fixes).
- crypto: rockchip - fix scatterlist nents error (git-fixes).
- crypto: stm32/crc32 - fix ext4 chksum BUG_ON() (git-fixes).
- crypto: talitos - check AES key size (git-fixes).
- crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK (git-fixes).
- crypto: virtio: Fix src/dst scatterlist calculation in __virtio_crypto_skcipher_do_req() (git-fixes).
- dev: Defer free of skbs in flush_backlog (git-fixes).
- device property: Fix the secondary firmware node handling in set_primary_fwnode() (git-fixes).
- devres: keep both device name and resource name in pretty name (git-fixes).
- dlm: Fix kobject memleak (bsc#1175768).
- dlm: remove BUG() before panic() (bsc#1174844).
- dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler (git-fixes).
- Documentation/networking: Add net DIM documentation (bsc#1174852).
- dpaa2-eth: Fix passing zero to 'PTR_ERR' warning (bsc#1175403).
- dpaa2-eth: free already allocated channels on probe defer (bsc#1175404).
- dpaa2-eth: prevent array underflow in update_cls_rule() (bsc#1175405).
- dpaa_eth: add dropped frames to percpu ethtool stats (bsc#1174550).
- dpaa_eth: add newline in dev_err() msg (bsc#1174550).
- dpaa_eth: avoid timestamp read on error paths (bsc#1175406).
- dpaa_eth: change DMA device (bsc#1174550).
- dpaa_eth: cleanup skb_to_contig_fd() (bsc#1174550).
- dpaa_eth: defer probing after qbman (bsc#1174550).
- dpaa_eth: extend delays in ndo_stop (bsc#1174550).
- dpaa_eth: fix DMA mapping leak (bsc#1174550).
- dpaa_eth: Fix one possible memleak in dpaa_eth_probe (bsc#1174550).
- dpaa_eth: FMan erratum A050385 workaround (bsc#1174550).
- dpaa_eth: perform DMA unmapping before read (bsc#1175407).
- dpaa_eth: register a device link for the qman portal used (bsc#1174550).
- dpaa_eth: remove netdev_err() for user errors (bsc#1174550).
- dpaa_eth: remove redundant code (bsc#1174550).
- dpaa_eth: simplify variables used in dpaa_cleanup_tx_fd() (bsc#1174550).
- dpaa_eth: use a page to store the SGT (bsc#1174550).
- dpaa_eth: use fd information in dpaa_cleanup_tx_fd() (bsc#1174550).
- dpaa_eth: use only one buffer pool per interface (bsc#1174550).
- dpaa_eth: use page backed rx buffers (bsc#1174550).
- driver core: Avoid binding drivers to dead devices (git-fixes).
- Drivers: hv: balloon: Remove dependencies on guest page size (git-fixes).
- Drivers: hv: vmbus: Fix virt_to_hvpfn() for X86_PAE (git-fixes).
- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175127, bsc#1175128).
- Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() (git-fixes).
- drivers/perf: hisi: Fix typo in events attribute array (bsc#1175408).
- drivers/perf: hisi: Fixup one DDRC PMU register offset (bsc#1175410).
- drivers/perf: hisi: Fix wrong value for all counters enable (bsc#1175409).
- drm: Added orientation quirk for ASUS tablet model T103HAF (bsc#1111666).
- drm/amd/display: fix pow() crashing when given base 0 (git-fixes).
- drm/amdgpu: avoid dereferencing a NULL pointer (bsc#1111666).
- drm/amdgpu: Fix bug where DPM is not enabled after hibernate and resume (bsc#1111666).
- drm/amdgpu: Fix NULL dereference in dpm sysfs handlers (bsc#1113956) 	* refresh for context changes
- drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() (git-fixes).
- drm/amdgpu: Replace invalid device ID with a valid device ID (bsc#1113956)
- drm/arm: fix unintentional integer overflow on left shift (git-fixes).
- drm/bridge: dw-hdmi: Do not cleanup i2c adapter and ddc ptr in (bsc#1113956) 	* refreshed for context changes
- drm/bridge: sil_sii8620: initialize return of sii8620_readb (git-fixes).
- drm/dbi: Fix SPI Type 1 (9-bit) transfer (bsc#1113956) 	* move drm_mipi_dbi.c -> tinydrm/mipi-drm.c 	* refresh for context changes
- drm/debugfs: fix plain echo to connector 'force' attribute (bsc#1111666).
- drm/etnaviv: Fix error path on failure to enable bus clk (git-fixes).
- drm/etnaviv: fix ref count leak via pm_runtime_get_sync (bsc#1111666).
- drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi (bsc#1112178) 	* updated names of get/put functions
- drm: hold gem reference until object is no longer accessed (bsc#1113956)
- drm/imx: fix use after free (git-fixes).
- drm/imx: imx-ldb: Disable both channels for split mode in enc->disable() (git-fixes).
- drm/imx: tve: fix regulator_disable error path (git-fixes).
- drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline (git-fixes).
- drm/msm/adreno: fix updating ring fence (git-fixes).
- drm/msm: ratelimit crtc event overflow error (bsc#1111666).
- drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason (git-fixes).
- drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure (git-fixes).
- drm/nouveau: fix multiple instances of reference count leaks (bsc#1111666).
- drm/panel: otm8009a: Drop unnessary backlight_device_unregister() (git-fixes).
- drm: panel: simple: Fix bpc for LG LB070WV8 panel (git-fixes).
- drm/radeon: disable AGP by default (bsc#1111666).
- drm/radeon: fix array out-of-bounds read and write issues (git-fixes).
- drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync (bsc#1111666).
- drm/rockchip: fix VOP_WIN_GET macro (bsc#1175411).
- drm/tilcdc: fix leak & null ref in panel_connector_get_modes (bsc#1111666).
- drm/ttm/nouveau: do not call tt destroy callback on alloc failure (bsc#1175232).
- drm/vmwgfx: Fix two list_for_each loop exit tests (bsc#1111666).
- drm/vmwgfx: Use correct vmw_legacy_display_unit pointer (bsc#1111666).
- drm/xen-front: Fix misused IS_ERR_OR_NULL checks (bsc#1065600).
- EDAC: Fix reference count leaks (bsc#1112178).
- efi/memreserve: deal with memreserve entries in unmapped memory (bsc#1174685).
- ext4: check journal inode extents more carefully (bsc#1173485).
- ext4: do not allow overlapping system zones (bsc#1173485).
- ext4: fix checking of directory entry validity for inline directories (bsc#1175771).
- ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max (bsc#1174840).
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485).
- fat: do not allow to mount if the FAT length == 0 (bsc#1174845).
- fbdev: Detect integer underflow at 'struct fbcon_ops'->clear_margins. (bsc#1112178) 	* move files drivers/video/fbdev/core -> drivers/video/console 	* refresh for context changes
- firmware: google: check if size is valid when decoding VPD data (git-fixes).
- firmware: google: increment VPD key_len properly (git-fixes).
- fpga: dfl: fix bug in port reset handshake (git-fixes).
- fsl/fman: add API to get the device behind a fman port (bsc#1174550).
- fsl/fman: check dereferencing null pointer (git-fixes).
- fsl/fman: detect FMan erratum A050385 (bsc#1174550).
- fsl/fman: do not touch liodn base regs reserved on non-PAMU SoCs (bsc#1174550).
- fsl/fman: fix dereference null return value (git-fixes).
- fsl/fman: fix eth hash table allocation (git-fixes).
- fsl/fman: fix unreachable code (git-fixes).
- fsl/fman: remove unused struct member (bsc#1174550).
- fsl/fman: use 32-bit unsigned integer (git-fixes).
- fuse: fix memleak in cuse_channel_open (bsc#1174926).
- fuse: fix missing unlock_page in fuse_writepage() (bsc#1174904).
- fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS (bsc#1175062).
- fuse: fix weird page warning (bsc#1175063).
- fuse: flush dirty data/metadata before non-truncate setattr (bsc#1175064).
- fuse: truncate pending writes on O_TRUNC (bsc#1175065).
- fuse: verify attributes (bsc#1175066).
- fuse: verify nlink (bsc#1175067).
- genetlink: remove genl_bind (networking-stable-20_07_17).
- go7007: add sanity checking for endpoints (git-fixes).
- gpu: host1x: debug: Fix multiple channels emitting messages simultaneously (bsc#1111666).
- HID: hiddev: fix mess in hiddev_open() (git-fixes).
- HISI LPC: Re-Add ACPI child enumeration support (bsc#1174658).
- HISI LPC: Stop using MFD APIs (bsc#1174658).
- hv_balloon: Balloon up according to request page number (git-fixes).
- hv_balloon: Use a static page for the balloon_up send buffer (git-fixes).
- hv_netvsc: Allow scatter-gather feature to be tunable (git-fixes).
- hv_netvsc: do not use VF device if link is down (git-fixes).
- hv_netvsc: Fix a warning of suspicious RCU usage (git-fixes).
- hv_netvsc: Fix error handling in netvsc_attach() (git-fixes).
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (git-fixes).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() (git-fixes).
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (git-fixes).
- hv_netvsc: flag software created hash value (git-fixes).
- hv_netvsc: Remove 'unlikely' from netvsc_select_queue (git-fixes).
- i2c: rcar: in slave mode, clear NACK earlier (git-fixes).
- i2c: rcar: slave: only send STOP event when we have been addressed (bsc#1111666).
- i40e: Fix crash during removing i40e driver (git-fixes).
- i40e: Set RX_ONLY mode for unicast promiscuous on VLAN (git-fixes).
- ibmveth: Fix use of ibmveth in a bridge (bsc#1174387 ltc#187506).
- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).
- ibmvnic fix NULL tx_pools and rx_tools issue at do_reset (bsc#1175873 ltc#187922).
- include/linux/poison.h: remove obsolete comment (git fixes (poison)).
- Input: psmouse - add a newline when printing 'proto' by sysfs (git-fixes).
- Input: sentelic - fix error return when fsp_reg_write fails (bsc#1111666).
- integrity: remove redundant initialization of variable ret (git-fixes).
- io-mapping: indicate mapping failure (git-fixes).
- ip6_gre: fix null-ptr-deref in ip6gre_init_net() (git-fixes).
- ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() (networking-stable-20_06_28).
- ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL (bsc#1175515).
- ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL (bsc#1175515).
- ip_tunnel: Emit events for post-register MTU changes (git-fixes).
- ip_tunnel: fix use-after-free in ip_tunnel_lookup() (networking-stable-20_06_28).
- ip_tunnel: restore binding to ifaces with a large mtu (git-fixes).
- ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg (networking-stable-20_07_17).
- ipv4: Silence suspicious RCU usage warning (git-fixes).
- ipv6: fix memory leaks on IPV6_ADDRFORM path (git-fixes).
- ipvlan: fix device features (git-fixes).
- ipvs: allow connection reuse for unconfirmed conntrack (git-fixes).
- ipvs: fix refcount usage for conns in ops mode (git-fixes).
- ipvs: fix the connection sync failed in some cases (bsc#1174699).
- irqchip/gic: Atomically update affinity (bsc#1111666).
- iwlegacy: Check the return value of pcie_capability_read_*() (bsc#1111666).
- jbd2: add the missing unlock_buffer() in the error path of jbd2_write_superblock() (bsc#1175772).
- kabi: genetlink: remove genl_bind (kabi).
- kabi: hide new parameter of ip6_dst_lookup_flow() (bsc#1165629).
- kabi: mask changes to struct ipv6_stub (bsc#1165629).
- kernel/cpu_pm: Fix uninitted local in cpu_pm (git fixes (kernel/pm)).
- kernel-docs: Change Requires on python-Sphinx to earlier than version 3 References: bsc#1166965 From 3 on the internal API that the build system uses was rewritten in an incompatible way. See https://github.com/sphinx-doc/sphinx/issues/7421 and https://bugzilla.suse.com/show_bug.cgi?id=1166965#c16 for some details.
- kernel/relay.c: fix memleak on destroy relay channel (git-fixes).
- kernfs: do not call fsnotify() with name without a parent (bsc#1175770).
- KVM: arm64: Ensure 'params' is initialised when looking up sys register (bsc#1133021).
- KVM: arm64: Stop clobbering x0 for HVC_SOFT_RESTART (bsc#1133021).
- KVM: arm/arm64: Fix young bit from mmu notifier (bsc#1133021).
- KVM: arm/arm64: vgic: Do not rely on the wrong pending table (bsc#1133021).
- KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections (bsc#1133021).
- KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests (bsc#1133021).
- KVM: arm: Make inject_abt32() inject an external abort instead (bsc#1133021).
- KVM: Change offset in kvm_write_guest_offset_cached to unsigned (bsc#1133021).
- KVM: Check for a bad hva before dropping into the ghc slow path (bsc#1133021).
- KVM: PPC: Book3S PR: Remove uninitialized_var() usage (bsc#1065729).
- KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast() (bsc#1112178).
- l2tp: remove skb_dst_set() from l2tp_xmit_skb() (networking-stable-20_07_17).
- leds: 88pm860x: fix use-after-free on unbind (git-fixes).
- leds: core: Flush scheduled work for system suspend (git-fixes).
- leds: da903x: fix use-after-free on unbind (git-fixes).
- leds: lm3533: fix use-after-free on unbind (git-fixes).
- leds: lm355x: avoid enum conversion warning (git-fixes).
- leds: wm831x-status: fix use-after-free on unbind (git-fixes).
- lib/dim: Fix -Wunused-const-variable warnings (bsc#1174852).
- lib: dimlib: fix help text typos (bsc#1174852).
- lib: logic_pio: Add logic_pio_unregister_range() (bsc#1174658).
- lib: logic_pio: Avoid possible overlap for unregistering regions (bsc#1174658).
- lib: logic_pio: Fix RCU usage (bsc#1174658).
- linux/dim: Add completions count to dim_sample (bsc#1174852).
- linux/dim: Fix overflow in dim calculation (bsc#1174852).
- linux/dim: Move implementation to .c files (bsc#1174852).
- linux/dim: Move logic to dim.h (bsc#1174852).
- linux/dim: Remove 'net' prefix from internal DIM members (bsc#1174852).
- linux/dim: Rename externally exposed macros (bsc#1174852).
- linux/dim: Rename externally used net_dim members (bsc#1174852).
- linux/dim: Rename net_dim_sample() to net_dim_update_sample() (bsc#1174852).
- liquidio: Fix wrong return value in cn23xx_get_pf_num() (git-fixes).
- llc: make sure applications use ARPHRD_ETHER (networking-stable-20_07_17).
- mac80211: mesh: Free ie data when leaving mesh (git-fixes).
- mac80211: mesh: Free pending skb when destroying a mpath (git-fixes).
- MAINTAINERS: add entry for Dynamic Interrupt Moderation (bsc#1174852).
- md-cluster: Fix potential error pointer dereference in resize_bitmaps() (git-fixes).
- md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 (git-fixes).
- media: budget-core: Improve exception handling in budget_register() (git-fixes).
- media: exynos4-is: Add missed check for pinctrl_lookup_state() (git-fixes).
- media: firewire: Using uninitialized values in node_probe() (git-fixes).
- media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities() (git-fixes).
- media: vpss: clean up resources in init (git-fixes).
- mfd: arizona: Ensure 32k clock is put on driver unbind and error (git-fixes).
- mfd: dln2: Run event handler loop under spinlock (git-fixes).
- mfd: rk808: Fix RK818 ID template (bsc#1175412).
- mld: fix memory leak in ipv6_mc_destroy_dev() (networking-stable-20_06_28).
- mm: filemap: clear idle flag for writes (bsc#1175769).
- mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate (git fixes (mm/migrate)).
- mm/mmu_notifier: use hlist_add_head_rcu() (git fixes (mm/mmu_notifiers)).
- mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() (git fixes (mm/compaction)).
- mm/rmap.c: do not reuse anon_vma if we just want a copy (git fixes (mm/rmap)).
- mm/shmem.c: cast the type of unmap_start to u64 (git fixes (mm/shmem)).
- mm, thp: fix defrag setting if newline is not used (git fixes (mm/thp)).
- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).
- mm/vunmap: add cond_resched() in vunmap_pmd_range (bsc#1175654 ltc#184617).
- mtd: spi-nor: Fix an error code in spi_nor_read_raw() (bsc#1175413).
- mtd: spi-nor: fix kernel-doc for spi_nor::info (bsc#1175414).
- mtd: spi-nor: fix kernel-doc for spi_nor::reg_proto (bsc#1175415).
- mtd: spi-nor: fix silent truncation in spi_nor_read_raw() (bsc#1175416).
- mwifiex: Prevent memory corruption handling keys (git-fixes).
- net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb (git-fixes).
- net: bridge: enfore alignment for ethernet address (networking-stable-20_06_28).
- net: core: reduce recursion limit value (networking-stable-20_06_28).
- net: Do not clear the sock TX queue in sk_set_socket() (networking-stable-20_06_28).
- net: dsa: b53: check for timeout (git-fixes).
- net: ena: Add first_interrupt field to napi struct (bsc#1174852).
- net: ena: add reserved PCI device ID (bsc#1174852).
- net: ena: add support for reporting of packet drops (bsc#1174852).
- net: ena: add support for the rx offset feature (bsc#1174852).
- net: ena: add support for traffic mirroring (bsc#1174852).
- net: ena: add unmask interrupts statistics to ethtool (bsc#1174852).
- net: ena: allow setting the hash function without changing the key (bsc#1174852).
- net: ena: avoid unnecessary admin command when RSS function set fails (bsc#1174852).
- net: ena: avoid unnecessary rearming of interrupt vector when busy-polling (bsc#1174852).
- net: ena: change default RSS hash function to Toeplitz (bsc#1174852).
- net: ena: change num_queues to num_io_queues for clarity and consistency (bsc#1174852).
- net: ena: changes to RSS hash key allocation (bsc#1174852).
- net: ena: Change WARN_ON expression in ena_del_napi_in_range() (bsc#1174852).
- net: ena: clean up indentation issue (bsc#1174852).
- net: ena: cosmetic: change ena_com_stats_admin stats to u64 (bsc#1174852).
- net: ena: cosmetic: code reorderings (bsc#1174852).
- net: ena: cosmetic: extract code to ena_indirection_table_set() (bsc#1174852).
- net: ena: cosmetic: fix line break issues (bsc#1174852).
- net: ena: cosmetic: fix spacing issues (bsc#1174852).
- net: ena: cosmetic: fix spelling and grammar mistakes in comments (bsc#1174852).
- net: ena: cosmetic: minor code changes (bsc#1174852).
- net: ena: cosmetic: remove unnecessary code (bsc#1174852).
- net: ena: cosmetic: remove unnecessary spaces and tabs in ena_com.h macros (bsc#1174852).
- net: ena: cosmetic: rename ena_update_tx/rx_rings_intr_moderation() (bsc#1174852).
- net: ena: cosmetic: satisfy gcc warning (bsc#1174852).
- net: ena: cosmetic: set queue sizes to u32 for consistency (bsc#1174852).
- net: ena: drop superfluous prototype (bsc#1174852).
- net: ena: enable support of rss hash key and function changes (bsc#1174852).
- net: ena: enable the interrupt_moderation in driver_supported_features (bsc#1174852).
- net: ena: ethtool: clean up minor indentation issue (bsc#1174852).
- net: ena: ethtool: get_channels: use combined only (bsc#1174852).
- net: ena: ethtool: remove redundant non-zero check on rc (bsc#1174852).
- net: ena: ethtool: support set_channels callback (bsc#1174852).
- net/ena: Fix build warning in ena_xdp_set() (bsc#1174852).
- net: ena: fix ena_com_comp_status_to_errno() return value (bsc#1174852).
- net: ena: fix error returning in ena_com_get_hash_function() (bsc#1174852).
- net: ena: fix incorrect setting of the number of msix vectors (bsc#1174852).
- net: ena: fix incorrect update of intr_delay_resolution (bsc#1174852).
- net: ena: fix request of incorrect number of IRQ vectors (bsc#1174852).
- net: ena: fix update of interrupt moderation register (bsc#1174852).
- net: ena: Fix using plain integer as NULL pointer in ena_init_napi_in_range (bsc#1174852).
- net: ena: implement XDP drop support (bsc#1174852).
- net: ena: Implement XDP_TX action (bsc#1174852).
- net: ena: make ethtool -l show correct max number of queues (bsc#1174852).
- net: ena: Make missed_tx stat incremental (bsc#1083548).
- net: ena: Make some functions static (bsc#1174852).
- net: ena: move llq configuration from ena_probe to ena_device_init() (bsc#1174852).
- net: ena: multiple queue creation related cleanups (bsc#1174852).
- net: ena: Prevent reset after device destruction (bsc#1083548).
- net: ena: reduce driver load time (bsc#1174852).
- net: ena: remove all old adaptive rx interrupt moderation code from ena_com (bsc#1174852).
- net: ena: remove code duplication in ena_com_update_nonadaptive_moderation_interval _*() (bsc#1174852).
- net: ena: remove code that does nothing (bsc#1174852).
- net: ena: remove ena_restore_ethtool_params() and relevant fields (bsc#1174852).
- net: ena: remove old adaptive interrupt moderation code from ena_netdev (bsc#1174852).
- net: ena: remove redundant print of number of queues (bsc#1174852).
- net: ena: remove set but not used variable 'hash_key' (bsc#1174852).
- net: ena: remove set but not used variable 'rx_ring' (bsc#1174852).
- net: ena: rename ena_com_free_desc to make API more uniform (bsc#1174852).
- net: ena: Select DIMLIB for ENA_ETHERNET (bsc#1174852).
- net: ena: simplify ena_com_update_intr_delay_resolution() (bsc#1174852).
- net: ena: support new LLQ acceleration mode (bsc#1174852).
- net: ena: switch to dim algorithm for rx adaptive interrupt moderation (bsc#1174852).
- net: ena: use explicit variable size for clarity (bsc#1174852).
- net: ena: use SHUTDOWN as reset reason when closing interface (bsc#1174852).
- net: ena: xdp: update napi budget for DROP and ABORTED (bsc#1174852).
- net: ena: xdp: XDP_TX: fix memory leak (bsc#1174852).
- net: ethernet: aquantia: Fix wrong return value (git-fixes).
- net: ethernet: broadcom: have drivers select DIMLIB as needed (bsc#1174852).
- net: ethernet: stmmac: Disable hardware multicast filter (git-fixes).
- net: fec: correct the error path for regulator disable in probe (git-fixes).
- netfilter: x_tables: add counters allocation wrapper (git-fixes).
- netfilter: x_tables: cap allocations at 512 mbyte (git-fixes).
- netfilter: x_tables: limit allocation requests for blob rule heads (git-fixes).
- net: Fix a documentation bug wrt. ip_unprivileged_port_start (git-fixes). (SLES tuning guide refers to ip-sysctl.txt.)
- net: fix memleak in register_netdevice() (networking-stable-20_06_28).
- net: Fix the arp error in some cases (networking-stable-20_06_28).
- net: gre: recompute gre csum for sctp over gre tunnels (git-fixes).
- net: hns3: add autoneg and change speed support for fibre port (bsc#1174070).
- net: hns3: add support for FEC encoding control (bsc#1174070).
- net: hns3: add support for multiple media type (bsc#1174070).
- net: hns3: fix a not link up issue when fibre port supports autoneg (bsc#1174070).
- net: hns3: fix for FEC configuration (bsc#1174070).
- net: hns3: fix port capbility updating issue (bsc#1174070).
- net: hns3: fix port setting handle for fibre port (bsc#1174070).
- net: hns3: fix selftest fail issue for fibre port with autoneg on (bsc#1174070).
- net: hns3: restore the MAC autoneg state after reset (bsc#1174070).
- net: increment xmit_recursion level in dev_direct_xmit() (networking-stable-20_06_28).
- net: ip6_gre: Request headroom in __gre6_xmit() (git-fixes).
- net: lan78xx: add missing endpoint sanity check (git-fixes).
- net: lan78xx: fix transfer-buffer memory leak (git-fixes).
- net: make symbol 'flush_works' static (git-fixes).
- net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes).
- net: mvpp2: fix memory leak in mvpp2_rx (git-fixes).
- net: netsec: Fix signedness bug in netsec_probe() (bsc#1175417).
- net: netsec: initialize tx ring on ndo_open (bsc#1175418).
- net: phy: Check harder for errors in get_phy_id() (bsc#1111666).
- net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes).
- net: Set fput_needed iff FDPUT_FPUT is set (git-fixes).
- net: socionext: Fix a signedness bug in ave_probe() (bsc#1175419).
- net: socionext: replace napi_alloc_frag with the netdev variant on init (bsc#1175420).
- net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- net: stmmac: dwmac1000: provide multicast filter fallback (git-fixes).
- net: stmmac: Fix RX packet size > 8191 (git-fixes).
- net: udp: Fix wrong clean up for IS_UDPLITE macro (git-fixes).
- net: update net_dim documentation after rename (bsc#1174852).
- net: usb: ax88179_178a: fix packet alignment padding (networking-stable-20_06_28).
- net: usb: qmi_wwan: add support for Quectel EG95 LTE modem (networking-stable-20_07_17).
- netvsc: unshare skb in VF rx handler (git-fixes).
- nfc: nci: add missed destroy_workqueue in nci_register_device (git-fixes).
- NTB: Fix an error in get link status (git-fixes).
- ntb_netdev: fix sleep time mismatch (git-fixes).
- NTB: ntb_transport: Use scnprintf() for avoiding potential buffer overflow (git-fixes).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme-multipath: do not fall back to __nvme_find_path() for non-optimized paths (bsc#1172108).
- nvme-multipath: fix logic for non-optimized paths (bsc#1172108).
- nvme-multipath: round-robin: eliminate 'fallback' variable (bsc#1172108).
- nvme: multipath: round-robin: fix single non-optimized path case (bsc#1172108).
- obsolete_kmp: provide newer version than the obsoleted one (boo#1170232).
- ocfs2: add trimfs dlm lock resource (bsc#1175228).
- ocfs2: add trimfs lock to avoid duplicated trims in cluster (bsc#1175228).
- ocfs2: avoid inode removal while nfsd is accessing it (bsc#1172963).
- ocfs2: avoid inode removal while nfsd is accessing it (bsc#1172963).
- ocfs2: change slot number type s16 to u16 (bsc#1175786).
- ocfs2: fix panic on nfs server over ocfs2 (bsc#1172963).
- ocfs2: fix panic on nfs server over ocfs2 (bsc#1172963).
- ocfs2: fix remounting needed after setfacl command (bsc#1173954).
- ocfs2: fix the application IO timeout when fstrim is running (bsc#1175228).
- ocfs2: fix value of OCFS2_INVALID_SLOT (bsc#1175767).
- ocfs2: load global_inode_alloc (bsc#1172963).
- ocfs2: load global_inode_alloc (bsc#1172963).
- omapfb: dss: Fix max fclk divider for omap36xx (bsc#1113956)
- openvswitch: Prevent kernel-infoleak in ovs_ct_put_key() (git-fixes).
- PCI/ASPM: Add missing newline in sysfs 'policy' (git-fixes).
- PCI: dwc: Move interrupt acking into the proper callback (bsc#1175666).
- PCI: Fix pci_cfg_wait queue locking problem (git-fixes).
- PCI: Fix 'try' semantics of bus and slot reset (git-fixes).
- PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context() (git-fixes).
- PCI: hv: Fix a timing issue which causes kdump to fail occasionally (bsc#1172871, bsc#1172872, git-fixes).
- PCI: Release IVRS table in AMD ACS quirk (git-fixes).
- PCI: switchtec: Add missing __iomem and __user tags to fix sparse warnings (git-fixes).
- PCI: switchtec: Add missing __iomem tag to fix sparse warnings (git-fixes).
- phy: sun4i-usb: fix dereference of pointer phy0 before it is null checked (git-fixes).
- pinctrl: single: fix function name in documentation (git-fixes).
- pinctrl-single: fix pcs_parse_pinconf() return value (git-fixes).
- platform/x86: intel-hid: Fix return value check in check_acpi_dev() (git-fixes).
- platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() (git-fixes).
- PM / CPU: replace raw_notifier with atomic_notifier (git fixes (kernel/pm)).
- PM / devfreq: rk3399_dmc: Add missing of_node_put() (bsc#1175668).
- PM / devfreq: rk3399_dmc: Disable devfreq-event device when fails.
- PM / devfreq: rk3399_dmc: Fix kernel oops when rockchip,pmu is absent (bsc#1175668).
- PM: sleep: core: Fix the handling of pending runtime resume requests (git-fixes).
- powerpc/64s: Do not init FSCR_DSCR in __init_FSCR() (bsc#1065729).
- powerpc/64s: Fix early_init_mmu section mismatch (bsc#1065729).
- powerpc: Allow 4224 bytes of stack expansion for the signal frame (bsc#1065729).
- powerpc/book3s64/pkeys: Use PVR check instead of cpu feature (bsc#1065729).
- powerpc/boot: Fix CONFIG_PPC_MPC52XX references (bsc#1065729).
- powerpc/eeh: Fix pseries_eeh_configure_bridge() (bsc#1174689).
- powerpc/nvdimm: Use HCALL error as the return value (bsc#1175284).
- powerpc/nvdimm: use H_SCM_QUERY hcall on H_OVERLAP error (bsc#1175284).
- powerpc/perf: Fix missing is_sier_aviable() during build (bsc#1065729).
- powerpc/pseries: Do not initiate shutdown when system is running on UPS (bsc#1175440 ltc#187574).
- powerpc/pseries/hotplug-cpu: Remove double free in error path (bsc#1065729).
- powerpc/pseries/hotplug-cpu: wait indefinitely for vCPU death (bsc#1085030 ltC#165630).
- powerpc/pseries: PCIE PHB reset (bsc#1174689).
- powerpc/pseries: remove cede offline state for CPUs (bsc#1065729).
- powerpc/rtas: do not online CPUs for partition suspend (bsc#1065729).
- powerpc/vdso: Fix vdso cpu truncation (bsc#1065729).
- power: supply: check if calc_soc succeeded in pm860x_init_battery (git-fixes).
- propagate_one(): mnt_set_mountpoint() needs mount_lock (bsc#1174841).
- pseries: Fix 64 bit logical memory block panic (bsc#1065729).
- pwm: bcm-iproc: handle clk_get_rate() return (git-fixes).
- rds: Prevent kernel-infoleak in rds_notify_queue_get() (git-fixes).
- regulator: gpio: Honor regulator-boot-on property (git-fixes).
- Revert 'ALSA: hda: call runtime_allow() for all hda controllers' (bsc#1111666).
- Revert 'drm/amdgpu: Fix NULL dereference in dpm sysfs handlers' (bsc#1113956) 	* refresh for context changes
- Revert 'ocfs2: avoid inode removal while nfsd is accessing it' This reverts commit 9e096c72476eda333a9998ff464580c00ff59c83.
- Revert 'ocfs2: fix panic on nfs server over ocfs2 (bsc#1172963).' This reverts commit 0bf6e248f93736b3f17f399b4a8f64ffa30d371e.
- Revert 'ocfs2: load global_inode_alloc (bsc#1172963).' This reverts commit fc476497b53f967dc615b9cbad9427ba3107b5c4.
- Revert 'scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe' (bsc#1171688 bsc#1174003).
- Revert 'scsi: qla2xxx: Fix crash on qla2x00_mailbox_command' (bsc#1171688 bsc#1174003).
- Revert 'sign also s390x kernel images (bsc#1163524)' This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
- Revert 'xen/balloon: Fix crash when ballooning on x86 32 bit PAE' (bsc#1065600).
- rocker: fix incorrect error handling in dma_rings_init (networking-stable-20_06_28).
- rpm/check-for-config-changes: Ignore CONFIG_CC_VERSION_TEXT
- rpm/check-for-config-changes: Ignore CONFIG_LD_VERSION
- rpm/constraints.in: Increase memory for kernel-docs References: https://build.opensuse.org/request/show/792664
- rpm: drop execute permissions on source files Sometimes a source file with execute permission appears in upstream repository and makes it into our kernel-source packages. This is caught by OBS build checks and may even result in build failures. Sanitize the source tree by removing execute permissions from all C source and header files.
- rpm/kabi.pl: account for namespace field being moved last Upstream is moving the namespace field in Module.symvers last in order to preserve backwards compatibility with kmod tools (depmod, etc). Fix the kabi.pl script to expect the namespace field last. Since split() ignores trailing empty fields and delimeters, switch to using tr to count how many fields/tabs are in a line. Also, in load_symvers(), pass LIMIT of -1 to split() so it does not strip trailing empty fields, as namespace is an optional field.
- rpm/kernel-binary.spec.in: do not run klp-symbols for configs with no modules Starting with 5.8-rc1, s390x/zfcpdump builds fail because rpm/klp-symbols script does not find .tmp_versions directory. This is missing because s390x/zfcpdump is built without modules (CONFIG_MODULES disabled). As livepatching cannot work without modules, the cleanest solution is setting %klp_symbols to 0 if CONFIG_MODULES is disabled. (We cannot simply add another condition to the place where %klp_symbols is set as it can be already set to 1 from prjconf.)
- rpm/kernel-binary.spec.in: restrict livepatch metapackage to default flavor It has been reported that the kernel-*-livepatch metapackage got erroneously enabled for SLE15-SP3's new -preempt flavor, leading to a unresolvable dependency to a non-existing kernel-livepatch-x.y.z-preempt package. As SLE12 and SLE12-SP1 have run out of livepatching support, the need to build said metapackage for the -xen flavor is gone and the only remaining flavor for which they're still wanted is -default. Restrict the build of the kernel-*-livepatch metapackage to the -default flavor.
- rpm/kernel-obs-build.spec.in: add dm-crypt for building with cryptsetup Co-Authored-By: Adam Spiers <aspiers@suse.com>
- rpm/kernel-obs-build.spec.in: Enable overlayfs Overlayfs is needed for podman or docker builds when no more specific driver can be used (like lvm or btrfs). As the default build fs is ext4 currently, we need overlayfs kernel modules to be available.
- rpm/kernel-source.spec.in: Add obsolete_rebuilds (boo#1172073).
- rpm/mkspec-dtb: add mt76 based dtb package
- rpm/package-descriptions: garbege collection remove old ARM and Xen flavors.
- rtlwifi: rtl8192cu: Remove uninitialized_var() usage (git-fixes).
- s390, dcssblk: kaddr and pfn can be NULL to ->direct_access() (bsc#1174873).
- sched: consistently handle layer3 header accesses in the presence of VLANs (networking-stable-20_07_17).
- sched/deadline: Initialize ->dl_boosted (bsc#1112178).    
- scsi: dh: Add Fujitsu device to devinfo and dh lists (bsc#1174026).
- scsi: Fix trivial spelling (bsc#1171688 bsc#1174003).
- scsi: lpfc: Add and rename a whole bunch of function parameter descriptions (bsc#1171558 bsc#1136666).
- scsi: lpfc: Add description for lpfc_release_rpi()'s 'ndlpl param (bsc#1171558 bsc#1136666).
- scsi: lpfc: Add missing misc_deregister() for lpfc_init() (bsc#1171558 bsc#1136666).
- scsi: lpfc: Ensure variable has the same stipulations as code using it (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix a bunch of kerneldoc misdemeanors (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix FCoE speed reporting (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix kerneldoc parameter formatting/misnaming/missing issues (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix LUN loss after cable pull (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix no message shown for lpfc_hdw_queue out of range value (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix oops when unloading driver while running mds diags (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix retry of PRLI when status indicates its unsupported (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix RSCN timeout due to incorrect gidft counter (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix some function parameter descriptions (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix typo in comment for ULP (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix-up around 120 documentation issues (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix-up formatting/docrot where appropriate (bsc#1171558 bsc#1136666).
- scsi: lpfc: Fix validation of bsg reply lengths (bsc#1171558 bsc#1136666).
- scsi: lpfc: NVMe remote port devloss_tmo from lldd (bsc#1171558 bsc#1136666 bsc#1173060).
- scsi: lpfc: nvmet: Avoid hang / use-after-free again when destroying targetport (bsc#1171558 bsc#1136666).
- scsi: lpfc: Provide description for lpfc_mem_alloc()'s 'align' param (bsc#1171558 bsc#1136666).
- scsi: lpfc: Quieten some printks (bsc#1171558 bsc#1136666).
- scsi: lpfc: Remove unused variable 'pg_addr' (bsc#1171558 bsc#1136666).
- scsi: lpfc: Update lpfc version to 12.8.0.3 (bsc#1171558 bsc#1136666).
- scsi: lpfc: Use __printf() format notation (bsc#1171558 bsc#1136666).
- scsi: qla2xxx: Add more BUILD_BUG_ON() statements (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Address a set of sparse warnings (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Allow ql2xextended_error_logging special value 1 to be set anytime (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Cast explicitly to uint16_t / uint32_t (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Change in PUREX to handle FPIN ELS requests (bsc#1171688 bsc#1174003). 
- scsi: qla2xxx: Change {RD,WRT}_REG_*() function names from upper case into lower case (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Change two hardcoded constants into offsetof() / sizeof() expressions (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Check if FW supports MQ before enabling (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Check the size of struct fcp_hdr at compile time (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix a Coverity complaint in qla2100_fw_dump() (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix endianness annotations in header files (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix endianness annotations in source files (bsc#1171688 bsc#1174003). 
- scsi: qla2xxx: Fix failure message in qlt_disable_vha() (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix issue with adapter's stopping state (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix login timeout (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix MPI failure AEN (8200) handling (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix null pointer access during disconnect from subsystem (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix spelling of a variable name (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix the code that reads from mailbox registers (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix warning after FC target reset (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Fix WARN_ON in qla_nvme_register_hba (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Flush all sessions on zone disable (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Flush I/O on zone disable (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Increase the size of struct qla_fcp_prio_cfg to FCP_PRIO_CFG_SIZE (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Indicate correct supported speeds for Mezz card (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Initialize 'n' before using it (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Introduce a function for computing the debug message prefix (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Keep initiator ports after RSCN (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: make 1-bit bit-fields unsigned int (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make a gap in struct qla2xxx_offld_chain explicit (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make __qla2x00_alloc_iocbs() initialize 32 bits of request_t.handle (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make qla2x00_restart_isp() easier to read (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make qla82xx_flash_wait_write_finish() easier to read (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make qlafx00_process_aen() return void (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Make qla_set_ini_mode() return void (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Reduce noisy debug message (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove an unused function (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove a superfluous cast (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove return value from qla_nvme_ls() (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Remove the __packed annotation from struct fcp_hdr and fcp_hdr_le (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: SAN congestion management implementation (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Simplify the functions for dumping firmware (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Sort BUILD_BUG_ON() statements alphabetically (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Split qla2x00_configure_local_loop() (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use ARRAY_SIZE() instead of open-coding it (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use make_handle() instead of open-coding it (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use MBX_TOV_SECONDS for mailbox command timeout values (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use register names instead of register offsets (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use true, false for ha->fw_dumped (bsc#1171688 bsc#1174003).
- scsi: qla2xxx: Use true, false for need_mpi_reset (bsc#1171688 bsc#1174003).
- scsi: smartpqi: add bay identifier (bsc#1172418).
- scsi: smartpqi: add gigabyte controller (bsc#1172418).
- scsi: smartpqi: add id support for SmartRAID 3152-8i (bsc#1172418).
- scsi: smartpqi: add inquiry timeouts (bsc#1172418).
- scsi: smartpqi: add module param for exposure order (bsc#1172418).
- scsi: smartpqi: add module param to hide vsep (bsc#1172418).
- scsi: smartpqi: add new pci ids (bsc#1172418).
- scsi: smartpqi: add pci ids for fiberhome controller (bsc#1172418).
- scsi: smartpqi: add RAID bypass counter (bsc#1172418).
- scsi: smartpqi: add sysfs entries (bsc#1172418).
- scsi: smartpqi: Align driver syntax with oob (bsc#1172418).
- scsi: smartpqi: avoid crashing kernel for controller issues (bsc#1172418).
- scsi: smartpqi: bump version (bsc#1172418).
- scsi: smartpqi: bump version (bsc#1172418).
- scsi: smartpqi: bump version to 1.2.16-010 (bsc#1172418).
- scsi: smartpqi: change TMF timeout from 60 to 30 seconds (bsc#1172418).
- scsi: smartpqi: correct hang when deleting 32 lds (bsc#1172418).
- scsi: smartpqi: correct REGNEWD return status (bsc#1172418).
- scsi: smartpqi: correct syntax issue (bsc#1172418).
- scsi: smartpqi: fix call trace in device discovery (bsc#1172418).
- scsi: smartpqi: fix controller lockup observed during force reboot (bsc#1172418).
- scsi: smartpqi: fix LUN reset when fw bkgnd thread is hung (bsc#1172418).
- scsi: smartpqi: fix problem with unique ID for physical device (bsc#1172418).
- scsi: smartpqi: identify physical devices without issuing INQUIRY (bsc#1172418).
- scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask (bsc#1172418).
- scsi: smartpqi: remove unused manifest constants (bsc#1172418).
- scsi: smartpqi: Reporting unhandled SCSI errors (bsc#1172418).
- scsi: smartpqi: support device deletion via sysfs (bsc#1172418).
- scsi: smartpqi: update copyright (bsc#1172418).
- scsi: smartpqi: update logical volume size after expansion (bsc#1172418).
- scsi: smartpqi: Use scnprintf() for avoiding potential buffer overflow (bsc#1172418).
- scsi: storvsc: Correctly set number of hardware queues for IDE disk (git-fixes).
- scsi: target/iblock: fix WRITE SAME zeroing (bsc#1169790).
- sctp: Do not advertise IPv4 addresses if ipv6only is set on the socket (networking-stable-20_06_28).
- selftests/livepatch: fix mem leaks in test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: more verification in test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: rework test-klp-shadow-vars (bsc#1071995).
- selftests/livepatch: simplify test-klp-callbacks busy target tests (bsc#1071995).
- serial: 8250: change lock order in serial8250_do_startup() (git-fixes).
- serial: pl011: Do not leak amba_ports entry on driver register error (git-fixes).
- serial: pl011: Fix oops on -EPROBE_DEFER (git-fixes).
- Set VIRTIO_CONSOLE=y (bsc#1175667).
- sign also s390x kernel images (bsc#1163524)
- soc: fsl: qbman: allow registering a device link for the portal user (bsc#1174550).
- soc: fsl: qbman_portals: add APIs to retrieve the probing status (bsc#1174550).
- spi: davinci: Remove uninitialized_var() usage (git-fixes).
- spi: lantiq: fix: Rx overflow error in full duplex mode (git-fixes).
- spi: nxp-fspi: Ensure width is respected in spi-mem operations (bsc#1175421).
- spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1175422).
- spi: spi-mem: export spi_mem_default_supports_op() (bsc#1175421).
- tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT (networking-stable-20_06_28).
- tcp: grow window for OOO packets only for SACK flows (networking-stable-20_06_28).
- tcp: make sure listeners do not initialize congestion-control state (networking-stable-20_07_17).
- tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() (networking-stable-20_07_17).
- tcp: md5: do not send silly options in SYNCOOKIES (networking-stable-20_07_17).
- tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers (networking-stable-20_07_17).
- tracepoint: Mark __tracepoint_string's __used (git-fixes).
- tracing: Use trace_sched_process_free() instead of exit() for pid tracing (git-fixes).
- tty: serial: fsl_lpuart: add imx8qxp support (bsc#1175670).
- tty: serial: fsl_lpuart: free IDs allocated by IDA (bsc#1175670).
- USB: cdc-acm: rework notification_buffer resizing (git-fixes).
- USB: gadget: f_tcm: Fix some resource leaks in some error paths (git-fixes).
- USB: host: ohci-exynos: Fix error handling in exynos_ohci_probe() (git-fixes).
- USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge (git-fixes).
- USB: iowarrior: fix up report size handling for some devices (git-fixes).
- usbip: tools: fix module name in man page (git-fixes).
- USB: rename USB quirk to USB_QUIRK_ENDPOINT_IGNORE (git-fixes).
- USB: serial: cp210x: enable usb generic throttle/unthrottle (git-fixes).
- USB: serial: cp210x: re-enable auto-RTS on open (git-fixes).
- USB: serial: ftdi_sio: clean up receive processing (git-fixes).
- USB: serial: ftdi_sio: fix break and sysrq handling (git-fixes).
- USB: serial: ftdi_sio: make process-packet buffer unsigned (git-fixes).
- USB: serial: iuu_phoenix: fix led-activity helpers (git-fixes).
- USB: serial: qcserial: add EM7305 QDL product ID (git-fixes).
- USB: xhci: define IDs for various ASMedia host controllers (git-fixes).
- USB: xhci: Fix ASM2142/ASM3142 DMA addressing (git-fixes).
- USB: xhci: Fix ASMedia ASM1142 DMA addressing (git-fixes).
- USB: xhci-mtk: fix the failure of bandwidth allocation (git-fixes).
- VFS: Check rename_lock in lookup_fast() (bsc#1174734).
- video: fbdev: sm712fb: fix an issue about iounmap for a wrong address (git-fixes).
- video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call (git-fixes).
- vlan: consolidate VLAN parsing code and limit max parsing depth (networking-stable-20_07_17).
- vmxnet3: use correct tcp hdr length when packet is encapsulated (bsc#1175199).
- vt_compat_ioctl(): clean up, use compat_ptr() properly (git-fixes).
- vt: vt_ioctl: remove unnecessary console allocation checks (git-fixes).
- watchdog: f71808e_wdt: clear watchdog timeout occurred flag (bsc#1111666).
- watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options (bsc#1111666).
- watchdog: f71808e_wdt: remove use of wrong watchdog_info option (bsc#1111666).
- wl1251: fix always return 0 error (git-fixes).
- x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1112178).
- x86/hyperv: Create and use Hyper-V page definitions (git-fixes).
- x86/hyper-v: Fix overflow bug in fill_gva_list() (git-fixes).
- x86/hyperv: Make hv_vcpu_is_preempted() visible (git-fixes).
- x86/mce/inject: Fix a wrong assignment of i_mce.status (bsc#1112178).
- x86/unwind/orc: Fix ORC for newly forked tasks (bsc#1058115).
- xen/balloon: fix accounting in alloc_xenballooned_pages error path (bsc#1065600).
- xen/balloon: make the balloon wait interruptible (bsc#1065600).
- xfrm: check id proto in validate_tmpl() (git-fixes).
- xfrm: clean up xfrm protocol checks (git-fixes).
- xfrm_user: uncoditionally validate esn replay attribute struct (git-fixes).
- xfs: fix inode allocation block res calculation precedence (git-fixes).
- xfs: fix reflink quota reservation accounting error (git-fixes).
- xhci: Fix enumeration issue when setting max packet size for FS devices (git-fixes).


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.26 2020-09-10T07:54:05

-----------------------------------------
Patch: SUSE-2020-2587
Released: Wed Sep  9 22:03:04 2020
Summary: Recommended update for procps
Severity: moderate
References: 1174660
Description:
This update for procps fixes the following issues:

- Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.27 2020-09-12T07:57:13

-----------------------------------------
Patch: SUSE-2020-2609
Released: Fri Sep 11 10:58:59 2020
Summary: Security update for libxml2
Severity: moderate
References: 1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595
Description:
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
- Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).
  

-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.33 2020-09-19T07:57:53

-----------------------------------------
Patch: SUSE-2020-2634
Released: Tue Sep 15 11:18:53 2020
Summary: Security update for compat-openssl098
Severity: important
References: 1153785,1176331,CVE-2019-1563,CVE-2020-1968
Description:
This update for compat-openssl098 fixes the following issues:

- CVE-2020-1968: Introduced hardening against the Raccoon attack by always generating fresh DH keys 
  and never reuse them across multiple TLS connections (bsc#1176331).


-----------------------------------------
Patch: SUSE-2020-2642
Released: Wed Sep 16 10:17:36 2020
Summary: Recommended update for crmsh
Severity: important
References: 1175057,1176178
Description:
This update for crmsh fixes the following issues:

- Fixes an issue by 'ssh_merge' function for compatibility. (bsc#1175057)
- Adjust sbd config process to fix bug on sbd stage. (bsc#1175057)
- Fixes an issue when parallax shows an error by joining a node. (bsc#1176178)


-----------------------------------------
Patch: SUSE-2020-2652
Released: Wed Sep 16 14:43:23 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1175811,1175830,1175831
Description:
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)


-----------------------------------------
Patch: SUSE-2020-2660
Released: Wed Sep 16 16:15:10 2020
Summary: Security update for libsolv
Severity: moderate
References: 1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description:
This update for libsolv fixes the following issues:

This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.

libsolv was updated to version 0.6.36 fixes the following issues:

Security issues fixed:

- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

Non-security issues fixed:

- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).



-----------------------------------------
Patch: SUSE-2020-2673
Released: Thu Sep 17 15:32:53 2020
Summary: Security update for samba
Severity: important
References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120,CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Description:
This update for samba to version 4.10.17 fixes the following issues:

- Fixed net command unable to negotiate SMB2; (bsc#1174120);
	  
- Update to 4.10.17
  - CVE-2020-10745: Invalid DNS or NBT queries containing dots use
    several seconds of CPU each; (bso#14378); (bsc#1173160).
  - CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
    and VLV combined; (bso#14364); (bsc#1173159).
  - CVE-2020-10760: Fix use-after-free in AD DC Global Catalog LDAP
    server with paged_result or VLV; (bso#14402); (1173161).
  - CVE-2020-14303: Fix endless loop from empty UDP packet sent to
    AD DC nbt_server; (bso#14417); (bsc#1173359).
  - CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ
    and VLV combined, ldb: Bump version to 1.5.8; (bso#14364);
    (bsc#1173159).
- Update to 4.10.16
    s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer
    from a getenv() pointer.
    lib:util: Fix smbclient -l basename dir; (bso#14345).
    Malicous SMB1 server can crash libsmbclient; (bso#14366).
    s3:libads: Fix ads_get_upn(); (bso#14336).
    docs-xml: Fix usernames in pam_winbind manpages; (bso#14358).
    Client tools are not able to read gencache anymore since 4.10; (bso#14370).
- Update to 4.10.15
   - CVE-2020-10700: Fix use-after-free in AD DC LDAP server when
     ASQ and paged_results combined; (bso#14331); (bsc#1169850).
   - CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in
     Samba AD DC; (bso#20454); (bsc#1169851).
- Update to 4.10.14
    s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239).
    s3: VFS: full_audit. Use system session_info if called from a
    temporary share definition; (bso#14283).
    nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#20193).
    dsdb: Correctly handle memory in objectclass_attrs; (bso#14258).
    auth: Fix CID 1458418 Null pointer dereferences (REVERSE_INULL),
    auth: Fix CID 1458420 Null pointer dereferences (REVERSE_INULL); (bso#14247).
    winbind member (source3) fails local SAM auth with empty domain
    name; (bso#14247).
    winbindd: Handling missing idmap in getgrgid(); (bso#14265).
    lib:util: Log mkdir error on correct debug levels; (bso#14253).
    wafsamba: Do not use 'rU' as the 'U' is deprecated in
    Python 3.9; (bso#14266).
    ctdb-tcp: Make error handling for outbound connection
    consistent; (bso#14274).
    Starting ctdb node that was powered off hard before results in
     recovery loop; (bso#14295).
- Update to 4.10.13
    s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return an
    inode number; (bso#14161).
    s3: utils: smbtree. Ensure we don't call cli_RNetShareEnum()
    on an SMB1 connection; (bso#14174).
    s3: libsmb: Ensure return from net_share_enum_rpc() sets
    cli->raw_status on error; (bso#14176).
    s3: smbd: SMB2 - Ensure we use the correct session_id if
    encrypting an interim response; (bso#14189).
    s3: smbd: Only set xconn->smb1.negprot.done = true after
    supported_protocols[protocol].proto_reply_fn() succeeds; (bso#14205).
    pygpo: Use correct method flags; (bso#14209).
    s3: Remove now unneeded call to cmdline_messaging_context(); (bso#13925).
    Incomplete conversion of former parametric options; (bso#14069).
    Fix sync dosmode fallback in async dosmode codepath; (bso#14070).
    vfs_fruit returns capped resource fork length; (bso#14171).
    s3:printing: Fix %J substition; (bso#13745).
    libnet_join: Add SPNs for additional-dns-hostnames entries; (bso#14116).
    Avoiding bad call flags with python 3.8, using METH_NOARGS
    instead of zero; (bso#14209).
    docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122).
    ctdb-tcp: Close inflight connecting TCP sockets after fork; (bso#14175).
    s4:dirsync: Fix interaction of dirsync and extended_dn controls; (bso#14153).
    upgradedns: Ensure lmdb lock files linked; (bso#14199).
    s3: VFS: glusterfs: Reset nlinks for symlink entries during
    readdir; (bso#14182).
    wscript: Remove checks for shm_open and shmget; (bso#14140).
    libsmbclient: smbc_stat() doesn't return the correct st_mode
    and also the uid/gid is not filled (SMBv1); (bso#14101).
    replace: Only link libnsl and libsocket if required; (bso#14168).
    librpc: Fix string length checking in
    ndr_pull_charset_to_null(); (bso#14219).
    heimdal-build: Avoid hard-coded /usr/include/heimdal in
    asn1_compile-generated code; (bso#13856).
    ctdb-tcp: Drop tracking of file descriptor for incoming
    connections; (bso#14175).
    ctdb-scripts: Strip square brackets when gathering connection
     info; (bso#14227).
- Update to 4.10.12
   - CVE-2019-14902: Replication of ACLs down subtree on AD Directory
     not automatic; (bso#12497); (bsc#1160850);
   - CVE-2019-14907: lib/util: Do not print the failed to convert
     string into the logs; (bso#14208); (bsc#1160888).
   - CVE-2019-19344: kcc dns scavenging: Fix use after free in
     dns_tombstone_records_zone; (bso#14050); (bsc#1160852).
- Update to 4.10.11
   - CVE-2019-14861: Fix DNSServer RPC server crash; (bso#14138);
     (bsc#1158108).
   - CVE-2019-14870: DelegationNotAllowed not being enforced; (bso#14187);
     (bsc#1158109).
- Update to 4.10.10
   - CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
     from evil server returned names; (bso#14071); (bsc#1144902).
   - CVE-2019-14833: Use utf8 characters in the unacceptable
     password; (bso#12438); (bsc#1154289).
   - CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
     combined with dirsync; (bso#14040); (bsc#1154598).
   - CVE-2019-14833 dsdb: Send full password to check password
     script; (bso#12438); (bsc#1154289).
- Update to 4.10.9
    Different Device Id for GlusterFS FUSE mount is causing data
    loss in CTDB cluster; (bso#13972).
    winbind: Provide passwd struct for group sid with ID_TYPE_BOTH
    mapping (again); (bso#14141).
    smbc_readdirplus() is incompatible with smbc_telldir() and
    smbc_lseekdir(); (bso#14094).
    s3: smbclient: Stop an SMB2-connection from blundering into
    SMB1-specific calls; (bso#14152).
    s4/scripting: MORE py3 compatible print functions.
    ldb: Release ldb 1.5.6; (bso#13978).
    undoduididx: Add 'or later' to warning about using tools from
    Samba 4.8; (bso#13978).
    ldb_tdb fails to check error return when parsing pack formats; (bso#13959).
    ctdb: Fix compilation on systems with glibc robust mutexes; (bso#14038).
    GPO security filtering based on the groups in Kerberos PAC (but
    primary group is missing); (bso#11362).
    Fix spnego fallback from kerberos to ntlmssp in smbd server; (bso#14106).
    s3-winbindd: fix forest trusts with additional trust attributes; (bso#14130).
    vfs_glusterfs: Use pthreadpool for scheduling aio operations; (bso#14098).
    ldb: baseinfo pack format check on init; (bso#13977).
    ldb: ldbdump key and pack format version comments; (bso#13978).
    Overlinking libreplace against librt and pthread against every
    binary or library causes issues; (bso#14140).
    ctdb-vacuum: Process all records not deleted on a remote node; (bso#14147).
    classicupgrade: Fix uncaught exception; (bso#14136).
    fault.c: Improve fault_report message text pointing to our wiki; (bso#14139).
    s3:client:Use DEVICE_URI, instead of argv[0],for Device URI; (bso#14128).
    We should send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID negotiation
    context; (bso#14055).
    'pam_winbind' with 'krb5_auth' or 'wbinfo -K' doesn't work for
    users of trusted domains/forests principals' logic; (bso#14124).
    vfs_glusterfs: Enable profiling for file system operations; (bso#14093).
    vfs_gpfs: Implement special case for denying owner access to
    ACL; (bso#14032).
    Joining Active Directory should not use SAMR to set the
    password; (bso#13884).
    s3:libsmb: Do not check the SPNEGO neg token for KRB5; (bso#14106).
    Overlinking libreplace against librt and pthread against every
    binary or library causes issues; (bso#14140).
    'kpasswd' fails when built with MIT Kerberos; (bso#14155).
    CTDB replies can be lost before nodes are bidirectionally
    connected; (bso#14084).
    'ctdb stop' command completes before databases are frozen; (bso#14087).
    ctdb-tools: Stop deleted nodes from influencing ctdb nodestatus
    exit code; (bso#14129).
    s3:ldap: Fix join with don't exists machine account; (bso#14007).
- Update to 4.10.8
   - CVE-2019-10197: Permissions check deny can allow user to escape
     from the share; (bso#14035); (bsc#1141267).
   - CVE-2019-10197: Permissions check deny can allow user to escape
     from the share; (bso#14035); (bsc#1141267).
- Update to 4.10.7
    Unable to create or rename file/directory inside shares
    configured with vfs_glusterfs_fuse module; (bso#14010).
    build: Allow build when '--disable-gnutls' is set; (bso#13844).
    samba-tool: Add 'import samba.drs_utils' to fsmo.py; (bso#13973).
    Fix 'Error 32 determining PSOs in system' message on old DB
    with FL upgrade; (bso#14008).
    s4/libnet: Fix joining a Windows pre-2008R2 DC; (bso#14021).
    join: Use a specific attribute order for the DsAddEntry
    nTDSDSA object; (bso#14046).
    vfs_catia: Pass stat info to synthetic_smb_fname(); (bso#14015).
    lookup_name: Allow own domain lookup when flags == 0; (bso#14091).
    s4 librpc rpc pyrpc: Ensure tevent_context deleted last; (bso#13932).
    DEBUGC and DEBUGADDC doesn't print into a class specific log
    file; (bso#13915).
    Request to keep deprecated option 'server schannel',
    VMWare Quickprep requires 'auto'; (bso#13949).
    dbcheck: Fallback to the default tombstoneLifetime of 180 days; (bso#13967).
    dnsProperty fails to decode values from older Windows versions; (bso#13969).
    samba-tool: Use only one LDAP modify for dns partition fsmo
    role transfer; (bso#13973).
    third_party: Update waf to version 2.0.17; (bso#13960).
    netcmd: Allow 'drs replicate --local' to create partitions; (bso#14051).
    ctdb-config: Depend on /etc/ctdb/nodes file; (bso#14017).
- Update to 4.10.6
    s3: winbind: Fix crash when invoking winbind idmap scripts; (bso#13956).
    smbd does not correctly parse arguments passed to dfree and
    quota scripts; (bso#13964).
    samba-tool dns: use bytes for inet_ntop; (bso#13965).
    samba-tool domain provision: Fix --interactive module in
    python3; (bso#13828).
    ldb_kv: Skip @ records early in a search full scan; (bso#13893).
    docs: Improve documentation of 'lanman auth' and 'ntlm auth'
    connection; (bso#13981).
    python/ntacls: Use correct 'state directory' smb.conf option
    instead of 'state dir'; (bso#14002).
    registry: Add a missing include; (bso#13840).
    Fix SMB guest authentication; (bso#13944).
    AppleDouble conversion breaks Resourceforks; (bso#13958).
    vfs_fruit makes direct use of syscalls like mmap() and pread(); (bso#13968).
    s3:mdssvc: Fix flex compilation error; (bso#13987).
    s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly:; (bso#13872).
    dsdb:samdb: schemainfo update with relax control; (bso#13799).
    s3:util: Move static file_pload() function to lib/util; (bso#13964).
    smbd: Fix a panic; (bso#13957).
    ldap server: Generate correct referral schemes; (bso#12478).
    s4 dsdb/repl_meta_data: fix use after free in
    dsdb_audit_add_ldb_value; (bso#13941).
    s4 dsdb: Fix use after free in
    samldb_rename_search_base_callback; (bso#13942).
    dsdb/repl: we need to replicate the whole schema before we can
    apply it; (bso#12204).
    ldb: Release ldb 1.5.5; (bso#12478).
    Schema replication fails if link crosses chunk boundary
    backwards; (bso#13713).
    'samba-tool domain schemaupgrade' uses relax control and skips
    the schemaInfo update provision; (bso#13799).
    dsdb_audit: avoid printing '... remote host [Unknown]
    SID [(NULL SID)] ...'; (bso#13916).
    python/ntacls: We only need security.SEC_STD_READ_CONTROL in
    order to get the ACL; (bso#13917).
    s3:loadparm: Ensure to truncate FS Volume Label at multibyte
    boundary; (bso#13947).
    Using Kerberos credentials to print using spoolss doesn't work; (bso#13939).
    wafsamba: Use native waf timer; (bso#13998).
    ctdb-scripts: Fix tcp_tw_recycle existence check; (bso#13984).

This update for ldb to version 1.5.8 fixes the following issues:

- Update to 1.5.8
   - CVE-2020-10730: Fixed a null de-reference in AD DC LDAP server when ASQ and VLV combined (bsc#1173159).
- Update to 1.5.7
   - CVE-2020-10700: Fixed a use-after-free in AD DC LDAP server when ASQ and paged_results combined (bsc#1169850).
- Update to 1.5.6
   - Fix segfault parsing new pack formats or invalid packed data 
   - Check for new pack formats during startup 
   - Making ldbdump print out pack format info and keys so we have
    low level visibility for testing in python 
- Update to 1.5.5
   LDAP_REFERRAL_SCHEME_OPAQUE was added 
   Skip @ records early in a search full scan 




-----------------------------------------
Patch: SUSE-2020-2674
Released: Thu Sep 17 23:46:11 2020
Summary: Recommended update for libvirt
Severity: moderate
References: 1175465
Description:
This update for libvirt fixes the following issue:

- Handle kernel without device-mapper support. (bsc#1175465)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.36 2020-09-23T08:17:55

-----------------------------------------
Patch: SUSE-2020-2687
Released: Mon Sep 21 10:54:58 2020
Summary: Security update for less
Severity: moderate
References: 921719,CVE-2014-9488
Description:
This update for less fixes the following issues:

Security issue fixed:

- CVE-2014-9488: Malformed UTF-8 data could have caused an out of bounds read in 
  the UTF-8 decoding routines, causing an invalid read access (bsc#921719).


-----------------------------------------
Patch: SUSE-2020-2690
Released: Mon Sep 21 10:57:00 2020
Summary: Security update for jasper
Severity: low
References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807,CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
Description:
This update for jasper fixes the following issues:

- CVE-2016-9398: Improved patch for already fixed issue (bsc#1010979).
- CVE-2016-9399: Fix assert in calcstepsizes (bsc#1010980).
- CVE-2016-9397: Fix assert in jpc_dequantize (bsc#1010786).
- CVE-2016-9557: Fix signed integer overflow (bsc#1011829).
- CVE-2017-5499: Validate component depth bit (bsc#1020451).
- CVE-2017-5503: Check bounds in jas_seq2d_bindsub() (bsc#1020456).
- CVE-2017-5504: Check bounds in jas_seq2d_bindsub() (bsc#1020458).
- CVE-2017-5505: Check bounds in jas_seq2d_bindsub() (bsc#1020460).
- CVE-2017-14132: Fix heap base overflow in by checking components (bsc#1057152).
- CVE-2018-9154: Fixed a potential denial of service in jpc_dec_process_sot() (bsc#1092115).
- CVE-2018-9252: Fix reachable assertion in jpc_abstorelstepsize (bsc#1088278).
- CVE-2018-18873: Fix null pointer deref in ras_putdatastd (bsc#1114498).
- CVE-2018-19139: Fix mem leaks by registering jpc_unk_destroyparms (bsc#1115637).
- CVE-2018-19543, bsc#1045450 CVE-2017-9782: Fix numchans mixup (bsc#1117328).
- CVE-2018-20570: Fix heap based buffer over-read in jp2_encode (bsc#1120807).
- CVE-2018-20622: Fix memory leak in jas_malloc.c (bsc#1120805).


-----------------------------------------
Patch: SUSE-2020-2696
Released: Mon Sep 21 15:33:10 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1148873,1176441
Description:
This update for crmsh fixes the following issues:

- Fixed an issue when 'hb_report' does not collect data from archived logs. (bsc#1148873, bsc#1176441)


-----------------------------------------
Patch: SUSE-2020-2699
Released: Mon Sep 21 17:53:48 2020
Summary: Security update for python3
Severity: important
References: 1088004,1088009,1130840,1141853,1149955,1153238,1162423,1173274,1174091,1174701,CVE-2018-14647,CVE-2018-20852,CVE-2019-16056,CVE-2019-16935,CVE-2019-20907,CVE-2019-9947,CVE-2020-14422
Description:
This update for python3 fixes the following issues:

- CVE-2019-20907: Fixed denial of service by avoiding possible infinite loop in specifically crafted tarball (bsc#1174091).
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface 
  could have led to denial of service (bsc#1173274).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.38 2020-09-24T07:55:19

-----------------------------------------
Patch: SUSE-2020-2720
Released: Wed Sep 23 11:31:00 2020
Summary: Security update for samba
Severity: important
References: 1176579,CVE-2020-1472
Description:
This update for samba fixes the following issues:

- Update to 4.10.18
-  ZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established
a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) 
(CVE-2020-1472, bsc#1176579).


-----------------------------------------
Patch: SUSE-2020-2728
Released: Wed Sep 23 16:00:13 2020
Summary: Security update for cifs-utils
Severity: moderate
References: 1174477,CVE-2020-14342
Description:
This update for cifs-utils fixes the following issues:

- CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477). 


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.41 2020-09-29T07:55:30

-----------------------------------------
Patch: SUSE-2020-2751
Released: Fri Sep 25 12:55:39 2020
Summary: Security update for libqt5-qtbase
Severity: important
References: 1172515,1176315,CVE-2020-17507
Description:
This update for libqt5-qtbase fixes the following issues:

- CVE-2020-17507: Fixed a buffer overflow in XBM parser (bsc#1176315)
- Made handling of XDG_RUNTIME_DIR more secure (bsc#1172515)	  


-----------------------------------------
Patch: SUSE-2020-2756
Released: Fri Sep 25 19:45:25 2020
Summary: Recommended update for sbd
Severity: moderate
References: 1108393,1143064,1148236,1174915,963674
Description:
This update for sbd fixes the following issues:

- sbd-inquisitor: Refuse to start if any of the configured device names is invalid.
  (bsc#1174915)
- scheduling: Complete overhaul. (bsc#1143064)
- doc: Add environment section to man-page.
- agent: Correctly compare string values when calculating timeout. (bsc#1148236)
- regressions.sh: Relaxed timeouts for tests under load.
- systemd: Make pacemaker & dlm wait for sbd-start to complete. (bsc#1108393)
- Fix node name parameter in manpage. (bsc#963674)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.42 2020-09-30T07:55:58

-----------------------------------------
Patch: SUSE-2020-2778
Released: Tue Sep 29 11:27:26 2020
Summary: Recommended update for rsyslog
Severity: moderate
References: 1173433
Description:
This update for rsyslog fixes the following issues:

- Fix the URL for bug reporting. (bsc#1173433)


-----------------------------------------
Patch: SUSE-2020-2788
Released: Tue Sep 29 14:13:01 2020
Summary: Security update for xen
Severity: important
References: 1027519,1175534,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-14364,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
Description:
This update for xen fixes the following issues:

- CVE-2020-25602: Fixed an issue where there was a crash when
  handling guest access to MSR_MISC_ENABLE was thrown (bsc#1176339,XSA-333)
- CVE-2020-25598: Added a missing unlock in XENMEM_acquire_resource error path
  (bsc#1176341,XSA-334)
- CVE-2020-25604: Fixed a race condition when migrating timers between x86 
  HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to  missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)	  
- CVE-2020-14364: Fixed an out-of-bounds read/write access while processing usb packets (bsc#1175534).
- Various bug fixes (bsc#1027519)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.44 2020-10-01T07:55:31

-----------------------------------------
Patch: SUSE-2020-2802
Released: Wed Sep 30 09:59:28 2020
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1174697
Description:
This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)


-----------------------------------------
Patch: SUSE-2020-2806
Released: Wed Sep 30 14:36:08 2020
Summary: Security update for tar
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
Description:
This update for tar fixes the following issues:

Security issues fixed:

- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).


-----------------------------------------
Patch: SUSE-2020-2810
Released: Wed Sep 30 15:06:04 2020
Summary: Recommended update for lvm2
Severity: moderate
References: 1123327,1172597,1173503,1175110,998893
Description:
This update for lvm2 fixes the following issues:

- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)
- Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)
- Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503)
- Fixes an issue when LVM initialization failed during reboot. (bsc#998893)
- Fixed a misplaced parameter in the lvm configuration. (bsc#1123327)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.45 2020-10-04T07:58:11

-----------------------------------------
Patch: SUSE-2020-2838
Released: Fri Oct  2 12:15:15 2020
Summary: Recommended update for Salt
Severity: moderate
References: 1173909,1173911,1175549,1176480
Description:

This update fixes the following issues:

salt:

- Fix virt.update with CPU defined
- Fix virt issues and invalid input errors from 'salt.utils.data' (bsc#1176480)
- Reintroduces the patches from
  opensuse-3000.2-virt-backports-236.patch coming from Salt 3001
- Do not raise StreamClosedError traceback but only log it (bsc#1175549)
- Various fixes to the mysql module to break out the handling of user
- Take care of failed, skipped and unreachable tasks and propagate 'retcode' (bsc#1173911) (bsc#1173909)



-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.48 2020-10-13T07:58:25

-----------------------------------------
Patch: SUSE-2020-2881
Released: Fri Oct  9 14:43:50 2020
Summary: Security update for tigervnc
Severity: critical
References: 1176733,CVE-2020-26117
Description:
This update for tigervnc fixes the following issues:

- CVE-2020-26117: Server certificates were stored as certiticate
  authorities, allowing malicious owners of these certificates
  to impersonate any server after a client had added an exception
  (bsc#1176733)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.49 2020-10-15T07:59:02

-----------------------------------------
Patch: SUSE-2020-2897
Released: Tue Oct 13 14:00:25 2020
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1170347,1176759
Description:
This update for suse-build-key fixes the following issues:

- This update extends the suse build key (bsc#1176759)
- The SUSE container key is different from the build key. (PM-1845 bsc#1170347)


-----------------------------------------
Patch: SUSE-2020-2900
Released: Tue Oct 13 14:20:15 2020
Summary: Security update for libproxy
Severity: important
References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154
Description:
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).	  


-----------------------------------------
Patch: SUSE-2020-2904
Released: Tue Oct 13 15:46:50 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1055186,1065600,1065729,1094244,1112178,1113956,1154366,1163524,1167527,1168468,1169972,1171675,1171688,1171742,1173115,1174354,1174899,1175228,1175528,1175716,1175749,1175882,1176011,1176022,1176038,1176235,1176242,1176278,1176316,1176317,1176318,1176319,1176320,1176321,1176381,1176423,1176482,1176507,1176536,1176544,1176545,1176546,1176548,1176659,1176698,1176699,1176700,1176721,1176722,1176725,1176732,1176788,1176789,1176869,1176877,1176935,1176950,1176962,1176966,1176990,1177030,1177041,1177042,1177043,1177044,1177121,1177206,1177258,1177291,1177293,1177294,1177295,1177296,CVE-2020-0404,CVE-2020-0427,CVE-2020-0431,CVE-2020-0432,CVE-2020-14381,CVE-2020-14390,CVE-2020-25212,CVE-2020-25284,CVE-2020-25641,CVE-2020-25643,CVE-2020-26088
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).
- CVE-2019-25643: Fixed an improper input validation in ppp_cp_parse_cr function which could have led to memory corruption and read overflow (bsc#1177206).
- CVE-2020-25641: Fixed ann issue where length bvec was causing softlockups (bsc#1177121).

The following non-security bugs were fixed:

- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE (git-fixes).
- airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE (git-fixes).
- airo: Fix read overflows sending packets (git-fixes).
- ALSA: asihpi: fix iounmap in error handler (git-fixes).
- ALSA: firewire-digi00x: exclude Avid Adrenaline from detection (git-fixes).
- ALSA: firewire-tascam: exclude Tascam FE-8 from detection (git-fixes).
- ALSA: hda: Fix 2 channel swapping for Tegra (git-fixes).
- ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled (git-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A (git-fixes).
- ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen (git-fixes).
- altera-stapl: altera_get_note: prevent write beyond end of 'key' (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: KVM: Do not generate UNDEF when LORegion feature is present (jsc#SLE-4084).
- arm64: KVM: regmap: Fix unexpected switch fall-through (jsc#SLE-4084).
- asm-generic: fix -Wtype-limits compiler warnings (bsc#1112178).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: tegra: Fix reference count leaks (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- batman-adv: Add missing include for in_interrupt() (git-fixes).
- batman-adv: Avoid uninitialized chaddr when handling DHCP (git-fixes).
- batman-adv: bla: fix type misuse for backbone_gw hash indexing (git-fixes).
- batman-adv: bla: use netif_rx_ni when not in interrupt context (git-fixes).
- batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh (git-fixes).
- batman-adv: mcast/TT: fix wrongly dropped or rerouted packets (git-fixes).
- bcache: Convert pr_<level> uses to a more typical style (git fixes (block drivers)).
- bcache: fix overflow in offset_to_stripe() (git fixes (block drivers)).
- bcm63xx_enet: correct clock usage (git-fixes).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (git-fixes).
- bitfield.h: do not compile-time validate _val in FIELD_FIT (git fixes (bitfield)).
- blktrace: fix debugfs use after free (git fixes (block drivers)).
- block: add docs for gendisk / request_queue refcount helpers (git fixes (block drivers)).
- block: revert back to synchronous request_queue removal (git fixes (block drivers)).
- block: Use non _rcu version of list functions for tag_set_list (git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- bnxt_en: Fix completion ring sizing with TPA enabled (networking-stable-20_07_29).
- bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM (git-fixes).
- btrfs: avoid possible signal interruption of btrfs_drop_snapshot() on relocation tree (bsc#1174354).
- btrfs: balance: print to system log when balance ends or is paused (bsc#1174354).
- btrfs: relocation: allow signal to cancel balance (bsc#1174354).
- btrfs: relocation: review the call sites which can be interrupted by signal (bsc#1174354).
- btrfs: require only sector size alignment for parent eb bytenr (bsc#1176789).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1174354).
- btrfs: tree-checker: fix the error message for transid error (bsc#1176788).
- ceph: do not allow setlease on cephfs (bsc#1177041).
- ceph: fix potential mdsc use-after-free crash (bsc#1177042).
- ceph: fix use-after-free for fsc->mdsc (bsc#1177043).
- ceph: handle zero-length feature mask in session messages (bsc#1177044).
- cfg80211: regulatory: reject invalid hints (bsc#1176699).
- cifs: Fix leak when handling lease break for cached root fid (bsc#1176242).
- cifs/smb3: Fix data inconsistent when punch hole (bsc#1176544).
- cifs/smb3: Fix data inconsistent when zero file range (bsc#1176536).
- clk: Add (devm_)clk_get_optional() functions (git-fixes).
- clk: rockchip: Fix initialization of mux_pll_src_4plls_p (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
- cpufreq: intel_pstate: Fix EPP setting via sysfs in active mode (bsc#1176966).
- crypto: dh - check validity of Z before export (bsc#1175716).
- crypto: dh - SP800-56A rev 3 local public key validation  (bsc#1175716).
- crypto: ecc - SP800-56A rev 3 local public key validation (bsc#1175716).
- crypto: ecdh - check validity of Z before export (bsc#1175716).
- dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() (git-fixes).
- dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling (git-fixes).
- dmaengine: pl330: Fix burst length if burst size is smaller than bus width (git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dm crypt: avoid truncating the logical block size (git fixes (block drivers)).
- dm: fix redundant IO accounting for bios that need splitting (git fixes (block drivers)).
- dm integrity: fix a deadlock due to offloading to an incorrect workqueue (git fixes (block drivers)).
- dm integrity: fix integrity recalculation that is improperly skipped (git fixes (block drivers)).
- dm: report suspended device during destroy (git fixes (block drivers)).
- dm rq: do not call blk_mq_queue_stopped() in dm_stop_queue() (git fixes (block drivers)).
- dm: use noio when sending kobject event (git fixes (block drivers)).
- dm writecache: add cond_resched to loop in persistent_memory_claim() (git fixes (block drivers)).
- dm writecache: correct uncommitted_block when discarding uncommitted entry (git fixes (block drivers)).
- dm zoned: assign max_io_len correctly (git fixes (block drivers)).
- Drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
- Drivers: hv: Specify receive buffer size using Hyper-V page size (bsc#1176877).
- Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload (git-fixes).
- drivers/net/wan/x25_asy: Fix to make it work (networking-stable-20_07_29).
- drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic (git-fixes).
- drm/amd/display: fix ref count leak in amdgpu_drm_ioctl (git-fixes).
- drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails (git-fixes).
- drm/amdgpu: Fix buffer overflow in INFO ioctl (git-fixes).
- drm/amdgpu: Fix bug in reporting voltage for CIK (git-fixes).
- drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms (git-fixes).
- drm/amdgpu: increase atombios cmd timeout (git-fixes).
- drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdkfd: fix a memory leak issue (git-fixes).
- drm/amdkfd: Fix reference count leaks (git-fixes).
- drm/amd/pm: correct Vega10 swctf limit setting (git-fixes).
- drm/amd/pm: correct Vega12 swctf limit setting (git-fixes).
- drm/ast: Initialize DRAM type before posting GPU (bsc#1113956) 	* context changes
- drm/mediatek: Add exception handing in mtk_drm_probe() if component init fail (git-fixes).
- drm/mediatek: Add missing put_device() call in mtk_hdmi_dt_parse_pdata() (git-fixes).
- drm/msm/a5xx: Always set an OPP supported hardware value (git-fixes).
- drm/msm: add shutdown support for display platform_driver (git-fixes).
- drm/msm: Disable preemption on all 5xx targets (git-fixes).
- drm/msm: fix leaks if initialization fails (git-fixes).
- drm/msm/gpu: make ringbuffer readonly (bsc#1112178) 	* context changes
- drm/nouveau/debugfs: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/dispnv50: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open (git-fixes).
- drm/nouveau: Fix reference count leak in nouveau_connector_detect (git-fixes).
- drm/nouveau: fix reference count leak in nv50_disp_atomic_commit (git-fixes).
- drm/nouveau: fix runtime pm imbalance on error (git-fixes).
- drm/omap: fix possible object reference leak (git-fixes).
- drm/radeon: fix multiple reference count leak (git-fixes).
- drm/radeon: Prefer lower feedback dividers (git-fixes).
- drm/radeon: revert 'Prefer lower feedback dividers' (git-fixes).
- drm/sun4i: Fix dsi dcs long write function (git-fixes).
- drm/sun4i: sun8i-csc: Secondary CSC register correction (git-fixes).
- drm/tve200: Stabilize enable/disable (git-fixes).
- drm/vc4/vc4_hdmi: fill ASoC card owner (git-fixes).
- e1000: Do not perform reset in reset_task if we are already down (git-fixes).
- fbcon: prevent user font height or width change from causing (bsc#1112178) 	* move from drivers/video/fbdev/fbcon to drivers/video/console 	* context changes
- Fix error in kabi fix for: NFSv4: Fix OPEN / CLOSE race (bsc#1176950).
- ftrace: Move RCU is watching check after recursion check (git-fixes).
- ftrace: Setup correct FTRACE_FL_REGS flags for module (git-fixes).
- gma/gma500: fix a memory disclosure bug due to uninitialized bytes (git-fixes).
- gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
- gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() (git-fixes).
- gtp: fix Illegal context switch in RCU read-side critical section (git-fixes).
- gtp: fix use-after-free in gtp_newlink() (git-fixes).
- HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() (git-fixes).
- hsr: use netdev_err() instead of WARN_ONCE() (bsc#1176659).
- hv_utils: drain the timesync packets on onchannelcallback (bsc#1176877).
- hv_utils: return error if host timesysnc update is stale (bsc#1176877).
- hwmon: (applesmc) check status earlier (git-fixes).
- i2c: core: Do not fail PRP0001 enumeration when no ID table exist (git-fixes).
- i2c: cpm: Fix i2c_ram structure (git-fixes).
- ibmvnic: add missing parenthesis in do_reset() (bsc#1176700 ltc#188140).
- ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
- ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
- iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak (git-fixes).
- iio: accel: kxsd9: Fix alignment of local buffer (git-fixes).
- iio:accel:mma7455: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:adc:ina2xx Fix timestamp alignment issue (git-fixes).
- iio: adc: mcp3422: fix locking on error path (git-fixes).
- iio: adc: mcp3422: fix locking scope (git-fixes).
- iio:adc:ti-adc081c Fix alignment and data leak issues (git-fixes).
- iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set (git-fixes).
- iio: improve IIO_CONCENTRATION channel type description (git-fixes).
- iio:light:ltr501 Fix timestamp alignment issue (git-fixes).
- iio:light:max44000 Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magnetometer:ak8975 Fix alignment and data leak issues (git-fixes).
- include: add additional sizes (bsc#1094244 ltc#168122).
- iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177293).
- iommu/amd: Fix potential @entry null deref (bsc#1177294).
- iommu/amd: Print extended features in one line to fix divergent log levels (bsc#1176316).
- iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177291).
- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (bsc#1176317).
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177295).
- iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE (bsc#1176318).
- iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177296).
- iommu/omap: Check for failure of a call to omap_iommu_dump_ctx (bsc#1176319).
- iommu/vt-d: Serialize IOMMU GCMD register modifications (bsc#1176320).
- kernel-binary.spec.in: SLE12 tar does not understand --verbatim-files-from
- kernel-syms.spec.in: Also use bz compression (boo#1175882).
- KVM: arm64: Change 32-bit handling of VM system registers (jsc#SLE-4084).
- KVM: arm64: Cleanup __activate_traps and __deactive_traps for VHE and non-VHE (jsc#SLE-4084).
- KVM: arm64: Configure c15, PMU, and debug register traps on cpu load/put for VHE (jsc#SLE-4084).
- KVM: arm64: Defer saving/restoring 32-bit sysregs to vcpu load/put (jsc#SLE-4084).
- KVM: arm64: Defer saving/restoring 64-bit sysregs to vcpu load/put on VHE (jsc#SLE-4084).
- KVM: arm64: Directly call VHE and non-VHE FPSIMD enabled functions (jsc#SLE-4084).
- KVM: arm64: Do not deactivate VM on VHE systems (jsc#SLE-4084).
- KVM: arm64: Do not save the host ELR_EL2 and SPSR_EL2 on VHE systems (jsc#SLE-4084).
- KVM: arm64: Factor out fault info population and gic workarounds (jsc#SLE-4084).
- KVM: arm64: Fix order of vcpu_write_sys_reg() arguments (jsc#SLE-4084).
- KVM: arm64: Forbid kprobing of the VHE world-switch code (jsc#SLE-4084).
- KVM: arm64: Improve debug register save/restore flow (jsc#SLE-4084).
- KVM: arm64: Introduce framework for accessing deferred sysregs (jsc#SLE-4084).
- KVM: arm64: Introduce separate VHE/non-VHE sysreg save/restore functions (jsc#SLE-4084).
- KVM: arm64: Introduce VHE-specific kvm_vcpu_run (jsc#SLE-4084).
- KVM: arm64: Move common VHE/non-VHE trap config in separate functions (jsc#SLE-4084).
- KVM: arm64: Move debug dirty flag calculation out of world switch (jsc#SLE-4084).
- KVM: arm64: Move HCR_INT_OVERRIDE to default HCR_EL2 guest flag (jsc#SLE-4084).
- KVM: arm64: Move userspace system registers into separate function (jsc#SLE-4084).
- KVM: arm64: Prepare to handle deferred save/restore of 32-bit registers (jsc#SLE-4084).
- KVM: arm64: Prepare to handle deferred save/restore of ELR_EL1 (jsc#SLE-4084).
- KVM: arm64: Remove kern_hyp_va() use in VHE switch function (jsc#SLE-4084).
- KVM: arm64: Remove noop calls to timer save/restore from VHE switch (jsc#SLE-4084).
- KVM: arm64: Rework hyp_panic for VHE and non-VHE (jsc#SLE-4084).
- KVM: arm64: Rewrite sysreg alternatives to static keys (jsc#SLE-4084).
- KVM: arm64: Rewrite system register accessors to read/write functions (jsc#SLE-4084).
- KVM: arm64: Slightly improve debug save/restore functions (jsc#SLE-4084).
- KVM: arm64: Unify non-VHE host/guest sysreg save and restore functions (jsc#SLE-4084).
- KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE (jsc#SLE-4084).
- KVM: arm/arm64: Avoid vcpu_load for other vcpu ioctls than KVM_RUN (jsc#SLE-4084).
- KVM: arm/arm64: Avoid VGICv3 save/restore on VHE with no IRQs (jsc#SLE-4084).
- KVM: arm/arm64: Get rid of vcpu->arch.irq_lines (jsc#SLE-4084).
- KVM: arm/arm64: Handle VGICv3 save/restore from the main VGIC code on VHE (jsc#SLE-4084).
- KVM: arm/arm64: Move vcpu_load call after kvm_vcpu_first_run_init (jsc#SLE-4084).
- KVM: arm/arm64: Move VGIC APR save/restore to vgic put/load (jsc#SLE-4084).
- KVM: arm/arm64: Prepare to handle deferred save/restore of SPSR_EL1 (jsc#SLE-4084).
- KVM: arm/arm64: Remove leftover comment from kvm_vcpu_run_vhe (jsc#SLE-4084).
- KVM: introduce kvm_arch_vcpu_async_ioctl (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_fpu (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_mpstate (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_regs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_run (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_fpu (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_guest_debug (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_mpstate (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_regs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_sregs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_translate (jsc#SLE-4084).
- KVM: PPC: Fix compile error that occurs when CONFIG_ALTIVEC=n (jsc#SLE-4084).
- KVM: Prepare for moving vcpu_load/vcpu_put into arch specific code (jsc#SLE-4084).
- KVM: SVM: Add a dedicated INVD intercept routine (bsc#1112178).
- KVM: SVM: Fix disable pause loop exit/pause filtering capability on SVM (bsc#1176321).
- KVM: Take vcpu->mutex outside vcpu_load (jsc#SLE-4084).
- libceph: allow setting abort_on_full for rbd (bsc#1169972).
- lib/mpi: Add mpi_sub_ui() (bsc#1175716).
- libnvdimm: cover up nvdimm_security_ops changes (bsc#1171742).
- libnvdimm: cover up struct nvdimm changes (bsc#1171742).
- libnvdimm/security, acpi/nfit: unify zero-key for all security commands (bsc#1171742).
- libnvdimm/security: fix a typo (bsc#1171742 bsc#1167527).
- libnvdimm/security: Introduce a 'frozen' attribute (bsc#1171742).
- lib/raid6: use vdupq_n_u8 to avoid endianness warnings (git fixes (block drivers)).
- mac802154: tx: fix use-after-free (git-fixes).
- md: raid0/linear: fix dereference before null check on pointer mddev (git fixes (block drivers)).
- media: davinci: vpif_capture: fix potential double free (git-fixes).
- media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() (git-fixes).
- media: smiapp: Fix error handling at NVM reading (git-fixes).
- media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
- mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs (git-fixes).
- mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes).
- mm: Avoid calling build_all_zonelists_init under hotplug context (bsc#1154366).
- mmc: cqhci: Add cqhci_deactivate() (git-fixes).
- mmc: sdhci-msm: Add retries when all tuning phases are found valid (git-fixes).
- mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes).
- mm/page_alloc.c: fix a crash in free_pages_prepare() (git fixes (mm/pgalloc)).
- mm/vmalloc.c: move 'area->pages' after if statement (git fixes (mm/vmalloc)).
- mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes).
- mtd: lpddr: Fix a double free in probe() (git-fixes).
- mtd: phram: fix a double free issue in error path (git-fixes).
- mtd: properly check all write ioctls for permissions (git-fixes).
- net: dsa: b53: Fix sparse warnings in b53_mmap.c (git-fixes).
- net: dsa: b53: Use strlcpy() for ethtool::get_strings (git-fixes).
- net: dsa: mv88e6xxx: fix 6085 frame mode masking (git-fixes).
- net: dsa: mv88e6xxx: Fix interrupt masking on removal (git-fixes).
- net: dsa: mv88e6xxx: Fix name of switch 88E6141 (git-fixes).
- net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() (git-fixes).
- net: dsa: mv88e6xxx: Unregister MDIO bus on error path (git-fixes).
- net: dsa: qca8k: Allow overwriting CPU port setting (git-fixes).
- net: dsa: qca8k: Enable RXMAC when bringing up a port (git-fixes).
- net: dsa: qca8k: Force CPU port to its highest bandwidth (git-fixes).
- net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() (git-fixes).
- net: fs_enet: do not call phy_stop() in interrupts (git-fixes).
- net: initialize fastreuse on inet_inherit_port (networking-stable-20_08_15).
- net: lan78xx: Bail out if lan78xx_get_endpoints fails (git-fixes).
- net: lan78xx: replace bogus endpoint lookup (networking-stable-20_08_08).
- net: lio_core: fix potential sign-extension overflow on large shift (git-fixes).
- net/mlx5: Add meaningful return codes to status_to_err function (git-fixes).
- net/mlx5: E-Switch, Use correct flags when configuring vlan (git-fixes).
- net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded (git-fixes).
- net: mvneta: fix mtu change on port without link (git-fixes).
- net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()) (git-fixes).
- net/nfc/rawsock.c: add CAP_NET_RAW check (networking-stable-20_08_15).
- net: qca_spi: Avoid packet drop during initial sync (git-fixes).
- net: qca_spi: Make sure the QCA7000 reset is triggered (git-fixes).
- net: refactor bind_bucket fastreuse into helper (networking-stable-20_08_15).
- net/smc: fix dmb buffer shortage (git-fixes).
- net/smc: fix restoring of fallback changes (git-fixes).
- net/smc: fix sock refcounting in case of termination (git-fixes).
- net/smc: improve close of terminated socket (git-fixes).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump() (git-fixes).
- net/smc: remove freed buffer from list (git-fixes).
- net/smc: reset sndbuf_desc if freed (git-fixes).
- net/smc: set rx_off for SMCR explicitly (git-fixes).
- net/smc: switch smcd_dev_list spinlock to mutex (git-fixes).
- net/smc: tolerate future SMCD versions (git-fixes).
- net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() (git-fixes).
- net: stmmac: Disable ACS Feature for GMAC >= 4 (git-fixes).
- net: stmmac: do not stop NAPI processing when dropping a packet (git-fixes).
- net: stmmac: dwmac4: fix flow control issue (git-fixes).
- net: stmmac: dwmac_lib: fix interchanged sleep/timeout values in DMA reset function (git-fixes).
- net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array (git-fixes).
- net: stmmac: dwmac-meson8b: fix internal RGMII clock configuration (git-fixes).
- net: stmmac: dwmac-meson8b: fix setting the RGMII TX clock on Meson8b (git-fixes).
- net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs (git-fixes).
- net: stmmac: dwmac-meson8b: only configure the clocks in RGMII mode (git-fixes).
- net: stmmac: dwmac-meson8b: propagate rate changes to the parent clock (git-fixes).
- net: stmmac: Fix error handling path in 'alloc_dma_rx_desc_resources()' (git-fixes).
- net: stmmac: Fix error handling path in 'alloc_dma_tx_desc_resources()' (git-fixes).
- net: stmmac: rename dwmac4_tx_queue_routing() to match reality (git-fixes).
- net: stmmac: set MSS for each tx DMA channel (git-fixes).
- net: stmmac: Use correct values in TQS/RQS fields (git-fixes).
- net-sysfs: add a newline when printing 'tx_timeout' by sysfs (networking-stable-20_07_29).
- net: systemport: Fix software statistics for SYSTEMPORT Lite (git-fixes).
- net: systemport: Fix sparse warnings in bcm_sysport_insert_tsb() (git-fixes).
- net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() (git-fixes).
- net: ucc_geth - fix Oops when changing number of buffers in the ring (git-fixes).
- NFSv4: do not mark all open state for recovery when handling recallable state revoked flag (bsc#1176935).
- nvme-fc: set max_segments to lldd max value (bsc#1176038).
- nvme-pci: override the value of the controller's numa node (bsc#1176507).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- omapfb: fix multiple reference count leaks due to pm_runtime_get_sync (git-fixes).
- PCI/ASPM: Allow re-enabling Clock PM (git-fixes).
- PCI: Fix pci_create_slot() reference count leak (git-fixes).
- PCI: qcom: Add missing ipq806x clocks in PCIe driver (git-fixes).
- PCI: qcom: Add missing reset for ipq806x (git-fixes).
- PCI: qcom: Add support for tx term offset for rev 2.1.0 (git-fixes).
- PCI: qcom: Define some PARF params needed for ipq8064 SoC (git-fixes).
- PCI: rcar: Fix incorrect programming of OB windows (git-fixes).
- phy: samsung: s5pv210-usb2: Add delay after reset (git-fixes).
- pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
- powerpc/64s: Blacklist functions invoked on a trap (bsc#1094244 ltc#168122).
- powerpc/64s: Fix HV NMI vs HV interrupt recoverability test (bsc#1094244 ltc#168122).
- powerpc/64s: Fix unrelocated interrupt trampoline address test (bsc#1094244 ltc#168122).
- powerpc/64s: Include <asm/nmi.h> header file to fix a warning (bsc#1094244 ltc#168122).
- powerpc/64s: machine check do not trace real-mode handler (bsc#1094244 ltc#168122).
- powerpc/64s: sreset panic if there is no debugger or crash dump handlers (bsc#1094244 ltc#168122).
- powerpc/64s: system reset interrupt preserve HSRRs (bsc#1094244 ltc#168122).
- powerpc: Add cputime_to_nsecs() (bsc#1065729).
- powerpc/book3s64/radix: Add kernel command line option to disable radix GTSE (bsc#1055186 ltc#153436).
- powerpc/book3s64/radix: Fix boot failure with large amount of guest memory (bsc#1176022 ltc#187208).
- powerpc: Implement ftrace_enabled() helpers (bsc#1094244 ltc#168122).
- powerpc/init: Do not advertise radix during client-architecture-support (bsc#1055186 ltc#153436 ).
- powerpc/kernel: Cleanup machine check function declarations (bsc#1065729).
- powerpc/kernel: Enables memory hot-remove after reboot on pseries guests (bsc#1177030 ltc#187588).
- powerpc/mm: Enable radix GTSE only if supported (bsc#1055186 ltc#153436).
- powerpc/mm: Limit resize_hpt_for_hotplug() call to hash guests only (bsc#1177030 ltc#187588).
- powerpc/mm: Move book3s64 specifics in subdirectory mm/book3s64 (bsc#1176022 ltc#187208).
- powerpc/powernv: Remove real mode access limit for early allocations (bsc#1176022 ltc#187208).
- powerpc/prom: Enable Radix GTSE in cpu pa-features (bsc#1055186 ltc#153436).
- powerpc/pseries/le: Work around a firmware quirk (bsc#1094244 ltc#168122).
- powerpc/pseries: lift RTAS limit for radix (bsc#1176022 ltc#187208).
- powerpc/pseries: Limit machine check stack to 4GB (bsc#1094244 ltc#168122).
- powerpc/pseries: Machine check use rtas_call_unlocked() with args on stack (bsc#1094244 ltc#168122).
- powerpc/pseries: radix is not subject to RMA limit, remove it (bsc#1176022 ltc#187208).
- powerpc/pseries/ras: Avoid calling rtas_token() in NMI paths (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: Fix FWNMI_VALID off by one (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi avoid modifying r3 in error case (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi sreset should not interlock (bsc#1094244 ltc#168122).
- powerpc/traps: Do not trace system reset (bsc#1094244 ltc#168122).
- powerpc/traps: fix recoverability of machine check handling on book3s/32 (bsc#1094244 ltc#168122).
- powerpc/traps: Make unrecoverable NMIs die instead of panic (bsc#1094244 ltc#168122).
- powerpc/xmon: Use `dcbf` inplace of `dcbi` instruction for 64bit Book3S (bsc#1065729).
- power: supply: max17040: Correct voltage reading (git-fixes).
- rcu: Do RCU GP kthread self-wakeup from softirq and interrupt (git fixes (rcu)).
- regulator: push allocation in set_consumer_device_supply() out of lock (git-fixes).
- rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules (bsc#1176869 ltc#188243).
- rpm/constraints.in: recognize also kernel-source-azure (bsc#1176732)
- rpm/kernel-binary.spec.in: Also sign ppc64 kernels (jsc#SLE-15857 jsc#SLE-13618).
- rpm/kernel-cert-subpackage: add CA check on key enrollment (bsc#1173115) To avoid the unnecessary key enrollment, when enrolling the signing key of the kernel package, '--ca-check' is added to mokutil so that mokutil will ignore the request if the CA of the signing key already exists in MokList or UEFI db. Since the macro, %_suse_kernel_module_subpackage, is only defined in a kernel module package (KMP), it's used to determine whether the %post script is running in a kernel package, or a kernel module package.
- rpm/kernel-source.spec.in: Also use bz compression (boo#1175882).
- rpm/macros.kernel-source: pass -c proerly in kernel module package (bsc#1176698) The '-c' option wasn't passed down to %_kernel_module_package so the ueficert subpackage wasn't generated even if the certificate is specified in the spec file.
- rtc: ds1374: fix possible race condition (git-fixes).
- rtlwifi: rtl8192cu: Prevent leaking urb (git-fixes).
- rxrpc: Fix race between recvmsg and sendmsg on immediate call failure (networking-stable-20_08_08).
- rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA (networking-stable-20_07_29).
- s390/mm: fix huge pte soft dirty copying (git-fixes).
- s390/qeth: do not process empty bridge port events (git-fixes).
- s390/qeth: integrate RX refill worker with NAPI (git-fixes).
- s390/qeth: tolerate pre-filled RX buffer (git-fixes).
- scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() (bsc#1174899).
- scsi: fnic: Do not call 'scsi_done()' for unhandled commands (bsc#1168468, bsc#1171675).
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot (bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of __attribute__() (bsc#1176962 ltc#188304).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
- scsi: libfc: Fix for double free() (bsc#1174899).
- scsi: libfc: free response frame from GPN_ID (bsc#1174899).
- scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases (bsc#1174899).
- scsi: libfc: free skb when receiving invalid flogi resp (bsc#1175528).
- scsi: libfc: Handling of extra kref (bsc#1175528).
- scsi: libfc: If PRLI rejected, move rport to PLOGI state (bsc#1175528).
- scsi: libfc: rport state move to PLOGI if all PRLI retry exhausted (bsc#1175528).
- scsi: libfc: Skip additional kref updating work event (bsc#1175528).
- scsi: lpfc: Add dependency on CPU_FREQ (git-fixes).
- scsi: lpfc: Fix setting IRQ affinity with an empty CPU mask (git-fixes).
- scsi: qla2xxx: Fix regression on sparc64 (git-fixes).
- scsi: qla2xxx: Fix the return value (bsc#1171688).
- scsi: qla2xxx: Fix the size used in a 'dma_free_coherent()' call (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() (bsc#1171688).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1171688).
- scsi: qla2xxx: Log calling function name in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Remove pci-dma-compat wrapper API (bsc#1171688).
- scsi: qla2xxx: Remove redundant variable initialization (bsc#1171688).
- scsi: qla2xxx: Remove superfluous memset() (bsc#1171688).
- scsi: qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Suppress two recently introduced compiler warnings (git-fixes).
- scsi: qla2xxx: Warn if done() or free() are called on an already freed srb (bsc#1171688).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra186 (git-fixes).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra210 (git-fixes).
- serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes).
- serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes).
- serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
- Set CONFIG_HAVE_KVM_VCPU_ASYNC_IOCTL=y (jsc#SLE-4084).
- SMB3: Honor persistent/resilient handle flags for multiuser mounts (bsc#1176546).
- SMB3: Honor 'seal' flag for multiuser mounts (bsc#1176545).
- SMB3: warn on confusing error scenario with sec=krb5 (bsc#1176548).
- stmmac: Do not access tx_q->dirty_tx before netif_tx_lock (git-fixes).
- tcp: apply a floor of 1 for RTT samples from TCP timestamps (networking-stable-20_08_08).
- thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 (git-fixes).
- tools/power/cpupower: Fix initializer override in hsw_ext_cstates (bsc#1112178).
- USB: core: fix slab-out-of-bounds Read in read_descriptors (git-fixes).
- USB: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes).
- USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
- USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes).
- USB: Fix out of sync data toggle if a configured device is reconfigured (git-fixes).
- USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() (git-fixes).
- USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
- USB: gadget: u_f: add overflow checks to VLA macros (git-fixes).
- USB: gadget: u_f: Unbreak offset calculation in VLAs (git-fixes).
- USB: hso: check for return value in hso_serial_common_create() (networking-stable-20_08_08).
- usblp: fix race between disconnect() and read() (git-fixes).
- USB: lvtest: return proper error code in probe (git-fixes).
- usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set (git-fixes).
- USB: qmi_wwan: add D-Link DWM-222 A2 device ID (git-fixes).
- USB: quirks: Add no-lpm quirk for another Raydium touchscreen (git-fixes).
- USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook (git-fixes).
- USB: quirks: Ignore duplicate endpoint on Sound Devices MixPre-D (git-fixes).
- USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter (git-fixes).
- USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules (git-fixes).
- USB: serial: option: support dynamic Quectel USB compositions (git-fixes).
- USB: sisusbvga: Fix a potential UB casued by left shifting a negative value (git-fixes).
- USB: storage: Add unusual_uas entry for Sony PSZ drives (git-fixes).
- USB: typec: ucsi: acpi: Check the _DEP dependencies (git-fixes).
- USB: uas: Add quirk for PNY Pro Elite (git-fixes).
- USB: UAS: fix disconnect by unplugging a hub (git-fixes).
- USB: yurex: Fix bad gfp argument (git-fixes).
- vgacon: remove software scrollback support (bsc#1176278).
- video: fbdev: fix OOB read in vga_8planes_imageblit() (git-fixes).
- virtio-blk: free vblk-vqs in error path of virtblk_probe() (git fixes (block drivers)).
- vrf: prevent adding upper devices (git-fixes).
- vxge: fix return of a free'd memblock on a failed dma mapping (git-fixes).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (bsc#1065600).
- xhci: Do warm-reset when both CAS and XDEV_RESUME are set (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).


-----------------------------------------
Patch: SUSE-2020-2915
Released: Tue Oct 13 17:33:40 2020
Summary: Recommended update for bind
Severity: moderate
References: 1092283,1094236,1127583,1173983,1175443,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
Description:
This update for bind fixes the following issues:

Bind was updated to version 9.11.22

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver 
  forwarder chain, the forwarding DNS servers must support DNSSEC.

This upgrade also fixes the following security issues:

* 5481.   [security]      'update-policy' rules of type 'subdomain' were
                          incorrectly treated as 'zonesub' rules, which allowed
                          keys used in 'subdomain' rules to update names outside
                          of the specified subdomains. The problem was fixed by
                          making sure 'subdomain' rules are again processed as
                          described in the ARM. (CVE-2020-8624 bsc#1175443)
* 5480.   [security]      When BIND 9 was compiled with native PKCS#11 support, it
                          was possible to trigger an assertion failure in code
                          determining the number of bits in the PKCS#11 RSA public
                          key with a specially crafted packet. (CVE-2020-8623 bsc#1175443)
* 5476.   [security]      It was possible to trigger an assertion failure when
                          verifying the response to a TSIG-signed request.
                          (CVE-2020-8622 bsc#1175443)

- Suppress warning message about missing file. (bsc#1092283, bsc#1127583, bsc#1094236, bsc#1173983)
  Added */etc/bind.keys* to *NAMED_CONF_INCLUDE_FILES* in */etc/sysconfig/named*.



-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.50 2020-10-16T07:59:15

-----------------------------------------
Patch: SUSE-2020-2933
Released: Thu Oct 15 13:37:02 2020
Summary: Recommended update for xfsprogs
Severity: moderate
References: 1138237
Description:
This update for xfsprogs fixes the following issues:

- xfs_repair: allow '/' in attribute names (bsc#1138237)


-----------------------------------------
Patch: SUSE-2020-2940
Released: Thu Oct 15 17:52:14 2020
Summary: Recommended update for autoyast2
Severity: moderate
References: 1175624,1175714
Description:
This update for autoyast2 fixes the following issues:

- Enable encryption for RAIDs (bsc#1175624)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.51 2020-10-17T07:59:33

-----------------------------------------
Patch: SUSE-2020-2942
Released: Fri Oct 16 09:47:36 2020
Summary: Security update for blktrace
Severity: low
References: 1091942,CVE-2018-10689
Description:
blktrace was updated to fix a security issue:

- CVE-2018-10689: Prevent buffer overflow in the dev_map_read function because
  the device and devno arrays were too small (bsc#1091942)
  

-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.54 2020-10-21T07:59:21

-----------------------------------------
Patch: SUSE-2020-2955
Released: Tue Oct 20 09:07:18 2020
Summary: Recommended update for crash
Severity: moderate
References: 1174543
Description:

This update of crash fixes the following issue:

- rebuilt with new signing key. (bsc#1174543)
  

-----------------------------------------
Patch: SUSE-2020-2959
Released: Tue Oct 20 12:33:48 2020
Summary: Recommended update for file
Severity: moderate
References: 1176123
Description:
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)


-----------------------------------------
Patch: SUSE-2020-2964
Released: Tue Oct 20 13:26:50 2020
Summary: Recommended update for yast2-network
Severity: moderate
References: 1149234
Description:
This update for yast2-network fixes the following issues:

- Apply udev rule from AY profile according to device's mac
  value when permanent_mac is missing in list of the device's
  options. (bsc#1149234)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.58 2020-10-26T09:41:08

-----------------------------------------
Patch: SUSE-2020-2974
Released: Wed Oct 21 08:14:03 2020
Summary: Recommended update for kexec-tools
Severity: critical
References: 1133877,1141559,1168698,1172688
Description:
This update for kexec-tools fixes the following issues:

- Fixes an issue where XEN fails to start 'kdump' service. (bsc#1133877, bsc#1141559, bsc#1172688)
- Fix for loading kdump kernel with kexec on startup. (bsc#1168698)


-----------------------------------------
Patch: SUSE-2020-2981
Released: Wed Oct 21 13:29:11 2020
Summary: Security update for the Linux Kernel
Severity: critical
References: 1065729,1140683,1152624,1172538,1172757,1174748,1175520,1176381,1176400,1176713,1176946,1177027,1177340,1177359,1177511,1177685,1177687,1177724,1177725,CVE-2020-12351,CVE-2020-12352,CVE-2020-25212,CVE-2020-25645
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' aka 'BadChoice' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).
- CVE-2020-25212: Fixed a TOCTOU mismatch in the NFS client code (bsc#1176381).

The following non-security bugs were fixed:

- btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687).
- btrfs: do not set the full sync flag on the inode during page release (bsc#1177687).
- btrfs: fix incorrect updating of log root tree (bsc#1177687).
- btrfs: fix race between page release and a fast fsync (bsc#1177687).
- btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687).
- btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687).
- btrfs: reduce contention on log trees when logging checksums (bsc#1177687).
- btrfs: release old extent maps during page release (bsc#1177687).
- btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687).
- btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- ext4: fix dir_nlink behaviour (bsc#1177359).
- i2c: meson: fix clock setting overwrite (git-fixes).
- include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- leds: mt6323: move period calculation (git-fixes).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- mfd: sm501: Fix leaks in probe() (git-fixes).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)).
- mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)).
- mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)).
- mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)).
- mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)).
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)).
- mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)).
- mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)).
- mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)).
- mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)).
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)).
- Move the upstreamed bluetooth fix into sorted section
- net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes).
- NFS: On fatal writeback errors, we need to call nfs_inode_remove_request() (bsc#1177340).
- NFS: Revalidate the file mapping on all fatal writeback errors (bsc#1177340).
- NFSv4.1 - backchannel request should hold ref on xprt (bsc#1152624).
- nvme: add a Identify Namespace Identification Descriptor list quirk (bsc#1174748). add two previous futile attempts to fix the bug to blacklist.conf
- nvme: Fix ctrl use-after-free during sysfs deletion (bsc#1174748).
- nvme: fix deadlock caused by ANA update wrong locking (bsc#1174748).
- nvme: fix possible io failures when removing multipathed ns (bsc#1174748).
- nvme: make nvme_identify_ns propagate errors back (bsc#1174748). 
- nvme: make nvme_report_ns_ids propagate error back (bsc#1174748).
- nvme-multipath: do not reset on unknown status (bsc#1174748).
- nvme: Namepace identification descriptor list is optional (bsc#1174748).
- nvme: pass status to nvme_error_status (bsc#1174748).
- nvme-rdma: Avoid double freeing of async event data (bsc#1174748).
- nvme: return error from nvme_alloc_ns() (bsc#1174748).
- platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes).
- scsi: hisi_sas: Add debugfs ITCT file and add file operations (bsc#1140683).
- scsi: hisi_sas: Add manual trigger for debugfs dump (bsc#1140683).
- scsi: hisi_sas: Add missing seq_printf() call in hisi_sas_show_row_32() (bsc#1140683).
- scsi: hisi_sas: Change return variable type in phy_up_v3_hw() (bsc#1140683).
- scsi: hisi_sas: Correct memory allocation size for DQ debugfs (bsc#1140683).
- scsi: hisi_sas: Do some more tidy-up (bsc#1140683).
- scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO (bsc#1140683).
- scsi: hisi_sas: Fix type casting and missing static qualifier in debugfs code (bsc#1140683). Refresh:
- scsi: hisi_sas: No need to check return value of debugfs_create functions (bsc#1140683). Update:
- scsi: hisi_sas: Some misc tidy-up (bsc#1140683).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix memory size truncation (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Performance tweak (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1176946 bsc#1175520 bsc#1172538).
- spi: fsl-espi: Only process interrupts for expected events (git-fixes).
- tty: serial: earlycon dependency (git-fixes).
- x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)).
- x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713).


-----------------------------------------
Patch: SUSE-2020-2987
Released: Wed Oct 21 15:13:28 2020
Summary: Recommended update for sysstat
Severity: moderate
References: 1174227
Description:
This update for sysstat fixes the following issues:

- Fix for an issue when 'iowait' output of 'sar' can also decrement as a result of inaccurate tracking. (bsc#1174227)


-----------------------------------------
Patch: SUSE-2020-2998
Released: Thu Oct 22 10:04:33 2020
Summary: Security update for freetype2
Severity: important
References: 1177914,CVE-2020-15999
Description:
This update for freetype2 fixes the following issues:

- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).


-----------------------------------------
Patch: SUSE-2020-3015
Released: Fri Oct 23 11:11:03 2020
Summary: Recommended update for multipath-tools
Severity: moderate
References: 1139775,1149319,1161923,1165786,1172157,1172429,1173060,1173064,1176644,1176670
Description:
This update for multipath-tools fixes the following issues:

- Fixed an issue where mapping two WWID's to the same multipath led to a data corruption (bsc#1172429)
- Fix handling of hardware properties for maps without paths (bsc#1176644)
- Improved logging of some failure cases (bsc#1173060, bsc#1173064)
- Fixes an issue where the time origin haven't been resetted while waiting for the recovery
  time to expire (bsc#1149319)
- Fixed handling of incompletely initialized udev devices (bsc#1172157) 
- Fixed an issue when handling synthetic uevents (bsc#1161923)
- Fixed an issue where DASD on loop devices was no longer recognized correctly (bsc#1139775)
- Limited the PRIN allocation length to 8192 bytes (bsc#1165786)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.62 2020-10-28T07:57:43

-----------------------------------------
Patch: SUSE-2020-3039
Released: Tue Oct 27 09:08:21 2020
Summary: Security update for libvirt
Severity: important
References: 1174955,1175574,1176430,1177155,1177480,CVE-2020-15708,CVE-2020-25637
Description:
This update for libvirt fixes the following issues:

- CVE-2020-15708: Added a  note to libvirtd.conf about polkit auth in SUSE distros (bsc#1174955).
- CVE-2020-25637: Fixed a double free in qemuAgentGetInterfaces() (bsc#1177155).
- qemu: Adjust max memlock on mdev hotplug (bsc#1177480).
- Xen: Don't add dom0 twice on driver reload (bsc#1176430).	  
- Fixed an issue where building was failing (bsc#1175574).


-----------------------------------------
Patch: SUSE-2020-3050
Released: Tue Oct 27 16:08:42 2020
Summary: Security update for xen
Severity: important
References: 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673
Description:
This update for xen fixes the following issues:

- bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)
- bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)
- bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)
- bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)


-----------------------------------------
Patch: SUSE-2020-3056
Released: Wed Oct 28 06:10:04 2020
Summary: Recommended update for wicked
Severity: moderate
References: 1160939,1168155,1171234,1172082,1174099,959556
Description:
This update for wicked fixes the following issues:

- Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099)
- Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770)
- Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082)
- Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234)
- Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556)
- Implement support for RFC7217. (jsc#SLE-6960)
- Fix for schema to avoid not applying 'rto_min' including new time format. (bsc#1160939)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.63 2020-10-29T07:59:05

-----------------------------------------
Patch: SUSE-2020-3064
Released: Wed Oct 28 09:09:37 2020
Summary: Security update for zeromq
Severity: moderate
References: 1176257,1176258
Description:
This update for zeromq fixes the following issues:

- Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257)
- Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.65 2020-10-30T07:59:43

-----------------------------------------
Patch: SUSE-2020-3082
Released: Thu Oct 29 11:01:07 2020
Summary: Security update for samba
Severity: important
References: 1173902,1173994,1177613,CVE-2020-14318,CVE-2020-14323,CVE-2020-14383
Description:
This update for samba fixes the following issues:

- CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613).
- CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994).
- CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902).


-----------------------------------------
Patch: SUSE-2020-3086
Released: Thu Oct 29 13:29:33 2020
Summary: Security update for pacemaker
Severity: important
References: 1167171,1173668,1175557,1177916,CVE-2020-25654
Description:
This update for pacemaker fixes the following issues:

- attrd: handle shutdown more cleanly (bsc#1173668)
- executor: restrict certain IPC requests to Pacemaker daemons (CVE-2020-25654, bsc#1177916)
- extra: quote shell variables in agent code where appropriate (bsc#1175557)
- fencer: restrict certain IPC requests to privileged users (CVE-2020-25654, bsc#1177916)
- Fixes for %_libexecdir changing to /usr/libexec
- pacemakerd: ignore shutdown requests from unprivileged users (CVE-2020-25654, bsc#1177916)
- resources: use ocf_is_true in SysInfo
- rpm: use the user/group ID 90 for haclient/hacluster to be consistent with cluster-glue (bsc#1167171)


-----------------------------------------
Patch: SUSE-2020-3090
Released: Thu Oct 29 14:16:41 2020
Summary: Security update for graphviz
Severity: low
References: 1093447,CVE-2018-10196
Description:
This update for graphviz fixes the following issues:

- CVE-2018-10196: Fixed a null dereference in rebuild_vlis (bsc#1093447).	  


-----------------------------------------
Patch: SUSE-2020-3100
Released: Thu Oct 29 19:34:18 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.


-----------------------------------------
Patch: SUSE-2020-3105
Released: Thu Oct 29 19:41:09 2020
Summary: Recommended update for sapconf
Severity: moderate
References: 1173347,1176061,1176565
Description:
This update for sapconf fixes the following issues:

- Fix to not blocking the start of sapconf after an unexpected and ungracefull reboot of the system. (bsc#1176565)
- Enable and start sapconf.service during package update, if tuned is running with a sapconf profile. (bsc#1176061)
- Add missing commands 'restart' and 'try-restart' to the usage message. (bsc#1173347)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.66 2020-10-31T08:00:06

-----------------------------------------
Patch: SUSE-2020-3108
Released: Fri Oct 30 12:43:28 2020
Summary: Recommended update for drbd
Severity: moderate
References: 1174783
Description:
This update for drbd fixes the following issues:

- Fixes an issue when I/O to drbd volumes stops 'NFS'/drbd cluster. (bsc@1174783)


-----------------------------------------
Version 1.0.6-SAP-BYOS-Build1.67 2020-11-03T08:00:33

-----------------------------------------
Patch: SUSE-2020-3121
Released: Mon Nov  2 17:08:23 2020
Summary: Security update for python
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python fixes the following issues:

- CVE-2020-26116: Fixed CRLF injection via HTTP request method (bsc#1177211).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.2 2020-11-07T08:00:26

-----------------------------------------
Patch: SUSE-2020-3139
Released: Tue Nov  3 13:18:28 2020
Summary: Recommended update for timezone
Severity: important
References: 1177460,1178346,1178350,1178353
Description:
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.


-----------------------------------------
Patch: SUSE-2020-3146
Released: Wed Nov  4 08:38:54 2020
Summary: Recommended update for openssl-1_0_0
Severity: moderate
References: 1155346,1176029,1177479,1177575,1177673,1177793
Description:
This update for openssl-1_0_0 fixes the following issues:

Various changes required for FIPS 140-2 certification (jsc#SLE-10541)

- FIPS: Use SHA-2 in the RSA pairwise consistency check (bsc#1155346)
- FIPS: Add shared secret KAT to FIPS DH selftest (bsc#1176029)
- FIPS: Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029 bsc#1177479 bsc#1177575 bsc#1177673 bsc#1177793)


-----------------------------------------
Patch: SUSE-2020-3156
Released: Wed Nov  4 15:21:49 2020
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1177864
Description:
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority


-----------------------------------------
Patch: SUSE-2020-3245
Released: Fri Nov  6 16:58:44 2020
Summary: Security update for Salt
Severity: critical
References: 1159670,1175987,1176024,1176294,1176397,1177867,1178319,1178361,1178362,1178485,CVE-2020-16846,CVE-2020-17490,CVE-2020-25592
Description:

This update fixes the following issues:

salt:

- Fix disk.blkid to avoid unexpected keyword argument '__pub_user' (bsc#1177867)
- Ensure virt.update stop_on_reboot is updated with its default value
- Do not break package building for systemd OSes
- Drop wrong mock from chroot unit test
- Support systemd versions with dot (bsc#1176294)
- Fix for grains.test_core unit test
- Fix file/directory user and group ownership containing
  UTF-8 characters (bsc#1176024)
- Several changes to virtualization:
  - Fix virt update when cpu and memory are changed
  - Memory Tuning GSoC
  - Properly fix memory setting regression in virt.update
  - Expose libvirt on_reboot in virt states
- Support transactional systems (MicroOS)
- Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
- Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding
  file or block disk (bsc#1175987)
- Invalidate file list cache when cache file modified time is in the future (bsc#1176397)
- Prevent import errors when running test_btrfs unit tests
- Properly validate eauth credentials and tokens on SSH calls made by Salt API 
  (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)
- Avoid regression on 'salt-master': set passphrase for salt-ssh keys to empty string (bsc#1178485)



-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.4 2020-11-12T08:01:14

-----------------------------------------
Patch: SUSE-2020-3262
Released: Tue Nov 10 09:46:06 2020
Summary: Security update for python3
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python3 fixes the following issues:

- bsc#1177211 (CVE-2020-26116) no longer allowing special characters in the method parameter 
  of HTTPConnection.putrequest in httplib, stopping injection of headers.


-----------------------------------------
Patch: SUSE-2020-3263
Released: Tue Nov 10 09:48:14 2020
Summary: Security update for gcc10
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
Description:
This update for gcc10 fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

        CC=gcc-10
        CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
  

-----------------------------------------
Patch: SUSE-2020-3266
Released: Tue Nov 10 14:54:26 2020
Summary: Recommended update for yast2-mail
Severity: low
References: 1176645
Description:
This update for yast2-mail fixes the following issues:

- Fixes an issue when YaST2 Mail puts excess brackets in postfix configuration file. (bsc#1176645)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.6 2020-11-14T08:01:57

-----------------------------------------
Patch: SUSE-2020-3305
Released: Thu Nov 12 14:16:00 2020
Summary: Recommended update for sysstat
Severity: moderate
References: 1177747
Description:
This update for sysstat fixes the following issues:

- Fix iostat switch '-y' to display the correct results. (bsc#1177747)


-----------------------------------------
Patch: SUSE-2020-3314
Released: Thu Nov 12 16:10:36 2020
Summary: Security update for openldap2
Severity: important
References: 1178387,CVE-2020-25692
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).


-----------------------------------------
Patch: SUSE-2020-3316
Released: Thu Nov 12 17:17:02 2020
Summary: Recommended update for grub2
Severity: moderate
References: 1172952,1176062,1177957,1178278
Description:
This update for grub2 fixes the following issues:

- Fixed an issue, where the https boot was interrupted by an unrecognized network address
  error message (bsc#1172952)
- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)
- Fixed a boot failure issue on blocklist installations (bsc#1178278)


-----------------------------------------
Patch: SUSE-2020-3325
Released: Fri Nov 13 16:53:06 2020
Summary: Recommended update for crmsh
Severity: important
References: 1148874,1163581,1165644,1175708,1177980
Description:
This update for crmsh fixes the following issues:

- Update to version 4.1.0+git.1604285251.0b4387e3:
  * Fix: hb_report: collect corosync.log if it defined in config file (bsc#1148874).

- Update to version 4.1.0+git.1604284147.380c355b:
  * Fix: ui_cluster: check service status while start/stop (bsc#1177980).
  * Fix: bootstrap: Stop hawk service when removing node (bsc#1175708)
  * Fix: bootstrap: remove specific configured address while removing node (bsc#1165644)

- Update to version 4.1.0+git.1602227275.3d680577:
  * Fix: hb_report: Fix sanitize functionality (bsc#1163581)

- Update to version 4.1.0+git.1600931231.b9c8441d:
  * Fix start_delay with start-delay
  * Fix on_fail should be on-fail
  * Low: config: Try to handle configparser.MissingSectionHeaderError while reading config file
  * Medium: ui_configure: Obscure sensitive data by default (bsc#1163581)


-----------------------------------------
Patch: SUSE-2020-3326
Released: Fri Nov 13 17:00:25 2020
Summary: Security update for the Linux Kernel
Severity: moderate
References: 1055014,1058115,1061843,1065600,1065729,1066382,1077428,1112178,1114648,1131277,1134760,1157424,1163592,1167030,1170415,1171558,1172538,1173432,1174748,1175520,1175721,1176354,1176485,1176560,1176723,1176907,1176946,1177086,1177101,1177271,1177281,1177410,1177411,1177470,1177719,1177740,1177749,1177750,1177753,1177754,1177755,1177766,1177855,1177856,1177861,1178003,1178027,1178166,1178185,1178187,1178188,1178202,1178234,1178330,CVE-2020-0430,CVE-2020-14351,CVE-2020-16120,CVE-2020-25285,CVE-2020-25656,CVE-2020-25705,CVE-2020-8694
Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bug fixes.


The following security bugs were fixed:

- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).
- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).
- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).
- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).
- CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470).
- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).
- CVE-2020-25705: A ICMP global rate limiting side-channel was removed which could lead to e.g. the SADDNS attack (bsc#1175721)


The following non-security bugs were fixed:

- ACPI: dock: fix enum-conversion warning (git-fixes).
- ALSA: bebob: potential info leak in hwdep_read() (git-fixes).
- ALSA: compress_offload: remove redundant initialization (git-fixes).
- ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes).
- ALSA: core: pcm: simplify locking for timers (git-fixes).
- ALSA: core: timer: clarify operator precedence (git-fixes).
- ALSA: core: timer: remove redundant assignment (git-fixes).
- ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes).
- ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes).
- ALSA: hda - Do not register a cb func if it is registered already (git-fixes).
- ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes).
- ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes).
- ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes).
- ALSA: hda: use semicolons rather than commas to separate statements (git-fixes).
- ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes).
- ALSA: rawmidi: (cosmetic) align function parameters (git-fixes).
- ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes).
- ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes).
- ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes).
- ALSA: usb-audio: fix spelling mistake 'Frequence' -> 'Frequency' (git-fixes).
- ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes).
- ASoC: qcom: lpass-platform: fix memory leak (git-fixes).
- ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes).
- ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes).
- ath10k: provide survey info as accumulated data (git-fixes).
- ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes).
- ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() (git-fixes).
- ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes).
- ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes).
- blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750).
- block: ensure bdi->io_pages is always initialized (bsc#1177749).
- Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes).
- Bluetooth: Only mark socket zapped after unlocking (git-fixes).
- bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11).
- bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11).
- brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes).
- brcmfmac: check ndev pointer (git-fixes).
- brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes).
- btrfs: do not force read-only after error in drop snapshot (bsc#1176354).
- btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856).
- btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855).
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560).
- btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861).
- can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes).
- can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes).
- can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes).
- ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234).
- ceph: map snapid to anonymous bdev ID (bsc#1178234).
- ceph: promote to unsigned long long before shifting (bsc#1178187).
- clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes).
- clk: at91: remove the checking of parent_name (git-fixes).
- clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes).
- clk: imx8mq: Fix usdhc parents order (git-fixes).
- coredump: fix crash when umh is disabled (bsc#1177753).
- crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes).
- crypto: ccp - fix error handling (git-fixes).
- crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes).
- crypto: omap-sham - fix digcnt register handling with export/import (git-fixes).
- cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes).
- cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes).
- device property: Do not clear secondary pointer for shared primary firmware node (git-fixes).
- device property: Keep secondary firmware node secondary by type (git-fixes).
- Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes
- dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes).
- drm/gma500: fix error check (git-fixes).
- drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes).
- EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178).
- eeprom: at25: set minimum read/write access stride to 1 (git-fixes).
- Fix use after free in get_capset_info callback (git-fixes).
- gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24).
- gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11).
- HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes).
- HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes).
- i2c: imx: Fix external abort on interrupt in exit paths (git-fixes).
- ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897).
- ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes).
- ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes).
- ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes).
- iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes).
- iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes).
- iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes).
- iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes).
- iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes).
- iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes).
- ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes).
- Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes).
- Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes).
- Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes).
- Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes).
- iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754).
- ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24).
- ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes).
- iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes).
- kbuild: enforce -Werror=return-type (bsc#1177281).
- libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188).
- lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes).
- livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.
- mac80211: handle lack of sband->bitrates in rates (git-fixes).
- mailbox: avoid timer start from callback (git-fixes).
- media: ati_remote: sanity check for both endpoints (git-fixes).
- media: bdisp: Fix runtime PM imbalance on error (git-fixes).
- media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes).
- media: exynos4-is: Fix a reference count leak (git-fixes).
- media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes).
- media: firewire: fix memory leak (git-fixes).
- media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes).
- media: media/pci: prevent memory leak in bttv_probe (git-fixes).
- media: omap3isp: Fix memleak in isp_probe (git-fixes).
- media: platform: fcp: Fix a reference count leak (git-fixes).
- media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes).
- media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes).
- media: Revert 'media: exynos4-is: Add missed check for pinctrl_lookup_state()' (git-fixes).
- media: s5p-mfc: Fix a reference count leak (git-fixes).
- media: saa7134: avoid a shift overflow (git-fixes).
- media: st-delta: Fix reference count leak in delta_run_work (git-fixes).
- media: sti: Fix reference count leaks (git-fixes).
- media: tc358743: initialize variable (git-fixes).
- media: ti-vpe: Fix a missing check and reference count leak (git-fixes).
- media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes).
- media: usbtv: Fix refcounting mixup (git-fixes).
- media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes).
- media: vsp1: Fix runtime PM imbalance on error (git-fixes).
- memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes).
- memory: omap-gpmc: Fix a couple off by ones (git-fixes).
- mic: vop: copy data to kernel space then write to io memory (git-fixes).
- misc: mic: scif: Fix error handling path (git-fixes).
- misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes).
- misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes).
- mlx5 PPC ringsize workaround (bsc#1173432).
- mlx5: remove support for ib_get_vector_affinity (bsc#1174748).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes).
- mtd: lpddr: fix excessive stack usage with clang (git-fixes).
- mtd: mtdoops: Do not write panic data twice (git-fixes).
- mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes).
- mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes).
- mwifiex: fix double free (git-fixes).
- mwifiex: remove function pointer check (git-fixes).
- mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes).
- net: disable netpoll on fresh napis (networking-stable-20_09_11).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24).
- net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11).
- net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24).
- netlabel: fix problems with mapping removal (networking-stable-20_09_11).
- net/mlx5e: Take common TIR context settings into a function (bsc#1177740).
- net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740).
- net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24).
- net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24).
- net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11).
- net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11).
- net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes).
- net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes).
- nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes).
- nl80211: fix non-split wiphy information (git-fixes).
- NTB: hw: amd: fix an issue about leak system resources (git-fixes).
- nvme: do not update disk info for multipathed device (bsc#1171558).
- nvme-rdma: fix crash due to incorrect cqe (bsc#1174748).
- nvme-rdma: fix crash when connect rejected (bsc#1174748).
- perf/x86/amd: Fix sampling Large Increment per Cycle events (bsc#1114648).
- perf/x86: Fix n_pair for cancelled txn (bsc#1114648).
- powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729).
- powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729).
- powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729).
- powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729).
- powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729).
- powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729).
- powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729).
- powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes).
- powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729).
- pwm: lpss: Add range limit check for the base_unit register value (git-fixes).
- pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes).
- ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes).
- rtl8xxxu: prevent potential memory leak (git-fixes).
- scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729).
- scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226).
- sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11).
- tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11).
- tipc: fix memory leak caused by tipc_buf_append() (git-fixes).
- tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11).
- tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24).
- tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes).
- tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24).
- tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24).
- tty: ipwireless: fix error handling (git-fixes).
- tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes).
- usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes).
- usb: cdc-acm: handle broken union descriptors (git-fixes).
- usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes).
- usb: core: Solve race condition in anchor cleanup functions (git-fixes).
- usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes).
- usb: dwc2: Fix parameter type in function pointer prototype (git-fixes).
- usb: dwc3: core: add phy cleanup for probe error handling (git-fixes).
- usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes).
- usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes).
- usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes).
- usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes).
- usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes).
- usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes).
- usb: ohci: Default to per-port over-current protection (git-fixes).
- usb: serial: qcserial: fix altsetting probing (git-fixes).
- vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202).
- video: fbdev: sis: fix null ptr dereference (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- VMCI: check return value of get_user_pages_fast() for errors (git-fixes).
- w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes).
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes).
- writeback: Avoid skipping inode writeback (bsc#1177755).
- writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755).
- writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755).
- x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178).
- x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178).
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).
- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).
- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).
- xen/events: block rogue events for some time (XSA-332 bsc#1177411).
- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).
- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).
- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).
- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).
- xen/gntdev.c: Mark pages as dirty (bsc#1065600).
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600).
- xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027).
- xfs: don't update mtime on COW faults (bsc#1167030).
- xfs: limit entries returned when counting fsmap records (git-fixes).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.10 2020-11-18T08:00:50

-----------------------------------------
Patch: SUSE-2020-3339
Released: Mon Nov 16 13:11:53 2020
Summary: Recommended update for SUSEConnect
Severity: moderate
References: 1130864,1155027,1155911,1160007
Description:
This update for SUSEConnect fixes the following issues:

- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)
- Add 'rpmlintrc' to filter false-positive warning about patch not applied
- Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)
- Fix cloud provider detection on AWS large instances. (bsc#1160007)
- Forbid de-registration for on-demand Public Cloud instances. (bsc#1155911)
- Fix the '.spec' file to correctly apply patches up to SLE15SP2. (bsc#1130864)


-----------------------------------------
Patch: SUSE-2020-3346
Released: Mon Nov 16 17:44:39 2020
Summary: Recommended update for zypper
Severity: moderate
References: 1169947,1178038
Description:
This update for zypper fixes the following issues:

- Fixed an issue, where zypper crashed when the system language is set to Spanish and the user
  tried to patch their system with 'zypper patch --category security' (bsc#1178038)
- Fixed a typo in man page (bsc#1169947)


-----------------------------------------
Patch: SUSE-2020-3360
Released: Tue Nov 17 13:40:54 2020
Summary: Security update for tcpdump
Severity: moderate
References: 1153098,1153332,1178466,CVE-2017-16808,CVE-2018-10103,CVE-2018-10105,CVE-2018-14461,CVE-2018-14462,CVE-2018-14463,CVE-2018-14464,CVE-2018-14465,CVE-2018-14466,CVE-2018-14467,CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14879,CVE-2018-14880,CVE-2018-14881,CVE-2018-14882,CVE-2018-16227,CVE-2018-16228,CVE-2018-16229,CVE-2018-16230,CVE-2018-16300,CVE-2018-16301,CVE-2018-16451,CVE-2018-16452,CVE-2019-1010220,CVE-2019-15166,CVE-2019-15167,CVE-2020-8037
Description:
This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

The previous update of tcpdump already fixed variuous Buffer overflow/overread vulnerabilities [bsc#1153098, bsc#1153332]

- CVE-2017-16808 (AoE)
- CVE-2018-14468 (FrameRelay)
- CVE-2018-14469 (IKEv1)
- CVE-2018-14470 (BABEL)
- CVE-2018-14466 (AFS/RX)
- CVE-2018-14461 (LDP)
- CVE-2018-14462 (ICMP)
- CVE-2018-14465 (RSVP)
- CVE-2018-14464 (LMP)
- CVE-2019-15166 (LMP)
- CVE-2018-14880 (OSPF6)
- CVE-2018-14882 (RPL)
- CVE-2018-16227 (802.11)
- CVE-2018-16229 (DCCP)
- CVE-2018-14467 (BGP)
- CVE-2018-14881 (BGP)
- CVE-2018-16230 (BGP)
- CVE-2018-16300 (BGP)
- CVE-2018-14463 (VRRP)
- CVE-2019-15167 (VRRP)
- CVE-2018-14879 (tcpdump -V)
- CVE-2018-16228 (HNCP) is a duplicate of the already fixed CVE-2019-1010220
- CVE-2018-16301 (fixed in libpcap)
- CVE-2018-16451 (SMB)
- CVE-2018-16452 (SMB)
- CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
- CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.10 2020-11-19T08:00:48

-----------------------------------------
Patch: SUSE-2020-3363
Released: Wed Nov 18 08:24:36 2020
Summary: Recommended update for yast2-ruby-bindings
Severity: moderate
References: 1174198
Description:
This update for yast2-ruby-bindings fixes the following issues:

- Fixed an issue that caused yast2 network settings to hang (bsc#1174198)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.11 2020-11-20T08:02:49

-----------------------------------------
Patch: SUSE-2020-3370
Released: Thu Nov 19 09:26:46 2020
Summary: Recommended update for resource-agents
Severity: important
References: 1175435
Description:
This update for resource-agents fixes the following issue:

- Fixed an issue with galera cluster member not being saved into grastate.dat (bsc#1175435).


-----------------------------------------
Patch: SUSE-2020-3379
Released: Thu Nov 19 09:30:16 2020
Summary: Security update for krb5
Severity: moderate
References: 1178512,CVE-2020-28196
Description:
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).


-----------------------------------------
Patch: SUSE-2020-3414
Released: Thu Nov 19 12:45:36 2020
Summary: Security update for xen
Severity: important
References: 1027519,1177950,1178591,CVE-2020-28368
Description:
This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).

Non-security issues fixed:

- Updated to Xen 4.12.4 bug fix release (bsc#1027519).
- Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519).
- Adjusted help for --max_iters, default is 5 (bsc#1177950).
- Improved performance of live migration to get more throughput on 10Gbs+ connections (jsc#SLE-16899).


-----------------------------------------
Patch: SUSE-2020-3421
Released: Thu Nov 19 13:41:08 2020
Summary: Recommended update for multipath-tools
Severity: moderate
References: 1162896,1178354
Description:
This update for multipath-tools fixes the following issues:

- Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896)
- Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354)


-----------------------------------------
Patch: SUSE-2020-3422
Released: Thu Nov 19 16:04:50 2020
Summary: Recommended update for hawk2
Severity: moderate
References: 1163381
Description:
This update for hawk2 fixes the following issues:


- Update hawk2 from version 2.2.0+git.1593796097.86578496 to version 2.2.1+git.1604928548.070a8e0c
  - Update puma to 3.11.4 in gemfile and rails config for disabling TLS 1.0 (jsc#SLE-6965)
  - Allow user to disable TLS 1.1 in puma webserver (jsc#SLE-6965)
  - Fix server error after authentication if a resource has the same name as a node (bsc#1163381)
  - Allow also users in haclient group to view history explorer (jsc#SLE-7358)
  

-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.12 2020-11-21T08:01:55

-----------------------------------------
Patch: SUSE-2020-3467
Released: Fri Nov 20 15:10:16 2020
Summary: Recommended update for ocfs2-tools
Severity: moderate
References: 1178248
Description:
This update for ocfs2-tools fixes the following issues:

- Fix for pointing out the default value of mount options. (bsc#1178248)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.15 2020-11-25T08:01:54

-----------------------------------------
Patch: SUSE-2020-3489
Released: Mon Nov 23 14:07:31 2020
Summary: Recommended update for systemd
Severity: moderate
References: 1083571,1139459,1176513,1176800,1177458,1177510
Description:
This update for systemd fixes the following issues:

- Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
- Fixed a buffer overflow in systemd ask-password (bsc#1177510)
- Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses
  the 'bg' option while the NFS server is not reachable (bsc#1176513)
- Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

Exclusively for SUSE Linux Enterprise 12 SP5:

- cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)


-----------------------------------------
Patch: SUSE-2020-3496
Released: Tue Nov 24 10:13:59 2020
Summary: Recommended update for samba
Severity: moderate
References: 1176640
Description:
This update for samba fixes the following issues:

- Do not hold locking.tdb mutexes while doing filesystem-level operations, base locking on g_lock. (bsc#1176640)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.16 2020-11-26T08:01:34

-----------------------------------------
Patch: SUSE-2020-3526
Released: Wed Nov 25 17:00:54 2020
Summary: Recommended update for openssh
Severity: moderate
References: 1177939
Description:
This update for openssh fixes the following issues:

- Ensure only approved DH parameters are used in FIPS mode. (bsc#1177939).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.17 2020-11-28T07:58:38

-----------------------------------------
Patch: SUSE-2020-3554
Released: Fri Nov 27 21:35:36 2020
Summary: Recommended update for resource-agents
Severity: moderate
References: 1178977
Description:
This update for resource-agents fixes the following issues:

- Fix handling of probe actions (bsc#1178977)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.19 2020-12-02T07:57:54

-----------------------------------------
Patch: SUSE-2020-3558
Released: Mon Nov 30 08:51:37 2020
Summary: Recommended update for openssh
Severity: important
References: 1179242
Description:
This update for openssh fixes the following issues:
     - openssh would hang creating a connection when using specific encryption
       algorithms (bsc#1179242).


-----------------------------------------
Patch: SUSE-2020-3569
Released: Mon Nov 30 17:13:16 2020
Summary: Recommended update for pam
Severity: moderate
References: 1178727
Description:
This update for pam fixes the following issue:

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)


-----------------------------------------
Patch: SUSE-2020-3573
Released: Mon Nov 30 18:13:05 2020
Summary: Recommended update for sg3_utils
Severity: low
References: 1116107
Description:
This update for sg3_utils fixes the following issues:

- Fixed wrong device ID for devices using NAA extended format (bsc#1116107)


-----------------------------------------
Patch: SUSE-2020-3575
Released: Mon Nov 30 18:14:26 2020
Summary: Recommended update for lvm2
Severity: important
References: 1177533
Description:
This update for lvm2 fixes the following issues:

- Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.21 2020-12-03T07:58:55

-----------------------------------------
Patch: SUSE-2020-3594
Released: Wed Dec  2 10:37:03 2020
Summary: Security update for python-setuptools
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python-setuptools fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Patch: SUSE-2020-3596
Released: Wed Dec  2 10:40:50 2020
Summary: Security update for python3
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python3 fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Patch: SUSE-2020-3604
Released: Wed Dec  2 15:57:27 2020
Summary: Recommended update for kdump
Severity: important
References: 1108255,1123940,1170336,1173914,1177196
Description:
This update for kdump fixes the following issues:

- Remove `console=hvc0` from commandline. (bsc#1173914)
- Set serial console from Xen cmdline. (bsc#1173914)
- Remove `noefi` and `acpi_rsdp` for EFI firmware. (bsc#1123940, bsc#1170336)
- Add `skip_balance` option to BTRFS mounts. (bsc#1108255)
- Do not add `rd.neednet=1` to dracut command line. (bsc#1177196)


-----------------------------------------
Patch: SUSE-2020-3607
Released: Wed Dec  2 18:15:38 2020
Summary: Recommended update for cloud-netconfig
Severity: moderate
References: 1159460,1178486
Description:
This update for cloud-netconfig contains the following fix:

- Update to version 1.5:
  + Add support for GCE (bsc#1159460, bsc#1178486)
  + Improve default gateway determination


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.23 2020-12-04T08:50:12

-----------------------------------------
Patch: SUSE-2020-3612
Released: Thu Dec  3 09:34:04 2020
Summary: Security update for xen
Severity: important
References: 1178591,1178963,CVE-2020-28368
Description:
This update for xen fixes the following issues:

- bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355) 


-----------------------------------------
Patch: SUSE-2020-3621
Released: Thu Dec  3 17:05:06 2020
Summary: Recommended update for glib2
Severity: moderate
References: 1178346
Description:
This update for glib2 fixes the following issues:

- Add basic support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.24 2020-12-07T07:46:58

-----------------------------------------
Patch: SUSE-2020-3629
Released: Fri Dec  4 17:03:35 2020
Summary: Security update for python-cryptography
Severity: moderate
References: 1178168,CVE-2020-25659
Description:
This update for python-cryptography fixes the following issues:

- CVE-2020-25659: Attempted to mitigate Bleichenbacher attacks on RSA decryption (bsc#1178168).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.26 2020-12-08T13:36:26

-----------------------------------------
Patch: SUSE-2020-3632
Released: Mon Dec  7 11:50:30 2020
Summary: Security update for mutt
Severity: important
References: 1179035,1179113,1179461,CVE-2020-28896
Description:
This update for mutt fixes the following issues:

- Find and display the content of messages properly. (bsc#1179461)
- CVE-2020-28896: incomplete connection termination could send credentials over unencrypted connections. (bsc#1179035)
- Avoid that message with a million tiny parts can freeze MUA for several minutes. (bsc#1179113)


-----------------------------------------
Patch: SUSE-2020-3636
Released: Mon Dec  7 11:52:55 2020
Summary: Recommended update for fence-agents
Severity: moderate
References: 1178343
Description:
This update for fence-agents fixes the following issues:

Update from version 4.4.0+git.1558595666.5f79f9e9 to version 4.6.0+git.1605185986.7b0f11c1 (bsc#1178343)

- Add `pkg-config` file
- `fence_scsi`: do not write key to device if it's already registered, and open file correctly to avoid 
  using regex against end-of-file
- `fencing`: fix run_command() to allow timeout=0 to mean forever
- `fencing`: fix to make timeout(s)=0 be treated as forever for agents using `pexpect`
- Add a `fence_crosslink` agent
- `fencing`: fix `power-timeout` when using the new `disable-timeout` parameter


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.27 2020-12-09T18:06:15

-----------------------------------------
Patch: SUSE-2020-3717
Released: Wed Dec  9 10:29:31 2020
Summary: Security update for the Linux Kernel
Severity: important
References: 1050549,1067665,1111666,1112178,1158775,1170139,1170630,1172542,1172873,1174726,1175306,1175721,1175916,1176109,1176855,1176983,1177304,1177397,1177703,1177805,1177808,1177809,1177819,1177820,1178123,1178182,1178393,1178589,1178607,1178635,1178669,1178686,1178765,1178782,1178838,1178853,1178854,1178878,1178886,1178897,1178940,1178962,1179107,1179140,1179141,1179211,1179213,1179259,1179424,1179426,1179427,1179429,927455,CVE-2020-15436,CVE-2020-15437,CVE-2020-25668,CVE-2020-25669,CVE-2020-25704,CVE-2020-25705,CVE-2020-27777,CVE-2020-28915,CVE-2020-28974,CVE-2020-29371
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-15436: Fixed a use after free vulnerability in fs/block_dev.c which could have allowed local users to gain privileges or cause a denial of service (bsc#1179141).
- CVE-2020-15437: Fixed a null pointer dereference which could have allowed local users to cause a denial of service(bsc#1179140).
- CVE-2020-25668: Fixed a concurrency use-after-free in con_font_op (bsc#1178123).
- CVE-2020-25669: Fixed a use-after-free read in sunkbd_reinit() (bsc#1178182).
- CVE-2020-25704: Fixed a leak in perf_event_parse_addr_filter() (bsc#1178393).
- CVE-2020-27777: Restrict RTAS requests from userspace  (bsc#1179107)
- CVE-2020-28915: Fixed a buffer over-read in the fbcon code which could have been used by local attackers to read kernel memory (bsc#1178886).
- CVE-2020-28974: Fixed a slab-out-of-bounds read in fbcon which could have been used by local attackers to read privileged information or potentially crash the kernel (bsc#1178589).
- CVE-2020-29371: Fixed uninitialized memory leaks to userspace (bsc#1179429).
- CVE-2020-25705: Fixed an issue which could have allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization (bsc#1175721).

The following non-security bugs were fixed:

- 9P: Cast to loff_t before multiplying (git-fixes).
- ACPI: GED: fix -Wformat (git-fixes).
- ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes).
- ALSA: ctl: fix error path at adding user-defined element set (git-fixes).
- ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() (git-fixes).
- ALSA: hda - Fix the return value if cb func is already registered (git-fixes).
- ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes).
- ALSA: mixart: Fix mutex deadlock (git-fixes).
- arm64: KVM: Fix system register enumeration (bsc#1174726).
- arm/arm64: KVM: Add PSCI version selection API (bsc#1174726).
- ASoC: qcom: lpass-platform: Fix memory leak (git-fixes).
- ath10k: Acquire tx_lock in tx error paths (git-fixes).
- batman-adv: set .owner to THIS_MODULE (git-fixes).
- Bluetooth: btusb: Fix and detect most of the Chinese Bluetooth controllers (git-fixes).
- Bluetooth: hci_bcm: fix freeing not-requested IRQ (git-fixes).
- bpf: Zero-fill re-used per-cpu map element (git-fixes).
- btrfs: account ticket size at add/delete time (bsc#1178897).
- btrfs: add helper to obtain number of devices with ongoing dev-replace (bsc#1178897).
- btrfs: check rw_devices, not num_devices for balance (bsc#1178897).
- btrfs: do not delete mismatched root refs (bsc#1178962).
- btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1178897).
- btrfs: fix force usage in inc_block_group_ro (bsc#1178897).
- btrfs: fix invalid removal of root ref (bsc#1178962).
- btrfs: fix reclaim counter leak of space_info objects (bsc#1178897).
- btrfs: fix reclaim_size counter leak after stealing from global reserve (bsc#1178897).
- btrfs: kill min_allocable_bytes in inc_block_group_ro (bsc#1178897).
- btrfs: rework arguments of btrfs_unlink_subvol (bsc#1178962).
- btrfs: split dev-replace locking helpers for read and write (bsc#1178897). 
- can: af_can: prevent potential access of uninitialized member in canfd_rcv() (git-fixes).
- can: af_can: prevent potential access of uninitialized member in can_rcv() (git-fixes).
- can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes).
- can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes).
- can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes).
- can: dev: can_restart(): post buffer from the right context (git-fixes).
- can: gs_usb: fix endianess problem with candleLight firmware (git-fixes).
- can: m_can: fix nominal bitiming tseg2 min for version >= 3.1 (git-fixes).
- can: m_can: m_can_handle_state_change(): fix state change (git-fixes).
- can: m_can: m_can_stop(): set device to software init mode before closing (git-fixes).
- can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() (git-fixes).
- can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes).
- can: peak_usb: add range checking in decode operations (git-fixes).
- can: peak_usb: fix potential integer overflow on shift of a int (git-fixes).
- can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes).
- can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes).
- ceph: add check_session_state() helper and make it global (bsc#1179259).
- ceph: check session state after bumping session->s_seq (bsc#1179259).
- ceph: fix race in concurrent __ceph_remove_cap invocations (bsc#1178635).
- cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
- cifs: remove bogus debug code (bsc#1179427).
- cifs: Return the error from crypt_message when enc/dec key not found (bsc#1179426).
- Convert trailing spaces and periods in path components (bsc#1179424).
- crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes).
- docs: ABI: stable: remove a duplicated documentation (git-fixes).
- docs: ABI: sysfs-c2port: remove a duplicated entry (git-fixes).
- drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873).
- Drivers: hv: vmbus: Remove the unused 'tsc_page' from struct hv_context (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
- drm/imx: tve remove extraneous type qualifier (git-fixes).
- drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- Drop sysctl files for dropped archs, add ppc64le and arm64 (bsc#1178838).
- efi: cper: Fix possible out-of-bounds access (git-fixes).
- efi/efivars: Add missing kobject_put() in sysfs entry creation error path (git-fixes).
- efi/esrt: Fix reference count leak in esre_create_sysfs_entry (git-fixes).
- efi: provide empty efi_enter_virtual_mode implementation (git-fixes).
- efivarfs: fix memory leak in efivarfs_create() (git-fixes).
- efivarfs: revert 'fix memory leak in efivarfs_create()' (git-fixes).
- efi/x86: Do not panic or BUG() on non-critical error conditions (git-fixes).
- efi/x86: Free efi_pgd with free_pages() (bsc#1112178).
- efi/x86: Ignore the memory attributes table on i386 (git-fixes).
- efi/x86: Map the entire EFI vendor string before copying it (git-fixes).
- fs/proc/array.c: allow reporting eip/esp for all coredumping threads (bsc#1050549).
- ftrace: Fix recursion check for NMI test (git-fixes).
- ftrace: Handle tracing when switching between context (git-fixes).
- fuse: fix page dereference after free (bsc#1179213).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1067665).
- futex: Handle transient 'ownerless' rtmutex state correctly (bsc#1067665).
- hv_balloon: disable warning when floor reached (git-fixes).
- hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820).
- hv_netvsc: deal with bpf API differences in 4.12 (bsc#1177819, bsc#1177820).
- hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820).
- hv_netvsc: make recording RSS hash depend on feature flag (bsc#1178853, bsc#1178854).
- hv_netvsc: record hardware hash in skb (bsc#1178853, bsc#1178854).
- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).
- i40iw: Fix error handling in i40iw_manage_arp_cache() (bsc#1111666)
- i40iw: fix null pointer dereference on a null wqe pointer (bsc#1111666)
- i40iw: Report correct firmware version (bsc#1111666)
- IB/cma: Fix ports memory leak in cma_configfs (bsc#1111666)
- IB/core: Set qp->real_qp before it may be accessed (bsc#1111666)
- IB/hfi1: Add missing INVALIDATE opcodes for trace (bsc#1111666)
- IB/hfi1: Add RcvShortLengthErrCnt to hfi1stats (bsc#1111666)
- IB/hfi1: Add software counter for ctxt0 seq drop (bsc#1111666)
- IB/hfi1: Avoid hardlockup with flushlist_lock (bsc#1111666)
- IB/hfi1: Call kobject_put() when kobject_init_and_add() fails (bsc#1111666)
- IB/hfi1: Check for error on call to alloc_rsm_map_table (bsc#1111666)
- IB/hfi1: Close PSM sdma_progress sleep window (bsc#1111666)
- IB/hfi1: Define variables as unsigned long to fix KASAN warning (bsc#1111666)
- IB/hfi1: Ensure full Gen3 speed in a Gen4 system (bsc#1111666)
- IB/hfi1: Fix memory leaks in sysfs registration and unregistration (bsc#1111666)
- IB/hfi1: Fix Spectre v1 vulnerability (bsc#1111666)
- IB/hfi1: Handle port down properly in pio (bsc#1111666)
- IB/hfi1: Handle wakeup of orphaned QPs for pio (bsc#1111666)
- IB/hfi1: Insure freeze_work work_struct is canceled on shutdown (bsc#1111666)
- IB/hfi1, qib: Ensure RCU is locked when accessing list (bsc#1111666)
- IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM (bsc#1111666)
- IB/hfi1: Remove unused define (bsc#1111666)
- IB/hfi1: Silence txreq allocation warnings (bsc#1111666)
- IB/hfi1: Validate page aligned for a given virtual address (bsc#1111666)
- IB/hfi1: Wakeup QPs orphaned on wait list after flush (bsc#1111666)
- IB/ipoib: drop useless LIST_HEAD (bsc#1111666)
- IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode (bsc#1111666)
- IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start (bsc#1111666)
- IB/iser: Fix dma_nents type definition (bsc#1111666)
- IB/iser: Pass the correct number of entries for dma mapped SGL (bsc#1111666)
- IB/mad: Fix use-after-free in ib mad completion handling (bsc#1111666)
- IB/mlx4: Add and improve logging (bsc#1111666)
- IB/mlx4: Add support for MRA (bsc#1111666)
- IB/mlx4: Adjust delayed work when a dup is observed (bsc#1111666)
- IB/mlx4: Fix leak in id_map_find_del (bsc#1111666)
- IB/mlx4: Fix memory leak in add_gid error flow (bsc#1111666)
- IB/mlx4: Fix race condition between catas error reset and aliasguid flows (bsc#1111666)
- IB/mlx4: Fix starvation in paravirt mux/demux (bsc#1111666)
- IB/mlx4: Follow mirror sequence of device add during device removal (bsc#1111666)
- IB/mlx4: Remove unneeded NULL check (bsc#1111666)
- IB/mlx4: Test return value of calls to ib_get_cached_pkey (bsc#1111666)
- IB/mlx5: Add missing XRC options to QP optional params mask (bsc#1111666)
- IB/mlx5: Compare only index part of a memory window rkey (bsc#1111666)
- IB/mlx5: Do not override existing ip_protocol (bsc#1111666)
- IB/mlx5: Fix clean_mr() to work in the expected order (bsc#1111666)
- IB/mlx5: Fix implicit MR release flow (bsc#1111666)
- IB/mlx5: Fix outstanding_pi index for GSI qps (bsc#1111666)
- IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification (bsc#1111666)
- IB/mlx5: Fix unreg_umr to ignore the mkey state (bsc#1111666)
- IB/mlx5: Improve ODP debugging messages (bsc#1111666)
- IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache (bsc#1111666)
- IB/mlx5: Prevent concurrent MR updates during invalidation (bsc#1111666)
- IB/mlx5: Reset access mask when looping inside page fault handler (bsc#1111666)
- IB/mlx5: Set correct write permissions for implicit ODP MR (bsc#1111666)
- IB/mlx5: Use direct mkey destroy command upon UMR unreg failure (bsc#1111666)
- IB/mlx5: Use fragmented QP's buffer for in-kernel users (bsc#1111666)
- IB/mlx5: WQE dump jumps over first 16 bytes (bsc#1111666)
- IB/mthca: fix return value of error branch in mthca_init_cq() (bsc#1111666)
- IB/qib: Call kobject_put() when kobject_init_and_add() fails (bsc#1111666)
- IB/qib: Fix an error code in qib_sdma_verbs_send() (bsc#1111666)
- IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value (bsc#1111666)
- IB/qib: Remove a set-but-not-used variable (bsc#1111666)
- IB/rdmavt: Convert timers to use timer_setup() (bsc#1111666)
- IB/rdmavt: Fix alloc_qpn() WARN_ON() (bsc#1111666)
- IB/rdmavt: Fix sizeof mismatch (bsc#1111666)
- IB/rdmavt: Reset all QPs when the device is shut down (bsc#1111666)
- IB/rxe: Fix incorrect cache cleanup in error flow (bsc#1111666)
- IB/rxe: Make counters thread safe (bsc#1111666)
- IB/srpt: Fix memory leak in srpt_add_one (bsc#1111666)
- IB/umad: Avoid additional device reference during open()/close() (bsc#1111666)
- IB/umad: Avoid destroying device while it is accessed (bsc#1111666)
- IB/umad: Do not check status of nonseekable_open() (bsc#1111666)
- IB/umad: Fix kernel crash while unloading ib_umad (bsc#1111666)
- IB/umad: Refactor code to use cdev_device_add() (bsc#1111666)
- IB/umad: Simplify and avoid dynamic allocation of class (bsc#1111666)
- IB/usnic: Fix out of bounds index check in query pkey (bsc#1111666)
- IB/uverbs: Fix OOPs upon device disassociation (bsc#1111666)
- iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode (git-fixes).
- iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum (git-fixes).
- inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() (git-fixes).
- Input: adxl34x - clean up a data type in adxl34x_probe() (git-fixes).
- ipmi: use vzalloc instead of kmalloc for user creation (bsc#1178607).
- iw_cxgb4: fix ECN check on the passive accept (bsc#1111666)
- iw_cxgb4: only reconnect with MPAv1 if the peer aborts (bsc#1111666)
- kABI: add back flush_dcache_range (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes).
- KVM: arm64: Add missing #include of -<linux/string.h> in guest.c (bsc#1174726).
- KVM: arm64: Factor out core register ID enumeration (bsc#1174726).
- KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST (bsc#1174726).
- KVM: arm64: Refactor kvm_arm_num_regs() for easier maintenance (bsc#1174726).
- KVM: arm64: Reject ioctl access to FPSIMD V-regs on SVE vcpus (bsc#1174726).
- KVM host: kabi fixes for psci_version (bsc#1174726).
- libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873).
- libnvdimm/nvdimm/flush: Allow architecture to override the flush barrier (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- locking/lockdep: Add debug_locks check in __lock_downgrade() (bsc#1050549).
- locking/percpu-rwsem: Use this_cpu_{inc,dec}() for read_count (bsc#1050549).
- locktorture: Print ratio of acquisitions, not failures (bsc#1050549).
- mac80211: always wind down STA state (git-fixes).
- mac80211: free sta in sta_info_insert_finish() on errors (git-fixes).
- mac80211: minstrel: fix tx status processing corner case (git-fixes).
- mac80211: minstrel: remove deferred sampling code (git-fixes).
- memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (bsc#1112178).
- mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes).
- mm/memcg: fix refcount error while moving and swapping (bsc#1178686).
- net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873).
- net: ena: Capitalize all log strings and improve code readability (bsc#1177397).
- net: ena: Change license into format to SPDX in all files (bsc#1177397).
- net: ena: Change log message to netif/dev function (bsc#1177397).
- net: ena: Change RSS related macros and variables names (bsc#1177397).
- net: ena: ethtool: Add new device statistics (bsc#1177397).
- net: ena: ethtool: add stats printing to XDP queues (bsc#1177397).
- net: ena: ethtool: convert stat_offset to 64 bit resolution (bsc#1177397).
- net: ena: Fix all static chekers' warnings (bsc#1177397).
- net: ena: Remove redundant print of placement policy (bsc#1177397).
- net: ena: xdp: add queue counters for xdp actions (bsc#1177397).
- netfilter: nat: can't use dst_hold on noref dst (bsc#1178878).
- net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873). kABI workaround for including mm.h in include/linux/net.h (bsc#1172873).
- net/mlx4_core: Fix init_hca fields offset (git-fixes).
- net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes).
- nfc: s3fwrn5: use signed integer for parsing GPIO numbers (git-fixes).
- NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
- NFS: only invalidate dentrys that are clearly invalid (bsc#1178669 bsc#1170139).
- NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION (bsc#1170630).
- nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873).
- PCI: pci-hyperv: Fix build errors on non-SYSFS config (git-fixes).
- pinctrl: amd: fix incorrect way to disable debounce filter (git-fixes).
- pinctrl: amd: use higher precision for 512 RtcClk (git-fixes).
- pinctrl: aspeed: Fix GPI only function problem (git-fixes).
- pinctrl: intel: Set default bias in case no particular value given (git-fixes).
- platform/x86: toshiba_acpi: Fix the wrong variable assignment (git-fixes).
- powerpc/32: define helpers to get L1 cache sizes (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/64: flush_inval_dcache_range() becomes flush_dcache_range() (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/64: reuse PPC32 static inline flush_dcache_range() (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc: Chunk calls to flush_dcache_range in arch_*_memory (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964 git-fixes).
- powerpc: define helpers to get L1 icache sizes (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/mm: Flush cache on memory hot(un)plug (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Add flush routines using new pmem store and sync instruction (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Add new instructions for persistent storage and sync (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Avoid the barrier in flush routines (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Fix kernel crash due to wrong range value usage in flush_dcache_range (jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Initialize pmem device on newer hardware (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Restrict papr_scm to P8 and above (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pmem: Update ppc64 to use the new barrier instruction (jsc#SLE-16402 jsc#SLE-16497 bsc#1176109 ltc#187964).
- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).
- powerpc/vnic: Extend 'failover pending' window (bsc#1176855 ltc#187293).
- powerpc/vnic: Extend 'failover pending' window (bsc#1176855 ltc#187293).
- RDMA/bnxt_re: Fix lifetimes in bnxt_re_task (bsc#1111666)
- RDMA/bnxt_re: Fix Send Work Entry state check while polling completions (bsc#1111666)
- RDMA/bnxt_re: Fix sizeof mismatch for allocation of pbl_tbl. (bsc#1111666)
- RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message (bsc#1111666)
- RDMA/cma: add missed unregister_pernet_subsys in init failure (bsc#1111666)
- RDMA/cm: Add missing locking around id.state in cm_dup_req_handler (bsc#1111666)
- RDMA/cma: Fix false error message (bsc#1111666)
- RDMA/cma: fix null-ptr-deref Read in cma_cleanup (bsc#1111666)
- RDMA/cma: Protect bind_list and listen_list while finding matching cm id (bsc#1111666)
- RDMA/cm: Fix checking for allowed duplicate listens (bsc#1111666)
- RDMA/cm: Remove a race freeing timewait_info (bsc#1111666)
- RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow (bsc#1111666)
- RDMA/core: Do not depend device ODP capabilities on kconfig option (bsc#1111666)
- RDMA/core: Fix invalid memory access in spec_filter_size (bsc#1111666)
- RDMA/core: Fix locking in ib_uverbs_event_read (bsc#1111666)
- RDMA/core: Fix protection fault in ib_mr_pool_destroy (bsc#1111666)
- RDMA/core: Fix race between destroy and release FD object (bsc#1111666)
- RDMA/core: Fix race when resolving IP address (bsc#1111666)
- RDMA/core: Prevent mixed use of FDs between shared ufiles (bsc#1111666)
- RDMA/cxgb3: Delete and properly mark unimplemented resize CQ function (bsc#1111666)
- RDMA: Directly cast the sockaddr union to sockaddr (bsc#1111666)
- RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN (bsc#1111666)
- RDMA/hns: Correct typo of hns_roce_create_cq() (bsc#1111666)
- RDMA/hns: Remove unsupported modify_port callback (bsc#1111666)
- RDMA/hns: Set the unsupported wr opcode (bsc#1111666)
- RDMA/i40iw: fix a potential NULL pointer dereference (bsc#1111666)
- RDMA/i40iw: Set queue pair state when being queried (bsc#1111666)
- RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() (bsc#1111666)
- RDMA/ipoib: Remove check for ETH_SS_TEST (bsc#1111666)
- RDMA/ipoib: Return void from ipoib_ib_dev_stop() (bsc#1111666)
- RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces (bsc#1111666)
- RDMA/iwcm: Fix a lock inversion issue (bsc#1111666)
- RDMA/iwcm: Fix iwcm work deallocation (bsc#1111666)
- RDMA/iwcm: move iw_rem_ref() calls out of spinlock (bsc#1111666)
- RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case (bsc#1111666)
- RDMA/iw_cxgb4: Fix the unchecked ep dereference (bsc#1111666)
- RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() (bsc#1111666)
- RDMA/mlx4: Initialize ib_spec on the stack (bsc#1111666)
- RDMA/mlx4: Read pkey table length instead of hardcoded value (bsc#1111666)
- RDMA/mlx5: Clear old rate limit when closing QP (bsc#1111666)
- RDMA/mlx5: Delete unreachable handle_atomic code by simplifying SW completion (bsc#1111666)
- RDMA/mlx5: Fix access to wrong pointer while performing flush due to error (bsc#1111666)
- RDMA/mlx5: Fix a race with mlx5_ib_update_xlt on an implicit MR (bsc#1111666)
- RDMA/mlx5: Fix function name typo 'fileds' -> 'fields' (bsc#1111666)
- RDMA/mlx5: Return proper error value (bsc#1111666)
- RDMA/mlx5: Set GRH fields in query QP on RoCE (bsc#1111666)
- RDMA/mlx5: Verify that QP is created with RQ or SQ (bsc#1111666)
- RDMA/nes: Remove second wait queue initialization call (bsc#1111666)
- RDMA/netlink: Do not always generate an ACK for some netlink operations (bsc#1111666)
- RDMA/ocrdma: Fix out of bounds index check in query pkey (bsc#1111666)
- RDMA/ocrdma: Remove unsupported modify_port callback (bsc#1111666)
- RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() (bsc#1111666)
- RDMA/qedr: Endianness warnings cleanup (bsc#1111666)
- RDMA/qedr: Fix doorbell setting (bsc#1111666)
- RDMA/qedr: Fix memory leak in user qp and mr (bsc#1111666)
- RDMA/qedr: Fix reported firmware version (bsc#1111666)
- RDMA/qedr: Fix use of uninitialized field (bsc#1111666)
- RDMA/qedr: Remove unsupported modify_port callback (bsc#1111666)
- RDMA/qedr: SRQ's bug fixes (bsc#1111666)
- RDMA/qib: Delete extra line (bsc#1111666)
- RDMA/qib: Remove all occurrences of BUG_ON() (bsc#1111666)
- RDMA/qib: Validate ->show()/store() callbacks before calling them (bsc#1111666)
- RDMA/rxe: Drop pointless checks in rxe_init_ports (bsc#1111666)
- RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM (bsc#1111666)
- RDMA/rxe: Fix configuration of atomic queue pair attributes (bsc#1111666)
- RDMA/rxe: Fix memleak in rxe_mem_init_user (bsc#1111666)
- RDMA/rxe: Fix slab-out-bounds access which lead to kernel crash later (bsc#1111666)
- RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq (bsc#1111666)
- RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars (bsc#1111666)
- RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue (bsc#1111666)
- RDMA/rxe: Remove unused rxe_mem_map_pages (bsc#1111666)
- RDMA/rxe: Remove useless rxe_init_device_param assignments (bsc#1111666)
- RDMA/rxe: Return void from rxe_init_port_param() (bsc#1111666)
- RDMA/rxe: Return void from rxe_mem_init_dma() (bsc#1111666)
- RDMA/rxe: Set default vendor ID (bsc#1111666)
- RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices (bsc#1111666)
- RDMA/rxe: Skip dgid check in loopback mode (bsc#1111666)
- RDMA/rxe: Use for_each_sg_page iterator on umem SGL (bsc#1111666)
- RDMA/srp: Rework SCSI device reset handling (bsc#1111666)
- RDMA/srpt: Fix typo in srpt_unregister_mad_agent docstring (bsc#1111666)
- RDMA/srpt: Report the SCSI residual to the initiator (bsc#1111666)
- RDMA/ucma: Add missing locking around rdma_leave_multicast() (bsc#1111666)
- RDMA/ucma: Put a lock around every call to the rdma_cm layer (bsc#1111666)
- RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated (bsc#1111666)
- RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove (bsc#1111666)
- RDMA/vmw_pvrdma: Use atomic memory allocation in create AH (bsc#1111666)
- regulator: avoid resolve_supply() infinite recursion (git-fixes).
- regulator: defer probe when trying to get voltage from unresolved supply (git-fixes).
- regulator: fix memory leak with repeated set_machine_constraints() (git-fixes).
- regulator: resolve supply after creating regulator (git-fixes).
- regulator: ti-abb: Fix array out of bound read access on the first transition (git-fixes).
- regulator: workaround self-referent regulators (git-fixes).
- Revert 'cdc-acm: hardening against malicious devices' (git-fixes).
- ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes).
- RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() (bsc#1111666)
- rxe: correctly calculate iCRC for unaligned payloads (bsc#1111666)
- rxe: fix error completion wr_id and qp_num (bsc#1111666)
- s390/cio: add cond_resched() in the slow_eval_known_fn() loop (bsc#1177805 LTC#188737).
- s390/cpum_cf,perf: change DFLT_CCERROR counter name (bsc#1175916 LTC#187937).
- s390/dasd: fix inability to use DASD with DIAG driver (bsc#1177809 LTC#188738).
- s390/dasd: Fix zero write for FBA devices (bsc#1177808 LTC#188739).
- s390: kernel/uv: handle length extension properly (bsc#1178940 LTC#189323).
- sched/core: Fix PI boosting between RT and DEADLINE tasks (bsc#1112178).
- sched/x86: SaveFLAGS on context switch (bsc#1112178).
- scripts/git_sort/git_sort.py: add ceph maintainers git tree
- scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873).
- scsi: lpfc: Fix initial FLOGI failure due to BBSCN not supported (git-fixes).
- scsi: RDMA/srpt: Fix a credit leak for aborted commands (bsc#1111666)
- Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode (git-fixes).
- staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids (git-fixes).
- thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes).
- time: Prevent undefined behaviour in timespec64_to_ns() (git-fixes).
- tty: serial: imx: keep console clocks always on (git-fixes).
- Update patches.suse/vfs-add-super_operations-get_inode_dev (bsc#927455 bsc#1176983). 
- Update references in patches.suse/net-smc-tolerate-future-smcd-versions (bsc#1172542 LTC#186070 git-fixes).
- USB: Add NO_LPM quirk for Kingston flash drive (git-fixes).
- USB: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode (git-fixes).
- USB: cdc-acm: fix cooldown mechanism (git-fixes).
- USB: core: driver: fix stray tabs in error messages (git-fixes).
- USB: core: Fix regression in Hercules audio card (git-fixes).
- USB: gadget: Fix memleak in gadgetfs_fill_super (git-fixes).
- USB: gadget: f_midi: Fix memleak in f_midi_alloc (git-fixes).
- USB: host: ehci-tegra: Fix error handling in tegra_ehci_probe() (git-fixes).
- USB: host: xhci: fix ep context print mismatch in debugfs (git-fixes).
- USB: host: xhci-mtk: avoid runtime suspend when removing hcd (git-fixes).
- USB: mtu3: fix panic in mtu3_gadget_stop() (git-fixes).
- USB: serial: cyberjack: fix write-URB completion race (git-fixes).
- USB: serial: ftdi_sio: add support for FreeCalypso JTAG+UART adapters (git-fixes).
- USB: serial: option: add Cellient MPL200 card (git-fixes).
- USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes).
- USB: serial: option: add Quectel EC200T module support (git-fixes).
- USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes).
- USB: serial: option: Add Telit FT980-KS composition (git-fixes).
- USB: serial: pl2303: add device-id for HP GC device (git-fixes).
- USB: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes).
- USB: xhci: force all memory allocations to node (git-fixes).
- video: hyperv_fb: Fix the cache type when mapping the VRAM (git-fixes).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).
- vt: Disable KD_FONT_OP_COPY (bsc#1178589).
- x86/hyperv: Clarify comment on x2apic mode (git-fixes).
- x86/hyperv: Make vapic support x2apic mode (git-fixes).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).
- x86/microcode/intel: Check patch signature before saving microcode for early loading (bsc#1112178).
- x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect (git-fixes).
- x86/PCI: Fix intel_mid_pci.c build error when ACPI is not enabled (git-fixes).
- x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs (git-fixes).
- x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP (bsc#1112178).
- x86/sysfb_efi: Add quirks for some devices with swapped width and height (git-fixes).
- xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
- xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes).
- xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes).
- xfs: fix rmap key and record comparison functions (git-fixes).
- xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes).
- xfs: revert 'xfs: fix rmap key and record comparison functions' (git-fixes).
- xhci: do not create endpoint debugfs entry before ring buffer is set (git-fixes).
- xhci: Fix sizeof() mismatch (git-fixes).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.28 2020-12-10T07:41:00

-----------------------------------------
Patch: SUSE-2020-3732
Released: Wed Dec  9 18:18:03 2020
Summary: Security update for openssl-1_0_0
Severity: important
References: 1179491,CVE-2020-1971
Description:
This update for openssl-1_0_0 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.30 2020-12-11T12:33:20

-----------------------------------------
Patch: SUSE-2020-3739
Released: Thu Dec 10 09:17:34 2020
Summary: Security update for curl
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
Description:
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).


-----------------------------------------
Patch: SUSE-2020-3746
Released: Thu Dec 10 12:39:59 2020
Summary: Recommended update for dracut
Severity: moderate
References: 1169997,996146
Description:
This update for dracut fixes the following issues:

- Fix for error handling and downgrade module load failure to a warning as it is not fatal at all. (bsc#1169997)
- Implement network setup on 'infiniband' devices. (bsc#996146)


-----------------------------------------
Patch: SUSE-2020-3754
Released: Fri Dec 11 08:54:50 2020
Summary: Recommended update for yast2-tune
Severity: moderate
References: 1052770,1177035
Description:
This update for yast2-tune fixes the following issue:

- Fixed scheduler activation. (bsc#1052770, bsc#1177035)
  
  Do not activate the new scheduler for devices which do not support it.


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.31 2020-12-12T13:02:24

-----------------------------------------
Patch: SUSE-2020-3765
Released: Fri Dec 11 14:27:27 2020
Summary: Security update for python
Severity: important
References: 1176262,CVE-2019-20916
Description:
This update for python fixes the following issues:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.34 2020-12-15T07:41:19

-----------------------------------------
Patch: SUSE-2020-3771
Released: Mon Dec 14 10:51:56 2020
Summary: Recommended update for hawk2
Severity: critical
References: 1179651,1179841
Description:
This update for hawk2 fixes the following issues:
	
- Reduce CPU usage to avoid resource consumption of hawk. (bsc#1179651)
- Improve the way we disable TLS and use sysconfig vars. (bsc#1179841)
- Simplify puma config file.


-----------------------------------------
Patch: SUSE-2020-3786
Released: Mon Dec 14 12:04:07 2020
Summary: Recommended update for Salt
Severity: moderate
References: 1102248
Description:
This update fixes the following issues:

salt:

- Fix syntax error on `pkgrepo` state with Python 2.7
- Transactional_update: unify with `chroot.call`
- Add `migrated` state and GPG key management functions
- Master can read grains
- Fix for broken psutil (bsc#1102248)
- Fix `novendorchange` handling in `zypperpkg` module



-----------------------------------------
Patch: SUSE-2020-3794
Released: Mon Dec 14 17:40:20 2020
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1174215,1178925,1178966
Description:
This update for libzypp, zypper fixes the following issues:

Changes in zypper:

- Fix typo in `list-patches` help. (bsc#1178925)

  The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`.

Changes in libzypp:

- Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
- Remove from the logs the credentials available from the authorization header. (bsc#1174215)
  
  The authorization header may include base64 encoded credentials which could be restored from the log file. 
  The credentials are now stripped from the log.


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.35 2020-12-17T07:41:10

-----------------------------------------
Patch: SUSE-2020-3836
Released: Wed Dec 16 10:31:24 2020
Summary: Recommended update for mdadm
Severity: moderate
References: 1163727
Description:
This update for mdadm fixes the following issues:

- Introduce new array state 'broken' for raid0/linear. (bsc#1163727)
- Show correct state for clustered array. (bsc#1163727)
- Show correct bitmap info for cluster raid device.
- Adding sync status for cluster device. (bsc#1163727)


-----------------------------------------
Patch: SUSE-2020-3844
Released: Wed Dec 16 10:42:11 2020
Summary: Security update for openssh
Severity: moderate
References: 1148566,1161684,1173513,CVE-2020-14145
Description:
This update for openssh fixes the following issues:

- CVE-2020-14145: Fixed an observable discrepancy leading to an information leak in the algorithm negotiation (bsc#1173513).
- Fixed an issue where AuthorizedKeysCommand produced a lot of output (bsc#1161684).
- Fixed an issue where oracle cluster with  cluvfy using 'scp' failing/missinterpreted (bsc#1148566).


-----------------------------------------
Patch: SUSE-2020-3852
Released: Wed Dec 16 12:27:02 2020
Summary: Recommended update for util-linux
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825
Description:
This update for util-linux fixes the following issues:

- Do not trigger CDROM autoclose. (bsc#1084671)
- Try to autoconfigure broken serial lines.
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- Aavoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to CIFS with mount –a. (SG#57988, bsc#1174942)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.37 2020-12-18T15:45:39

-----------------------------------------
Patch: SUSE-2020-3874
Released: Fri Dec 18 14:19:41 2020
Summary: Recommended update for parted
Severity: moderate
References: 1137259
Description:
This update for parted fixes the following issue:

- Do not probe the partitions ending with `_part`. (bsc#1137259)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.38 2020-12-19T07:40:12

-----------------------------------------
Patch: SUSE-2020-3880
Released: Fri Dec 18 16:46:58 2020
Summary: Security update for xen
Severity: moderate
References: 1027519,1163019,1176782,1179477,1179496,1179498,1179501,1179502,1179506,1179514,1179516,CVE-2020-29130,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571,CVE-2020-8608
Description:
This update for xen fixes the following issues:

- CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115).
- CVE-2020-29481: Fixed an issue which could have allowd to new domains to inherit existing node permissions (bsc#1179498 XSA-322). 
- CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325).
- CVE-2020-29484: Fixed an issue where guests could crash xenstored via watchs (bsc#1179501 XSA-324). 
- CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348).
- CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358).
- CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359).
- CVE-2020-29130: Fixed an out-of-bounds access while processing ARP packets (bsc#1179477). 
- Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782).
- Multiple other bugs (bsc#1027519)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.40 2020-12-22T07:41:40

-----------------------------------------
Patch: SUSE-2020-3889
Released: Mon Dec 21 10:02:39 2020
Summary: Recommended update for crmsh
Severity: moderate
References: 1175976,1176569,1178333
Description:
This update for crmsh fixes the following issues:

- Fix for bootstrap using class JoinLock to manage lock in parallel join. (bsc#1175976) 
- Fix for bootstrap changing for '_get_sbd_device_interactive' function to avoid possible crash when configure sbd. (bsc#1178333)
- Fixes an issue when HAWK wizard interval parsing wrong in SAP ASCS instance. (bsc#1176569)


-----------------------------------------
Patch: SUSE-2020-3890
Released: Mon Dec 21 10:09:28 2020
Summary: Recommended update for mutt
Severity: moderate
References: 1179461
Description:
This update for mutt fixes the following issues:

- Add a further correction in for external bodies as well. (bsc#1179461)


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.42 2020-12-29T07:40:13

-----------------------------------------
Patch: SUSE-2020-3939
Released: Mon Dec 28 14:29:41 2020
Summary: Security update for cyrus-sasl
Severity: important
References: 1159635,CVE-2019-19906
Description:
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).	  


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.43 2021-01-05T07:40:55

-----------------------------------------
Patch: SUSE-2021-12
Released: Mon Jan  4 10:36:57 2021
Summary: Recommended update for pacemaker
Severity: moderate
References: 1174696,1178865
Description:
This update for pacemaker fixes the following issues:

Update to version 1.1.24+20201209.8f22be2ae

- Improve the documentation of `stonith-watchdog-timeout` and `have-watchdog` cluster options (bsc#1174696)
- Downgrade the message about the meaning of `have-watchdog=true` to info (bsc#1174696)
- crmadmin: printing DC quietly if needed (bsc#1178865)


-----------------------------------------
Patch: SUSE-2021-19
Released: Mon Jan  4 16:14:11 2021
Summary: Security update for java-1_7_1-ibm
Severity: moderate
References: 1177943,1180063,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803
Description:
This update for java-1_7_1-ibm fixes the following issues:

- Update to Java 7.1 Service Refresh 4 Fix Pack 75 [bsc#1180063, bsc#1177943]
  CVE-2020-14792 CVE-2020-14797 CVE-2020-14782 CVE-2020-14781
  CVE-2020-14779 CVE-2020-14798 CVE-2020-14796 CVE-2020-14803
  * Class Libraries:
    - Z/OS specific C function send_file is changing the file pointer position
  * Security:
    - Add the new oracle signer certificate
    - Certificate parsing error
    - JVM memory growth can be caused by the IBMPKCS11IMPL crypto provider
    - Remove check for websphere signed jars
    - sessionid.hashcode generates too many collisions
    - The Java 8 IBM certpath provider does not honor the user
      specified system property for CLR connect timeout


-----------------------------------------
Version 1.0.7-SAP-BYOS-Build1.44 2021-01-06T07:37:48

-----------------------------------------
Patch: SUSE-2021-26
Released: Tue Jan  5 14:18:00 2021
Summary: Recommended update for libxml2
Severity: moderate
References: 1178823
Description:
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.3 2021-01-09T07:42:20

-----------------------------------------
Patch: SUSE-2021-51
Released: Fri Jan  8 16:27:07 2021
Summary: Recommended update for yast2-cluster
Severity: moderate
References: 1180424
Description:
This update for yast2-cluster fixes the following issues:

- Add watchdog config to the default list. (bsc#1180424)


-----------------------------------------
Patch: SUSE-2021-55
Released: Fri Jan  8 22:36:25 2021
Summary: Recommended update for libyajl
Severity: low
References: 
Description:

This update for libyajl fixes the following issues:

- Fix popd syntax to be compatible with newer versions of the bash shell.


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.5 2021-01-13T07:42:42

-----------------------------------------
Patch: SUSE-2021-74
Released: Tue Jan 12 10:25:01 2021
Summary: Recommended update for SUSEConnect
Severity: low
References: 
Description:
This update for SUSEConnect fixes the following issue:

Update to version 0.3.29

- Replace the Ruby path with the native one during build phase.


-----------------------------------------
Patch: SUSE-2021-83
Released: Tue Jan 12 14:31:53 2021
Summary: Security update for crmsh
Severity: important
References: 1179999,CVE-2020-35459
Description:
This update for crmsh fixes the following issue:

- CVE-2020-35459: Fixed a privilege escalation in hawk_invoke (bsc#1179999).


-----------------------------------------
Patch: SUSE-2021-89
Released: Tue Jan 12 14:33:58 2021
Summary: Security update for hawk2
Severity: important
References: 1179998,CVE-2020-35458
Description:
This update for hawk2 fixes the following security issue:

- CVE-2020-35458: Fixed an insufficient input handler that could have led to remote code execution (bsc#1179998).


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.6 2021-01-14T07:42:46

-----------------------------------------
Patch: SUSE-2021-116
Released: Wed Jan 13 18:36:51 2021
Summary: Recommended update for release-notes-sles
Severity: low
References: 1024946,1143465,1168741,1170958,1172752,1173570,1180183
Description:
This update for release-notes-sles fixes the following issues:

Release notes 12.5.20210104 (bsc#1180183)

- Make sure that the Containers section is included in the output document
- Added note about Git 2.26.2 update (jsc#SLE-11177)
- Added note about postgressql 12 (jsc#SLE-11078)
- Added note about Salt 3000 update (jsc#SLE-12830)
- Added note about end of support for packaged Docker images (bsc#1168741)
- Added note about PHP 7.4 Upgrade (jsc#SLE-12474)
- Added note about updated Apache NSS to SLES 12 SP5 (jsc#SLE-12751)
- Added note about new kernel-firmware package (bsc#1143465)
- Fixed section about software requiring external contracts (bsc#1173570)
- Python 3.6 is shipped in `python-3.6` package (bsc#1172752)
- Added info that Btrfs quota groups can degrade performance (bsc#1024946)
- Btrfs features: Added missing data for SLES 12 SP5
- Fixed typo in the word 'module' (bsc#1170958)


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.8 2021-01-15T11:43:25

-----------------------------------------
Patch: SUSE-2021-128
Released: Thu Jan 14 11:01:24 2021
Summary: Security update for openldap2
Severity: moderate
References: 1178909,CVE-2020-25709,CVE-2020-25710
Description:
This update for openldap2 fixes the following issues:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).


-----------------------------------------
Patch: SUSE-2021-133
Released: Fri Jan 15 09:10:23 2021
Summary: Security update for the Linux Kernel
Severity: important
References: 1040855,1044120,1044767,1050242,1050536,1050545,1055117,1056653,1056657,1056787,1064802,1065729,1066129,1094840,1103990,1103992,1104389,1104393,1109695,1109837,1110096,1112178,1112374,1114648,1115431,1118657,1122971,1129770,1136460,1136461,1138374,1139944,1144912,1152457,1163727,1164780,1171078,1172145,1172538,1172694,1174784,1174852,1176558,1176559,1176956,1177666,1178270,1178372,1178401,1178590,1178634,1178762,1179014,1179015,1179045,1179082,1179107,1179142,1179204,1179403,1179406,1179418,1179419,1179421,1179444,1179520,1179578,1179601,1179616,1179663,1179666,1179670,1179671,1179672,1179673,1179711,1179713,1179714,1179715,1179716,1179722,1179723,1179724,1179745,1179810,1179888,1179895,1179896,1179960,1179963,1180027,1180029,1180031,1180052,1180086,1180117,1180258,1180506,1180559,CVE-2018-20669,CVE-2019-20934,CVE-2020-0444,CVE-2020-0465,CVE-2020-0466,CVE-2020-27068,CVE-2020-27777,CVE-2020-27786,CVE-2020-27825,CVE-2020-28374,CVE-2020-29660,CVE-2020-29661,CVE-2020-36158,CVE-2020-4788
Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-28374: Fixed a LIO security issue (bsc#1178372).
- CVE-2020-36158: Fixed a potential remote code execution in the Marvell mwifiex driver (bsc#1180559).
- CVE-2020-27825: Fixed a race in the trace_open and buffer resize calls (bsc#1179960).
- CVE-2020-0466: Fixed a use-after-free due to a logic error in do_epoll_ctl and ep_loop_check_proc of eventpoll.c (bnc#1180031).
- CVE-2020-27068: Fixed an out-of-bounds read due to a missing bounds check in the nl80211_policy policy of nl80211.c (bnc#1180086).
- CVE-2020-0465: Fixed multiple missing bounds checks in hid-multitouch.c that could have led to local privilege escalation (bnc#1180029).
- CVE-2020-0444: Fixed a bad kfree due to a logic error in audit_data_to_entry (bnc#1180027).
- CVE-2020-29660: Fixed a locking inconsistency in the tty subsystem that may have allowed a read-after-free attack against TIOCGSID (bnc#1179745).
- CVE-2020-29661: Fixed a locking issue in the tty subsystem that allowed a use-after-free attack against TIOCSPGRP (bsc#1179745).
- CVE-2020-27777: Fixed a privilege escalation in the Run-Time Abstraction Services (RTAS) interface, affecting guests running on top of PowerVM or KVM hypervisors (bnc#1179107).
- CVE-2019-20934: Fixed a use-after-free in show_numa_stats() because NUMA fault statistics were inappropriately freed, aka CID-16d51a590a8c (bsc#1179663).
- CVE-2020-27786: Fixed a use after free in kernel midi subsystem snd_rawmidi_kernel_read1() (bsc#1179601).
- CVE-2020-4788: Fixed an issue with IBM Power9 processors could have allowed a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances (bsc#1177666).
- CVE-2018-20669: Fixed an improper check i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c (bsc#1122971).

The following non-security bugs were fixed:

- ACPI: PNP: compare the string length in the matching_id() (git-fixes).
- ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 (git-fixes).
- ACPICA: Do not increment operation_region reference counts for field units (git-fixes).
- ALSA: ca0106: fix error code handling (git-fixes).
- ALSA: ctl: allow TLV read operation for callback type of element in locked case (git-fixes).
- ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO (git-fixes).
- ALSA: hda/ca0132 - Change Input Source enum strings (git-fixes).
- ALSA: hda/ca0132 - Fix AE-5 rear headphone pincfg (git-fixes).
- ALSA: hda/generic: Add option to enforce preferred_dacs pairs (git-fixes).
- ALSA: hda/hdmi: always check pin power status in i915 pin fixup (git-fixes).
- ALSA: hda/realtek - Add new codec supported for ALC897 (git-fixes).
- ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged (git-fixes).
- ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 (git-fixes).
- ALSA: hda/realtek: Add mute LED quirk to yet another HP x360 model (git-fixes).
- ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220) (git-fixes).
- ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520 (git-fixes).
- ALSA: hda/realtek: Enable headset of ASUS UX482EG & B9400CEA with ALC294 (git-fixes).
- ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table (git-fixes).
- ALSA: hda: Fix potential race in unsol event handler (git-fixes).
- ALSA: hda: Fix regressions on clear and reconfig sysfs (git-fixes).
- ALSA: info: Drop WARN_ON() from buffer NULL sanity check (git-fixes).
- ALSA: isa/wavefront: prevent out of bounds write in ioctl (git-fixes).
- ALSA: line6: Perform sanity check for each URB creation (git-fixes).
- ALSA: pcm: oss: Fix a few more UBSAN fixes (git-fixes).
- ALSA: pcm: oss: Fix potential out-of-bounds shift (git-fixes).
- ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check (git-fixes).
- ALSA: timer: Limit max amount of slave instances (git-fixes).
- ALSA: usb-audio: Add delay quirk for all Logitech USB devices (git-fixes).
- ALSA: usb-audio: Add delay quirk for H570e USB headsets (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for MODX (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for Qu-16 (git-fixes).
- ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 (git-fixes).
- ALSA: usb-audio: add quirk for Denon DCD-1500RE (git-fixes).
- ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG) (git-fixes).
- ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Alpha S (git-fixes).
- ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Flight S (git-fixes).
- ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices (git-fixes).
- ALSA: usb-audio: Disable sample read check if firmware does not give back (git-fixes).
- ALSA: usb-audio: Fix control 'access overflow' errors from chmap (git-fixes).
- ALSA: usb-audio: Fix OOB access of mixer element list (git-fixes).
- ALSA: usb-audio: Fix potential out-of-bounds shift (git-fixes).
- ALSA: usb-audio: Fix race against the error recovery URB submission (git-fixes).
- ALSA: usb-audio: US16x08: fix value count for level meters (git-fixes).
- ASoC: arizona: Fix a wrong free in wm8997_probe (git-fixes).
- ASoC: cx2072x: Fix doubly definitions of Playback and Capture streams (git-fixes).
- ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed (git-fixes).
- ASoC: jz4740-i2s: add missed checks for clk_get() (git-fixes).
- ASoC: pcm3168a: The codec does not support S32_LE (git-fixes).
- ASoC: pcm: DRAIN support reactivation (git-fixes).
- ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile (git-fixes).
- ASoC: sti: fix possible sleep-in-atomic (git-fixes).
- ASoC: wm8904: fix regcache handling (git-fixes).
- ASoC: wm8998: Fix PM disable depth imbalance on error (git-fixes).
- ASoC: wm_adsp: Do not generate kcontrols without READ flags (git-fixes).
- ASoC: wm_adsp: remove 'ctl' from list on error in wm_adsp_create_control() (git-fixes).
- ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function (git-fixes).
- ath10k: Fix an error handling path (git-fixes).
- ath10k: fix backtrace on coredump (git-fixes).
- ath10k: fix get invalid tx rate for Mesh metric (git-fixes).
- ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq (git-fixes).
- ath10k: Release some resources in an error handling path (git-fixes).
- ath10k: Remove msdu from idr when management pkt send fails (git-fixes).
- ath6kl: fix enum-conversion warning (git-fixes).
- ath9k_htc: Discard undersized packets (git-fixes).
- ath9k_htc: Modify byte order for an error message (git-fixes).
- ath9k_htc: Silence undersized packet warnings (git-fixes).
- ath9k_htc: Use appropriate rs_datalen type (git-fixes).
- Avoid a GCC warning about '/*' within a comment.
- backlight: lp855x: Ensure regulators are disabled on probe failure (git-fixes).
- Bluetooth: add a mutex lock to avoid UAF in do_enale_set (git-fixes).
- Bluetooth: btusb: Fix detection of some fake CSR controllers with a bcdDevice val of 0x0134 (git-fixes).
- Bluetooth: Fix advertising duplicated flags (git-fixes).
- Bluetooth: Fix null pointer dereference in hci_event_packet() (git-fixes).
- Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() (git-fixes).
- bnxt_en: Fix race when modifying pause settings (bsc#1050242 ).
- bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex (bsc#1050242).
- btmrvl: Fix firmware filename for sd8997 chipset (bsc#1172694).
- btrfs: fix use-after-free on readahead extent after failure to create it (bsc#1179963).
- btrfs: qgroup: do not commit transaction when we already hold the handle (bsc#1178634).
- btrfs: remove a BUG_ON() from merge_reloc_roots() (bsc#1174784).
- bus: fsl-mc: fix error return code in fsl_mc_object_allocate() (git-fixes).
- can: mcp251x: add error check when wq alloc failed (git-fixes).
- can: softing: softing_netdev_open(): fix error handling (git-fixes).
- cfg80211: initialize rekey_data (git-fixes).
- cfg80211: regulatory: Fix inconsistent format argument (git-fixes).
- cifs: add NULL check for ses->tcon_ipc (bsc#1178270).
- cifs: allow syscalls to be restarted in __smb_send_rqst() (bsc#1176956).
- cifs: fix check of tcon dfs in smb1 (bsc#1178270).
- cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
- cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes).
- cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- clk: at91: usb: continue if clk_hw_round_rate() return zero (git-fixes).
- clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 (git-fixes).
- clk: qcom: Allow constant ratio freq tables for rcg (git-fixes).
- clk: qcom: msm8916: Fix the address location of pll->config_reg (git-fixes).
- clk: s2mps11: Fix a resource leak in error handling paths in the probe function (git-fixes).
- clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 (git-fixes).
- clk: sunxi-ng: Make sure divider tables have sentinel (git-fixes).
- clk: tegra: Fix duplicated SE clock entry (git-fixes).
- clk: tegra: Fix Tegra PMC clock out parents (git-fixes).
- clk: ti: composite: fix memory leak (git-fixes).
- clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call (git-fixes).
- clk: ti: Fix memleak in ti_fapll_synth_setup (git-fixes).
- clocksource/drivers/asm9260: Add a check for of_clk_get (git-fixes).
- coredump: fix core_pattern parse error (git-fixes).
- cpufreq: highbank: Add missing MODULE_DEVICE_TABLE (git-fixes).
- cpufreq: loongson1: Add missing MODULE_ALIAS (git-fixes).
- cpufreq: scpi: Add missing MODULE_ALIAS (git-fixes).
- cpufreq: st: Add missing MODULE_DEVICE_TABLE (git-fixes).
- crypto: af_alg - avoid undefined behavior accessing salg_name (git-fixes).
- crypto: omap-aes - Fix PM disable depth imbalance in omap_aes_probe (git-fixes).
- crypto: qat - fix status check in qat_hal_put_rel_rd_xfer() (git-fixes).
- crypto: talitos - Fix return type of current_desc_hdr() (git-fixes).
- cw1200: fix missing destroy_workqueue() on error in cw1200_init_common (git-fixes).
- cxgb4: Fix offset when clearing filter byte counters (bsc#1064802 bsc#1066129).
- drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish (git-fixes).
- drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe (git-fixes).
- drm/amd/display: remove useless if/else (git-fixes).
- drm/amdgpu: fix build_coefficients() argument (git-fixes).
- drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() (git-fixes).
- drm/gma500: fix double free of gma_connector (git-fixes).
- drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] (bsc#1129770)
- drm/meson: dw-hdmi: Register a callback to disable the regulator (git-fixes).
- drm/msm/dpu: Add newline to printks (git-fixes).
- drm/msm/dsi_phy_10nm: implement PHY disabling (git-fixes).
- drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() (git-fixes).
- drm/rockchip: Avoid uninitialized use of endpoint id in LVDS (git-fixes).
- EDAC/i10nm: Use readl() to access MMIO registers (12sp5).
- epoll: Keep a reference on files added to the check list (bsc#1180031).
- ext4: correctly report 'not supported' for {usr,grp}jquota when !CONFIG_QUOTA (bsc#1179672).
- ext4: fix bogus warning in ext4_update_dx_flag() (bsc#1179716).
- ext4: fix error handling code in add_new_gdb (bsc#1179722).
- ext4: fix invalid inode checksum (bsc#1179723).
- ext4: fix leaking sysfs kobject after failed mount (bsc#1179670).
- ext4: limit entries returned when counting fsmap records (bsc#1179671).
- ext4: unlock xattr_sem properly in ext4_inline_data_truncate() (bsc#1179673).
- extcon: max77693: Fix modalias string (git-fixes).
- fbcon: Fix user font detection test at fbcon_resize(). (bsc#1112178) Backporting changes: 	* updated path drivers/video/fbcon/core to drivers/video/console
- fbcon: Remove the superfluous break (bsc#1129770) Backporting changes: 	* updated path drivers/video/fbcon/core to drivers/video/console 	* context changes
- firmware: qcom: scm: Ensure 'a0' status code is treated as signed (git-fixes).
- fix regression in 'epoll: Keep a reference on files added to the check list' (bsc#1180031, git-fixes).
- forcedeth: use per cpu to collect xmit/recv statistics (git-fixes).
- fs: Do not invalidate page buffers in block_write_full_page() (bsc#1179711).
- geneve: change from tx_error to tx_dropped on missing metadata (git-fixes).
- genirq/irqdomain: Add an irq_create_mapping_affinity() function (bsc#1065729).
- gpio: arizona: handle pm_runtime_get_sync failure case (git-fixes).
- gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap() (git-fixes).
- gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP (git-fixes).
- gpio: max77620: Fixup debounce delays (git-fixes).
- gpio: max77620: Use correct unit for debounce times (git-fixes).
- gpio: mpc8xxx: Add platform device to gpiochip->parent (git-fixes).
- gpio: mvebu: fix potential user-after-free on probe (git-fixes).
- gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model (git-fixes).
- gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk (git-fixes).
- gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option (git-fixes).
- gpiolib: acpi: Turn dmi_system_id table into a generic quirk table (git-fixes).
- gpiolib: fix up emulated open drain outputs (git-fixes).
- HID: Add another Primax PIXART OEM mouse quirk (git-fixes).
- HID: apple: Disable Fn-key key-re-mapping on clone keyboards (git-fixes).
- HID: core: check whether Usage Page item is after Usage ID items (git-fixes).
- HID: core: Correctly handle ReportSize being zero (git-fixes).
- HID: cypress: Support Varmilo Keyboards' media hotkeys (git-fixes).
- HID: Fix slab-out-of-bounds read in hid_field_extract (bsc#1180052).
- HID: hid-sensor-hub: Fix issue with devices with no report ID (git-fixes).
- HID: Improve Windows Precision Touchpad detection (git-fixes).
- HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() (git-fixes).
- HID: logitech-hidpp: Silence intermittent get_battery_capacity errors (git-fixes).
- HSI: omap_ssi: Do not jump to free ID in ssi_add_controller() (git-fixes).
- hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow (git-fixes).
- hwmon: (jc42) Fix name to have no illegal characters (git-fixes).
- i2c: algo: pca: Reapply i2c bus settings after reset (git-fixes).
- i2c: i801: Fix resume bug (git-fixes).
- i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets (git-fixes).
- i2c: pxa: clear all master action bits in i2c_pxa_stop_message() (git-fixes).
- i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output (git-fixes).
- i2c: qup: Fix error return code in qup_i2c_bam_schedule_desc() (git-fixes).
- ibmvnic: add some debugs (bsc#1179896 ltc#190255).
- ibmvnic: avoid memset null scrq msgs (bsc#1044767 ltc#155231 git-fixes).
- ibmvnic: continue fatal error reset after passive init (bsc#1171078 ltc#184239 git-fixes).
- ibmvnic: delay next reset if hard reset fails (bsc#1094840 ltc#167098 git-fixes).
- ibmvnic: enhance resetting status check during module exit (bsc#1065729).
- ibmvnic: fix call_netdevice_notifiers in do_reset (bsc#1115431 ltc#171853 git-fixes).
- ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues (bsc#1040855 ltc#155067 git-fixes).
- ibmvnic: fix: NULL pointer dereference (bsc#1044767 ltc#155231 git-fixes).
- ibmvnic: notify peers when failover and migration happen (bsc#1044120 ltc#155423 git-fixes).
- ibmvnic: restore adapter state on failed reset (bsc#1152457 ltc#174432 git-fixes).
- igc: Fix returning wrong statistics (bsc#1118657).
- iio: adc: max1027: Reset the device at probe time (git-fixes).
- iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume (git-fixes).
- iio: bmp280: fix compensation of humidity (git-fixes).
- iio: buffer: Fix demux update (git-fixes).
- iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() (git-fixes).
- iio: fix center temperature of bmc150-accel-core (git-fixes).
- iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting (git-fixes).
- iio: light: bh1750: Resolve compiler warning and make code more readable (git-fixes).
- iio: srf04: fix wrong limitation in distance measuring (git-fixes).
- iio:imu:bmi160: Fix too large a buffer (git-fixes).
- iio:pressure:mpl3115: Force alignment of buffer (git-fixes).
- inet_ecn: Fix endianness of checksum update when setting ECT(1) (git-fixes).
- Input: ads7846 - fix integer overflow on Rt calculation (git-fixes).
- Input: ads7846 - fix race that causes missing releases (git-fixes).
- Input: ads7846 - fix unaligned access on 7845 (git-fixes).
- Input: atmel_mxt_ts - disable IRQ across suspend (git-fixes).
- Input: cm109 - do not stomp on control URB (git-fixes).
- Input: cros_ec_keyb - send 'scancodes' in addition to key events (git-fixes).
- Input: cyapa_gen6 - fix out-of-bounds stack access (git-fixes).
- Input: goodix - add upside-down quirk for Teclast X98 Pro tablet (git-fixes).
- Input: i8042 - add Acer laptops to the i8042 reset list (git-fixes).
- Input: i8042 - add ByteSpeed touchpad to noloop table (git-fixes).
- Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists (git-fixes).
- Input: i8042 - allow insmod to succeed on devices without an i8042 controller (git-fixes).
- Input: i8042 - fix error return code in i8042_setup_aux() (git-fixes).
- Input: omap4-keypad - fix runtime PM error handling (git-fixes).
- Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen (git-fixes).
- Input: trackpoint - add new trackpoint variant IDs (git-fixes).
- Input: trackpoint - enable Synaptics trackpoints (git-fixes).
- Input: xpad - support Ardwiino Controllers (git-fixes).
- ipw2x00: Fix -Wcast-function-type (git-fixes).
- irqchip/alpine-msi: Fix freeing of interrupts on allocation error path (git-fixes).
- iwlwifi: mvm: fix kernel panic in case of assert during CSA (git-fixes).
- iwlwifi: mvm: fix unaligned read of rx_pkt_status (git-fixes).
- iwlwifi: pcie: limit memory read spin time (git-fixes).
- kABI fix for g2d (git-fixes).
- kABI workaround for dsa/b53 changes (git-fixes).
- kABI workaround for HD-audio generic parser (git-fixes).
- kABI workaround for net/ipvlan changes (git-fixes).
- kABI workaround for usermodehelper changes (bsc#1179406).
- kABI: ath10k: move a new structure member to the end (git-fixes).
- kABI: genirq: add back irq_create_mapping (bsc#1065729).
- kernel-source.spec: Fix build with rpm 4.16 (boo#1179015). RPM_BUILD_ROOT is cleared before %%install. Do the unpack into RPM_BUILD_ROOT in %%install
- kernel-{binary,source}.spec.in: do not create loop symlinks (bsc#1179082)
- kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling (bsc#1055117 ltc#159753 git-fixes bsc#1179888 ltc#190253).
- kgdb: Fix spurious true from in_dbg_master() (git-fixes).
- KVM: x86: reinstate vendor-agnostic check on SPEC_CTRL cpuid bits (bsc#1112178).
- mac80211: allow rx of mesh eapol frames with default rx key (git-fixes).
- mac80211: Check port authorization in the ieee80211_tx_dequeue() case (git-fixes).
- mac80211: do not set set TDLS STA bandwidth wider than possible (git-fixes).
- mac80211: fix authentication with iwlwifi/mvm (git-fixes).
- mac80211: fix use of skb payload instead of header (git-fixes).
- mac80211: mesh: fix mesh_pathtbl_init() error path (git-fixes).
- matroxfb: avoid -Warray-bounds warning (git-fixes).
- md-cluster: fix rmmod issue when md_cluster convert bitmap to none (bsc#1163727).
- md-cluster: fix safemode_delay value when converting to clustered bitmap (bsc#1163727).
- md-cluster: fix wild pointer of unlock_all_bitmaps() (bsc#1163727).
- md/bitmap: fix memory leak of temporary bitmap (bsc#1163727).
- md/bitmap: md_bitmap_get_counter returns wrong blocks (bsc#1163727).
- md/bitmap: md_bitmap_read_sb uses wrong bitmap blocks (bsc#1163727).
- md/cluster: block reshape with remote resync job (bsc#1163727).
- md/cluster: fix deadlock when node is doing resync job (bsc#1163727).
- md/raid5: fix oops during stripe resizing (git-fixes).
- media: am437x-vpfe: Setting STD to current value is not an error (git-fixes).
- media: cec-funcs.h: add status_req checks (git-fixes).
- media: cx88: Fix some error handling path in 'cx8800_initdev()' (git-fixes).
- media: gspca: Fix memory leak in probe (git-fixes).
- media: i2c: mt9v032: fix enum mbus codes and frame sizes (git-fixes).
- media: i2c: ov2659: Fix missing 720p register config (git-fixes).
- media: i2c: ov2659: fix s_stream return value (git-fixes).
- media: msi2500: assign SPI bus number dynamically (git-fixes).
- media: mtk-mdp: Fix a refcounting bug on error in init (git-fixes).
- media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm() (git-fixes).
- media: platform: add missing put_device() call in mtk_jpeg_probe() and mtk_jpeg_remove() (git-patches).
- media: pvrusb2: Fix oops on tear-down when radio support is not present (git-fixes).
- media: s5p-g2d: Fix a memory leak in an error handling path in 'g2d_probe()' (git-fixes).
- media: saa7146: fix array overflow in vidioc_s_audio() (git-fixes).
- media: si470x-i2c: add missed operations in remove (git-fixes).
- media: siano: fix memory leak of debugfs members in smsdvb_hotplug (git-fixes).
- media: solo6x10: fix missing snd_card_free in error handling case (git-fixes).
- media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run() (git-fixes).
- media: sunxi-cir: ensure IR is handled when it is continuous (git-fixes).
- media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort cases (git-fixes).
- media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number (git-fixes).
- media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid sizeimage (git-fixes).
- media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic (git-fixes).
- media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format (git-fixes).
- media: ti-vpe: vpe: Make sure YUYV is set as default format (git-fixes).
- media: uvcvideo: Set media controller entity functions (git-fixes).
- media: uvcvideo: Silence shift-out-of-bounds warning (git-fixes).
- media: v4l2-async: Fix trivial documentation typo (git-fixes).
- media: v4l2-core: fix touch support in v4l_g_fmt (git-fixes).
- media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros (git-fixes).
- mei: bus: do not clean driver pointer (git-fixes).
- mei: protect mei_cl_mtu from null dereference (git-fixes).
- memstick: fix a double-free bug in memstick_check (git-fixes).
- memstick: r592: Fix error return in r592_probe() (git-fixes).
- mfd: rt5033: Fix errorneous defines (git-fixes).
- mfd: wm8994: Fix driver operation if loaded as modules (git-fixes).
- mlxsw: core: Fix memory leak on module removal (bsc#1112374).
- mm,memory_failure: always pin the page in madvise_inject_error (bsc#1180258).
- mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() (bsc#1179204).
- Move upstreamed bt fixes into sorted section
- mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure (git-fixes).
- net/smc: fix valid DMBE buffer sizes (git-fixes).
- net/tls: Fix kmap usage (bsc#1109837).
- net/tls: missing received data after fast remote close (bsc#1109837).
- net/x25: prevent a couple of overflows (bsc#1178590).
- net: aquantia: Fix aq_vec_isr_legacy() return value (git-fixes).
- net: aquantia: fix LRO with FCS error (git-fixes).
- net: DCB: Validate DCB_ATTR_DCB_BUFFER argument (bsc#1103990 ).
- net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan() (git-fixes).
- net: dsa: b53: Ensure the default VID is untagged (git-fixes).
- net: dsa: b53: Fix default VLAN ID (git-fixes).
- net: dsa: b53: Properly account for VLAN filtering (git-fixes).
- net: dsa: bcm_sf2: Do not assume DSA master supports WoL (git-fixes).
- net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend() (git-fixes).
- net: dsa: qca8k: remove leftover phy accessors (git-fixes).
- net: ena: fix packet's addresses for rx_offset feature (bsc#1174852).
- net: ena: handle bad request id in ena_netdev (git-fixes).
- net: ethernet: ti: cpsw: clear all entries when delete vid (git-fixes).
- net: ethernet: ti: cpsw: fix runtime_pm while add/kill vlan (git-fixes).
- net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() (git-fixes).
- net: macb: add missing barriers when reading descriptors (git-fixes).
- net: macb: fix dropped RX frames due to a race (git-fixes).
- net: macb: fix error format in dev_err() (git-fixes).
- net: macb: fix random memory corruption on RX with 64-bit DMA (git-fixes).
- net: pasemi: fix an use-after-free in pasemi_mac_phy_init() (git-fixes).
- net: phy: Avoid multiple suspends (git-fixes).
- net: qed: fix 'maybe uninitialized' warning (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- net: qed: fix async event callbacks unregistering (bsc#1104393 bsc#1104389).
- net: qede: fix PTP initialization on recovery (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- net: qede: fix use-after-free on recovery and AER handling (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- net: seeq: Fix the function used to release some memory in an error handling path (git-fixes).
- net: sh_eth: fix a missing check of of_get_phy_mode (git-fixes).
- net: sonic: replace dev_kfree_skb in sonic_send_packet (git-fixes).
- net: sonic: return NETDEV_TX_OK if failed to map buffer (git-fixes).
- net: stmmac: fix csr_clk can't be zero issue (git-fixes).
- net: stmmac: Fix reception of Broadcom switches tags (git-fixes).
- net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task() (bsc#1110096).
- net: usb: sr9800: fix uninitialized local variable (git-fixes).
- net:ethernet:aquantia: Extra spinlocks removed (git-fixes).
- net_sched: fix a memory leak in atm_tc_init() (bsc#1056657 bsc#1056653 bsc#1056787).
- nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame (git-fixes).
- nfc: s3fwrn5: Release the nfc firmware (git-fixes).
- nfc: st95hf: Fix memleak in st95hf_in_send_cmd (git-fixes).
- nfp: use correct define to return NONE fec (bsc#1109837).
- NFS: fix nfs_path in case of a rename retry (git-fixes).
- NFSD: Add missing NFSv2 .pc_func methods (git-fixes).
- NFSv4.2: fix client's attribute cache management for copy_file_range (git-fixes).
- NFSv4.2: support EXCHGID4_FLAG_SUPP_FENCE_OPS 4.2 EXCHANGE_ID flag (git-fixes).
- ocfs2: fix unbalanced locking (bsc#1180506).
- ocfs2: initialize ip_next_orphan (bsc#1179724).
- orinoco: Move context allocation after processing the skb (git-fixes).
- parport: load lowlevel driver if ports not found (git-fixes).
- PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges (git-fixes).
- PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge (git-fixes).
- PCI: Do not disable decoding when mmio_always_on is set (git-fixes).
- PCI: Fix pci_slot_release() NULL pointer dereference (git-fixes).
- phy: Revert toggling reset changes (git-fixes).
- pinctrl: amd: fix __iomem annotation in amd_gpio_irq_handler() (git-fixes).
- pinctrl: amd: fix npins for uart0 in kerncz_groups (git-fixes).
- pinctrl: amd: remove debounce filter setting in IRQ type setting (git-fixes).
- pinctrl: aspeed: Fix GPIO requests on pass-through banks (git-fixes).
- pinctrl: baytrail: Avoid clearing debounce value when turning it off (git-fixes).
- pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe() (git-fixes).
- pinctrl: merrifield: Set default bias in case no particular value given (git-fixes).
- pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B (git-fixes).
- platform/x86: acer-wmi: add automatic keyboard background light toggle key as KEY_LIGHTS_TOGGLE (git-fixes).
- platform/x86: dell-smbios-base: Fix error return code in dell_smbios_init (git-fixes).
- platform/x86: mlx-platform: Fix item counter assignment for MSN2700, MSN24xx systems (git-fixes).
- platform/x86: mlx-platform: remove an unused variable (git-fixes).
- platform/x86: mlx-platform: Remove PSU EEPROM from default platform configuration (git-fixes).
- platform/x86: mlx-platform: Remove PSU EEPROM from MSN274x platform configuration (git-fixes).
- PM / hibernate: memory_bm_find_bit(): Tighten node optimisation (git-fixes).
- PM: ACPI: Output correct message on target power state (git-fixes).
- PM: hibernate: Freeze kernel threads in software_resume() (git-fixes).
- PM: hibernate: remove the bogus call to get_gendisk() in software_resume() (git-fixes).
- pNFS/flexfiles: Fix list corruption if the mirror count changes (git-fixes).
- power: supply: bq24190_charger: fix reference leak (git-fixes).
- power: supply: bq27xxx_battery: Silence deferred-probe error (git-fixes).
- powerpc/64: Set up a kernel stack for secondaries before cpu_restore() (bsc#1065729).
- powerpc/64s/pseries: Fix hash tlbiel_all_isa300 for guest kernels (bsc#1179888 ltc#190253).
- powerpc/64s: Fix hash ISA v3.0 TLBIEL instruction generation (bsc#1055117 ltc#159753 git-fixes bsc#1179888 ltc#190253).
- powerpc/64s: Trim offlined CPUs from mm_cpumasks (bsc#1055117 ltc#159753 git-fixes bsc#1179888 ltc#190253).
- powerpc/pci: Fix broken INTx configuration via OF (bsc#1172145 ltc#184630).
- powerpc/pci: Remove legacy debug code (bsc#1172145 ltc#184630 git-fixes).
- powerpc/pci: Remove LSI mappings on device teardown (bsc#1172145 ltc#184630).
- powerpc/pci: Use of_irq_parse_and_map_pci() helper (bsc#1172145 ltc#184630).
- powerpc/perf: Fix crash with is_sier_available when pmu is not set (bsc#1179578 ltc#189313).
- powerpc/pseries/hibernation: remove redundant cacheinfo update (bsc#1138374 ltc#178199 git-fixes).
- powerpc/pseries: Pass MSI affinity to irq_create_mapping() (bsc#1065729).
- powerpc/smp: Add __init to init_big_cores() (bsc#1109695 ltc#171067 git-fixes).
- powerpc/xmon: Change printk() to pr_cont() (bsc#1065729).
- powerpc: Convert to using %pOF instead of full_name (bsc#1172145 ltc#184630).
- powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at (bsc#1065729).
- ppp: remove the PPPIOCDETACH ioctl (git-fixes).
- pwm: lp3943: Dynamically allocate PWM chip base (git-fixes).
- qed: fix error return code in qed_iwarp_ll2_start() (bsc#1050536 bsc#1050545).
- qed: suppress 'do not support RoCE & iWARP' flooding on HW init (bsc#1050536 bsc#1050545).
- qed: suppress false-positives interrupt error messages on HW init (bsc#1136460 jsc#SLE-4691 bsc#1136461 jsc#SLE-4692).
- quota: clear padding in v2r1_mem2diskdqb() (bsc#1179714).
- radeon: insert 10ms sleep in dce5_crtc_load_lut (git-fixes).
- ravb: Fix use-after-free ravb_tstamp_skb (git-fixes).
- RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532 (bsc#1050545).
- RDMA/qedr: Fix memory leak in iWARP CM (bsc#1050545 ).
- reboot: fix overflow parsing reboot cpu number (bsc#1179421).
- regmap: debugfs: check count when read regmap file (git-fixes).
- regmap: dev_get_regmap_match(): fix string comparison (git-fixes).
- regmap: Remove duplicate `type` field from regmap `regcache_sync` trace event (git-fixes).
- regulator: max8907: Fix the usage of uninitialized variable in max8907_regulator_probe() (git-fixes).
- regulator: pfuze100-regulator: Variable 'val' in pfuze100_regulator_probe() could be uninitialized (git-fixes).
- regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone (git-fixes).
- reiserfs: Fix oops during mount (bsc#1179715).
- reiserfs: Initialize inode keys properly (bsc#1179713).
- remoteproc: Fix wrong rvring index computation (git-fixes).
- rfkill: Fix incorrect check to avoid NULL pointer dereference (git-fixes).
- rtc: 88pm860x: fix possible race condition (git-fixes).
- rtc: hym8563: enable wakeup when applicable (git-fixes).
- rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot (git-fixes).
- rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt() (git-fixes).
- s390/bpf: Fix multiple tail calls (git-fixes).
- s390/cpuinfo: show processor physical address (git-fixes).
- s390/cpum_sf.c: fix file permission for cpum_sfb_size (git-fixes).
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- s390/dasd: fix null pointer dereference for ERP requests (git-fixes).
- s390/pci: fix CPU address in MSI for directed IRQ (git-fixes).
- s390/qeth: fix af_iucv notification race (git-fixes).
- s390/qeth: fix tear down of async TX buffers (git-fixes).
- s390/qeth: make af_iucv TX notification call more robust (git-fixes).
- s390/stp: add locking to sysfs functions (git-fixes).
- s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl (git-fixes).
- scripts/lib/SUSE/MyBS.pm: properly close prjconf Macros: section
- scsi: lpfc: Add FDMI Vendor MIB support (bsc#1164780).
- scsi: lpfc: Convert abort handling to SLI-3 and SLI-4 handlers (bsc#1164780).
- scsi: lpfc: Convert SCSI I/O completions to SLI-3 and SLI-4 handlers (bsc#1164780).
- scsi: lpfc: Convert SCSI path to use common I/O submission path (bsc#1164780).
- scsi: lpfc: Correct null ndlp reference on routine exit (bsc#1164780).
- scsi: lpfc: Drop nodelist reference on error in lpfc_gen_req() (bsc#1164780).
- scsi: lpfc: Enable common send_io interface for SCSI and NVMe (bsc#1164780).
- scsi: lpfc: Enable common wqe_template support for both SCSI and NVMe (bsc#1164780).
- scsi: lpfc: Enlarge max_sectors in scsi host templates (bsc#1164780).
- scsi: lpfc: Extend the RDF FPIN Registration descriptor for additional events (bsc#1164780).
- scsi: lpfc: Fix duplicate wq_create_version check (bsc#1164780).
- scsi: lpfc: Fix fall-through warnings for Clang (bsc#1164780).
- scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery (bsc#1164780).
- scsi: lpfc: Fix invalid sleeping context in lpfc_sli4_nvmet_alloc() (bsc#1164780).
- scsi: lpfc: Fix memory leak on lcb_context (bsc#1164780).
- scsi: lpfc: Fix missing prototype for lpfc_nvmet_prep_abort_wqe() (bsc#1164780).
- scsi: lpfc: Fix missing prototype warning for lpfc_fdmi_vendor_attr_mi() (bsc#1164780).
- scsi: lpfc: Fix NPIV discovery and Fabric Node detection (bsc#1164780).
- scsi: lpfc: Fix NPIV Fabric Node reference counting (bsc#1164780).
- scsi: lpfc: Fix pointer defereference before it is null checked issue (bsc#1164780).
- scsi: lpfc: Fix refcounting around SCSI and NVMe transport APIs (bsc#1164780).
- scsi: lpfc: Fix removal of SCSI transport device get and put on dev structure (bsc#1164780).
- scsi: lpfc: Fix scheduling call while in softirq context in lpfc_unreg_rpi (bsc#1164780).
- scsi: lpfc: Fix set but not used warnings from Rework remote port lock handling (bsc#1164780).
- scsi: lpfc: Fix set but unused variables in lpfc_dev_loss_tmo_handler() (bsc#1164780).
- scsi: lpfc: Fix spelling mistake 'Cant' -> 'Can't' (bsc#1164780).
- scsi: lpfc: Fix variable 'vport' set but not used in lpfc_sli4_abts_err_handler() (bsc#1164780).
- scsi: lpfc: lpfc_attr: Demote kernel-doc format for redefined functions (bsc#1164780).
- scsi: lpfc: lpfc_attr: Fix-up a bunch of kernel-doc misdemeanours (bsc#1164780).
- scsi: lpfc: lpfc_debugfs: Fix a couple of function documentation issues (bsc#1164780).
- scsi: lpfc: lpfc_scsi: Fix a whole host of kernel-doc issues (bsc#1164780).
- scsi: lpfc: Refactor WQE structure definitions for common use (bsc#1164780).
- scsi: lpfc: Reject CT request for MIB commands (bsc#1164780).
- scsi: lpfc: Remove dead code on second !ndlp check (bsc#1164780).
- scsi: lpfc: Remove ndlp when a PLOGI/ADISC/PRLI/REG_RPI ultimately fails (bsc#1164780).
- scsi: lpfc: Remove set but not used 'qp' (bsc#1164780).
- scsi: lpfc: Remove unneeded variable 'status' in lpfc_fcp_cpu_map_store() (bsc#1164780).
- scsi: lpfc: Removed unused macros in lpfc_attr.c (bsc#1164780).
- scsi: lpfc: Rework locations of ndlp reference taking (bsc#1164780).
- scsi: lpfc: Rework remote port lock handling (bsc#1164780).
- scsi: lpfc: Rework remote port ref counting and node freeing (bsc#1164780).
- scsi: lpfc: Unsolicited ELS leaves node in incorrect state while dropping it (bsc#1164780).
- scsi: lpfc: Update changed file copyrights for 2020 (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.4 (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.5 (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.6 (bsc#1164780).
- scsi: lpfc: Use generic power management (bsc#1164780).
- scsi: qla2xxx: Change post del message from debug level to log level (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Convert to DEFINE_SHOW_ATTRIBUTE (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Do not check for fw_started while posting NVMe command (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Do not consume srb greedily (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix compilation issue in PPC systems (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix crash during driver load on big endian machines (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix device loss on 4G and older HBAs (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix flash update in 28XX adapters on big endian machines (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix FW initialization error on big endian machines (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix N2N and NVMe connect retry failure (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix return of uninitialized value in rval (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Fix the call trace for flush workqueue (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Handle aborts correctly for port undergoing deletion (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: If fcport is undergoing deletion complete I/O with retry (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Initialize variable in qla8044_poll_reg() (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Limit interrupt vectors to number of CPUs (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Move sess cmd list/lock to driver (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Remove in_interrupt() from qla82xx-specific code (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Remove in_interrupt() from qla83xx-specific code (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: remove incorrect sparse #ifdef (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Remove trailing semicolon in macro definition (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Return EBUSY on fcport deletion (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Tear down session if FW say it is down (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Update version to 10.02.00.104-k (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: qla2xxx: Use constant when it is known (bsc#1172538 bsc#1179142 bsc#1179810).
- scsi: Remove unneeded break statements (bsc#1164780).
- scsi: storvsc: Fix error return in storvsc_probe() (git-fixes).
- scsi: target: tcm_qla2xxx: Remove BUG_ON(in_interrupt()) (bsc#1172538 bsc#1179142 bsc#1179810).
- serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access (git-fixes).
- serial: 8250_pci: Add Realtek 816a and 816b (git-fixes).
- serial: amba-pl011: Make sure we initialize the port.lock spinlock (git-fixes).
- serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE (git-fixes).
- serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init (git-fixes).
- serial_core: Check for port state when tty is in error state (git-fixes).
- SMB3: Honor 'handletimeout' flag for multiuser mounts (bsc#1176558).
- SMB3: Honor 'posix' flag for multiuser mounts (bsc#1176559).
- SMB3: Honor lease disabling for multiuser mounts (git-fixes).
- soc/tegra: fuse: Fix index bug in get_process_id (git-fixes).
- soc: imx: gpc: fix power up sequencing (git-fixes).
- soc: mediatek: Check if power domains can be powered on at boot time (git-fixes).
- soc: qcom: smp2p: Safely acquire spinlock without IRQs (git-fixes).
- soc: ti: Fix reference imbalance in knav_dma_probe (git-fixes).
- soc: ti: knav_qmss: fix reference leak in knav_queue_probe (git-fixes).
- spi: Add call to spi_slave_abort() function when spidev driver is released (git-fixes).
- spi: bcm63xx-hsspi: fix missing clk_disable_unprepare() on error in bcm63xx_hsspi_resume (git-fixes).
- spi: davinci: Fix use-after-free on unbind (git-fixes).
- spi: dw: Enable interrupts in accordance with DMA xfer mode (git-fixes).
- spi: dw: Fix Rx-only DMA transfers (git-fixes).
- spi: dw: Return any value retrieved from the dma_transfer callback (git-fixes).
- spi: Fix memory leak on splited transfers (git-fixes).
- spi: img-spfi: fix potential double release (git-fixes).
- spi: img-spfi: fix reference leak in img_spfi_resume (git-fixes).
- spi: pic32: Do not leak DMA channels in probe error path (git-fixes).
- spi: pxa2xx: Add missed security checks (git-fixes).
- spi: spi-cavium-thunderx: Add missing pci_release_regions() (git-fixes).
- spi: spi-loopback-test: Fix out-of-bounds read (git-fixes).
- spi: spi-mem: Fix passing zero to 'PTR_ERR' warning (git-fixes).
- spi: spi-mem: fix reference leak in spi_mem_access_start (git-fixes).
- spi: spi-ti-qspi: fix reference leak in ti_qspi_setup (git-fixes).
- spi: spidev: fix a potential use-after-free in spidev_release() (git-fixes).
- spi: st-ssc4: add missed pm_runtime_disable (git-fixes).
- spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path (git-fixes).
- spi: tegra114: fix reference leak in tegra spi ops (git-fixes).
- spi: tegra20-sflash: fix reference leak in tegra_sflash_resume (git-fixes).
- spi: tegra20-slink: add missed clk_unprepare (git-fixes).
- spi: tegra20-slink: fix reference leak in slink ops of tegra20 (git-fixes).
- splice: only read in as much information as there is pipe buffer space (bsc#1179520).
- staging: comedi: check validity of wMaxPacketSize of usb endpoints found (git-fixes).
- staging: comedi: gsc_hpdi: check dma_alloc_coherent() return value (git-fixes).
- staging: comedi: mf6x4: Fix AI end-of-conversion detection (git-fixes).
- staging: olpc_dcon: add a missing dependency (git-fixes).
- staging: olpc_dcon: Do not call platform_device_unregister() in dcon_probe() (git-fixes).
- staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 (git-fixes).
- staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 (git-fixes).
- staging: rtl8188eu: fix possible null dereference (git-fixes).
- staging: rtl8192u: fix multiple memory leaks on error path (git-fixes).
- staging: vt6656: set usb_set_intfdata on driver fail (git-fixes).
- staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() (git-fixes).
- staging: wlan-ng: properly check endpoint types (git-fixes).
- sunrpc: fix copying of multiple pages in gss_read_proxy_verf() (bsc#1103992).
- sunrpc: fixed rollback in rpc_gssd_dummy_populate() (git-fixes).
- sunrpc: Properly set the @subbuf parameter of xdr_buf_subsegment() (git-fixes).
- sunrpc: The RDMA back channel mustn't disappear while requests are outstanding (git-fixes).
- svcrdma: fix bounce buffers for unaligned offsets and multiple pages (bsc#1103992).
- svcrdma: Fix page leak in svc_rdma_recv_read_chunk() (bsc#1103992).
- tcp: Set INET_ECN_xmit configuration in tcp_reinit_congestion_control (bsc#1109837).
- thunderbolt: Use 32-bit writes when writing ring producer/consumer (git-fixes).
- timer: Fix wheel index calculation on last level (git fixes)
- timer: Prevent base->clk from moving backward (git-fixes)
- tracing: Fix out of bounds write in get_trace_buf (bsc#1179403).
- tty: always relink the port (git-fixes).
- tty: Fix ->pgrp locking in tiocspgrp() (git-fixes).
- tty: link tty and port before configuring it as console (git-fixes).
- tty: synclink_gt: Adjust indentation in several functions (git-fixes).
- tty: synclinkmp: Adjust indentation in several functions (git-fixes).
- tty:serial:mvebu-uart:fix a wrong return (git-fixes).
- uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define (git-fixes).
- uapi/if_ether.h: prevent redefinition of struct ethhdr (git-fixes).
- usb: add RESET_RESUME quirk for Snapscan 1212 (git-fixes).
- usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul (git-fixes).
- usb: dummy-hcd: Fix uninitialized array use in init() (git-fixes).
- usb: dwc2: Fix IN FIFO allocation (git-fixes).
- usb: dwc3: remove the call trace of USBx_GFLADJ (git-fixes).
- usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe (git-fixes).
- usb: Fix: Do not skip endpoint descriptors with maxpacket=0 (git-fixes).
- usb: fsl: Check memory resource before releasing it (git-fixes).
- usb: gadget: composite: Fix possible double free memory bug (git-fixes).
- usb: gadget: configfs: fix concurrent issue between composite APIs (git-fixes).
- usb: gadget: configfs: Fix missing spin_lock_init() (git-fixes).
- usb: gadget: f_acm: add support for SuperSpeed Plus (git-fixes).
- usb: gadget: f_fs: Use local copy of descriptors for userspace copy (git-fixes).
- usb: gadget: f_midi: setup SuperSpeed Plus descriptors (git-fixes).
- usb: gadget: f_rndis: fix bitrate for SuperSpeed and above (git-fixes).
- usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags (git-fixes).
- usb: gadget: fix wrong endpoint desc (git-fixes).
- usb: gadget: goku_udc: fix potential crashes in probe (git-fixes).
- usb: gadget: net2280: fix memory leak on probe error handling paths (git-fixes).
- usb: gadget: serial: fix Tx stall after buffer overflow (git-fixes).
- usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe() (git-fixes).
- usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init() (git-fixes).
- usb: hso: Fix debug compile warning on sparc32 (git-fixes).
- usb: ldusb: use unsigned size format specifiers (git-fixes).
- usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue (git-fixes).
- usb: oxu210hp-hcd: Fix memory leak in oxu_create (git-fixes).
- usb: serial: ch341: add new Product ID for CH341A (git-fixes).
- usb: serial: ch341: sort device-id entries (git-fixes).
- usb: serial: digi_acceleport: clean up modem-control handling (git-fixes).
- usb: serial: digi_acceleport: clean up set_termios (git-fixes).
- usb: serial: digi_acceleport: fix write-wakeup deadlocks (git-fixes).
- usb: serial: digi_acceleport: remove in_interrupt() usage.
- usb: serial: digi_acceleport: remove redundant assignment to pointer priv (git-fixes).
- usb: serial: digi_acceleport: rename tty flag variable (git-fixes).
- usb: serial: digi_acceleport: use irqsave() in USB's complete callback (git-fixes).
- usb: serial: keyspan_pda: fix dropped unthrottle interrupts (git-fixes).
- usb: serial: keyspan_pda: fix stalled writes (git-fixes).
- usb: serial: keyspan_pda: fix tx-unthrottle use-after-free (git-fixes).
- usb: serial: keyspan_pda: fix write deadlock (git-fixes).
- usb: serial: keyspan_pda: fix write unthrottling (git-fixes).
- usb: serial: keyspan_pda: fix write-wakeup use-after-free (git-fixes).
- usb: serial: kl5kusb105: fix memleak on open (git-fixes).
- usb: serial: mos7720: fix parallel-port state restore (git-fixes).
- usb: serial: option: add Fibocom NL668 variants (git-fixes).
- usb: serial: option: add interface-number sanity check to flag handling (git-fixes).
- usb: serial: option: add support for Thales Cinterion EXS82 (git-fixes).
- usb: serial: option: fix Quectel BG96 matching (git-fixes).
- usb: Skip endpoints with 0 maxpacket length (git-fixes).
- usb: UAS: introduce a quirk to set no_write_same (git-fixes).
- usb: usbfs: Suppress problematic bind and unbind uevents (git-fixes).
- usblp: poison URBs upon disconnect (git-fixes).
- usbnet: ipheth: fix connectivity with iOS 14 (git-fixes).
- usermodehelper: reset umask to default before executing user process (bsc#1179406).
- video: fbdev: neofb: fix memory leak in neo_scan_monitor() (git-fixes).
- vt: do not hardcode the mem allocation upper bound (git-fixes).
- vt: Reject zero-sized screen buffer size (git-fixes).
- watchdog: coh901327: add COMMON_CLK dependency (git-fixes).
- watchdog: da9062: do not ping the hw during stop() (git-fixes).
- watchdog: da9062: No need to ping manually before setting timeout (git-fixes).
- watchdog: qcom: Avoid context switch in restart handler (git-fixes).
- watchdog: sirfsoc: Add missing dependency on HAS_IOMEM (git-fixes).
- wimax: fix duplicate initializer warning (git-fixes).
- wireless: Use linux/stddef.h instead of stddef.h (git-fixes).
- wireless: Use offsetof instead of custom macro (git-fixes).
- x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz (bsc#1112178).
- x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes (bsc#1112178).
- x86/mm/ident_map: Check for errors from ident_pud_init() (bsc#1112178).
- x86/mm/mem_encrypt: Fix definition of PMD_FLAGS_DEC_WP (bsc#1112178).
- x86/resctrl: Add necessary kernfs_put() calls to prevent refcount leak (bsc#1112178).
- x86/resctrl: Fix AMD L3 QOS CDP enable/disable (bsc#1114648).
- x86/resctrl: Fix incorrect local bandwidth when mba_sc is enabled (bsc#1112178).
- x86/resctrl: Remove superfluous kernfs_get() calls to prevent refcount leak (bsc#1112178).
- x86/resctrl: Remove unused struct mbm_state::chunks_bw (bsc#1112178).
- x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb (bsc#1112178).
- x86/tracing: Introduce a static key for exception tracing (bsc#1179895).
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes (bsc#1112178).
- xhci: Give USB2 ports time to enter U3 in bus suspend (git-fixes).
- xprtrdma: fix incorrect header size calculations (git-fixes).


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.9 2021-01-15T16:40:18

-----------------------------------------
Patch: SUSE-2021-136
Released: Fri Jan 15 10:33:38 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.10 2021-01-16T07:40:32

-----------------------------------------
Patch: SUSE-2020-926
Released: Mon Apr  6 11:13:57 2020
Summary: Initial release of python3-requests
Severity: low
References: 1064441
Description:
This update adds python3-requests to SUSE Linux Enterprise 12-SP2 and 12-SP3.


-----------------------------------------
Patch: SUSE-2021-146
Released: Fri Jan 15 16:59:48 2021
Summary: Recommended update for pam-modules
Severity: low
References: 1070595
Description:

This update for pam-modules provides the following fix:

- Fix the fail delay when entering wrong password. (bsc#1070595)


-----------------------------------------
Patch: SUSE-2021-148
Released: Fri Jan 15 17:00:15 2021
Summary: Recommended update for cloud-init, python-pyserial
Severity: important
References: 1174443,1174444,1177526,1178029,1179150,1179151,1180176
Description:
This update for cloud-init, python-pyserial contains the following fixes:

Update from python-pyserial:

- Setup single spec build (jsc#PM-2335)

Update from cloud-init from 19.4 to 20.2:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations
    error to make gateway comparison between subnet configuration and
    route configuration valuable rather than self-comparing.

- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some test for mock version compatibility

- Add wget as a requirement (bsc#1178029)
  + wget is used in the CloudStack data source

- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)
  + Properly set the password for the default user in all circumstances

- Patch the full package version into the cloud-init version file

- Update cloud-init-write-routes.patch (bsc#1177526)
  + Fix missing default route when dual stack network setup is used. Once
    a default route was configured for Ipv6 or IPv4 the default route
    configuration for the othre protocol was skipped.

- Update cloud-init-write-routes.patch (bsc#1177526)
  + Avoid exception if no gateway information is present and warning
    is triggered for existing routing.

- Update to version 20.2 (bsc#1174443, bsc#1174444)
  + Remove patches included upstream:
    - 0001-Make-tests-work-with-Python-3.8-139.patch
    - cloud-init-ostack-metadat-dencode.patch
    - cloud-init-use-different-random-src.diff
    - cloud-init-long-pass.patch
    - cloud-init-mix-static-dhcp.patch
    + Remove patches build switched to Python 3 for all distributions. (jsc#PM-2335)
    - cloud-init-python2-sigpipe.patch
    - cloud-init-template-py2.patch
  + Add
    - cloud-init-after-kvp.diff
    - cloud-init-recognize-hpc.patch
  + doc/format: reference make-mime.py instead of an inline script (#334)
  + Add docs about  creating parent folders (#330) [Adrian Wilkins]
  + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)
  + schema: ignore spurious pylint error (#332)
  + schema: add json schema for write_files module (#152)
  + BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder]
  + nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder]
  + cloudinit: drop dependencies on unittest2 and contextlib2 (#322)
  + distros: handle a potential mirror filtering error case (#328)
  + log: remove unnecessary import fallback logic (#327)
  + .travis.yml: don't run integration test on ubuntu/* branches (#321)
  + More unit test documentation (#314)
  + conftest: introduce disable_subp_usage autouse fixture (#304)
  + YAML align indent sizes for docs readability  (#323) [Tak Nishigori]
  + network_state: add missing space to log message (#325)
  + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)
  + test_mounts: expand happy path test for both happy paths (#319)
  + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)
  + swap file 'size' being used before checked if str (#315) [Eduardo Otubo]
  + HACKING.rst: add pytest version gotchas section (#311)
  + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]
  + readme: OpenBSD is now supported (#309) [Goneri Le Bouder]
  + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)
  + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)
  + openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder]
  + tools/.github-cla-signers: add beezly as CLA signer (#301)
  + util: remove unnecessary lru_cache import fallback (#299)
  + HACKING.rst: reorganise/update CLA signature info (#297)
  + distros: drop leading/trailing hyphens from mirror URL labels (#296)
  + HACKING.rst: add note about variable annotations (#295)
  + CiTestCase: stop using and remove sys_exit helper (#283)
  + distros: replace invalid characters in mirror URLs with hyphens (#291)
    (LP: #1868232)
  + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]
  + Fix cloud-init ignoring some misdeclared mimetypes in user-data.
    [Kurt Garloff]
  + net: ubuntu focal prioritize netplan over eni even if both present
    (#267) (LP: #1867029)
  + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)
  + net/cmdline: replace type comments with annotations (#294)
  + HACKING.rst: add Type Annotations design section (#293)
  + net: introduce is_ip_address function (#288)
  + CiTestCase: remove now-unneeded parse_and_read helper method (#286)
  + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)
  + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)
  + setup.py: drop NIH check_output implementation (#282)
  + Identify SAP Converged Cloud as OpenStack [Silvio Knizek]
  + add Openbsd support (#147) [Goneri Le Bouder]
  + HACKING.rst: add examples of the two test class types (#278)
  + VMWware: support to update guest info gc status if enabled (#261)
    [xiaofengw-vmware]
  + Add lp-to-git mapping for kgarloff (#279)
  + set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder]
  + HACKING.rst: add Unit Testing design section (#277)
  + util: read_cc_from_cmdline handle urlencoded yaml content (#275)
  + distros/tests/test_init: add tests for _get_package_mirror_info (#272)
  + HACKING.rst: add links to new Code Review Process doc (#276)
  + freebsd: ensure package update works (#273) [Goneri Le Bouder]
  + doc: introduce Code Review Process documentation (#160)
  + tools: use python3 (#274)
  + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)
  + cc_apt_configure/util: combine search_for_mirror implementations (#271)
  + bsd: boottime does not depend on the libc soname (#269)
    [Goneri Le Bouder]
  + test_oracle,DataSourceOracle: sort imports (#266)
  + DataSourceOracle: update .network_config docstring (#257)
  + cloudinit/tests: remove unneeded with_logs configuration (#263)
  + .travis.yml: drop stale comment (#255)
  + .gitignore: add more common directories (#258)
  + ec2: render network on all NICs and add secondary IPs as static (#114)
    (LP: #1866930)
  + ec2 json validation: fix the reference to the 'merged_cfg' key (#256)
    [Paride Legovini]
  + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]
  + cloudinit: remove six from packaging/tooling (#253)
  + util/netbsd: drop six usage (#252)
  + workflows: introduce stale pull request workflow (#125)
  + cc_resolv_conf: introduce tests and stabilise output across Python
    versions (#251)
  + fix minor issue with resolv_conf template (#144) [andreaf74]
  + doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder]
  + Add Netbsd support (#62) [Goneri Le Bouder]
  + tox.ini: avoid substition syntax that causes a traceback on xenial (#245)
  + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]
  + Introduce and use of a list of GitHub usernames that have signed CLA
    (#244)
  + workflows/cla.yml: use correct username for CLA check (#243)
  + tox.ini: use xenial version of jsonpatch in CI (#242)
  + workflows: CLA validation altered to fail status on pull_request (#164)
  + tox.ini: bump pyflakes version to 2.1.1 (#239)
  + cloudinit: move to pytest for running tests (#211)
  + instance-data: add cloud-init merged_cfg and sys_info keys to json
    (#214) (LP: #1865969)
  + ec2: Do not fallback to IMDSv1 on EC2 (#216)
  + instance-data: write redacted cfg to instance-data.json (#233)
    (LP: #1865947)
  + net: support network-config:disabled on the kernel commandline (#232)
    (LP: #1862702)
  + ec2: only redact token request headers in logs, avoid altering request
    (#230) (LP: #1865882)
  + docs: typo fixed: dta → data [Alexey Vazhnov]
  + Fixes typo on Amazon Web Services (#217) [Nick Wales]
  + Fix docs for OpenStack DMI Asset Tag (#228)
    [Mark T. Voelker] (LP: #1669875)
  + Add physical network type: cascading to openstack helpers (#200)
    [sab-systems]
  + tests: add focal integration tests for ubuntu (#225)
- From 20.1 (first vesrion after 19.4)
  + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
    (LP: #1863943)
  + utils: use SystemRandom when generating random password. (#204)
    [Dimitri John Ledkov]
  + docs: mount_default_files is a list of 6 items, not 7 (#212)
  + azurecloud: fix issues with instances not starting (#205) (LP: #1861921)
  + unittest: fix stderr leak in cc_set_password random unittest
    output. (#208)
  + cc_disk_setup: add swap filesystem force flag (#207)
  + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]
  + docs: fix typo (#195) [Edwin Kofler]
  + sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
    [Robert Schweikert] (LP: #1800854)
  + cloudinit: replace 'from six import X' imports (except in util.py) (#183)
  + run-container: use 'test -n' instead of 'test ! -z' (#202)
    [Paride Legovini]
  + net/cmdline: correctly handle static ip= config (#201)
    [Dimitri John Ledkov] (LP: #1861412)
  + Replace mock library with unittest.mock (#186)
  + HACKING.rst: update CLA link (#199)
  + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
    [Louis Bouchard]
  + cloudinit/cmd/devel/net_convert.py: add missing space (#191)
  + tools/run-container: drop support for python2 (#192) [Paride Legovini]
  + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
  + Make the RPM build use Python 3 (#190) [Paride Legovini]
  + cc_set_password: increase random pwlength from 9 to 20 (#189)
    (LP: #1860795)
  + .travis.yml: use correct Python version for xenial tests (#185)
  + cloudinit: remove ImportError handling for mock imports (#182)
  + Do not use fallocate in swap file creation on xfs. (#70)
    [Eduardo Otubo] (LP: #1781781)
  + .readthedocs.yaml: install cloud-init when building docs (#181)
    (LP: #1860450)
  + Introduce an RTD config file, and pin the Sphinx version to the RTD
    default (#180)
  + Drop most of the remaining use of six (#179)
  + Start removing dependency on six (#178)
  + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
  + docs: add proposed SRU testing procedure (#167)
  + util: rename get_architecture to get_dpkg_architecture (#173)
  + Ensure util.get_architecture() runs only once (#172)
  + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]
  + freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder]
  + ssh_auth_key_fingerprints_disable test: fix capitalization (#165)
    [Paride Legovini]
  + util: move uptime's else branch into its own boottime function (#53)
    [Igor Galić] (LP: #1853160)
  + workflows: add contributor license agreement checker (#155)
  + net: fix rendering of 'static6' in network config (#77) (LP: #1850988)
  + Make tests work with Python 3.8 (#139) [Conrad Hoffmann]
  + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]
  + freebsd: fix create_group() cmd (#146) [Goneri Le Bouder]
  + doc: make apt_update example consistent (#154)
  + doc: add modules page toc with links (#153) (LP: #1852456)
  + Add support for the amazon variant in cloud.cfg.tmpl (#119)
    [Frederick Lefebvre]
  + ci: remove Python 2.7 from CI runs (#137)
  + modules: drop cc_snap_config config module (#134)
  + migrate-lp-user-to-github: ensure Launchpad repo exists (#136)
  + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]
  + doc: update cc_set_hostname frequency and descrip (#109)
    [Joshua Powers] (LP: #1827021)
  + freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder]
  + cc_snappy: remove deprecated module (#127)
  + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)
  + freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder]
  + cloud-init: fix capitalisation of SSH (#126)
  + doc: update cc_ssh clarify host and auth keys
    [Joshua Powers] (LP: #1827021)
  + ci: emit names of tests run in Travis (#120)
- Disable testing to aid elimination of unittest2 in Factory
  

-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.16 2021-01-23T09:27:52

-----------------------------------------
Patch: SUSE-2021-161
Released: Mon Jan 18 20:03:25 2021
Summary: Recommended update for libnl3
Severity: low
References: 1025043
Description:
This update for libnl3 fixes the following issues:

- IPv6 privacy extension of NetworkManager was not working. (bsc#1025043)


-----------------------------------------
Patch: SUSE-2021-168
Released: Tue Jan 19 14:58:17 2021
Summary: Recommended update for mdadm
Severity: moderate
References: 1177144
Description:
This update for mdadm fixes the following issues:
	  
- Fixed mount issues with arrays by rolling back to SLE-12 SP2. (bsc#1177144)


-----------------------------------------
Patch: SUSE-2021-187
Released: Fri Jan 22 07:43:56 2021
Summary: Recommended update for fence-agents
Severity: important
References: 1178343
Description:
This update for fence-agents fixes the following issues:

- Fixes a regression which broke fencing in GCE (bsc#1178343)


-----------------------------------------
Patch: SUSE-2021-192
Released: Fri Jan 22 10:36:44 2021
Summary: Security update for hawk2
Severity: critical
References: 1179998,CVE-2020-35458
Description:
This update for hawk2 fixes the following issues:

hawk2 was updated to version 2.5.

Security issue fixed:

- Fixed another possible code execution vulnerability in the controller code (bsc#1179998).


-----------------------------------------
Patch: SUSE-2021-196
Released: Fri Jan 22 15:17:30 2021
Summary: Security update for mutt
Severity: moderate
References: 1181221,CVE-2021-3181
Description:
This update for mutt fixes the following issue:

- CVE-2021-3181: Fixed a memory leak in recipient parsing (bsc#1181221).


-----------------------------------------
Version 1.0.8-SAP-BYOS-Build1.19 2021-01-27T07:39:55

-----------------------------------------
Patch: SUSE-2021-214
Released: Tue Jan 26 09:02:06 2021
Summary: Recommended update for resource-agents
Severity: moderate
References: 1179977
Description:
This update for resource-agents fixes the following issues:

- A bug was fixed where the stop operation failed if /root/.profile has unexpected content (bsc#1179977)


-----------------------------------------
Patch: SUSE-2021-216
Released: Tue Jan 26 12:03:49 2021
Summary: Recommended update for fence-agents
Severity: important
References: 1178343
Description:
This update for fence-agents fixes the following issues:

- Update to version 4.7.0+git.1607346448.17bd8552:
  * fence_mpath, fence_scsi: Improve logging for failed res/key get
  * fence_mpath, fence_scsi: Capture stderr in run_cmd()
  * build: depend on config changes to rebuild when running make after running ./configure
  * fence_redfish: Fix typo in help.
  * fence_aws: add support for IMDSv2
  * spec: add pkg-config file, and set version for obsoletes to avoid failing to build on Fedora 33
  * Add pkg-config file
  * fence_scsi: dont write key to device if it's already registered, and open file correctly to avoid using regex against end-of-file
  * fencing: fix run_command() to allow timeout=0 to mean forever
  * fencing: fix to make timeout(s)=0 be treated as forever for agents using pexpect

- Fix a regression which broke fencing in GCE. [bsc#1178343]


-----------------------------------------
Patch: SUSE-2021-219
Released: Tue Jan 26 12:21:31 2021
Summary: Recommended update for logrotate
Severity: moderate
References: 1179189
Description:
This update for logrotate fixes the following issues:

- Fix for an issue when the service failed to start due to false alarm when using 'su' and compress. (bsc#1179189)


-----------------------------------------
Patch: SUSE-2021-225
Released: Tue Jan 26 19:20:09 2021
Summary: Security update for sudo
Severity: important
References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
Description:
This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges 
  [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685,
  CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.1 2021-01-29T07:41:39

-----------------------------------------
Patch: SUSE-2017-401
Released: Fri Mar 17 12:17:06 2017
Summary: Initial release of amazon-ssm-agent
Severity: low
References: 1017899
Description:

This update adds amazon-ssm-agent to the Public Cloud Module 12.

This package provides the Amazon SSM Agent for managing EC2 Instances using
Amazon EC2 Systems Manager (SSM).

The SSM Agent runs on EC2 or on-premise instances and enables you to quickly
and easily execute remote commands or scripts against one or more instances.
When you execute a command, the agent on the instance processes the document
and configures the instance as specified.

This collection of capabilities helps you automate management tasks such as
collecting system inventory, applying operating system (OS) patches, automating
the creation of Amazon Machine Images (AMIs), and configuring operating systems
(OSs) and applications at scale. Systems Manager works with managed instances:
Amazon EC2 instances, or servers and virtual machines (VMs) in your on-premises
environment that are configured for Systems Manager.


-----------------------------------------
Patch: SUSE-2017-1152
Released: Fri Jul 14 12:35:44 2017
Summary: Recommended update for amazon-ssm-agent
Severity: low
References: 1047581
Description:
This update for amazon-ssm-agent provides version 2.0.790.0 and brings the following fixes and
improvements:

- Added support for step-level preconditions.
- Added support for rate/interval based schedule expressions for associations.
- Added Summary and PackageID fields to inventory's aws:application gatherer.
- Changed inventory's aws:application gatherer to use win32_processor: addressWidth to detect OS architecture to avoid
  localization based errors.
- Fixed CloudWatch issue with large configuration.
- Fixed S3 upload when instance and bucket are not in the same region.
- Fixed bug that prevented native language AMIs (Japanese AMI) from launching Cloudwatch.
- Returning longer StandardOutput and StandardError from RunShellScript and RunPowerShellScript which show up in the
  results of GetCommandInvocation and the detailed output of ListCommandInvocation.
- Added Document v2.0 support for Run Command, which includes support for multiple actions of same plugin type.
- Fixed issues with agent starting before network is ready on systemd systems.
- Pass proxy settings to domain join and CloudWatch.
- Added support for installing Docker on Linux.
- Removed the upper limit for the maximum number of parallel executing documents on the agent.
  (previously the max was 10)
  + You can configure this number by setting the 'CommandWorkerLimit' attribute in amazon-ssm-agent.json file.
- Added bucket-owner-full-control ACL to S3 outputs to support cross-account upload.
- Standardized S3 result paths across plugins; commands append command-id/instance-id/plugin-name/step-id associations
  append instance-id/association-id/execution-date/plugin-name/step-id.
  + step-id is the id field in plugin input if present and supported, otherwise the step name (in 2.0 schema 
  documents), otherwise the plugin-name again.
  + plugin-name and step-id have : characters removed.
- Various other bug fixes


-----------------------------------------
Patch: SUSE-2017-1421
Released: Wed Aug 30 18:23:28 2017
Summary: Recommended update for amazon-ssm-agent
Severity: low
References: 1055766
Description:
This update for amazon-ssm-agent provides version 2.0.922.0 and brings the following fixes and improvements:

- Added ssm-cli binary.
- Removed requirement on lsb-release. Agent now parses os-release by default.
- Added Raspbian support for armv6 to support Raspberry Pi
- Increased run command document maximum execution timeout to 48 hours.
- Added support for uploading agent logs to CloudWatch for SSM Agent diagnostics.
- Added additional gatherers for inventory.
- Added configuration compliance support for association.
- Added capability to configure custom s3 endpoint for the agent.
- Added rollback support in aws:configurePackage.
- Added support for SLES. (64-bit, v12 and above)
- Linux platform version now based on os-release when available.
- Various additional bug fixes.


-----------------------------------------
Patch: SUSE-2017-2025
Released: Fri Dec  8 13:01:25 2017
Summary: Recommended update for amazon-ssm-agent
Severity: low
References: 1067256
Description:
This update for amazon-ssm-agent provides version 2.2.45.0 and brings the following fixes and improvements:

- Added versioning support for Parameter Store.
- Added additional gatherers for inventory, including windows service gatherer, windows registry gatherer, file
  metadata gatherer, windows role gatherer.
- Added support for aws:downloadContent plugin to download content from GitHub, S3 and documents from SSM documents.
- Added support for aws:runDocument plugin to execute SSM documents.
- Improved speed of initial association application on boot.
- Various aws:configurePackage service integration changes.
- Improved home directory detection in non-x64 linux platforms to address cases where shared AWS SDK credentials were
  not available in on-prem instances.
- Added exponential backoff in bucket region check for s3 upload.
- Fixed an issue with orchestration directory cleanup for RunCommand.
- Support for command execution out-of-process

-----------------------------------------
Patch: SUSE-2018-990
Released: Mon May 28 11:24:51 2018
Summary: Recommended update for amazon-ssm-agent
Severity: moderate
References: 1085670
Description:
This update for amazon-ssm-agent to version 2.2.325.0 (bsc#1085670) provides
the following fixes:

- Change the default sourceHashType to be sha256 on psmodule.
- Fix an issue that can prevent the agent from processing associations after a restart.
- Execute 'pwsh' on linux when using runPowershellScript plugin.
- Update to latest AWS SDK.
- Switching to use Birdwatcher distribution service for AWS packages.


-----------------------------------------
Patch: SUSE-2018-2386
Released: Tue Oct 23 10:36:51 2018
Summary: Recommended update for amazon-ssm-agent
Severity: moderate
References: 1108265
Description:
This update for amazon-ssm-agent provides version 2.3.50.0 and fixes the following issues:

- Enables the Session Manager capability that lets you manage
  your Amazon EC2 instance through an interactive one-click
  browser-based shell or through the AWS CLI.
- Beginning this agent version, SSM Agent will create a local
  user 'ssm-user' and add it to /etc/sudoers (Linux) every time
  the agent starts. The ssm-user is the default OS user when a
  Session Manager session is started, and the password for this
  user is reset on every session. You can change the permissions
  by moving the ssm-user to a less-privileged group or by
  changing the sudoers file. The ssm-user is not removed from the
  system when SSM Agent is uninstalled.
- Retry sending Run Command execution results for up to 2 hours.
- More detailed error messages are returned for inventory plugin
  failures during State Manager association executions.
- Bug fix to clean the orchestration directory.
- Streaming AWS Systems Manager Run Command output to CloudWatch Logs.
- Reducing number of retries for serial port opening.
- Add retry logic to installation verification.
- Bug fix to retry sending document results if they couldn't reach the
  service.
- Bug fix so that aws:downloadContent does not change permissions of
  directories.
- Bug fix to Cloudwatch plugin where StartType has duplicated Enabled
  value.
- Added support for agent hibernation so that Agent backs off or enters
  hibernation mode if it does not have access to the service.
- Fix S3Download to download from cross regions.

-----------------------------------------
Patch: SUSE-2020-1406
Released: Mon May 25 15:54:43 2020
Summary: Recommended update for amazon-ssm-agent
Severity: moderate
References: 1170744
Description:
This update for amazon-ssm-agent fixes the following issues:

- Update to 2.3.978.0 (2020-04-08) (bsc#1170744)
  + Stop pty on receiving TerminateSession request
  + Add support for Debian arm64 architecture
  + Refactoring session log generation logic
- Update to 2.3.930.0  (2020-03-17)
  + Bug fix for CloudWatch agent version showing twice in Inventory console
  + Bug fix for retrieving minor version for CentOS7
  + Add snap appData collection for inventory in ubuntu 18
  + Add validation for contents of os release files
  + Add retry for fingerprint generation
- Update to 2.3.871.0 (2020-02-20)
  + Various bug fix for SSM Agent
- Update to 2.3.842.0 (2020-01-29)
  + Bug fix for updating document state file prior agent reboot
  + Add support to restart agent after SIGPIPE exit status
- Update to 2.3.814.0 (2020-01-16)
  + Bug fix for metadata service V2
  + Update Golang version 1.12 for travis
  + Optimize session manager retry logic 
- Update to 2.3.786.0 (2019-12-19)
  + Add support for Oracle Linux v7.5 and v7.7
  + Bug fix for Inventory data provider to support special characters
  + Bug fix for SSM MDS service name
- Update to 2.3.772.0 (2019-12-13)
  + Upgrade AWS SDK
  + Add logging for fingerprint generation
- Update to 2.3.760.0 (2019-11-15)
  + Session manager supports handling of Task metadata
- Update to 2.3.758.0 (2019-11-11)
  + Add support to update SSM Distributor packages in place
- Update to 2.3.756.0 (2019-11-05)
  + Terminate port forwarding session on receiving TerminateSession flag
  + Bug fix to reload SSM client if region has not been initialize correctly
  + Bug fix for retrieval of user groups on Linux 
- Update to 2.3.722.0 (2019-10-11)
  + Bug fix for the delay when registering non-EC2 on-prem instances
  + Bug fix for missing ACL when uploading logs to S3 buckets
  + Upgrade GoLang version from 1.9 to 1.12
- Update to 2.3.714.0 (2019-09-26)
  + For port forwarding session, close server connection when client drops it's connection
  + Bug fix for missing condition of rules from inventory registry
  + Update service domain information fetch logic from EC2 Metadata
- Update to 2.3.707.0 (2019-09-11)
  + Bug fix for characters dropping from session manager shell output 
  + Bug fix for session manager freezing caused by non utf8 character
  + Switch the request protocol order for getting S3 Header
  + Keep port forwarding session open until session is terminated
- Update to 2.3.701.0 (2019-08-21)
  + Send platform type information in controlChannel input 
- Update to 2.3.687.0 (2019-08-05)
  + Bug fix for runPowershellScript plugin on linux platform
  + Add support for document 2.x version to ssm-cli 
- Update to 2.3.680.0 (2019-07-24)
  + Added a new Inventory gatherer AWS:BillingInfo which will gather the billing product ids for LicenseIncluded and Marketplace instance
- Update to 2.3.672.0 (2019-07-09)
  + Add Port plugin for SSH/SCP
  + Add support for Session Manager RunAs functionality on Linux platform
- Update to 2.3.668.0 (2019-07-01)
  + Add Session Manager InteractiveCommands plugin	
  + Bug fix for log formatting issue for session manager
- Update to 2.3.662.0 (2019-06-19)
  + Bug fix for Session Manager when handling line endings on Windows platform
  + Bug fix for token validation for aws:downloadContent plugin
  + Check if log group exists before uploading Session Manager logs to CloudWatch
  + Bug fix for broken S3 urls when using custom documents
- Update to 2.3.634.0 (2019-05-28)
  + Disable appconfig to load credential from specific profile path, add EC2 credentials as the default fallback
  + Remove sudoers file creation logic if ssm-user already exists
  + Enable supplementary groups for ssm-user on Linux
- Update to 2.3.612.0 (2019-05-08)
  + Bug fix for UTF-8 encoded issue caused by locale activation on Ubuntu 16.04 instance
  + Refactor ssm-user creation logic
  + Bug fix for reporting IP address with wrong network interface
  + Update configure package document arn pattern
- Update to 2.3.542.0 (2019-04-18)
  + Bug fix for on-premises instance registration in CN region
- Update to 2.3.539.0 (2019-04-04)
  + Add support for further encryption of session data using AWS KMS
  + Bug fix for excessive instance-id fetching by document workers
- Update to 2.3.479.0 (2019-03-06)
  + Bug fix for downloading content failure caused by wrong S3 endpoint
  + Bug fix for reboot failure caused by session manager panic
  + Bug fix for session manager shell output dropping character
  + Bug fix for mgs endpoint configuration consistency
- Update to 2.3.444.0 (2019-02-10)
  + Updates to UpdateInstanceInformation call, Windows initialization
- Update to 2.3.415.0 (2019-01-25)
  + Bug fix addressing issues in Distributor package upgrade
- Update to 2.3.372.0 (2019-01-08)
  + Bug fix to allow installation of Distributor packages that do
    not have a version name.
  + Bug fix for agent crash with message 'WaitGroup is reused
    before previous Wait has returned'.
- Update to 2.3.344.0 (2018-12-14)
  + Add frequent collector to detect changed inventory types and
    upload it to SSM service between two scheduled collections.
  + Change AWS Systems Manager Distributor to reduce calls to
    GetDocument by calling DescribeDocument.
  + Add exit code when ssm-cli execution fails.
  + Create ssm-user only after the control channel has been
    successfully created.
- Update to 2.3.274.0 (2018-11-26)
  + Enabled AWS Systems Manager Distributor that lets you securely
    distribute and install software packages.
  + Add support for the arm64 architecture on Amazon Linux 2,
    Ubuntu 16.04/18.04, and RHEL 7.6 to support EC2 A1 instances.
- Update to 2.3.235.0 (2018-10-23)
  + Bug fix for session manager logging on Windows
  + Bug fix for ConfigureCloudWatch plugin
  + Bug fix for update SSM agent occasionally failing due to SSM
    agent service stuck in starting state
- Update to 2.3.193.0 (2018-10-23)
  + Bug fix for past sessions occasionally stuck in terminating
    state
  + Darwin masquerades as Linux to bypass OS validation on the
    backend until official support can be added
- Update to 2.3.169.0 (2018-10-23)
  + Update managed instance role token more frequently
- Update to 2.3.136.0 (2018-10-09)
  + Bug fix for issue that GatherInventory throw out error when
    there is no Windows Update in instance
  + Add more filters when getting the Windows event logs at
    startup to improve performance
  + Add random jitter before call PutInventory in inventory
    datauploader
- Update to 2.3.117.0 (2018-10-02)
  + Bug fix for issues during process termination on instances
    where IAM policy does not grant ssmmessages permissions.
- Update to 2.3.101.0 (2018-10-02)
  + Bug fix to prevent defunct processes when creating the local
    user ssm-user.
  + Bug fix for sudoersFile permission to avoid 'sudo' command
    warnings in Session Manager.
  + Disable hibernation on Windows platform if Cloudwatch
    configuration is present.
- Update to 2.3.68.0 (2018-09-17)
  + Enables the Session Manager capability that lets you manage
    your Amazon EC2 instance through an interactive one-click
    browser-based shell or through the AWS CLI.
  + Beginning this agent version, SSM Agent will create a local
    user 'ssm-user' and either add it to /etc/sudoers (Linux) or
    to the Administrators group (Windows) every time the agent
    starts. The ssm-user is the default OS user when a Session
    Manager session is started, and the password for this user is
    reset on every session. You can change the permissions by
    moving the ssm-user to a less-privileged group or by changing
    the sudoers file. The ssm-user is not removed from the system
    when SSM Agent is uninstalled.
- Add patch to remove unused import
- Build-Depend on pkgconfig(systemd) instead of systemd
  + Allows OBS to depend on the -mini flavors
- Refresh patches for new version


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.3 2021-01-30T07:41:10

-----------------------------------------
Patch: SUSE-2021-244
Released: Fri Jan 29 09:46:42 2021
Summary: Recommended update for openssl-1_0_0
Severity: moderate
References: 1180777,1180959
Description:
This update for openssl-1_0_0 fixes the following issues:

- Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777)
- Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959)


-----------------------------------------
Patch: SUSE-2021-247
Released: Fri Jan 29 16:03:46 2021
Summary: Recommended update for lvm2
Severity: moderate
References: 1177533,1179326
Description:
This update for lvm2 fixes the following issues:

- The destination Logical Volume has a wrong `read_ahead` setting. (bsc#1179326)

  When moving extents from one physical volume to another (`pmove`), the destination Logical Volume (`LV`) has a wrong
  `read_ahead` setting.
- Fix the changelog entry for bsc#1177533


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.5 2021-02-02T07:40:18

-----------------------------------------
Patch: SUSE-2021-256
Released: Mon Feb  1 13:31:40 2021
Summary: Recommended update for crmsh
Severity: moderate
References: 1177023,1180149,1180421,1180424
Description:
This update for crmsh fixes the following issues:

- Fix for an issue when 'cluster-init' fails due to wrong declaration of netmask. (bsc#1180421)
- Fix for crmsh and yast2-cluster by adding '/etc/modules-load.d/watchdog.conf' into corosync config. (bsc#1180424)
- Fix for bootstrap to return more specific error messages. (bsc#1177023)
- Fix for a bootstrap isue when cluster init process not protected by lock and exclude other not joinging. (bsc#1180149)
- Implement to use ping to test host is reachable before joining.
- Check cluster was running on init node.


-----------------------------------------
Patch: SUSE-2021-269
Released: Mon Feb  1 21:03:49 2021
Summary: Recommended update for bind
Severity: moderate
References: 1181372
Description:
This update for bind fixes the following issues:

- Updated named.root (aka /var/lib/named/root.hint) to the newest version available (bsc#1181372)


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.7 2021-02-03T07:40:18

-----------------------------------------
Patch: SUSE-2021-279
Released: Tue Feb  2 09:43:53 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.


-----------------------------------------
Patch: SUSE-2021-286
Released: Tue Feb  2 13:09:24 2021
Summary: Security update for cups
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001
Description:
This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.8 2021-02-04T07:39:31

-----------------------------------------
Patch: SUSE-2021-299
Released: Wed Feb  3 19:51:49 2021
Summary: Security update for python-urllib3
Severity: moderate
References: 1177211,CVE-2020-26116
Description:
This update for python-urllib3 fixes the following issues:

- Raise ValueError if method contains control characters and thus prevents CRLF
  injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,).


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.10 2021-02-09T07:40:23

-----------------------------------------
Patch: SUSE-2021-319
Released: Mon Feb  8 10:29:08 2021
Summary: Recommended update for Salt
Severity: moderate
References: 1083110
Description:
This update fixes the following issues:

salt:

- Revert wrong zypper  patch to support vendorchanges flags on pkg.install
- Adjusted python2-cherrypy naming in salt-api
- Force zyppnotify to prefer Packages.db than Packages if it exists
- Allow vendor change option with zypper
- Add pkg.services_need_restart
- Bigvm backports:
  virt consoles, CPU tuning and topology, and memory tuning.
- Fix for file.check_perms to work with numeric uid/gid
- Change 'Requires(pre)' to 'Requires' for salt-minion package (bsc#1083110)


-----------------------------------------
Patch: SUSE-2021-344
Released: Mon Feb  8 17:41:37 2021
Summary: Security update for python3
Severity: important
References: 1176262,1180686,CVE-2019-20916
Description:
This update for python3 fixes the following issues:

- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).


-----------------------------------------
Version 1.0.9-SAP-BYOS-Build1.12 2021-02-10T07:40:12

-----------------------------------------
Patch: SUSE-2021-349
Released: Tue Feb  9 11:11:14 2021
Summary: Recommended update for sudo
Severity: moderate
References: 1176473
Description:
This update for sudo fixes the following issues:

- Restore 'sudo ldap' behavior to ignore expire dates when 'SUDOERS_TIMED' option is not set in ldap. (bsc#1176473)


-----------------------------------------
Patch: SUSE-2021-353
Released: Tue Feb  9 16:36:55 2021
Summary: Security update for the Linux Kernel
Severity: important
References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176395,1176831,1176846,1178036,1178049,1178631,1178900,1179093,1179508,1179509,1179563,1179573,1179575,1179878,1180008,1180130,1180765,1180812,1180859,1180891,1180912,1181001,1181018,1181170,1181230,1181231,1181349,1181425,1181553,CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347
Description:
The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The following non-security bugs were fixed:

- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: add a flag to iterate_inodes_from_logical to find all
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270 ).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270 ).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279 ).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: 	* context changes
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178) Backporting changes: 	* context changes
- drm/i915: Fix sha_text population code (bsc#1112178) Backporting changes: 	* context changes
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770) Backporting changes: 	* context changes 	* moved num_mixers from struct dpu_crtc_state to struct dpu_crtc
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770) Backporting changes: 	* context changes 	* removed reference to msm_gem_is_locked()
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770) Backporting changes: 	 * context changes
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178) Backporting changes: 	* context changes
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178) Backporting changes: 	* context changes
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001, jsc#ECO-3191).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- module: delay kobject uevent until after module init call (bsc#1178631).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353 ).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error handling for desc filling (bsc#1104353 ).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353 ).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353 ).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353 ).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306 ).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181001, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181001, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001, jsc#ECO-3191).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181001, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).