SUSE Image Update Advisory: ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2020:93-1 Image Tags : Image Release : Severity : important Type : security References : 1001161 1002895 1005023 1005063 1007715 1009532 1013125 1014478 1023308 1027282 1027519 1029377 1029902 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1040164 1042670 1043311 1044232 1044840 1045723 1046681 1047218 1048046 1051143 1051429 1051797 1054413 1058115 1063675 1065270 1065609 1065729 1068716 1068716 1069384 1070853 1071321 1071545 1071995 1072183 1073299 1073313 1073421 1073877 1074971 1076696 1079603 1079761 1080919 1080978 1081326 1081495 1081750 1081947 1081947 1082007 1082008 1082009 1082010 1082011 1082014 1082058 1082293 1082318 1082318 1082318 1082318 1083158 1083507 1084533 1084671 1084812 1084842 1084934 1085030 1085196 1086001 1086185 1087433 1087434 1087436 1087437 1087440 1087441 1087550 1087982 1088004 1088009 1088052 1088234 1088279 1088524 1088573 1089524 1089640 1089761 1089777 1089877 1090767 1090944 1091109 1091265 1091677 1092100 1092877 1092920 1093392 1093617 1093753 1093753 1093851 1093910 1094150 1094154 1094161 1094222 1094225 1094236 1094680 1094814 1094814 1095096 1095661 1095670 1095817 1095973 1096191 1096405 1096406 1096407 1096408 1096515 1096718 1096726 1096745 1096974 1096984 1097073 1097410 1097455 1097643 1098017 1098217 1098569 1098681 1099272 1099277 1099358 1099358 1100077 1100137 1100331 1100396 1100488 1100529 1100687 1100727 1101023 1101040 1101470 1101591 1101797 1102046 1102310 1102522 1102526 1102564 1102840 1102908 1103320 1103320 1104129 1104531 1104700 1104821 1105000 1105031 1105068 1105166 1105396 1105435 1105832 1105849 1106214 1106383 1106390 1106843 1106843 1106873 1107030 1107030 1107066 1107067 1107105 1107238 1107617 1107640 1107941 1108038 1109197 1109252 1109663 1109664 1109847 1110304 1110445 1110700 1111019 1111029 1111388 1111498 1111622 1111973 1112024 1112310 1112461 1112530 1112532 1112570 1112723 1112726 1112928 1112980 1113083 1113313 1113554 1113632 1113665 1113719 1113978 1114135 1114209 1114209 1114407 1114592 1114674 1114675 1114681 1114686 1114832 1114832 1114845 1114933 1114984 1114993 1115245 1115464 1115640 1115750 1115929 1116767 1117025 1117063 1117147 1117267 1117776 1117993 1118086 1118118 1118364 1118367 1118368 1118460 1118462 1118463 1118629 1118897 1118897 1118897 1118897 1118898 1118898 1118898 1118898 1118899 1118899 1118899 1118899 1118990 1119063 1119069 1119069 1119105 1119397 1119634 1119687 1119706 1119971 1120049 1120323 1120346 1120374 1120382 1120402 1120610 1120644 1120644 1120689 1120862 1120967 1121043 1121045 1121197 1121207 1121397 1121412 1121563 1121563 1121624 1121753 1121878 1121967 1121967 1121967 1121967 1122000 1122191 1122191 1122271 1122417 1122469 1122669 1122729 1122983 1123013 1123043 1123333 1123685 1123694 1123710 1123727 1123784 1123892 1123919 1124122 1124153 1124211 1124223 1124308 1124847 1125007 1125306 1125352 1125352 1125410 1125604 1125609 1125623 1125666 1125815 1125886 1125950 1125992 1126056 1126068 1126069 1126096 1126101 1126117 1126118 1126119 1126377 1126590 1127063 1127069 1127223 1127308 1127544 1127557 1127701 1127734 1127838 1127840 1128246 1128323 1128376 1128383 1128746 1128828 1129071 1129124 1129346 1129346 1129576 1129598 1129859 1129914 1130028 1130045 1130230 1130325 1130326 1130496 1130528 1130557 1130611 1130617 1130620 1130622 1130623 1130627 1130840 1130840 1131060 1131314 1131330 1131334 1131482 1131493 1131553 1131686 1132087 1132174 1132323 1132348 1132400 1132663 1132692 1132721 1132865 1132869 1132900 1133185 1133297 1133418 1133452 1133452 1133495 1133506 1133509 1133581 1133773 1133790 1133808 1133844 1134068 1134078 1134193 1134217 1134524 1134599 1134659 1135123 1135254 1135534 1135708 1135709 1136031 1136132 1136184 1136245 1136440 1136440 1136572 1136717 1137053 1137336 1137443 1137624 1137832 1137942 1138201 1138459 1138459 1138666 1138687 1138793 1138869 1138920 1138920 1138939 1139083 1139083 1139459 1139459 1139649 1139937 1139939 1140016 1140565 1140631 1140647 1140844 1140868 1141059 1141093 1141113 1141320 1141322 1141322 1141853 1141853 1141883 1141897 1141969 1142160 1142343 1142413 1142439 1142614 1142649 1142654 1142988 1143055 1143194 1143273 1143349 1143409 1144047 1144363 1144363 1144881 1144881 1145023 1145233 1145622 1145676 1145716 1145802 1146358 1146359 1146853 1146854 1146866 1148244 1148517 1148645 1148868 1148987 1149121 1149121 1149145 1149164 1149332 1149429 1149792 1149792 1149792 1149911 1149955 1149955 1149955 1149995 1150137 1150397 1150451 1150595 1150733 1150895 1151023 1151023 1151377 1151488 1151490 1151490 1151582 1151708 1152101 1152308 1152308 1152472 1152489 1152590 1152692 1152755 1152990 1152992 1152994 1152995 1153098 1153165 1153238 1153238 1153274 1153332 1153332 1153367 1153520 1153533 1153674 1153774 1153936 1154036 1154037 1154092 1154217 1154256 1154295 1154353 1154357 1154482 1154492 1154661 1154871 1154884 1154887 1155199 1155207 1155271 1155305 1155327 1155337 1155338 1155339 1155350 1155357 1155360 1155376 1155518 1155574 1155798 1156139 1156194 1156213 1156395 1156482 1156837 1156884 1156913 1157169 1157278 1157292 1157315 1157438 1157794 1157893 1157894 1158050 1158095 1158095 1158242 1158265 1158485 1158504 1158509 1158527 1158560 1158590 1158630 1158630 1158748 1158758 1158765 1158830 1158833 1158921 1158983 1158996 1159006 1159018 1159035 1159086 1159622 1159781 1159814 1159819 1159819 1159840 1159867 1159928 1160039 1160452 1160571 1160595 1160735 1160947 1160970 1160978 1160979 1161119 1161132 1161133 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161495 1161517 1161521 1161573 1161770 1161783 1162002 1162063 1162108 1162108 1162202 1162224 1162357 1162367 1162396 1162400 1162423 1162518 1162539 1162539 1162675 1162680 1162698 1162702 1162825 1162930 1162936 1162937 1163178 1163178 1163184 1164260 1164260 1164505 1164538 1164562 1164648 1164717 1164736 1164777 1164780 1164804 1164950 1164950 1165011 1165211 1165296 1165439 1165475 1165539 1165579 1165784 1165828 1165894 1165894 1165933 1165975 1166106 1166260 1166334 1166510 1166510 1166748 1166880 1166881 1166985 1167104 1167205 1167206 1167244 1167601 1167602 1167631 1167651 1167674 1167732 1167773 1167898 1167919 1168076 1168230 1168235 1168345 1168389 1168422 1168481 1168669 1168669 1168699 1168756 1168779 1168838 1168938 1168959 1168994 1169021 1169094 1169095 1169194 1169357 1169444 1169488 1169512 1169514 1169521 1169569 1169582 1169681 1169746 1169771 1169850 1169851 1169872 1169944 1169947 1169997 1170011 1170154 1170160 1170175 1170284 1170347 1170442 1170475 1170476 1170527 1170554 1170571 1170572 1170617 1170745 1170771 1170774 1170801 1170838 1170879 1170891 1170895 1170908 1170964 1171145 1171150 1171189 1171191 1171219 1171220 1171246 1171284 1171417 1171437 1171513 1171529 1171530 1171546 1171561 1171652 1171656 1171662 1171688 1171699 1171732 1171739 1171743 1171759 1171828 1171857 1171863 1171864 1171866 1171868 1171872 1171878 1171904 1171915 1171978 1171982 1171983 1171988 1171995 1172017 1172021 1172040 1172046 1172055 1172061 1172062 1172063 1172064 1172065 1172066 1172067 1172068 1172069 1172072 1172073 1172085 1172086 1172095 1172113 1172169 1172170 1172201 1172205 1172208 1172223 1172225 1172307 1172342 1172343 1172344 1172348 1172356 1172365 1172366 1172374 1172377 1172383 1172384 1172386 1172391 1172393 1172394 1172396 1172453 1172458 1172467 1172477 1172484 1172495 1172537 1172543 1172566 1172687 1172698 1172704 1172710 1172719 1172739 1172745 1172751 1172759 1172775 1172781 1172782 1172783 1172807 1172807 1172810 1172814 1172816 1172823 1172841 1172861 1172871 1172925 1172929 1172938 1172939 1172940 1172956 1172983 1172984 1172985 1172986 1172987 1172988 1172989 1172990 1172999 1173026 1173027 1173032 1173060 1173068 1173074 1173085 1173106 1173139 1173159 1173160 1173161 1173206 1173227 1173229 1173238 1173240 1173271 1173274 1173280 1173284 1173336 1173357 1173359 1173376 1173377 1173378 1173380 1173422 1173428 1173438 1173461 1173514 1173552 1173560 1173573 1173582 1173625 1173746 1173776 1173812 1173817 1173818 1173820 1173822 1173823 1173824 1173825 1173826 1173827 1173828 1173830 1173831 1173832 1173833 1173834 1173836 1173837 1173838 1173839 1173841 1173843 1173844 1173845 1173847 1173849 1173860 1173866 1173894 1173941 1174011 1174018 1174072 1174091 1174116 1174120 1174126 1174127 1174128 1174129 1174185 1174244 1174263 1174264 1174320 1174331 1174332 1174333 1174345 1174356 1174396 1174398 1174407 1174409 1174411 1174421 1174438 1174443 1174444 1174462 1174463 1174513 1174527 1174543 1174543 1174570 1174618 1174627 1174673 1174782 1174847 1175036 1175060 1175198 1175250 1175251 353876 637176 658604 673071 709442 743787 747125 751718 754447 754677 787526 809831 831629 834601 840054 871152 885662 885882 901577 915402 917607 918346 941629 942751 951166 953659 960273 962849 965748 969953 982804 983582 984751 985177 985348 985657 989523 991901 999200 CVE-2009-5155 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2012-6708 CVE-2013-1752 CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2015-0247 CVE-2015-1572 CVE-2015-9251 CVE-2016-0772 CVE-2016-1000110 CVE-2016-10739 CVE-2016-10745 CVE-2016-3189 CVE-2016-5636 CVE-2016-5699 CVE-2017-16808 CVE-2017-16808 CVE-2017-17740 CVE-2017-17742 CVE-2017-18207 CVE-2017-18269 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0495 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-1000654 CVE-2018-1000802 CVE-2018-1000858 CVE-2018-10103 CVE-2018-10105 CVE-2018-10360 CVE-2018-1060 CVE-2018-1061 CVE-2018-10892 CVE-2018-10906 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-12384 CVE-2018-12404 CVE-2018-12404 CVE-2018-12405 CVE-2018-13785 CVE-2018-14404 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14567 CVE-2018-14647 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 CVE-2018-15664 CVE-2018-15686 CVE-2018-15688 CVE-2018-15853 CVE-2018-15854 CVE-2018-15855 CVE-2018-15856 CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861 CVE-2018-15862 CVE-2018-15863 CVE-2018-15864 CVE-2018-16062 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 CVE-2018-16300 CVE-2018-16301 CVE-2018-16301 CVE-2018-16395 CVE-2018-16396 CVE-2018-16402 CVE-2018-16403 CVE-2018-16451 CVE-2018-16452 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16869 CVE-2018-16873 CVE-2018-16873 CVE-2018-16873 CVE-2018-16873 CVE-2018-16874 CVE-2018-16874 CVE-2018-16874 CVE-2018-16874 CVE-2018-16875 CVE-2018-16875 CVE-2018-16875 CVE-2018-16875 CVE-2018-17466 CVE-2018-17953 CVE-2018-18074 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18500 CVE-2018-18501 CVE-2018-18505 CVE-2018-18508 CVE-2018-18520 CVE-2018-18521 CVE-2018-18751 CVE-2018-19211 CVE-2018-19519 CVE-2018-19637 CVE-2018-19638 CVE-2018-19639 CVE-2018-19640 CVE-2018-20346 CVE-2018-20406 CVE-2018-20406 CVE-2018-20482 CVE-2018-20483 CVE-2018-20843 CVE-2018-20852 CVE-2018-20852 CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 CVE-2018-4700 CVE-2018-5740 CVE-2018-5743 CVE-2018-5745 CVE-2018-6914 CVE-2018-6942 CVE-2018-6954 CVE-2018-7187 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-9251 CVE-2019-0804 CVE-2019-0816 CVE-2019-1010220 CVE-2019-1010220 CVE-2019-10160 CVE-2019-10160 CVE-2019-10906 CVE-2019-11236 CVE-2019-11324 CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729 CVE-2019-11730 CVE-2019-11745 CVE-2019-12290 CVE-2019-12735 CVE-2019-12749 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13509 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14271 CVE-2019-14287 CVE-2019-14853 CVE-2019-14859 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-15165 CVE-2019-15166 CVE-2019-15167 CVE-2019-15845 CVE-2019-15847 CVE-2019-15903 CVE-2019-15903 CVE-2019-16056 CVE-2019-16056 CVE-2019-16056 CVE-2019-16168 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-16884 CVE-2019-16884 CVE-2019-16935 CVE-2019-16935 CVE-2019-17006 CVE-2019-17006 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18634 CVE-2019-19126 CVE-2019-19462 CVE-2019-19921 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-20807 CVE-2019-20810 CVE-2019-20812 CVE-2019-20907 CVE-2019-3689 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5010 CVE-2019-5010 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-5736 CVE-2019-5736 CVE-2019-5736 CVE-2019-5736 CVE-2019-5953 CVE-2019-6454 CVE-2019-6454 CVE-2019-6465 CVE-2019-6470 CVE-2019-6471 CVE-2019-6486 CVE-2019-6706 CVE-2019-7150 CVE-2019-7317 CVE-2019-7665 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2019-8341 CVE-2019-8675 CVE-2019-8696 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9636 CVE-2019-9636 CVE-2019-9674 CVE-2019-9740 CVE-2019-9811 CVE-2019-9893 CVE-2019-9923 CVE-2019-9936 CVE-2019-9937 CVE-2019-9947 CVE-2019-9947 CVE-2020-0305 CVE-2020-0543 CVE-2020-10029 CVE-2020-10135 CVE-2020-10543 CVE-2020-10663 CVE-2020-10700 CVE-2020-10704 CVE-2020-10711 CVE-2020-10713 CVE-2020-10730 CVE-2020-10732 CVE-2020-10745 CVE-2020-10751 CVE-2020-10760 CVE-2020-10761 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-10773 CVE-2020-10781 CVE-2020-10878 CVE-2020-10933 CVE-2020-11501 CVE-2020-12243 CVE-2020-12399 CVE-2020-12402 CVE-2020-12656 CVE-2020-12723 CVE-2020-12769 CVE-2020-12771 CVE-2020-12888 CVE-2020-13143 CVE-2020-13361 CVE-2020-13362 CVE-2020-13401 CVE-2020-13659 CVE-2020-13800 CVE-2020-13974 CVE-2020-14303 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-14416 CVE-2020-14422 CVE-2020-15393 CVE-2020-15563 CVE-2020-15565 CVE-2020-15566 CVE-2020-15567 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707 CVE-2020-15780 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1747 CVE-2020-1752 CVE-2020-3898 CVE-2020-7595 CVE-2020-8023 CVE-2020-8130 CVE-2020-8169 CVE-2020-8177 CVE-2020-8492 CVE-2020-8631 CVE-2020-8632 ECO-550 PM-1350 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-9132 SLE-9426 ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1073299,1093392 This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1333-1 Released: Tue Jul 17 09:03:21 2018 Summary: Recommended update for bind Type: recommended Severity: moderate References: 901577,965748 This update for bind provides the following fix: - Fixed ldapdump to use a temporary pseudo nameserver that conforms to BIND's expected syntax. Prior versions would not work correctly with an LDAP backed DNS server. (bsc#965748) - Add SPF records in dnszone-schema file. (bsc#901577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1334-1 Released: Tue Jul 17 09:06:41 2018 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1096515 This update for mozilla-nss provides the following fixes: - Update to NSS 3.36.4 required by Firefox 60.0.2. (bsc#1096515) - Fix a problem that would cause connections to a server that was recently upgraded to TLS 1.3 to result in a SSL_RX_MALFORMED_SERVER_HELLO error. - Fix a rare bug with PKCS#12 files. - Use relro linker option. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spaned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have writen data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1476-1 Released: Thu Aug 2 14:20:03 2018 Summary: Security update for cups Type: security Severity: moderate References: 1096405,1096406,1096407,1096408,CVE-2018-4180,CVE-2018-4181,CVE-2018-4182,CVE-2018-4183 This update for cups fixes the following issues: The following security vulnerabilities were fixed: - Fixed a local privilege escalation to root and sandbox bypasses in the scheduler - CVE-2018-4180: Fixed a local privilege escalation to root in dnssd backend (bsc#1096405) - CVE-2018-4181: Limited local file reads as root via cupsd.conf include directive (bsc#1096406) - CVE-2018-4182: Fixed a sandbox bypass due to insecure error handling (bsc#1096407) - CVE-2018-4183: Fixed a sandbox bypass due to profile misconfiguration (bsc#1096408) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1756-1 Released: Fri Aug 24 17:12:55 2018 Summary: Recommended update for growpart Type: recommended Severity: moderate References: 1097455,1098681 This update for growpart provides the following fix: - Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1775-1 Released: Tue Aug 28 12:40:50 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: important References: 1089777,1105396 This update for xfsprogs fixes the following issues: - avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777) - repair: shift inode back into place if corrupted by bad log replay (bsc#1105396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1804-1 Released: Fri Aug 31 13:02:24 2018 Summary: Recommended update for docker Type: recommended Severity: moderate References: 1065609,1073877,1099277,1100727 This update for docker fixes the following issues: - Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727) - Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277) - Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877) - Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2138-1 Released: Thu Oct 4 15:52:15 2018 Summary: Recommended update for sudo Type: recommended Severity: low References: 1097643 This update for sudo fixes the following issues: - fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2170-1 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1107030 This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2346-1 Released: Mon Oct 22 09:40:46 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2412-1 Released: Tue Oct 23 17:28:04 2018 Summary: Recommended update for gettext-runtime Type: recommended Severity: moderate References: 1106843 This update for gettext-runtime provides the following fix: - Reset the length of message string after a line has been removed to fix a crash in msgfmt when writing java source code and the .po file has a POT-Creation-Date header. (bsc#1106843) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. - Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2486-1 Released: Fri Oct 26 12:38:27 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1105068 This update for xfsprogs fixes the following issues: - Explictly disable systemd unit files for scrub (bsc#1105068). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2620-1 Released: Thu Nov 8 17:57:34 2018 Summary: Security update for libxkbcommon Type: security Severity: low References: 1105832,CVE-2018-15853,CVE-2018-15854,CVE-2018-15855,CVE-2018-15856,CVE-2018-15857,CVE-2018-15858,CVE-2018-15859,CVE-2018-15861,CVE-2018-15862,CVE-2018-15863,CVE-2018-15864 This update for libxkbcommon to version 0.8.2 fixes the following issues: - Fix a few NULL-dereferences, out-of-bounds access and undefined behavior in the XKB text format parser. - CVE-2018-15853: Endless recursion could have been used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation (bsc#1105832). - CVE-2018-15854: Unchecked NULL pointer usage could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly (bsc#1105832). - CVE-2018-15855: Unchecked NULL pointer usage could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled (bsc#1105832). - CVE-2018-15856: An infinite loop when reaching EOL unexpectedly could be used by local attackers to cause a denial of service during parsing of crafted keymap files (bsc#1105832). - CVE-2018-15857: An invalid free in ExprAppendMultiKeysymList could have been used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file (bsc#1105832). - CVE-2018-15858: Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file (bsc#1105832). - CVE-2018-15859: Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled (bsc#1105832). - CVE-2018-15861: Unchecked NULL pointer usage in ExprResolveLhs could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure (bsc#1105832). - CVE-2018-15862: Unchecked NULL pointer usage in LookupModMask could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers (bsc#1105832). - CVE-2018-15863: Unchecked NULL pointer usage in ResolveStateAndPredicate could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression (bsc#1105832). - CVE-2018-15864: Unchecked NULL pointer usage in resolve_keysym could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created (bsc#1105832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2882-1 Released: Mon Dec 10 08:07:44 2018 Summary: Security update for cups Type: security Severity: important References: 1115750,CVE-2018-4700 This update for cups fixes the following issues: Security issue fixed: - CVE-2018-4700: Fixed extremely predictable cookie generation that is effectively breaking the CSRF protection of the CUPS web interface (bsc#1115750). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2945-1 Released: Fri Dec 14 16:43:57 2018 Summary: Security update for tcpdump Type: security Severity: moderate References: 1117267,CVE-2018-19519 This update for tcpdump fixes the following issues: Security issues fixed: - CVE-2018-19519: Fixed a stack-based buffer over-read in the print_prefix function (bsc#1117267) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Secuirty issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:3044-1 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Type: security Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:3064-1 Released: Fri Dec 28 18:39:08 2018 Summary: Security update for containerd, docker and go Type: security Severity: important References: 1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187 This update for containerd, docker and go fixes the following issues: containerd and docker: - Add backport for building containerd (bsc#1102522, bsc#1113313) - Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522) - Enable seccomp support on SLE12 (fate#325877) - Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522) - Put containerd under the podruntime slice (bsc#1086185) - 3rd party registries used the default Docker certificate (bsc#1084533) - Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem. go: - golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187) - Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634) - Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706) Additionally, the package go1.10 has been added. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:82-1 Released: Fri Jan 11 17:16:48 2019 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1044232 This update for suse-build-key fixes the following issues: - Include the SUSE PTF GPG key in the key directory to avoid it being stripped via %doc stripping in CAASP. (bsc#1044232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:91-1 Released: Tue Jan 15 14:14:43 2019 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1090767,1121045,1121207 This update for mozilla-nss fixes the following issues: - The hmac packages used in FIPS certification inadvertently removed in last update: re-added. (bsc#1121207) - Added 'Suggest:' for libfreebl3 and libsoftokn3 respective -hmac packages to avoid dependency issues during updates (bsc#1090767, bsc#1121045) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:93-1 Released: Tue Jan 15 14:48:33 2019 Summary: Security update for wget Type: security Severity: important References: 1120382,CVE-2018-20483 This update for wget fixes the following issues: Security issue fixed: - CVE-2018-20483: Fixed an information disclosure through file metadata (bsc#1120382) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:104-1 Released: Tue Jan 15 18:03:13 2019 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1117147 This update for chrony fixes the following issues: - Generate chronyd sysconfig file. (bsc#1117147) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when settting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:273-1 Released: Wed Feb 6 16:48:18 2019 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1119069,1120374,1122983,CVE-2018-12404,CVE-2018-18500,CVE-2018-18501,CVE-2018-18505 This update for MozillaFirefox, mozilla-nss fixes the following issues: Security issues fixed: - CVE-2018-18500: Fixed a use-after-free parsing HTML5 stream (bsc#1122983). - CVE-2018-18501: Fixed multiple memory safety bugs (bsc#1122983). - CVE-2018-18505: Fixed a privilege escalation through IPC channel messages (bsc#1122983). - CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack (bsc#1119069). Non-security issue fixed: - Update to MozillaFirefox ESR 60.5.0 - Update to mozilla-nss 3.41.1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:286-1 Released: Thu Feb 7 13:45:27 2019 Summary: Security update for docker Type: security Severity: moderate References: 1001161,1112980,1115464,1118897,1118898,1118899,1118990,1121412,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875 This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues: Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork: - CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897) - CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898) - CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899) Non-security issues fixed for docker: - Disable leap based builds for kubic flavor (bsc#1121412) - Allow users to explicitly specify the NIS domainname of a container (bsc#1001161) - Update docker.service to match upstream and avoid rlimit problems (bsc#1112980) - Allow docker images larger then 23GB (bsc#1118990) - Docker version update to version 18.09.0-ce (bsc#1115464) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:362-1 Released: Wed Feb 13 13:31:56 2019 Summary: Security update for docker-runc Type: security Severity: important References: 1121967,CVE-2019-5736 This update for docker-runc fixes the following issues: Security issue fixed: - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceeed - automount: don't pass non-blocking pipe to kernel. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:464-1 Released: Fri Feb 22 09:43:52 2019 Summary: Recommended update for xkeyboard-config Type: recommended Severity: moderate References: 1123784 This update for xkeyboard-config fixes the following issues: - Fixes missing mappings for evdev keys KEY_RFKILL and KEY_WWAN. (bsc#1123784) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:480-1 Released: Mon Feb 25 11:55:21 2019 Summary: Security update for supportutils Type: security Severity: important References: 1043311,1046681,1051797,1071545,1105849,1112461,1115245,1117776,1118460,1118462,1118463,1125609,1125666,CVE-2018-19637,CVE-2018-19638,CVE-2018-19639,CVE-2018-19640 This update for supportutils fixes the following issues: Security issues fixed: - CVE-2018-19640: Fixed an issue where users could kill arbitrary processes (bsc#1118463). - CVE-2018-19638: Fixed an issue where users could overwrite arbitrary log files (bsc#1118460). - CVE-2018-19639: Fixed a code execution if run with -v (bsc#1118462). - CVE-2018-19637: Fixed an issue where static temporary filename could allow overwriting of files (bsc#1117776). Other issues fixed: - Fixed invalid exit code commands (bsc#1125666). - Included additional SUSE separation (bsc#1125609). - Merged added listing of locked packes by zypper. - Exclude pam.txt per GDPR by default (bsc#1112461). - Clarified -x functionality in supportconfig(8) (bsc#1115245). - udev service and provide the whole journal content in supportconfig (bsc#1051797). - supportconfig collects tuned profile settings (bsc#1071545). - sfdisk -d no disk device specified (bsc#1043311). - Added vulnerabilites status check in basic-health.txt (bsc#1105849). - Added only sched_domain from cpu0. - Blacklist sched_domain from proc.txt (bsc#1046681). - Added firewall-cmd info. - Add ls -lA --time-style=long-iso /etc/products.d/ - Dump lsof errors. - Added corosync status to ha_info. - Dump find errors in ib_info. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:495-1 Released: Tue Feb 26 16:42:35 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc Type: security Severity: important References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues: Security issues fixed: - CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899). - CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898). - CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897). - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967). Other changes and fixes: - Update shell completion to use Group: System/Shells. - Add daemon.json file with rotation logs configuration (bsc#1114832) - Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Update go requirements to >= go1.10 - Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429). - Remove the usage of 'cp -r' to reduce noise in the build logs. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:565-1 Released: Thu Mar 7 17:46:16 2019 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1094225,1109664,1120049,1121043,1127063,1127069 This update for supportutils fixes the following issues: - Dont show error if /proc/fb is not present (bsc#1127069) - Fixed issue where dasdview got called with wrong arguments (bsc#1109664) - Clarified -t argument description in help output (bsc#1121043) - Fixed grep error in NTP when /etc/cron.d is empty (bsc#1127063) - Collect systemd journal logs with minimum installation (bsc#1094225) - Fixed tar file generation (bsc#1120049) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:570-1 Released: Thu Mar 7 17:50:46 2019 Summary: Recommended update for bind Type: recommended Severity: moderate References: 1094236 This update for bind fixes the following issues: - Fixes dynamic DNS updates against samba and Microsoft DNS servers (bsc#1094236). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:608-1 Released: Wed Mar 13 15:21:02 2019 Summary: Recommended update for cups Type: recommended Severity: moderate References: 1118118 This update for cups fixes the following issues: - Fixed validation of UTF-8 filenames to avoid crashes (bsc#1118118) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:909-1 Released: Tue Apr 9 08:04:44 2019 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1129914 This update for chrony fixes the following issues: - Fix ordering and dependencies of chronyd.service, so that it is started after name resolution is up (bsc#1129914). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:925-1 Released: Wed Apr 10 16:32:50 2019 Summary: Security update for wget Type: security Severity: important References: 1131493,CVE-2019-5953 This update for wget fixes the following issues: Security issue fixed: - CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:926-1 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Type: security Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:966-1 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1128323 This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. * Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fix an issue with epoch printing having too many \ * add epoch while printing 'Provides:' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:971-1 Released: Wed Apr 17 14:43:26 2019 Summary: Security update for python3 Type: security Severity: important References: 1129346,CVE-2019-9636 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1034-1 Released: Thu Apr 25 13:39:50 2019 Summary: Recommended update for docker-runc Type: recommended Severity: important References: 1131314,1131553 This update for docker-runc fixes the following issues: - Backport various upstream patches to fix some kernel regression related to O_TMPFILE. bsc#1131314 bsc#1131553 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependend 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1156-1 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1160-1 Released: Mon May 6 14:24:31 2019 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1005063,1069384,1131482,1133418,840054 This update for sg3_utils fixes the following issues: - Update to version 1.44~763+19.1ed0757: * rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384) * 40-usb-blacklist.rules: use ID_SCSI_INQUIRY (bsc#840054, bsc#1131482) * Changed versioning scheme (svn r763, pre-release of upstream 1.44, plus 16 SUSE patches, SUSE git commit b2fedfa) * 59-fc-wwpn-id.rules: fix rule syntax (bsc#1133418) - Spec file: add fc_wwpn_id to generate by-path links for fibrechannel (bsc#1005063) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1234-1 Released: Tue May 14 18:31:52 2019 Summary: Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork Type: security Severity: important References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486 This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967). - CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013). - CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897). - CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898). - CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899). Other changes and bug fixes: - Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068). - docker-test: Improvements to test packaging (bsc#1128746). - Move daemon.json file to /etc/docker directory (bsc#1114832). - Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209). - Fix go build failures (bsc#1121397). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1352-1 Released: Fri May 24 14:41:44 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1130840,1133452,CVE-2019-9947 This update for python3 to version 3.6.8 fixes the following issues: Security issue fixed: - CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840). Non-security issue fixed: - Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issued fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1383-1 Released: Thu May 30 08:11:26 2019 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1081326,1088234,1100529,1120967,1125623,1132865,1133844,1134599 This update for supportutils fixes the following issues: - Updated to version 3.1.3 + Uses SUSE FTP servers (bsc#1132865) + btrfs quota #43 + supportconfig: open-files: add file flags #44 + Merged etc_info: Add support for .cfg files in /etc dir #46 + Silence warning in rpm backup db collection path #47 + Set files in tarball to 660 instead of 600 #48 + SUSE separation finalized (bsc#1125623) + Default compression through xz, but -z forces bzip2 + Updated man pages (bsc#1088234) + Changed VAR_OPTION_BIN_TIMEOUT_SEC from 300 to 120 + Avoids some IO delays (bsc#1100529) + Corrected supported services help info for -U + Collects iSCSI Target information (bsc#1133844) + FTPES uses --ssl-reqd instead of depricated --ftp-ssl + Defaults to https FTP server uploads (bsc#1134599) - Updated to version 3.1.2 + Fixed missing sapconf and log (bsc#1081326) + Added timed_log_cmd to hwinfo and showmount commands (bsc#1120967) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1398-1 Released: Fri May 31 12:54:22 2019 Summary: Security update for libpng16 Type: security Severity: low References: 1100687,1121624,1124211,CVE-2018-13785,CVE-2019-7317 This update for libpng16 fixes the following issues: Security issues fixed: - CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211). - CVE-2018-13785: Fixed a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c, which could haved triggered and integer overflow and result in an divide-by-zero while processing a crafted PNG file, leading to a denial of service (bsc#1100687) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1407-1 Released: Mon Jun 3 13:33:51 2019 Summary: Security update for bind Type: security Severity: important References: 1104129,1126068,1126069,1133185,CVE-2018-5740,CVE-2018-5743,CVE-2018-5745,CVE-2019-6465 This update for bind fixes the following issues: Security issues fixed: - CVE-2019-6465: Fixed an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (bsc#1126069). - CVE-2018-5745: Fixed a denial of service vulnerability if a trust anchor rolls over to an unsupported key algorithm when using managed-keys (bsc#1126068). - CVE-2018-5743: Fixed a denial of service vulnerability which could be caused by to many simultaneous TCP connections (bsc#1133185). - CVE-2018-5740: Fixed a denial of service vulnerability in the 'deny-answer-aliases' feature (bsc#1104129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1457-1 Released: Tue Jun 11 10:09:14 2019 Summary: Security update for vim Type: security Severity: important References: 1137443,CVE-2019-12735 This update for vim fixes the following issue: Security issue fixed: - CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1487-1 Released: Thu Jun 13 09:40:56 2019 Summary: Security update for python-requests Type: security Severity: moderate References: 1111622,CVE-2018-18074 This update for python-requests to version 2.20.1 fixes the following issues: Security issue fixed: - CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1492-1 Released: Thu Jun 13 14:51:01 2019 Summary: Recommended update for libidn Type: recommended Severity: low References: 1132869 This update for libidn fixes the following issue: - The missing libidn11-32bit compat library package was provided. (bsc#1132869) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1562-1 Released: Wed Jun 19 09:16:07 2019 Summary: Security update for docker Type: security Severity: moderate References: 1096726,CVE-2018-15664 This update for docker fixes the following issues: Security issue fixed: - CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1616-1 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1134659 This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1627-1 Released: Fri Jun 21 11:15:11 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1073421,1122271,1129859 This update for xfsprogs fixes the following issues: - xfs_repair: will now allow '/' in attribute names (bsc#1122271) - xfs_repair: will now allow zeroing of corrupt log (bsc#1073421) - enabdled offline (unmounted) filesystem geometry queries (bsc#1129859) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1804-1 Released: Wed Jul 10 10:40:44 2019 Summary: Security update for ruby-bundled-gems-rpmhelper, ruby2.5 Type: security Severity: important References: 1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130028,1130611,1130617,1130620,1130622,1130623,1130627,1133790,CVE-2017-17742,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325 This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues: Changes in ruby2.5: Update to 2.5.5 and 2.5.4: https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/ Security issues fixed: - CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627) - CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623) - CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622) - CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620) - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617) - CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611) Ruby 2.5 was updated to 2.5.3: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532) - CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530) Ruby 2.5 was updated to 2.5.1: This release includes some bug fixes and some security fixes. Security issues fixed: - CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434) - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441) - CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436) - CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433) - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440) - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437) - Multiple vulnerabilities in RubyGems were fixed: - CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058) - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014) - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011) - CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010) - CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009) - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008) - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007) Other changes: - Fixed Net::POPMail methods modify frozen literal when using default arg - ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790) - build with PIE support (bsc#1130028) Changes in ruby-bundled-gems-rpmhelper: - Add a new helper for bundled ruby gems. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1140016 This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1869-1 Released: Wed Jul 17 14:03:20 2019 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1140868,CVE-2019-11709,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11715,CVE-2019-11717,CVE-2019-11719,CVE-2019-11729,CVE-2019-11730,CVE-2019-9811 This update for MozillaFirefox, mozilla-nss fixes the following issues: MozillaFirefox to version ESR 60.8: - CVE-2019-9811: Sandbox escape via installation of malicious language pack (bsc#1140868). - CVE-2019-11711: Script injection within domain through inner window reuse (bsc#1140868). - CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects (bsc#1140868). - CVE-2019-11713: Use-after-free with HTTP/2 cached stream (bsc#1140868). - CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault (bsc#1140868). - CVE-2019-11715: HTML parsing error can contribute to content XSS (bsc#1140868). - CVE-2019-11717: Caret character improperly escaped in origins (bsc#1140868). - CVE-2019-11719: Out-of-bounds read when importing curve25519 private key (bsc#1140868). - CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin (bsc#1140868). - CVE-2019-11709: Multiple Memory safety bugs fixed (bsc#1140868). mozilla-nss to version 3.44.1: * Added IPSEC IKE support to softoken * Many new FIPS test cases ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Does no longer compress debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2001-1 Released: Fri Jul 26 18:09:41 2019 Summary: Recommended update for docker Type: recommended Severity: important References: 1138920 This update for docker fixes the following issues: - Mark daemon.json as %config(noreplace) to not overwrite it during installation (bsc#1138920) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2005-1 Released: Mon Jul 29 13:02:15 2019 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692,1136440 This update for cloud-init fixes the following issues: - Fixes a bug where only the last defined route was written to the routes configuration file (bsc#1132692) - Fixes a bug where a new network rules file for network devices didn't apply immediately (bsc#1125950) - Improved the writing of route config files to avoid issues (bsc#1125992) - Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440) - Fixes a bug where IPv4 and IPv6 were not set up as default routes (bsc#1121878) - Added a fix to prevent the resolv.conf to be empty (bsc#1119397) - Uses now the proper name to designate IPv6 addresses in ifcfg-* files (bsc#1126101) - Fixes an issue where the ifroute-eth0 file got corrupted when cloning an existing instance (bsc#1123694) Some more fixes were included within the 19.1 update of cloud-init. Please refer to the package changelog for more details. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2050-1 Released: Tue Aug 6 09:42:37 2019 Summary: Security update for python3 Type: security Severity: important References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). - CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853). Non-security issue fixed: - Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2087-1 Released: Wed Aug 7 18:16:48 2019 Summary: Security update for tcpdump Type: security Severity: moderate References: 1068716,1142439,CVE-2017-16808,CVE-2019-1010220 This update for tcpdump fixes the following issues: Security issues fixed: - CVE-2019-1010220: Fixed a buffer over-read in print_prefix() which may expose data (bsc#1142439). - CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print() and lookup_emem() (bsc#1068716). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2096-1 Released: Fri Aug 9 06:57:23 2019 Summary: Recommended update for docker-img-store-setup Type: recommended Severity: moderate References: 1138201 This update for docker-img-store-setup fixes the following issues: - Support creation of the container storage filesystem with XFS to use the overlay fs driver. (bsc#1138201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 This update for libgcrypt fixes the following issues: - Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2117-1 Released: Tue Aug 13 14:56:55 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: important References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409,CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker: - CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409). - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160). - Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649). runc: - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920). - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649). containerd: - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967). - Update to containerd v1.2.6, which is required by docker (bsc#1139649). golang-github-docker-libnetwork: - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2142-1 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1141322 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). * Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2197-1 Released: Thu Aug 22 14:35:12 2019 Summary: Recommended update for shim Type: recommended Severity: moderate References: 1145676,1145802 This update for shim fixes the following issues: - Fixes an issue where shim-install crashed (bsc#1145802, bsc#1145676) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2306-1 Released: Thu Sep 5 14:39:23 2019 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1082318,1136245 This update for parted fixes the following issues: - Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245) - Installs the license file in the correct directory (bsc#1082318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2332-1 Released: Mon Sep 9 10:17:16 2019 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740 This update for python-urllib3 fixes the following issues: Security issues fixed: - CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071). - CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900). - CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2357-1 Released: Wed Sep 11 13:26:14 2019 Summary: Recommended update for lmdb Type: recommended Severity: moderate References: 1136132 This update for lmdb fixes the following issues: - Fix occasional crash when freed pages landed on the dirty list twice (bsc#1136132). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2422-1 Released: Fri Sep 20 16:36:43 2019 Summary: Recommended update for python-urllib3 Type: recommended Severity: moderate References: 1150895 This update for python-urllib3 fixes the following issues: - Add missing dependency on python-six (bsc#1150895) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2494-1 Released: Mon Sep 30 16:22:20 2019 Summary: Recommended update for cloud-init Type: recommended Severity: important References: 1141969,1144363,1144881 This update for cloud-init provides the following fixes: - Properly handle static routes. The EphemeralDHCP context manager did not parse or handle rfc3442 classless static routes which prevented reading datasource metadata in some clouds. (bsc#1141969) - The __str__ implementation no longer delivers the name of the interface, use the 'name' attribute instead to form a proper path in the sysfs tree. (bsc#1144363) - If no routes are set for a subnet but the subnet has a gateway specified, set the gateway as the default route for the interface. (bsc#1144881) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2550-1 Released: Fri Oct 4 13:17:15 2019 Summary: Security update for bind Type: security Severity: important References: 1118367,1118368,1138687,CVE-2019-6471 This update for bind fixes the following issues: Security issue fixed: - CVE-2019-6471: Fixed a reachable assert in dispatch.c. (bsc#1138687) Non-security issue fixed: - bind will no longer rely on /etc/insserv.conf (bsc#1118367, bsc#1118368) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2656-1 Released: Mon Oct 14 17:02:24 2019 Summary: Security update for sudo Type: security Severity: important References: 1153674,CVE-2019-14287 This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2657-1 Released: Mon Oct 14 17:04:07 2019 Summary: Security update for dhcp Type: security Severity: moderate References: 1089524,1134078,1136572,CVE-2019-6470 This update for dhcp fixes the following issues: Secuirty issue fixed: - CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078). Bug fixes: - Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524). - Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2673-1 Released: Tue Oct 15 16:53:08 2019 Summary: Security update for libpcap Type: security Severity: important References: 1153332,CVE-2018-16301,CVE-2019-15165 This update for libpcap fixes the following issues: - CVE-2019-15165: Added sanity checks for PHB header length before allocating memory (bsc#1153332). - CVE-2018-16301: Fixed a buffer overflow (bsc#1153332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2674-1 Released: Tue Oct 15 16:53:28 2019 Summary: Security update for tcpdump Type: security Severity: important References: 1068716,1153098,1153332,CVE-2017-16808,CVE-2018-10103,CVE-2018-10105,CVE-2018-14461,CVE-2018-14462,CVE-2018-14463,CVE-2018-14464,CVE-2018-14465,CVE-2018-14466,CVE-2018-14467,CVE-2018-14468,CVE-2018-14469,CVE-2018-14470,CVE-2018-14879,CVE-2018-14880,CVE-2018-14881,CVE-2018-14882,CVE-2018-16227,CVE-2018-16228,CVE-2018-16229,CVE-2018-16230,CVE-2018-16300,CVE-2018-16301,CVE-2018-16451,CVE-2018-16452,CVE-2019-1010220,CVE-2019-15166,CVE-2019-15167 This update for tcpdump fixes the following issues: - CVE-2017-16808: Fixed a heap-based buffer over-read related to aoe_print and lookup_emem (bsc#1068716 bsc#1153098). - CVE-2018-10103: Fixed a mishandling of the printing of SMB data (bsc#1153098). - CVE-2018-10105: Fixed a mishandling of the printing of SMB data (bsc#1153098). - CVE-2018-14461: Fixed a buffer over-read in print-ldp.c:ldp_tlv_print (bsc#1153098). - CVE-2018-14462: Fixed a buffer over-read in print-icmp.c:icmp_print (bsc#1153098). - CVE-2018-14463: Fixed a buffer over-read in print-vrrp.c:vrrp_print (bsc#1153098). - CVE-2018-14464: Fixed a buffer over-read in print-lmp.c:lmp_print_data_link_subobjs (bsc#1153098). - CVE-2018-14465: Fixed a buffer over-read in print-rsvp.c:rsvp_obj_print (bsc#1153098). - CVE-2018-14466: Fixed a buffer over-read in print-rx.c:rx_cache_find (bsc#1153098). - CVE-2018-14467: Fixed a buffer over-read in print-bgp.c:bgp_capabilities_print (bsc#1153098). - CVE-2018-14468: Fixed a buffer over-read in print-fr.c:mfr_print (bsc#1153098). - CVE-2018-14469: Fixed a buffer over-read in print-isakmp.c:ikev1_n_print (bsc#1153098). - CVE-2018-14470: Fixed a buffer over-read in print-babel.c:babel_print_v2 (bsc#1153098). - CVE-2018-14879: Fixed a buffer overflow in the command-line argument parser (bsc#1153098). - CVE-2018-14880: Fixed a buffer over-read in the OSPFv3 parser (bsc#1153098). - CVE-2018-14881: Fixed a buffer over-read in the BGP parser (bsc#1153098). - CVE-2018-14882: Fixed a buffer over-read in the ICMPv6 parser (bsc#1153098). - CVE-2018-16227: Fixed a buffer over-read in the IEEE 802.11 parser in print-802_11.c for the Mesh Flags subfield (bsc#1153098). - CVE-2018-16228: Fixed a buffer over-read in the HNCP parser (bsc#1153098). - CVE-2018-16229: Fixed a buffer over-read in the DCCP parser (bsc#1153098). - CVE-2018-16230: Fixed a buffer over-read in the BGP parser in print-bgp.c:bgp_attr_print (bsc#1153098). - CVE-2018-16300: Fixed an unlimited recursion in the BGP parser that allowed denial-of-service by stack consumption (bsc#1153098). - CVE-2018-16301: Fixed a buffer overflow (bsc#1153332 bsc#1153098). - CVE-2018-16451: Fixed several buffer over-reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE and \PIPE\LANMAN (bsc#1153098). - CVE-2018-16452: Fixed a stack exhaustion in smbutil.c:smb_fdata (bsc#1153098). - CVE-2019-15166: Fixed a bounds check in lmp_print_data_link_subobjs (bsc#1153098). - CVE-2019-15167: Fixed a vulnerability in VRRP (bsc#1153098). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2681-1 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Type: recommended Severity: moderate References: 1148244 This update for libdb-4_8 fixes the following issues: - Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2693-1 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1142343 This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2722-1 Released: Mon Oct 21 11:14:20 2019 Summary: Recommended update for pciutils-ids Type: recommended Severity: moderate References: 1127840,1133581 This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2777-1 Released: Thu Oct 24 16:13:20 2019 Summary: Recommended update for fipscheck Type: recommended Severity: moderate References: 1149792 This update for fipscheck fixes the following issues: - Remove #include of unused fips.h to fix build with OpenSSL 1.1.1 (bsc#1149792) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2782-1 Released: Fri Oct 25 14:27:52 2019 Summary: Security update for nfs-utils Type: security Severity: moderate References: 1150733,CVE-2019-3689 This update for nfs-utils fixes the following issues: - CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2786-1 Released: Fri Oct 25 15:56:35 2019 Summary: Security update for docker-runc Type: security Severity: moderate References: 1152308,CVE-2019-16884 This update for docker-runc fixes the following issues: - CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2802-1 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2891-1 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Type: security Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2992-1 Released: Mon Nov 18 11:52:10 2019 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1111029,1127734,1137336 This update for supportutils fixes the following issues: - Removed LPM/DLPAR data for POWER. (bsc#1111029) - Prevent running 'systool -vb memory' by default on systems with 16TB or more. (bsc#1127734) - Added sed and gawk to spec requirements (bsc#1137336) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3018-1 Released: Wed Nov 20 12:48:21 2019 Summary: Recommended update for xkeyboard-config Type: recommended Severity: moderate References: 1153774 This update for xkeyboard-config fixes the following issues: - Fix capslock in Old Hungarian layout (bsc#1153774) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3030-1 Released: Thu Nov 21 19:11:25 2019 Summary: Security update for cups Type: security Severity: important References: 1146358,1146359,CVE-2019-8675,CVE-2019-8696 This update for cups fixes the following issues: - CVE-2019-8675: Fixed a stack buffer overflow in libcups's asn1_get_type function(bsc#1146358). - CVE-2019-8696: Fixed a stack buffer overflow in libcups's asn1_get_packed function (bsc#1146359). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3096-1 Released: Thu Nov 28 16:48:21 2019 Summary: Security update for cloud-init Type: security Severity: moderate References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092,CVE-2019-0816 This update for cloud-init to version 19.2 fixes the following issues: Security issue fixed: - CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124). Non-security issues fixed: - Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988). - If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3173-1 Released: Wed Dec 4 20:22:45 2019 Summary: Recommended update for growpart, growpart-rootgrow Type: recommended Severity: moderate References: 1154357,ECO-550 This update for growpart, growpart-rootgrow contains the following fixes: growpart: - Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550) growpart-rootgrow: - Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550) - Bump from version 1.0.0 to 1.0.1: - Fixed binary location in service unit file. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3395-1 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:9-1 Released: Thu Jan 2 12:33:47 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1157438 This update for xfsprogs fixes the following issues: - Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:35-1 Released: Wed Jan 8 09:06:32 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: moderate References: 1122469,1143349,1150397,1152308,1153367,1158590,CVE-2019-16884 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). Bug fixes: - Update to Docker 19.03.5-ce (bsc#1158590). - Update to Docker 19.03.3-ce (bsc#1153367). - Update to Docker 19.03.2-ce (bsc#1150397). - Fixed default installation such that --userns-remap=default works properly (bsc#1143349). - Fixed nginx blocked by apparmor (bsc#1122469). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:119-1 Released: Thu Jan 16 15:42:39 2020 Summary: Recommended update for python-jsonpatch Type: recommended Severity: moderate References: 1160978 This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:245-1 Released: Tue Jan 28 09:42:30 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1155376,1156139,1157894,1161132,1161133 This update for cloud-init fixes the following issues: - Fixed an issue where it was not possible to add SSH keys and thus it was not possible to log into the system (bsc#1161132, bsc#1161133) - Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139) - The route's destination network will now be written in CIDR notation. This provides support for correctly recording IPv6 routes (bsc#1155376) - Many smaller fixes came with this package as well. For a full list of all changes, refer to the rpm's changes file. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:325-1 Released: Wed Feb 5 14:57:02 2020 Summary: Recommended update for dmidecode Type: recommended Severity: moderate References: 1153533,1158833 This update for dmidecode fixes the following issues: - Add enumerated values from SMBIOS 3.3.0 preventing incorrect report of new VGA card. (bsc#1153533, bsc#1158833, jsc#SLE-10875) - Only scan '/dev/mem' for entry point on x86 (fixes reboot on ARM64). - Fix formatting of TPM table output (missing newlines). - Fix displaying system slot information for PCIe SSD. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:365-1 Released: Fri Feb 7 13:48:54 2020 Summary: Recommended update for lmdb Type: recommended Severity: moderate References: 1159086 This update for lmdb fixes the following issues: - Fix assert in LMBD during 'mdb_page_search_root'. (bsc#1159086). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:375-1 Released: Fri Feb 7 17:30:25 2020 Summary: Security update for docker-runc Type: security Severity: moderate References: 1160452,CVE-2019-19921 This update for docker-runc fixes the following issues: - CVE-2019-19921: Fixed a volume mount race condition with shared mounts (bsc#1160452). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:408-1 Released: Wed Feb 19 09:32:46 2020 Summary: Security update for sudo Type: security Severity: important References: 1162202,1162675,CVE-2019-18634 This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:417-1 Released: Wed Feb 19 11:40:02 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1159840 This update for chrony fixes the following issues: - Fix 'make check' builds made after 2019-12-20. Existing installations do not need to be updated as the bug only affects the test, but not chrony itself (bsc#1159840). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:440-1 Released: Mon Feb 24 15:31:42 2020 Summary: Security update for python-azure-agent Type: security Severity: moderate References: 1127838,CVE-2019-0804 This update for python-azure-agent fixes the following issues: python-azure-agent was updated to version 2.2.45 (jsc#ECO-80) + Add support for Gen2 VM resource disks + Use alternate systemd detection + Fix /proc/net/route requirement that causes errors on FreeBSD + Add cloud-init auto-detect to prevent multiple provisioning mechanisms from relying on configuration for coordination + Disable cgroups when daemon is setup incorrectly + Remove upgrade extension loop for the same goal state + Add container id for extension telemetry events + Be more exact when detecting IMDS service health + Changing add_event to start sending missing fields From 2.2.44 update: + Remove outdated extension ZIP packages + Improved error handling when starting extensions using systemd + Reduce provisioning time of some custom images + Improve the handling of extension download errors + New API for extension authors to handle errors during extension update + Fix handling of errors in calls to openssl + Improve logic to determine current distro + Reduce verbosity of several logging statements From 2.2.42 update: + Poll for artifact blob, addresses goal state procesing issue From 2.2.41 update: + Rewriting the mechanism to start the extension using systemd-run for systems using systemd for managing + Refactoring of resource monitoring framework using cgroup for both systemd and non-systemd approaches [#1530, #1534] + Telemetry pipeline for resource monitoring data From 2.2.40 update: + Fixed tracking of memory/cpu usage + Do not prevent extensions from running if setting up cgroups fails + Enable systemd-aware deprovisioning on all versions >= 18.04 + Add systemd support for Debian Jessie, Stretch, and Buster + Support for Linux Openwrt From 2.2.38 update: Security issue fixed: + CVE-2019-0804: An issue with swapfile handling in the agent creates a data leak situation that exposes system memory data. (bsc#1127838) + Add fixes for handling swap file and other nit fixes From 2.2.37 update: + Improves re-try logic to handle errors while downloading extensions ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:462-1 Released: Tue Feb 25 11:49:30 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158504,1158509,1158630,1158758 This update for xfsprogs fixes the following issues: - Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630) - Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509) - Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504) - Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 * Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN * Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies. Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! * Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:503-1 Released: Wed Feb 26 19:29:07 2020 Summary: Recommended update for zypper-migration-plugin Type: recommended Severity: moderate References: 1100137,1107238 This update for zypper-migration-plugin fixes the following issues: - Check if snapper is configured. (jsc#SLE-7752) - Fix for returning non-zero exit code if there are possible migrations, but none is mirrored on registration server. (bsc#1107238) - Check for closed stdin in salt by transactional-update. (bsc#1100137) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:517-1 Released: Thu Feb 27 14:39:01 2020 Summary: Recommended update for cifs-utils Type: recommended Severity: moderate References: 1130528,1132087,1136031,1149164 This update for cifs-utils fixes the following issues: Update cifs-utils 6.9; (bsc#1132087); (bsc#1136031). * follow SMB default version changes in the kernel. * adds fixes for Azure * new smbinfo utility - Fix double-free in mount.cifs; (bsc#1149164). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:521-1 Released: Thu Feb 27 18:08:56 2020 Summary: Recommended update for c-ares Type: recommended Severity: moderate References: 1125306,1159006 This update for c-ares fixes the following issues: c-ares version update to 1.15.0: * Add ares_init_options() configurability for path to resolv.conf file * Ability to exclude building of tools (adig, ahost, acountry) in CMake * Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306) * Apply the IPv6 server blacklist to all nameserver sources * Prevent changing name servers while queries are outstanding * ares_set_servers_csv() on failure should not leave channel in a bad state * getaddrinfo - avoid infinite loop in case of NXDOMAIN * ares_getenv - return NULL in all cases * implement ares_getaddrinfo - Fixed a regression in DNS results that contain both A and AAAA answers. - Add netcfg as the build requirement and runtime requirement. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:566-1 Released: Tue Mar 3 09:14:05 2020 Summary: Recommended update for supportutils Type: recommended Severity: important References: 1023308,1089877,1145233,1154482,1156837,1162357,1162539 This update for supportutils fixes the following issues: - Exclude /proc/pagetypeinfo as it can be an expensive operation on some systems (bsc#1162357). - Readded LPM/DLPAR data for power (bsc#1162539). - Strip trailing commas from process names #64 (bsc#1156837). - Dynamically select compression method (bsc#1145233). - Updated detailed unit information fix in systemd.txt (bsc#1023308). - Include IPv6 routes (bsc#1089877). - Removed root .snapshots directory from full file list (bsc#1154482). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:655-1 Released: Thu Mar 12 13:17:03 2020 Summary: Recommended update for growpart Type: recommended Severity: moderate References: 1164736 This update for growpart fixes the following issues: - Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:690-1 Released: Fri Mar 13 17:09:28 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1166334 This update for suse-build-key fixes the following issues: - created a new security@suse.de communication key (bsc#1166334) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:737-1 Released: Fri Mar 20 13:47:16 2020 Summary: Recommended update for ruby2.5 Type: security Severity: important References: 1140844,1152990,1152992,1152994,1152995,1162396,1164804,CVE-2012-6708,CVE-2015-9251,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2020-8130 This update for ruby2.5 toversion 2.5.7 fixes the following issues: ruby 2.5 was updated to version 2.5.7 - CVE-2020-8130: Fixed a command injection in intree copy of rake (bsc#1164804). - CVE-2019-16255: Fixed a code injection vulnerability of Shell#[] and Shell#test (bsc#1152990). - CVE-2019-16254: Fixed am HTTP response splitting in WEBrick (bsc#1152992). - CVE-2019-15845: Fixed a null injection vulnerability of File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service of WEBrick Digest access authentication (bsc#1152995). - CVE-2012-6708: Fixed an XSS in JQuery - CVE-2015-9251: Fixed an XSS in JQuery - Fixed unit tests (bsc#1140844) - Removed some unneeded test files (bsc#1162396). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:751-1 Released: Mon Mar 23 16:32:44 2020 Summary: Security update for cloud-init Type: security Severity: moderate References: 1162936,1162937,1163178,CVE-2020-8631,CVE-2020-8632 This update for cloud-init fixes the following security issues: - CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937). - CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:777-1 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1165894 This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:823-1 Released: Tue Mar 31 13:28:14 2020 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1161783,1164260 This update for parted fixes the following issue: - Make parted work with pmemXs devices. (bsc#1164260) - Fix for error when parted output size crashing parted in yast. (bsc#1161783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:848-1 Released: Thu Apr 2 11:24:38 2020 Summary: Recommended update for GeoIP Type: recommended Severity: moderate References: 1156194 This update for GeoIP fixes the following issues: - Update README.SUSE with a description how to get the latest Geo IP data after the distribution changes. (jsc#SLE-11184, bsc#1156194, jsc#ECO-1405) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:850-1 Released: Thu Apr 2 14:37:31 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1155350,1155357,1155360,1166880 This update for mozilla-nss fixes the following issues: Added various fixes related to FIPS certification: * Use getrandom() to obtain entropy where possible. * Make DSA KAT FIPS compliant. * Use FIPS compliant hash when validating keypair. * Enforce FIPS requirements on RSA key generation. * Miscellaneous fixes to CAVS tests. * Enforce FIPS limits on how much data can be processed without rekeying. * Run self tests on library initialization in FIPS mode. * Disable non-compliant algorithms in FIPS mode (hashes and the SEED cipher). * Clear various temporary variables after use. * Allow MD5 to be used in TLS PRF. * Preferentially gather entropy from /dev/random over /dev/urandom. * Allow enabling FIPS mode consistently with NSS_FIPS environment variable. * Fix argument parsing bug in lowhashtest. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:914-1 Released: Fri Apr 3 12:07:10 2020 Summary: Recommended update for btrfsprogs Type: recommended Severity: moderate References: 1131334,1158560 This update for btrfsprogs fixes the following issue: - handling metadata created by a very old kernel. (bsc#1131334) - 'btrfs check' tool segfaulting. (bsc#1158560) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:934-1 Released: Tue Apr 7 03:46:20 2020 Summary: Recommended update for wget Type: recommended Severity: moderate References: 1167919 This update for wget fixes the following issues: wget was updated to 1.20.3, fixing various bugs, including: - Fix for wget ignoring domains with leading '.' in environment variable 'no_proxy'. (bsc#1167919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:935-1 Released: Tue Apr 7 03:46:39 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158630,1167205,1167206 This update for xfsprogs fixes the following issues: - xfs_quota: reformat commands in the manpage. (bsc#1167206) Reformat commands in the manpage so that fstest can check that each command is actually documented. - xfs_db: document missing commands. (bsc#1167205) Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage. - xfs_io: allow size suffixes for the copy_range command. (bsc#1158630) Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:949-1 Released: Wed Apr 8 07:45:48 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1168669 This update for mozilla-nss fixes the following issues: - Use secure_getenv() to avoid PR_GetEnvSecure() being called when NSPR is unavailable, resulting in an abort (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:959-1 Released: Wed Apr 8 12:59:50 2020 Summary: Security update for python-PyYAML Type: security Severity: important References: 1165439,CVE-2020-1747 This update for python-PyYAML fixes the following issues: - CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:979-1 Released: Mon Apr 13 15:42:59 2020 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1168756 This update for parted fixes the following issue: - fix null pointer dereference. (bsc#1168756) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:995-1 Released: Wed Apr 15 08:30:39 2020 Summary: Security update for ruby2.5 Type: security Severity: moderate References: 1167244,1168938,CVE-2020-10663,CVE-2020-10933 This update for ruby2.5 to version 2.5.8 fixes the following issues: - CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (bsc#1167244). - CVE-2020-10933: Heap exposure vulnerability in the socket library (bsc#1168938). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1000-1 Released: Wed Apr 15 14:18:57 2020 Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager Type: recommended Severity: moderate References: 1014478,1054413,1140565,982804,999200 This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues: The Azure python modules and client tool stack was updated to the 2020 state. Various other python modules were added and updated. - python-PyYAML was updated to 5.1.2. - python-humanfriendly was updated 4.16.1. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided. In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1042-1 Released: Tue Apr 21 08:00:15 2020 Summary: Recommended update for supportutils Type: recommended Severity: important References: 1162539,1165475 This update for supportutils fixes the following issues: - Replaced Novell with SUSE FTP servers (bsc#1165475) - Added missed Power collection (bsc#1162539) - Added core file validation (bsc#1166126) - Changed filename prefixes from nts_ to scc_ referencing the SUSE Customer Center (SLE-8702, SLE-6762) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1056-1 Released: Tue Apr 21 16:26:22 2020 Summary: Recommended update for cloud-init Type: recommended Severity: important References: 1099358,1144881,1145622,1148645,1163178,1165296 This update for cloud-init contains the following fixes: - Update previous patches with the following additions: + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration + Still need to consider the 'network' configuration uption for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42. + Add the default gateway to the ifroute config file when specified as part of the subnet configuration. (bsc#1165296) + Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296) + Fix for default gateway and IPv6. (bsc#1144881) + Routes will be written if there is only a default gateway. (bsc#1148645) - BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through the -mini flavor. - Update to cloud-init 19.2. (bsc#1099358, bsc#1145622) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1061-1 Released: Wed Apr 22 10:45:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1169872 This update for mozilla-nss fixes the following issues: - This implements API mechanisms for performing DSA and ECDSA hash-and-sign in a single call, which will be required in future FIPS cycles (bsc#1169872). - Always perform nssdbm checksumming on softoken load, even if nssdbm itself is not loaded. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1083-1 Released: Thu Apr 23 11:31:23 2020 Summary: Security update for cups Type: security Severity: important References: 1168422,CVE-2020-3898 This update for cups fixes the following issues: - CVE-2020-3898: Fixed a heap buffer overflow in ppdFindOption() (bsc#1168422). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1112-1 Released: Fri Apr 24 16:44:20 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1170347 This update for suse-build-key fixes the following issues: - add a /usr/share/container-keys/ directory for GPG based Container verification. - Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1131-1 Released: Tue Apr 28 11:59:17 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170571,1170572 This update for mozilla-nss fixes the following issues: - FIPS: Add Softoken POSTs for new DSA and ECDSA hash-and-sign update functions. (bsc#1170571) - FIPS: Add pairwise consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 checks. - FIPS: Replace bad attempt at unconditional nssdbm checksumming with a dlopen(), so it can be located consistently and perform its own self-tests. - FIPS: This fixes an instance of inverted logic due to a boolean being mistaken for a SECStatus, which caused key derivation to fail when the caller provided a valid subprime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1181-1 Released: Tue May 5 12:02:39 2020 Summary: Recommended update for pciutils-ids Type: recommended Severity: moderate References: 1170160 This update for pciutils-ids fixes the following issues: - Update the PCI utilities database to 20200324. (bsc#1170160) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1182-1 Released: Tue May 5 12:06:55 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1099272,1156884,1161119 This update for chrony fixes the following issues: - Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272, bsc#1161119) - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. - Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE. (bsc#1156884, SLE-11424) - Add chrony-pool-empty to still allow installing chrony without preconfigured servers. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1222-1 Released: Fri May 8 08:23:57 2020 Summary: Recommended update for python-azure-agent Type: recommended Severity: moderate References: 1167601,1167602 This update for python-azure-agent fixes the following issues: - Set the hostname using hostnamectl to ensure setting is properly applied (bsc#1167601, bsc#1167602) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1266-1 Released: Wed May 13 10:20:54 2020 Summary: Recommended update for jq Type: recommended Severity: moderate References: 1170838 This update for jq fixes the following issues: jq was updated to version 1.6: * Destructuring Alternation * many new builtins (see docs) * Add support for ASAN and UBSAN * Make it easier to use jq with shebangs * Add $ENV builtin variable to access environment * Add JQ_COLORS env var for configuring the output colors * change: Calling jq without a program argument now always assumes '.' for the program, regardless of stdin/stdout * fix: Make sorting stable regardless of qsort. - Make jq depend on libjq1, so upgrading jq upgrades both ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1303-1 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1169582 This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1342-1 Released: Tue May 19 13:27:31 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1149955,1165894,CVE-2019-16056 This update for python3 fixes the following issues: - Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1348-1 Released: Wed May 20 11:37:41 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1170908 This update for mozilla-nss fixes the following issues: The following issues are fixed: - Add AES Keywrap POST. - Accept EACCES in lieu of ENOENT when trying to access /proc/sys/crypto/fips_enabled (bsc#1170908). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1353-1 Released: Wed May 20 13:02:32 2020 Summary: Security update for freetype2 Type: security Severity: moderate References: 1079603,1091109,CVE-2018-6942 This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector. - Enable subpixel rendering with infinality config: - Re-enable freetype-config, there is just too many fallouts. - Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli. - freetype-config is now deprecated by upstream and not enabled by default. - Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs. - Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues. - Update to version 2.9.1 * No changelog upstream. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1427-1 Released: Tue May 26 14:55:16 2020 Summary: Recommended update for docker-runc Type: recommended Severity: moderate References: 1168481 This update for docker-runc contains the following fixes: - Backport upstream fix that enable access to /dev/null in containers. Resolves many issues with the implementation of the runc devices cgroup code. Removes some of the disruptive aspects of 'runc update'. (bsc#1168481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1492-1 Released: Wed May 27 18:32:41 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1171561 This update for python-rpm-macros fixes the following issue: - Update to version 20200207.5feb6c1 (bsc#1171561) * Do not write .pyc files for tests ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1496-1 Released: Wed May 27 20:30:31 2020 Summary: Recommended update for python-requests Type: recommended Severity: low References: 1170175 This update for python-requests fixes the following issues: - Fix for warnings 'test fails to build' for python http. (bsc#1170175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1541-1 Released: Thu Jun 4 13:23:27 2020 Summary: Recommended update for pciutils Type: recommended Severity: moderate References: 1170554 This update for pciutils fixes the following issues: - Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1551-1 Released: Mon Jun 8 09:31:41 2020 Summary: Security update for vim Type: security Severity: moderate References: 1172225,CVE-2019-20807 This update for vim fixes the following issues: - CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1558-1 Released: Mon Jun 8 10:36:32 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1172113 This update for chrony fixes the following issue: - Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1657-1 Released: Thu Jun 18 10:49:53 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: moderate References: 1172377,CVE-2020-13401 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13 - CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1733-1 Released: Wed Jun 24 09:43:36 2020 Summary: Security update for curl Type: security Severity: important References: 1173026,1173027,CVE-2020-8169,CVE-2020-8177 This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). - CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1759-1 Released: Thu Jun 25 18:44:37 2020 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1169357 This update for krb5 fixes the following issue: - Call systemd to reload the services instead of init-scripts. (bsc#1169357) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1760-1 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1157315,1162698,1164538,1169488,1171145,1172072 This update for systemd fixes the following issues: - Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1795-1 Released: Mon Jun 29 11:22:45 2020 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1172566 This update for lvm2 fixes the following issues: - Fix potential data loss problem with LVM cache (bsc#1172566) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1821-1 Released: Thu Jul 2 08:39:34 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1172807,1172816 This update for dracut fixes the following issues: - 35network-legacy: Fix dual stack setups. (bsc#1172807) - 95iscsi: fix missing space when compiling cmdline args. (bsc#1172816) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1822-1 Released: Thu Jul 2 11:30:42 2020 Summary: Security update for python3 Type: security Severity: important References: 1173274,CVE-2020-14422 This update for python3 fixes the following issues: - CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1850-1 Released: Mon Jul 6 14:44:39 2020 Summary: Security update for mozilla-nss Type: security Severity: moderate References: 1168669,1173032,CVE-2020-12402 This update for mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53.1 - CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032) - Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1852-1 Released: Mon Jul 6 16:50:21 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Type: recommended Severity: moderate References: 1169444 This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. --shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1856-1 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1172698,1172704,CVE-2020-8023 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1885-1 Released: Fri Jul 10 14:54:22 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1170154,1171546,1171995 This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1902-1 Released: Tue Jul 14 15:19:43 2020 Summary: Security update for xen Type: security Severity: important References: 1027519,1172205,1173376,1173377,1173378,1173380,CVE-2020-0543,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567 This update for xen fixes the following issues: - CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377). - CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378). - CVE-2020-15566: Fixed incorrect error handling in event channel port allocation (bsc#1173376). - CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380). - CVE-2020-0543: Special Register Buffer Data Sampling (SRBDS) aka 'CrossTalk' (bsc#1172205). Additional upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1938-1 Released: Thu Jul 16 14:43:32 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1169947,1170801,1172925,1173106 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to: - Enable zstd compression support for sle15 zypper was updated to version 1.14.37: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) libzypp was updated to 17.24.0 - Fix core dump with corrupted history file (bsc#1170801) - Enable zchunk metadata download if libsolv supports it. - Better handling of the purge-kernels algorithm. (bsc#1173106) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1948-1 Released: Fri Jul 17 14:48:02 2020 Summary: Security update for ldb, samba Type: security Severity: important References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 This update for ldb, samba fixes the following issues: Changes in samba: - Update to samba 4.11.11 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159] + CVE-2020-10745: invalid DNS or NBT queries containing dots use several seconds of CPU each; (bso#14378); (bsc#1173160). + CVE-2020-10760: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV; (bso#14402); (bsc#1173161) + CVE-2020-14303: Endless loop from empty UDP packet sent to AD DC nbt_server; (bso#14417); (bsc#1173359). - Update to samba 4.11.10 + Fix segfault when using SMBC_opendir_ctx() routine for share folder that contains incorrect symbols in any file name; (bso#14374). + vfs_shadow_copy2 doesn't fail case looking in snapdirseverywhere mode; (bso#14350) + ldb_ldap: Fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + Malicous SMB1 server can crash libsmbclient; (bso#14366) + winbindd: Fix a use-after-free when winbind clients exit; (bso#14382) + ldb: Bump version to 2.0.11, LMDB databases can grow without bounds. (bso#14330) - Update to samba 4.11.9 + nmblib: Avoid undefined behaviour in handle_name_ptrs(); (bso#14242). + 'samba-tool group' commands do not handle group names with special chars correctly; (bso#14296). + smbd: avoid calling vfs_file_id_from_sbuf() if statinfo is not valid; (bso#14237). + Missing check for DMAPI offline status in async DOS attributes; (bso#14293). + smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs; (bso#14307). + vfs_recycle: Prevent flooding the log if we're called on non-existant paths; (bso#14316) + smbd mistakenly updates a file's write-time on close; (bso#14320). + RPC handles cannot be differentiated in source3 RPC server; (bso#14359). + librpc: Fix IDL for svcctl_ChangeServiceConfigW; (bso#14313). + nsswitch: Fix use-after-free causing segfault in _pam_delete_cred; (bso#14327). + Fix fruit:time machine max size on arm; (bso#13622) + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294). + ctdb: Fix a memleak; (bso#14348). + libsmb: Don't try to find posix stat info in SMBC_getatr(). + ctdb-tcp: Move free of inbound queue to TCP restart; (bso#14295); (bsc#1162680). + s3/librpc/crypto: Fix double free with unresolved credential cache; (bso#14344); (bsc#1169095) + s3:libads: Fix ads_get_upn(); (bso#14336). + CTDB recovery corner cases can cause record resurrection and node banning; (bso#14294) + Starting ctdb node that was powered off hard before results in recovery loop; (bso#14295); (bsc#1162680). + ctdb-recoverd: Avoid dereferencing NULL rec->nodemap; (bso#14324) - Update to samba 4.11.8 + CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ; (bso#14331); (bsc#1169850); + CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC; (bso#14334); (bsc#1169851); - Update to samba 4.11.7 + s3: lib: nmblib. Clean up and harden nmb packet processing; (bso#14239). + s3: VFS: full_audit. Use system session_info if called from a temporary share definition; (bso#14283) + dsdb: Correctly handle memory in objectclass_attrs; (bso#14258). + ldb: version 2.0.9, Samba 4.11 and later give incorrect results for SCOPE_ONE searches; (bso#14270) + auth: Fix CIDs 1458418 and 1458420 Null pointer dereferences; (bso#14247). + smbd: Handle EINTR from open(2) properly; (bso#14285) + winbind member (source3) fails local SAM auth with empty domain name; (bso#14247) + winbindd: Handling missing idmap in getgrgid(); (bso#14265). + lib:util: Log mkdir error on correct debug levels; (bso#14253). + wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9; (bso#14266). + ctdb-tcp: Make error handling for outbound connection consistent; (bso#14274). - Update to samba 4.11.6 + pygpo: Use correct method flags; (bso#14209). + vfs_ceph_snapshots: Fix root relative path handling; (bso#14216); (bsc#1141320). + Avoiding bad call flags with python 3.8, using METH_NOARGS instead of zero; (bso#14209). + source4/utils/oLschema2ldif: Include stdint.h before cmocka.h; (bso#14218). + docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc; (bso#14122). + smbd: Fix the build with clang; (bso#14251). + upgradedns: Ensure lmdb lock files linked; (bso#14199). + s3: VFS: glusterfs: Reset nlinks for symlink entries during readdir; (bso#14182). + smbc_stat() doesn't return the correct st_mode and also the uid/gid is not filled (SMBv1) file; (bso#14101). + librpc: Fix string length checking in ndr_pull_charset_to_null(); (bso#14219). + ctdb-scripts: Strip square brackets when gathering connection info; (bso#14227). - Add libnetapi-devel to baselibs conf, for wine usage; (bsc#1172307); - Installing: samba - samba-ad-dc.service does not exist and unit not found; (bsc#1171437); - Fix samba_winbind package is installing python3-base without python3 package; (bsc#1169521); Changes in ldb: - Update to version 2.0.12 + CVE-2020-10730: NULL de-reference in AD DC LDAP server when ASQ and VLV combined; (bso#14364); (bsc#1173159). + ldb_ldap: fix off-by-one increment in lldb_add_msg_attr; (bso#14413). + lib/ldb: add unit test for ldb_ldap internal code. - Update to version 2.0.11 + lib ldb: lmdb init var before calling mdb_reader_check. + lib ldb: lmdb clear stale readers on write txn start; (bso#14330). + ldb tests: Confirm lmdb free list handling ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1950-1 Released: Fri Jul 17 17:16:21 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1161573,1165828,1169997,1172807,1173560 This update for dracut fixes the following issues: - Update to version 049.1+suse.152.g8506e86f: * 01fips: modprobe failures during manual module loading is not fatal. (bsc#bsc#1169997) * 91zipl: parse-zipl.sh: honor SYSTEMD_READY. (bsc#1165828) * 95iscsi: fix ipv6 target discovery. (bsc#1172807) * 35network-legacy: correct conditional for creating did-setup file. (bsc#1172807) - Update to version 049.1+suse.148.gc4a6c2dd: * 95fcoe: load 'libfcoe' module as a fallback. (bsc#1173560) * 99base: enable the initqueue in both 'dracut --add-device' and 'dracut --mount' cases. (bsc#1161573) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1952-1 Released: Fri Jul 17 17:35:24 2020 Summary: Recommended update for zypper-migration-plugin Type: recommended Severity: moderate References: 1171652 This update for zypper-migration-plugin fixes the following issue: - Update from version 0.12.1580220831.7102be8 to version 0.12.1590748670.86b0749 * Make sure that all the release packages are installed. (bsc#1171652) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1953-1 Released: Sat Jul 18 03:06:11 2020 Summary: Recommended update for parted Type: recommended Severity: important References: 1164260 This update for parted fixes the following issue: - fix support of NVDIMM (pmemXs) devices (bsc#1164260) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1954-1 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Type: recommended Severity: moderate References: 1172396 This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1986-1 Released: Tue Jul 21 16:06:12 2020 Summary: Recommended update for openvswitch Type: recommended Severity: moderate References: 1172861,1172929 This update for openvswitch fixes the following issues: - Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861) - Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1987-1 Released: Tue Jul 21 17:02:15 2020 Summary: Recommended update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings Type: recommended Severity: important References: 1172477,1173336,1174011 This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues: libsolv: - No source changes, just shipping it as an installer update (required by yast2-pkg-bindings). libzypp: - Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011) - ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011) yast2-packager: - Handle variable expansion in repository name. (bsc#1172477) - Improve medium type detection, do not report Online medium when the /media.1/products file is missing in the repository, SMT does not mirror this file. (bsc#1173336) yast2-pkg-bindings: - Extensions to handle raw repository name. (bsc#1172477) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2000-1 Released: Wed Jul 22 09:04:41 2020 Summary: Recommended update for efivar Type: recommended Severity: important References: 1100077,1101023,1120862,1127544 This update for efivar fixes the following issues: - fix logic that checks for UCS-2 string termination (bsc#1127544) - fix casting of IPv4 addresses - Don't require an EUI for NVMe (bsc#1100077) - Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023) - fix for compilation failures bsc#1120862 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2015-1 Released: Thu Jul 23 09:21:24 2020 Summary: Security update for qemu Type: security Severity: important References: 1172383,1172384,1172386,1172495,1172710,CVE-2020-10761,CVE-2020-13361,CVE-2020-13362,CVE-2020-13659,CVE-2020-13800 This update for qemu to version 4.2.1 fixes the following issues: - CVE-2020-10761: Fixed a denial of service in Network Block Device (nbd) support infrastructure (bsc#1172710). - CVE-2020-13800: Fixed a denial of service possibility in ati-vga emulation (bsc#1172495). - CVE-2020-13659: Fixed a null pointer dereference possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172386). - CVE-2020-13362: Fixed an OOB access possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172383). - CVE-2020-13361: Fixed an OOB access possibility in ES1370 audio device emulation (bsc#1172384). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2018-1 Released: Thu Jul 23 09:35:42 2020 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1172040 This update for apparmor fixes the following issues: - Add 'UI_Showfile' so Yast shows the profile correctly. (bsc#1172040) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2074-1 Released: Wed Jul 29 18:59:46 2020 Summary: Security update for grub2 Type: security Severity: important References: 1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707 This update for grub2 fixes the following issues: - Fix for CVE-2020-10713 (bsc#1168994) - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) - Fix for CVE-2020-15706 (bsc#1174463) - Fix for CVE-2020-15707 (bsc#1174570) - Use overflow checking primitives where the arithmetic expression for buffer - Use grub_calloc for overflow check and return NULL when it would occur ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate References: 1156913 This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2099-1 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1173227,1173229,1173422 This update for systemd fixes the following issues: - migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. - Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2105-1 Released: Mon Aug 3 16:42:25 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1058115,1065729,1071995,1085030,1148868,1152472,1152489,1153274,1154353,1154492,1155518,1155798,1156395,1157169,1158050,1158242,1158265,1158748,1158765,1158983,1159781,1159867,1160947,1161495,1162002,1162063,1162400,1162702,1164648,1164777,1164780,1165211,1165933,1165975,1166985,1167104,1167651,1167773,1168230,1168779,1168838,1168959,1169021,1169094,1169194,1169514,1169681,1169771,1170011,1170284,1170442,1170617,1170774,1170879,1170891,1170895,1171150,1171189,1171191,1171219,1171220,1171246,1171417,1171513,1171529,1171530,1171662,1171688,1171699,1171732,1171739,1171743,1171759,1171828,1171857,1171868,1171904,1171915,1171982,1171983,1171988,1172017,1172046,1172061,1172062,1172063,1172064,1172065,1172066,1172067,1172068,1172069,1172073,1172086,1172095,1172169,1172170,1172201,1172208,1172223,1172342,1172343,1172344,1172365,1172366,1172374,1172391,1172393,1172394,1172453,1172458,1172467,1172484,1172537,1172543,1172687,1172719,1172739,1172751,1172759,1172775,1172781,1172782,1172783,1172814,1172823,1172841,1172871,1172938,1172939,1172940,1172956,1172983,1172984,1172985,1172986,1172987,1172988,1172989,1172990,1172999,1173060,1173068,1173074,1173085,1173139,1173206,1173271,1173280,1173284,1173428,1173438,1173461,1173514,1173552,1173573,1173625,1173746,1173776,1173817,1173818,1173820,1173822,1173823,1173824,1173825,1173826,1173827,1173828,1173830,1173831,1173832,1173833,1173834,1173836,1173837,1173838,1173839,1173841,1173843,1173844,1173845,1173847,1173849,1173860,1173894,1173941,1174018,1174072,1174116,1174126,1174127,1174128,1174129,1174185,1174244,1174263,1174264,1174331,1174332,1174333,1174345,1174356,1174396,1174398,1174407,1174409,1174411,1174438,1174462,1174513,1174527,1174543,1174627,962849,CVE-2019-19462,CVE-2019-20810,CVE-2019-20812,CVE-2020-0305,CVE-2020-10135,CVE-2020-10711,CVE-2020-10732,CVE-2020-10751,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10773,CVE-2020-10781,CVE-2020-12656,CVE-2020-12769,CVE-2020-12771,CVE-2020-12888,CVE-2020-13143,CVE-2020-13974,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780 The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2019-19462: relay_open in kernel/relay.c in the Linux kernel allowed local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result (bnc#1158265). - CVE-2019-20810: Fixed a memory leak in go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c because it did not call snd_card_free for a failure path (bnc#1172458). - CVE-2019-20812: An issue was discovered in the prb_calc_retire_blk_tmo() function in net/packet/af_packet.c could result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3 (bnc#1172453). - CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462). - CVE-2020-10135: Legacy pairing and secure-connections pairing authentication in Bluetooth® BR/EDR Core Specification v5.2 and earlier may have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key (bnc#1171988). - CVE-2020-10711: A NULL pointer dereference flaw was found in the SELinux subsystem in versions This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. This flaw allowed a remote network user to crash the system kernel, resulting in a denial of service (bnc#1171191). - CVE-2020-10732: A flaw was found in the implementation of Userspace core dumps. This flaw allowed an attacker with a local account to crash a trivial program and exfiltrate private kernel data (bnc#1171220). - CVE-2020-10751: A flaw was found in the SELinux LSM hook implementation, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing (bnc#1171189). - CVE-2020-10766: Fixed an issue which allowed an attacker with a local account to disable SSBD protection (bnc#1172781). - CVE-2020-10767: Fixed an issue where Indirect Branch Prediction Barrier was disabled in certain circumstances, leaving the system open to a spectre v2 style attack (bnc#1172782). - CVE-2020-10768: Fixed an issue with the prctl() function, where indirect branch speculation could be enabled even though it was diabled before (bnc#1172783). - CVE-2020-10773: Fixed a memory leak on s390/s390x, in the cmm_timeout_hander in file arch/s390/mm/cmm.c (bnc#1172999). - CVE-2020-10781: A zram sysfs resource consumption was fixed (bnc#1173074). - CVE-2020-12656: Fixed a memory leak in gss_mech_free in the rpcsec_gss_krb5 implementation, caused by a lack of certain domain_release calls (bnc#1171219). - CVE-2020-12769: An issue was discovered in drivers/spi/spi-dw.c allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bnc#1171983). - CVE-2020-12771: An issue was discovered in btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732). - CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868). - CVE-2020-13143: gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c relies on kstrdup without considering the possibility of an internal '\0' value, which allowed attackers to trigger an out-of-bounds read (bnc#1171982). - CVE-2020-13974: Fixed a integer overflow in drivers/tty/vt/keyboard.c, if k_ascii is called several times in a row (bnc#1172775). - CVE-2020-14416: Fixed a race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002). - CVE-2020-15393: Fixed a memory leak in usbtest_disconnect (bnc#1173514). - CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573). The following non-security bugs were fixed: - ACPICA: Dispatcher: add status checks (git-fixes). - ACPICA: Fixes for acpiExec namespace init file (git-fixes). - ACPI: configfs: Disallow loading ACPI tables when locked down (git-fixes). - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (git-fixes). - ACPI: GED: add support for _Exx / _Lxx handler methods (git-fixes). - ACPI: GED: use correct trigger type field in _Exx / _Lxx handling (git-fixes). - ACPI/IORT: Fix PMCG node single ID mapping handling (git-fixes). - ACPI: PM: Avoid using power resources if there are none for D0 (git-fixes). - ACPI: sysfs: Fix pm_profile_attr type (git-fixes). - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (git-fixes). - ACPI: video: Use native backlight on Acer Aspire 5783z (git-fixes). - ACPI: video: Use native backlight on Acer TravelMate 5735Z (git-fixes). - af_unix: add compat_ioctl support (git-fixes). - agp/intel: Reinforce the barrier after GTT updates (git-fixes). - aio: fix async fsync creds (bsc#1173828). - ALSA: emu10k1: delete an unnecessary condition (git-fixes). - ALSA: es1688: Add the missed snd_card_free() (git-fixes). - ALSA: fireface: fix configuration error for nominal sampling transfer frequency (git-fixes). - ALSA: firewire-lib: fix invalid assignment to union data for directional parameter (git-fixes). - ALSA: hda: Add ElkhartLake HDMI codec vid (git-fixes). - ALSA: hda: add member to store ratio for stripe control (git-fixes). - ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table (git-fixes). - ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (git-fixes). - ALSA: hda: Fix potential race in unsol event handler (git-fixes). - ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later (git-fixes). - ALSA: hda/hdmi: improve debug traces for stream lookups (git-fixes). - ALSA: hda: Intel: add missing PCI IDs for ICL-H, TGL-H and EKL (jsc#SLE-13261). - ALSA: hda - let hs_mic be picked ahead of hp_mic (git-fixes). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (git-fixes). - ALSA: hda/realtek - Add LED class support for micmute LED (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek: Add mute LED and micmute LED support for HP systems (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek - Add quirk for MSI GE63 laptop (git-fixes). - ALSA: hda/realtek - change to suitable link model for ASUS platform (git-fixes). - ALSA: hda/realtek - Enable audio jacks of Acer vCopperbox with ALC269VC (git-fixes). - ALSA: hda/realtek: Enable headset mic of Acer C20-820 with ALC269VC (git-fixes). - ALSA: hda/realtek: Enable headset mic of Acer TravelMate B311R-31 with ALC256 (git-fixes). - ALSA: hda/realtek: Enable headset mic of Acer Veriton N4660G with ALC269VC (git-fixes). - ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G14(G401) series with ALC289 (git-fixes). - ALSA: hda/realtek - Enable micmute LED on and HP system (git-fixes). - ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 (git-fixes). - ALSA: hda/realtek - Enable Speaker for ASUS UX563 (git-fixes). - ALSA: hda/realtek: Fixed ALC298 sound bug by adding quirk for Samsung Notebook Pen S (git-fixes). - ALSA: hda/realtek - Fix Lenovo Thinkpad X1 Carbon 7th quirk subdevice id (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (git-fixes). - ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (git-fixes). - ALSA: hda/realtek - fixup for yet another Intel reference board (git-fixes). - ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (git-fixes). - ALSA: hda/tegra: correct number of SDO lines for Tegra194 (git-fixes). - ALSA: hda/tegra: workaround playback failure on Tegra194 (git-fixes). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: info: Drop WARN_ON() from buffer NULL sanity check (git-fixes). - ALSA: isa/wavefront: prevent out of bounds write in ioctl (git-fixes). - ALSA: line6: Perform sanity check for each URB creation (git-fixes). - ALSA: line6: Sync the pending work cancel at disconnection (git-fixes). - ALSA: opl3: fix infoleak in opl3 (git-fixes). - ALSA: pcm: disallow linking stream to itself (git-fixes). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: fix snd_pcm_link() lockdep splat (git-fixes). - ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for RTX6001 (git-fixes). - ALSA: usb-audio: Add implicit feedback quirk for SSL2+ (git-fixes). - ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (git-fixes). - ALSA: usb-audio: add quirk for Denon DCD-1500RE (git-fixes). - ALSA: usb-audio: add quirk for MacroSilicon MS2109 (git-fixes). - ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG) (git-fixes). - ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Flight S (git-fixes). - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (git-fixes). - ALSA: usb-audio: Clean up quirk entries with macros (git-fixes). - ALSA: usb-audio: Fix a limit check in proc_dump_substream_formats() (git-fixes). - ALSA: usb-audio: Fix inconsistent card PM state after resume (git-fixes). - ALSA: usb-audio: fixing upper volume limit for RME Babyface Pro routing crosspoints (git-fixes). - ALSA: usb-audio: Fixing usage of plain int instead of NULL (git-fixes). - ALSA: usb-audio: Fix OOB access of mixer element list (git-fixes). - ALSA: usb-audio: Fix packet size calculation (bsc#1173847). - ALSA: usb-audio: Fix potential use-after-free of streams (git-fixes). - ALSA: usb-audio: Fix race against the error recovery URB submission (git-fixes). - ALSA: usb-audio: Fix racy list management in output queue (git-fixes). - ALSA: usb-audio: Improve frames size computation (git-fixes). - ALSA: usb-audio: Manage auto-pm of all bundled interfaces (git-fixes). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Print more information in stream proc files (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usb-audio: Remove async workaround for Scarlett 2nd gen (git-fixes). - ALSA: usb-audio: Replace s/frame/packet/ where appropriate (git-fixes). - ALSA: usb-audio: RME Babyface Pro mixer patch (git-fixes). - ALSA: usb-audio: Use the new macro for HP Dock rename quirks (git-fixes). - amdgpu: a NULL ->mm does not mean a thread is a kthread (git-fixes). - amd-xgbe: Use __napi_schedule() in BH context (networking-stable-20_04_17). - apparmor: ensure that dfa state tables have entries (git-fixes). - apparmor: fix introspection of of task mode for unconfined tasks (git-fixes). - apparmor: Fix memory leak of profile proxy (git-fixes). - apparmor: Fix use-after-free in aa_audit_rule_init (git-fixes). - apparmor: remove useless aafs_create_symlink (git-fixes). - arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id (bsc#1174398). - arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode (bsc#1174398). - arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12424). - ARM: oxnas: make ox820_boot_secondary static (git-fixes). - asm-gemeric/tlb: remove stray function declarations (bsc#1156395). - ASoC: codecs: max98373: Removed superfluous volume control from chip default (git-fixes). - ASoc: codecs: max98373: remove Idle_bias_on to let codec suspend (git-fixes). - ASoC: core: only convert non DPCM link to DPCM link (git-fixes). - ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type (git-fixes). - ASoC: fix incomplete error-handling in img_i2s_in_probe (git-fixes). - ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed (git-fixes). - ASoC: fsl_ssi: Fix bclk calculation for mono channel (git-fixes). - ASoC: Intel: bytcht_es8316: Add missed put_device() (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT10-A tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT8-A tablet (git-fixes). - ASoC: intel: cht_bsw_max98090_ti: Add all Chromebooks that need pmc_plt_clk_0 quirk (bsc#1171246). - ASoC: intel - fix the card names (git-fixes). - ASoC: max98373: reorder max98373_reset() in resume (git-fixes). - ASoC: max9867: fix volume controls (git-fixes). - ASoC: meson: add missing free_irq() in error path (git-fixes). - ASoc: q6afe: add support to get port direction (git-fixes). - ASoC: q6asm: handle EOS correctly (git-fixes). - ASoC: qcom: q6asm-dai: kCFI fix (git-fixes). - ASoC: rockchip: add format and rate constraints on rk3399 (git-fixes). - ASoC: rockchip: Fix a reference count leak (git-fixes). - ASoC: rt286: fix unexpected interrupt happens (git-fixes). - ASoC: rt5645: Add platform-data for Asus T101HA (git-fixes). - ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10 (git-fixes). - ASoC: rt5670: Correct RT5670_LDO_SEL_MASK (git-fixes). - ASoC: rt5670: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes). - ASoC: rt5682: Report the button event in the headset type only (git-fixes). - ASoC: SOF: core: fix error return code in sof_probe_continue() (git-fixes). - ASoC: SOF: Do nothing when DSP PM callbacks are not set (git-fixes). - ASoC: SOF: nocodec: conditionally set dpcm_capture/dpcm_playback flags (git-fixes). - ASoC: tegra: tegra_wm8903: Support nvidia, headset property (git-fixes). - ASoC: ti: omap-mcbsp: Fix an error handling path in 'asoc_mcbsp_probe()' (git-fixes). - ASoC: topology: fix kernel oops on route addition error (git-fixes). - ASoC: topology: fix tlvs in error handling for widget_dmixer (git-fixes). - ASoC: ux500: mop500: Fix some refcounted resources issues (git-fixes). - ASoC: wm8974: fix Boost Mixer Aux Switch (git-fixes). - ASoC: wm8974: remove unsupported clock mode (git-fixes). - ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function (git-fixes). - ath10k: fix kernel null pointer dereference (git-fixes). - ath10k: Fix the race condition in firmware dump work queue (git-fixes). - ath10k: Remove ath10k_qmi_register_service_notifier() declaration (git-fixes). - ath10k: remove the max_sched_scan_reqs value (git-fixes). - ath10k: Skip handling del_server during driver exit (git-fixes). - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb (git-fixes). - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx (git-fixes). - ath9k: Fix use-after-free Read in htc_connect_service (git-fixes). - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg (git-fixes). - ath9k_htc: Silence undersized packet warnings (git-fixes). - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb (git-fixes). - ax25: fix setsockopt(SO_BINDTODEVICE) (git-fixes). - ax88172a: fix ax88172a_unbind() failures (git-fixes). - b43: Fix connection problem with WPA3 (git-fixes). - b43legacy: Fix case where channel status is corrupted (git-fixes). - b43_legacy: Fix connection problem with WPA3 (git-fixes). - backlight: lp855x: Ensure regulators are disabled on probe failure (git-fixes). - batman-adv: Revert 'disable ethtool link speed detection when auto negotiation off' (git-fixes). - bdev: fix bdev inode reference count disbalance regression (bsc#1174244) - bfq: Avoid false bfq queue merging (bsc#1171513). - bfq: Fix check detecting whether waker queue should be selected (bsc#1168838). - bfq: Use only idle IO periods for think time calculations (bsc#1171513). - bfq: Use 'ttime' local variable (bsc#1171513). - blacklist.conf: Add 9486727f5981 iommu/vt-d: Make Intel SVM code 64-bit only - blacklist.conf: Add superfluous stable commit IDs - blacklist.conf: cleanup removing unused exported symbols, unavoidable kABI breakage - blacklist.conf: for future infrastructure, and will need kABI workarounds in each user, only if we really need it - blk-iocost: Fix error on iocost_ioc_vrate_adj (bsc#1173206). - blk-iocost: fix incorrect vtime comparison in iocg_is_idle() (bsc#1173206). - blk-mq: consider non-idle request as 'inflight' in blk_mq_rq_inflight() (bsc#1165933). - block/bio-integrity: do not free 'buf' if bio_integrity_add_page() failed (bsc#1173817). - block: Fix use-after-free in blkdev_get() (bsc#1173834). - block: nr_sects_write(): Disable preemption on seqcount write (bsc#1173818). - Bluetooth: Add SCO fallback for invalid LMP parameters error (git-fixes). - Bluetooth: btbcm: Add 2 missing models to subver tables (git-fixes). - Bluetooth: btmtkuart: Improve exception handling in btmtuart_probe() (git-fixes). - Bluetooth: hci_bcm: fix freeing not-requested IRQ (git-fixes). - bnxt_en: Fix AER reset logic on 57500 chips (bsc#1171150). - bnxt_en: fix firmware message length endianness (bsc#1173894). - bnxt_en: Fix return code to 'flash_device' (bsc#1173894). - bnxt_en: Improve TQM ring context memory sizing formulas (jsc#SLE-8371 bsc#1153274). - bnxt_en: Re-enable SRIOV during resume (jsc#SLE-8371 bsc#1153274). - bnxt_en: Return from timer if interface is not in open state (jsc#SLE-8371 bsc#1153274). - bnxt_en: Simplify bnxt_resume() (jsc#SLE-8371 bsc#1153274). - bpf: Document optval > PAGE_SIZE behavior for sockopt hooks (bsc#1155518). - bpf: Do not allow btf_ctx_access with __int128 types (bsc#1155518). - bpf: Do not return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE (bsc#1155518). - bpf: Fix an error code in check_btf_func() (bsc#1154353). - bpf: Fix map permissions check (bsc#1155518). - bpf: Prevent mmap()'ing read-only maps as writable (bsc#1155518). - bpf: Restrict bpf_probe_read{, str}() only to archs where they work (bsc#1172344). - bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier (bsc#1172344). - bpf, sockhash: Synchronize_rcu before free'ing map (git-fixes). - bpf, sockmap: Check update requirements after locking (git-fixes). - bpf: Undo internal BPF_PROBE_MEM in BPF insns dump (bsc#1155518). - bpf, xdp, samples: Fix null pointer dereference in *_user code (bsc#1155518). - brcmfmac: expose RPi firmware config files through modinfo (bsc#1169094). - brcmfmac: fix wrong location to get firmware feature (git-fixes). - brcmfmac: Transform compatible string for FW loading (bsc#1169771). - bridge: Avoid infinite loop when suppressing NS messages with invalid options (networking-stable-20_06_10). - bridge: mcast: Fix MLD2 Report IPv6 payload length check (git-fixes). - btrfs: add assertions for tree == inode->io_tree to extent IO helpers (bsc#1174438). - btrfs: drop argument tree from btrfs_lock_and_flush_ordered_range (bsc#1174438). - btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof (bsc#1174438). - btrfs: fix hang on snapshot creation after RWF_NOWAIT write (bsc#1174438). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: fix RWF_NOWAIT write not failling when we need to cow (bsc#1174438). - btrfs: fix RWF_NOWAIT writes blocking on extent locks and waiting for IO (bsc#1174438). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: use correct count in btrfs_file_write_iter() (bsc#1174438). - bus: ti-sysc: Do not disable on suspend for no-idle (git-fixes). - bus: ti-sysc: Ignore clockactivity unless specified as a quirk (git-fixes). - carl9170: remove P2P_GO support (git-fixes). - cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip (git-fixes). - CDC-ACM: heed quirk also in error handling (git-fixes). - CDC-ACM: heed quirk also in error handling (git-fixes). - ceph: add comments for handle_cap_flush_ack logic (bsc#1172940). - ceph: allow rename operation under different quota realms (bsc#1172988). - ceph: ceph_kick_flushing_caps needs the s_mutex (bsc#1172986). - ceph: convert mdsc->cap_dirty to a per-session list (bsc#1172984 bsc#1167104). - ceph: document what protects i_dirty_item and i_flushing_item (bsc#1172940). - ceph: do not release i_ceph_lock in handle_cap_trunc (bsc#1172940). - ceph: do not return -ESTALE if there's still an open file (bsc#1171915). - ceph: do not take i_ceph_lock in handle_cap_import (bsc#1172940). - ceph: fix potential race in ceph_check_caps (bsc#1172940). - ceph: flush release queue when handling caps for unknown inode (bsc#1172939). - ceph: make sure mdsc->mutex is nested in s->s_mutex to fix dead lock (bsc#1172989). - ceph: normalize 'delta' parameter usage in check_quota_exceeded (bsc#1172987). - ceph: reorganize __send_cap for less spinlock abuse (bsc#1172940). - ceph: request expedited service on session's last cap flush (bsc#1172985 bsc#1167104). - ceph: reset i_requested_max_size if file write is not wanted (bsc#1172983). - ceph: skip checking caps when session reconnecting and releasing reqs (bsc#1172990). - ceph: split up __finish_cap_flush (bsc#1172940). - ceph: throw a warning if we destroy session with mutex still locked (bsc#1172940). - char/random: Add a newline at the end of the file (jsc#SLE-12424). - clk: bcm2835: Fix return type of bcm2835_register_gate (git-fixes). - clk: bcm2835: Remove casting to bcm2835_clk_register (git-fixes). - clk: clk-flexgen: fix clock-critical handling (git-fixes). - clk: mediatek: assign the initial value to clk_init_data of mtk_mux (git-fixes). - clk: meson: meson8b: Do not rely on u-boot to init all GP_PLL registers (git-fixes). - clk: meson: meson8b: Fix the polarity of the RESET_N lines (git-fixes). - clk: meson: meson8b: Fix the vclk_div{1, 2, 4, 6, 12}_en gate bits (git-fixes). - clk: qcom: Add missing msm8998 ufs_unipro_core_clk_src (git-fixes). - clk: qcom: msm8916: Fix the address location of pll->config_reg (git-fixes). - clk: renesas: cpg-mssr: Fix STBCR suspend/resume handling (git-fixes). - clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 (git-fixes). - clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical (git-fixes). - clk: sifive: allocate sufficient memory for struct __prci_data (git-fixes). - clk: sprd: return correct type of value for _sprd_pll_recalc_rate (git-fixes). - clk: sunxi: Fix incorrect usage of round_down() (git-fixes). - clk: ti: am33xx: fix RTC clock parent (git-fixes). - clk: ti: composite: fix memory leak (git-fixes). - clk: zynqmp: fix memory leak in zynqmp_register_clocks (git-fixes). - clocksource: dw_apb_timer: Make CPU-affiliation being optional (git-fixes). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (git-fixes). - component: Silence bind error on -EPROBE_DEFER (git-fixes). - config: arm64: enable CONFIG_IOMMU_DEFAULT_PASSTHROUGH References: bsc#1172739 - coredump: fix crash when umh is disabled (git-fixes). - coredump: fix null pointer dereference on coredump (git-fixes). - cpufreq: Fix up cpufreq_boost_set_sw() (git-fixes). - cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once (git-fixes). - cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn (git-fixes). - cpuidle: Fix three reference count leaks (git-fixes). - crypto: algapi - Avoid spurious modprobe on LOADED (git-fixes). - crypto: algboss - do not wait during notifier callback (git-fixes). - crypto: algif_skcipher - Cap recv SG list at ctx->used (git-fixes). - crypto - Avoid free() namespace collision (git-fixes). - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated (git-fixes). - crypto: ccp -- do not 'select' CONFIG_DMADEVICES (git-fixes). - crypto/chcr: fix for ccm(aes) failed test (git-fixes). - crypto: chelsio/chtls: properly set tp->lsndtime (git-fixes). - crypto: drbg - fix error return code in drbg_alloc_state() (git-fixes). - crypto: omap-sham - add proper load balancing support for multicore (git-fixes). - crypto: stm32/crc32 - fix ext4 chksum BUG_ON() (git-fixes). - crypto: stm32/crc32 - fix multi-instance (git-fixes). - crypto: stm32/crc32 - fix run-time self test issue (git-fixes). - cxgb4: fix adapter crash due to wrong MC size (networking-stable-20_04_27). - cxgb4: fix large delays in PTP synchronization (networking-stable-20_04_27). - dccp: Fix possible memleak in dccp_init and dccp_fini (networking-stable-20_06_16). - debugfs: Check module state before warning in {full/open}_proxy_open() (bsc#1173746). - devinet: fix memleak in inetdev_init() (networking-stable-20_06_07). - devlink: fix return value after hitting end in region read (networking-stable-20_05_12). - devmap: Use bpf_map_area_alloc() for allocating hash buckets (bsc#1154353). - /dev/mem: Add missing memory barriers for devmem_inode (git-fixes). - /dev/mem: Revoke mappings when a driver claims the region (git-fixes). - dma-coherent: fix integer overflow in the reserved-memory dma allocation (git-fixes). - dma-debug: fix displaying of dma allocation type (git-fixes). - dma-direct: fix data truncation in dma_direct_get_required_mask() (git-fixes). - dmaengine: dmatest: Fix process hang when reading 'wait' parameter (git-fixes). - dmaengine: dmatest: Restore default for channel (git-fixes). - dmaengine: dmatest: stop completed threads when running without set channel (git-fixes). - dmaengine: dw: Initialize channel before each transfer (git-fixes). - dmaengine: fsl-edma-common: correct DSIZE_32BYTE (git-fixes). - dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler (git-fixes). - dmaengine: imx-sdma: Fix: Remove 'always true' comparison (git-fixes). - dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler (git-fixes). - dmaengine: mmp_tdma: Do not ignore slave config validation errors (git-fixes). - dmaengine: mmp_tdma: Reset channel error on release (git-fixes). - dmaengine: owl: Use correct lock in owl_dma_get_pchan() (git-fixes). - dmaengine: pch_dma.c: Avoid data race between probe and irq handler (git-fixes). - dmaengine: sh: usb-dmac: set tx_result parameters (git-fixes). - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (git-fixes). - dm: do not use waitqueue for request-based DM (bsc#1165933). - dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: reject asynchronous pmem devices (bsc#1156395). - dpaa2-eth: prevent array underflow in update_cls_rule() (networking-stable-20_05_16). - dpaa2-eth: properly handle buffer size restrictions (networking-stable-20_05_16). - dpaa_eth: fix usage as DSA master, try 3 (networking-stable-20_05_27). - dpaa_eth: FMan erratum A050385 workaround (bsc#1174396). - dpaa_eth: Make dpaa_a050385_wa static (bsc#1174396). - drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish (git-fixes). - drivers: hv: Change flag to write log level in panic msg to false (bsc#1170617). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). - drivers: phy: sr-usb: do not use internal fsm for USB2 phy init (git-fixes). - drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (git-fixes). - drm/amd/display: add basic atomic check for cursor plane (git-fixes). - drm/amd/display: drop cursor position check in atomic test (git-fixes). - drm: amd/display: fix Kconfig help text (bsc#1152489) * context changes - drm/amd/display: Only revalidate bandwidth on medium and fast updates (git-fixes). - drm/amd/display: Prevent dpcd reads with passive dongles (git-fixes). - drm/amd/display: Revalidate bandwidth before commiting DC updates (git-fixes). - drm/amd/display: Use kfree() to free rgb_user in calculate_user_regamma_ramp() (git-fixes). - drm/amd: fix potential memleak in err branch (git-fixes). - drm/amdgpu: add fw release for sdma v5_0 (git-fixes). - drm/amdgpu/atomfirmware: fix vram_info fetching for renoir (git-fixes). - drm/amdgpu: do not do soft recovery if gpu_recovery=0 (git-fixes). - drm/amdgpu: drop redundant cg/pg ungate on runpm enter (git-fixes). - drm/amdgpu: fix gfx hang during suspend with video playback (v2) (git-fixes). - drm/amdgpu: fix the hw hang during perform system reboot and reset (git-fixes). - drm/amdgpu: force fbdev into vram (bsc#1152472) * context changes - drm/amdgpu: Init data to avoid oops while reading pp_num_states (git-fixes). - drm/amdgpu: invalidate L2 before SDMA IBs (v2) (git-fixes). - drm/amdgpu: move kfd suspend after ip_suspend_phase1 (git-fixes). - drm/amdgpu: Replace invalid device ID with a valid device ID (bsc#1152472) - drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr() (git-fixes). - drm/amdgpu: simplify padding calculations (v2) (git-fixes). - drm/amdgpu: use %u rather than %d for sclk/mclk (git-fixes). - drm/amd/powerpay: Disable gfxoff when setting manual mode on picasso and raven (git-fixes). - drm/amd/powerplay: avoid using pm_en before it is initialized revised (git-fixes). - drm/amd/powerplay: perform PG ungate prior to CG ungate (git-fixes). - drm: bridge: adv7511: Extend list of audio sample rates (git-fixes). - drm/connector: notify userspace on hotplug after register complete (bsc#1152489) * context changes - drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1152472) * context changes - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (git-fixes). - drm/edid: Add Oculus Rift S to non-desktop list (git-fixes). - drm: encoder_slave: fix refcouting error for modules (git-fixes). - drm/etnaviv: fix perfmon domain interation (git-fixes). - drm/etnaviv: rework perfmon query infrastructure (git-fixes). - drm/exynos: fix ref count leak in mic_pre_enable (git-fixes). - drm/exynos: Properly propagate return value in drm_iommu_attach_device() (git-fixes). - drm/i915: Do not enable WaIncreaseLatencyIPCEnabled when IPC is (bsc#1152489) - drm/i915: Do not enable WaIncreaseLatencyIPCEnabled when IPC is disabled (git-fixes). - drm/i915: extend audio CDCLK>=2*BCLK constraint to more platforms (git-fixes). - drm/i915: Extend WaDisableDARBFClkGating to icl,ehl,tgl (bsc#1152489) - drm/i915: fix port checks for MST support on gen >= 11 (git-fixes). - drm/i915/gem: Avoid iterating an empty list (git-fixes). - drm/i915/gt: Do not schedule normal requests immediately along (bsc#1152489) - drm/i915/gt: Ignore irq enabling on the virtual engines (git-fixes). - drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest (bsc#1152489) - drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest (git-fixes). - drm/i915/gvt: Fix two CFL MMIO handling caused by regression. (bsc#1152489) - drm/i915/gvt: Fix two CFL MMIO handling caused by regression (git-fixes). - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1152489) - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance (git-fixes). - drm/i915: HDCP: fix Ri prime check done during link check (bsc#1152489) * context changes - drm/i915: HDCP: fix Ri prime check done during link check (git-fixes). - drm/i915/icl+: Fix hotplug interrupt disabling after storm detection (bsc#1152489) - drm/i915: Limit audio CDCLK>=2*BCLK constraint back to GLK only (git-fixes). - drm/i915: Propagate error from completed fences (git-fixes). - drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (git-fixes). - drm/i915: work around false-positive maybe-uninitialized warning (git-fixes). - drm/mcde: dsi: Fix return value check in mcde_dsi_bind() (git-fixes). - drm: mcde: Fix display initialization problem (git-fixes). - drm/mediatek: Check plane visibility in atomic_update (git-fixes). - drm/msm: Check for powered down HW in the devfreq callbacks (bsc#1152489) - drm/msm/dpu: allow initialization of encoder locks during encoder init (git-fixes). - drm/msm/dpu: fix error return code in dpu_encoder_init (bsc#1152489) - drm/msm/dpu: fix error return code in dpu_encoder_init (git-fixes). - drm/msm: fix potential memleak in error branch (git-fixes). - drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation (git-fixes). - drm/nouveau/disp/gm200-: fix NV_PDISP_SOR_HDMI2_CTRL(n) selection (git-fixes). - drm: panel-orientation-quirks: Add quirk for Asus T101HA panel (git-fixes). - drm: panel-orientation-quirks: Use generic orientation-data for Acer S1003 (git-fixes). - drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() (git-fixes). - drm/qxl: Use correct notify port address when creating cursor ring (bsc#1152472) - drm/radeon: fix double free (git-fixes). - drm/radeon: fix fb_div check in ni_init_smc_spll_table() (bsc#1152472) - drm: rcar-du: Fix build error (bsc#1152472) - drm/sun4i: hdmi ddc clk: Fix size of m divider (git-fixes). - drm: sun4i: hdmi: Remove extra HPD polling (bsc#1152489) - drm: sun4i: hdmi: Remove extra HPD polling (git-fixes). - drm/sun4i: tcon: Separate quirks for tcon0 and tcon1 on A20 (git-fixes). - drm/tegra: hub: Do not enable orphaned window group (git-fixes). - drm/vkms: Hold gem object while still in-use (git-fixes). - Drop a couple of block layer git-fixes (bsc#1170891 bsc#1173139) Upstream changed the partition usage counter check back and forth and ended up reverting all changes. Let's drop our the partial backport. (cherry picked from commit 70ad1b2fa5955d91e1a09a8027daf210e28fee30) - Drop a couple of block layer git-fixes Upstream changed the partition usage counter check back and forth and ended up reverting all changes. Let's drop our the partial backport. - dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() (git-fixes). - e1000: Distribute switch variables for initialization (git-fixes). - e1000e: Disable TSO for buffer overrun workaround (git-fixes). - e1000e: Do not wake up the system via WOL if device wakeup is disabled (git-fixes). - e1000e: Relax condition to trigger reset for ME workaround (git-fixes). - EDAC/amd64: Add PCI device IDs for family 17h, model 70h (bsc#1165975). - EDAC/ghes: Setup DIMM label from DMI and use it in error reports (bsc#1168779). - EDAC/skx: Use the mcmtr register to retrieve close_pg/bank_xor_enable (bsc#1152489). - EDAC/synopsys: Do not dump uninitialized pinf->col (bsc#1152489). - efi/efivars: Add missing kobject_put() in sysfs entry creation error path (git-fixes). - efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12424). - efi: READ_ONCE rng seed size before munmap (jsc#SLE-12424). - efi/tpm: Verify event log header before parsing (bsc#1173461). - eventpoll: fix missing wakeup for ovflist in ep_poll_callback (bsc#1159867). - evm: Check also if *tfm is an error pointer in init_desc() (git-fixes). - evm: Fix a small race in init_desc() (git-fixes). - evm: Fix possible memory leak in evm_calc_hmac_or_hash() (git-fixes). - evm: Fix RCU list related warnings (git-fixes). - exfat: add missing brelse() calls on error paths (git-fixes). - exfat: fix incorrect update of stream entry in __exfat_truncate() (git-fixes). - exfat: fix memory leak in exfat_parse_param() (git-fixes). - exfat: move setting VOL_DIRTY over exfat_remove_entries() (git-fixes). - ext4: avoid utf8_strncasecmp() with unstable name (bsc#1173843). - ext4: fix error pointer dereference (bsc#1173837). - ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max (bsc#1173836). - ext4: fix partial cluster initialization when splitting extent (bsc#1173839). - ext4: fix race between ext4_sync_parent() and rename() (bsc#1173838). - ext4, jbd2: ensure panic by fix a race between jbd2 abort and ext4 error handlers (bsc#1173833). - ext4: stop overwrite the errcode in ext4_setup_super (bsc#1173841). - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (git-fixes). - fanotify: fix ignore mask logic for events on child and on dir (bsc#1172719). - fat: do not allow to mount if the FAT length == 0 (bsc#1173831). - fdt: add support for rng-seed (jsc#SLE-12424). - fdt: Update CRC check for rng-seed (jsc#SLE-12424). - firmware: imx: scu: Fix corruption of header (git-fixes). - firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (git-fixes). - firmware: imx-scu: Support one TX and one RX (git-fixes). - firmware: imx: warn on unexpected RX (git-fixes). - firmware: qcom_scm: fix bogous abuse of dma-direct internals (git-fixes). - firmware: xilinx: Fix an error handling path in 'zynqmp_firmware_probe()' (git-fixes). - Fix a regression of AF_ALG crypto interface hang with aes_s390 (bsc#1167651) - fix multiplication overflow in copy_fdtable() (bsc#1173825). - fork: prevent accidental access to clone3 features (bsc#1174018). - fpga: dfl: afu: Corrected error handling levels (git-fixes). - fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks (networking-stable-20_05_12). - fs: Do not check if there is a fsnotify watcher on pseudo inodes (bsc#1158765). - fsl/fman: detect FMan erratum A050385 (bsc#1174396) Update arm64 config file - fsnotify: Rearrange fast path to minimise overhead when there is no watcher (bsc#1158765). - fuse: copy_file_range should truncate cache (git-fixes). - fuse: fix copy_file_range cache issues (git-fixes). - genetlink: clean up family attributes allocations (git-fixes). - genetlink: fix memory leaks in genl_family_rcv_msg_dumpit() (bsc#1154353). - geneve: allow changing DF behavior after creation (git-fixes). - geneve: change from tx_error to tx_dropped on missing metadata (git-fixes). - gfs2: fix glock reference problem in gfs2_trans_remove_revoke (bsc#1173823). - gfs2: Multi-block allocations in gfs2_page_mkwrite (bsc#1173822). - gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe() (git-fixes). - gpio: dwapb: Append MODULE_ALIAS for platform driver (git-fixes). - gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-registration (git-fixes). - gpio: exar: Fix bad handling for ida_simple_get error path (git-fixes). - gpiolib: Document that GPIO line names are not globally unique (git-fixes). - gpio: pca953x: disable regmap locking for automatic address incrementing (git-fixes). - gpio: pca953x: Fix GPIO resource leak on Intel Galileo Gen 2 (git-fixes). - gpio: pca953x: fix handling of automatic address incrementing (git-fixes). - gpio: pca953x: Fix pca953x_gpio_set_config (git-fixes). - gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2 (git-fixes). - gpio: pxa: Fix return value of pxa_gpio_probe() (git-fixes). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (git-fixes). - gpu/drm: Ingenic: Fix opaque pointer casted to wrong type (git-fixes). - gpu: host1x: Detach driver on unregister (git-fixes). - habanalabs: Align protection bits configuration of all TPCs (git-fixes). - HID: Add quirks for Trust Panora Graphic Tablet (git-fixes). - HID: alps: Add AUI1657 device ID (git-fixes). - HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead (git-fixes). - HID: i2c-hid: add Schneider SCL142ALM to descriptor override (git-fixes). - HID: i2c-hid: reset Synaptics SYNA2393 on resume (git-fixes). - HID: intel-ish-hid: avoid bogus uninitialized-variable warning (git-fixes). - HID: logitech-hidpp: avoid repeated 'multiplier = ' log messages (git-fixes). - HID: magicmouse: do not set up autorepeat (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (git-fixes). - HID: multitouch: enable multi-input as a quirk for some devices (git-fixes). - HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock (git-fixes). - HID: quirks: Always poll Obins Anne Pro 2 keyboard (git-fixes). - HID: quirks: Ignore Simply Automated UPB PIM (git-fixes). - HID: quirks: Remove ITE 8595 entry from hid_have_special_driver (git-fixes). - HID: sony: Fix for broken buttons on DS3 USB dongles (git-fixes). - hinic: fix a bug of ndo_stop (networking-stable-20_05_16). - hinic: fix wrong para of wait_for_completion_timeout (networking-stable-20_05_16). - hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hv_netvsc: Fix netvsc_start_xmit's return type (git-fixes). - hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() (git-fixes). - hwmon: (emc2103) fix unable to change fan pwm1_enable attribute (git-fixes). - hwmon: (k10temp) Add AMD family 17h model 60h PCI match (git-fixes). - hwmon: (max6697) Make sure the OVERT mask is set correctly (git-fixes). - hwmon: (pmbus) fix a typo in Kconfig SENSORS_IR35221 option (git-fixes). - hwrng: ks-sa - Fix runtime PM imbalance on error (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). - i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 (git-fixes). - i2c: altera: Fix race between xfer_msg and isr thread (git-fixes). - i2c: core: check returned size of emulated smbus block read (git-fixes). - i2c: designware-pci: Add support for Elkhart Lake PSE I2C (jsc#SLE-12734). - i2c: designware-pci: Fix BUG_ON during device removal (jsc#SLE-12734). - i2c: designware-pci: Switch over to MSI interrupts (jsc#SLE-12734). - i2c: dev: Fix the race between the release of i2c_dev and cdev (git-fixes). - i2c: eg20t: Load module automatically if ID matches (git-fixes). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). - i2c: fsi: Fix the port number field in status register (git-fixes). - i2c: mlxcpld: check correct size of maximum RECV_LEN packet (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (git-fixes). - i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets (git-fixes). - i2c: pxa: clear all master action bits in i2c_pxa_stop_message() (git-fixes). - i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output (git-fixes). - IB/hfi1: Do not destroy hfi1_wq when the device is shut down (bsc#1174409). - IB/hfi1: Do not destroy link_wq when the device is shut down (bsc#1174409). - IB/hfi1: Fix another case where pq is left on waitlist (bsc#1174411). - IB/hfi1: Fix module use count flaw due to leftover module put calls (bsc#1174407). - ibmveth: Fix max MTU limit (bsc#1173428 ltc#186397). - ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369). - ibmvnic: Flush existing work items before device removal (bsc#1065729). - ibmvnic: Harden device login requests (bsc#1170011 ltc#183538). - IB/rdmavt: Free kernel completion queue when done (bsc#1173625). - ice: Fix error return code in ice_add_prof() (jsc#SLE-7926). - ice: Fix inability to set channels when down (jsc#SLE-7926). - ieee80211: Fix incorrect mask for default PE duration (git-fixes). - iio: adc: ad7780: Fix a resource handling path in 'ad7780_probe()' (git-fixes). - iio: adc: stm32-adc: fix device used to request dma (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (git-fixes). - iio: adc: stm32-dfsdm: fix device used to request dma (git-fixes). - iio: adc: stm32-dfsdm: Use dma_request_chan() instead dma_request_slave_channel() (git-fixes). - iio: adc: ti-ads8344: Fix channel selection (git-fixes). - iio: bmp280: fix compensation of humidity (git-fixes). - iio: buffer: Do not allow buffers without any channels enabled to be activated (git-fixes). - iio:chemical:pms7003: Fix timestamp alignment and prevent data leak (git-fixes). - iio:chemical:sps30: Fix timestamp alignment (git-fixes). - iio: core: add missing IIO_MOD_H2/ETHANOL string identifiers (git-fixes). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (git-fixes). - iio:health:afe4404 Fix timestamp alignment and prevent data leak (git-fixes). - iio:humidity:hdc100x Fix alignment and data leak issues (git-fixes). - iio:humidity:hts221 Fix alignment and data leak issues (git-fixes). - iio:magnetometer:ak8974: Fix alignment and data leak issues (git-fixes). - iio: magnetometer: ak8974: Fix runtime PM imbalance on error (git-fixes). - iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() (git-fixes). - iio: pressure: bmp280: Tolerate IRQ before registering (git-fixes). - iio:pressure:ms5611 Fix buffer element alignment (git-fixes). - iio: pressure: zpa2326: handle pm_runtime_get_sync failure (git-fixes). - iio: sca3000: Remove an erroneous 'get_device()' (git-fixes). - iio: vcnl4000: Fix i2c swapped word reading (git-fixes). - ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init() (bsc#1172223). - ima: Directly assign the ima_default_policy pointer to ima_rules (bsc#1172223) - ima: Directly free *entry in ima_alloc_init_template() if digests is NULL (bsc#1172223). - ima: Remove __init annotation from ima_pcrread() (git-fixes). - include/asm-generic/topology.h: guard cpumask_of_node() macro argument (bsc#1148868). - Input: dlink-dir685-touchkeys - fix a typo in driver name (git-fixes). - Input: edt-ft5x06 - fix get_default register write access (git-fixes). - Input: elan_i2c - add more hardware ID for Lenovo laptops (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (git-fixes). - Input: goodix - fix touch coordinates on Cube I15-TC (git-fixes). - Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list (git-fixes). - Input: i8042 - add ThinkPad S230u to i8042 reset list (git-fixes). - input: i8042 - Remove special PowerPC handling (git-fixes). - Input: mms114 - add extra compatible for mms345l (git-fixes). - Input: mms114 - fix handling of mms345l (git-fixes). - Input: synaptics - add a second working PNP_ID for Lenovo T470s (git-fixes). - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (git-fixes). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (git-fixes). - Input: xpad - add custom init packet for Xbox One S controllers (git-fixes). - intel_th: Fix a NULL dereference when hub driver is not loaded (git-fixes). - intel_th: pci: Add Emmitsburg PCH support (git-fixes). - intel_th: pci: Add Jasper Lake CPU support (git-fixes). - intel_th: pci: Add Tiger Lake PCH-H support (git-fixes). - iocost: check active_list of all the ancestors in iocg_activate() (bsc#1173206). - iocost: over-budget forced IOs should schedule async delay (bsc#1173206). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172061). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172062). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172063). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172393). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172064). - iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172065). - iommu/amd: Update Device Table in increase_address_space() (bsc#1172066). - iommu/arm-smmu-v3: Do not reserve implementation defined register space (bsc#1174126). - iommu: Fix reference count leak in iommu_group_alloc (bsc#1172394). - iommu/qcom: Fix local_base status check (bsc#1172067). - iommu/virtio: Reverse arguments to list_add (bsc#1172068). - iommu/vt-d: Enable PCI ACS for platform opt in hint (bsc#1174127). - iommu/vt-d: Update scalable mode paging structure coherency (bsc#1174128). - ionic: add pcie_print_link_status (bsc#1167773). - ionic: centralize queue reset code (bsc#1167773). - ionic: export features for vlans to use (bsc#1167773). - ionic: no link check while resetting queues (bsc#1167773). - ionic: remove support for mgmt device (bsc#1167773). - ionic: tame the watchdog timer on reconfig (bsc#1167773). - ionic: update the queue count on open (bsc#1167773). - ionic: wait on queue start until after IFF_UP (bsc#1167773). - io_uring: use kvfree() in io_sqe_buffer_register() (bsc#1173832). - ipmi: use vzalloc instead of kmalloc for user creation (git-fixes). - ipv4: Update fib_select_default to handle nexthop objects (networking-stable-20_04_27). - ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662). - ipvs: Improve robustness to the ipvs sysctl (git-fixes). - irqchip/al-fic: Add support for irq retrigger (jsc#SLE-10505). - irqchip/ti-sci-inta: Fix processing of masked irqs (git-fixes). - irqchip/versatile-fpga: Apply clear-mask earlier (git-fixes). - irqchip/versatile-fpga: Handle chained IRQs properly (git-fixes). - iwlwifi: avoid debug max amsdu config overwriting itself (git-fixes). - iwlwifi: mvm: fix aux station leak (git-fixes). - iwlwifi: mvm: limit maximum queue appropriately (git-fixes). - iwlwifi: pcie: handle QuZ configs with killer NICs as well (bsc#1172374). - ixgbe: do not check firmware errors (bsc#1170284). - jbd2: avoid leaking transaction credits when unreserving handle (bsc#1173845). - jbd2: fix data races at struct journal_head (bsc#1173438). - jbd2: Preserve kABI when adding j_abort_mutex (bsc#1173833). - kabi fix for SUNRPC-dont-update-timeout-value-on-connection-reset.patch (bsc1174263). - kABI fixup mtk-vpu: avoid unaligned access to DTCM buffer (git-fixes). - kabi: hv: prevent struct device_node to become defined (bsc#1172871). - kabi: ppc64le: prevent struct dma_map_ops to become defined (jsc#SLE-12424). - kABI: protect struct fib_dump_filter (kabi). - kABI: protect struct mlx5_cmd_work_ent (kabi). - kABI: reintroduce inet_hashtables.h include to l2tp_ip (kabi). - kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party. - kABI workaround for struct hdac_bus changes (git-fixes). - keys: asymmetric: fix error return code in software_key_query() (git-fixes). - ktest: Add timeout for ssh sync testing (git-fixes). - KVM: Check validity of resolved slot when searching memslots (bsc#1172069). - KVM: nVMX: always update CR3 in VMCS (git-fixes). - KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904). - KVM: x86: only do L1TF workaround on affected processors (bsc#1171904). - l2tp: add sk_family checks to l2tp_validate_socket (networking-stable-20_06_07). - l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17). - l2tp: do not use inet_hash()/inet_unhash() (networking-stable-20_06_07). - libbpf: Fix perf_buffer__free() API for sparse allocs (bsc#1155518). - libceph: do not omit recovery_deletes in target_copy() (git-fixes). - libceph: ignore pool overlay and cache logic on redirects (bsc#1172938). - lib: devres: add a helper function for ioremap_uc (git-fixes). - libertas_tf: avoid a null dereference in pointer priv (git-fixes). - lib/lzo: fix ambiguous encoding bug in lzo-rle (git-fixes). - libnvdimm/btt: fix variable 'rc' set but not used (bsc#1162400). - libnvdimm: cover up nd_pfn_sb changes (bsc#1171759). - libnvdimm: cover up nd_region changes (bsc#1162400). - libnvdimm/dax: Pick the right alignment default when creating dax devices (bsc#1171759). - libnvdimm/label: Remove the dpa align check (bsc#1171759). - libnvdimm/namespace: Enforce memremap_compat_align() (bsc#1162400). - libnvdimm/namsepace: Do not set claim_class on error (bsc#1162400). - libnvdimm/of_pmem: Provide a unique name for bus provider (bsc#1171739). - libnvdimm: Out of bounds read in __nd_ioctl() (bsc#1065729). - libnvdimm/pfn_dev: Add a build check to make sure we notice when struct page size change (bsc#1171743). - libnvdimm/pfn_dev: Add page size and struct page size to pfn superblock (bsc#1171759). - libnvdimm/pfn: Prevent raw mode fallback if pfn-infoblock valid (bsc#1171743). - libnvdimm/pmem: Advance namespace seed for specific probe errors (bsc#1171743). - libnvdimm/region: Fix build error (bsc#1162400). - libnvdimm/region: Introduce an 'align' attribute (bsc#1162400). - libnvdimm/region: Introduce NDD_LABELING (bsc#1162400). - libnvdimm/region: Rewrite _probe_success() to _advance_seeds() (bsc#1171743). - libnvdimm: Use PAGE_SIZE instead of SZ_4K for align check (bsc#1171759). - lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() (bsc#1174331). - lib: Uplevel the pmem 'region' ida to a global allocator (bc#1162400). - list: Add hlist_unhashed_lockless() (bsc#1173438). - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995). - livepatch: Disallow vmlinux.ko (bsc#1071995). - livepatch: Make klp_apply_object_relocs static (bsc#1071995). - livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995). - livepatch: Remove .klp.arch (bsc#1071995). - locktorture: Allow CPU-hotplug to be disabled via --bootargs (bsc#1173068). - loop: replace kill_bdev with invalidate_bdev (bsc#1173820). - lpfc_debugfs: get rid of pointless access_ok() (bsc#1171530). - lpfc: fix axchg pointer reference after free and double frees (bsc#1171530). - lpfc: Fix pointer checks and comments in LS receive refactoring (bsc#1171530). - lpfc: Fix return value in __lpfc_nvme_ls_abort (bsc#1171530). - lpfc: Synchronize NVME transport and lpfc driver devloss_tmo (bcs#1173060). - mac80211: mesh: fix discovery timer re-arming issue / crash (git-fixes). - mailbox: zynqmp-ipi: Fix NULL vs IS_ERR() check in zynqmp_ipi_mbox_probe() (git-fixes). - Make the 'Reducing compressed framebufer size' message be DRM_INFO_ONCE() (git-fixes). - mdraid: fix read/write bytes accounting (bsc#1172537). - media: cec: silence shift wrapping warning in __cec_s_log_addrs() (git-fixes). - media: cedrus: Program output format during each run (git-fixes). - media: dvbdev: Fix tuner->demod media controller link (git-fixes). - media: dvb: return -EREMOTEIO on i2c transfer failure (git-fixes). - media: dvbsky: add support for eyeTV Geniatech T2 lite (bsc#1173776). - media: dvbsky: add support for Mygica T230C v2 (bsc#1173776). - media: imx: imx7-mipi-csis: Cleanup and fix subdev pad format handling (git-fixes). - media: mtk-vpu: avoid unaligned access to DTCM buffer (git-fixes). - media: ov5640: fix use of destroyed mutex (git-fixes). - media: platform: fcp: Set appropriate DMA parameters (git-fixes). - media: Revert 'staging: imgu: Address a compiler warning on alignment' (git-fixes). - media: si2157: Better check for running tuner in init (git-fixes). - media: si2168: add support for Mygica T230C v2 (bsc#1173776). - media: staging: imgu: do not hold spinlock during freeing mmu page table (git-fixes). - media: staging/intel-ipu3: Implement lock for stream on/off operations (git-fixes). - media: staging: ipu3: Fix stale list entries on parameter queue failure (git-fixes). - media: staging: ipu3-imgu: Move alignment attribute to field (git-fixes). - media: vicodec: Fix error codes in probe function (git-fixes). - mei: bus: do not clean driver pointer (git-fixes). - mei: release me_cl object reference (git-fixes). - mfd: intel-lpss: Add Intel Jasper Lake PCI IDs (jsc#SLE-12602). - mfd: intel-lpss: Add Intel Tiger Lake PCI IDs (jsc#SLE-12737). - mfd: intel-lpss: Use devm_ioremap_uc for MMIO (git-fixes). - mfd: stmfx: Fix stmfx_irq_init error path (git-fixes). - mfd: stmfx: Reset chip on resume as supply was disabled (git-fixes). - mfd: wm8994: Fix driver operation if loaded as modules (git-fixes). - misc: fastrpc: fix potential fastrpc_invoke_ctx leak (git-fixes). - misc: rtsx: Add short delay after exit from ASPM (git-fixes). - mlxsw: core: Use different get_trend() callbacks for different thermal zones (networking-stable-20_06_10). - mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27). - mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly (networking-stable-20_05_12). - mm: adjust vm_committed_as_batch according to vm overcommit policy (bnc#1173271). - mmc: block: Fix use-after-free issue for rpmb (git-fixes). - mmc: core: Use DEFINE_DEBUGFS_ATTRIBUTE instead of DEFINE_SIMPLE_ATTRIBUTE (git-fixes). - mmc: fix compilation of user API (git-fixes). - mmc: meson-gx: limit segments to 1 when dram-access-quirk is needed (git-fixes). - mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error (git-fixes). - mmc: mmci_sdmmc: fix DMA API warning overlapping mappings (git-fixes). - mmc: sdhci: do not enable card detect interrupt for gpio cd type (git-fixes). - mmc: sdhci-esdhc-imx: fix the mask for tuning start point (git-fixes). - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (git-fixes). - mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk (git-fixes). - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (git-fixes). - mmc: sdio: Fix several potential memory leaks in mmc_sdio_init_card() (git-fixes). - mmc: tmio: Further fixup runtime PM management at remove (git-fixes). - mmc: uniphier-sd: call devm_request_irq() after tmio_mmc_host_probe() (git-fixes). - mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core (git-fixes). - mm: do not prepare anon_vma if vma has VM_WIPEONFORK (bsc#1169681). - mm: fix NUMA node file count error in replace_page_cache() (bsc#1173844). - mm: memcontrol: fix memory.low proportional distribution (bsc#1168230). - mm/memory_hotplug: refrain from adding memory into an impossible node (bsc#1173552). - mm/memremap: drop unused SECTION_SIZE and SECTION_MASK (bsc#1162400 bsc#1170895 ltc#184375 ltc#185686). - mm/memremap_pages: Introduce memremap_compat_align() (bsc#1162400). - mm/memremap_pages: Kill unused __devm_memremap_pages() (bsc#1162400). - mm/mmap.c: close race between munmap() and expand_upwards()/downwards() (bsc#1174527). - mm/util.c: make vm_memory_committed() more accurate (bnc#1173271). - move unsortable patch out of sorted section patches.suse/revert-zram-convert-remaining-class_attr-to-class_attr_ro - mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter (git-fixes). - mtd: Fix mtd not registered due to nvmem name collision (git-fixes). - mtd: rawnand: brcmnand: correctly verify erased pages (git-fixes). - mtd: rawnand: brcmnand: fix CS0 layout (git-fixes). - mtd: rawnand: brcmnand: fix hamming oob layout (git-fixes). - mtd: rawnand: diskonchip: Fix the probe error path (git-fixes). - mtd: rawnand: Fix nand_gpio_waitrdy() (git-fixes). - mtd: rawnand: ingenic: Fix the probe error path (git-fixes). - mtd: rawnand: marvell: Fix probe error path (git-fixes). - mtd: rawnand: marvell: Fix the condition on a return code (git-fixes). - mtd: rawnand: marvell: Use nand_cleanup() when the device is not yet registered (git-fixes). - mtd: rawnand: mtk: Fix the probe error path (git-fixes). - mtd: rawnand: onfi: Fix redundancy detection check (git-fixes). - mtd: rawnand: orion: Fix the probe error path (git-fixes). - mtd: rawnand: oxnas: Keep track of registered devices (git-fixes). - mtd: rawnand: oxnas: Release all devices in the _remove() path (git-fixes). - mtd: rawnand: pasemi: Fix the probe error path (git-fixes). - mtd: rawnand: plat_nand: Fix the probe error path (git-fixes). - mtd: rawnand: sharpsl: Fix the probe error path (git-fixes). - mtd: rawnand: socrates: Fix the probe error path (git-fixes). - mtd: rawnand: sunxi: Fix the probe error path (git-fixes). - mtd: rawnand: timings: Fix default tR_max and tCCS_min timings (git-fixes). - mtd: rawnand: tmio: Fix the probe error path (git-fixes). - mtd: rawnand: xway: Fix the probe error path (git-fixes). - mtd: spinand: Propagate ECC information to the MTD structure (git-fixes). - mtd: spi-nor: intel-spi: Add support for Intel Tiger Lake SPI serial flash (jsc#SLE-12737). - mvpp2: remove module bugfix (bsc#1154353). - mwifiex: avoid -Wstringop-overflow warning (git-fixes). - mwifiex: Fix memory corruption in dump_station (git-fixes). - namei: only return -ECHILD from follow_dotdot_rcu() (bsc#1173824). - nbd: Fix memory leak in nbd_add_socket (git-fixes). - neigh: send protocol value in neighbor create notification (networking-stable-20_05_12). - net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27). - net: be more gentle about silly gso requests coming from user (networking-stable-20_06_07). - net: check untrusted gso_size at kernel entry (networking-stable-20_06_07). - net: core: device_rename: Use rwsem instead of a seqcount (bsc#1162702). - net: do not return invalid table id error when we fall back to PF_UNSPEC (networking-stable-20_05_27). - net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (networking-stable-20_04_27). - net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27). - net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled (networking-stable-20_04_27). - net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27). - net: dsa: bcm_sf2: Fix node reference count (git-fixes). - net: dsa: declare lockless TX feature for slave ports (bsc#1154353). - net: dsa: Do not leave DSA master with NULL netdev_ops (networking-stable-20_05_12). - net: dsa: loop: Add module soft dependency (networking-stable-20_05_16). - net: dsa: mt7530: fix roaming from DSA user ports (networking-stable-20_05_27). - net: dsa: mt7530: fix tagged frames pass-through in VLAN-unaware mode (networking-stable-20_04_17). - net: ena: xdp: update napi budget for DROP and ABORTED (bsc#1154492). - net: ena: xdp: XDP_TX: fix memory leak (bsc#1154492). - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend (networking-stable-20_05_27). - net_failover: fixed rollback in net_failover_open() (networking-stable-20_06_10). - netfilter: connlabels: prefer static lock initialiser (git-fixes). - netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c (bsc#1171857). - netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers (bsc#1171857). - netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c (bsc#1171857). - netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers (bsc#1171857). - netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - netfilter: nf_tables_offload: return EOPNOTSUPP if rule specifies no actions (git-fixes). - netfilter: nft_tproxy: Fix port selector on Big Endian (git-fixes). - netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy (git-fixes). - netfilter: not mark a spinlock as __read_mostly (git-fixes). - net: fix a potential recursive NETDEV_FEAT_CHANGE (networking-stable-20_05_16). - net: fsl/fman: treat all RGMII modes in memac_adjust_link() (bsc#1174398). - net: hns3: check reset pending after FLR prepare (bsc#1154353). - __netif_receive_skb_core: pass skb by reference (networking-stable-20_05_27). - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast* (networking-stable-20_05_27). - net: ipip: fix wrong address family in init error path (networking-stable-20_05_27). - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17). - net: ipv4: Fix wrong type conversion from hint to rt in ip_route_use_hint() (bsc#1154353). - net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17). - net: macb: call pm_runtime_put_sync on failure path (git-fixes). - net: macb: fix an issue about leak related system resources (networking-stable-20_05_12). - net: macsec: preserve ingress frame ordering (networking-stable-20_05_12). - net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() (networking-stable-20_05_12). - net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27). - net/mlx5: Add command entry handling completion (networking-stable-20_05_27). - net/mlx5: Disable reload while removing the device (jsc#SLE-8464). - net/mlx5: drain health workqueue in case of driver load error (networking-stable-20_06_16). - net/mlx5: DR, Fix freeing in dr_create_rc_qp() (jsc#SLE-8464). - net/mlx5e: Add missing release firmware call (networking-stable-20_04_17). - net/mlx5e: Fix CPU mapping after function reload to avoid aRFS RX crash (jsc#SLE-8464). - net/mlx5e: Fix inner tirs handling (networking-stable-20_05_27). - net/mlx5e: Fix pfnum in devlink port attribute (networking-stable-20_04_17). - net/mlx5e: Fix repeated XSK usage on one channel (networking-stable-20_06_16). - net/mlx5e: Fix stats update for matchall classifier (jsc#SLE-8464). - net/mlx5e: Fix VXLAN configuration restore after function reload (jsc#SLE-8464). - net/mlx5e: kTLS, Destroy key object after destroying the TIS (networking-stable-20_05_27). - net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta() (jsc#SLE-8464). - net/mlx5e: Update netdev txq on completions during closure (networking-stable-20_05_27). - net/mlx5: Fix cleaning unmanaged flow tables (jsc#SLE-8464). - net/mlx5: Fix command entry leak in Internal Error State (networking-stable-20_05_12). - net/mlx5: Fix crash upon suspend/resume (bsc#1172365). - net/mlx5: Fix error flow in case of function_setup failure (networking-stable-20_05_27). - net/mlx5: Fix fatal error handling during device load (networking-stable-20_06_16). - net/mlx5: Fix forced completion access non initialized command entry (networking-stable-20_05_12). - net/mlx5: Fix frequent ioread PCI access during recovery (networking-stable-20_04_17). - net/mlx5: Fix memory leak in mlx5_events_init (networking-stable-20_05_27). - net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() (networking-stable-20_05_12). - net: mvpp2: fix RX hashing for non-10G ports (networking-stable-20_05_27). - net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx() (networking-stable-20_05_12). - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27). - net: nlmsg_cancel() if put fails for nhmsg (networking-stable-20_05_27). - net: openvswitch: ovs_ct_exit to be done under ovs_lock (networking-stable-20_04_27). - net: phy: fix aneg restart in phy_ethtool_set_eee (networking-stable-20_05_16). - net: phy: propagate an error back to the callers of phy_sfp_probe (bsc#1154353). - net: phy: realtek: add support for configuring the RX delay on RTL8211F (bsc#1174398). - netprio_cgroup: Fix unlimited memory leak of v2 cgroups (networking-stable-20_05_16). - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() (networking-stable-20_05_27). - net: qrtr: send msgs from local of same id as broadcast (networking-stable-20_04_17). - net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17). - net: revert 'net: get rid of an signed integer overflow in ip_idents_reserve()' (bnc#1158748 (network regression)). - net sched: fix reporting the first-time use timestamp (networking-stable-20_05_27). - net_sched: sch_skbprio: add message validation to skbprio_change() (networking-stable-20_05_12). - net/smc: fix restoring of fallback changes (git-fixes). - net/smc: tolerate future SMCD versions (bsc#1172543 LTC#186069). - net: stmmac: do not attach interface until resume finishes (bsc#1174072). - net: stmmac: dwc-qos: avoid clk and reset for acpi device (bsc#1174072). - net: stmmac: dwc-qos: use generic device api (bsc#1174072). - net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a (networking-stable-20_06_07). - net: stmmac: fix num_por initialization (networking-stable-20_05_16). - net: stmmac: platform: fix probe for ACPI devices (bsc#1174072). - net: stricter validation of untrusted gso packets (networking-stable-20_05_12). - net: tc35815: Fix phydev supported/advertising mask (networking-stable-20_05_12). - net: tcp: fix rx timestamp behavior for tcp_recvmsg (networking-stable-20_05_16). - net/tls: fix encryption error checking (git-fixes). - net/tls: fix race condition causing kernel panic (networking-stable-20_05_27). - net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() (networking-stable-20_05_12). - net/tls: Fix sk_psock refcnt leak when in tls_data_ready() (networking-stable-20_05_12). - net/tls: free record only on encryption error (git-fixes). - net: tun: record RX queue in skb before do_xdp_generic() (networking-stable-20_04_17). - net: usb: qmi_wwan: add support for DW5816e (networking-stable-20_05_12). - net: usb: qmi_wwan: add Telit LE910C1-EUX composition (networking-stable-20_06_07). - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() (bsc#1172484). - net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27). - nexthop: Fix attribute checking for groups (networking-stable-20_05_27). - NFC: st21nfca: add missed kfree_skb() in an error path (git-fixes). - nfp: abm: fix a memory leak bug (networking-stable-20_05_12). - nfp: abm: fix error return code in nfp_abm_vnic_alloc() (networking-stable-20_05_16). - nfp: flower: fix used time of merge flow statistics (networking-stable-20_06_07). - nfs: add minor version to nfs_server_key for fscache (bsc#1172467). - nfsd4: fix nfsdfs reference count loop (git-fixes). - nfsd4: make drc_slab global, not per-net (git-fixes). - nfsd: always check return value of find_any_file (bsc#1172208). - nfsd: apply umask on fs without ACL support (git-fixes). - nfsd: fix nfsdfs inode reference count leak (git-fixes). - NFS: Fix fscache super_cookie index_key from changing after umount (git-fixes). - NFS: Fix interrupted slots by sending a solo SEQUENCE operation (bsc#1174264). - nfs: fix NULL deference in nfs4_get_valid_delegation. - nfs: fscache: use timespec64 in inode auxdata (git-fixes). - nfs: set invalid blocks after NFSv4 writes (git-fixes). - NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION (git-fixes). - NFSv4 fix CLOSE not waiting for direct IO compeletion (git-fixes). - NFSv4: Fix fscache cookie aux_data to ensure change_attr is included (git-fixes). - ntb: intel: add hw workaround for NTB BAR alignment (jsc#SLE-12710). - ntb: intel: Add Icelake (gen4) support for Intel NTB (jsc#SLE-12710). - ntb: intel: fix static declaration (jsc#SLE-12710). - nvdimm: Avoid race between probe and reading device attributes (bsc#1170442). - nvme-fc: avoid gcc-10 zero-length-bounds warning (bsc#1173206). - nvme-fc: do not call nvme_cleanup_cmd() for AENs (bsc#1171688). - nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391). - objtool: Allow no-op CFI ops in alternatives (bsc#1169514). - objtool: Clean instruction state before each function validation (bsc#1169514). - objtool: Fix !CFI insn_state propagation (bsc#1169514). - objtool: Fix ORC vs alternatives (bsc#1169514). - objtool: Ignore empty alternatives (bsc#1169514). - objtool: Remove check preventing branches within alternative (bsc#1169514). - objtool: Rename struct cfi_state (bsc#1169514). - objtool: Uniquely identify alternative instruction groups (bsc#1169514). - ovl: inode reference leak in ovl_is_inuse true case (git-fixes). - p54usb: add AirVasT USB stick device-id (git-fixes). - padata: add separate cpuhp node for CPUHP_PADATA_DEAD (git-fixes). - padata: kABI fixup for struct padata_instance splitting nodes (git-fixes). - panic: do not print uninitialized taint_flags (bsc#1172814). - PCI: aardvark: Do not blindly enable ASPM L0s and do not write to read-only register (git-fixes). - PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints (git-fixes). - PCI: Add Loongson vendor ID (git-fixes). - PCI/AER: Remove HEST/FIRMWARE_FIRST parsing for AER ownership (bsc#1174356). - PCI/AER: Use only _OSC to determine AER ownership (bsc#1174356). - PCI: Allow pci_resize_resource() for devices on root bus (git-fixes). - PCI: amlogic: meson: Do not use FAST_LINK_MODE to set up link (git-fixes). - PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges (git-fixes). - PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0 (git-fixes). - PCI: Avoid FLR for AMD Starship USB 3.0 (git-fixes). - PCI: brcmstb: Assert fundamental reset on initialization (git-fixes). - PCI: brcmstb: Assert fundamental reset on initialization (git-fixes). - PCI: brcmstb: Fix window register offset from 4 to 8 (git-fixes). - PCI: brcmstb: Fix window register offset from 4 to 8 (git-fixes). - PCI: Do not disable decoding when mmio_always_on is set (git-fixes). - PCI: dwc: Fix inner MSI IRQ domain registration (git-fixes). - PCI/EDR: Log only ACPI_NOTIFY_DISCONNECT_RECOVER events (bsc#1174513). - pcie: mobiveil: remove patchset v9 Prepare to backport upstream version. - PCI: Fix pci_register_host_bridge() device_register() error handling (git-fixes). - PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201). - PCI: hv: Change pci_protocol_version to per-hbus (bsc#1172871). - PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172871). - PCI: hv: Fix the PCI HyperV probe failure path to release resource properly (bsc#1172871). - PCI: hv: Introduce hv_msi_entry (bsc#1172871). - PCI: hv: Move hypercall related definitions into tlfs header (bsc#1172871). - PCI: hv: Move retarget related structures into tlfs header (bsc#1172871). - PCI: hv: Reorganize the code in preparation of hibernation (bsc#1172871). - PCI: hv: Retry PCI bus D0 entry on invalid device state (bsc#1172871). - PCI: mobiveil: Add 8-bit and 16-bit CSR register accessors (bsc#1161495). - PCI: mobiveil: Add callback function for interrupt initialization (bsc#1161495). - PCI: mobiveil: Add callback function for link up check (bsc#1161495). - PCI: mobiveil: Add Header Type field check (bsc#1161495). - PCI: mobiveil: Add PCIe Gen4 RC driver for Layerscape SoCs (bsc#1161495). - PCI: mobiveil: Allow mobiveil_host_init() to be used to re-init host (bsc#1161495). - PCI: mobiveil: Collect the interrupt related operations into a function (bsc#1161495). - PCI: mobiveil: Fix sparse different address space warnings (bsc#1161495). - PCI: mobiveil: Fix unmet dependency warning for PCIE_MOBIVEIL_PLAT (bsc#1161495). - PCI: mobiveil: Introduce a new structure mobiveil_root_port (bsc#1161495). - PCI: mobiveil: ls_pcie_g4: add Workaround for A-011451 (bsc#1161495). - PCI: mobiveil: ls_pcie_g4: add Workaround for A-011577 (bsc#1161495). - PCI: mobiveil: ls_pcie_g4: fix SError when accessing config space (bsc#1161495). - PCI: mobiveil: Modularize the Mobiveil PCIe Host Bridge IP driver (bsc#1161495). - PCI: mobiveil: Move the host initialization into a function (bsc#1161495). - PCI: pci-bridge-emul: Fix PCIe bit conflicts (git-fixes). - PCI/PM: Adjust pcie_wait_for_link_delay() for caller delay (git-fixes). - PCI/PM: Call .bridge_d3() hook only if non-NULL (git-fixes). - PCI: Program MPS for RCiEP devices (git-fixes). - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (git-fixes). - PCI: rcar: Fix incorrect programming of OB windows (git-fixes). - pci: Revive pci_dev __aer_firmware_first* fields for kABI (bsc#1174356). - PCI: v3-semi: Fix a memory leak in v3_pci_probe() error handling paths (git-fixes). - PCI: vmd: Add device id for VMD device 8086:9A0B (git-fixes). - PCI: vmd: Filter resource type bits from shadow register (git-fixes). - pcm_native: result of put_user() needs to be checked (git-fixes). - percpu: Separate decrypted varaibles anytime encryption can be enabled (bsc#1174332). - perf/core: Fix endless multiplex timer (git-fixes). - perf/core: fix parent pid/tid in task exit events (git-fixes). - pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' (git-fixes). - pinctrl: freescale: imx: Use 'devm_of_iomap()' to avoid a resource leak in case of error in 'imx_pinctrl_probe()' (git-fixes). - pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' (git-fixes). - pinctrl: intel: Add Intel Tiger Lake pin controller support (jsc#SLE-12737). - pinctrl: ocelot: Fix GPIO interrupt decoding on Jaguar2 (git-fixes). - pinctrl: rockchip: fix memleak in rockchip_dt_node_to_map (git-fixes). - pinctrl: rza1: Fix wrong array assignment of rza1l_swio_entries (git-fixes). - pinctrl: samsung: Correct setting of eint wakeup mask on s5pv210 (git-fixes). - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs (git-fixes). - pinctrl: sprd: Fix the incorrect pull-up definition (git-fixes). - pinctrl: stmfx: stmfx_pinconf_set does not require to get direction anymore (git-fixes). - pinctrl: tegra: Use noirq suspend/resume callbacks (git-fixes). - pinctrl: tigerlake: Tiger Lake uses _HID enumeration (jsc#SLE-12737). - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (git-fixes). - platform/x86: asus_wmi: Reserve more space for struct bias_args (git-fixes). - platform/x86: dell-laptop: do not register micmute LED if there is no token (git-fixes). - platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() (git-fixes). - platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015) (git-fixes). - platform/x86: intel-vbtn: Also handle tablet-mode switch on 'Detachable' and 'Portable' chassis-types (git-fixes). - platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not there (git-fixes). - platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / 'Laptop' chasis-type (git-fixes). - platform/x86: intel-vbtn: Split keymap into buttons and switches parts (git-fixes). - platform/x86: intel-vbtn: Use acpi_evaluate_integer() (git-fixes). - platform/x86: ISST: Increase timeout (bsc#1174185). - PM: runtime: clk: Fix clk_pm_runtime_get() error path (git-fixes). - pNFS/flexfiles: Fix list corruption if the mirror count changes (git-fixes). - pnp: Use list_for_each_entry() instead of open coding (git-fixes). - powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729). - powerpc/64s/exception: Fix machine check no-loss idle wakeup (bsc#1156395). - powerpc/64s/kuap: Restore AMR in system reset exception (bsc#1156395). - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729). - powerpc/book3s64: Export has_transparent_hugepage() related functions (bsc#1171759). - powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey (bsc#1065729). - powerpc/bpf: Enable bpf_probe_read{, str}() on powerpc again (bsc#1172344). - powerpc/fadump: Account for memory_limit while reserving memory (jsc#SLE-9099 git-fixes). - powerpc/fadump: consider reserved ranges while reserving memory (jsc#SLE-9099 git-fixes). - powerpc/fadump: fix race between pstore write and fadump crash trigger (bsc#1168959 ltc#185010). - powerpc/fadump: use static allocation for reserved memory ranges (jsc#SLE-9099 git-fixes). - powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END (git-fixes). - powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP (bsc#1156395). - powerpc/powernv: Fix a warning message (bsc#1156395). - powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729). - powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030). - powerpc/xmon: Reset RCU and soft lockup watchdogs (bsc#1065729). - power: reset: qcom-pon: reg write mask depends on pon generation (git-fixes). - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select (git-fixes). - power: supply: core: fix HWMON temperature labels (git-fixes). - power: supply: core: fix memory leak in HWMON error path (git-fixes). - power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' (git-fixes). - power: supply: smb347-charger: IRQSTAT_D is volatile (git-fixes). - pppoe: only process PADT targeted at local interfaces (networking-stable-20_05_16). - printk: queue wake_up_klogd irq_work only if per-CPU areas are ready (bsc#1172095). - proc/meminfo: avoid open coded reading of vm_committed_as (bnc#1173271). - proc: Use new_inode not new_inode_pseudo (bsc#1173830). - pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case (git-fixes). - pwm: sun4i: Move pwm_calculate() out of spin_lock() (git-fixes). - r8152: support additional Microsoft Surface Ethernet Adapter variant (git-fixes). - r8169: Revive default chip version for r8168 (bsc#1173085). - raid5: remove gfp flags from scribble_alloc() (bsc#1166985). - random: fix data races at timer_rand_state (bsc#1173438). - rcu: Avoid data-race in rcu_gp_fqs_check_wake() (bsc#1171828). - rcu: Fix data-race due to atomic_t copy-by-value (bsc#1171828). - rcu: Make rcu_read_unlock_special() checks match raise_softirq_irqoff() (bsc#1172046). - rcu: Simplify rcu_read_unlock_special() deferred wakeups (bsc#1172046). - rcutorture: Add 100-CPU configuration (bsc#1173068). - rcutorture: Add worst-case call_rcu() forward-progress results (bsc#1173068). - rcutorture: Dispense with Dracut for initrd creation (bsc#1173068). - rcutorture: Make kvm-find-errors.sh abort on bad directory (bsc#1173068). - rcutorture: Remove CONFIG_HOTPLUG_CPU=n from scenarios (bsc#1173068). - rcutorture: Summarize summary of build and run results (bsc#1173068). - rcutorture: Test TREE03 with the threadirqs kernel boot parameter (bsc#1173068). - rcu: Use *_ONCE() to protect lockless ->expmask accesses (bsc#1171828). - rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls (bsc#1173438). - RDMA/bnxt_re: Remove dead code from rcfw (bsc#1170774). - RDMA/core: Check that type_attrs is not NULL prior access (jsc#SLE-8449). - RDMA/core: Move and rename trace_cm_id_create() (jsc#SLE-8449). - RDMA/mlx5: Fix NULL pointer dereference in destroy_prefetch_work (jsc#SLE-8446). - RDMA/nl: Do not permit empty devices names during RDMA_NLDEV_CMD_NEWLINK/SET (bsc#1172841). - RDMA/srpt: Fix disabling device management (jsc#SLE-8449). - RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated (jsc#SLE-8449). - regmap: debugfs: Do not sleep while atomic for fast_io regmaps (git-fixes). - regmap: fix alignment issue (git-fixes). - regmap: Fix memory leak from regmap_register_patch (git-fixes). - regualtor: pfuze100: correct sw1a/sw2 on pfuze3000 (git-fixes). - remoteproc: Add missing '\n' in log messages (git-fixes). - remoteproc: Fall back to using parent memory pool if no dedicated available (git-fixes). - remoteproc: Fix and restore the parenting hierarchy for vdev (git-fixes). - remoteproc: Fix IDR initialisation in rproc_alloc() (git-fixes). - remoteproc: qcom_q6v5_mss: map/unmap mpss segments before/after use (git-fixes). - Revert commit e918e570415c ('tpm_tis: Remove the HID IFX0102') (git-fixes). - Revert 'drm/amd/display: disable dcn20 abm feature for bring up' (git-fixes). - Revert 'i2c: tegra: Fix suspending in active runtime PM state' (git-fixes). - Revert 'pinctrl: freescale: imx: Use 'devm_of_iomap()' to avoid a resource leak in case of error in 'imx_pinctrl_probe()'' (git-fixes). - Revert 'thermal: mediatek: fix register index error' (git-fixes). - ring-buffer: Zero out time extend if it is nested and not absolute (git-fixes). - rpm: drop execute permissions on source files Sometimes a source file with execute permission appears in upstream repository and makes it into our kernel-source packages. This is caught by OBS build checks and may even result in build failures. Sanitize the source tree by removing execute permissions from all C source and header files. - rpm/modules.fips: add aes-ce-ccm, des3_ede-x86_64, aes_ti and aes_neon_bs - rtc: mc13xxx: fix a double-unlock issue (git-fixes). - rtc: rv3028: Add missed check for devm_regmap_init_i2c() (git-fixes). - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (git-fixes). - rtw88: fix an issue about leak system resources (git-fixes). - rxrpc: Fix call RCU cleanup using non-bh-safe locks (git-fixes). - s390/bpf: Maintain 8-byte stack alignment (bsc#1169194, LTC#185911). - s390: fix syscall_get_error for compat processes (git-fixes). - s390/ism: fix error return code in ism_probe() (git-fixes). - s390/kaslr: add support for R_390_JMP_SLOT relocation type (git-fixes). - s390/pci: Fix s390_mmio_read/write with MIO (git-fixes). - s390/pci: Log new handle in clp_disable_fh() (git-fixes). - s390/qdio: consistently restore the IRQ handler (git-fixes). - s390/qdio: put thinint indicator after early error (git-fixes). - s390/qdio: tear down thinint indicator after early error (git-fixes). - s390/qeth: fix error handling for isolation mode cmds (git-fixes). - sata_rcar: handle pm_runtime_get_sync failure cases (git-fixes). - sch_choke: avoid potential panic in choke_reset() (networking-stable-20_05_12). - sched/cfs: change initial value of runnable_avg (bsc#1158765). - sched/core: Check cpus_mask, not cpus_ptr in __set_cpus_allowed_ptr(), to fix mask corruption (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/core: Fix PI boosting between RT and DEADLINE tasks (bsc#1172823). - sched/core: Fix PI boosting between RT and DEADLINE tasks (git fixes (sched)). - sched/core: Fix ttwu() race (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/core: s/WF_ON_RQ/WQ_ON_CPU/ (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/cpuacct: Fix charge cpuacct.usage_sys (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/deadline: Initialize ->dl_boosted (bsc#1172823). - sched/deadline: Initialize ->dl_boosted (git fixes (sched)). - sched: etf: do not assume all sockets are full blown (networking-stable-20_04_27). - sched/fair: find_idlest_group(): Remove unused sd_flag parameter (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: Fix enqueue_task_fair() warning some more (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: fix nohz next idle balance (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: handle case of task_h_load() returning 0 (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: Optimize dequeue_task_fair() (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: Optimize enqueue_task_fair() (bnc#1155798 (CPU scheduler functional and performance backports)). - sched/fair: Simplify the code of should_we_balance() (bnc#1155798 (CPU scheduler functional and performance backports)). - sched: Fix loadavg accounting race (bnc#1155798 (CPU scheduler functional and performance backports)). - sched: Fix race against ptrace_freeze_trace() (bsc#1174345). - sched: Make newidle_balance() static again (bnc#1155798 (CPU scheduler functional and performance backports)). - sched: Offload wakee task activation if it the wakee is descheduling (bnc#1158748, bnc#1159781). - sched: Optimize ttwu() spinning on p->on_cpu (bnc#1158748, bnc#1159781). - sched/pelt: Sync util/runnable_sum with PELT window when propagating (bnc#1155798 (CPU scheduler functional and performance backports)). - sch_sfq: validate silly quantum values (networking-stable-20_05_12). - scripts/decodecode: fix trapping instruction formatting (bsc#1065729). - scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814). - scsi: libfc: free response frame from GPN_ID (bsc#1173849). - scsi: libfc: Handling of extra kref (bsc#1173849). - scsi: libfc: If PRLI rejected, move rport to PLOGI state (bsc#1173849). - scsi: libfc: rport state move to PLOGI if all PRLI retry exhausted (bsc#1173849). - scsi: libfc: Skip additional kref updating work event (bsc#1173849). - scsi: lpfc: Add an internal trace log buffer (bsc#1172687 bsc#1171530). - scsi: lpfc: Add blk_io_poll support for latency improvment (bsc#1172687 bsc#1171530). - scsi: lpfc: Add support to display if adapter dumps are available (bsc#1172687 bsc#1171530). - scsi: lpfc: Allow applications to issue Common Set Features mailbox command (bsc#1172687 bsc#1171530). - scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: fix build failure with DEBUGFS disabled (bsc#1171530). - scsi: lpfc: Fix incomplete NVME discovery when target (bsc#1171530). - scsi: lpfc: Fix inconsistent indenting (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix interrupt assignments when multiple vectors are supported on same CPU (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix kdump hang on PPC (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix language in 0373 message to reflect non-error message (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix less-than-zero comparison of unsigned value (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func (bsc#1171530). - scsi: lpfc: Fix missing MDS functionality (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Fix noderef and address space warnings (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Fix NVMe rport deregister and registration during ADISC (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix oops due to overrun when reading SLI3 data (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix shost refcount mismatch when deleting vport (bsc#1172687 bsc#1171530). - scsi: lpfc: fix spelling mistakes of asynchronous (bsc#1171530). - scsi: lpfc: Fix stack trace seen while setting rrq active (bsc#1172687 bsc#1171530). - scsi: lpfc: Fix unused assignment in lpfc_sli4_bsg_link_diag_test (bsc#1172687 bsc#1171530). - scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Make lpfc_defer_acc_rsp static (bsc#1171530). - scsi: lpfc: remove duplicate unloading checks (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164777 bsc#1164780 bsc#1165211 jsc#SLE-8654). - scsi: lpfc: Update lpfc version to 12.8.0.2 (bsc#1172687 bsc#1171530). - scsi: megaraid_sas: Replace undefined MFI_BIG_ENDIAN macro with __BIG_ENDIAN_BITFIELD macro (bsc#1173206). - scsi: qla2xxx: Delete all sessions before unregister local nvme port (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334 bsc#1157169). - scsi: qla2xxx: Do not log message when reading port speed via sysfs (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334 bsc#1157169). - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334 bsc#1157169). - scsi: qla2xxx: Set NVMe status code for failed NVMe FCP request (bsc#1158983). - scsi: sd_zbc: Fix sd_zbc_complete() (bsc#1173206). - scsi: smartpqi: Update attribute name to `driver_version` (bsc#1173206). - scsi: ufs-bsg: Fix runtime PM imbalance on error (git-fixes). - scsi: zfcp: add diagnostics buffer for exchange config data (bsc#1158050). - scsi: zfcp: auto variables for dereferenced structs in open port handler (bsc#1158050). - scsi: zfcp: diagnostics buffer caching and use for exchange port data (bsc#1158050). - scsi: zfcp: enhance handling of FC Endpoint Security errors (bsc#1158050). - scsi: zfcp: expose fabric name as common fc_host sysfs attribute (bsc#1158050). - scsi: zfcp: Fence adapter status propagation for common statuses (bsc#1158050). - scsi: zfcp: Fence early sysfs interfaces for accesses of shost objects (bsc#1158050). - scsi: zfcp: Fence fc_host updates during link-down handling (bsc#1158050). - scsi: zfcp: fix fc_host attributes that should be unknown on local link down (bsc#1158050). - scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action (git-fixes). - scsi: zfcp: fix wrong data and display format of SFP+ temperature (bsc#1158050). - scsi: zfcp: implicitly refresh config-data diagnostics when reading sysfs (bsc#1158050). - scsi: zfcp: implicitly refresh port-data diagnostics when reading sysfs (bsc#1158050). - scsi: zfcp: introduce sysfs interface for diagnostics of local SFP transceiver (bsc#1158050). - scsi: zfcp: introduce sysfs interface to read the local B2B-Credit (bsc#1158050). - scsi: zfcp: log FC Endpoint Security errors (bsc#1158050). - scsi: zfcp: log FC Endpoint Security of connections (bsc#1158050). - scsi: zfcp: Move allocation of the shost object to after xconf- and xport-data (bsc#1158050). - scsi: zfcp: Move fc_host updates during xport data handling into fenced function (bsc#1158050). - scsi: zfcp: move maximum age of diagnostic buffers into a per-adapter variable (bsc#1158050). - scsi: zfcp: Move p-t-p port allocation to after xport data (bsc#1158050). - scsi: zfcp: Move shost modification after QDIO (re-)open into fenced function (bsc#1158050). - scsi: zfcp: Move shost updates during xconfig data handling into fenced function (bsc#1158050). - scsi: zfcp: proper indentation to reduce confusion in zfcp_erp_required_act (bsc#1158050). - scsi: zfcp: report FC Endpoint Security in sysfs (bsc#1158050). - scsi: zfcp: signal incomplete or error for sync exchange config/port data (bsc#1158050). - scsi: zfcp: support retrieval of SFP Data via Exchange Port Data (bsc#1158050). - scsi: zfcp: trace FC Endpoint Security of FCP devices and connections (bsc#1158050). - scsi: zfcp: wire previously driver-specific sysfs attributes also to fc_host (bsc#1158050). - sctp: Do not add the shutdown timer if its already been added (networking-stable-20_05_27). - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed (networking-stable-20_05_27). - selftests/bpf: CONFIG_IPV6_SEG6_BPF required for test_seg6_loop.o (bsc#1155518). - selftests/bpf: CONFIG_LIRC required for test_lirc_mode2.sh (bsc#1155518). - selftests/bpf: Fix invalid memory reads in core_relo selftest (bsc#1155518). - selftests/bpf: Fix memory leak in extract_build_id() (bsc#1155518). - selftests/bpf, flow_dissector: Close TAP device FD after the test (bsc#1155518). - selftests/bpf: Make sure optvals > PAGE_SIZE are bypassed (bsc#1155518). - selftests/net: in rxtimestamp getopt_long needs terminating null entry (networking-stable-20_06_16). - selftests/timens: handle a case when alarm clocks are not supported (bsc#1164648,jsc#SLE-11493). - selinux: fall back to ref-walk if audit is required (bsc#1174333). - selinux: revert 'stop passing MAY_NOT_BLOCK to the AVC upon follow_link' (bsc#1174333). - serial: 8250: Fix max baud limit in generic 8250 port (git-fixes). - serial: 8250_tegra: Create Tegra specific 8250 driver (bsc#1173941). - signal: Avoid corrupting si_pid and si_uid in do_notify_parent (bsc#1171529). - slimbus: core: Fix mismatch in of_node_get/put (git-fixes). - slimbus: ngd: get drvdata from correct device (git-fixes). - SMB3: Honor lease disabling for multiuser mounts (git-fixes). - socionext: account for napi_gro_receive never returning GRO_DROP (bsc#1154353). - soc: mediatek: cmdq: return send msg error code (git-fixes). - soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner (git-fixes). - soc: qcom: rpmh: Invalidate SLEEP and WAKE TCSes before flushing new data (git-fixes). - soc: qcom: rpmh-rsc: Allow using free WAKE TCS for active request (git-fixes). - soc: qcom: rpmh-rsc: Clear active mode configuration for wake TCS (git-fixes). - soc: qcom: rpmh: Update dirty flag only when data changes (git-fixes). - soc/tegra: pmc: Select GENERIC_PINCONF (git-fixes). - soundwire: intel: fix memory leak with devm_kasprintf (git-fixes). - spi: bcm2835aux: Fix controller unregister order (git-fixes). - spi: bcm2835: Fix controller unregister order (git-fixes). - spi: bcm-qspi: Handle clock probe deferral (git-fixes). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (git-fixes). - SPI: designware: pci: Switch over to MSI interrupts (jsc#SLE-12735). - spi: dt-bindings: spi-controller: Fix #address-cells for slave mode (git-fixes). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (git-fixes). - spi: dw: Add SPI Tx-done wait method to DMA-based transfer (git-fixes). - spi: dw: Enable interrupts in accordance with DMA xfer mode (git-fixes). - spi: dw: Fix controller unregister order (git-fixes). - spi: dw: Fix native CS being unset (git-fixes). - spi: dw: Fix Rx-only DMA transfers (git-fixes). - spi: dw-pci: Add MODULE_DEVICE_TABLE (jsc#SLE-12735). - spi: dw-pci: Add runtime power management support (jsc#SLE-12735). - spi: dw-pci: Add support for Intel Elkhart Lake PSE SPI (jsc#SLE-12735). - spi: dw-pci: Fix Chip Select amount on Intel Elkhart Lake PSE SPI (jsc#SLE-12735). - spi: dw: Return any value retrieved from the dma_transfer callback (git-fixes). - spi: dw: use 'smp_mb()' to avoid sending spi data error (git-fixes). - spi: dw: Zero DMA Tx and Rx configurations on stack (git-fixes). - spi: Fix controller unregister order (git-fixes). - spi: fsl: do not map irq during probe (git-fixes). - spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes). - spi: pxa2xx: Apply CS clk quirk to BXT (git-fixes). - spi: pxa2xx: Fix controller unregister order (git-fixes). - spi: pxa2xx: Fix runtime PM ref imbalance on probe error (git-fixes). - spi: Respect DataBitLength field of SpiSerialBusV2() ACPI resource (git-fixes). - spi: spidev: fix a potential use-after-free in spidev_release() (git-fixes). - spi: spidev: fix a race between spidev_release and spidev_remove (git-fixes). - spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (git-fixes). - spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (git-fixes). - spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (git-fixes). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes). - spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices (git-fixes). - spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate (git-fixes). - spi: sprd: switch the sequence of setting WDG_LOAD_LOW and _HIGH (git-fixes). - staging: comedi: verify array index is correct before using it (git-fixes). - staging: iio: ad2s1210: Fix SPI reading (git-fixes). - staging: kpc2000: fix error return code in kp2000_pcie_probe() (git-fixes). - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (git-fixes). - Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() (git-fixes). - staging: sm750fb: add missing case while setting FB_VISUAL (git-fixes). - sun6i: dsi: fix gcc-4.8 (bsc#1152489) - SUNRPC dont update timeout value on connection reset (bsc#1174263). - sunrpc: fixed rollback in rpc_gssd_dummy_populate() (git-fixes). - sunrpc: Fix gss_unwrap_resp_integ() again (bsc#1174116). - SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() (git-fixes). - SUNRPC: Signalled ASYNC tasks need to exit (git-fixes). - supported.conf: Add pinctrl-tigerlake as supported - supported.conf: Mark two hwtracing helper modules as externally supported (bsc#1170879) - svcrdma: Fix leak of svc_rdma_recv_ctxt objects (git-fixes). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: fix error recovery in tcp_zerocopy_receive() (networking-stable-20_05_16). - tcp: fix SO_RCVLOWAT hangs with fat skbs (networking-stable-20_05_16). - tcp: md5: allow changing MD5 keys in all socket states (git-fixes). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes (bsc#1173284). - thermal/drivers: imx: Fix missing of_node_put() at probe time (git-fixes). - thermal/drivers/mediatek: Fix bank number settings on mt8183 (git-fixes). - thermal/drivers/rcar_gen3: Fix undefined temperature if negative (git-fixes). - thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR (git-fixes). - thermal: int3403_thermal: Downgrade error message (git-fixes). - thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support (jsc#SLE-12668). - tick/sched: Annotate lockless access to last_jiffies_update (bsc#1173438). - timer: Use hlist_unhashed_lockless() in timer_pending() (bsc#1173438). - tipc: block BH before using dst_cache (networking-stable-20_05_27). - tipc: fix partial topology connection closure (networking-stable-20_05_12). - torture: Allow 'CFLIST' to specify default list of scenarios (bsc#1173068). - torture: Expand last_ts variable in kvm-test-1-run.sh (bsc#1173068). - torture: Handle jitter for CPUs that cannot be offlined (bsc#1173068). - torture: Handle systems lacking the mpstat command (bsc#1173068). - torture: Hoist calls to lscpu to higher-level kvm.sh script (bsc#1173068). - torture: Make results-directory date format completion-friendly (bsc#1173068). - torture: Use gawk instead of awk for systime() function (bsc#1173068). - tpm: Fix TIS locality timeout problems (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm_tis: extra chip->ops check on error path in tpm_tis_core_init (git-fixes). - tpm_tis: Remove the HID IFX0102 (git-fixes). - tracing: Fix event trigger to accept redundant spaces (git-fixes). - tty: hvc_console, fix crashes on parallel open/close (git-fixes). - tty: n_gsm: Fix bogus i++ in gsm_data_kick (git-fixes). - tty: n_gsm: Fix SOF skipping (git-fixes). - tty: n_gsm: Fix waking up upper tty layer when room available (git-fixes). - tty: serial: add missing spin_lock_init for SiFive serial console (git-fixes). - tun: correct header offsets in napi frags mode (git-fixes). - tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040 (networking-stable-20_05_12). - ubifs: fix wrong use of crypto_shash_descsize() (bsc#1173827). - ubifs: remove broken lazytime support (bsc#1173826). - udp: Copy has_conns in reuseport_grow() (git-fixes). - udp: Improve load balancing for SO_REUSEPORT (git-fixes). - usb: add USB_QUIRK_DELAY_INIT for Logitech C922 (git-fixes). - USB: c67x00: fix use after free in c67x00_giveback_urb (git-fixes). - usb: chipidea: core: add wakeup support for extcon (git-fixes). - USB: core: Fix misleading driver bug report (git-fixes). - usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B (git-fixes). - usb: dwc2: Fix shutdown callback in platform (git-fixes). - usb: dwc2: gadget: move gadget resume after the core is in L0 state (git-fixes). - usb: dwc3: gadget: Properly handle ClearFeature(halt) (git-fixes). - usb: dwc3: gadget: Properly handle failed kick_transfer (git-fixes). - usb: dwc3: pci: Enable extcon driver for Intel Merrifield (git-fixes). - usb: dwc3: pci: Fix reference count leak in dwc3_pci_resume_work (git-fixes). - usb/ehci-platform: Set PM runtime as active on resume (git-fixes). - USB: ehci: reopen solution for Synopsys HC bug (git-fixes). - usb: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: fix illegal array access in binding with UDC (git-fixes). - usb: gadget: Fix issue with config_ep_by_speed function (git-fixes). - usb: gadget: fix potential double-free in m66592_probe (git-fixes). - usb: gadget: function: fix missing spinlock in f_uac1_legacy (git-fixes). - usb: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - usb: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - usb: gadget: legacy: fix redundant initialization warnings (git-fixes). - usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (git-fixes). - usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - usb: gadget: udc: atmel: fix uninitialized read in debug printk (git-fixes). - usb: gadget: udc: atmel: Make some symbols static (git-fixes). - usb: gadget: udc: atmel: remove outdated comment in usba_ep_disable() (git-fixes). - usb: gadget: udc: Potential Oops in error handling code (git-fixes). - USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke (git-fixes). - usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() (git-fixes). - USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() (git-fixes). - usb: host: ehci-platform: add a quirk to avoid stuck (git-fixes). - usb: host: xhci-mtk: avoid runtime suspend when removing hcd (git-fixes). - usb: host: xhci-plat: keep runtime active when removing host (git-fixes). - usblp: poison URBs upon disconnect (git-fixes). - usb: musb: Fix runtime PM imbalance on error (git-fixes). - usb: musb: start session in resume for host port (git-fixes). - usbnet: smsc95xx: Fix use-after-free after removal (git-fixes). - usb/ohci-platform: Fix a warning when hibernating (git-fixes). - USB: ohci-sm501: Add missed iounmap() in remove (git-fixes). - USB: ohci-sm501: fix error return code in ohci_hcd_sm501_drv_probe() (git-fixes). - usb: renesas_usbhs: getting residue from callback_result (git-fixes). - USB: serial: ch341: add basis for quirk detection (git-fixes). - USB: serial: ch341: add new Product ID for CH340 (git-fixes). - USB: serial: cypress_m8: enable Simply Automated UPB PIM (git-fixes). - USB: serial: iuu_phoenix: fix memory corruption (git-fixes). - USB: serial: option: add GosunCn GM500 series (git-fixes). - USB: serial: option: add Quectel EG95 LTE modem (git-fixes). - USB: serial: option: add Telit LE910C1-EUX compositions (git-fixes). - USB: serial: qcserial: add DW5816e QDL support (git-fixes). - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes). - usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs (git-fixes). - usb: usbfs: correct kernel->user page attribute mismatch (git-fixes). - USB: usbfs: fix mmap dma mismatch (git-fixes). - usb/xhci-plat: Set PM runtime as active on resume (git-fixes). - vfio: avoid possible overflow in vfio_iommu_type1_pin_pages (git-fixes). - vfio: Ignore -ENODEV when getting MSI cookie (git-fixes). - vfio/mdev: Fix reference count leak in add_mdev_supported_type (git-fixes). - vfio/pci: fix memory leaks in alloc_perm_bits() (git-fixes). - vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174129). - vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() (git-fixes). - video: fbdev: w100fb: Fix a potential double free (git-fixes). - video: vt8500lcdfb: fix fallthrough warning (bsc#1152489) - virtio-blk: handle block_device_operations callbacks after hot unplug (git fixes (block drivers)). - virtio_net: fix lockdep warning on 32 bit (networking-stable-20_05_16). - virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial (git-fixes). - virt: vbox: Fix guest capabilities mask check (git-fixes). - virt: vbox: Fix VBGL_IOCTL_VMMDEV_REQUEST_BIG and _LOG req numbers to match upstream (git-fixes). - vmxnet3: add geneve and vxlan tunnel offload support (bsc#1172484). - vmxnet3: add support to get/set rx flow hash (bsc#1172484). - vmxnet3: allow rx flow hash ops only when rss is enabled (bsc#1172484). - vmxnet3: prepare for version 4 changes (bsc#1172484). - vmxnet3: update to version 4 (bsc#1172484). - vmxnet3: use correct hdr reference when packet is encapsulated (bsc#1172484). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vrf: Fix IPv6 with qdisc and xfrm (networking-stable-20_04_27). - vsock: fix timeout in vsock_accept() (networking-stable-20_06_07). - vsprintf: do not obfuscate NULL and error pointers (bsc#1172086). - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes). - vt: vt_ioctl: remove unnecessary console allocation checks (git-fixes). - vxlan: Avoid infinite loop when suppressing NS messages with invalid options (networking-stable-20_06_10). - vxlan: use the correct nlattr array in NL_SET_ERR_MSG_ATTR (networking-stable-20_04_27). - w1: omap-hdq: cleanup to add missing newline for some dev_dbg (git-fixes). - watchdog: da9062: No need to ping manually before setting timeout (git-fixes). - watchdog: imx_sc_wdt: Fix reboot on crash (git-fixes). - watchdog: iTCO: Add support for Cannon Lake PCH iTCO (jsc#SLE-13202). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (git-fixes). - wil6210: account for napi_gro_receive never returning GRO_DROP (bsc#1154353). - wil6210: add wil_netif_rx() helper function (bsc#1154353). - wil6210: use after free in wil_netif_rx_any() (bsc#1154353). - wireguard: device: avoid circular netns references (git-fixes). - wireguard: noise: do not assign initiation time in if condition (git-fixes). - wireguard: noise: read preshared key while taking lock (bsc#1169021 jsc#SLE-12250). - wireguard: noise: separate receive counter from send counter (bsc#1169021 jsc#SLE-12250). - wireguard: queueing: preserve flow hash across packet scrubbing (bsc#1169021 jsc#SLE-12250). - wireguard: receive: account for napi_gro_receive never returning GRO_DROP (git-fixes). - wireguard: selftests: initalize ipv6 members to NULL to squelch clang warning (git-fixes). - wireguard: selftests: use newer iproute2 for gcc-10 (bsc#1169021 jsc#SLE-12250). - work around mvfs bug (bsc#1162063). - workqueue: do not use wq_select_unbound_cpu() for bound works (git-fixes). - workqueue: Remove the warning in wq_worker_sleeping() (git-fixes). - x86/amd_nb: Add AMD family 17h model 60h PCI IDs (git-fixes). - x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1152489). - x86: Fix early boot crash on gcc-10, third try (bsc#1152489). - x86/mm/cpa: Flush direct map alias during cpa (bsc#1152489). - x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs (git-fixes). - x86/reboot/quirks: Add MacBook6,1 reboot quirk (git-fixes). - x86/resctrl: Fix invalid attempt at removing the default resource group (bsc#1152489). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1152489). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfrm: fix error in comment (git fixes (block drivers)). - xfs: clean up the error handling in xfs_swap_extents (git-fixes). - xfs: do not commit sunit/swidth updates to disk if that would cause repair failures (bsc#1172169). - xfs: do not fail unwritten extent conversion on writeback due to edquot (bsc#1158242). - xfs: fix duplicate verification from xfs_qm_dqflush() (git-fixes). - xfs: force writes to delalloc regions to unwritten (bsc#1158242). - xfs: measure all contiguous previous extents for prealloc size (bsc#1158242). - xfs: preserve default grace interval during quotacheck (bsc#1172170). - xfs: refactor agfl length computation function (bsc#1172169). - xfs: split the sunit parameter update into two parts (bsc#1172169). - xhci: Fix enumeration issue when setting max packet size for FS devices (git-fixes). - xhci: Fix incorrect EP_STATE_MASK (git-fixes). - xhci: Poll for U0 after disabling USB2 LPM (git-fixes). - xhci: Return if xHCI does not support LPM (git-fixes). - xprtrdma: Fix handling of RDMA_ERROR replies (git-fixes). - workqueue: Remove unnecessary kfree() call in rcu_free_wq() (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2127-1 Released: Wed Aug 5 10:28:23 2020 Summary: Recommended update for python-azure-agent Type: recommended Severity: important References: 1173866 This update for python-azure-agent fixes the following issues: - Properly set the DHCP configuration to push the hostname to the DHCP server. (bsc#1173866) - Do not bring the interface down to push the hostname, just use 'ifup'. (bsc#1173866) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2148-1 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1174673 This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2160-1 Released: Thu Aug 6 20:05:42 2020 Summary: Security update for xen Type: security Severity: important References: 1172356,1174543 This update for xen fixes the following issues: - bsc#1174543 - secure boot related fixes - bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to attach on next reboot while it should be live attached ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2182-1 Released: Mon Aug 10 11:39:48 2020 Summary: Recommended update for open-lldp Type: recommended Severity: moderate References: 1153520,1170745,1171284 This update for open-lldp fixes the following issues: - Fix for a segementation fault, when agents change their MAC address (bsc#1171284) - lldapd will now transmit the permanent MAC address (the MAC address of the underlying physical device) as port id, thus allowing the switch or any management application to differentiate between those ports. (bsc#1153520) - Fix for a segmentation fault, when lldapd registers an interface and it gets shortly removed afterwards. (bsc#1170745) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2219-1 Released: Wed Aug 12 15:47:42 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata Type: recommended Severity: moderate References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847 This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues: supportutils-plugin-suse-public-cloud: - Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt are installed at the same time (bsc#1174618) - Sensitive information like credentials (such as access keys) will be removed when the metadata is being collected (bsc#1170475, bsc#1170476) python3-azuremetadata: - Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240) - Detects when the VM is running in ASM (Azure Classic) and does now handle the condition to generate the data without requiring access to the full IMDS available, only in ARM instances (bsc#1173357, bsc#1174847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2224-1 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1171878,1172085 This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2244-1 Released: Fri Aug 14 15:27:35 2020 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1174782,1175036,1175060 This update for grub2 fixes the following issues: - A potential regression has been fixed that would cause systems with an updated 'grub2' to boot no longer due to a missing 'grub-calloc' linker symbol. (bsc#1174782) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2256-1 Released: Mon Aug 17 15:08:46 2020 Summary: Recommended update for sysfsutils Type: recommended Severity: moderate References: 1155305 This update for sysfsutils fixes the following issue: - Fix cdev name comparison. (bsc#1155305) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2277-1 Released: Wed Aug 19 13:24:03 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1174091,CVE-2019-20907 This update for python3 fixes the following issues: - bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2278-1 Released: Wed Aug 19 21:26:08 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1149911,1151708,1168235,1168389 This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2296-1 Released: Mon Aug 24 10:34:37 2020 Summary: Security update for gettext-runtime Type: security Severity: moderate References: 1106843,1113719,941629,CVE-2018-18751 This update for gettext-runtime fixes the following issues: - Fix boo941629-unnessary-rpath-on-standard-path.patch (bsc#941629) - Added msgfmt-double-free.patch to fix a double free error (CVE-2018-18751 bsc#1113719) - Add patch msgfmt-reset-msg-length-after-remove.patch which does reset the length of message string after a line has been removed (bsc#1106843) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2306-1 Released: Tue Aug 25 14:48:17 2020 Summary: Security update for grub2 Type: security Severity: important References: 1172745,1174421,CVE-2020-15705 This update for grub2 fixes the following issue: - CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421). - Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2335-1 Released: Wed Aug 26 11:47:28 2020 Summary: Recommended update for perl-Bootloader Type: recommended Severity: moderate References: 1174320 This update for perl-Bootloader fixes the following issues: Update from version 0.928 to version 0.931 - The *grub2* module directory has been moved to */usr/share/grub2*, the *tpm.mod* is now checked there. (bsc#1174320) - Reduce the number of warning about fstab. - Do not warn about missing *SECURE_BOOT* sysconfig on systems with a minimalistic */etc/sysconfig/bootloader*. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2349-1 Released: Wed Aug 26 17:15:21 2020 Summary: Recommended update for hyper-v Type: recommended Severity: moderate References: 1093910,1174443,1174444 This update for hyper-v fixes the following issues: - Remove dependency to network-online.target now that gethostname is used in kvp_daemon. (bsc#1174443, bsc#1174444) - Reopen the devices if read() or write() returns errors. - Use either python2 or python3 for lsvmbus. (bsc#1093910) - Remove sysv init scripts. - Enable build on aarch64. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2378-1 Released: Fri Aug 28 14:52:31 2020 Summary: Recommended update for python-azure-agent Type: recommended Severity: moderate References: 1175198 This update for python-azure-agent contains the following fix: - Drop paa_sudo_sle15_nopwd.patch (bsc#1175198) + sudoers file is managed by cloud-init we no longer need this hack ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2380-1 Released: Fri Aug 28 14:54:08 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: moderate References: 1175250,1175251 This update for supportutils-plugin-suse-public-cloud contains the following fix: - Update to version 1.0.5: (bsc#1175250, bsc#1175251) + Query for new GCE initialization code packages ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2384-1 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1170964 This update for e2fsprogs fixes the following issues: - Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2386-1 Released: Sat Aug 29 01:21:01 2020 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1172810 This update for samba fixes the following issues: - Add 'libsmbldap0' to 'libsmbldap2' package to fix upgrades from previous versions. (bsc#1172810) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2396-1 Released: Mon Aug 31 17:27:13 2020 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: This update for open-iscsi fixes the following issues: Upgrade to upstream version 2.1.2 as 2.1.2-suse (jsc#SES-1081) - Use openssl for random data generation - Misspelled socket name might cause confusion to inexperienced user. - Let initiator name be created by iscsi-init.service. - iscsi: fix fd leak - Fix a compiler issue about string copy in iscsiuio - Fix a compiler issue about writing one byte - Fix issue with zero-length arrays at end of struct - Add *iscsi-init.service* Note that the '*iscsi-init.service*' adds a new systemd service called '*iscsi-init*', that creates the iSCSI initiator name file */etc/iscsi/initiatorname.iscsi*, if and only if it does not exist. - Proper disconnect of TCP connection - Fix SIGPIPE loop in signal handler - Update iscsi-iname.c - log:modify iSCSI shared memory permissions for logs - Sequence systemd services correctly when upgrading - Ignore iface.example in iface match checks - Fix type mismatch under musl. - Add Wants=remote-fs-pre.target for sequencing. - Fix issue where 'iscsi-iname -p' core dumps. - iscsi-iname: fix iscsi-iname -p access NULL pointer without given IQN prefix - Fix iscsi.service so it handles restarts better