SUSE Image Update Advisory:
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:601-1
Image Tags        :
Image Release     :
Severity          : critical
Type              : security
References        : 1027519 1118088 1158763 1179534 1182142 1184177 1184758 1186606 1193412 1193752 1194038 1194609 1194900 1198666 1200085 1201253 1201519 1204040 1204844 1206418 1206627 1207129 1207805 1208194 1209242 1209741 1210070 1210273 1210323 1210419 1210627 1210687 1210702 1210740 1210780 1211079 1211131 1211461 1211576 1211738 1211746 1211757 1212434 1212502 1212604 1212879 1212901 1212928 1213049 1213167 1213185 1213189 1213212 1213231 1213272 1213287 1213304 1213443 1213472 1213514 1213517 1213557 1213575 1213582 1213585 1213586 1213588 1213616 1213620 1213653 1213673 1213713 1213715 1213747 1213756 1213759 1213777 1213810 1213812 1213842 1213853 1213856 1213857 1213863 1213867 1213870 1213871 1213873 1213951 1214025 1214054 1214071 1214082 1214083 1214248 1214290 1214566 CVE-2018-19787 CVE-2020-27783 CVE-2021-28957 CVE-2021-3429 CVE-2021-43818 CVE-2022-2309 CVE-2022-40982 CVE-2022-40982 CVE-2022-41409 CVE-2022-48468 CVE-2023-0459 CVE-2023-0950 CVE-2023-1786 CVE-2023-2004 CVE-2023-20569 CVE-2023-20569 CVE-2023-20593 CVE-2023-20900 CVE-2023-21400 CVE-2023-2156 CVE-2023-2166 CVE-2023-2255 CVE-2023-26112 CVE-2023-31083 CVE-2023-3268 CVE-2023-33460 CVE-2023-3567 CVE-2023-36054 CVE-2023-3609 CVE-2023-3611 CVE-2023-3776 CVE-2023-3817 CVE-2023-4004 CVE-2023-4016 CVE-2023-4156
-----------------------------------------------------------------
The container was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:803-1
Released:    Thu Mar 10 17:35:53 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1118088,1179534,1184177,1193752,CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818

This update for python-lxml fixes the following issues:

- CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088).
- CVE-2021-28957: Fixed XSS vulnerability via unescaped HTML5 attributes (bsc#1184177).
- CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752).
- CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2548-1
Released:    Tue Jul 26 13:48:28 2022
Summary:     Critical update for python-cssselect
Type:        recommended
Severity:    critical
References:

This update for python-cssselect adds its packages to the unrestricted repository.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2908-1
Released:    Fri Aug 26 11:36:03 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1201253,CVE-2022-2309

This update for python-lxml fixes the following issues:

- CVE-2022-2309: Fixed NULL pointer dereference due to state leak between parser runs (bsc#1201253).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2143-1
Released:    Tue May 9 14:49:45 2023
Summary:     Security update for protobuf-c
Type:        security
Severity:    important
References:  1210323,CVE-2022-48468

This update for protobuf-c fixes the following issues:

- CVE-2022-48468: Fixed an unsigned integer overflow (bsc#1210323).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2898-1
Released:    Thu Jul 20 09:15:33 2023
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        feature
Severity:    critical
References:

This update for python-instance-billing-flavor-check fixes the following issues:

- Include PAYG checker package in SLE (jsc#PED-4791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2905-1
Released:    Thu Jul 20 10:17:54 2023
Summary:     Recommended update for fstrm
Type:        recommended
Severity:    moderate
References:

This update for fstrm fixes the following issues:

- Update to 0.6.1:
  - fstrm_capture: ignore SIGPIPE, which will cause the interrupted connections to generate an EPIPE instead.
  - Fix truncation in snprintf calls in argument processing.
  - fstrm_capture: Fix output printf format.
- Update to 0.6.0:
  It adds a new feature for fstrm_capture. It can perform output file rotation when a SIGUSR1 signal is received by fstrm_capture. (See the --gmtime or --localtime options.) This allows fstrm_capture's output file to be rotated by logrotate or a similar external utility. (Output rotation is suppressed if fstrm_capture is writing to stdout.)
- Update to 0.5.0:
  - Change license to modern MIT license for compatibility with GPLv2 software. Contact software@farsightsecurity.com for alternate licensing.
  - src/fstrm_replay.c: For OpenBSD and Posix portability include netinet/in.h and sys/socket.h to get struct sockaddr_in and the AF_* defines respectively.
  - Fix various compiler warnings.
- Update to 0.4.0:
  The C implementation of the Frame Streams data transport protocol, fstrm version 0.4.0, was released. It adds TCP support, a new tool, new documentation, and several improvements.
  - Added manual pages for fstrm_capture and fstrm_dump.
  - Added new tool, fstrm_replay, for replaying saved Frame Streams data to a socket connection.
  - Adds TCP support. Add tcp_writer to the core library which implements a bi-directional Frame Streams writer as a TCP socket client. Introduces new developer API: fstrm_tcp_writer_init, fstrm_tcp_writer_options_init, fstrm_tcp_writer_options_destroy, fstrm_tcp_writer_options_set_socket_address, and fstrm_tcp_writer_options_set_socket_port.
  - fstrm_capture: new options for reading from TCP socket.
  - fstrm_capture: add '-c' / '--connections' option to limit the number of concurrent connections it will accept.
  - fstrm_capture: add '-b' / '--buffer-size' option to set the read buffer size (effectively the maximum frame size) to a value other than the default 256 KiB.
  - fstrm_capture: skip oversize messages to fix stalled connections caused by messages larger than the read highwater mark of the input buffer. Discarded messages are logged for the purposes of tuning the input buffer size.
  - fstrm_capture: complete sending of FINISH frame before closing connection.
  - Various test additions and improvements.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3196-1
Released:    Fri Aug 4 10:02:04 2023
Summary:     Recommended update for protobuf-c
Type:        recommended
Severity:    moderate
References:  1213443

This update for protobuf-c fixes the following issues:

- Include executables required to generate Protocol Buffers glue code in the devel subpackage (bsc#1213443)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug 7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079

This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3270-1
Released:    Thu Aug 10 19:34:35 2023
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1211461

This update for vim fixes the following issues:

- Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3275-1
Released:    Fri Aug 11 10:19:36 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472

This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3282-1
Released:    Fri Aug 11 10:26:23 2023
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:

This update for blog fixes the following issues:

- Fix big endian cast problems to be able to read commands and answers as well as passphrases

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:3283-1
Released:    Fri Aug 11 10:28:34 2023
Summary:     Feature update for cloud-init
Type:        feature
Severity:    moderate
References:  1184758,1210273,1212879,CVE-2021-3429,CVE-2023-1786

This update for cloud-init fixes the following issues:

- Default route is not configured (bsc#1212879)
- cloud-final service failing in powerVS (bsc#1210273)
- Randomly generated passwords logged in clear-text to world-readable file (bsc#1184758, CVE-2021-3429)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3285-1
Released:    Fri Aug 11 10:30:38 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189

This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900

This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3288-1
Released:    Fri Aug 11 12:30:14 2023
Summary:     Recommended update for python-apipkg
Type:        recommended
Severity:    moderate
References:  1213582

This update for python-apipkg provides python3-apipkg to SUSE Linux Enterprise Micro 5.2.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3301-1
Released:    Mon Aug 14 07:24:59 2023
Summary:     Security update for libyajl
Type:        security
Severity:    moderate
References:  1212928,CVE-2023-33460

This update for libyajl fixes the following issues:

- CVE-2023-33460: Fixed memory leak which could cause out-of-memory in server (bsc#1212928).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3313-1
Released:    Mon Aug 14 17:34:46 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1206418,1207129,1210627,1210780,1211131,1211738,1212502,1212604,1212901,1213167,1213272,1213287,1213304,1213585,1213586,1213588,1213620,1213653,1213713,1213715,1213747,1213756,1213759,1213777,1213810,1213812,1213842,1213856,1213857,1213863,1213867,1213870,1213871,CVE-2022-40982,CVE-2023-0459,CVE-2023-20569,CVE-2023-21400,CVE-2023-2156,CVE-2023-2166,CVE-2023-31083,CVE-2023-3268,CVE-2023-3567,CVE-2023-3609,CVE-2023-3611,CVE-2023-3776,CVE-2023-4004

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1206418).
- CVE-2023-0459: Fixed information leak in __uaccess_begin_nospec (bsc#1211738).
- CVE-2023-20569: Fixed side channel attack 'Inception' or 'RAS Poisoning' (bsc#1213287).
- CVE-2023-21400: Fixed several memory corruptions due to improper locking in io_uring (bsc#1213272).
- CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131).
- CVE-2023-2166: Fixed NULL pointer dereference in can_rcv_filter (bsc#1210627).
- CVE-2023-31083: Fixed race condition in hci_uart_tty_ioctl (bsc#1210780).
- CVE-2023-3268: Fixed an out of bounds memory access flaw in relay_file_read_start_pos in the relayfs (bsc#1212502).
- CVE-2023-3567: Fixed a use-after-free in vcs_read in drivers/tty/vt/vc_screen.c (bsc#1213167).
- CVE-2023-3609: Fixed reference counter leak leading to overflow in net/sched (bsc#1213586).
- CVE-2023-3611: Fixed an out-of-bounds write in net/sched sch_qfq (bsc#1213585).
- CVE-2023-3776: Fixed improper refcount update in cls_fw leads to use-after-free (bsc#1213588).
- CVE-2023-4004: Fixed improper element removal netfilter nft_set_pipapo (bsc#1213812).

The following non-security bugs were fixed:

- afs: Fix access after dec in put functions (git-fixes).
- afs: Fix afs_getattr() to refetch file status if callback break occurred (git-fixes).
- afs: Fix dynamic root getattr (git-fixes).
- afs: Fix fileserver probe RTT handling (git-fixes).
- afs: Fix infinite loop found by xfstest generic/676 (git-fixes).
- afs: Fix lost servers_outstanding count (git-fixes).
- afs: Fix server->active leak in afs_put_server (git-fixes).
- afs: Fix setting of mtime when creating a file/dir/symlink (git-fixes).
- afs: Fix updating of i_size with dv jump from server (git-fixes).
- afs: Fix vlserver probe RTT handling (git-fixes).
- afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked (git-fixes).
- afs: Use refcount_t rather than atomic_t (git-fixes).
- afs: Use the operation issue time instead of the reply time for callbacks (git-fixes).
- afs: adjust ack interpretation to try and cope with nat (git-fixes).
- alsa: emu10k1: roll up loops in dsp setup code for audigy (git-fixes).
- alsa: hda/realtek: support asus g713pv laptop (git-fixes).
- alsa: hda/relatek: enable mute led on hp 250 g8 (git-fixes).
- alsa: usb-audio: add quirk for microsoft modern wireless headset (bsc#1207129).
- alsa: usb-audio: update for native dsd support quirks (git-fixes).
- asoc: atmel: fix the 8k sample parameter in i2sc master (git-fixes).
- asoc: codecs: es8316: fix dmic config (git-fixes).
- asoc: da7219: check for failure reading aad irq events (git-fixes).
- asoc: da7219: flush pending aad irq when suspending (git-fixes).
- asoc: fsl_sai: disable bit clock with transmitter (git-fixes).
- asoc: fsl_spdif: silence output on stop (git-fixes).
- asoc: rt5682-sdw: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711-sdca: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: wm8904: fill the cache for wm8904_adc_test_0 register (git-fixes).
- ata: pata_ns87415: mark ns87560_tf_read static (git-fixes).
- block, bfq: Fix division by zero error on zero wsum (bsc#1213653).
- block: Fix a source code comment in include/uapi/linux/blkzoned.h (git-fixes).
- can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED (git-fixes).
- ceph: do not let check_caps skip sending responses for revoke msgs (bsc#1213856).
- coda: Avoid partial allocation of sig_inputArgs (git-fixes).
- dlm: fix missing lkb refcount handling (git-fixes).
- dlm: fix plock invalid read (git-fixes).
- documentation: devices.txt: reconcile serial/ucc_uart minor numers (git-fixes).
- drm/amd/display: Disable MPC split by default on special asic (git-fixes).
- drm/amd/display: Keep PHY active for DP displays on DCN31 (git-fixes).
- drm/client: Fix memory leak in drm_client_modeset_probe (git-fixes).
- drm/msm/adreno: Fix snapshot BINDLESS_DATA size (git-fixes).
- drm/msm/dpu: drop enum dpu_core_perf_data_bus_id (git-fixes).
- drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb() (git-fixes).
- drm/radeon: Fix integer overflow in radeon_cs_parser_init (git-fixes).
- file: always lock position for FMODE_ATOMIC_POS (bsc#1213759).
- fs: dlm: add midcomms init/start functions (git-fixes).
- fs: dlm: do not set stop rx flag after node reset (git-fixes).
- fs: dlm: filter user dlm messages for kernel locks (git-fixes).
- fs: dlm: fix log of lowcomms vs midcomms (git-fixes).
- fs: dlm: fix race between test_bit() and queue_work() (git-fixes).
- fs: dlm: fix race in lowcomms (git-fixes).
- fs: dlm: handle -EBUSY first in lock arg validation (git-fixes).
- fs: dlm: move sending fin message into state change handling (git-fixes).
- fs: dlm: retry accept() until -EAGAIN or error returns (git-fixes).
- fs: dlm: return positive pid value for F_GETLK (git-fixes).
- fs: dlm: start midcomms before scand (git-fixes).
- fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() (git-fixes).
- fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev (git-fixes).
- fs: jfs: check for read-only mounted filesystem in txbegin (git-fixes).
- fs: jfs: fix null-ptr-deref read in txbegin (git-fixes).
- gve: Set default duplex configuration to full (git-fixes).
- gve: unify driver name usage (git-fixes).
- hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature (git-fixes).
- hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled (git-fixes).
- iavf: Fix out-of-bounds when setting channels on remove (git-fixes).
- iavf: Fix use-after-free in free_netdev (git-fixes).
- iavf: use internal state to free traffic IRQs (git-fixes).
- igc: Check if hardware TX timestamping is enabled earlier (git-fixes).
- igc: Enable and fix RX hash usage by netstack (git-fixes).
- igc: Fix Kernel Panic during ndo_tx_timeout callback (git-fixes).
- igc: Fix inserting of empty frame for launchtime (git-fixes).
- igc: Fix launchtime before start of cycle (git-fixes).
- igc: Fix race condition in PTP tx code (git-fixes).
- igc: Handle PPS start time programming for past time values (git-fixes).
- igc: Prevent garbled TX queue with XDP ZEROCOPY (git-fixes).
- igc: Remove delay during TX ring configuration (git-fixes).
- igc: Work around HW bug causing missing timestamps (git-fixes).
- igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings (git-fixes).
- input: i8042 - add clevo pcx0dx to i8042 quirk table (git-fixes).
- input: iqs269a - do not poll during ati (git-fixes).
- input: iqs269a - do not poll during suspend or resume (git-fixes).
- jffs2: GC deadlock reading a page that is used in jffs2_write_begin() (git-fixes).
- jffs2: fix memory leak in jffs2_do_fill_super (git-fixes).
- jffs2: fix memory leak in jffs2_do_mount_fs (git-fixes).
- jffs2: fix memory leak in jffs2_scan_medium (git-fixes).
- jffs2: fix use-after-free in jffs2_clear_xattr_subsystem (git-fixes).
- jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (git-fixes).
- jfs: jfs_dmap: Validate db_l2nbperpage while mounting (git-fixes).
- kvm: arm64: do not read a hw interrupt pending state in user context (git-fixes)
- kvm: arm64: warn if accessing timer pending state outside of vcpu (bsc#1213620)
- kvm: do not null dereference ops->destroy (git-fixes)
- kvm: downgrade two bug_ons to warn_on_once (git-fixes)
- kvm: initialize debugfs_dentry when a vm is created to avoid null (git-fixes)
- kvm: s390: pv: fix index value of replaced asce (git-fixes bsc#1213867).
- kvm: vmx: inject #gp on encls if vcpu has paging disabled (cr0.pg==0) (git-fixes).
- kvm: vmx: inject #gp, not #ud, if sgx2 encls leafs are unsupported (git-fixes).
- kvm: vmx: restore vmx_vmexit alignment (git-fixes).
- kvm: x86: account fastpath-only vm-exits in vcpu stats (git-fixes).
- libceph: harden msgr2.1 frame segment length checks (bsc#1213857).
- media: staging: atomisp: select V4L2_FWNODE (git-fixes).
- net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585).
- net/sched: sch_qfq: reintroduce lmax bound check for MTU (bsc#1213585).
- net: ena: fix shift-out-of-bounds in exponential backoff (git-fixes).
- net: mana: Batch ringing RX queue doorbell on receiving packets (bsc#1212901).
- net: mana: Use the correct WQE count for ringing RQ doorbell (bsc#1212901).
- net: phy: marvell10g: fix 88x3310 power up (git-fixes).
- nfsd: add encoding of op_recall flag for write delegation (git-fixes).
- nfsd: fix double fget() bug in __write_ports_addfd() (git-fixes).
- nfsd: fix sparse warning (git-fixes).
- nfsd: remove open coding of string copy (git-fixes).
- nfsv4.1: always send a reclaim_complete after establishing lease (git-fixes).
- nfsv4.1: freeze the session table upon receiving nfs4err_badsession (git-fixes).
- nvme-pci: fix DMA direction of unmapping integrity data (git-fixes).
- nvme-pci: remove nvme_queue from nvme_iod (git-fixes).
- octeontx-af: fix hardware timestamp configuration (git-fixes).
- octeontx2-af: Move validation of ptp pointer before its usage (git-fixes).
- octeontx2-pf: Add additional check for MCAM rules (git-fixes).
- phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() (git-fixes).
- pinctrl: amd: Do not show `Invalid config param` errors (git-fixes).
- pinctrl: amd: Use amd_pinconf_set() for all config options (git-fixes).
- platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 (git-fixes).
- rdma/bnxt_re: fix hang during driver unload (git-fixes)
- rdma/bnxt_re: prevent handling any completions after qp destroy (git-fixes)
- rdma/core: update cma destination address on rdma_resolve_addr (git-fixes)
- rdma/irdma: add missing read barriers (git-fixes)
- rdma/irdma: fix data race on cqp completion stats (git-fixes)
- rdma/irdma: fix data race on cqp request done (git-fixes)
- rdma/irdma: fix op_type reporting in cqes (git-fixes)
- rdma/irdma: report correct wc error (git-fixes)
- rdma/mlx4: make check for invalid flags stricter (git-fixes)
- rdma/mthca: fix crash when polling cq for shared qps (git-fixes)
- regmap: Account for register length in SMBus I/O limits (git-fixes).
- regmap: Drop initial version of maximum transfer length fixes (git-fixes).
- revert 'debugfs, coccinelle: check for obsolete define_simple_attribute() usage' (git-fixes).
- revert 'nfsv4: retry lock on old_stateid during delegation return' (git-fixes).
- revert 'usb: dwc3: core: enable autoretry feature in the controller' (git-fixes).
- revert 'usb: gadget: tegra-xudc: fix error check in tegra_xudc_powerdomain_init()' (git-fixes).
- revert 'usb: xhci: tegra: fix error check' (git-fixes).
- revert 'xhci: add quirk for host controllers that do not update endpoint dcs' (git-fixes).
- rxrpc, afs: Fix selection of abort codes (git-fixes).
- s390/bpf: Add expoline to tail calls (git-fixes bsc#1213870).
- s390/dasd: fix hanging device after quiesce/resume (git-fixes bsc#1213810).
- s390/decompressor: specify __decompress() buf len to avoid overflow (git-fixes bsc#1213863).
- s390/ipl: add missing intersection check to ipl_report handling (git-fixes bsc#1213871).
- s390/qeth: Fix vipa deletion (git-fixes bsc#1213713).
- s390/vmem: fix empty page tables cleanup under KASAN (git-fixes bsc#1213715).
- s390: introduce nospec_uses_trampoline() (git-fixes bsc#1213870).
- scftorture: Count reschedule IPIs (git-fixes).
- scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected (bsc#1213756).
- scsi: lpfc: Avoid -Wstringop-overflow warning (bsc#1213756).
- scsi: lpfc: Clean up SLI-4 sysfs resource reporting (bsc#1213756).
- scsi: lpfc: Copyright updates for 14.2.0.14 patches (bsc#1213756).
- scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignments in FDMI and VMID paths (bsc#1213756).
- scsi: lpfc: Fix lpfc_name struct packing (bsc#1213756).
- scsi: lpfc: Make fabric zone discovery more robust when handling unsolicited LOGO (bsc#1213756).
- scsi: lpfc: Pull out fw diagnostic dump log message from driver's trace buffer (bsc#1213756).
- scsi: lpfc: Qualify ndlp discovery state when processing RSCN (bsc#1213756).
- scsi: lpfc: Refactor cpu affinity assignment paths (bsc#1213756).
- scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (bsc#1213756).
- scsi: lpfc: Replace all non-returning strlcpy() with strscpy() (bsc#1213756).
- scsi: lpfc: Replace one-element array with flexible-array member (bsc#1213756).
- scsi: lpfc: Revise ndlp kref handling for dev_loss_tmo_callbk and lpfc_drop_node (bsc#1213756).
- scsi: lpfc: Set Establish Image Pair service parameter only for Target Functions (bsc#1213756).
- scsi: lpfc: Simplify fcp_abort transport callback log message (bsc#1213756).
- scsi: lpfc: Update lpfc version to 14.2.0.14 (bsc#1213756).
- scsi: lpfc: Use struct_size() helper (bsc#1213756).
- scsi: qla2xxx: Adjust IOCB resource on qpair create (bsc#1213747).
- scsi: qla2xxx: Array index may go out of bound (bsc#1213747).
- scsi: qla2xxx: Avoid fcport pointer dereference (bsc#1213747).
- scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() (bsc#1213747).
- scsi: qla2xxx: Correct the index of array (bsc#1213747).
- scsi: qla2xxx: Drop useless LIST_HEAD (bsc#1213747).
- scsi: qla2xxx: Fix NULL pointer dereference in target mode (bsc#1213747).
- scsi: qla2xxx: Fix TMF leak through (bsc#1213747).
- scsi: qla2xxx: Fix buffer overrun (bsc#1213747).
- scsi: qla2xxx: Fix command flush during TMF (bsc#1213747).
- scsi: qla2xxx: Fix deletion race condition (bsc#1213747).
- scsi: qla2xxx: Fix end of loop test (bsc#1213747).
- scsi: qla2xxx: Fix erroneous link up failure (bsc#1213747).
- scsi: qla2xxx: Fix error code in qla2x00_start_sp() (bsc#1213747).
- scsi: qla2xxx: Fix potential NULL pointer dereference (bsc#1213747).
- scsi: qla2xxx: Fix session hang in gnl (bsc#1213747).
- scsi: qla2xxx: Limit TMF to 8 per function (bsc#1213747).
- scsi: qla2xxx: Pointer may be dereferenced (bsc#1213747).
- scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue (bsc#1213747).
- scsi: qla2xxx: Replace one-element array with DECLARE_FLEX_ARRAY() helper (bsc#1213747).
- scsi: qla2xxx: Silence a static checker warning (bsc#1213747).
- scsi: qla2xxx: Turn off noisy message log (bsc#1213747).
- scsi: qla2xxx: Update version to 10.02.08.400-k (bsc#1213747).
- scsi: qla2xxx: Update version to 10.02.08.500-k (bsc#1213747).
- scsi: qla2xxx: Use vmalloc_array() and vcalloc() (bsc#1213747).
- scsi: qla2xxx: fix inconsistent TMF timeout (bsc#1213747).
- serial: qcom-geni: drop bogus runtime pm state update (git-fixes).
- serial: sifive: Fix sifive_serial_console_setup() section (git-fixes).
- soundwire: qcom: update status correctly with mask (git-fixes).
- staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (git-fixes).
- staging: r8712: Fix memory leak in _r8712_init_xmit_priv() (git-fixes).
- sunrpc: always free ctxt when freeing deferred request (git-fixes).
- sunrpc: double free xprt_ctxt while still in use (git-fixes).
- sunrpc: fix trace_svc_register() call site (git-fixes).
- sunrpc: fix uaf in svc_tcp_listen_data_ready() (git-fixes).
- sunrpc: remove dead code in svc_tcp_release_rqst() (git-fixes).
- sunrpc: remove the maximum number of retries in call_bind_status (git-fixes).
- svcrdma: Prevent page release when nothing was received (git-fixes).
- tpm_tis: Explicitly check for error code (git-fixes).
- tty: n_gsm: fix UAF in gsm_cleanup_mux (git-fixes).
- ubifs: Add missing iput if do_tmpfile() failed in rename whiteout (git-fixes).
- ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers (git-fixes).
- ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work (git-fixes).
- ubifs: Fix AA deadlock when setting xattr for encrypted file (git-fixes).
- ubifs: Fix build errors as symbol undefined (git-fixes).
- ubifs: Fix deadlock in concurrent rename whiteout and inode writeback (git-fixes).
- ubifs: Fix memory leak in alloc_wbufs() (git-fixes).
- ubifs: Fix memory leak in do_rename (git-fixes).
- ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() (git-fixes).
- ubifs: Fix to add refcount once page is set private (git-fixes).
- ubifs: Fix wrong dirty space budget for dirty inode (git-fixes).
- ubifs: Free memory for tmpfile name (git-fixes).
- ubifs: Rectify space amount budget for mkdir/tmpfile operations (git-fixes).
- ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted (git-fixes).
- ubifs: Rectify space budget for ubifs_xrename() (git-fixes).
- ubifs: Rename whiteout atomically (git-fixes).
- ubifs: Reserve one leb for each journal head while doing budget (git-fixes).
- ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 (git-fixes).
- ubifs: rename_whiteout: Fix double free for whiteout_ui->data (git-fixes).
- ubifs: rename_whiteout: correct old_dir size computing (git-fixes).
- ubifs: setflags: Make dirtied_ino_d 8 bytes aligned (git-fixes).
- ubifs: ubifs_writepage: Mark page dirty after writing inode failed (git-fixes).
- usb: dwc3: do not reset device side if dwc3 was configured as host-only (git-fixes).
- usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy (git-fixes).
- usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate (git-fixes).
- usb: xhci-mtk: set the dma max_seg_size (git-fixes).
- vhost: support PACKED when setting-getting vring_base (git-fixes).
- vhost_net: revert upend_idx only on retriable error (git-fixes).
- virtio-net: Maintain reverse cleanup order (git-fixes).
- virtio_net: Fix error unwinding of XDP initialization (git-fixes).
- x86/PVH: obtain VGA console info in Dom0 (git-fixes).
- xen/blkfront: Only check REQ_FUA for writes (git-fixes).
- xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409

This update for pcre2 fixes the following issues:

- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3330-1
Released:    Wed Aug 16 08:59:33 2023
Summary:     Recommended update for python-pyasn1
Type:        recommended
Severity:    important
References:  1207805

This update for python-pyasn1 fixes the following issues:

- To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py (bsc#1207805)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user (bsc#1214054).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3369-1
Released:    Tue Aug 22 11:12:02 2023
Summary:     Security update for python-configobj
Type:        security
Severity:    low
References:  1210070,CVE-2023-26112

This update for python-configobj fixes the following issues:

- CVE-2023-26112: Fixed regular expression denial of service vulnerability in validate.py (bsc#1210070).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3371-1
Released:    Tue Aug 22 13:30:18 2023
Summary:     Recommended update for liblognorm
Type:        recommended
Severity:    moderate
References:

This update for liblognorm fixes the following issues:

- Update to liblognorm v2.0.6 (jsc#PED-4883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3372-1
Released:    Tue Aug 22 13:44:38 2023
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1211757,1213212

This update for rsyslog fixes the following issues:

- Fix removal of imfile state files (bsc#1213212)
- Fix segfaults in modExit() of imklog.c (bsc#1211757)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3395-1
Released:    Wed Aug 23 18:09:24 2023
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1213616,1214082,1214083,CVE-2022-40982,CVE-2023-20569,CVE-2023-20593

This update for xen fixes the following issues:

- CVE-2023-20569: Fixed side channel attack 'Inception' or 'RAS Poisoning' (bsc#1214082, XSA-434).
- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1214083, XSA-435).
- CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information (bsc#1213616, XSA-433).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value (bsc#1213853).
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size (bsc#1213517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844

This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:3413-1
Released:    Thu Aug 24 07:32:09 2023
Summary:     Feature update for LibreOffice and xmlsec1
Type:        feature
Severity:    important
References:  1198666,1200085,1204040,1209242,1210687,1211746,CVE-2023-0950,CVE-2023-2255

This update for LibreOffice and xmlsec1 fixes the following issues:

libreoffice:

- Version update from 7.4.3.2 to 7.5.4.1 (jsc#PED-3561, jsc#PED-3550, jsc#3549):
  * For the highlights of changes of version 7.5 please consult the official release notes: https://wiki.documentfoundation.org/ReleaseNotes/7.5
  * Security issues fixed:
    + CVE-2023-0950: Fixed stack underflow in ScInterpreter (bsc#1209242)
    + CVE-2023-2255: Fixed vulnerability where remote documents could be loaded without prompt via IFrame (bsc#1211746)
  * Bug fixes:
    + Fix PPTX shadow effect for table offset (bsc#1204040)
    + Fix ability to set the default tab size for each text object (bsc#1198666)
    + Fix PPTX extra
vertical space between different text formats (bsc#1200085) + Do not use binutils-gold as the package is unmaintained and will be removed in the future (boo#1210687) * Updated bundled dependencies: * boost version update from 1_77_0 to 1_80_0 * curl version update from 7.83.1 to 8.0.1 * gpgme version update from 1.16.0 to 1.18.0 * icu4c-data version update from 70_1 to 72_1 * icu4c version update from 70_1 to 72_1 * pdfium version update from 4699 to 5408 * poppler version update from 21.11.0 to 22.12.0 xmlsec1: - Version update from 1.2.28 to 1.2.37 required by LibreOffice 7.5.2.2 (jsc#PED-3561, jsc#PED-3550): * Retired the XMLSec mailing list 'xmlsec@aleksey.com' and the XMLSec Online Signature Verifier. * Migration to OpenSSL 3.0 API Note that OpenSSL engines are disabled by default when XMLSec library is compiled against OpenSSL 3.0. To re-enable OpenSSL engines, use `--enable-openssl3-engines` configure flag (there will be a lot of deprecation warnings). * The OpenSSL before 1.1.0 and LibreSSL before 2.7.0 are now deprecated and will be removed in the future versions of XMLSec Library. * Refactored all the integer casts to ensure cast-safety. Fixed all warnings and enabled `-Werror` and `-pedantic` flags on CI builds. * Added configure flag to use size_t for xmlSecSize (currently disabled by default for backward compatibility). * Support for OpenSSL compiled with OPENSSL_NO_ERR. * Full support for LibreSSL 3.5.0 and above * Several other small fixes * Fix decrypting session key for two recipients * Added `--privkey-openssl-engine` option to enhance openssl engine support * Remove MD5 for NSS 3.59 and above * Fix PKCS12_parse return code handling * Fix OpenSSL lookup * xmlSecX509DataGetNodeContent(): don't return 0 for non-empty elements - fix for LibreOffice * Unload error strings in OpenSSL shutdown. * Make userData available when executing preExecCallback function * Add an option to use secure memset. * Enabled XML_PARSE_HUGE for all xml parsers. 
* Various build and tests fixes and improvements. * Move remaining private header files away from xmlsec/include/`` folder - Other packaging changes: * Relax the crypto policies for the test-suite. It allows the tests using certificates with small key lengths to pass. * Pass `--disable-md5` to configure: The cryptographic strength of the MD5 algorithm is sufficiently doubtful that its use is discouraged at this time. It is not listed as an algorithm in [XMLDSIG-CORE1] https://www.w3.org/TR/xmlsec-algorithms/#bib-XMLDSIG-CORE1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3440-1 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Type: security Severity: low References: 1214025,CVE-2023-4156 This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3451-1 Released: Mon Aug 28 12:15:22 2023 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873 This update for systemd fixes the following issues: - Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575) - Decrease devlink priority for iso disks (bsc#1213185) - Do not ignore mount point paths longer than 255 characters (bsc#1208194) - Refuse hibernation if there's no possible way to resume (bsc#1186606) - Update 'korean' and 'arabic' keyboard layouts (bsc#1210702) - Drop some entries no longer needed by YaST (bsc#1194609) - The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741) - Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3452-1 
Released: Mon Aug 28 12:41:11 2023 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: moderate References: 1213951 This update for supportutils-plugin-suse-public-cloud fixes the following issues: - Update from version 1.0.7 to 1.0.8 (bsc#1213951) - Capture CSP billing adapter config and log - Accept upper case Amazon string in DMI table ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3454-1 Released: Mon Aug 28 13:43:18 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1214248 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3461-1 Released: Mon Aug 28 17:25:09 2023 Summary: Security update for freetype2 Type: security Severity: moderate References: 1210419,CVE-2023-2004 This update for freetype2 fixes the following issues: - CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3468-1 Released: Tue Aug 29 09:22:18 2023 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issue: - Rename sources in preparation of python3.11 (jsc#PED-68) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3470-1 Released: Tue Aug 29 10:49:33 2023 Summary: Recommended update for parted Type: recommended Severity: low References: 1182142,1193412 This update for parted fixes the following issues: - fix null pointer dereference (bsc#1193412) - update mkpart options in manpage (bsc#1182142) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). 
----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:3484-1 Released: Tue Aug 29 13:49:29 2023 Summary: Feature update for bind Type: feature Severity: moderate References: 1213049 This update for bind fixes the following issues: - Add dnstap support (jsc#PED-4852, jsc#PED-4853) - Log named-checkconf output (bsc#1213049) - Update to release 9.16.43 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3486-1 Released: Tue Aug 29 14:25:23 2023 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1214071 This update for lvm2 fixes the following issues: - blkdeactivate calls wrong mountpoint cmd (bsc#1214071) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3507-1 Released: Thu Aug 31 19:58:03 2023 Summary: Security update for open-vm-tools Type: security Severity: important References: 1214566,CVE-2023-20900 This update for open-vm-tools fixes the following issues: - CVE-2023-20900: Fixed SAML token signature bypass vulnerability (bsc#1214566). This update also ships a open-vm-tools-containerinfo plugin. 
(jsc#PED-3421) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3514-1 Released: Fri Sep 1 15:48:52 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1158763,1210740,1213231,1213557,1213673 This update for libzypp, zypper fixes the following issues: - Fix occasional isue with downloading very small files (bsc#1213673) - Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231) - Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763) - Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740) - Revised explanation of --force-resolution in man page (bsc#1213557) - Print summary hint if policies were violated due to --force-resolution (bsc#1213557) The following package changes have been done: - apparmor-abstractions-3.0.4-150400.5.6.1 updated - apparmor-parser-3.0.4-150400.5.6.1 updated - audit-3.0.6-150400.4.13.1 updated - bind-utils-9.16.43-150400.5.34.1 updated - blog-2.26-150300.4.6.1 updated - ca-certificates-mozilla-2.62-150200.30.1 updated - cloud-init-config-suse-23.1-150100.8.66.1 updated - cloud-init-23.1-150100.8.66.1 updated - gawk-4.2.1-150000.3.3.1 updated - kernel-default-5.14.21-150400.24.81.1 updated - krb5-1.19.2-150400.3.6.1 updated - libapparmor1-3.0.4-150400.5.6.1 updated - libaudit1-3.0.6-150400.4.13.1 updated - libauparse0-3.0.6-150400.4.13.1 updated - libblkid1-2.37.2-150400.8.20.1 updated - libblogger2-2.26-150300.4.6.1 updated - libcryptsetup12-2.4.3-150400.3.3.1 updated - libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated - libfdisk1-2.37.2-150400.8.20.1 updated - libfreetype6-2.10.4-150000.4.15.1 updated - libfstrm0-0.6.1-150300.9.3.1 added - liblognorm5-2.0.6-150000.3.3.1 updated - libmount1-2.37.2-150400.8.20.1 updated - libopenssl1_1-1.1.1l-150400.7.53.1 updated - libparted0-3.2-150300.21.3.1 updated - libpcre2-8-0-10.39-150400.4.9.1 updated - libprocps7-3.3.15-150000.7.34.1 updated - 
libprotobuf-c1-1.3.2-150200.3.6.1 added - libsmartcols1-2.37.2-150400.8.20.1 updated - libsystemd0-249.16-150400.8.33.1 updated - libudev1-249.16-150400.8.33.1 updated - libuuid1-2.37.2-150400.8.20.1 updated - libvmtools0-12.2.0-150300.33.1 updated - libxmlsec1-1-1.2.37-150400.14.3.4 updated - libxmlsec1-openssl1-1.2.37-150400.14.3.4 updated - libyajl2-2.1.0-150000.4.6.1 updated - libzypp-17.31.20-150400.3.40.1 updated - login_defs-4.8.1-150400.10.9.1 updated - open-vm-tools-12.2.0-150300.33.1 updated - openssl-1_1-1.1.1l-150400.7.53.1 updated - parted-3.2-150300.21.3.1 updated - procps-3.3.15-150000.7.34.1 updated - python-instance-billing-flavor-check-0.0.2-150000.1.3.1 added - python3-apipkg-1.4-150000.3.6.1 updated - python3-bind-9.16.43-150400.5.34.1 updated - python3-configobj-5.0.6-150000.3.3.1 updated - python3-cssselect-1.0.3-150000.3.3.1 added - python3-lxml-4.7.1-150200.3.10.1 added - python3-more-itertools-8.10.0-150400.5.69 updated - python3-ordered-set-4.0.2-150400.8.34 updated - python3-pyOpenSSL-21.0.0-150400.7.62 updated - python3-pyasn1-0.4.2-150000.3.5.1 updated - rsyslog-module-relp-8.2306.0-150400.5.18.1 updated - rsyslog-8.2306.0-150400.5.18.1 updated - shadow-4.8.1-150400.10.9.1 updated - supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1 updated - system-group-audit-3.0.6-150400.4.13.1 updated - systemd-sysvinit-249.16-150400.8.33.1 updated - systemd-249.16-150400.8.33.1 updated - udev-249.16-150400.8.33.1 updated - util-linux-systemd-2.37.2-150400.8.20.1 updated - util-linux-2.37.2-150400.8.20.1 updated - vim-data-common-9.0.1572-150000.5.49.1 updated - vim-9.0.1572-150000.5.49.1 updated - xen-libs-4.16.5_02-150400.4.31.1 updated - zypper-1.14.63-150400.3.29.1 updated