Image summary for SUSE:SLE-15-SP3:Update:QR:QU3

SUSE-IU-2000:21-1

Container Advisory ID	SUSE-IU-2000:21-1
Container Tags	SUSE:SLE-15-SP3:3
Container Release

The following patches have been included in this update:

Advisory ID	SUSE-SU-2021:3387-1
Released	Tue Oct 12 17:09:16 2021
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3759,CVE-2021-3764,CVE-2021-40490

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.
The following security bugs were fixed:

CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)
CVE-2021-3759: Unaccounted ipc objects in Linux kernel could have lead to breaking memcg limits and DoS attacks (bsc#1190115).

The following non-security bugs were fixed:

ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
ASoC: Intel: Fix platform ID matching (git-fixes).
ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
ASoC: rt5682: Implement remove callback (git-fixes).
ASoC: rt5682: Properly turn off regulators if wrong device ID (git-fixes).
ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (git-fixes).
ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
ath9k: fix sleeping in atomic context (git-fixes).
backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
bareudp: Fix invalid read beyond skb's linear data (jsc#SLE-15172).
blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
blk-mq: mark if one queue map uses managed irq (bsc#1185762).
blk-mq: mark if one queue map uses managed irq (bsc#1185762).
Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
bnxt_en: Add missing DMA memory barriers (git-fixes).
bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
bnxt_en: Fix asic.rev in devlink dev info command (jsc#SLE-16649).
bnxt_en: fix stored FW_PSID version masks (jsc#SLE-16649).
bnxt_en: Store the running firmware version code (git-fixes).
bnxt: count Tx drops (git-fixes).
bnxt: disable napi before canceling DIM (git-fixes).
bnxt: do not lock the tx queue from napi poll (git-fixes).
bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (git-fixes).
bpf: Fix ringbuf helper function compatibility (git-fixes).
bpftool: Add sock_release help info for cgroup attach/prog load command (bsc#1177028).
btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
console: consume APC, DM, DCS (git-fixes).
cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() (bsc#1185550 ltc#192610 git-fixes jsc#SLE-18128).
cuse: fix broken release (bsc#1190596).
cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
devlink: Clear whole devlink_flash_notify struct (bsc#1176447).
dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER (git-fixes).
dmaengine: ioat: depends on !UML (git-fixes).
dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
docs: Fix infiniband uverbs minor number (git-fixes).
drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
drm/amdgpu: Fix BUG_ON assert (git-fixes).
drm/ast: Fix missing conversions to managed API (git-fixes).
drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
drm/i915: Allow the sysadmin to override security mitigations (git-fixes).
drm/i915/rkl: Remove require_force_probe protection (bsc#1189257).
drm/ingenic: Switch IPU plane to type OVERLAY (git-fixes).
drm/mgag200: Select clock in PLL update functions (git-fixes).
drm/msm/mdp4: move HW revision detection to earlier phase (git-fixes).
drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (git-fixes).
drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
drm/pl111: depend on CONFIG_VEXPRESS_CONFIG (git-fixes).
drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused (git-fixes).
e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1190138).
EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
enetc: Fix uninitialized struct dim_sample field usage (git-fixes).
erofs: fix up erofs_lookup tracepoint (git-fixes).
fbmem: do not allow too huge resolutions (git-fixes).
fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
fpga: machxo2-spi: Return an error on failure (git-fixes).
fuse: flush extending writes (bsc#1190595).
fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
genirq: add device_has_managed_msi_irq (bsc#1185762).
genirq: add device_has_managed_msi_irq (bsc#1185762).
gpio: uniphier: Fix void functions to remove return value (git-fixes).
gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
hwmon: (tmp421) fix rounding for negative values (git-fixes).
hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
i40e: Add additional info to PHY type error (git-fixes).
i40e: Fix firmware LLDP agent related warning (git-fixes).
i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
i40e: Fix logic of disabling queues (git-fixes).
i40e: Fix queue-to-TC mapping on Tx (git-fixes).
i40e: improve locking of mac_filter_hash (jsc#SLE-13701).
iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
iavf: Set RSS LUT and key in reset handle path (git-fixes).
IB/hfi1: Indicate DMA wait when txq is queued for wakeup (jsc#SLE-13208).
ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
ice: do not abort devlink info if board identifier can't be found (jsc#SLE-12878).
ice: do not remove netdev->dev_addr from uc sync list (git-fixes).
ice: Prevent probing virtual functions (git-fixes).
igc: Use num_tx_queues when iterating over tx_ring queue (jsc#SLE-13533).
iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
ionic: cleanly release devlink instance (bsc#1167773).
ionic: cleanly release devlink instance (bsc#1167773).
ionic: count csum_none when offload enabled (bsc#1167773).
ionic: drop useless check of PCI driver data validity (bsc#1167773).
ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
ipc/util.c: use binary search for max_idx (bsc#1159886).
ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
ipvs: avoid expiring many connections from timer (bsc#1190467).
ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (git-fixes).
iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
libata: fix ata_host_start() (git-fixes).
libbpf: Fix removal of inner map in bpf_object__create_map (git-fixes).
libbpf: Fix the possible memory leak on error (git-fixes).
mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
mac80211: mesh: fix potentially unaligned access (git-fixes).
media: cedrus: Fix SUNXI tile size calculation (git-fixes).
media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
media: dib8000: rewrite the init prbs logic (git-fixes).
media: imx258: Limit the max analogue gain to 480 (git-fixes).
media: imx258: Rectify mismatch of VTS value (git-fixes).
media: rc-loopback: return number of emitters rather than error (git-fixes).
media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
media: uvc: do not do DMA on stack (git-fixes).
media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
misc: sram: Only map reserved areas in Tegra SYSRAM (git-fixes).
misc: sram: use devm_platform_ioremap_resource_wc() (git-fixes).
mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
mmc: sdhci: Fix issue with uninitialized dma_slave_config (git-fixes).
net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases (git-fixes).
net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
net/mlx5: Fix flow table chaining (git-fixes).
net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (jsc#SLE-15172).
net/mlx5: Fix return value from tracer initialization (git-fixes).
net/mlx5: Unload device upon firmware fatal error (git-fixes).
net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
nfp: update ethtool reporting of pauseframe control (git-fixes).
NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
NFS: pass cred explicitly for access tests (bsc#1190746).
nvme-multipath: revalidate paths during rescan (bsc#1187211).
nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
nvme: avoid race in shutdown namespace removal (bsc#1188067).
nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
optee: Fix memory leak when failing to register shm pages (git-fixes).
parport: remove non-zero check on count (git-fixes).
PCI: aardvark: Fix checking for PIO status (git-fixes).
PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
PCI: Add AMD GPU multi-function power dependencies (git-fixes).
PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
PCI: of: Do not fail devm_pci_alloc_host_bridge() on missing 'ranges' (git-fixes).
PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
phy: tegra: xusb: Fix dangling pointer on probe failure (git-fixes).
PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
PM: EM: Increase energy calculation precision (git-fixes).
power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
powerpc/numa: Consider the max NUMA node for migratable LPAR (bsc#1190544 ltc#194520).
powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
powerpc/perf: Fix the check for SIAR value (bsc#1065729).
powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
pwm: img: Do not modify HW state in .remove() callback (git-fixes).
pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
RDMA/hns: Fix QP's resp incomplete assignment (jsc#SLE-14777).
RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently (jsc#SLE-15175).
RDMA/mlx5: Delete not-available udata check (jsc#SLE-15175).
RDMA/rtrs: Remove a useless kfree() (jsc#SLE-15176).
Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
regmap: fix page selection for noinc reads (git-fixes).
regmap: fix page selection for noinc writes (git-fixes).
regmap: fix the offset of register error log (git-fixes).
Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
rpm/kernel-binary.spec: Use only non-empty certificates.
rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
rtc: rx8010: select REGMAP_I2C (git-fixes).
rtc: tps65910: Correct driver module alias (git-fixes).
s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
sch_cake: fix srchost/dsthost hashing mode (bsc#1176447).
sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
scsi: fc: Add EDC ELS definition (bsc#1190576).
scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
scsi: lpfc: Add EDC ELS support (bsc#1190576).
scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
scsi: lpfc: Add support for the CM framework (bsc#1190576).
scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
scsi: lpfc: Remove unneeded variable (bsc#1190576).
scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
scsi/fc: kABI fixes for new ELS_EDC, ELS_RDP definition (bsc#1171688 bsc#1174003 bsc#1190576).
selftests/bpf: Define string const as global for test_sysctl_prog.c (git-fixes).
selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (git-fixes).
selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change (git-fixes).
selftests/bpf: Whitelist test_progs.h from .gitignore (git-fixes).
serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
serial: sh-sci: fix break handling for sysrq (git-fixes).
spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
tools: bpf: Fix error in 'make -C tools/ bpf_install' (git-fixes).
tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
tty: synclink_gt, drop unneeded forward declarations (git-fixes).
usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
usb: core: hcd: Add support for deferring roothub registration (git-fixes).
usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
usb: serial: option: add Telit LN920 compositions (git-fixes).
usb: serial: option: remove duplicate USB device ID (git-fixes).
usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
vmxnet3: prepare for version 6 changes (bsc#1190406).
vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
vmxnet3: set correct hash type based on rss information (bsc#1190406).
vmxnet3: update to version 6 (bsc#1190406).
watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1190561).
x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
x86/asm: Fix SETZ size enqcmds() build failure (bsc#1178134).
x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Advisory ID	SUSE-RU-2021:3589-1
Released	Mon Nov 1 19:27:52 2021
Summary	Recommended update for apparmor
Type	recommended
Severity	moderate
References	1191690

Description:

This update for apparmor fixes the following issues:

Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

Advisory ID	SUSE-SU-2021:3675-1
Released	Tue Nov 16 17:47:44 2021
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1085030,1089118,1094840,1133021,1152472,1152489,1154353,1156395,1157177,1167773,1172073,1173604,1176447,1176774,1176914,1176940,1178134,1180100,1180749,1181147,1184673,1185762,1186063,1186109,1187167,1188563,1188601,1189841,1190006,1190067,1190349,1190351,1190479,1190620,1190642,1190795,1190801,1190941,1191229,1191240,1191241,1191315,1191317,1191349,1191384,1191449,1191450,1191451,1191452,1191455,1191456,1191628,1191645,1191663,1191731,1191800,1191851,1191867,1191934,1191958,1191980,1192040,1192041,1192074,1192107,1192145,1192229,1192267,1192288,1192549,CVE-2021-33033,CVE-2021-34866,CVE-2021-3542,CVE-2021-3655,CVE-2021-3715,CVE-2021-37159,CVE-2021-3760,CVE-2021-3772,CVE-2021-3896,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739,CVE-2021-43056,CVE-2021-43389

Description:

The following security bugs were fixed:

CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
CVE-2021-3655: Fixed a missing size validations on inbound SCTP packets, which may have allowed the kernel to read uninitialized memory (bsc#1188563).
CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
CVE-2021-3896: Fixed a array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (bsc#1191958).
CVE-2021-33033: Fixed a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled (bsc#1186109).
CVE-2021-34866: Fixed eBPF Type Confusion Privilege Escalation Vulnerability (bsc#1191645).
CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c called without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
CVE-2021-41864: Fixed prealloc_elems_and_freelist that allowed unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write (bnc#1191317).
CVE-2021-42008: Fixed a slab out-of-bounds write in the decode_data function in drivers/net/hamradio/6pack.c. Input from a process that had the CAP_NET_ADMIN capability could have lead to root access (bsc#1191315).
CVE-2021-42252: Fixed an issue inside aspeed_lpc_ctrl_mmap that could have allowed local attackers to access the Aspeed LPC control interface to overwrite memory in the kernel and potentially execute privileges (bnc#1190479).
CVE-2021-42739: The firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
CVE-2021-43056: Fixed possible KVM host crash via malicious KVM guest on Power8 (bnc#1192107).
CVE-2021-43389: There was an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).

The following non-security bugs were fixed:

acpi/arm64: fix next_platform_timer() section mismatch error (git-fixes).
ACPI: bgrt: Fix CFI violation (git-fixes).
ACPI: fix NULL pointer dereference (git-fixes).
ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect (git-fixes).
Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
ALSA: hda: avoid write to STATESTS if controller is in reset (git-fixes).
ALSA: hda - Enable headphone mic on Dell Latitude laptops with ALC3254 (git-fixes).
ALSA: hda: intel: Allow repeatedly probing on codec configuration errors (bsc#1190801).
ALSA: hda/realtek: Add quirk for Clevo PC50HS (git-fixes).
ALSA: hda/realtek: Add quirk for Clevo X170KM-G (git-fixes).
ALSA: hda/realtek: Add quirk for TongFang PHxTxX1 (git-fixes).
ALSA: hda/realtek - ALC236 headset MIC recording issue (git-fixes).
ALSA: hda/realtek: Complete partial device name to avoid ambiguity (git-fixes).
ALSA: hda/realtek: Enable 4-speaker output for Dell Precision 5560 laptop (git-fixes).
ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 (git-fixes).
ALSA: hda/realtek: Fix mic mute LED for the HP Spectre x360 14 (git-fixes).
ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW (git-fixes).
ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops (git-fixes).
ALSA: hda: Reduce udelay() at SKL+ position reporting (git-fixes).
ALSA: hda: Use position buffer for SKL+ again (git-fixes).
ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl (git-fixes).
ALSA: seq: Fix a potential UAF by wrong private_free call order (git-fixes).
ALSA: ua101: fix division by zero at probe (git-fixes).
ALSA: uapi: Fix a C++ style comment in asound.h (git-fixes).
ALSA: usb-audio: Add quirk for VF0770 (git-fixes).
ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset (git-fixes).
ASoC: atmel: ATMEL drivers do not need HAS_DMA (git-fixes).
ASoC: cs42l42: Correct some register default values (git-fixes).
ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER (git-fixes).
ASoC: cs42l42: Do not set defaults for volatile registers (git-fixes).
ASoC: DAPM: Fix missing kctl change notifications (git-fixes).
ASoC: dapm: use component prefix when checking widget names (git-fixes).
ASoC: dt-bindings: cs42l42: Correct description of ts-inv (git-fixes).
ASoC: fsl_spdif: register platform component before registering cpu dai (git-fixes).
ASoC: Intel: bytcr_rt5640: Move 'Platform Clock' routes to the maps for the matching in-/output (git-fixes).
ASoC: Intel: Skylake: Fix module configuration for KPB and MIXER (git-fixes).
ASoC: Intel: Skylake: Fix passing loadable flag for module (git-fixes).
ASoC: Intel: sof_sdw: tag SoundWire BEs as non-atomic (git-fixes).
ASoC: mediatek: mt8195: Remove unsued irqs_lock (git-fixes).
ASoC: rockchip: Use generic dmaengine code (git-fixes).
ASoC: SOF: imx: imx8: Bar index is only valid for IRAM and SRAM types (git-fixes).
ASoC: SOF: imx: imx8m: Bar index is only valid for IRAM and SRAM types (git-fixes).
ASoC: SOF: loader: release_firmware() on load failure to avoid batching (git-fixes).
ASoC: SOF: topology: do not power down primary core during topology removal (git-fixes).
ASoC: topology: Fix stub for snd_soc_tplg_component_remove() (git-fixes).
ASoC: wm8960: Fix clock configuration on slave mode (git-fixes).
ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() (git-fixes).
ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() (git-fixes).
ata: sata_mv: Fix the error handling of mv_chip_id() (git-fixes).
ath10k: fix control-message timeout (git-fixes).
ath10k: fix division by zero in send path (git-fixes).
ath10k: fix max antenna gain unit (git-fixes).
ath10k: Fix missing frame timestamp for beacon/probe-resp (git-fixes).
ath10k: sdio: Add missing BH locking around napi_schdule() (git-fixes).
ath6kl: fix control-message timeout (git-fixes).
ath6kl: fix division by zero in send path (git-fixes).
ath9k: Fix potential interrupt storm on queue reset (git-fixes).
audit: fix possible null-pointer dereference in audit_filter_rules (git-fixes).
b43: fix a lower bounds test (git-fixes).
b43legacy: fix a lower bounds test (git-fixes).
bfq: Remove merged request already in bfq_requests_merged() (bsc#1191456).
blk: Fix lock inversion between ioc lock and bfqd lock (bsc#1191456).
blktrace: Fix uaf in blk_trace access after removing by sysfs (bsc#1191452).
block: bfq: fix bfq_set_next_ioprio_data() (bsc#1191451).
Bluetooth: btmtkuart: fix a memleak in mtk_hci_wmt_sync (git-fixes).
Bluetooth: fix init and cleanup of sco_conn.timeout_work (git-fixes).
bnxt_en: Fix TX timeout when TX ring size is set to the smallest (git-fixes).
bnxt_en: make bnxt_free_skbs() safe to call after bnxt_free_mem() (jsc#SLE-16649).
bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h (git-fixes).
bpf: Fix a typo of reuseport map in bpf.h (git-fixes).
bpf: Fix OOB read when printing XDP link fdinfo (git-fixes).
bpf: Fix up bpf_skb_adjust_room helper's skb csum setting (git-fixes).
can: dev: can_restart: fix use after free bug (git-fixes).
can: peak_pci: peak_pci_remove(): fix UAF (git-fixes).
can: peak_usb: fix use after free bugs (git-fixes).
can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification (git-fixes).
can: rcar_can: fix suspend/resume (git-fixes).
can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in error path (git-fixes).
can: xilinx_can: handle failure cases of pm_runtime_get_sync (git-fixes).
cb710: avoid NULL pointer subtraction (git-fixes).
ceph: fix handling of 'meta' errors (bsc#1192041).
ceph: skip existing superblocks that are blocklisted or shut down when mounting (bsc#1192040).
cfg80211: correct bridge/4addr mode check (git-fixes).
cfg80211: fix management registrations locking (git-fixes).
cfg80211: scan: fix RCU in cfg80211_add_nontrans_list() (git-fixes).
Configure mpi3mr as currently unsupported (jsc#SLE-18120)
cpuidle: pseries: Mark pseries_idle_proble() as __init (jsc#SLE-13614 bsc#1176914 ltc#186394 git-fixes).
driver core: add a min_align_mask field to struct device_dma_parameters (bsc#1191851).
drm/amd/display: Pass PCI deviceid into DC (git-fixes).
drm/amdgpu: correct initial cp_hqd_quantum for gfx9 (git-fixes).
drm/amdgpu/display: add quirk handling for stutter mode (git-fixes).
drm/amdgpu: fix gart.bo pin_count leak (git-fixes).
drm/amdgpu: fix warning for overflow check (git-fixes).
drm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits (git-fixes).
drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read (git-fixes).
drm/i915: Fix syncmap memory leak (bsc#1152489) Backporting notes: * context changes in intel_timeline_fini()
drm/msm: Avoid potential overflow in timeout_to_jiffies() (git-fixes).
drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() (git-fixes).
drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling (git-fixes).
drm/msm: Fix null pointer dereference on pointer edp (git-fixes).
drm/msm: Fix potential NULL dereference in DPU SSPP (git-fixes).
drm/msm: potential error pointer dereference in init() (git-fixes).
drm/msm: uninitialized variable in msm_gem_import() (git-fixes).
drm/nouveau: avoid a use-after-free when BO init fails (bsc#1152472)
drm/nouveau/debugfs: fix file release memory leak (git-fixes).
drm/nouveau/kms/nv50-: fix file release memory leak (git-fixes).
drm/nouveau/kms/tu102-: delay enabling cursor until after assign_windows (git-fixes).
drm/panel: olimex-lcd-olinuxino: select CRC32 (git-fixes).
drm/panfrost: Make sure MMU context lifetime is not bound to (bsc#1152472)
drm/sun4i: dw-hdmi: Fix HDMI PHY clock setup (git-fixes).
drm/sun4i: Fix macros in sun8i_csc.h (git-fixes).
drm/ttm: stop calling tt_swapin in vm_access (git-fixes).
drm/v3d: fix wait for TMU write combiner flush (git-fixes).
e1000e: Drop patch to avoid regressions until real fix is available (bsc#1191663).
e1000e: Fix packet loss on Tiger Lake and later (git-fixes).
e100: fix buffer overrun in e100_get_regs (git-fixes).
e100: fix length calculation in e100_get_regs_len (git-fixes).
e100: handle eeprom as little endian (git-fixes).
EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh (bsc#1192288).
ext4: fix reserved space counter leakage (bsc#1191450).
ext4: report correct st_size for encrypted symlinks (bsc#1191449).
firmware/psci: fix application of sizeof to pointer (git-fixes).
fscrypt: add fscrypt_symlink_getattr() for computing st_size (bsc#1191449).
fs, mm: fix race in unlinking swapfile (bsc#1191455).
ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP (bsc#1152489).
gpio: pca953x: Improve bias setting (git-fixes).
gve: Avoid freeing NULL pointer (git-fixes).
gve: Correct available tx qpl check (git-fixes).
gve: fix gve_get_stats() (git-fixes).
gve: Properly handle errors in gve_assign_qpl (bsc#1176940).
gve: report 64bit tx_bytes counter from gve_handle_report_stats() (bsc#1176940).
HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS (git-fixes).
HID: betop: fix slab-out-of-bounds Write in betop_probe (git-fixes).
HID: u2fzero: ignore incomplete packets without data (git-fixes).
HID: usbhid: free raw_report buffers in usbhid_stop (git-fixes).
HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs (git-fixes).
hso: fix bailout in error case of probe (git-fixes).
hwmon: Fix possible memleak in __hwmon_device_register() (git-fixes).
hwmon: (pmbus/lm25066) Add offset coefficients (git-fixes).
hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff (git-fixes).
hwrng: mtk - Force runtime pm ops for sleep ops (git-fixes).
i2c: acpi: fix resource leak in reconfiguration device addition (git-fixes).
i40e: Fix ATR queue selection (git-fixes).
i40e: fix endless loop under rtnl (git-fixes).
i40e: Fix freeing of uninitialized misc IRQ vector (git-fixes).
iavf: fix double unlock of crit_lock (git-fixes).
ibmvnic: delay complete() (bsc#1094840 ltc#167098 git-fixes).
ice: Add missing E810 device ids (jsc#SLE-7966 bsc#1157177).
ice: fix getting UDP tunnel entry (jsc#SLE-12878).
ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition (bsc#1191241).
iio: adc128s052: Fix the error handling path of 'adc128_probe()' (git-fixes).
iio: adc: aspeed: set driver data when adc probe (git-fixes).
iio: dac: ti-dac5571: fix an error code in probe() (git-fixes).
iio: light: opt3001: Fixed timeout error when 0 lux (git-fixes).
iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED (git-fixes).
iio: ssp_sensors: add more range checking in ssp_parse_dataframe() (git-fixes).
iio: ssp_sensors: fix error code in ssp_print_mcu_debug() (git-fixes).
Input: i8042 - Add quirk for Fujitsu Lifebook T725 (bsc#1191980).
Input: snvs_pwrkey - add clk handling (git-fixes).
Input: xpad - add support for another USB ID of Nacon GC-100 (git-fixes).
ionic: do not remove netdev->dev_addr when syncing uc list (bsc#1167773).
ipv6/netfilter: Discard first fragment not including all headers (bsc#1191241).
IPv6: reply ICMP error if the first fragment do not include all headers (bsc#1191241).
isdn: cpai: check ctr->cnr to avoid array index out of bound (git-fixes).
isdn: mISDN: Fix sleeping function called from invalid context (git-fixes).
iwlwifi: mvm: fix some kerneldoc issues (git-fixes).
iwlwifi: pcie: add configuration of a Wi-Fi adapter on Dell XPS 15 (git-fixes).
ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup (git-fixes).
kabi: block: Fix kabi of blk_mq_sched_try_insert_merge() (bsc#1191456).
kABI: Fix kABI after 36950f2da1ea (bsc#1191851).
kABI workaround for cfg80211 mgmt_registration_lock changes (git-fixes).
kABI workaround for HD-audio probe retry changes (bsc#1190801).
kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167).
kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as well. Fixes: e98096d5cf85 ('rpm: Abolish scritplet templating (bsc#1189841).')
kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229).
KVM: PPC: Book3S HV: Fix copy_tofrom_guest routines (jsc#SLE-12936 git-fixes).
KVM: PPC: Book3S HV Nested: Reflect guest PMU in-use to L0 when guest SPRs are live (bsc#1156395).
KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state (bsc#1156395).
KVM: PPC: Book3S HV: Save host FSCR in the P7/8 path (bsc#1065729).
KVM: PPC: Book3S HV: Tolerate treclaim. in fake-suspend mode changing registers (bsc#1156395).
KVM: PPC: Fix clearing never mapped TCEs in realmode (bsc#1156395).
KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak (bsc#1156395).
KVM: s390: extend kvm_s390_shadow_fault to return entry pointer (bsc#1133021).
KVM: s390: index kvm->arch.idle_mask by vcpu_idx (bsc#1133021).
KVM: s390: split kvm_s390_logical_to_effective (bsc#1133021).
KVM: s390: VSIE: correctly handle MVPG when in VSIE (bsc#1133021).
lan78xx: select CRC32 (git-fixes).
libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD (git-fixes).
libertas: Fix possible memory leak in probe and disconnect (git-fixes).
libertas_tf: Fix possible memory leak in probe and disconnect (git-fixes).
mac80211: check return value of rhashtable_init (git-fixes).
mac80211: Drop frames from invalid MAC address in ad-hoc mode (git-fixes).
media: cedrus: Fix SUNXI tile size calculation (git-fixes).
media: cx23885: Fix snd_card_free call on null card pointer (git-fixes).
media: cxd2880-spi: Fix a null pointer dereference on error handling path (git-fixes).
media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() (git-fixes).
media: dvb-usb: fix ununit-value in az6027_rc_query (git-fixes).
media: em28xx: add missing em28xx_close_extension (git-fixes).
media: em28xx: Do not use ops->suspend if it is NULL (git-fixes).
media: i2c: ths8200 needs V4L2_ASYNC (git-fixes).
media: ite-cir: IR receiver stop working after receive overflow (git-fixes).
media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()' (git-fixes).
media: mxl111sf: change mutex_init() location (git-fixes).
media: radio-wl1273: Avoid card name truncation (git-fixes).
media: si470x: Avoid card name truncation (git-fixes).
media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init (git-fixes).
media: TDA1997x: handle short reads of hdmi info frame (git-fixes).
media: tm6000: Avoid card name truncation (git-fixes).
media: v4l2-ioctl: Fix check_ext_ctrls (git-fixes).
media: v4l2-ioctl: S_CTRL output the right value (git-fixes).
mei: me: add Ice Lake-N device id (git-fixes).
memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe (git-fixes).
memstick: avoid out-of-range warning (git-fixes).
memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() (git-fixes).
mlx5: count all link events (git-fixes).
mlxsw: thermal: Fix out-of-bounds memory accesses (git-fixes).
mmc: dw_mmc: exynos: fix the finding clock sample value (git-fixes).
mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk (git-fixes).
mmc: mxs-mmc: disable regulator on error and in the remove function (git-fixes).
mmc: sdhci: Map more voltage level to SDHCI_POWER_330 (git-fixes).
mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured (git-fixes).
mmc: vub300: fix control-message timeouts (git-fixes).
mt76: mt7615: fix endianness warning in mt7615_mac_write_txwi (git-fixes).
mt76: mt76x02: fix endianness warnings in mt76x02_mac.c (git-fixes).
mt76: mt7915: fix muar_idx in mt7915_mcu_alloc_sta_req() (git-fixes).
mt76: mt7915: fix possible infinite loop release semaphore (git-fixes).
mt76: mt7915: fix sta_rec_wtbl tag len (git-fixes).
mwifiex: fix division by zero in fw download path (git-fixes).
mwifiex: Send DELBA requests according to spec (git-fixes).
net/af_unix: fix a data-race in unix_dgram_poll (bsc#1154353).
net: batman-adv: fix error handling (git-fixes).
net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() (git-fixes).
net: can: ems_usb: fix use-after-free in ems_usb_disconnect() (git-fixes).
net: cdc_eem: fix tx fixup skb leak (git-fixes).
net: cdc_ncm: correct overhead in delayed_ndp_size (git-fixes).
netfilter: conntrack: collect all entries in one cycle (bsc#1173604).
netfilter: Drop fragmented ndisc packets assembled in netfilter (git-fixes).
netfilter: xt_IDLETIMER: fix panic that occurs when timer_type has garbage value (bsc#1176447).
net: hns3: check queue id range before using (jsc#SLE-14777).
net: hns3: fix vf reset workqueue cannot exit (bsc#1154353).
net: hso: add failure handler for add_net_device (git-fixes).
net: hso: fix NULL-deref on disconnect regression (git-fixes).
net: hso: fix null-ptr-deref during tty device unregistration (git-fixes).
net: ipv6: Discard next-hop MTU less than minimum link MTU (bsc#1191241).
net: lan78xx: fix division by zero in send path (git-fixes).
net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800).
net/mlx4_en: Do not allow aRFS for encapsulated packets (git-fixes).
net/mlx4_en: Resolve bad operstate value (git-fixes).
net/mlx5e: IPSEC RX, enable checksum complete (jsc#SLE-15172).
net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp (git-fixes).
net/mlx5e: RX, Avoid possible data corruption when relaxed ordering and LRO combined (jsc#SLE-15172).
net/mlx5: E-Switch, Fix double allocation of acl flow counter (jsc#SLE-15172).
net/mlx5: Fix unpublish devlink parameters (jsc#SLE-8464).
net/mlx5: FWTrace, cancel work on alloc pd error flow (git-fixes).
net/sched: ets: fix crash when flipping from 'strict' to 'quantum' (bsc#1176774).
net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() (git-fixes).
NFC: digital: fix possible memory leak in digital_in_send_sdd_req() (git-fixes).
NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() (git-fixes).
nfc: fix error handling of nfc_proto_register() (git-fixes).
nfc: port100: fix using -ERRNO as command type mask (git-fixes).
nfs: dir_cookie is a pointer to the cookie in older kernels, not the cookie itself. (bsc#1191628 bsc#1192549).
NFS: Do uncached readdir when we're seeking a cookie in an empty page cache (bsc#1191628).
nvme: add command id quirk for apple controllers (git-fixes).
nvme-fc: avoid race between time out and tear down (bsc#1185762).
nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (bsc#1185762).
nvme-fc: update hardware queues before using them (bsc#1185762).
nvme-pci: Fix abort command id (git-fixes).
nvme-pci: fix error unwind in nvme_map_data (bsc#1191934).
nvme-pci: refactor nvme_unmap_data (bsc#1191934).
nvme-pci: set min_align_mask (bsc#1191851).
ocfs2: fix data corruption after conversion from inline format (bsc#1190795).
pata_legacy: fix a couple uninitialized variable bugs (git-fixes).
PCI: Fix pci_host_bridge struct device release/free handling (git-fixes).
phy: mdio: fix memory leak (git-fixes).
platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call (git-fixes).
platform/mellanox: mlxreg-io: Fix read access of n-bytes size attributes (git-fixes).
platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from run_smbios_call (git-fixes).
platform/x86: intel_scu_ipc: Fix busy loop expiry time (git-fixes).
platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning (git-fixes).
PM / devfreq: rk3399_dmc: Add missing of_node_put() (git-fixes).
PM / devfreq: rk3399_dmc: Disable devfreq-event device when fails (git-fixes).
PM / devfreq: rk3399_dmc: Fix kernel oops when rockchip,pmu is absent (git-fixes).
PM / devfreq: rk3399_dmc: Fix spelling typo (git-fixes).
PM / devfreq: rk3399_dmc: Remove unneeded semicolon (git-fixes).
PM: sleep: Do not let 'syscore' devices runtime-suspend during system transitions (git-fixes).
powerpc/64s: Fix entry flush patching w/strict RWX & hash (jsc#SLE-13847 git-fixes).
powerpc/64s: Fix stf mitigation patching w/strict RWX & hash (jsc#SLE-13847 git-fixes).
powerpc/64s: Remove irq mask workaround in accumulate_stolen_time() (jsc#SLE-9246 git-fixes).
powerpc/bpf: Fix BPF_MOD when imm == 1 (bsc#1065729).
powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 (bsc#1065729).
powerpc/bpf: Use bctrl for making function calls (bsc#1065729).
powerpc: Do not dereference code as 'struct ppc_inst' (uprobe, code-patching, feature-fixups) (jsc#SLE-13847 git-fixes).
powerpc: Do not use 'struct ppc_inst' to reference instruction location (jsc#SLE-13847 git-fixes).
powerpc/lib/code-patching: Do not use struct 'ppc_inst' for runnable code in tests (jsc#SLE-13847 git-fixes).
powerpc/lib/code-patching: Make instr_is_branch_to_addr() static (jsc#SLE-13847 git-fixes).
powerpc/lib: Fix emulate_step() std test (bsc#1065729).
powerpc: Move arch_cpu_idle_dead() into smp.c (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/numa: Update cpu_cpu_map on CPU online/offline (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/pseries: Fix build error when NUMA=n (bsc#1190620 ltc#194498 git-fixes).
powerpc/smp: Cache CPU to chip lookup (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/smp: Enable CACHE domain for shared processor (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/smp: Fix a crash while booting kvm guest with nr_cpus=2 (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/smp: Fold cpu_die() into its only caller (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/smp: Set numa node before updating mask (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/smp: Update cpu_core_map on all PowerPc systems (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
powerpc/uprobes: Validation for prefixed instruction (jsc#SLE-13847 git-fixes).
powerpc/xive: Discard disabled interrupts in get_irqchip_state() (bsc#1085030 git-fixes).
pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init (git-fixes).
ptp_pch: Load module automatically if ID matches (git-fixes).
ptp_pch: Restore dependency on PCI (git-fixes).
qed: Fix missing error code in qed_slowpath_start() (git-fixes).
qed: Handle management FW error (git-fixes).
qed: rdma - do not wait for resources under hw error recovery flow (git-fixes).
RDMA/cma: Do not change route.addr.src_addr.ss_family (bsc#1181147).
RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure (bsc#1181147).
regmap: Fix possible double-free in regcache_rbtree_exit() (git-fixes).
regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property (git-fixes).
regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled (git-fixes).
rpm: fix kmp install path
rpm: use _rpmmacrodir (boo#1191384)
rsi: fix control-message timeout (git-fixes).
rsi: Fix module dev_oper_mode parameter description (git-fixes).
rsi: stop thread firstly in rsi_91x_init() error handling (git-fixes).
rtl8187: fix control-message timeouts (git-fixes).
scsi: ibmvfc: Fix up duplicate response detection (bsc#1191867 ltc#194757).
scsi: iscsi: Fix deadlock on recovery path during GFP_IO reclaim (git-fixes).
scsi: lpfc: Allow fabric node recovery if recovery is in progress before devloss (bsc#1192145).
scsi: lpfc: Allow PLOGI retry if previous PLOGI was aborted (bsc#1192145).
scsi: lpfc: Correct sysfs reporting of loop support after SFP status change (bsc#1192145).
scsi: lpfc: Fix link down processing to address NULL pointer dereference (bsc#1192145).
scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling (bsc#1191349).
scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine (bsc#1192145).
scsi: lpfc: Revert LOG_TRACE_EVENT back to LOG_INIT prior to driver_resource_setup() (bsc#1192145).
scsi: lpfc: Update lpfc version to 14.0.0.3 (bsc#1192145).
scsi: lpfc: Wait for successful restart of SLI3 adapter during host sg_reset (bsc#1192145).
scsi: mpi3mr: Add bios_param SCSI host template hook (jsc#SLE-18120).
scsi: mpi3mr: Add change queue depth support (jsc#SLE-18120).
scsi: mpi3mr: Add EEDP DIF DIX support (jsc#SLE-18120).
scsi: mpi3mr: Add event handling debug prints (jsc#SLE-18120).
scsi: mpi3mr: Additional event handling (jsc#SLE-18120).
scsi: mpi3mr: Add mpi30 Rev-R headers and Kconfig (jsc#SLE-18120).
scsi: mpi3mr: Add support for device add/remove event handling (jsc#SLE-18120).
scsi: mpi3mr: Add support for DSN secure firmware check (jsc#SLE-18120).
scsi: mpi3mr: Add support for internal watchdog thread (jsc#SLE-18120).
scsi: mpi3mr: Add support for PCIe device event handling (jsc#SLE-18120).
scsi: mpi3mr: Add support for PM suspend and resume (jsc#SLE-18120).
scsi: mpi3mr: Add support for queue command processing (jsc#SLE-18120).
scsi: mpi3mr: Add support for recovering controller (jsc#SLE-18120).
scsi: mpi3mr: Add support for threaded ISR (jsc#SLE-18120).
scsi: mpi3mr: Add support for timestamp sync with firmware (jsc#SLE-18120).
scsi: mpi3mr: Allow certain commands during pci-remove hook (jsc#SLE-18120).
scsi: mpi3mr: Base driver code (jsc#SLE-18120).
scsi: mpi3mr: Complete support for soft reset (jsc#SLE-18120).
scsi: mpi3mr: Create operational request and reply queue pair (jsc#SLE-18120).
scsi: mpi3mr: Fix error handling in mpi3mr_setup_isr() (git-fixes).
scsi: mpi3mr: Fix missing unlock on error (git-fixes).
scsi: mpi3mr: Hardware workaround for UNMAP commands to NVMe drives (jsc#SLE-18120).
scsi: mpi3mr: Implement SCSI error handler hooks (jsc#SLE-18120).
scsi: mpi3mr: Print IOC info for debugging (jsc#SLE-18120).
scsi: mpi3mr: Print pending host I/Os for debugging (jsc#SLE-18120).
scsi: mpi3mr: Set up IRQs in resume path (jsc#SLE-18120).
scsi: mpi3mr: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (jsc#SLE-18120).
scsi: mpi3mr: Use the proper SCSI midlayer interfaces for PI (jsc#SLE-18120).
scsi: mpi3mr: Wait for pending I/O completions upon detection of VD I/O timeout (jsc#SLE-18120).
scsi: qla2xxx: Add debug print of 64G link speed (bsc#1190941).
scsi: qla2xxx: Add host attribute to trigger MPI hang (bsc#1190941).
scsi: qla2xxx: Add support for mailbox passthru (bsc#1190941).
scsi: qla2xxx: Adjust request/response queue size for 28xx (bsc#1190941).
scsi: qla2xxx: Call process_response_queue() in Tx path (bsc#1190941).
scsi: qla2xxx: Changes to support FCP2 Target (bsc#1190941).
scsi: qla2xxx: Changes to support kdump kernel (bsc#1190941).
scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS (bsc#1190941).
scsi: qla2xxx: Check for firmware capability before creating QPair (bsc#1190941).
scsi: qla2xxx: Display 16G only as supported speeds for 3830c card (bsc#1190941).
scsi: qla2xxx: Do not call fc_block_scsi_eh() during bus reset (bsc#1190941).
scsi: qla2xxx: edif: Add N2N support for EDIF (bsc#1190941).
scsi: qla2xxx: edif: Do secure PLOGI when auth app is present (bsc#1190941).
scsi: qla2xxx: edif: Fix EDIF enable flag (bsc#1190941).
scsi: qla2xxx: edif: Fix returnvar.cocci warnings (bsc#1190941).
scsi: qla2xxx: edif: Fix stale session (bsc#1190941).
scsi: qla2xxx: edif: Reject AUTH ELS on session down (bsc#1190941).
scsi: qla2xxx: edif: Use link event to wake up app (bsc#1190941).
scsi: qla2xxx: Fix crash in NVMe abort path (bsc#1190941).
scsi: qla2xxx: Fix excessive messages during device logout (bsc#1190941).
scsi: qla2xxx: Fix hang during NVMe session tear down (bsc#1190941).
scsi: qla2xxx: Fix hang on NVMe command timeouts (bsc#1190941).
scsi: qla2xxx: Fix kernel crash when accessing port_speed sysfs file (bsc#1190941).
scsi: qla2xxx: Fix NPIV create erroneous error (bsc#1190941).
scsi: qla2xxx: Fix NVMe | FCP personality change (bsc#1190941).
scsi: qla2xxx: Fix NVMe retry (bsc#1190941).
scsi: qla2xxx: Fix NVMe session down detection (bsc#1190941).
scsi: qla2xxx: Fix port type info (bsc#1190941).
scsi: qla2xxx: Fix unsafe removal from linked list (bsc#1190941).
scsi: qla2xxx: Fix use after free in eh_abort path (bsc#1190941).
scsi: qla2xxx: Move heartbeat handling from DPC thread to workqueue (bsc#1190941).
scsi: qla2xxx: Open-code qla2xxx_eh_device_reset() (bsc#1190941).
scsi: qla2xxx: Open-code qla2xxx_eh_target_reset() (bsc#1190941).
scsi: qla2xxx: Remove redundant initialization of pointer req (bsc#1190941).
scsi: qla2xxx: Restore initiator in dual mode (bsc#1190941).
scsi: qla2xxx: Show OS name and version in FDMI-1 (bsc#1190941).
scsi: qla2xxx: Suppress unnecessary log messages during login (bsc#1190941).
scsi: qla2xxx: Sync queue idx with queue_pair_map idx (bsc#1190941).
scsi: qla2xxx: Update version to 10.02.06.100-k (bsc#1190941).
scsi: qla2xxx: Update version to 10.02.06.200-k (bsc#1190941).
scsi: qla2xxx: Update version to 10.02.07.100-k (bsc#1190941).
scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190941).
scsi: target: Fix the pgr/alua_support_store functions (git-fixes).
sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment (git-fixes).
spi: spi-nxp-fspi: do not depend on a specific node name erratum workaround (git-fixes).
swiotlb: add a IO_TLB_SIZE define (bsc#1191851).
swiotlb: clean up swiotlb_tbl_unmap_single (bsc#1191851).
swiotlb: do not modify orig_addr in swiotlb_tbl_sync_single (bsc#1191851).
swiotlb: factor out an io_tlb_offset helper (bsc#1191851).
swiotlb: factor out a nr_slots helper (bsc#1191851).
swiotlb: refactor swiotlb_tbl_map_single (bsc#1191851).
swiotlb: respect min_align_mask (bsc#1191851).
swiotlb: Split size parameter to map/unmap APIs (bsc#1191851).
tpm: Check for integer overflow in tpm2_map_response_body() (git-fixes).
tpm: ibmvtpm: Avoid error message when process gets signal while waiting (bsc#1065729).
Update patch reference for AMDGPU fix (bsc#1180749)
USB: cdc-acm: clean up probe error labels (git-fixes).
USB: cdc-acm: fix minor-number release (git-fixes).
usb: chipidea: ci_hdrc_imx: Also search for 'phys' phandle (git-fixes).
usb: hso: fix error handling code of hso_create_net_device (git-fixes).
usb: hso: remove the bailout parameter (git-fixes).
usb: musb: dsps: Fix the probe error path (git-fixes).
usbnet: fix error return code in usbnet_probe() (git-fixes).
usbnet: sanity check for maxpacket (git-fixes).
USB: serial: option: add prod. id for Quectel EG91 (git-fixes).
USB: serial: option: add Quectel EC200S-CN module support (git-fixes).
USB: serial: option: add Telit LE910Cx composition 0x1204 (git-fixes).
USB: serial: qcserial: add EM9191 QDL support (git-fixes).
USB: xhci: dbc: fix tty registration race (git-fixes).
video: fbdev: gbefb: Only instantiate device when built for IP32 (git-fixes).
virtio-gpu: fix possible memory allocation failure (git-fixes).
virtio: write back F_VERSION_1 before validate (git-fixes).
watchdog: orion: use 0 for unset heartbeat (git-fixes).
wcn36xx: Add ability for wcn36xx_smd_dump_cmd_req to pass two's complement (git-fixes).
wcn36xx: add proper DMA memory barriers in rx path (git-fixes).
wcn36xx: Fix HT40 capability for 2Ghz band (git-fixes).
x86/ioapic: Force affinity setup before startup (bsc#1152489).
x86/msi: Force affinity setup before startup (bsc#1152489).
x86/pat: Pass valid address to sanitize_phys() (bsc#1152489).
x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions (bsc#1152489).
x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails (bsc#1152489).
x86/sev: Return an error on a returned non-zero SW_EXITINFO1[31:0] (bsc#1178134).
xen: fix setting of max_pfn in shared_info (git-fixes).
xen: reset legacy rtc flag for PV domU (git-fixes).
xfs: do not allow log writes if the data device is readonly (bsc#1192229).
xfs: ensure that the inode uid/gid match values match the icdinode ones (bsc#1190006).
xfs: Fixed non-directory creation in SGID directories introduced by CVE-2018-13405 patch (bsc#1190006).
xfs: fix I_DONTCACHE (bsc#1192074).
xfs: fix log intent recovery ENOSPC shutdowns when inactivating inodes (bsc#1190642).
xfs: merge the projid fields in struct xfs_icdinode (bsc#1190006).
xfs: remove the icdinode di_uid/di_gid members (bsc#1190006).
xhci: Enable trust tx length quirk for Fresco FL11 USB controller (git-fixes).
xhci: Fix command ring pointer corruption while aborting a command (git-fixes).
xhci: guard accesses to ep_state in xhci_endpoint_reset() (git-fixes).

Advisory ID	SUSE-SU-2021:3941-1
Released	Mon Dec 6 14:45:20 2021
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1152489,1169263,1170269,1184924,1190523,1190795,1191790,1191961,1192045,1192217,1192273,1192328,1192375,1192473,1192718,1192740,1192745,1192750,1192753,1192758,1192781,1192802,1192896,1192906,1192918,CVE-2021-0941,CVE-2021-20322,CVE-2021-31916,CVE-2021-34981

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)

You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)

CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192045 ).
CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).

The following non-security bugs were fixed:

ABI: sysfs-kernel-slab: Document some stats (git-fixes).
ALSA: hda: fix general protection fault in azx_runtime_idle (git-fixes).
ALSA: hda: Free card instance properly at probe errors (git-fixes).
ALSA: usb-audio: Add Audient iD14 to mixer map quirk table (git-fixes).
ALSA: usb-audio: Add minimal-mute notion in dB mapping table (bsc#1192375).
ALSA: usb-audio: Add Schiit Hel device to mixer map quirk table (git-fixes).
ALSA: usb-audio: Fix dB level of Bose Revolve+ SoundLink (bsc#1192375).
ALSA: usb-audio: Use int for dB map values (bsc#1192375).
ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE (bsc#1192473).
auxdisplay: ht16k33: Connect backlight to fbdev (git-fixes).
auxdisplay: ht16k33: Fix frame buffer device blanking (git-fixes).
auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string (git-fixes).
bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22573)
bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22574)
bpf: Disallow unprivileged bpf by default (jsc#SLE-22573).
bpf: Disallow unprivileged bpf by default (jsc#SLE-22574).
bpf: Fix BPF_JIT kconfig symbol dependency (git-fixes jsc#SLE-22574).
bpf: Fix potential race in tail call compatibility check (git-fixes).
bpf, kconfig: Add consolidated menu entry for bpf with core options (jsc#SLE-22574).
btrfs: block-group: Rework documentation of check_system_chunk function (bsc#1192896).
btrfs: fix deadlock between chunk allocation and chunk btree modifications (bsc#1192896).
btrfs: fix memory ordering between normal and ordered work functions (git-fixes).
btrfs: update comments for chunk allocation -ENOSPC cases (bsc#1192896).
cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (git-fixes).
config: disable unprivileged BPF by default (jsc#SLE-22573) Backport of mainline commit 8a03e56b253e ('bpf: Disallow unprivileged bpf by default') only changes kconfig default, used e.g. for 'make oldconfig' when the config option is missing, but does not update our kernel configs used for build. Update also these to make sure unprivileged BPF is really disabled by default.
crypto: caam - disable pkc for non-E SoCs (git-fixes).
crypto: qat - detect PFVF collision after ACK (git-fixes).
crypto: qat - disregard spurious PFVF interrupts (git-fixes).
drm/i915: Introduce intel_hpd_hotplug_irqs() (bsc#1192758).
drm: prevent spectre issue in vmw_execbuf_ioctl (bsc#1192802).
EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell (bsc#1152489).
Eradicate Patch-mainline: No The pre-commit check can reject this deprecated tag then.
exfat: fix erroneous discard when clear cluster bit (git-fixes).
exfat: handle wrong stream entry size in exfat_readdir() (git-fixes).
exfat: properly set s_time_gran (bsc#1192328).
exfat: truncate atimes to 2s granularity (bsc#1192328).
Fix problem with missing installkernel on Tumbleweed.
fuse: fix page stealing (bsc#1192718).
gpio: mpc8xxx: Use 'devm_gpiochip_add_data()' to simplify the code and avoid a leak (git-fixes).
gpio/rockchip: add driver for rockchip gpio (bsc#1192217).
gpio/rockchip: drop irq_gc_lock/irq_gc_unlock for irq set type (bsc#1192217).
gpio/rockchip: extended debounce support is only available on v2 (bsc#1192217).
gpio/rockchip: fetch deferred output settings on probe (bsc#1192217).
gpio/rockchip: fix get_direction value handling (bsc#1192217).
gpio/rockchip: support next version gpio controller (bsc#1192217).
gpio/rockchip: use struct rockchip_gpio_regs for gpio controller (bsc#1192217).
HID: u2fzero: clarify error check and length calculations (git-fixes).
HID: u2fzero: properly handle timeouts in usb_submit_urb (git-fixes).
ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
ibmvnic: do not stop queue in xmit (bsc#1192273 ltc#194629).
ibmvnic: Process crqs after enabling interrupts (bsc#1192273 ltc#194629).
iio: dac: ad5446: Fix ad5622_write() return value (git-fixes).
Input: elantench - fix misreporting trackpoint coordinates (bsc#1192918).
kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
mm/hugetlb: initialize hugetlb_usage in mm_init (bsc#1192906).
Move upstreamed sound fix into sorted section
net: dsa: felix: re-enable TX flow control in ocelot_port_flush() (git-fixes).
net: mscc: ocelot: fix hardware timestamp dequeue logic.
net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb (git-fixes).
net/smc: Correct smc link connection counter in case of smc client (git-fixes).
net/smc: fix 'workqueue leaked lock' in smc_conn_abort_work (git-fixes).
ocfs2: do not zero pages beyond i_size (bsc#1190795).
ocfs2: fix data corruption on truncate (bsc#1190795).
PCI: aardvark: Do not clear status bits of masked interrupts (git-fixes).
PCI: aardvark: Do not spam about PIO Response Status (git-fixes).
PCI: aardvark: Do not unmask unused interrupts (git-fixes).
PCI: aardvark: Fix checking for link up via LTSSM state (git-fixes).
PCI: aardvark: Fix reporting Data Link Layer Link Active (git-fixes).
PCI: aardvark: Fix return value of MSI domain .alloc() method (git-fixes).
PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG (git-fixes).
PCI/ACPI: Check for _OSC support in acpi_pci_osc_control_set() (bsc#1169263).
PCI/ACPI: Clarify message about _OSC failure (bsc#1169263).
PCI/ACPI: Move _OSC query checks to separate function (bsc#1169263).
PCI/ACPI: Move supported and control calculations to separate functions (bsc#1169263).
PCI/ACPI: Remove OSC_PCI_SUPPORT_MASKS and OSC_PCI_CONTROL_MASKS (bsc#1169263).
PCI/ACPI: Remove unnecessary osc_lock (bsc#1169263).
PCI: pci-bridge-emul: Fix emulation of W1C bits (git-fixes).
PCI: uniphier: Serialize INTx masking/unmasking and fix the bit operation (git-fixes).
pinctrl: core: fix possible memory leak in pinctrl_enable() (git-fixes).
pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours (bsc#1192217).
pinctrl/rockchip: add a queue for deferred pin output settings on probe (bsc#1192217).
pinctrl/rockchip: add pinctrl device to gpio bank struct (bsc#1192217).
pinctrl: rockchip: add rk3308 SoC support (bsc#1192217).
pinctrl: rockchip: add support for rk3568 (bsc#1192217).
pinctrl/rockchip: always enable clock for gpio controller (bsc#1192217).
pinctrl: rockchip: clear int status when driver probed (bsc#1192217).
pinctrl: rockchip: create irq mapping in gpio_to_irq (bsc#1192217).
pinctrl: rockchip: do coding style for mux route struct (bsc#1192217).
pinctrl/rockchip: drop the gpio related codes (bsc#1192217).
pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq (bsc#1192217).
pinctrl: rockchip: make driver be tristate module (bsc#1192217).
pinctrl: rockchip: Replace HTTP links with HTTPS ones (bsc#1192217).
pinctrl: rockchip: return ENOMEM instead of EINVAL if allocation fails (bsc#1192217).
pinctrl/rockchip: separate struct rockchip_pin_bank to a head file (bsc#1192217).
power: supply: bq27xxx: Fix kernel crash on IRQ handler register error (git-fixes).
power: supply: max17042_battery: Prevent int underflow in set_soc_threshold (git-fixes).
power: supply: max17042_battery: use VFSOC for capacity when no rsns (git-fixes).
power: supply: rt5033-battery: Change voltage values to 5V (git-fixes).
printk/console: Allow to disable console output by using console='' or console=null (bsc#1192753).
printk: handle blank console arguments passed in (bsc#1192753).
qtnfmac: fix potential Spectre vulnerabilities (bsc#1192802).
r8152: add a helper function about setting EEE (git-fixes).
r8152: Add macpassthru support for ThinkPad Thunderbolt 3 Dock Gen 2 (git-fixes).
r8152: Disable PLA MCU clock speed down (git-fixes).
r8152: disable U2P3 for RTL8153B (git-fixes).
r8152: divide the tx and rx bottom functions (git-fixes).
r8152: do not enable U1U2 with USB_SPEED_HIGH for RTL8153B (git-fixes).
r8152: fix runtime resume for linking change (git-fixes).
r8152: replace array with linking list for rx information (git-fixes).
r8152: reset flow control patch when linking on for RTL8153B (git-fixes).
r8152: saving the settings of EEE (git-fixes).
r8152: separate the rx buffer size (git-fixes).
r8152: use alloc_pages for rx buffer (git-fixes).
random: fix crash on multiple early calls to add_bootloader_randomness() (bsc#1184924)
Revert 'ibmvnic: check failover_pending in login response' (bsc#1190523 ltc#194510).
Revert 'platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes' (git-fixes).
Revert 'r8152: adjust the settings about MAC clock speed down for RTL8153' (git-fixes).
Revert 'scsi: ufs: fix a missing check of devm_reset_control_get' (git-fixes).
Revert 'x86/kvm: fix vcpu-id indexed array sizes' (git-fixes).
rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request (git-fixes).
s390/dasd: fix use after free in dasd path handling (git-fixes).
s390/pci: fix use after free of zpci_dev (git-fixes).
s390/pci: fix zpci_zdev_put() on reserve (git-fixes).
s390/qeth: fix deadlock during failing recovery (git-fixes).
s390/qeth: Fix deadlock in remove_discipline (git-fixes).
s390/qeth: fix NULL deref in qeth_clear_working_pool_list() (git-fixes).
s390/topology: clear thread/group maps for offline cpus (git-fixes).
scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() (git-fixes).
scsi: BusLogic: Fix missing pr_cont() use (git-fixes).
scsi: core: Fix spelling in a source code comment (git-fixes).
scsi: csiostor: Add module softdep on cxgb4 (git-fixes).
scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() (git-fixes).
scsi: dc395: Fix error case unwinding (git-fixes).
scsi: fdomain: Fix error return code in fdomain_probe() (git-fixes).
scsi: FlashPoint: Rename si_flags field (git-fixes).
scsi: iscsi: Fix iface sysfs attr detection (git-fixes).
scsi: libsas: Use _safe() loop in sas_resume_port() (git-fixes).
scsi: mpt3sas: Fix error return value in _scsih_expander_add() (git-fixes).
scsi: qedf: Add pointer checks in qedf_update_link_speed() (git-fixes).
scsi: qedf: Fix error codes in qedf_alloc_global_queues() (git-fixes).
scsi: qedi: Fix error codes in qedi_alloc_global_queues() (git-fixes).
scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els() (git-fixes).
scsi: qla2xxx: Make sure that aborted commands are freed (git-fixes).
scsi: smartpqi: Fix an error code in pqi_get_raid_map() (git-fixes).
scsi: snic: Fix an error message (git-fixes).
scsi: ufs-pci: Add quirk for broken auto-hibernate for Intel EHL (git-fixes).
scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer (git-fixes).
serial: 8250_dw: Drop wrong use of ACPI_PTR() (git-fixes).
serial: xilinx_uartps: Fix race condition causing stuck TX (git-fixes).
staging: r8712u: fix control-message timeout (git-fixes).
staging: rtl8192u: fix control-message timeouts (git-fixes).
stmmac: platform: Fix signedness bug in stmmac_probe_config_dt() (git-fixes).
tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker together (bsc#1192745).
Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
Update config files: pull BPF configs together
usb: gadget: hid: fix error code in do_config() (git-fixes).
USB: iowarrior: fix control-message timeouts (git-fixes).
usb: max-3421: Use driver data instead of maintaining a list of bound devices (git-fixes).
usb: musb: Balance list entry in musb_gadget_queue (git-fixes).
USB: serial: keyspan: fix memleak on probe errors (git-fixes).
video: fbdev: chipsfb: use memset_io() instead of memset() (git-fixes).
x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c (bsc#1152489).
x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (git-fixes).
xen-pciback: Fix return in pm_ctrl_init() (git-fixes).
xen: Fix implicit type conversion (git-fixes).

Advisory ID	SUSE-SU-2021:3999-1
Released	Sun Dec 12 10:17:43 2021
Summary	Security update for log4j
Type	security
Severity	important
References	1193611,CVE-2021-44228

Description:

This update for log4j fixes the following issues:

CVE-2021-44228: Fix a remote code execution vulnerability that existed in the LDAP JNDI parser. [bsc#1193611, CVE-2021-44228]

Advisory ID	SUSE-RU-2021:4014-1
Released	Mon Dec 13 13:57:39 2021
Summary	Recommended update for apparmor
Type	recommended
Severity	moderate
References	1191532,1191690

Description:

This update for apparmor fixes the following issues:
Changes in apparmor:

Add a profile for 'samba-bgqd'. (bsc#1191532)
Fix 'Requires' of python3 module. (bsc#1191690)

Advisory ID	SUSE-SU-2021:4094-1
Released	Wed Dec 15 11:17:24 2021
Summary	Security update for log4j
Type	security
Severity	important
References	1193611,1193743,CVE-2021-44228,CVE-2021-45046

Description:

This update for log4j fixes the following issue:
CVE-2021-44228: The previously published fix by upstream turned out to be incomplete. Therefore, upstream has recommended disabling JNDI support in log4j by default to be completely sure that this vulnerability cannot be exploited.
This update implements that recommendation and disables JNDI support by default. [bsc#1193611, CVE-2021-44228]
CVE-2021-45046: A Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack is also fixed by disabling JNDI support by default (bsc#1193743)

Advisory ID	SUSE-SU-2021:4107-1
Released	Thu Dec 16 19:02:22 2021
Summary	Security update for log4j
Type	security
Severity	important
References	1193743,CVE-2021-44228,CVE-2021-45046

Description:

This update for log4j fixes the following issue:

Previously published fixes for log4jshell turned out to be incomplete. Upstream has followed up on the original patch for CVE-2021-44228 with several additional changes (LOG4J2-3198, LOG4J2-3201, LOG4J2-3208, and LOG4J2-3211) that are included in this update. Since the totality of those patches is pretty much equivalent to an update to the latest version of log4j, we did update the package's tarball from version 2.13.0 to 2.16.0 instead of trying to apply those patches to the old version. This change brings in a new dependency on 'jakarta-servlet' and a version update of 'disruptor'. [bsc#1193743, CVE-2021-45046]

Advisory ID	SUSE-SU-2021:4118-1
Released	Mon Dec 20 12:43:09 2021
Summary	Security update for log4j
Type	security
Severity	important
References	1193887,1193888,CVE-2021-45105

Description:

This update for log4j fixes the following issues:

Update to 2.17.0
CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation. (bsc#1193887, bsc#1193888)

Advisory ID	SUSE-SU-2021:4208-1
Released	Thu Dec 30 12:55:58 2021
Summary	Security update for log4j
Type	security
Severity	moderate
References	1194127,CVE-2021-44832

Description:

This update for log4j fixes the following issues:

CVE-2021-44832: Fixes a remote code execution via JDBC Appender (bsc#1194127)

Advisory ID	SUSE-RU-2022:47-1
Released	Tue Jan 11 09:11:59 2022
Summary	Recommended update for wsmancli
Type	recommended
Severity	moderate
References	1047218

Description:

This update for wsmancli fixes the following issues:

Add patch to have fixed build date (bsc#1047218)

Version 2.6.0 - add '-L locale' flag to specify request-locale

Update to version 2.5.0 - 'wsman -h' exits with zero - properties and selectors are kept sorted (requires Openwsman 2.5 now) - use API to set properties - exit with non-zero code if connection fails - add man pages (Kent Baxley) - add '--non-interactive' option to prevent asking for credentials in scripts - don't crash on filter parse error - remove -Q (don't send request) option - complain about bad filter expression - fix autotools build for MacOS - adapt to reduced libu exposure in openwsman - openwsman C++ bindings need libwsman_clientpp-devel now - add wseventmgr - fix the default port setting to match wsmc_create() call. Use https (port 5986) when CA info is set. - in debug mode, dump the complete response XML if it can't be parsed - fix '--sslkey' handling - add warning if ssl used without --cacert
Enhance enumerate with association filter to have the ability to specify the optional elements

Advisory ID	SUSE-feature-2022:122-1
Released	Tue Jan 18 17:56:11 2022
Summary	Feature update for zxing-cpp
Type	feature
Severity	moderate
References	1158377,1180479,1181915,1183655,1187982,1189813

Description:

This feature update for zxing-cpp fixes the following issues:
Update LibreOffice from version 7.1.4.2 to 7.2.3.2 (jsc#SLE-18214):

Fix UI scaling on HIDPI Wayland/KDE screens
Fix gtk popover usage on gtk 3.20 for SUSE Linux Enterprise 12
Fix inteaction between multi-column shape text and automatic height. (bsc#1187982)
Fix interaction of transparent cell fill and transparent shadow. (bsc#1189813)
Use external `poppler` version 21.01.0 (jsc#SLE-18214)
Use external `CMIS` version 0.5.2
Update external `boost` to version 1.75.0
Update external `pdfium` to version 4500
Update external `skia` to version `m90`
Do not use `qrcodegen-devel` but move to `zxing-cpp` (jsc#SLE-18214)
Keep upstream desktop file names (bsc#1183655)
Display math icon (bsc#1180479)
Source `profile.d/alljava.sh` from either `/etc` (if found) or `/usr/etc`.

Provide `zxing-cpp` 1.2.0 as new LibreOffice dependency. (jsc#SLE-18214)

Do not build examples to avoid a cycle with `QT5Multimedia`
Use `cmake3-full` package instead of `cmake` on SUSE Linux Enterprise 12
Do not build examples on SUSE Linux Enterprise 12
Only build blackbox tests on openSUSE Tumbleweed
New `BarcodeFormat`
New ZXingQtCamReader demo app based on `QtMultimedia` and `QtQuick`
New QRCode reader, faster and better support for rotated symbols
Add `Structured Append` support for `DataMatrix`, `Aztec` and `MaxiCode`
Add `DMRE` support for `DataMatrix`
Switch to the reimplemented 1D detectors, about 5x faster
Faster and more capable `isPure` detection for all 2D codes
20% faster `ReedSolomon` error correction.
`ReedSolomon` error detection code 2x speedup.
PDF417 is faster and supports flipped symbols
Reduced false positive rate for `UPC/EAN` barcodes and improved Add-On symbol handling
Fix country-code metadata decoding for UPC/EAN codes.
Proper ECI handling in all 2D barcodes
Add baselibs.conf
Many performance improvements for 1D readers
More meta-data exported when reading specific format
Improve DataMatrix encoder
Add interface to simplify basic usage
WASM API to support pixels array as input
`LuminanceSource` based API is now deprecated but still compiles.
New BarcodeFormats flag type to specify the set of barcodes to look for.
New simplified and consistent Python API
Slightly improved QRCode detection for rotated symbols.

Advisory ID	SUSE-SU-2022:131-1
Released	Wed Jan 19 17:30:58 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1139944,1151927,1152489,1153275,1154353,1154355,1161907,1164565,1166780,1169514,1176242,1176447,1176536,1176544,1176545,1176546,1176548,1176558,1176559,1176774,1176940,1176956,1177440,1178134,1178270,1179211,1179424,1179426,1179427,1179599,1181148,1181507,1181710,1182404,1183534,1183540,1183897,1184318,1185726,1185902,1186332,1187541,1189126,1189158,1191793,1191876,1192267,1192320,1192507,1192511,1192569,1192606,1192691,1192845,1192847,1192874,1192946,1192969,1192987,1192990,1192998,1193002,1193042,1193139,1193169,1193306,1193318,1193349,1193440,1193442,1193655,1193993,1194087,1194094,CVE-2020-24504,CVE-2020-27820,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-4001,CVE-2021-4002,CVE-2021-43975,CVE-2021-43976,CVE-2021-45485,CVE-2021-45486

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated

Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573) You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)

The following security bugs were fixed:

CVE-2021-45485: Fixed an information leak because of certain use of a hash table which use IPv6 source addresses. (bsc#1194094)
CVE-2021-45486: Fixed an information leak because the hash table is very small in net/ipv4/route.c. (bnc#1194087).
CVE-2021-4001: Fixed a race condition when the EBPF map is frozen. (bsc#1192990)
CVE-2021-28715: Fixed an issue where a guest could force Linux netback driver to hog large amounts of kernel memory by do not queueing unlimited number of packages. (bsc#1193442)
CVE-2021-28714: Fixed an issue where a guest could force Linux netback driver to hog large amounts of kernel memory by fixing rx queue stall detection. (bsc#1193442)
CVE-2021-28713: Fixed a rogue backends that could cause DoS of guests via high frequency events by hardening hvc_xen against event channel storms. (bsc#1193440)
CVE-2021-28712: Fixed a rogue backends that could cause DoS of guests via high frequency events by hardening netfront against event channel storms. (bsc#1193440)
CVE-2021-28711: Fixed a rogue backends that could cause DoS of guests via high frequency events by hardening blkfront against event channel storms. (bsc#1193440)
CVE-2020-24504: Fixed an uncontrolled resource consumption in some Intel(R) Ethernet E810 Adapter drivers that may have allowed an authenticated user to potentially enable denial of service via local access. (bnc#1182404)
CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (bnc#1192845)
CVE-2021-43976: Fixed a flaw that could allow an attacker (who can connect a crafted USB device) to cause a denial of service. (bnc#1192847)
CVE-2021-4002: Added a missing TLB flush that could lead to leak or corruption of data in hugetlbfs. (bsc#1192946)
CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau's postclose() handler could happen if removing device. (bnc#1179599)

The following non-security bugs were fixed:

ACPI: battery: Accept charges over the design capacity as full (git-fixes).
ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses (git-fixes).
ACPICA: Avoid evaluating methods too early during system resume (git-fixes).
Add SMB 2 support for getting and setting SACLs (bsc#1192606).
Add to supported.conf: fs/smbfs_common/cifs_arc4 fs/smbfs_common/cifs_md4
ALSA: ctxfi: Fix out-of-range access (git-fixes).
ALSA: gus: fix null pointer dereference on pointer block (git-fixes).
ALSA: hda: hdac_ext_stream: fix potential locking issues (git-fixes).
ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign() (git-fixes).
ALSA: hda/realtek: Add a quirk for Acer Spin SP513-54N (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS UX550VE (git-fixes).
ALSA: hda/realtek: Add quirk for Clevo PC70HS (git-fixes).
ALSA: hda/realtek: Add quirk for HP EliteBook 840 G7 mute LED (git-fixes).
ALSA: ISA: not for M68K (git-fixes).
ALSA: synth: missing check for possible NULL after the call to kstrdup (git-fixes).
ALSA: timer: Fix use-after-free problem (git-fixes).
ALSA: timer: Unconditionally unlink slave instances, too (git-fixes).
ALSA: usb-audio: Add registration quirk for JBL Quantum 400 (git-fixes).
ARM: 8970/1: decompressor: increase tag size (git-fixes).
ARM: 8974/1: use SPARSMEM_STATIC when SPARSEMEM is enabled (git-fixes)
ARM: 8986/1: hw_breakpoint: Do not invoke overflow handler on uaccess watchpoints (git-fixes)
ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT (git-fixes)
ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe (git-fixes)
ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores (git-fixes)
ARM: 9064/1: hw_breakpoint: Do not directly check the event's (git-fixes)
ARM: 9071/1: uprobes: Do not hook on thumb instructions (git-fixes)
ARM: 9081/1: fix gcc-10 thumb2-kernel regression (git-fixes)
ARM: 9091/1: Revert 'mm: qsd8x50: Fix incorrect permission faults' (git-fixes)
ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned (git-fixes)
ARM: 9134/1: remove duplicate memcpy() definition (git-fixes)
ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype (git-fixes)
ARM: 9141/1: only warn about XIP address when not compile testing (git-fixes)
ARM: 9155/1: fix early early_iounmap() (git-fixes)
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() (git-fixes)
ARM: at91: pm: of_node_put() after its usage (git-fixes)
ARM: at91: pm: use proper master clock register offset (git-fixes)
ARM: bcm: Select ARM_TIMER_SP804 for ARCH_BCM_NSP (git-fixes)
ARM: dts sunxi: Relax a bit the CMA pool allocation range (git-fixes)
ARM: dts: am335x-pocketbeagle: Fix mmc0 Write Protect (git-fixes)
ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema (git-fixes)
ARM: dts: am437x-idk-evm: Fix incorrect OPP node names (git-fixes)
ARM: dts: am437x-l4: fix typo in can@0 node (git-fixes)
ARM: dts: armada-38x: fix NETA lockup when repeatedly switching speeds (git-fixes)
ARM: dts: armada388-helios4: assign pinctrl to each fan (git-fixes)
ARM: dts: armada388-helios4: assign pinctrl to LEDs (git-fixes)
ARM: dts: aspeed: s2600wf: Fix VGA memory region location (git-fixes)
ARM: dts: aspeed: tiogapass: Remove vuart (git-fixes)
ARM: dts: at91-sama5d27_som1: fix phy address to 7 (git-fixes)
ARM: dts: at91: add pinctrl-{names, 0} for all gpios (git-fixes)
ARM: dts: at91: at91sam9rl: fix ADC triggers (git-fixes)
ARM: dts: at91: sama5d2_ptc_ek: fix sdmmc0 node description (git-fixes)
ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin (git-fixes)
ARM: dts: at91: sama5d2_xplained: classd: pull-down the R1 and R3 lines (git-fixes)
ARM: dts: at91: sama5d2: fix CAN message ram offset and size (git-fixes)
ARM: dts: at91: sama5d2: map securam as device (git-fixes)
ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host (git-fixes)
ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host (git-fixes)
ARM: dts: at91: sama5d4: fix pinctrl muxing (git-fixes)
ARM: dts: at91: tse850: the emaclt;->phy interface is rmii (git-fixes)
ARM: dts: bcm: HR2: Fix PPI interrupt types (git-fixes)
ARM: dts: bcm: HR2: Fixed QSPI compatible string (git-fixes)
ARM: dts: bcm2835-rpi-zero-w: Fix led polarity (git-fixes)
ARM: dts: BCM5301X: Add interrupt properties to GPIO node (git-fixes)
ARM: dts: BCM5301X: Fix I2C controller interrupt (git-fixes)
ARM: dts: BCM5301X: Fixed QSPI compatible string (git-fixes)
ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz (git-fixes)
ARM: dts: Configure missing thermal interrupt for 4430 (git-fixes)
ARM: dts: dra76x: Fix mmc3 max-frequency (git-fixes)
ARM: dts: dra76x: m_can: fix order of clocks (git-fixes)
ARM: dts: dra7xx-clocks: Fixup IPU1 mux clock parent source (git-fixes)
ARM: dts: exynos: correct fuel gauge interrupt trigger level on Midas (git-fixes)
ARM: dts: exynos: correct MUIC interrupt trigger level on Midas (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Midas (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Monk (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250 (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Snow (git-fixes)
ARM: dts: exynos: correct PMIC interrupt trigger level on Spring (git-fixes)
ARM: dts: exynos: Fix GPIO polarity for thr GalaxyS3 CM36651 sensor's bus (git-fixes)
ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1 (git-fixes)
ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 (git-fixes)
ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 (git-fixes)
ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU (git-fixes)
ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid (git-fixes)
ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on (git-fixes)
ARM: dts: Fix dcan driver probe failed on am437x platform (git-fixes)
ARM: dts: Fix duovero smsc interrupt for suspend (git-fixes)
ARM: dts: gemini-rut1xx: remove duplicate ethernet node (git-fixes)
ARM: dts: gose: Fix ports node name for adv7180 (git-fixes)
ARM: dts: gose: Fix ports node name for adv7612 (git-fixes)
ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells (git-fixes)
ARM: dts: imx: Fix USB host power regulator polarity on M53Menlo (git-fixes)
ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out (git-fixes)
ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries (git-fixes)
ARM: dts: imx50-evk: Fix the chip select 1 IOMUX (git-fixes)
ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces (git-fixes)
ARM: dts: imx6: phycore-som: fix arm and soc minimum voltage (git-fixes)
ARM: dts: imx6: phycore-som: fix emmc supply (git-fixes)
ARM: dts: imx6: Use gpc for FEC interrupt controller to fix wake on LAN (git-fixes)
ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties (git-fixes).
ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch (git-fixes)
ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection (git-fixes)
ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery (git-fixes)
ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators (git-fixes)
ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems (git-fixes)
ARM: dts: imx6q-dhcom: Fix ethernet reset time properties (git-fixes)
ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming (git-fixes)
ARM: dts: imx6qdl-gw551x: Do not use 'simple-audio-card,dai-link' (git-fixes)
ARM: dts: imx6qdl-gw551x: fix audio SSI (git-fixes)
ARM: dts: imx6qdl-icore: Fix OTG_ID pin and sdcard detect (git-fixes)
ARM: dts: imx6qdl-kontron-samx6i: fix i2c_lcd/cam default status (git-fixes)
ARM: dts: imx6qdl-kontron-samx6i: fix I2C_PM scl pin (git-fixes)
ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms (git-fixes)
ARM: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy (git-fixes)
ARM: dts: imx6sl: fix rng node (git-fixes)
ARM: dts: imx6sx-sabreauto: Fix the phy-mode on fec2 (git-fixes)
ARM: dts: imx6sx-sdb: Fix the phy-mode on fec2 (git-fixes)
ARM: dts: imx6sx: Add missing UART RTS/CTS pins mux (git-fixes)
ARM: dts: imx6sx: fix the pad QSPI1B_SCLK mux mode for uart3 (git-fixes)
ARM: dts: imx6sx: Improve UART pins macro defines (git-fixes)
ARM: dts: imx7-colibri: Fix frequency for sd/mmc (git-fixes)
ARM: dts: imx7-colibri: fix muxing of usbc_det pin (git-fixes)
ARM: dts: imx7-colibri: prepare module device tree for FlexCAN (git-fixes)
ARM: dts: imx7d-meerkat96: Fix the 'tuning-step' property (git-fixes)
ARM: dts: imx7d-pico: Fix the 'tuning-step' property (git-fixes)
ARM: dts: imx7d: Correct speed grading fuse settings (git-fixes)
ARM: dts: imx7d: fix opp-supported-hw (git-fixes)
ARM: dts: imx7ulp: Correct gpio ranges (git-fixes)
ARM: dts: logicpd-som-lv-baseboard: Fix broken audio (git-fixes)
ARM: dts: logicpd-som-lv-baseboard: Fix missing video (git-fixes)
ARM: dts: logicpd-torpedo-baseboard: Fix broken audio (git-fixes)
ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL (git-fixes)
ARM: dts: ls1021a: fix QuadSPI-memory reg range (git-fixes)
ARM: dts: ls1021a: Restore MDIO compatible to gianfar (git-fixes)
ARM: dts: meson: fix PHY deassert timing requirements (git-fixes)
ARM: dts: meson8: remove two invalid interrupt lines from the GPU (git-fixes)
ARM: dts: meson8: Use a higher default GPU clock frequency (git-fixes)
ARM: dts: meson8b: ec100: Fix the pwm regulator supply properties (git-fixes)
ARM: dts: meson8b: mxq: Fix the pwm regulator supply properties (git-fixes)
ARM: dts: meson8b: odroidc1: Fix the pwm regulator supply properties (git-fixes)
ARM: dts: mt7623: add missing pause for switchport (git-fixes)
ARM: dts: N900: fix onenand timings (git-fixes).
ARM: dts: NSP: Correct FA2 mailbox node (git-fixes)
ARM: dts: NSP: Disable PL330 by default, add dma-coherent property (git-fixes)
ARM: dts: NSP: Fixed QSPI compatible string (git-fixes)
ARM: dts: omap3-gta04a4: accelerometer irq fix (git-fixes)
ARM: dts: omap3430-sdp: Fix NAND device node (git-fixes)
ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers (git-fixes)
ARM: dts: oxnas: Fix clear-mask property (git-fixes)
ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard (git-fixes)
ARM: dts: qcom: apq8064: Use 27MHz PXO clock as DSI PLL reference (git-fixes)
ARM: dts: qcom: msm8974: Add xo_board reference clock to DSI0 PHY (git-fixes)
ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes (git-fixes)
ARM: dts: r8a73a4: Add missing CMT1 interrupts (git-fixes)
ARM: dts: r8a7740: Add missing extal2 to CPG node (git-fixes)
ARM: dts: r8a7779, marzen: Fix DU clock names (git-fixes)
ARM: dts: Remove non-existent i2c1 from 98dx3236 (git-fixes)
ARM: dts: renesas: Fix IOMMU device node names (git-fixes)
ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries (git-fixes)
ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema (git-fixes)
ARM: dts: socfpga: fix register entry for timer3 on Arria10 (git-fixes)
ARM: dts: stm32: fix a typo for DAC io-channel-cells on stm32f429 (git-fixes)
ARM: dts: stm32: fix a typo for DAC io-channel-cells on stm32h743 (git-fixes)
ARM: dts: sun6i: a31-hummingbird: Enable RGMII RX/TX delay on (git-fixes)
ARM: dts: sun7i: a20: bananapro: Fix ethernet phy-mode (git-fixes)
ARM: dts: sun7i: bananapi-m1-plus: Enable RGMII RX/TX delay on (git-fixes)
ARM: dts: sun7i: bananapi: Enable RGMII RX/TX delay on Ethernet PHY (git-fixes)
ARM: dts: sun7i: cubietruck: Enable RGMII RX/TX delay on Ethernet PHY (git-fixes)
ARM: dts: sun7i: pcduino3-nano: enable RGMII RX/TX delay on PHY (git-fixes)
ARM: dts: sun8i-a83t-tbs-a711: Fix USB OTG mode detection (git-fixes)
ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity (git-fixes)
ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY (git-fixes)
ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on (git-fixes)
ARM: dts: sun8i: r40: bananapi-m2-berry: Fix dcdc1 regulator (git-fixes)
ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator (git-fixes)
ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node (git-fixes)
ARM: dts: sun8i: r40: Move AHCI device node based on address order (git-fixes)
ARM: dts: sun8i: v3s: fix GIC node memory range (git-fixes)
ARM: dts: sun8i: v40: bananapi-m2-berry: Fix ethernet node (git-fixes)
ARM: dts: sun9i: Enable both RGMII RX/TX delay on Ethernet PHY (git-fixes)
ARM: dts: sunxi: bananapi-m2-plus-v1.2: Fix CPU supply voltages (git-fixes)
ARM: dts: sunxi: bananapi-m2-plus: Enable RGMII RX/TX delay on (git-fixes)
ARM: dts: sunxi: Fix DE2 clocks register range (git-fixes)
ARM: dts: turris-omnia: add comphy handle to eth2 (git-fixes)
ARM: dts: turris-omnia: add SFP node (git-fixes)
ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin (git-fixes)
ARM: dts: turris-omnia: describe switch interrupt (git-fixes)
ARM: dts: turris-omnia: enable HW buffer management (git-fixes)
ARM: dts: turris-omnia: fix hardware buffer management (git-fixes)
ARM: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins (git-fixes)
ARM: dts: uniphier: Set SCSSI clock and reset IDs for each channel (git-fixes).
ARM: dts: vf610-zii-dev-rev-b: Remove #address-cells and #size-cells (git-fixes)
ARM: dts: vfxxx: Add syscon compatible with OCOTP (git-fixes)
ARM: exynos: add missing of_node_put for loop iteration (git-fixes)
ARM: exynos: MCPM: Restore big.LITTLE cpuidle support (git-fixes)
ARM: footbridge: fix PCI interrupt mapping (git-fixes)
ARM: imx: add missing clk_disable_unprepare() (git-fixes)
ARM: imx: add missing iounmap() (git-fixes)
ARM: imx: build suspend-imx6.S with arm instruction set (git-fixes)
ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init (git-fixes)
ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() (git-fixes)
ARM: imx6: disable the GIC CPU interface before calling stby-poweroff (git-fixes)
ARM: mvebu: drop pointless check for coherency_base (git-fixes)
ARM: OMAP2+: Fix legacy mode dss_reset (git-fixes)
ARM: OMAP2+: omap_device: fix idling of devices during probe (git-fixes)
ARM: OMAP2+: pm33xx-core: Make am43xx_get_rtc_base_addr static (git-fixes)
ARM: p2v: fix handling of LPAE translation in BE mode (git-fixes)
ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() (git-fixes)
ARM: s3c24xx: fix missing system reset (git-fixes)
ARM: s3c24xx: fix mmc gpio lookup tables (git-fixes)
ARM: samsung: do not build plat/pm-common for Exynos (git-fixes)
ARM: samsung: fix PM debug build with DEBUG_LL but !MMU (git-fixes)
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh() (git-fixes)
ASoC: DAPM: Cover regression by kctl change notification fix (git-fixes).
ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect (git-fixes).
ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer (git-fixes).
ASoC: SOF: Intel: hda-dai: fix potential locking issue (git-fixes).
ASoC: topology: Add missing rwsem around snd_ctl_remove() calls (git-fixes).
ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() (git-fixes).
ath10k: fix invalid dma_addr_t token assignment (git-fixes).
ath10k: high latency fixes for beacon buffer (git-fixes).
Bbluetooth: btusb: Add another Bluetooth part for Realtek 8852AE (bsc#1193655).
bfq: Limit number of requests consumed by each cgroup (bsc#1184318).
bfq: Store full bitmap depth in bfq_data (bsc#1184318).
bfq: Track number of allocated requests in bfq_entity (bsc#1184318).
block: Fix use-after-free issue accessing struct io_cq (bsc#1193042).
block: Provide blk_mq_sched_get_icq() (bsc#1184318).
Bluetooth: Add additional Bluetooth part for Realtek 8852AE (bsc#1193655).
Bluetooth: btrtl: Refine the ic_id_table for clearer and more regular (bsc#1193655).
Bluetooth: btusb: Add the more support IDs for Realtek RTL8822CE (bsc#1193655).
Bluetooth: btusb: Add the new support ID for Realtek RTL8852A (bsc#1193655).
Bluetooth: btusb: btrtl: Add support for RTL8852A (bsc#1193655).
Bluetooth: fix use-after-free error in lock_sock_nested() (git-fixes).
bnxt_en: reject indirect blk offload when hw-tc-offload is off (jsc#SLE-8372 bsc#1153275).
bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed (git-fixes).
bpf, arm: Fix register clobbering in div/mod implementation (git-fixes)
bpf, s390: Fix potential memory leak about jit_data (git-fixes).
bpf, x86: Fix 'no previous prototype' warning (git-fixes).
brcmfmac: Add DMI nvram filename quirk for Cyberbook T116 tablet (git-fixes).
btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums (bsc#1193002).
btrfs: fix fsync failure and transaction abort after writes to prealloc extents (bsc#1193002).
btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction (bsc#1192998).
btrfs: fix race causing unnecessary inode logging during link and rename (bsc#1192998).
btrfs: make checksum item extension more efficient (bsc#1193002).
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type (git-fixes).
cifs use true,false for bool variable (bsc#1164565).
cifs_atomic_open(): fix double-put on late allocation failure (bsc#1192606).
cifs_debug: use %pd instead of messing with ->d_name (bsc#1192606).
cifs: add a debug macro that prints \\server\share for errors (bsc#1164565).
cifs: add a function to get a cached dir based on its dentry (bsc#1192606).
cifs: add a helper to find an existing readable handle to a file (bsc#1154355).
cifs: add a timestamp to track when the lease of the cached dir was taken (bsc#1192606).
cifs: add an smb3_fs_context to cifs_sb (bsc#1192606).
cifs: add FALLOC_FL_INSERT_RANGE support (bsc#1192606).
cifs: add files to host new mount api (bsc#1192606).
cifs: add fs_context param to parsing helpers (bsc#1192606).
cifs: Add get_security_type_str function to return sec type (bsc#1192606).
cifs: add initial reconfigure support (bsc#1192606).
cifs: add missing mount option to /proc/mounts (bsc#1164565).
cifs: add missing parsing of backupuid (bsc#1192606).
cifs: Add missing sentinel to smb3_fs_parameters (bsc#1192606).
cifs: add mount parameter tcpnodelay (bsc#1192606).
cifs: add multichannel mount options and data structs (bsc#1192606).
cifs: add new debugging macro cifs_server_dbg (bsc#1164565).
cifs: Add new mount parameter 'acdirmax' to allow caching directory metadata (bsc#1192606).
cifs: Add new parameter 'acregmax' for distinct file and directory metadata timeout (bsc#1192606).
cifs: add NULL check for ses->tcon_ipc (bsc#1178270).
cifs: add passthrough for smb2 setinfo (bsc#1164565).
cifs: add server param (bsc#1192606).
cifs: add shutdown support (bsc#1192606).
cifs: add smb2 POSIX info level (bsc#1164565).
cifs: add SMB2_open() arg to return POSIX data (bsc#1164565).
cifs: add SMB3 change notification support (bsc#1164565).
cifs: add support for FALLOC_FL_COLLAPSE_RANGE (bsc#1192606).
cifs: add support for fallocate mode 0 for non-sparse files (bsc#1164565).
cifs: add support for flock (bsc#1164565).
cifs: Add support for setting owner info, dos attributes, and create time (bsc#1164565).
cifs: Add tracepoints for errors on flush or fsync (bsc#1164565).
cifs: Add witness information to debug data dump (bsc#1192606).
cifs: add witness mount option and data structs (bsc#1192606).
cifs: added WARN_ON for all the count decrements (bsc#1192606).
cifs: Adjust indentation in smb2_open_file (bsc#1164565).
cifs: Adjust key sizes and key generation routines for AES256 encryption (bsc#1192606).
cifs: allocate buffer in the caller of build_path_from_dentry() (bsc#1192606).
cifs: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1192606).
cifs: Allocate encryption header through kmalloc (bsc#1192606).
cifs: allow chmod to set mode bits using special sid (bsc#1164565).
cifs: allow syscalls to be restarted in __smb_send_rqst() (bsc#1176956).
cifs: allow unlock flock and OFD lock across fork (bsc#1192606).
cifs: Always update signing key of first channel (bsc#1192606).
cifs: ask for more credit on async read/write code paths (bsc#1192606).
cifs: Assign boolean values to a bool variable (bsc#1192606).
cifs: Avoid doing network I/O while holding cache lock (bsc#1164565).
cifs: Avoid error pointer dereference (bsc#1192606).
cifs: avoid extra calls in posix_info_parse (bsc#1192606).
cifs: Avoid field over-reading memcpy() (bsc#1192606).
cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
cifs: avoid using MID 0xFFFF (bnc#1151927 5.3.8).
cifs: call wake_up(server->response_q) inside of cifs_reconnect() (bsc#1164565).
cifs: change confusing field serverName (to ip_addr) (bsc#1192606).
cifs: change format of CIFS_FULL_KEY_DUMP ioctl (bsc#1192606).
cifs: change noisy error message to FYI (bsc#1181507).
cifs: Change SIDs in ACEs while transferring file ownership (bsc#1192606).
cifs: check all path components in resolved dfs target (bsc#1181710).
cifs: check new file size when extending file by fallocate (bsc#1192606).
cifs: check pointer before freeing (bsc#1183534).
cifs: check the timestamp for the cached dirent when deciding on revalidate (bsc#1192606).
cifs: cifs_md4 convert to SPDX identifier (bsc#1192606).
cifs: cifspdu.h: Replace one-element array with flexible-array member (bsc#1192606).
cifs: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1192606).
cifs: cifsssmb: remove redundant assignment to variable ret (bsc#1164565).
cifs: clarify comment about timestamp granularity for old servers (bsc#1192606).
cifs: clarify hostname vs ip address in /proc/fs/cifs/DebugData (bsc#1192606).
cifs: Clarify SMB1 code for delete (bsc#1192606).
cifs: Clarify SMB1 code for POSIX Create (bsc#1192606).
cifs: Clarify SMB1 code for POSIX delete file (bsc#1192606).
cifs: Clarify SMB1 code for POSIX Lock (bsc#1192606).
cifs: Clarify SMB1 code for rename open file (bsc#1192606).
cifs: Clarify SMB1 code for SetFileSize (bsc#1192606).
cifs: clarify SMB1 code for UnixCreateHardLink (bsc#1192606).
cifs: Clarify SMB1 code for UnixCreateSymLink (bsc#1192606).
cifs: Clarify SMB1 code for UnixSetPathInfo (bsc#1192606).
cifs: Clean up DFS referral cache (bsc#1164565).
cifs: cleanup a few le16 vs. le32 uses in cifsacl.c (bsc#1192606).
cifs: cleanup misc.c (bsc#1192606).
cifs: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1192606).
cifs: Close cached root handle only if it had a lease (bsc#1164565).
cifs: Close open handle after interrupted close (bsc#1164565).
cifs: close the shared root handle on tree disconnect (bsc#1164565).
cifs: compute full_path already in cifs_readdir() (bsc#1192606).
cifs: connect individual channel servers to primary channel server (bsc#1192606).
cifs: connect: style: Simplify bool comparison (bsc#1192606).
cifs: constify get_normalized_path() properly (bsc#1185902).
cifs: constify path argument of ->make_node() (bsc#1192606).
cifs: constify pathname arguments in a bunch of helpers (bsc#1192606).
cifs: Constify static struct genl_ops (bsc#1192606).
cifs: convert list_for_each to entry variant (bsc#1192606, jsc#SLE-20042).
cifs: convert list_for_each to entry variant in cifs_debug.c (bsc#1192606).
cifs: convert list_for_each to entry variant in smb2misc.c (bsc#1192606).
cifs: convert revalidate of directories to using directory metadata cache timeout (bsc#1192606).
cifs: convert to use be32_add_cpu() (bsc#1192606).
cifs: Convert to use the fallthrough macro (bsc#1192606).
cifs: correct comments explaining internal semaphore usage in the module (bsc#1192606).
cifs: correct four aliased mount parms to allow use of previous names (bsc#1192606).
cifs: create a helper function to parse the query-directory response buffer (bsc#1164565).
cifs: create a helper to find a writeable handle by path name (bsc#1154355).
cifs: create a MD4 module and switch cifs.ko to use it (bsc#1192606).
cifs: Create a new shared file holding smb2 pdu definitions (bsc#1192606).
cifs: create sd context must be a multiple of 8 (bsc#1192606).
cifs: Deal with some warnings from W=1 (bsc#1192606).
cifs: Delete a stray unlock in cifs_swn_reconnect() (bsc#1192606).
cifs: delete duplicated words in header files (bsc#1192606).
cifs: detect dead connections only when echoes are enabled (bsc#1192606).
cifs: Display local UID details for SMB sessions in DebugData (bsc#1192606).
cifs: do d_move in rename (bsc#1164565).
cifs: do not allow changing posix_paths during remount (bsc#1192606).
cifs: do not cargo-cult strndup() (bsc#1185902).
cifs: do not create a temp nls in cifs_setup_ipc (bsc#1192606).
cifs: do not disable noperm if multiuser mount option is not provided (bsc#1192606).
cifs: Do not display RDMA transport on reconnect (bsc#1164565).
cifs: do not duplicate fscache cookie for secondary channels (bsc#1192606).
cifs: do not fail __smb_send_rqst if non-fatal signals are pending (git-fixes).
cifs: do not ignore the SYNC flags in getattr (bsc#1164565).
cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1164565).
cifs: Do not leak EDEADLK to dgetents64 for STATUS_USER_SESSION_DELETED (bsc#1192606).
cifs: Do not miss cancelled OPEN responses (bsc#1164565).
cifs: do not negotiate session if session already exists (bsc#1192606).
cifs: do not send close in compound create+close requests (bsc#1181507).
cifs: do not send tree disconnect to ipc shares (bsc#1185902).
cifs: do not share tcons with DFS (bsc#1178270).
cifs: do not share tcp servers with dfs mounts (bsc#1185902).
cifs: do not share tcp sessions of dfs connections (bsc#1185902).
cifs: do not use 'pre:' for MODULE_SOFTDEP (bsc#1164565).
cifs: Do not use iov_iter::type directly (bsc#1192606).
cifs: Do not use the original cruid when following DFS links for multiuser mounts (bsc#1192606).
cifs: document and cleanup dfs mount (bsc#1178270).
cifs: dump channel info in DebugData (bsc#1192606).
cifs: dump Security Type info in DebugData (bsc#1192606).
cifs: dump the session id and keys also for SMB2 sessions (bsc#1192606).
cifs: enable change notification for SMB2.1 dialect (bsc#1164565).
cifs: enable extended stats by default (bsc#1192606).
cifs: Enable sticky bit with cifsacl mount option (bsc#1192606).
cifs: ensure correct super block for DFS reconnect (bsc#1178270).
cifs: escape spaces in share names (bsc#1192606).
cifs: export supported mount options via new mount_params /proc file (bsc#1192606).
cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1164565).
cifs: fiemap: do not return EINVAL if get nothing (bsc#1192606).
cifs: fix a comment for the timeouts when sending echos (bsc#1164565).
cifs: fix a memleak with modefromsid (bsc#1192606).
cifs: fix a sign extension bug (bsc#1192606).
cifs: fix a white space issue in cifs_get_inode_info() (bsc#1164565).
cifs: fix allocation size on newly created files (bsc#1192606).
cifs: Fix an error pointer dereference in cifs_mount() (bsc#1178270).
cifs: Fix atime update check vs mtime (bsc#1164565).
cifs: Fix bug which the return value by asynchronous read is error (bsc#1192606).
cifs: Fix cached_fid refcnt leak in open_shroot (bsc#1192606).
cifs: fix channel signing (bsc#1192606).
cifs: fix check of dfs interlinks (bsc#1185902).
cifs: fix check of tcon dfs in smb1 (bsc#1178270).
cifs: Fix chmod with modefromsid when an older ACE already exists (bsc#1192606).
cifs: fix chown and chgrp when idsfromsid mount option enabled (bsc#1192606).
cifs: Fix cifsacl ACE mask for group and others (bsc#1192606).
cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (bnc#1151927 5.3.10).
cifs: fix credit accounting for extra channel (bsc#1192606).
cifs: fix dereference on ses before it is null checked (bsc#1164565).
cifs: fix dfs domain referrals (bsc#1192606).
cifs: fix DFS failover (bsc#1192606).
cifs: fix DFS mount with cifsacl/modefromsid (bsc#1178270).
cifs: fix dfs-links (bsc#1192606).
cifs: fix doc warnings in cifs_dfs_ref.c (bsc#1192606).
cifs: Fix double add page to memcg when cifs_readpages (bsc#1192606).
cifs: fix double free error on share and prefix (bsc#1178270).
cifs: Fix fall-through warnings for Clang (bsc#1192606).
cifs: fix fallocate when trying to allocate a hole (bsc#1192606).
cifs: fix gcc warning in sid_to_id (bsc#1192606).
cifs: fix handling of escaped ',' in the password mount argument (bsc#1192606).
cifs: Fix in error types returned for out-of-credit situations (bsc#1192606).
cifs: Fix incomplete memory allocation on setxattr path (bsc#1179211).
cifs: Fix inconsistent indenting (bsc#1192606).
cifs: Fix inconsistent IS_ERR and PTR_ERR (bsc#1192606).
cifs: fix incorrect check for null pointer in header_assemble (bsc#1192606).
cifs: fix incorrect kernel doc comments (bsc#1192606).
cifs: fix interrupted close commands (git-fixes).
cifs: fix ipv6 formating in cifs_ses_add_channel (bsc#1192606).
cifs: fix leak in cifs_smb3_do_mount() ctx (bsc#1192606).
cifs: Fix leak when handling lease break for cached root fid (bsc#1176242).
cifs: fix leaked reference on requeued write (bsc#1178270).
cifs: Fix lookup of root ses in DFS referral cache (bsc#1164565).
cifs: Fix lookup of SMB connections on multichannel (bsc#1192606).
cifs: fix max ea value size (bnc#1151927 5.3.4).
cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1164565).
cifs: fix memory leak in smb2_copychunk_range (git-fixes).
cifs: fix memory leak of smb3_fs_context_dup::server_hostname (bsc#1192606).
cifs: fix minor typos in comments and log messages (bsc#1192606).
cifs: Fix missed free operations (bnc#1151927 5.3.8).
cifs: fix missing null session check in mount (bsc#1192606).
cifs: fix missing spinlock around update to ses->status (bsc#1192606).
cifs: fix misspellings using codespell tool (bsc#1192606).
cifs: fix mode bits from dir listing when mounted with modefromsid (bsc#1164565).
cifs: Fix mode output in debugging statements (bsc#1164565).
cifs: fix mount option display for sec=krb5i (bsc#1161907).
cifs: Fix mount options set in automount (bsc#1164565).
cifs: fix mounts to subdirectories of target (bsc#1192606).
cifs: fix nodfs mount option (bsc#1181710).
cifs: fix NULL dereference in match_prepath (bsc#1164565).
cifs: fix NULL dereference in smb2_check_message() (bsc#1192606).
cifs: Fix null pointer check in cifs_read (bsc#1192606).
cifs: Fix NULL pointer dereference in mid callback (bsc#1164565).
cifs: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bnc#1151927 5.3.16).
cifs: Fix oplock handling for SMB 2.1+ protocols (bnc#1151927 5.3.4).
cifs: fix out-of-bound memory access when calling smb3_notify() at mount point (bsc#1192606).
cifs: fix path comparison and hash calc (bsc#1185902).
cifs: fix possible uninitialized access and race on iface_list (bsc#1192606).
cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1164565).
cifs: fix potential mismatch of UNC paths (bsc#1164565).
cifs: Fix potential softlockups while refreshing DFS cache (bsc#1164565).
cifs: fix potential use-after-free bugs (bsc#1192606, jsc#SLE-20042).
cifs: fix potential use-after-free in cifs_echo_request() (bsc#1139944).
cifs: Fix preauth hash corruption (git-fixes).
cifs: fix print of hdr_flags in dfscache_proc_show() (bsc#1192606, jsc#SLE-20042).
cifs: fix reference leak for tlink (bsc#1192606).
cifs: fix regression when mounting shares with prefix paths (bsc#1192606).
cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1164565).
cifs: Fix resource leak (bsc#1192606).
cifs: Fix retrieval of DFS referrals in cifs_mount() (bsc#1164565).
cifs: Fix retry mid list corruption on reconnects (bnc#1151927 5.3.10).
cifs: Fix return value in __update_cache_entry (bsc#1164565).
cifs: fix rsize/wsize to be negotiated values (bsc#1192606).
cifs: fix SMB1 error path in cifs_get_file_info_unix (bsc#1192606).
cifs: Fix SMB2 oplock break processing (bsc#1154355 bnc#1151927 5.3.16).
cifs: fix soft mounts hanging in the reconnect code (bsc#1164565).
cifs: fix soft mounts hanging in the reconnect code (bsc#1164565).
cifs: Fix some error pointers handling detected by static checker (bsc#1192606).
cifs: Fix spelling of 'security' (bsc#1192606).
cifs: fix string declarations and assignments in tracepoints (bsc#1192606).
cifs: Fix support for remount when not changing rsize/wsize (bsc#1192606).
cifs: Fix task struct use-after-free on reconnect (bsc#1164565).
cifs: fix the out of range assignment to bit fields in parse_server_interfaces (bsc#1192606).
cifs: Fix the target file was deleted when rename failed (bsc#1192606).
cifs: fix trivial typo (bsc#1192606).
cifs: fix uninitialised lease_key in open_shroot() (bsc#1178270).
cifs: fix uninitialized variable in smb3_fs_context_parse_param (bsc#1192606).
cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1164565).
cifs: Fix unix perm bits to cifsacl conversion for 'other' bits (bsc#1192606).
cifs: fix unneeded null check (bsc#1192606).
cifs: fix use after free in cifs_smb3_do_mount() (bsc#1192606).
cifs: Fix use after free of file info structures (bnc#1151927 5.3.8).
cifs: Fix use-after-free bug in cifs_reconnect() (bsc#1164565).
cifs: fix wrong release in sess_alloc_buffer() failed path (bsc#1192606).
cifs: for compound requests, use open handle if possible (bsc#1192606).
cifs: Force reval dentry if LOOKUP_REVAL flag is set (bnc#1151927 5.3.7).
cifs: Force revalidate inode when dentry is stale (bnc#1151927 5.3.7).
cifs: fork arc4 and create a separate module for it for cifs and other users (bsc#1192606).
cifs: get mode bits from special sid on stat (bsc#1164565).
cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
cifs: get rid of cifs_sb->mountdata (bsc#1192606).
cifs: Get rid of kstrdup_const()'d paths (bsc#1164565).
cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1178270).
cifs: Grab a reference for the dentry of the cached directory during the lifetime of the cache (bsc#1192606).
cifs: Gracefully handle QueryInfo errors during open (bnc#1151927 5.3.7).
cifs: handle -EINTR in cifs_setattr (bsc#1192606).
cifs: handle 'guest' mount parameter (bsc#1192606).
cifs: handle 'nolease' option for vers=1.0 (bsc#1192606).
cifs: handle different charsets in dfs cache (bsc#1185902).
cifs: handle empty list of targets in cifs_reconnect() (bsc#1178270).
cifs: handle hostnames that resolve to same ip in failover (bsc#1178270).
cifs: handle prefix paths in reconnect (bsc#1164565).
cifs: handle reconnect of tcon when there is no cached dfs referral (bsc#1192606).
cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1178270).
cifs: Handle witness client move notification (bsc#1192606).
cifs: have ->mkdir() handle race with another client sanely (bsc#1192606).
cifs: have cifs_fattr_to_inode() refuse to change type on live inode (bsc#1192606).
cifs: Identify a connection by a conn_id (bsc#1192606).
cifs: If a corrupted DACL is returned by the server, bail out (bsc#1192606).
cifs: ignore auto and noauto options if given (bsc#1192606).
cifs: ignore cached share root handle closing errors (bsc#1166780).
cifs: improve fallocate emulation (bsc#1192606).
cifs: improve read performance for page size 64KB cache=strict vers=2.1+ (bsc#1192606).
cifs: In the new mount api we get the full devname as source= (bsc#1192606).
cifs: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1192606).
cifs: Initialize filesystem timestamp ranges (bsc#1164565).
cifs: introduce cifs_ses_mark_for_reconnect() helper (bsc#1192606).
cifs: introduce helper for finding referral server (bsc#1181710).
cifs: Introduce helpers for finding TCP connection (bsc#1164565).
cifs: introduce new helper for cifs_reconnect() (bsc#1192606, jsc#SLE-20042).
cifs: keep referral server sessions alive (bsc#1185902).
cifs: log mount errors using cifs_errorf() (bsc#1192606).
cifs: log warning message (once) if out of disk space (bsc#1164565).
cifs: make build_path_from_dentry() return const char * (bsc#1192606).
cifs: make const array static, makes object smaller (bsc#1192606).
cifs: Make extract_hostname function public (bsc#1192606).
cifs: Make extract_sharename function public (bsc#1192606).
cifs: make fs_context error logging wrapper (bsc#1192606).
cifs: make locking consistent around the server session status (bsc#1192606).
cifs: make multichannel warning more visible (bsc#1192606).
cifs: Make SMB2_notify_init static (bsc#1164565).
cifs: make sure we do not overflow the max EA buffer size (bsc#1164565).
cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1164565).
cifs: map STATUS_ACCOUNT_LOCKED_OUT to -EACCES (bsc#1192606).
cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#1178270).
cifs: Merge is_path_valid() into get_normalized_path() (bsc#1164565).
cifs: minor fix to two debug messages (bsc#1192606).
cifs: minor kernel style fixes for comments (bsc#1192606).
cifs: minor simplification to smb2_is_network_name_deleted (bsc#1192606).
cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1192606).
cifs: minor updates to Kconfig (bsc#1192606).
cifs: misc: Use array_size() in if-statement controlling expression (bsc#1192606).
cifs: missed ref-counting smb session in find (bsc#1192606).
cifs: missing null check for newinode pointer (bsc#1192606).
cifs: missing null pointer check in cifs_mount (bsc#1185902).
cifs: modefromsid: make room for 4 ACE (bsc#1164565).
cifs: modefromsid: write mode ACE first (bsc#1164565).
cifs: move [brw]size from cifs_sb to cifs_sb->ctx (bsc#1192606).
cifs: move cache mount options to fs_context.ch (bsc#1192606).
cifs: move cifs_cleanup_volume_info[_content] to fs_context.c (bsc#1192606).
cifs: move cifs_parse_devname to fs_context.c (bsc#1192606).
cifs: move cifsFileInfo_put logic into a work-queue (bsc#1154355).
cifs: move debug print out of spinlock (bsc#1192606).
cifs: Move more definitions into the shared area (bsc#1192606).
cifs: move NEGOTIATE_PROTOCOL definitions out into the common area (bsc#1192606).
cifs: move security mount options into fs_context.ch (bsc#1192606).
cifs: move SMB FSCTL definitions to common code (bsc#1192606).
cifs: move smb version mount options into fs_context.c (bsc#1192606).
cifs: Move SMB2_Create definitions to the shared area (bsc#1192606).
cifs: move some variables off the stack in smb2_ioctl_query_info (bsc#1192606).
cifs: move the check for nohandlecache into open_shroot (bsc#1192606).
cifs: move the enum for cifs parameters into fs_context.h (bsc#1192606).
cifs: move update of flags into a separate function (bsc#1192606).
cifs: multichannel: always zero struct cifs_io_parms (bsc#1192606).
cifs: multichannel: move channel selection above transport layer (bsc#1192606).
cifs: multichannel: move channel selection in function (bsc#1192606).
cifs: multichannel: try to rebind when reconnecting a channel (bsc#1192606).
cifs: multichannel: use pointer for binding channel (bsc#1192606).
cifs: mute -Wunused-const-variable message (bnc#1151927 5.3.9).
cifs: New optype for session operations (bsc#1181507).
cifs: nosharesock should be set on new server (bsc#1192606).
cifs: nosharesock should not share socket with future sessions (bsc#1192606).
cifs: On cifs_reconnect, resolve the hostname again (bsc#1192606).
cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#1178270).
cifs: only write 64kb at a time when fallocating a small region of a file (bsc#1192606).
cifs: Optimize readdir on reparse points (bsc#1164565).
cifs: pass a path to open_shroot and check if it is the root or not (bsc#1192606).
cifs: pass the dentry instead of the inode down to the revalidation check functions (bsc#1192606).
cifs: plumb smb2 POSIX dir enumeration (bsc#1164565).
cifs: populate server_hostname for extra channels (bsc#1192606).
cifs: potential unintitliazed error code in cifs_getattr() (bsc#1164565).
cifs: prepare SMB2_Flush to be usable in compounds (bsc#1154355).
cifs: prepare SMB2_query_directory to be used with compounding (bsc#1164565).
cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
cifs: prevent truncation from long to int in wait_for_free_credits (bsc#1192606).
cifs: print MIDs in decimal notation (bsc#1181507).
cifs: Print the address and port we are connecting to in generic_ip_connect() (bsc#1192606).
cifs: print warning mounting with vers=1.0 (bsc#1164565).
cifs: properly invalidate cached root handle when closing it (bsc#1192606).
cifs: Properly process SMB3 lease breaks (bsc#1164565).
cifs: protect session channel fields with chan_lock (bsc#1192606).
cifs: protect srv_count with cifs_tcp_ses_lock (bsc#1192606).
cifs: protect updating server->dstaddr with a spinlock (bsc#1192606).
cifs: Re-indent cifs_swn_reconnect() (bsc#1192606).
cifs: reduce number of referral requests in DFS link lookups (bsc#1178270).
cifs: reduce stack use in smb2_compound_op (bsc#1192606).
cifs: refactor cifs_get_inode_info() (bsc#1164565).
cifs: refactor create_sd_buf() and and avoid corrupting the buffer (bsc#1192606).
cifs: Reformat DebugData and index connections by conn_id (bsc#1192606).
cifs: Register generic netlink family (bsc#1192606). Update configs with CONFIG_SWN_UPCALL unset.
cifs: release lock earlier in dequeue_mid error case (bsc#1192606).
cifs: remove [gu]id/backup[gu]id/file_mode/dir_mode from cifs_sb (bsc#1192606).
cifs: remove actimeo from cifs_sb (bsc#1192606).
cifs: remove bogus debug code (bsc#1179427).
cifs: remove ctx argument from cifs_setup_cifs_sb (bsc#1192606).
cifs: remove duplicated prototype (bsc#1192606).
cifs: remove old dead code (bsc#1192606).
cifs: remove pathname for file from SPDX header (bsc#1192606).
cifs: remove redundant assignment to pointer pneg_ctxt (bsc#1164565).
cifs: remove redundant assignment to variable rc (bsc#1164565).
cifs: remove redundant initialization of variable rc (bsc#1192606).
cifs: remove redundant initialization of variable rc (bsc#1192606).
cifs: Remove repeated struct declaration (bsc#1192606).
cifs: Remove set but not used variable 'capabilities' (bsc#1164565).
cifs: remove set but not used variable 'server' (bsc#1164565).
cifs: remove set but not used variables 'cinode' and 'netfid' (bsc#1164565).
cifs: remove set but not used variables (bsc#1164565).
cifs: remove some minor warnings pointed out by kernel test robot (bsc#1192606).
cifs: remove the devname argument to cifs_compose_mount_options (bsc#1192606).
cifs: remove the retry in cifs_poxis_lock_set (bsc#1192606).
cifs: Remove the superfluous break (bsc#1192606).
cifs: remove two cases where rc is set unnecessarily in sid_to_id (bsc#1192606).
cifs: remove unnecessary copies of tcon->crfid.fid (bsc#1192606).
cifs: Remove unnecessary struct declaration (bsc#1192606).
cifs: remove unneeded variable in smb3_fs_context_dup (bsc#1192606).
cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
cifs: remove unused variable 'server' (bsc#1192606).
cifs: remove unused variable 'sid_user' (bsc#1164565).
cifs: remove unused variable (bsc#1164565).
cifs: Remove useless variable (bsc#1192606).
cifs: remove various function description warnings (bsc#1192606).
cifs: rename a variable in SendReceive() (bsc#1164565).
cifs: rename cifs_common to smbfs_common (bsc#1192606).
cifs: rename dup_vol to smb3_fs_context_dup and move it into fs_context.c (bsc#1192606).
cifs: rename posix create rsp (bsc#1164565).
cifs: rename reconn_inval_dfs_target() (bsc#1178270).
cifs: rename smb_vol as smb3_fs_context and move it to fs_context.h (bsc#1192606).
cifs: rename the *_shroot* functions to *_cached_dir* (bsc#1192606).
cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
cifs: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1164565).
cifs: Retain old ACEs when converting between mode bits and ACL (bsc#1192606).
cifs: retry lookup and readdir when EAGAIN is returned (bsc#1192606).
cifs: return cached_fid from open_shroot (bsc#1192606).
cifs: Return correct error code from smb2_get_enc_key (git-fixes).
cifs: Return directly after a failed build_path_from_dentry() in cifs_do_create() (bsc#1164565).
cifs: return proper error code in statfs(2) (bsc#1181507).
cifs: Return the error from crypt_message when enc/dec key not found (bsc#1179426).
cifs: returning mount parm processing errors correctly (bsc#1192606).
cifs: revalidate mapping when we open files for SMB1 POSIX (bsc#1192606).
cifs: Send witness register and unregister commands to userspace daemon (bsc#1192606).
cifs: Send witness register messages to userspace daemon in echo task (bsc#1192606).
cifs: send workstation name during ntlmssp session setup (bsc#1192606).
cifs: set a minimum of 120s for next dns resolution (bsc#1192606).
cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath (bsc#1192606).
cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1164565).
cifs: set server->cipher_type to AES-128-CCM for SMB3.0 (bsc#1192606).
cifs: set up next DFS target before generic_ip_connect() (bsc#1178270).
cifs: Set witness notification handler for messages from userspace daemon (bsc#1192606).
cifs: Silently ignore unknown oplock break handle (bsc#1192606).
cifs: Simplify bool comparison (bsc#1192606).
cifs: simplify handling of cifs_sb/ctx->local_nls (bsc#1192606).
cifs: Simplify reconnect code when dfs upcall is enabled (bsc#1192606).
cifs: simplify SWN code with dummy funcs instead of ifdefs (bsc#1192606).
cifs: smb1: Try failing back to SetFileInfo if SetPathInfo fails (bsc#1192606).
cifs: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1192606).
cifs: smbd: Add messages on RDMA session destroy and reconnection (bsc#1164565).
cifs: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1192606).
cifs: smbd: Check and extend sender credits in interrupt context (bsc#1192606).
cifs: smbd: Check send queue size before posting a send (bsc#1192606).
cifs: smbd: Do not schedule work to send immediate packet on every receive (bsc#1192606).
cifs: smbd: Invalidate and deregister memory registration on re-send for direct I/O (bsc#1164565).
cifs: smbd: Merge code to track pending packets (bsc#1192606).
cifs: smbd: Only queue work for error recovery on memory registration (bsc#1164565).
cifs: smbd: Properly process errors on ib_post_send (bsc#1192606).
cifs: smbd: Return -EAGAIN when transport is reconnecting (bsc#1164565).
cifs: smbd: Return -ECONNABORTED when trasnport is not in connected state (bsc#1164565).
cifs: smbd: Return -EINVAL when the number of iovs exceeds SMBDIRECT_MAX_SGE (bsc#1164565).
cifs: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1192606).
cifs: sort interface list by speed (bsc#1192606).
cifs: Spelling s/EACCESS/EACCES/ (bsc#1192606).
cifs: split out dfs code from cifs_reconnect() (bsc#1192606, jsc#SLE-20042).
cifs: Standardize logging output (bsc#1192606).
cifs: store a pointer to the root dentry in cifs_sb_info once we have completed mounting the share (bsc#1192606).
cifs: style: replace one-element array with flexible-array (bsc#1192606).
cifs: support nested dfs links over reconnect (bsc#1192606, jsc#SLE-20042).
cifs: support share failover when remounting (bsc#1192606, jsc#SLE-20042).
cifs: switch build_path_from_dentry() to using dentry_path_raw() (bsc#1192606).
cifs: switch servers depending on binding state (bsc#1192606).
cifs: switch to new mount api (bsc#1192606).
cifs: To match file servers, make sure the server hostname matches (bsc#1192606).
cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
cifs: try harder to open new channels (bsc#1192606).
cifs: try opening channels after mounting (bsc#1192606).
cifs: uncomplicate printing the iocharset parameter (bsc#1192606).
cifs: Unlock on errors in cifs_swn_reconnect() (bsc#1192606).
cifs: update ctime and mtime during truncate (bsc#1192606).
cifs: update FSCTL definitions (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal module version number (bsc#1192606).
cifs: update internal version number (bsc#1192606).
cifs: update internal version number (bsc#1192606).
cifs: update internal version number (bsc#1192606).
cifs: update internal version number (bsc#1192606).
cifs: update mnt_cifs_flags during reconfigure (bsc#1192606).
cifs: update new ACE pointer after populate_new_aces (bsc#1192606).
cifs: update super_operations to show_devname (bsc#1192606).
cifs: Use #define in cifs_dbg (bsc#1164565).
cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic (bnc#1151927 5.3.7).
cifs: Use common error handling code in smb2_ioctl_query_info() (bsc#1164565).
cifs: use compounding for open and first query-dir for readdir() (bsc#1164565).
cifs: use discard iterator to discard unneeded network data more efficiently (bsc#1192606).
cifs: use echo_interval even when connection not ready (bsc#1192606).
cifs: use existing handle for compound_op(OP_SET_INFO) when possible (bsc#1154355).
cifs: use helpers when parsing uid/gid mount options and validate them (bsc#1192606).
cifs: Use memdup_user() rather than duplicating its implementation (bsc#1164565).
cifs: use mod_delayed_work() for server->reconnect if already queued (bsc#1164565).
cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1164565).
cifs: use SPDX-Licence-Identifier (bsc#1192606).
cifs: use the expiry output of dns_query to schedule next resolution (bsc#1192606).
cifs: use true,false for bool variable (bsc#1164565).
cifs: warn and fail if trying to use rootfs without the config option (bsc#1192606).
cifs: Warn less noisily on default mount (bsc#1192606).
cifs: we do not allow changing username/password/unc/... during remount (bsc#1192606).
cifs/smb3: Fix data inconsistent when punch hole (bsc#1176544).
cifs/smb3: Fix data inconsistent when zero file range (bsc#1176536).
cifs`: handle ERRBaduid for SMB1 (bsc#1192606).
clk: imx: imx6ul: Move csi_sel mux to correct base register (git-fixes).
clk: ingenic: Fix bugs with divided dividers (git-fixes).
config: refresh BPF configs (jsc#SLE-22574) The SUSE-commit 9a413cc7eb56 ('config: disable unprivileged BPF by default (jsc#SLE-22573)') inherited from SLE15-SP2 puts the BPF config into the wrong place due to SLE15-SP3 additionally backported b24abcff918a ('bpf, kconfig: Add consolidated menu entry for bpf with core options'), and leads to duplicate CONFIG_BPF_UNPRIV_DEFAULT_OFF entires; this commit remove those BPF config. Also, disable unprivileged BPF for armv7hl, which did not inherit the config change from SLE15-SP2.
constraints: Build aarch64 on recent ARMv8.1 builders. Request asimdrdm feature which is available only on recent ARMv8.1 CPUs. This should prevent scheduling the kernel on an older slower builder.
Convert trailing spaces and periods in path components (bsc#1179424).
crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency (git-fixes).
crypto: pcrypt - Delay write to padata->info (git-fixes).
crypto: s5p-sss - Add error handling in s5p_aes_probe() (git-fixes).
cxgb4: fix eeprom len when diagnostics not implemented (git-fixes).
dm raid: remove unnecessary discard limits for raid0 and raid10 (bsc#1192320).
dm: fix deadlock when swapping to encrypted device (bsc#1186332).
dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro (git-fixes).
dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` (git-fixes).
do_cifs_create(): do not set ->i_mode of something we had not created (bsc#1192606).
drm: panel-orientation-quirks: Add quirk for Aya Neo 2021 (git-fixes).
drm: panel-orientation-quirks: Add quirk for GPD Win3 (git-fixes).
drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 (git-fixes).
drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book 10.6 (git-fixes).
drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2) (git-fixes).
drm/amd/display: Set plane update flags for all planes in reset (git-fixes).
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors (git-fixes).
drm/msm: Do hw_init() before capturing GPU state (git-fixes).
drm/msm/a6xx: Allocate enough space for GMU registers (git-fixes).
drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame (git-fixes).
drm/nouveau/acr: fix a couple NULL vs IS_ERR() checks (git-fixes).
drm/nouveau/svm: Fix refcount leak bug and missing check against null bug (git-fixes).
drm/panel-orientation-quirks: add Valve Steam Deck (git-fixes).
drm/pl111: Actually fix CONFIG_VEXPRESS_CONFIG depends (git-fixes).
drm/plane-helper: fix uninitialized variable reference (git-fixes).
drm/vc4: fix error code in vc4_create_object() (git-fixes).
drop superfluous empty lines
e1000e: Separate TGP board type from SPT (bsc#1192874).
EDAC/amd64: Handle three rank interleaving mode (bsc#1152489).
elfcore: correct reference to CONFIG_UML (git-fixes).
elfcore: fix building with clang (bsc#1169514).
ethtool: fix ethtool msg len calculation for pause stats (jsc#SLE-15075).
firmware: qcom_scm: Mark string array const (git-fixes).
fuse: release pipe buf after last use (bsc#1193318).
gve: Add netif_set_xps_queue call (bsc#1176940).
gve: Add rx buffer pagecnt bias (bsc#1176940).
gve: Allow pageflips on larger pages (bsc#1176940).
gve: Do lazy cleanup in TX path (git-fixes).
gve: DQO: avoid unused variable warnings (bsc#1176940).
gve: Switch to use napi_complete_done (git-fixes).
gve: Track RX buffer allocation failures (bsc#1176940).
hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Add support for yellow carp (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Add support for Zen3 CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Create common functions and macros for Zen CPU families (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Do not show Tdie for all Zen/Zen2/Zen3 CPU/APU (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) make some symbols static (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Remove residues of current and voltage (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Reorganize and simplify temperature support detection (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Rework the temperature offset calculation (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) support Zen3 APUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Swap Tdie and Tctl on Family 17h CPUs (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Update documentation and add temp2_input info (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Update driver documentation (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
i2c: cbus-gpio: set atomic transfer callback (git-fixes).
i2c: stm32f7: flush TX FIFO upon transfer errors (git-fixes).
i2c: stm32f7: recover the bus on access timeout (git-fixes).
i2c: stm32f7: stop dma transfer in case of NACK (git-fixes).
i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' (git-fixes).
i40e: Fix changing previously set num_queue_pairs for PFs (git-fixes).
i40e: Fix correct max_pkt_size on VF RX queue (git-fixes).
i40e: Fix creation of first queue by omitting it if is not power of two (git-fixes).
i40e: Fix display error code in dmesg (git-fixes).
i40e: Fix failed opcode appearing if handling messages from VF (git-fixes).
i40e: Fix NULL ptr dereference on VSI filter sync (git-fixes).
i40e: Fix ping is lost after configuring ADq on VF (git-fixes).
i40e: Fix pre-set max number of queues for VF (git-fixes).
i40e: Fix warning message and call stack during rmmod i40e driver (git-fixes).
iavf: check for null in iavf_fix_features (git-fixes).
iavf: do not clear a lock we do not hold (git-fixes).
iavf: Fix failure to exit out from last all-multicast mode (git-fixes).
iavf: Fix for setting queues to 0 (jsc#SLE-12877).
iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset (git-fixes).
iavf: Fix reporting when setting descriptor count (git-fixes).
iavf: Fix return of set the new channel count (jsc#SLE-12877).
iavf: free q_vectors before queues in iavf_disable_vf (git-fixes).
iavf: prevent accidental free of filter structure (git-fixes).
iavf: Prevent changing static ITR values if adaptive moderation is on (git-fixes).
iavf: Restore VLAN filters after link down (git-fixes).
iavf: validate pointers (git-fixes).
ibmvnic: drop bad optimization in reuse_rx_pools() (bsc#1193349 ltc#195568).
ibmvnic: drop bad optimization in reuse_tx_pools() (bsc#1193349 ltc#195568).
ice: avoid bpf_prog refcount underflow (jsc#SLE-7926).
ice: avoid bpf_prog refcount underflow (jsc#SLE-7926).
ice: Delete always true check of PF pointer (git-fixes).
ice: Fix not stopping Tx queues for VFs (jsc#SLE-7926).
ice: Fix VF true promiscuous mode (jsc#SLE-12878).
ice: fix vsi->txq_map sizing (jsc#SLE-7926).
ice: ignore dropped packets during init (git-fixes).
ice: Remove toggling of antispoof for VF trusted promiscuous mode (jsc#SLE-12878).
igb: fix netpoll exit with traffic (git-fixes).
igc: Remove _I_PHY_ID checking (bsc#1193169).
igc: Remove phy->type checking (bsc#1193169).
iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr() (git-fixes).
Input: iforce - fix control-message timeout (git-fixes).
iommu: Check if group is NULL before remove device (git-fixes).
iommu/amd: Relocate GAMSup check to early_enable_iommus (git-fixes).
iommu/amd: Remove iommu_init_ga() (git-fixes).
iommu/mediatek: Fix out-of-range warning with clang (git-fixes).
iommu/vt-d: Consolidate duplicate cache invaliation code (git-fixes).
iommu/vt-d: Fix incomplete cache flush in intel_pasid_tear_down_entry() (git-fixes).
iommu/vt-d: Update the virtual command related registers (git-fixes).
ipmi: Disable some operations during a panic (git-fixes).
kABI: dm: fix deadlock when swapping to encrypted device (bsc#1186332).
kabi: hide changes to struct uv_info (git-fixes).
kernel-obs-build: include the preferred kernel parameters Currently the Open Build Service hardcodes the kernel boot parameters globally. Recently functionality was added to control the parameters by the kernel-obs-build package, so make use of that. parameters here will overwrite what is used by OBS otherwise.
kernel-obs-build: inform build service about virtio-serial Inform the build worker code that this kernel supports virtio-serial, which improves performance and relability of logging.
kernel-obs-build: remove duplicated/unused parameters lbs=0 - this parameters is just giving 'unused parameter' and it looks like I can not find any version that implemented this. rd.driver.pre=binfmt_misc is not needed when setup_obs is used, it alread loads the kernel module. quiet and panic=1 will now be also always added by OBS, so we do not have to set it here anymore.
kernel-source.spec: install-kernel-tools also required on 15.4
lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression (git-fixes).
lib/xz: Validate the value before assigning it to an enum variable (git-fixes).
libata: fix checking of DMA state (git-fixes).
linux/parser.h: add include guards (bsc#1192606).
lpfc: Reintroduce old IRQ probe logic (bsc#1183897).
md: add md_submit_discard_bio() for submitting discard bio (bsc#1192320).
md: fix a lock order reversal in md_alloc (git-fixes).
md/raid10: extend r10bio devs to raid disks (bsc#1192320).
md/raid10: improve discard request for far layout (bsc#1192320).
md/raid10: improve raid10 discard request (bsc#1192320).
md/raid10: initialize r10_bio->read_slot before use (bsc#1192320).
md/raid10: pull the code that wait for blocked dev into one function (bsc#1192320).
md/raid10: Remove unnecessary rcu_dereference in raid10_handle_discard (bsc#1192320).
mdio: aspeed: Fix 'Link is Down' issue (bsc#1176447).
media: imx: set a media_device bus_info string (git-fixes).
media: ipu3-imgu: imgu_fmt: Handle properly try (git-fixes).
media: ipu3-imgu: VIDIOC_QUERYCAP: Fix bus_info (git-fixes).
media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers (git-fixes).
media: mceusb: return without resubmitting URB in case of -EPROTO error (git-fixes).
media: mt9p031: Fix corrupted frame after restarting stream (git-fixes).
media: netup_unidvb: handle interrupt properly according to the firmware (git-fixes).
media: rcar-csi2: Add checking to rcsi2_start_receiver() (git-fixes).
media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() (git-fixes).
media: stm32: Potential NULL pointer dereference in dcmi_irq_thread() (git-fixes).
media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() (git-fixes).
media: uvcvideo: Return -EIO for control errors (git-fixes).
media: uvcvideo: Set capability in s_param (git-fixes).
media: uvcvideo: Set unique vdev name based in type (git-fixes).
memstick: r592: Fix a UAF bug when removing the driver (git-fixes).
MM: reclaim mustn't enter FS for swap-over-NFS (bsc#1191876).
mmc: dw_mmc: Dont wait for DRTO on Write RSP error (git-fixes).
mmc: winbond: do not build on M68K (git-fixes).
mtd: core: do not remove debugfs directory if device is in use (git-fixes).
mwifiex: Properly initialize private structure on interface type changes (git-fixes).
mwifiex: Read a PCI register after writing the TX ring write pointer (git-fixes).
mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type (git-fixes).
mwl8k: Fix use-after-free in mwl8k_fw_state_machine() (git-fixes).
net: asix: fix uninit value bugs (git-fixes).
net: bnx2x: fix variable dereferenced before check (git-fixes).
net: bridge: fix under estimation in br_get_linkxstats_size() (bsc#1176447).
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero (git-fixes).
net: delete redundant function declaration (git-fixes).
net: hns3: change affinity_mask to numa node range (bsc#1154353).
net: hns3: fix misuse vf id and vport id in some logs (bsc#1154353).
net: hns3: remove check VF uc mac exist when set by PF (bsc#1154353).
net: hso: fix control-request directions (git-fixes).
net: hso: fix muxed tty registration (git-fixes).
net: linkwatch: fix failure to restore device state across suspend/resume (bsc#1192511).
net: mana: Allow setting the number of queues while the NIC is down (jsc#SLE-18779, bsc#1185726).
net: mana: Fix memory leak in mana_hwc_create_wq (jsc#SLE-18779, bsc#1185726).
net: mana: Fix spelling mistake 'calledd' -> 'called' (jsc#SLE-18779, bsc#1185726).
net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (jsc#SLE-18779, bsc#1185726).
net: mana: Improve the HWC error handling (jsc#SLE-18779, bsc#1185726).
net: mana: Support hibernation and kexec (jsc#SLE-18779, bsc#1185726).
net: mana: Use kcalloc() instead of kzalloc() (jsc#SLE-18779, bsc#1185726).
net: pegasus: fix uninit-value in get_interrupt_interval (git-fixes).
net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() (git-fixes).
net: stmmac: add EHL 2.5Gbps PCI info and PCI ID (bsc#1192691).
net: stmmac: add EHL PSE0 PSE1 1Gbps PCI info and PCI ID (bsc#1192691).
net: stmmac: add EHL RGMII 1Gbps PCI info and PCI ID (bsc#1192691).
net: stmmac: add EHL SGMII 1Gbps PCI info and PCI ID (bsc#1192691).
net: stmmac: add TGL SGMII 1Gbps PCI info and PCI ID (bsc#1192691).
net: stmmac: create dwmac-intel.c to contain all Intel platform (bsc#1192691).
net: stmmac: pci: Add HAPS support using GMAC5 (bsc#1192691).
net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of '0' if no IRQ is available (git-fixes).
net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of '0' if no IRQ is available (git-fixes).
net: usb: Merge cpu_to_le32s + memcpy to put_unaligned_le32 (git-fixes).
net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() (git-fixes).
net/mlx5: E-Switch, return error if encap isn't supported (jsc#SLE-15172).
net/mlx5e: reset XPS on error flow if netdev isn't registered yet (git-fixes).
net/sched: sch_ets: do not peek at classes beyond 'nbands' (bsc#1176774).
netfilter: ctnetlink: do not erase error code with EINVAL (bsc#1176447).
netfilter: ctnetlink: fix filtering with CTA_TUPLE_REPLY (bsc#1176447).
netfilter: flowtable: fix IPv6 tunnel addr match (bsc#1176447).
NFC: add NCI_UNREG flag to eliminate the race (git-fixes).
NFC: pn533: Fix double free when pn533_fill_fragment_skbs() fails (git-fixes).
NFC: reorder the logic in nfc_{un,}register_device (git-fixes).
NFC: reorganize the functions in nci_request (git-fixes).
nfp: checking parameter process for rx-usecs/tx-usecs is invalid (git-fixes).
nfp: Fix memory leak in nfp_cpp_area_cache_add() (git-fixes).
NFS: Do not set NFS_INO_DATA_INVAL_DEFER and NFS_INO_INVALID_DATA (git-fixes).
NFS: do not take i_rwsem for swap IO (bsc#1191876).
NFS: Fix deadlocks in nfs_scan_commit_list() (git-fixes).
NFS: Fix up commit deadlocks (git-fixes).
NFS: move generic_write_checks() call from nfs_file_direct_write() to nfs_file_write() (bsc#1191876).
nfsd: do not alloc under spinlock in rpc_parse_scope_id (git-fixes).
nfsd: fix error handling of register_pernet_subsys() in init_nfsd() (git-fixes).
nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero (git-fixes).
NFSv4: Fix a regression in nfs_set_open_stateid_locked() (git-fixes).
nvme-multipath: Skip not ready namespaces when revalidating paths (bsc#1191793 bsc#1192507 bsc#1192969).
nvme-pci: add NO APST quirk for Kioxia device (git-fixes).
objtool: Support Clang non-section symbols in ORC generation (bsc#1169514).
PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros (git-fixes).
PCI: Mark Atheros QCA6174 to avoid bus reset (git-fixes).
PCI/MSI: Deal with devices lying about their MSI mask capability (git-fixes).
perf: Correctly handle failed perf_get_aux_event() (git-fixes).
perf/x86/intel: Fix unchecked MSR access error caused by VLBR_EVENT (git-fixes).
perf/x86/intel/uncore: Fix Intel ICX IIO event constraints (git-fixes).
perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server (git-fixes).
perf/x86/intel/uncore: Fix the scale of the IMC free-running events (git-fixes).
perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server (git-fixes).
perf/x86/vlbr: Add c->flags to vlbr event constraints (git-fixes).
platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' (git-fixes).
platform/x86: wmi: do not fail if disabling fails (git-fixes).
PM: hibernate: Get block device exclusively in swsusp_check() (git-fixes).
PM: hibernate: use correct mode for swsusp_close() (git-fixes).
pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds (git-fixes).
powerpc: fix unbalanced node refcount in check_kvm_guest() (jsc#SLE-15869 jsc#SLE-16321 git-fixes).
powerpc/iommu: Report the correct most efficient DMA mask for PCI devices (git-fixes).
powerpc/paravirt: correct preempt debug splat in vcpu_is_preempted() (bsc#1181148 ltc#190702 git-fixes).
powerpc/paravirt: vcpu_is_preempted() commentary (bsc#1181148 ltc#190702 git-fixes).
powerpc/perf: Fix cycles/instructions as PM_CYC/PM_INST_CMPL in power10 (jsc#SLE-13513 git-fixes).
powerpc/pseries: Move some PAPR paravirt functions to their own file (bsc#1181148 ltc#190702 git-fixes).
powerpc/watchdog: Avoid holding wd_smp_lock over printk and smp_send_nmi_ipi (bsc#1187541 ltc#192129).
powerpc/watchdog: Fix missed watchdog reset due to memory ordering race (bsc#1187541 ltc#192129).
powerpc/watchdog: Fix wd_smp_last_reset_tb reporting (bsc#1187541 ltc#192129).
powerpc/watchdog: read TB close to where it is used (bsc#1187541 ltc#192129).
powerpc/watchdog: tighten non-atomic read-modify-write access (bsc#1187541 ltc#192129).
printk: Remove printk.h inclusion in percpu.h (bsc#1192987).
qede: validate non LSO skb length (git-fixes).
r8152: limit the RX buffer size of RTL8153A for USB 2.0 (git-fixes).
r8169: Add device 10ec:8162 to driver r8169 (git-fixes).
RDMA/bnxt_re: Update statistics counter name (jsc#SLE-16649).
recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
reset: socfpga: add empty driver allowing consumers to probe (git-fixes).
ring-buffer: Protect ring_buffer_reset() from reentrancy (bsc#1179960).
rpm/*.spec.in: use buildroot macro instead of env variable The RPM_BUILD_ROOT variable is considered deprecated over a buildroot macro. future proof the spec files.
rpm/kernel-binary.spec.in: do not strip vmlinux again (bsc#1193306) After usrmerge, vmlinux file is not named vmlinux-lt;version>, but simply vmlinux. And this is not reflected in STRIP_KEEP_SYMTAB we set. So fix this by removing the dash...
rpm/kernel-obs-build.spec.in: move to zstd for the initrd Newer distros have capability to decompress zstd, which provides a 2-5% better compression ratio at very similar cpu overhead. Plus this tests the zstd codepaths now as well.
rt2x00: do not mark device gone on EPROTO errors during start (git-fixes).
rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() (bsc#1154353 bnc#1151927 5.3.9).
s390: mm: Fix secure storage access exception handling (git-fixes).
s390/bpf: Fix branch shortening during codegen pass (bsc#1193993).
s390/uv: fully validate the VMA before calling follow_page() (git-fixes).
scsi: iscsi: Adjust iface sysfs attr detection (git-fixes).
scsi: lpfc: Fix non-recovery of remote ports following an unsolicited LOGO (bsc#1189126).
scsi: mpi3mr: Fix duplicate device entries when scanning through sysfs (git-fixes).
scsi: mpt3sas: Fix kernel panic during drive powercycle test (git-fixes).
scsi: mpt3sas: Fix system going into read-only mode (git-fixes).
scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc() (git-fixes).
scsi: qla2xxx: Fix gnl list corruption (git-fixes).
scsi: qla2xxx: Relogin during fabric disturbance (git-fixes).
scsi: qla2xxx: Turn off target reset during issue_lip (git-fixes).
serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array (git-fixes).
serial: 8250_pci: rewrite pericom_do_set_divisor() (git-fixes).
serial: 8250: Fix RTS modem control while in rs485 mode (git-fixes).
serial: core: fix transmit-buffer reset and memleak (git-fixes).
smb2: clarify rc initialization in smb2_reconnect (bsc#1192606).
smb2: fix use-after-free in smb2_ioctl_query_info() (bsc#1192606).
smb3: add additional null check in SMB2_ioctl (bsc#1192606).
smb3: add additional null check in SMB2_open (bsc#1192606).
smb3: add additional null check in SMB2_tcon (bsc#1192606).
smb3: add additional null check in SMB311_posix_mkdir (bsc#1192606).
smb3: Add debug message for new file creation with idsfromsid mount option (bsc#1192606).
smb3: add debug messages for closing unmatched open (bsc#1164565).
smb3: add defines for new crypto algorithms (bsc#1192606).
smb3: Add defines for new information level, FileIdInformation (bsc#1164565).
smb3: add defines for new signing negotiate context (bsc#1192606).
smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
smb3: add dynamic trace points for socket connection (bsc#1192606).
smb3: add dynamic tracepoints for flush and close (bsc#1164565).
smb3: add indatalen that can be a non-zero value to calculation of credit charge in smb2 ioctl (bsc#1192606).
smb3: add missing flag definitions (bsc#1164565).
smb3: Add missing reparse tags (bsc#1164565).
smb3: add missing worker function for SMB3 change notify (bsc#1164565).
smb3: add mount option to allow forced caching of read only share (bsc#1164565).
smb3: add mount option to allow RW caching of share accessed by only 1 client (bsc#1164565).
smb3: Add new compression flags (bsc#1192606).
smb3: Add new info level for query directory (bsc#1192606).
smb3: add new module load parm enable_gcm_256 (bsc#1192606).
smb3: add new module load parm require_gcm_256 (bsc#1192606).
smb3: Add new parm 'nodelete' (bsc#1192606).
smb3: add one more dynamic tracepoint missing from strict fsync path (bsc#1164565).
smb3: add rasize mount parameter to improve readahead performance (bsc#1192606).
smb3: add some missing definitions from MS-FSCC (bsc#1192606).
smb3: add some more descriptive messages about share when mounting cache=ro (bsc#1164565).
smb3: Add support for getting and setting SACLs (bsc#1192606).
smb3: Add support for lookup with posix extensions query info (bsc#1192606).
smb3: Add support for negotiating signing algorithm (bsc#1192606).
smb3: Add support for query info using posix extensions (level 100) (bsc#1192606).
smb3: add support for recognizing WSL reparse tags (bsc#1192606).
smb3: Add support for SMB311 query info (non-compounded) (bsc#1192606).
smb3: add support for stat of WSL reparse points for special file types (bsc#1192606).
smb3: add support for using info level for posix extensions query (bsc#1192606).
smb3: Add tracepoints for new compound posix query info (bsc#1192606).
smb3: Additional compression structures (bsc#1192606).
smb3: allow decryption keys to be dumped by admin for debugging (bsc#1164565).
smb3: allow disabling requesting leases (bnc#1151927 5.3.4).
smb3: allow dumping GCM256 keys to improve debugging of encrypted shares (bsc#1192606).
smb3: allow dumping keys for multiuser mounts (bsc#1192606).
smb3: allow parallelizing decryption of reads (bsc#1164565).
smb3: allow skipping signature verification for perf sensitive configurations (bsc#1164565).
smb3: allow uid and gid owners to be set on create with idsfromsid mount option (bsc#1192606).
smb3: avoid confusing warning message on mount to Azure (bsc#1192606).
smb3: Avoid Mid pending list corruption (bsc#1192606).
smb3: Backup intent flag missing from some more ops (bsc#1164565).
smb3: Call cifs reconnect from demultiplex thread (bsc#1192606).
smb3: change noisy error message to FYI (bsc#1192606).
smb3: cleanup some recent endian errors spotted by updated sparse (bsc#1164565).
smb3: correct server pointer dereferencing check to be more consistent (bsc#1192606).
smb3: correct smb3 ACL security descriptor (bsc#1192606).
smb3: default to minimum of two channels when multichannel specified (bsc#1192606).
smb3: display max smb3 requests in flight at any one time (bsc#1164565).
smb3: do not attempt multichannel to server which does not support it (bsc#1192606).
smb3: do not error on fsync when readonly (bsc#1192606).
smb3: do not fail if no encryption required but server does not support it (bsc#1192606).
smb3: do not log warning message if server does not populate salt (bsc#1192606).
smb3: do not setup the fscache_super_cookie until fsinfo initialized (bsc#1192606).
smb3: do not try to cache root directory if dir leases not supported (bsc#1192606).
smb3: dump in_send and num_waiters stats counters by default (bsc#1164565).
smb3: enable negotiating stronger encryption by default (bsc#1192606).
smb3: enable offload of decryption of large reads via mount option (bsc#1164565).
smb3: enable swap on SMB3 mounts (bsc#1192606).
smb3: extend fscache mount volume coherency check (bsc#1192606).
smb3: fix access denied on change notify request to some servers (bsc#1192606).
smb3: fix cached file size problems in duplicate extents (reflink) (bsc#1192606).
smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1164565).
smb3: fix crediting for compounding when only one request in flight (bsc#1181507).
smb3: fix default permissions on new files when mounting with modefromsid (bsc#1164565).
smb3: Fix ids returned in POSIX query dir (bsc#1192606).
smb3: fix incorrect number of credits when ioctl MaxOutputResponse > 64K (bsc#1192606).
smb3: fix leak in 'open on server' perf counter (bnc#1151927 5.3.4).
smb3: Fix mkdir when idsfromsid configured on mount (bsc#1192606).
smb3: fix mode passed in on create for modetosid mount option (bsc#1164565).
smb3: fix mount failure to some servers when compression enabled (bsc#1192606).
smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
smb3: fix performance regression with setting mtime (bsc#1164565).
smb3: Fix persistent handles reconnect (bnc#1151927 5.3.11).
smb3: fix posix extensions mount option (bsc#1192606).
smb3: fix possible access to uninitialized pointer to DACL (bsc#1192606).
smb3: fix potential null dereference in decrypt offload (bsc#1164565).
smb3: fix problem with null cifs super block with previous patch (bsc#1164565).
smb3: fix readpage for large swap cache (bsc#1192606).
smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1164565).
smb3: Fix regression in time handling (bsc#1164565).
smb3: fix signing verification of large reads (bsc#1154355).
smb3: fix stat when special device file and mounted with modefromsid (bsc#1192606).
smb3: fix typo in compression flag (bsc#1192606).
smb3: fix typo in header file (bsc#1192606).
smb3: fix typo in mount options displayed in /proc/mounts (bsc#1192606).
smb3: fix uninitialized value for port in witness protocol move (bsc#1192606).
smb3: fix unmount hang in open_shroot (bnc#1151927 5.3.4).
smb3: fix unneeded error message on change notify (bsc#1192606).
smb3: Handle error case during offload read path (bsc#1192606).
smb3: Honor 'handletimeout' flag for multiuser mounts (bsc#1176558).
smb3: Honor 'posix' flag for multiuser mounts (bsc#1176559).
smb3: Honor 'seal' flag for multiuser mounts (bsc#1176545).
smb3: Honor lease disabling for multiuser mounts (git-fixes).
smb3: Honor persistent/resilient handle flags for multiuser mounts (bsc#1176546).
smb3: if max_channels set to more than one channel request multichannel (bsc#1192606).
smb3: improve check for when we send the security descriptor context on create (bsc#1164565).
smb3: improve handling of share deleted (and share recreated) (bsc#1154355).
smb3: incorrect file id in requests compounded with open (bsc#1192606).
smb3: Incorrect size for netname negotiate context (bsc#1154355).
smb3: limit noisy error (bsc#1192606).
smb3: log warning if CSC policy conflicts with cache mount option (bsc#1164565).
smb3: Minor cleanup of protocol definitions (bsc#1192606).
smb3: minor update to compression header definitions (bsc#1192606).
smb3: missing ACL related flags (bsc#1164565).
smb3: negotiate current dialect (SMB3.1.1) when version 3 or greater requested (bsc#1192606).
smb3: only offload decryption of read responses if multiple requests (bsc#1164565).
smb3: pass mode bits into create calls (bsc#1164565).
smb3: prevent races updating CurrentMid (bsc#1192606).
smb3: print warning if server does not support requested encryption type (bsc#1192606).
smb3: print warning once if posix context returned on open (bsc#1164565).
smb3: query attributes on file close (bsc#1164565).
smb3: rc uninitialized in one fallocate path (bsc#1192606).
smb3: remind users that witness protocol is experimental (bsc#1192606).
smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1164565).
smb3: remove confusing mount warning when no SPNEGO info on negprot rsp (bsc#1192606).
smb3: remove dead code for non compounded posix query info (bsc#1192606).
smb3: remove noisy debug message and minor cleanup (bsc#1164565).
smb3: remove overly noisy debug line in signing errors (bsc#1192606).
smb3: remove static checker warning (bsc#1192606).
smb3: remove trivial dfs compile warning (bsc#1192606, jsc#SLE-20042).
smb3: remove two unused variables (bsc#1192606).
smb3: remove unused flag passed into close functions (bsc#1164565).
smb3: rename nonces used for GCM and CCM encryption (bsc#1192606).
smb3: Resolve data corruption of TCP server info fields (bsc#1192606).
smb3: set COMPOUND_FID to FileID field of subsequent compound request (bsc#1192606).
smb3: set gcm256 when requested (bsc#1192606).
smb3: smbdirect support can be configured by default (bsc#1192606).
smb3: update comments clarifying SPNEGO info in negprot response (bsc#1192606).
smb3: update protocol header definitions based to include new flags (bsc#1192606).
smb3: update structures for new compression protocol definitions (bsc#1192606).
smb3: use SMB2_SIGNATURE_SIZE define (bsc#1192606).
smb3: warn on confusing error scenario with sec=krb5 (bsc#1176548).
smb3: when mounting with multichannel include it in requested capabilities (bsc#1192606).
smbdirect: missing rc checks while waiting for rdma events (bsc#1192606).
soc/tegra: Fix an error handling path in tegra_powergate_power_up() (git-fixes).
soc/tegra: pmc: Fix imbalanced clock disabling in error code path (git-fixes).
spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe() (git-fixes).
spi: spl022: fix Microwire full duplex mode (git-fixes).
SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC (bsc#1191876).
SUNRPC: remove scheduling boost for 'SWAPPER' tasks (bsc#1191876).
SUNRPC/auth: async tasks mustn't block waiting for memory (bsc#1191876).
SUNRPC/call_alloc: async tasks mustn't block waiting for memory (bsc#1191876).
SUNRPC/xprt: async tasks mustn't block waiting for memory (bsc#1191876).
supported.conf: add pwm-rockchip References: jsc#SLE-22615
swiotlb: avoid double free (git-fixes).
swiotlb: Fix the type of index (git-fixes).
TCON Reconnect during STATUS_NETWORK_NAME_DELETED (bsc#1192606).
tlb: mmu_gather: add tlb_flush_*_range APIs
tracing: Add length protection to histogram string copies (git-fixes).
tracing: Change STR_VAR_MAX_LEN (git-fixes).
tracing: Check pid filtering when creating events (git-fixes).
tracing: Fix pid filtering when triggers are attached (git-fixes).
tracing: use %ps format string to print symbols (git-fixes).
tracing/histogram: Do not copy the fixed-size char array field over the field size (git-fixes).
tty: hvc: replace BUG_ON() with negative return value (git-fixes).
tty: serial: msm_serial: Deactivate RX DMA for polling support (git-fixes).
tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc (git-fixes).
usb-storage: Add compatibility quirk flags for iODD 2531/2541 (git-fixes).
usb: chipidea: ci_hdrc_imx: fix potential error pointer dereference in probe (git-fixes).
usb: dwc2: gadget: Fix ISOC flow for elapsed frames (git-fixes).
usb: dwc2: hcd_queue: Fix use of floating point literal (git-fixes).
usb: host: ohci-tmio: check return value after calling platform_get_resource() (git-fixes).
usb: musb: tusb6010: check return value after calling platform_get_resource() (git-fixes).
usb: serial: option: add Fibocom FM101-GL variants (git-fixes).
usb: serial: option: add Telit LE910S1 0x9200 composition (git-fixes).
usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts (git-fixes).
usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect (git-fixes).
usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect (git-fixes).
usb: xhci: Enable runtime-pm by default on AMD Yellow Carp platform (git-fixes).
vfs: do not parse forbidden flags (bsc#1192606).
x86/amd_nb: Add AMD family 19h model 50h PCI ids (jsc#SLE-17823 jsc#SLE-23139 jsc#ECO-3666).
x86/cpu: Fix migration safety with X86_BUG_NULL_SEL (bsc#1152489).
x86/efi: Restore Firmware IDT before calling ExitBootServices() (git-fixes).
x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry() (bsc#1178134).
x86/mpx: Disable MPX for 32-bit userland (bsc#1193139).
x86/pkey: Fix undefined behaviour with PKRU_WD_BIT (bsc#1152489).
x86/pvh: add prototype for xen_pvh_init() (git-fixes).
x86/sev: Allow #VC exceptions on the VC2 stack (git-fixes).
x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword (bsc#1178134).
x86/sev: Fix stack type check in vc_switch_off_ist() (git-fixes).
x86/xen: Add xenpv_restore_regs_and_return_to_usermode() (bsc#1152489).
x86/Xen: swap NX determination and GDT setup on BSP (git-fixes).
xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
xen/blkfront: do not trust the backend response data blindly (git-fixes).
xen/blkfront: read response from backend only once (git-fixes).
xen/netfront: disentangle tx_skb_freelist (git-fixes).
xen/netfront: do not read data from request on the ring page (git-fixes).
xen/netfront: do not trust the backend response data blindly (git-fixes).
xen/netfront: read response from backend only once (git-fixes).
xen/privcmd: fix error handling in mmap-resource processing (git-fixes).
xen/pvh: add missing prototype to header (git-fixes).
xen/x86: fix PV trap handling on secondary processors (git-fixes).
xhci: Fix commad ring abort, write all 64 bits to CRCR register (bsc#1192569).
xhci: Fix commad ring abort, write all 64 bits to CRCR register (bsc#1192569).
xhci: Fix commad ring abort, write all 64 bits to CRCR register (git-fixes).
xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay (git-fixes).
zram: fix return value on writeback_store (git-fixes).
zram: off by one in read_block_state() (git-fixes).

Advisory ID	SUSE-SU-2022:157-1
Released	Mon Jan 24 10:10:38 2022
Summary	Security update for zxing-cpp
Type	security
Severity	important
References	1191743,1191942,1191944,CVE-2021-28021,CVE-2021-42715,CVE-2021-42716

Description:

This update for zxing-cpp fixes the following issues:

CVE-2021-28021: Fixed buffer overflow vulnerability in function stbi__extend_receive in stb_image.h via a crafted JPEG file. (bsc#1191743).
CVE-2021-42715: Fixed buffer overflow in stb_image PNM loader (bsc#1191942).
CVE-2021-42716: Fixed denial of service in stb_image HDR loader when reading crafted HDR files (bsc#1191944).

Advisory ID	SUSE-SU-2022:190-1
Released	Tue Jan 25 19:10:04 2022
Summary	Security update for polkit
Type	security
Severity	important
References	1194568,CVE-2021-4034

Description:

This update for polkit fixes the following issues:

CVE-2021-4034: Fixed a local privilege escalation in pkexec (bsc#1194568).

Advisory ID	SUSE-SU-2022:198-1
Released	Wed Jan 26 07:42:51 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1071995,1154353,1154492,1156395,1167773,1176447,1176774,1177437,1190256,1191271,1191929,1192931,1193255,1193328,1193660,1193669,1193727,1193901,1193927,1194001,1194027,1194087,1194094,1194266,1194302,1194493,1194516,1194517,1194518,1194529,1194578,1194580,1194584,1194586,1194587,1194589,1194590,1194591,1194592,1194888,1194953,1194985,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-45485,CVE-2021-45486,CVE-2021-46283,CVE-2022-0185,CVE-2022-0322

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

CVE-2022-0185: Incorrect param length parsing in legacy_parse_param which could have led to a local privilege escalation (bsc#1194517).
CVE-2022-0322: Fixed a denial of service in SCTP sctp_addto_chunk (bsc#1194985).
CVE-2021-4197: Fixed a cgroup issue where lower privileged processes could write to fds of lower privileged ones that could lead to privilege escalation (bsc#1194302).
CVE-2021-46283: nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expression in their own namespace (bnc#1194518).
CVE-2021-4135: Fixed an information leak in the nsim_bpf_map_alloc function (bsc#1193927).
CVE-2021-4202: Fixed a race condition during NFC device remove which could lead to a use-after-free memory corruption (bsc#1194529)
CVE-2021-4083: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allowed a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4 (bnc#1193727).
CVE-2021-4149: Fixed a locking condition in btrfs which could lead to system deadlocks (bsc#1194001).
CVE-2021-45485: In the IPv6 implementation in net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses (bnc#1194094).
CVE-2021-45486: In the IPv4 implementation in net/ipv4/route.c has an information leak because the hash table is very small (bnc#1194087).

The following non-security bugs were fixed:

ACPI: APD: Check for NULL pointer after calling devm_ioremap() (git-fixes).
ACPI: Add stubs for wakeup handler functions (git-fixes).
ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes (git-fixes).
ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls (git-fixes).
ALSA: ctl: Fix copy of updated id with element read/write (git-fixes).
ALSA: drivers: opl3: Fix incorrect use of vp->state (git-fixes).
ALSA: hda/hdmi: Disable silent stream on GLK (git-fixes).
ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform (git-fixes).
ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master after reboot from Windows (git-fixes).
ALSA: hda/realtek: Add a quirk for HP OMEN 15 mute LED (git-fixes).
ALSA: hda/realtek: Add quirk for ASRock NUC Box 1100 (git-fixes).
ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6 (git-fixes).
ALSA: hda/realtek: Fix quirk for Clevo NJ51CU (git-fixes).
ALSA: hda/realtek: Fix quirk for TongFang PHxTxX1 (git-fixes).
ALSA: hda/realtek: Fixes HP Spectre x360 15-eb1xxx speakers (git-fixes).
ALSA: hda/realtek: Headset fixup for Clevo NH77HJQ (git-fixes).
ALSA: hda: Add missing rwsem around snd_ctl_remove() calls (git-fixes).
ALSA: hda: Make proper use of timecounter (git-fixes).
ALSA: jack: Add missing rwsem around snd_ctl_remove() calls (git-fixes).
ALSA: jack: Check the return value of kstrdup() (git-fixes).
ALSA: oss: fix compile error when OSS_DEBUG is enabled (git-fixes).
ALSA: pcm: oss: Fix negative period/buffer sizes (git-fixes).
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() (git-fixes).
ALSA: pcm: oss: Limit the period size to 16MB (git-fixes).
ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID (git-fixes).
ALSA: usb-audio: Line6 HX-Stomp XL USB_ID for 48k-fixed quirk (git-fixes).
ASoC: codecs: wcd934x: handle channel mappping list correctly (git-fixes).
ASoC: codecs: wcd934x: return correct value from mixer put (git-fixes).
ASoC: codecs: wcd934x: return error code correctly from hw_params (git-fixes).
ASoC: codecs: wsa881x: fix return values from kcontrol put (git-fixes).
ASoC: cs42l42: Correct configuring of switch inversion from ts-inv (git-fixes).
ASoC: cs42l42: Disable regulators if probe fails (git-fixes).
ASoC: cs42l42: Use device_property API instead of of_property (git-fixes).
ASoC: fsl_asrc: refine the check of available clock divider (git-fixes).
ASoC: fsl_mqs: fix MODULE_ALIAS (git-fixes).
ASoC: mediatek: Check for error clk pointer (git-fixes).
ASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s (git-fixes).
ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent() (git-fixes).
ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer (git-fixes).
ASoC: rt5663: Handle device_property_read_u32_array error codes (git-fixes).
ASoC: samsung: idma: Check of ioremap return value (git-fixes).
ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked() (git-fixes).
ASoC: sunxi: fix a sound binding broken reference (git-fixes).
ASoC: tegra: Fix kcontrol put callback in ADMAIF (git-fixes).
ASoC: tegra: Fix kcontrol put callback in AHUB (git-fixes).
ASoC: tegra: Fix kcontrol put callback in DMIC (git-fixes).
ASoC: tegra: Fix kcontrol put callback in DSPK (git-fixes).
ASoC: tegra: Fix kcontrol put callback in I2S (git-fixes).
ASoC: tegra: Fix wrong value type in ADMAIF (git-fixes).
ASoC: tegra: Fix wrong value type in DMIC (git-fixes).
ASoC: tegra: Fix wrong value type in DSPK (git-fixes).
ASoC: tegra: Fix wrong value type in I2S (git-fixes).
ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA (git-fixes).
Add cherry-picked IDs for qemu fw_cfg patches
Bluetooth: L2CAP: Fix using wrong mode (git-fixes).
Bluetooth: bfusb: fix division by zero in send path (git-fixes).
Bluetooth: btmtksdio: fix resume failure (git-fixes).
Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() (git-fixes).
Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails (git-fixes).
Bluetooth: hci_bcm: Check for error irq (git-fixes).
Bluetooth: hci_qca: Stop IBS timer during BT OFF (git-fixes).
Bluetooth: stop proccessing malicious adv data (git-fixes).
Documentation: ACPI: Fix data node reference documentation (git-fixes).
Documentation: dmaengine: Correctly describe dmatest with channel unset (git-fixes).
Documentation: refer to config RANDOMIZE_BASE for kernel address-space randomization (git-fixes).
HID: add USB_HID dependancy to hid-chicony (git-fixes).
HID: add USB_HID dependancy to hid-prodikeys (git-fixes).
HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option (git-fixes).
HID: bigbenff: prevent null pointer dereference (git-fixes).
HID: google: add eel USB id (git-fixes).
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_frame_init_v1_buttonpad (git-fixes).
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_get_str_desc (git-fixes).
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_huion_init (git-fixes).
HID: hid-uclogic-params: Invalid parameter check in uclogic_params_init (git-fixes).
HID: quirks: Add quirk for the Microsoft Surface 3 type-cover (git-fixes).
Input: appletouch - initialize work before device registration (git-fixes).
Input: atmel_mxt_ts - fix double free in mxt_read_info_block (git-fixes).
Input: elantech - fix stack out of bound access in elantech_change_report_id() (git-fixes).
Input: i8042 - add deferred probe support (bsc#1190256).
Input: i8042 - enable deferred probe quirk for ASUS UM325UA (bsc#1190256).
Input: max8925_onkey - do not mark comment as kernel-doc (git-fixes).
Input: spaceball - fix parsing of movement data packets (git-fixes).
Input: ti_am335x_tsc - fix STEPCONFIG setup for Z2 (git-fixes).
Input: ti_am335x_tsc - set ADCREFM for X configuration (git-fixes).
Move upstreamed patches into sorted section
NFC: st21nfca: Fix memory leak in device probe and remove (git-fixes).
NFSD: Fix zero-length NFSv3 WRITEs (git-fixes).
NFSv42: Do not fail clone() unless the OP_CLONE operation failed (git-fixes).
NFSv42: Fix pagecache invalidation after COPY/CLONE (git-fixes).
PCI/ACPI: Fix acpi_pci_osc_control_set() kernel-doc comment (git-fixes).
PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error (git-fixes).
PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity() (git-fixes).
PCI/MSI: Mask MSI-X vectors only on success (git-fixes).
PCI: cadence: Add cdns_plat_pcie_probe() missing return (git-fixes).
PCI: dwc: Do not remap invalid res (git-fixes).
PCI: mvebu: Check for errors from pci_bridge_emul_init() call (git-fixes).
PCI: mvebu: Do not modify PCI IO type bits in conf_write (git-fixes).
PCI: mvebu: Fix support for DEVCAP2, DEVCTL2 and LNKCTL2 registers on emulated bridge (git-fixes).
PCI: mvebu: Fix support for PCI_EXP_DEVCTL on emulated bridge (git-fixes).
PCI: mvebu: Fix support for PCI_EXP_RTSTA on emulated bridge (git-fixes).
PCI: pci-bridge-emul: Properly mark reserved PCIe bits in PCI config space (git-fixes).
PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device (git-fixes).
PCI: pciehp: Fix infinite loop in IRQ handler upon power fault (git-fixes).
PCI: xgene: Fix IB window setup (git-fixes).
PM: runtime: Defer suspending suppliers (git-fixes).
PM: sleep: Do not assume that 'mem' is always present (git-fixes).
RDMA/hns: Replace kfree() with kvfree() (jsc#SLE-14777).
Revert 'PM: sleep: Do not assume that 'mem' is always present' (git-fixes).
Revert 'USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set' (git-fixes).
Revert 'net/mlx5: Add retry mechanism to the command entry index allocation' (jsc#SLE-15172).
USB: Fix 'slab-out-of-bounds Write' bug in usb_hcd_poll_rh_status (git-fixes).
USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub (git-fixes).
USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) (git-fixes).
USB: cdc-acm: fix break reporting (git-fixes).
USB: cdc-acm: fix racy tty buffer accesses (git-fixes).
USB: chipidea: fix interrupt deadlock (git-fixes).
USB: core: Fix bug in resuming hub's handling of wakeup requests (git-fixes).
USB: gadget: bRequestType is a bitfield, not a enum (git-fixes).
USB: gadget: detect too-big endpoint 0 requests (git-fixes).
USB: gadget: zero allocate endpoint 0 buffers (git-fixes).
USB: serial: cp210x: fix CP2105 GPIO registration (git-fixes).
USB: serial: option: add Telit FN990 compositions (git-fixes).
Update patches.suse/tpm-fix-potential-NULL-pointer-access-in-tpm_del_cha.patch (git-fixes bsc#1193660 ltc#195634).
Updated mpi3mr entry in supported.conf (bsc#1194578 jsc#SLE-18120) Moving this driver into the 'supported' package.
amd/display: downgrade validation failure log level (git-fixes).
ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile (git-fixes).
atlantic: Fix buff_ring OOB in aq_ring_rx_clean (git-fixes).
ax25: NPD bug when detaching AX25 device (git-fixes).
backlight: qcom-wled: Fix off-by-one maximum with default num_strings (git-fixes).
backlight: qcom-wled: Override default length with qcom,enabled-strings (git-fixes).
backlight: qcom-wled: Pass number of elements to read to read_u32_array (git-fixes).
backlight: qcom-wled: Validate enabled string indices in DT (git-fixes).
batman-adv: mcast: do not send link-local multicast to mcast routers (git-fixes).
blk-cgroup: synchronize blkg creation against policy deactivation (bsc#1194584).
block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg() (git-fixes).
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) (bsc#1194586).
can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data (git-fixes).
can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved} (git-fixes).
can: kvaser_usb: get CAN clock frequency from device (git-fixes).
can: sja1000: fix use after free in ems_pcmcia_add_card() (git-fixes).
can: softing: softing_startstop(): fix set but not used variable warning (git-fixes).
can: softing_cs: softingcs_probe(): fix memleak on registration failure (git-fixes).
can: usb_8dev: remove unused member echo_skb from struct usb_8dev_priv (git-fixes).
can: xilinx_can: xcan_probe(): check for error irq (git-fixes).
char/mwave: Adjust io port register size (git-fixes).
clk: Do not parent clks until the parent is fully registered (git-fixes).
clk: Gemini: fix struct name in kernel-doc (git-fixes).
clk: bcm-2835: Pick the closest clock rate (git-fixes).
clk: bcm-2835: Remove rounding up the dividers (git-fixes).
clk: imx8mn: Fix imx8mn_clko1_sels (git-fixes).
clk: imx: pllv1: fix kernel-doc notation for struct clk_pllv1 (git-fixes).
clk: qcom: gcc-msm8996: Drop (again) gcc_aggre1_pnoc_ahb_clk (git-fixes).
clk: qcom: regmap-mux: fix parent clock lookup (git-fixes).
clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after system enter shell (git-fixes).
crypto: caam - replace this_cpu_ptr with raw_cpu_ptr (git-fixes).
crypto: mxs-dcp - Use sg_mapping_iter to copy data (git-fixes).
crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() (git-fixes).
crypto: qat - do not ignore errors from enable_vf2pf_comms() (git-fixes).
crypto: qat - fix reuse of completion variable (git-fixes).
crypto: qat - handle both source of interrupt in VF ISR (git-fixes).
crypto: qce - fix uaf on qce_ahash_register_one (git-fixes).
crypto: stm32/crc32 - Fix kernel BUG triggered in probe() (git-fixes).
crypto: stm32/cryp - fix double pm exit (git-fixes).
crypto: stm32/cryp - fix lrw chaining mode (git-fixes).
crypto: stm32/cryp - fix xts and race condition in crypto_engine requests (git-fixes).
debugfs: lockdown: Allow reading debugfs files that are not world readable (bsc#1193328 ltc#195566).
device property: Fix documentation for FWNODE_GRAPH_DEVICE_DISABLED (git-fixes).
dm crypt: document encrypted keyring key option (git-fixes).
dm writecache: add 'cleaner' and 'max_age' to Documentation (git-fixes).
dm writecache: advance the number of arguments when reporting max_age (git-fixes).
dm writecache: fix performance degradation in ssd mode (git-fixes).
dm writecache: flush origin device when writing and cache is full (git-fixes).
dma_fence_array: Fix PENDING_ERROR leak in dma_fence_array_signaled() (git-fixes).
dmaengine: at_xdmac: Do not start transactions at tx_submit level (git-fixes).
dmaengine: at_xdmac: Fix at_xdmac_lld struct definition (git-fixes).
dmaengine: at_xdmac: Fix concurrency over xfers_list (git-fixes).
dmaengine: at_xdmac: Fix lld view setting (git-fixes).
dmaengine: at_xdmac: Print debug message after realeasing the lock (git-fixes).
dmaengine: bestcomm: fix system boot lockups (git-fixes).
dmaengine: idxd: add module parameter to force disable of SVA (bsc#1192931).
dmaengine: idxd: enable SVA feature for IOMMU (bsc#1192931).
dmaengine: pxa/mmp: stop referencing config->slave_id (git-fixes).
dmaengine: st_fdma: fix MODULE_ALIAS (git-fixes).
drm/amd/amdgpu: Increase HWIP_MAX_INSTANCE to 10 (git-fixes).
drm/amd/display: Fix for the no Audio bug with Tiled Displays (git-fixes).
drm/amd/display: Update bounding box states (v2) (git-fixes).
drm/amd/display: Update number of DCN3 clock states (git-fixes).
drm/amd/display: add connector type check for CRC source set (git-fixes).
drm/amd/display: dcn20_resource_construct reduce scope of FPU enabled (git-fixes).
drm/amd/display: fix incorrect CM/TF programming sequence in dwb (git-fixes).
drm/amd/display: fix missing writeback disablement if plane is removed (git-fixes).
drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() (git-fixes).
drm/amdgpu: Fix a printing message (git-fixes).
drm/amdgpu: Fix amdgpu_ras_eeprom_init() (git-fixes).
drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE (git-fixes).
drm/amdgpu: revert 'Add autodump debugfs node for gpu reset v8' (git-fixes).
drm/amdkfd: Account for SH/SE count when setting up cu masks (git-fixes).
drm/amdkfd: Check for null pointer after calling kmemdup (git-fixes).
drm/ast: potential dereference of null pointer (git-fixes).
drm/atomic: Check new_crtc_state->active to determine if CRTC needs disable in self refresh mode (git-fixes).
drm/bridge: analogix_dp: Make PSR-exit block less (git-fixes).
drm/bridge: display-connector: fix an uninitialized pointer in probe() (git-fixes).
drm/bridge: nwl-dsi: Avoid potential multiplication overflow on 32-bit (git-fixes).
drm/bridge: ti-sn65dsi86: Set max register for regmap (git-fixes).
drm/display: fix possible null-pointer dereference in dcn10_set_clock() (git-fixes).
drm/exynos: Always initialize mapping in exynos_drm_register_dma() (git-fixes).
drm/i915/fb: Fix rounding error in subsampled plane size calculation (git-fixes).
drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk() (git-fixes).
drm/mediatek: Check plane visibility in atomic_update (git-fixes).
drm/msm/dpu: fix safe status debugfs file (git-fixes).
drm/msm/dsi: Fix DSI and DSI PHY regulator config from SDM660 (git-fixes).
drm/msm/dsi: set default num_data_lanes (git-fixes).
drm/msm/mdp5: fix cursor-related warnings (git-fixes).
drm/msm: mdp4: drop vblank get/put from prepare/complete_commit (git-fixes).
drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture() (git-fixes).
drm/panel: innolux-p079zca: Delete panel on attach() failure (git-fixes).
drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure (git-fixes).
drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() (git-fixes).
drm/rockchip: dsi: Disable PLL clock on bind error (git-fixes).
drm/rockchip: dsi: Fix unbalanced clock on probe error (git-fixes).
drm/rockchip: dsi: Hold pm-runtime across bind/unbind (git-fixes).
drm/rockchip: dsi: Reconfigure hardware on resume() (git-fixes).
drm/sun4i: dw-hdmi: Fix missing put_device() call in sun8i_hdmi_phy_get (git-fixes).
drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY (git-fixes).
drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence (git-fixes).
drm/tegra: vic: Fix DMA API misuse (git-fixes).
drm/vboxvideo: fix a NULL vs IS_ERR() check (git-fixes).
drm/vc4: hdmi: Make sure the controller is powered up during bind (git-fixes).
drm/vc4: hdmi: Set HD_CTL_WHOLSMP and HD_CTL_CHALIGN_SET (git-fixes).
drm/vc4: hdmi: Set a default HSM rate (git-fixes).
drm: fix null-ptr-deref in drm_dev_init_release() (git-fixes).
drm: xlnx: zynqmp: release reset to DP controller before accessing DP registers (git-fixes).
drm: xlnx: zynqmp_dpsub: Call pm_runtime_get_sync before setting pixel clock (git-fixes).
eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() (git-fixes).
eeprom: idt_89hpesx: Restore printing the unsupported fwnode name (git-fixes).
ext4: Avoid trim error on fs with small groups (bsc#1191271).
ext4: fix lazy initialization next schedule time computation in more granular unit (bsc#1194580).
fget: clarify and improve __fget_files() implementation (bsc#1193727).
firmware: Update Kconfig help text for Google firmware (git-fixes).
firmware: arm_scmi: pm: Propagate return value to caller (git-fixes).
firmware: arm_scpi: Fix string overflow in SCPI genpd driver (git-fixes).
firmware: qcom_scm: Fix error retval in __qcom_scm_is_call_available() (git-fixes).
firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries (git-fixes).
firmware: qemu_fw_cfg: fix kobject leak in probe error path (git-fixes).
firmware: qemu_fw_cfg: fix sysfs information leak (git-fixes).
firmware: raspberrypi: Fix a leak in 'rpi_firmware_get()' (git-fixes).
firmware: smccc: Fix check for ARCH_SOC_ID not implemented (git-fixes).
firmware: tegra: Fix error application of sizeof() to pointer (git-fixes).
firmware: tegra: Reduce stack usage (git-fixes).
firmware_loader: fix pre-allocated buf built-in firmware use (git-fixes).
floppy: Fix hang in watchdog when disk is ejected (git-fixes).
flow_offload: return EOPNOTSUPP for the unsupported mpls action type (bsc#1154353).
fuse: Pass correct lend value to filemap_write_and_wait_range() (bsc#1194953).
gpiolib: acpi: Make set-debounce-timeout failures non fatal (git-fixes).
gpu: host1x: Add back arm_iommu_detach_device() (git-fixes).
hwmon: (lm90) Add basic support for TI TMP461 (git-fixes).
hwmon: (lm90) Add max6654 support to lm90 driver (git-fixes).
hwmon: (lm90) Do not report 'busy' status bit as alarm (git-fixes).
hwmon: (lm90) Drop critical attribute support for MAX6654 (git-fixes).
hwmon: (lm90) Fix usage of CONFIG2 register in detect function (git-fixes).
hwmon: (lm90) Introduce flag indicating extended temperature support (git-fixes).
i2c: rk3x: Handle a spurious start completion interrupt flag (git-fixes).
i2c: validate user data in compat ioctl (git-fixes).
i3c: fix incorrect address slot lookup on 64-bit (git-fixes).
i3c: master: dw: check return of dw_i3c_master_get_free_pos() (git-fixes).
i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc (git-fixes).
i40e: Fix for displaying message regarding NVM version (git-fixes).
i40e: Fix incorrect netdev's real number of RX/TX queues (git-fixes).
i40e: Fix to not show opcode msg on unsuccessful VF MAC change (git-fixes).
i40e: fix use-after-free in i40e_sync_filters_subtask() (git-fixes).
iavf: Fix limit of total number of queues to active queues of VF (git-fixes).
iavf: restore MSI state on reset (git-fixes).
ieee802154: atusb: fix uninit value in atusb_set_extended_addr (git-fixes).
ieee802154: fix error return code in ieee802154_llsec_getparams() (git-fixes).
ieee802154: fix error return code in ieee802154_add_iface() (git-fixes).
ieee802154: hwsim: Fix memory leak in hwsim_add_one (git-fixes).
ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others (git-fixes).
ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() (git-fixes).
ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi (git-fixes).
igb: Fix removal of unicast MAC filters of VFs (git-fixes).
igbvf: fix double free in `igbvf_probe` (git-fixes).
igc: Fix typo in i225 LTR functions (jsc#SLE-13533).
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove (git-fixes).
iio: ad7768-1: Call iio_trigger_notify_done() on error (git-fixes).
iio: adc: axp20x_adc: fix charging current reporting on AXP22x (git-fixes).
iio: at91-sama5d2: Fix incorrect sign extension (git-fixes).
iio: dln2-adc: Fix lockdep complaint (git-fixes).
iio: dln2: Check return value of devm_iio_trigger_register() (git-fixes).
iio: itg3200: Call iio_trigger_notify_done() on error (git-fixes).
iio: kxsd9: Do not return error code in trigger handler (git-fixes).
iio: ltr501: Do not return error code in trigger handler (git-fixes).
iio: mma8452: Fix trigger reference couting (git-fixes).
iio: stk3310: Do not return error code in interrupt handler (git-fixes).
iio: trigger: Fix reference counting (git-fixes).
iio: trigger: stm32-timer: fix MODULE_ALIAS (git-fixes).
ionic: Initialize the 'lif->dbid_inuse' bitmap (bsc#1167773).
isofs: Fix out of bound access for corrupted isofs image (bsc#1194591).
iwlwifi: fw: correctly limit to monitor dump (git-fixes).
iwlwifi: mvm: Fix scan channel flags settings (git-fixes).
iwlwifi: mvm: Use div_s64 instead of do_div in iwl_mvm_ftm_rtt_smoothing() (git-fixes).
iwlwifi: mvm: avoid static queue number aliasing (git-fixes).
iwlwifi: mvm: disable RX-diversity in powersave (git-fixes).
iwlwifi: mvm: fix 32-bit build in FTM (git-fixes).
iwlwifi: mvm: fix access to BSS elements (git-fixes).
iwlwifi: mvm: test roc running status bits before removing the sta (git-fixes).
iwlwifi: pcie: free RBs during configure (git-fixes).
ixgbe: set X550 MDIO speed before talking to PHY (git-fixes).
kmod: make request_module() return an error when autoloading is disabled (git-fixes).
kobject: Restore old behaviour of kobject_del(NULL) (git-fixes).
kobject_uevent: remove warning in init_uevent_argv() (git-fixes).
kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
libata: add horkage for ASMedia 1092 (git-fixes).
libata: if T_LENGTH is zero, dma direction should be DMA_NONE (git-fixes).
livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
lockdown: Allow unprivileged users to see lockdown status (git-fixes).
mISDN: change function names to avoid conflicts (git-fixes).
mac80211: Fix monitor MTU limit so that A-MSDUs get through (git-fixes).
mac80211: agg-tx: do not schedule_and_wake_txq() under sta->lock (git-fixes).
mac80211: do not access the IV when it was stripped (git-fixes).
mac80211: fix lookup when adding AddBA extension element (git-fixes).
mac80211: fix regression in SSN handling of addba tx (git-fixes).
mac80211: initialize variable have_higher_than_11mbit (git-fixes).
mac80211: mark TX-during-stop for TX in in_reconfig (git-fixes).
mac80211: send ADDBA requests using the tid/queue of the aggregation session (git-fixes).
mac80211: track only QoS data frames for admission control (git-fixes).
mac80211: validate extended element ID is present (git-fixes).
mailbox: hi3660: convert struct comments to kernel-doc notation (git-fixes).
media: Revert 'media: uvcvideo: Set unique vdev name based in type' (bsc#1193255).
media: aspeed: Update signal status immediately to ensure sane hw state (git-fixes).
media: aspeed: fix mode-detect always time out at 2nd run (git-fixes).
media: cpia2: fix control-message timeouts (git-fixes).
media: dib0700: fix undefined behavior in tuner shutdown (git-fixes).
media: dib8000: Fix a memleak in dib8000_init() (git-fixes).
media: dmxdev: fix UAF when dvb_register_device() fails (git-fixes).
media: dw2102: Fix use after free (git-fixes).
media: em28xx: fix control-message timeouts (git-fixes).
media: em28xx: fix memory leak in em28xx_init_dev (git-fixes).
media: flexcop-usb: fix control-message timeouts (git-fixes).
media: hantro: Fix probe func error path (git-fixes).
media: i2c: imx274: fix trivial typo expsoure/exposure (git-fixes).
media: i2c: imx274: fix trivial typo obainted/obtained (git-fixes).
media: imx-pxp: Initialize the spinlock prior to using it (git-fixes).
media: mceusb: fix control-message timeouts (git-fixes).
media: msi001: fix possible null-ptr-deref in msi001_probe() (git-fixes).
media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released (git-fixes).
media: pvrusb2: fix control-message timeouts (git-fixes).
media: rcar-csi2: Correct the selection of hsfreqrange (git-fixes).
media: rcar-csi2: Optimize the selection PHTW register (git-fixes).
media: redrat3: fix control-message timeouts (git-fixes).
media: s2255: fix control-message timeouts (git-fixes).
media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() (git-fixes).
media: si2157: Fix 'warm' tuner state detection (git-fixes).
media: si470x-i2c: fix possible memory leak in si470x_i2c_probe() (git-fixes).
media: stk1160: fix control-message timeouts (git-fixes).
media: streamzap: remove unnecessary ir_raw_event_reset and handle (git-fixes).
media: uvcvideo: fix division by zero at stream start (git-fixes).
media: venus: core: Fix a resource leak in the error handling path of 'venus_probe()' (git-fixes).
memblock: ensure there is no overflow in memblock_overlaps_region() (git-fixes).
memory: emif: Remove bogus debugfs error handling (git-fixes).
mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe() (git-fixes).
misc: fastrpc: Add missing lock before accessing find_vma() (git-fixes).
misc: fastrpc: fix improper packet size calculation (git-fixes).
misc: lattice-ecp3-config: Fix task hung when firmware load failed (git-fixes).
mmc: meson-mx-sdio: add IRQ check (git-fixes).
mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit (git-fixes).
mmc: sdhci-esdhc-imx: disable CMDQ support (git-fixes).
mmc: sdhci-pci: Add PCI ID for Intel ADL (git-fixes).
mmc: sdhci-tegra: Fix switch to HS400ES mode (git-fixes).
move to 'mainline soon' section: - patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
moxart: fix potential use-after-free on remove path (bsc#1194516).
mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode (git-fixes).
mt76: mt7915: fix an off-by-one bound check (git-fixes).
mtd: rawnand: fsmc: Fix timing computation (git-fixes).
mtd: rawnand: fsmc: Take instruction delay into account (git-fixes).
mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip() (git-fixes).
mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() (git-fixes).
mwifiex: Fix possible ABBA deadlock (git-fixes).
mwifiex: Try waking the firmware until we get an interrupt (git-fixes).
net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources (jsc#SLE-8464).
net/mlx5: Set command entry semaphore up once got index free (jsc#SLE-15172).
net/mlx5e: Fix wrong features assignment in case of error (git-fixes).
net/mlx5e: Wrap the tx reporter dump callback to extract the sq (jsc#SLE-15172).
net/sched: fq_pie: prevent dismantle issue (jsc#SLE-15172).
net/sched: sch_ets: do not remove idle classes from the round-robin list (bsc#1176774).
net: create netdev->dev_addr assignment helpers (git-fixes).
net: ena: Fix error handling when calculating max IO queues number (bsc#1154492).
net: ena: Fix undefined state when tx request id is out of bounds (bsc#1154492).
net: ena: Fix wrong rx request id by resetting device (git-fixes).
net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg (jsc#SLE-14777).
net: usb: lan78xx: add Allied Telesis AT29M2-AF (git-fixes).
net: usb: pegasus: Do not drop long Ethernet frames (git-fixes).
netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone (bsc#1176447).
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done (git-fixes).
nfc: fix segfault in nfc_genl_dump_devices_done (git-fixes).
nfsd: Fix nsfd startup race (again) (git-fixes).
nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups (bsc#1176447).
nvme-tcp: block BH in sk state_change sk callback (git-fixes).
nvme-tcp: can't set sk_user_data without write_lock (git-fixes).
nvme-tcp: check sgl supported by target (git-fixes).
nvme-tcp: do not update queue count when failing to set io queues (git-fixes).
nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU (git-fixes).
nvme-tcp: fix crash triggered with a dataless request submission (git-fixes).
nvme-tcp: fix error codes in nvme_tcp_setup_ctrl() (git-fixes).
nvme-tcp: fix io_work priority inversion (git-fixes).
nvme-tcp: fix possible data corruption with bio merges (git-fixes).
nvme-tcp: fix possible req->offset corruption (git-fixes).
nvme-tcp: fix wrong setting of request iov_iter (git-fixes).
nvme-tcp: get rid of unused helper function (git-fixes).
nvme-tcp: pair send_mutex init with destroy (git-fixes).
nvme-tcp: pass multipage bvec to request iov_iter (git-fixes).
nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME (git-fixes).
pcmcia: fix setting of kthread task states (git-fixes).
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() (git-fixes).
pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() (git-fixes).
pcnet32: Use pci_resource_len to validate PCI resource (git-fixes).
pinctrl: mediatek: fix global-out-of-bounds issue (git-fixes).
pinctrl: qcom: spmi-gpio: correct parent irqspec translation (git-fixes).
pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines (git-fixes).
pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume() (git-fixes).
pipe: increase minimum default pipe size to 2 pages (bsc#1194587).
platform/x86: apple-gmux: use resource_size() with res (git-fixes).
platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep (git-fixes).
power: reset: ltc2952: Fix use of floating point literals (git-fixes).
power: supply: core: Break capacity loop (git-fixes).
power: supply: max17042_battery: Clear status bits in interrupt handler (git-fixes).
powerpc/64s: fix program check interrupt emergency stack path (bsc#1156395).
powerpc/fadump: Fix inaccurate CPU state info in vmcore generated with panic (bsc#1193901 ltc#194976).
powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC (bsc#1156395).
powerpc/perf: Fix data source encodings for L2.1 and L3.1 accesses (bsc#1065729).
powerpc/prom_init: Fix improper check of prom_getprop() (bsc#1065729).
powerpc/pseries/cpuhp: cache node corrections (bsc#1065729).
powerpc/pseries/cpuhp: delete add/remove_by_count code (bsc#1065729).
powerpc/pseries/mobility: ignore ibm, platform-facilities updates (bsc#1065729).
powerpc/traps: do not enable irqs in _exception (bsc#1065729).
powerpc/xive: Add missing null check after calling kmalloc (bsc#1177437 ltc#188522 jsc#SLE-13294 git-fixes).
powerpc: add interrupt_cond_local_irq_enable helper (bsc#1065729).
powerpc: handle kdump appropriately with crash_kexec_post_notifiers option (bsc#1193901 ltc#194976).
pwm: mxs: Do not modify HW state in .probe() after the PWM chip was registered (git-fixes).
pwm: tiecap: Drop .free() callback (git-fixes).
qlcnic: potential dereference null pointer of rx_queue->page_ring (git-fixes).
quota: check block number when reading the block in quota file (bsc#1194589).
quota: correct error number in free_dqentry() (bsc#1194590).
random: fix data race on crng init time (git-fixes).
random: fix data race on crng_node_pool (git-fixes).
regmap: Call regmap_debugfs_exit() prior to _init() (git-fixes).
rndis_host: support Hytera digital radios (git-fixes).
rpmsg: core: Clean up resources on announce_create failure (git-fixes).
rtl8xxxu: Fix the handling of TX A-MPDU aggregation (git-fixes).
rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled (git-fixes).
rtw88: use read_poll_timeout instead of fixed sleep (git-fixes).
rtw88: wow: build wow function only if CONFIG_PM is on (git-fixes).
rtw88: wow: fix size access error of probe request (git-fixes).
sata: nv: fix debug format string mismatch (git-fixes).
scsi: lpfc: Add additional debugfs support for CMF (bsc#1194266).
scsi: lpfc: Adjust CMF total bytes and rxmonitor (bsc#1194266).
scsi: lpfc: Cap CMF read bytes to MBPI (bsc#1194266).
scsi: lpfc: Change return code on I/Os received during link bounce (bsc#1194266).
scsi: lpfc: Fix NPIV port deletion crash (bsc#1194266).
scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV (bsc#1194266).
scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance (bsc#1194266).
scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup (bsc#1194266).
scsi: lpfc: Update lpfc version to 14.0.0.4 (bsc#1194266).
scsi: qla2xxx: Fix mailbox direction flags in qla2xxx_get_adapter_id() (git-fixes).
scsi: qla2xxx: Format log strings only if needed (git-fixes).
scsi: qla2xxx: edif: Fix EDIF bsg (git-fixes).
scsi: qla2xxx: edif: Fix app start delay (git-fixes).
scsi: qla2xxx: edif: Fix app start fail (git-fixes).
scsi: qla2xxx: edif: Fix off by one bug in qla_edif_app_getfcinfo() (git-fixes).
scsi: qla2xxx: edif: Flush stale events and msgs on session down (git-fixes).
scsi: qla2xxx: edif: Increase ELS payload (git-fixes).
select: Fix indefinitely sleeping task in poll_schedule_timeout() (bsc#1194027).
selftests: KVM: Explicitly use movq to read xmm registers (git-fixes).
selinux: fix potential memleak in selinux_add_opt() (git-fixes).
seq_buf: Fix overflow in seq_buf_putmem_hex() (git-fixes).
seq_buf: Make trace_seq_putmem_hex() support data longer than 8 (git-fixes).
serial: pl011: Add ACPI SBSA UART match id (git-fixes).
serial: tty: uartlite: fix console setup (git-fixes).
sfc: Check null pointer of rx_queue->page_ring (git-fixes).
sfc: The RX page_ring is optional (git-fixes).
sfc: falcon: Check null pointer of rx_queue->page_ring (git-fixes).
sfc_ef100: potential dereference of null pointer (jsc#SLE-16683).
shmem: shmem_writepage() split unlikely i915 THP (git-fixes).
slimbus: qcom: fix potential NULL dereference in qcom_slim_prg_slew() (git-fixes).
soc/tegra: fuse: Fix bitwise vs. logical OR warning (git-fixes).
soc: fsl: dpaa2-console: free buffer before returning from dpaa2_console_read (git-fixes).
soc: fsl: dpio: rename the enqueue descriptor variable (git-fixes).
soc: fsl: dpio: replace smp_processor_id with raw_smp_processor_id (git-fixes).
soc: fsl: dpio: use an explicit NULL instead of 0 (git-fixes).
soc: fsl: dpio: use the combined functions to protect critical zone (git-fixes).
spi: change clk_disable_unprepare to clk_unprepare (git-fixes).
spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe (git-fixes).
spi: spi-rspi: Drop redeclaring ret variable in qspi_transfer_in() (git-fixes).
staging: emxx_udc: Fix passing of NULL to dma_alloc_coherent() (git-fixes).
staging: fbtft: Do not spam logs when probe is deferred (git-fixes).
staging: fbtft: Rectify GPIO handling (git-fixes).
staging: fieldbus: anybuss: jump to correct label in an error path (git-fixes).
staging: ks7010: select CRYPTO_HASH/CRYPTO_MICHAEL_MIC (git-fixes).
staging: rtl8192e: return error code from rtllib_softmac_init() (git-fixes).
staging: rtl8192e: rtllib_module: fix error handle case in alloc_rtllib() (git-fixes).
staging: wlan-ng: Avoid bitwise vs logical OR warning in hfa384x_usb_throttlefn() (git-fixes).
string.h: fix incompatibility between FORTIFY_SOURCE and KASAN (git-fixes).
thermal/drivers/imx8mm: Enable ADC when enabling monitor (git-fixes).
thermal/drivers/int340x: Do not set a wrong tcc offset on resume (git-fixes).
thermal: core: Reset previous low and high trip during thermal zone init (git-fixes).
tpm: add request_locality before write TPM_INT_ENABLE (git-fixes).
tpm: fix potential NULL pointer access in tpm_del_char_device (git-fixes).
tracing/kprobes: 'nmissed' not showed correctly for kretprobe (git-fixes).
tracing/uprobes: Check the return value of kstrdup() for tu->filename (git-fixes).
tracing: Add test for user space strings when filtering on string pointers (git-fixes).
tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() (git-fixes).
tty: max310x: fix flexible_array.cocci warnings (git-fixes).
tty: serial: atmel: Call dma_async_issue_pending() (git-fixes).
tty: serial: atmel: Check return code of dmaengine_submit() (git-fixes).
tty: serial: earlycon dependency (git-fixes).
tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup (git-fixes).
tty: serial: uartlite: allow 64 bit address (git-fixes).
tty: synclink_gt: rename a conflicting function name (git-fixes).
udf: Fix crash after seekdir (bsc#1194592).
uio: uio_dmem_genirq: Catch the Exception (git-fixes).
usb: core: config: fix validation of wMaxPacketValue entries (git-fixes).
usb: core: config: using bit mask instead of individual bits (git-fixes).
usb: dwc2: check return value after calling platform_get_resource() (git-fixes).
usb: dwc3: gadget: Continue to process pending requests (git-fixes).
usb: dwc3: gadget: Ignore EP queue requests during bus reset (git-fixes).
usb: dwc3: gadget: Reclaim extra TRBs after request completion (git-fixes).
usb: dwc3: pci: Enable dis_uX_susphy_quirk for Intel Merrifield (git-fixes).
usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression (git-fixes).
usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one (git-fixes).
usb: dwc3: ulpi: fix checkpatch warning (git-fixes).
usb: ftdi-elan: fix memory leak on device disconnect (git-fixes).
usb: gadget: composite: Allow bMaxPower=0 if self-powered (git-fixes).
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear (git-fixes).
usb: gadget: u_ether: fix race in setting MAC address in setup phase (git-fixes).
usb: mtu3: add memory barrier before set GPD's HWO (git-fixes).
usb: mtu3: fix interval value for intr and isoc (git-fixes).
usb: mtu3: fix list_head check warning (git-fixes).
usb: mtu3: set interval of FS intr and isoc endpoint (git-fixes).
usb: typec: tcpm: handle SRC_STARTUP state if cc changes (git-fixes).
usb: xhci: Extend support for runtime power management for AMD's Yellow carp (git-fixes).
usermodehelper: reset umask to default before executing user process (git-fixes).
vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
video: backlight: Drop maximum brightness override for brightness zero (git-fixes).
watchdog: Fix OMAP watchdog early handling (git-fixes).
watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT (git-fixes).
wcn36xx: Fix missing frame timestamp for beacon/probe-resp (git-fixes).
wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND (git-fixes).
wcn36xx: Release DMA channel descriptor allocations (git-fixes).
wcn36xx: handle connection loss indication (git-fixes).
wireguard: allowedips: add missing __rcu annotation to satisfy sparse (git-fixes).
wireguard: device: reset peer src endpoint when netns exits (git-fixes).
wireguard: ratelimiter: use kvcalloc() instead of kvzalloc() (git-fixes).
wireguard: receive: drop handshakes if queue lock is contended (git-fixes).
wireguard: receive: use ring buffer for incoming handshakes (git-fixes).
wireguard: selftests: actually test for routing loops (git-fixes).
wireguard: selftests: increase default dmesg log size (git-fixes).
wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma (git-fixes).
x86/platform/uv: Add more to secondary CPU kdump info (bsc#1194493).
xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set (git-fixes).
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending (git-fixes).
xhci: avoid race between disable slot command and host runtime suspend (git-fixes).
xhci: fix unsafe memory usage in xhci tracing (git-fixes).

Advisory ID	SUSE-SU-2022:199-1
Released	Wed Jan 26 09:36:05 2022
Summary	Security update for MozillaThunderbird
Type	security
Severity	important
References	1194547,CVE-2021-4140,CVE-2022-22737,CVE-2022-22738,CVE-2022-22739,CVE-2022-22740,CVE-2022-22741,CVE-2022-22742,CVE-2022-22743,CVE-2022-22744,CVE-2022-22745,CVE-2022-22746,CVE-2022-22747,CVE-2022-22748,CVE-2022-22751

Description:

This update for MozillaThunderbird fixes the following issues:

CVE-2021-4140: Fixed Iframe sandbox bypass with XSLT (bsc#1194547).
CVE-2022-22737: Fixed race condition when playing audio files (bsc#1194547).
CVE-2022-22738: Fixed heap-buffer-overflow in blendGaussianBlur (bsc#1194547).
CVE-2022-22739: Fixed missing throttling on external protocol launch dialog (bsc#1194547).
CVE-2022-22740: Fixed use-after-free of ChannelEventQueue::mOwner (bsc#1194547).
CVE-2022-22741: Fixed browser window spoof using fullscreen mode (bsc#1194547).
CVE-2022-22742: Fixed out-of-bounds memory access when inserting text in edit mode (bsc#1194547).
CVE-2022-22743: Fixed browser window spoof using fullscreen mode (bsc#1194547).
CVE-2022-22744: Fixed possible command injection via the 'Copy as curl' feature in DevTools (bsc#1194547).
CVE-2022-22745: Fixed leaking cross-origin URLs through securitypolicyviolation event (bsc#1194547).
CVE-2022-22746: Fixed calling into reportValidity could have lead to fullscreen window spoof (bsc#1194547).
CVE-2022-22747: Fixed crash when handling empty pkcs7 sequence(bsc#1194547).
CVE-2022-22748: Fixed spoofed origin on external protocol launch dialog (bsc#1194547).
CVE-2022-22751: Fixed memory safety bugs (bsc#1194547).

Advisory ID	SUSE-RU-2022:203-1
Released	Wed Jan 26 14:13:45 2022
Summary	Recommended update for cloud-init
Type	recommended
Severity	important
References	1186004

Description:

This update for cloud-init fixes the following issues:

Update to version 21.2 (bsc#1186004) + Add \r\n check for SSH keys in Azure (#889) + Revert 'Add support to resize rootfs if using LVM (#721)' (#887) (LP: #1922742) + Add Vultaire as contributor (#881) [Paul Goins] + Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo] + test_upgrade: modify test_upgrade_package to run for more sources (#883) + Fix chef module run failure when chef_license is set (#868) [Ben Hughes] + Azure: Retry net metadata during nic attach for non-timeout errs (#878) [aswinrajamannar] + Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer] + Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo] + Use `partprobe` to re-read partition table if available (#856) [Nicolas Bock] (LP: #1920939) + fix error on upgrade caused by new vendordata2 attributes (#869) (LP: #1922739) + add prefer_fqdn_over_hostname config option (#859) [hamalq] (LP: #1921004) + Emit dots on travis to avoid timeout (#867) + doc: Replace remaining references to user-scripts as a config module (#866) [Ryan Harper] + azure: Removing ability to invoke walinuxagent (#799) [Anh Vo] + Add Vultr support (#827) [David Dymko] + Fix unpickle for source paths missing run_dir (#863) [lucasmoura] (LP: #1899299) + sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann] + bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov] + add hamalq user (#860) [hamalq] + Add support to resize rootfs if using LVM (#721) [Eduardo Otubo] (LP: #1799953) + Fix mis-detecting network configuration in initramfs cmdline (#844) (LP: #1919188) + tools/write-ssh-key-fingerprints: do not display empty header/footer (#817) [dermotbradley] + Azure helper: Ensure Azure http handler sleeps between retries (#842) [Johnson Shi] + Fix chef apt source example (#826) [timothegenzmer] + .travis.yml: generate an SSH key before running tests (#848) + write passwords only to serial console, lock down cloud-init-output.log (#847) (LP: #1918303) + Fix apt default integration test (#845) + integration_tests: bump pycloudlib dependency (#846) + Fix stack trace if vendordata_raw contained an array (#837) [eb3095] + archlinux: Fix broken locale logic (#841) [Kristian Klausen] (LP: #1402406) + Integration test for #783 (#832) + integration_tests: mount more paths IN_PLACE (#838) + Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875) + Remove the vi comment from the part-handler example (#835) + net: exclude OVS internal interfaces in get_interfaces (#829) (LP: #1912844) + tox.ini: pass OS_* environment variables to integration tests (#830) + integration_tests: add OpenStack as a platform (#804) + Add flexibility to IMDS api-version (#793) [Thomas Stringer] + Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini] (LP: #1916629) + doc: remove duplicate 'it' from nocloud.rst (#825) [V.I. Wood] + archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen] + cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley] + Update cc_set_hostname documentation (#818) [Toshi Aoyama]

From 21.1 + Azure: Support for VMs without ephemeral resource disks. (#800) [Johnson Shi] (LP: #1901011) + cc_keys_to_console: add option to disable key emission (#811) [Michael Hudson-Doyle] (LP: #1915460) + integration_tests: introduce lxd_use_exec mark (#802) + azure: case-insensitive UUID to avoid new IID during kernel upgrade (#798) (LP: #1835584) + stale.yml: don't ask submitters to reopen PRs (#816) + integration_tests: fix use of SSH agent within tox (#815) + integration_tests: add UPGRADE CloudInitSource (#812) + integration_tests: use unique MAC addresses for tests (#813) + Update .gitignore (#814) + Port apt cloud_tests to integration tests (#808) + integration_tests: fix test_gh626 on LXD VMs (#809) + Fix attempting to decode binary data in test_seed_random_data test (#806) + Remove wait argument from tests with session_cloud calls (#805) + Datasource for UpCloud (#743) [Antti Myyrä] + test_gh668: fix failure on LXD VMs (#801) + openstack: read the dynamic metadata group vendor_data2.json (#777) [Andrew Bogott] (LP: #1841104) + includedir in suoders can be prefixed by 'arroba' (#783) [Jordi Massaguer Pla] + [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware] + Revert integration test associated with reverted #586 (#784) + Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla] + Add Rick Harding to CLA signers (#792) [Rick Harding] + HACKING.rst: add clarifying note to LP CLA process section (#789) + Stop linting cloud_tests (#791) + cloud-tests: update cryptography requirement (#790) [Joshua Powers] + Remove 'remove-raise-on-failure' calls from integration_tests (#788) + Use more cloud defaults in integration tests (#757) + Adding self to cla signers (#776) [Andrew Bogott] + doc: avoid two warnings (#781) [Dan Kenigsberg] + Use proper spelling for Red Hat (#778) [Dan Kenigsberg] + Add antonyc to .github-cla-signers (#747) [Anton Chaporgin] + integration_tests: log image serial if available (#772) + [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware] + net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin] + .travis.yml: don't run cloud_tests in CI (#756) + test_upgrade: add some missing commas (#769) + cc_seed_random: update documentation and fix integration test (#771) (LP: #1911227) + Fix test gh-632 test to only run on NoCloud (#770) (LP: #1911230) + archlinux: fix package upgrade command handling (#768) [Bao Trinh] + integration_tests: add integration test for LP: #1910835 (#761) + Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer] + integration_tests: log cloud-init version in SUT (#758) + Add ajmyyra as contributor (#742) [Antti Myyrä] + net_convert: add some missing help text (#755) + Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL (#753) [Eduardo Otubo] + doc: document missing IPv6 subnet types (#744) [Antti Myyrä] + Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong] + integration_tests: add SSH key selection settings (#754) + fix a typo in man page cloud-init.1 (#752) [Amy Chen] + network-config-format-v2.rst: add Netplan Passthrough section (#750) + stale: re-enable post holidays (#749) + integration_tests: port ca_certs tests from cloud_tests (#732) + Azure: Add telemetry for poll IMDS (#741) [Johnson Shi] + doc: move testing section from HACKING to its own doc (#739) + No longer allow integration test failures on travis (#738) + stale: fix error in definition (#740) + integration_tests: set log-cli-level to INFO by default (#737) + PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736) + stale: disable check for holiday break (#735) + integration_tests: log the path we collect logs into (#733) + .travis.yml: add (most) supported Python versions to CI (#734) + integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731) + cc_ca_certs: add RHEL support (#633) [cawamata] + Azure: only generate config for NICs with addresses (#709) [Thomas Stringer] + doc: fix CloudStack configuration example (#707) [Olivier Lemasle] + integration_tests: restrict test_lxd_bridge appropriately (#730) + Add integration tests for CLI functionality (#729) + Integration test for gh-626 (#728) + Some test_upgrade fixes (#726) + Ensure overriding test vars with env vars works for booleans (#727) + integration_tests: port lxd_bridge test from cloud_tests (#718) + Integration test for gh-632. (#725) + Integration test for gh-671 (#724) + integration-requirements.txt: bump pycloudlib commit (#723) + Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo] + Integration test for LP: #1813396 and #669 (#719) + integration_tests: include timestamp in log output (#720) + integration_tests: add test for LP: #1898997 (#713) + Add integration test for power_state_change module (#717) + Update documentation for network-config-format-v2 (#701) [ggiesen] + sandbox CA Cert tests to not require ca-certificates (#715) [Eduardo Otubo] + Add upgrade integration test (#693) + Integration test for 570 (#712) + Add ability to keep snapshotted images in integration tests (#711) + Integration test for pull #586 (#706) + integration_tests: introduce skipping of tests by OS (#702) + integration_tests: introduce IntegrationInstance.restart (#708) + Add lxd-vm to list of valid integration test platforms (#705) + Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL (#685) [Eduardo Otubo] + Delete image snapshots created for integration tests (#682) + Parametrize ssh_keys_provided integration test (#700) [lucasmoura] + Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura] + cc_apt_configure: add riscv64 as a ports arch (#687) [Dimitri John Ledkov] + cla: add xnox (#692) [Dimitri John Ledkov] + Collect logs from integration test runs (#675) From 20.4.1 + Revert 'ssh_util: handle non-default AuthorizedKeysFile config (#586)' From 20.4 + tox: avoid tox testenv subsvars for xenial support (#684) + Ensure proper root permissions in integration tests (#664) [James Falcon] + LXD VM support in integration tests (#678) [James Falcon] + Integration test for fallocate falling back to dd (#681) [James Falcon] + .travis.yml: correctly integration test the built .deb (#683) + Ability to hot-attach NICs to preprovisioned VMs before reprovisioning (#613) [aswinrajamannar] + Support configuring SSH host certificates. (#660) [Jonathan Lung] + add integration test for LP: #1900837 (#679) + cc_resizefs on FreeBSD: Fix _can_skip_ufs_resize (#655) [Mina Galić] (LP: #1901958, #1901958) + DataSourceAzure: push dmesg log to KVP (#670) [Anh Vo] + Make mount in place for tests work (#667) [James Falcon] + integration_tests: restore emission of settings to log (#657) + DataSourceAzure: update password for defuser if exists (#671) [Anh Vo] + tox.ini: only select 'ci' marked tests for CI runs (#677) + Azure helper: Increase Azure Endpoint HTTP retries (#619) [Johnson Shi] + DataSourceAzure: send failure signal on Azure datasource failure (#594) [Johnson Shi] + test_persistence: simplify VersionIsPoppedFromState (#674) + only run a subset of integration tests in CI (#672) + cli: add + -system param to allow validating system user-data on a machine (#575) + test_persistence: add VersionIsPoppedFromState test (#673) + introduce an upgrade framework and related testing (#659) + add + -no-tty option to gpg (#669) [Till Riedel] (LP: #1813396) + Pin pycloudlib to a working commit (#666) [James Falcon] + DataSourceOpenNebula: exclude SRANDOM from context output (#665) + cloud_tests: add hirsute release definition (#662) + split integration and cloud_tests requirements (#652) + faq.rst: add warning to answer that suggests running `clean` (#661) + Fix stacktrace in DataSourceRbxCloud if no metadata disk is found (#632) [Scott Moser] + Make wakeonlan Network Config v2 setting actually work (#626) [dermotbradley] + HACKING.md: unify network-refactoring namespace (#658) [Mina Galić] + replace usage of dmidecode with kenv on FreeBSD (#621) [Mina Galić] + Prevent timeout on travis integration tests. (#651) [James Falcon] + azure: enable pushing the log to KVP from the last pushed byte (#614) [Moustafa Moustafa] + Fix launch_kwargs bug in integration tests (#654) [James Falcon] + split read_fs_info into linux & freebsd parts (#625) [Mina Galić] + PULL_REQUEST_TEMPLATE.md: expand commit message section (#642) + Make some language improvements in growpart documentation (#649) [Shane Frasier] + Revert '.travis.yml: use a known-working version of lxd (#643)' (#650) + Fix not sourcing default 50-cloud-init ENI file on Debian (#598) [WebSpider] + remove unnecessary reboot from gpart resize (#646) [Mina Galić] + cloudinit: move dmi functions out of util (#622) [Scott Moser] + integration_tests: various launch improvements (#638) + test_lp1886531: don't assume /etc/fstab exists (#639) + Remove Ubuntu restriction from PR template (#648) [James Falcon] + util: fix mounting of vfat on *BSD (#637) [Mina Galić] + conftest: improve docstring for disable_subp_usage (#644) + doc: add example query commands to debug Jinja templates (#645) + Correct documentation and testcase data for some user-data YAML (#618) [dermotbradley] + Hetzner: Fix instance_id / SMBIOS serial comparison (#640) [Markus Schade] + .travis.yml: use a known-working version of lxd (#643) + tools/build-on-freebsd: fix comment explaining purpose of the script (#635) [Mina Galić] + Hetzner: initialize instance_id from system-serial-number (#630) [Markus Schade] (LP: #1885527) + Explicit set IPV6_AUTOCONF and IPV6_FORCE_ACCEPT_RA on static6 (#634) [Eduardo Otubo] + get_interfaces: don't exclude Open vSwitch bridge/bond members (#608) [Lukas Märdian] (LP: #1898997) + Add config modules for controlling IBM PowerVM RMC. (#584) [Aman306] (LP: #1895979) + Update network config docs to clarify MAC address quoting (#623) [dermotbradley] + gentoo: fix hostname rendering when value has a comment (#611) [Manuel Aguilera] + refactor integration testing infrastructure (#610) [James Falcon] + stages: don't reset permissions of cloud-init.log every boot (#624) (LP: #1900837) + docs: Add how to use cloud-localds to boot qemu (#617) [Joshua Powers] + Drop vestigial update_resolve_conf_file function (#620) [Scott Moser] + cc_mounts: correctly fallback to dd if fallocate fails (#585) (LP: #1897099) + .travis.yml: add integration-tests to Travis matrix (#600) + ssh_util: handle non-default AuthorizedKeysFile config (#586) [Eduardo Otubo] + Multiple file fix for AuthorizedKeysFile config (#60) [Eduardo Otubo] + bddeb: new + -packaging-branch argument to pull packaging from branch (#576) [Paride Legovini] + Add more integration tests (#615) [lucasmoura] + DataSourceAzure: write marker file after report ready in preprovisioning (#590) [Johnson Shi] + integration_tests: emit settings to log during setup (#601) + integration_tests: implement citest tests run in Travis (#605) + Add Azure support to integration test framework (#604) [James Falcon] + openstack: consider product_name as valid chassis tag (#580) [Adrian Vladu] (LP: #1895976) + azure: clean up and refactor report_diagnostic_event (#563) [Johnson Shi] + net: add the ability to blacklist network interfaces based on driver during enumeration of physical network devices (#591) [Anh Vo] + integration_tests: don't error on cloud-init failure (#596) + integration_tests: improve cloud-init.log assertions (#593) + conftest.py: remove top-level import of httpretty (#599) + tox.ini: add integration-tests testenv definition (#595) + PULL_REQUEST_TEMPLATE.md: empty checkboxes need a space (#597) + add integration test for LP: #1886531 (#592) + Initial implementation of integration testing infrastructure (#581) [James Falcon] + Fix name of ntp and chrony service on CentOS and RHEL. (#589) [Scott Moser] (LP: #1897915) + Adding a PR template (#587) [James Falcon] + Azure parse_network_config uses fallback cfg when generate IMDS network cfg fails (#549) [Johnson Shi] + features: refresh docs for easier out-of-context reading (#582) + Fix typo in resolv_conf module's description (#578) [Wacław Schiller] + cc_users_groups: minor doc formatting fix (#577) + Fix typo in disk_setup module's description (#579) [Wacław Schiller] + Add vendor-data support to seedfrom parameter for NoCloud and OVF (#570) [Johann Queuniet] + boot.rst: add First Boot Determination section (#568) (LP: #1888858) + opennebula.rst: minor readability improvements (#573) [Mina Galić] + cloudinit: remove unused LOG variables (#574) + create a shutdown_command method in distro classes (#567) [Emmanuel Thomé] + user_data: remove unused constant (#566) + network: Fix type and respect name when rendering vlan in sysconfig. (#541) [Eduardo Otubo] (LP: #1788915, #1826608) + Retrieve SSH keys from IMDS first with OVF as a fallback (#509) [Thomas Stringer] + Add jqueuniet as contributor (#569) [Johann Queuniet] + distros: minor typo fix (#562) + Bump the integration-requirements versioned dependencies (#565) [Paride Legovini] + network-config-format-v1: fix typo in nameserver example (#564) [Stanislas] + Run cloud-init-local.service after the hv_kvp_daemon (#505) [Robert Schweikert] + Add method type hints for Azure helper (#540) [Johnson Shi] + systemd: add Before=shutdown.target when Conflicts=shutdown.target is used (#546) [Paride Legovini] + LXD: detach network from profile before deleting it (#542) [Paride Legovini] (LP: #1776958) + redhat spec: add missing BuildRequires (#552) [Paride Legovini] + util: remove debug statement (#556) [Joshua Powers] + Fix cloud config on chef example (#551) [lucasmoura] From 20.3 + Azure: Add netplan driver filter when using hv_netvsc driver (#539) [James Falcon] (LP: #1830740) + query: do not handle non-decodable non-gzipped content (#543) + DHCP sandboxing failing on noexec mounted /var/tmp (#521) [Eduardo Otubo] + Update the list of valid ssh keys. (#487) [Ole-Martin Bratteng] (LP: #1877869) + cmd: cloud-init query to handle compressed userdata (#516) (LP: #1889938) + Pushing cloud-init log to the KVP (#529) [Moustafa Moustafa] + Add Alpine Linux support. (#535) [dermotbradley] + Detect kernel version before swap file creation (#428) [Eduardo Otubo] + cli: add devel make-mime subcommand (#518) + user-data: only verify mime-types for TYPE_NEEDED and x-shellscript (#511) (LP: #1888822) + DataSourceOracle: retry twice (and document why we retry at all) (#536) + Refactor Azure report ready code (#468) [Johnson Shi] + tox.ini: pin correct version of httpretty in xenial{,-dev} envs (#531) + Support Oracle IMDSv2 API (#528) [James Falcon] + .travis.yml: run a doc build during CI (#534) + doc/rtd/topics/datasources/ovf.rst: fix doc8 errors (#533) + Fix 'Users and Groups' configuration documentation (#530) [sshedi] + cloudinit.distros: update docstrings of add_user and create_user (#527) + Fix headers for device types in network v2 docs (#532) [Caleb Xavier Berger] + Add AlexBaranowski as contributor (#508) [Aleksander Baranowski] + DataSourceOracle: refactor to use only OPC v1 endpoint (#493) + .github/workflows/stale.yml: s/Josh/Rick/ (#526) + Fix a typo in apt pipelining module (#525) [Xiao Liang] + test_util: parametrize devlist tests (#523) [James Falcon] + Recognize LABEL_FATBOOT labels (#513) [James Falcon] (LP: #1841466) + Handle additional identifier for SLES For HPC (#520) [Robert Schweikert] + Revert 'test-requirements.txt: pin pytest to <6 (#512)' (#515) + test-requirements.txt: pin pytest to <6 (#512) + Add 'tsanghan' as contributor (#504) [tsanghan] + fix brpm building (LP: #1886107) + Adding eandersson as a contributor (#502) [Erik Olof Gunnar Andersson] + azure: disable bouncing hostname when setting hostname fails (#494) [Anh Vo] + VMware: Support parsing DEFAULT-RUN-POST-CUST-SCRIPT (#441) [xiaofengw-vmware] + DataSourceAzure: Use ValueError when JSONDecodeError is not available (#490) [Anh Vo] + cc_ca_certs.py: fix blank line problem when removing CAs and adding new one (#483) [dermotbradley] + freebsd: py37-serial is now py37-pyserial (#492) [Gonéri Le Bouder] + ssh exit with non-zero status on disabled user (#472) [Eduardo Otubo] (LP: #1170059) + cloudinit: remove global disable of pylint W0107 and fix errors (#489) + networking: refactor wait_for_physdevs from cloudinit.net (#466) (LP: #1884626) + HACKING.rst: add pytest.param pytest gotcha (#481) + cloudinit: remove global disable of pylint W0105 and fix errors (#480) + Fix two minor warnings (#475) + test_data: fix faulty patch (#476) + cc_mounts: handle missing fstab (#484) (LP: #1886531) + LXD cloud_tests: support more lxd image formats (#482) [Paride Legovini] + Add update_etc_hosts as default module on *BSD (#479) [Adam Dobrawy] + cloudinit: fix tip-pylint failures and bump pinned pylint version (#478) + Added BirknerAlex as contributor and sorted the file (#477) [Alexander Birkner] + Update list of types of modules in cli.rst [saurabhvartak1982] + tests: use markers to configure disable_subp_usage (#473) + Add mention of vendor-data to no-cloud format documentation (#470) [Landon Kirk] + Fix broken link to OpenStack metadata service docs (#467) [Matt Riedemann] + Disable ec2 mirror for non aws instances (#390) [lucasmoura] (LP: #1456277) + cloud_tests: don't pass + -python-version to read-dependencies (#465) + networking: refactor is_physical from cloudinit.net (#457) (LP: #1884619) + Enable use of the caplog fixture in pytest tests, and add a cc_final_message test using it (#461) + RbxCloud: Add support for FreeBSD (#464) [Adam Dobrawy] + Add schema for cc_chef module (#375) [lucasmoura] (LP: #1858888) + test_util: add (partial) testing for util.mount_cb (#463) + .travis.yml: revert to installing ubuntu-dev-tools (#460) + HACKING.rst: add details of net refactor tracking (#456) + .travis.yml: rationalise installation of dependencies in host (#449) + Add dermotbradley as contributor. (#458) [dermotbradley] + net/networking: remove unused functions/methods (#453) + distros.networking: initial implementation of layout (#391) + cloud-init.service.tmpl: use 'rhel' instead of 'redhat' (#452) + Change from redhat to rhel in systemd generator tmpl (#450) [Eduardo Otubo] + Hetzner: support reading user-data that is base64 encoded. (#448) [Scott Moser] (LP: #1884071) + HACKING.rst: add strpath gotcha to testing gotchas section (#446) + cc_final_message: don't create directories when writing boot-finished (#445) (LP: #1883903) + .travis.yml: only store new schroot if something has changed (#440) + util: add ensure_dir_exists parameter to write_file (#443) + printing the error stream of the dhclient process before killing it (#369) [Moustafa Moustafa] + Fix link to the MAAS documentation (#442) [Paride Legovini] (LP: #1883666) + RPM build: disable the dynamic mirror URLs when using a proxy (#437) [Paride Legovini] + util: rename write_file's copy_mode parameter to preserve_mode (#439) + .travis.yml: use $TRAVIS_BUILD_DIR for lxd_image caching (#438) + cli.rst: alphabetise devel subcommands and add net-convert to list (#430) + Default to UTF-8 in /var/log/cloud-init.log (#427) [James Falcon] + travis: cache the chroot we use for package builds (#429) + test: fix all flake8 E126 errors (#425) [Joshua Powers] + Fixes KeyError for bridge with no 'parameters:' setting (#423) [Brian Candler] (LP: #1879673) + When tools.conf does not exist, running cmd 'vmware-toolbox-cmd config get deployPkg enable-custom-scripts', the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. (#413) [chengcheng-chcheng] + Document CloudStack data-server well-known hostname (#399) [Gregor Riepl] + test: move conftest.py to top-level, to cover tests/ also (#414) + Replace cc_chef is_installed with use of subp.is_exe. (#421) [Scott Moser] + Move runparts to subp. (#420) [Scott Moser] + Move subp into its own module. (#416) [Scott Moser] + readme: point at travis-ci.com (#417) [Joshua Powers] + New feature flag functionality and fix includes failing silently (#367) [James Falcon] (LP: #1734939) + Enhance poll imds logging (#365) [Moustafa Moustafa] + test: fix all flake8 E121 and E123 errors (#404) [Joshua Powers] + test: fix all flake8 E241 (#403) [Joshua Powers] + test: ignore flake8 E402 errors in main.py (#402) [Joshua Powers] + cc_grub_dpkg: determine idevs in more robust manner with grub-probe (#358) [Matthew Ruffell] (LP: #1877491) + test: fix all flake8 E741 errors (#401) [Joshua Powers] + tests: add groovy integration tests for ubuntu (#400) + Enable chef_license support for chef infra client (#389) [Bipin Bachhao] + testing: use flake8 again (#392) [Joshua Powers] + enable Puppet, Chef mcollective in default config (#385) [Mina Galić (deprecated: Igor Galić)] (LP: #1880279) + HACKING.rst: introduce .net + > Networking refactor section (#384) + Travis: do not install python3-contextlib2 (dropped dependency) (#388) [Paride Legovini] + HACKING: mention that .github-cla-signers is alpha-sorted (#380) + Add bipinbachhao as contributor (#379) [Bipin Bachhao] + cc_snap: validate that assertions property values are strings (#370) + conftest: implement partial disable_subp_usage (#371) + test_resolv_conf: refresh stale comment (#374) + cc_snap: apply validation to snap.commands properties (#364) + make finding libc platform independent (#366) [Mina Galić (deprecated: Igor Galić)] + doc/rtd/topics/faq: Updates LXD docs links to current site (#368) [TomP] + templater: drop Jinja Python 2 compatibility shim (#353) + cloudinit: minor pylint fixes (#360) + cloudinit: remove unneeded __future__ imports (#362) + migrating momousta lp user to Moustafa-Moustafa GitHub user (#361) [Moustafa Moustafa] + cloud_tests: emit dots on Travis while fetching images (#347) + Add schema to apt configure config (#357) [lucasmoura] (LP: #1858884) + conftest: add docs and tests regarding CiTestCase's subp functionality (#343) + analyze/dump: refactor shared string into variable (#350) + doc: update boot.rst with correct timing of runcmd (#351) + HACKING.rst: change contact info to Rick Harding (#359) [lucasmoura] + HACKING.rst: guide people to add themselves to the CLA file (#349) + HACKING.rst: more unit testing documentation (#354) + .travis.yml: don't run lintian during integration test package builds (#352) + Add test to ensure docs examples are valid cloud-init configs (#355) [James Falcon] (LP: #1876414) + make suse and sles support 127.0.1.1 (#336) [chengcheng-chcheng] + Create tests to validate schema examples (#348) [lucasmoura] (LP: #1876412) + analyze/dump: add support for Amazon Linux 2 log lines (#346) (LP: #1876323) + bsd: upgrade support (#305) [Gonéri Le Bouder] + Add lucasmoura as contributor (#345) [lucasmoura] + Add 'therealfalcon' as contributor (#344) [James Falcon] + Adapt the package building scripts to use Python 3 (#231) [Paride Legovini] + DataSourceEc2: use metadata's NIC ordering to determine route-metrics (#342) (LP: #1876312) + .travis.yml: introduce caching (#329) + cc_locale: introduce schema (#335) + doc/rtd/conf.py: bump copyright year to 2020 (#341) + yum_add_repo: Add Centos to the supported distro list (#340)

Fix unit test fail in TestGetPackageMirrorInfo::test_substitution.

Add patch from upstream to remove python2 compatibility so cloud-init builds fine in Tumbleweed with a recent Jinja2 version. This patch is only applied in TW.

Advisory ID	SUSE-RU-2022:207-1
Released	Thu Jan 27 09:24:49 2022
Summary	Recommended update for glibc
Type	recommended
Severity	moderate
References

Description:

This update for glibc fixes the following issues:

Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).

Advisory ID	SUSE-RU-2022:209-1
Released	Thu Jan 27 14:03:58 2022
Summary	Recommended update for opencl-headers
Type	recommended
Severity	moderate
References	1193617

Description:

This update for opencl-headers fixes the following issues:
Update opencl-headers from 2.2+git.20170617 to version 2.2+git.20211214 (bsc#1193617)

Add definitions for cl_arm_protected_memory_allocation
Update headers for cl_intel_unified_shared_memory
Add provisional command-buffer extension
Rename cl_intel_thread_local_exec to cl_intel_exec_by_local_thread
Fix API suffix version macros for semaphore extensions command definitions
If change the include path destination when run cmake configure with `DCMAKE_INSTALL_INCLUDEDIR`, the .cmake generated still point to hardcoded path `include`. this fix it
Add external memory, external semaphore, and semaphore provisional extensions
Fix condition for warning 4201 pop
Update extension headers for cl_intel_device_attribute_query
Update extension headers for cl_intel_sharing_format_query
Add support for cl_khr_integer_dot_product v2
Update headers for cl_khr_integer_dot_product
Add cl_khr_pci_bus_info and cl_khr_suggested_local_work_size
Add missing 'stdint.h' include to 'CL/cl.h'
Disable failing CI configs
Fixes for usage of macro CL_API_ENTRY
cl_intel_command_queue_families extension
Update default OpenCL version in README
Replace uses of CL_EXT_{PRE,SUF}FIX* with CL_API_{PRE,SUF}FIX*
Do not include cl_gl_ext.h from opencl.h
Move cl_khr_gl_event to cl_gl.h
Add testing for cl_d3d10.h, cl_d3d11.h, and cl_dx9_media_sharing.h
Add definitions for cl_arm_import_memory_android_hardware_buffer v1.1.0
Add support for user-supplied prefix/suffix in function declarations
Move cl_icd_layer.h from OpenCL-ICD-Loader to OpenCL-Headers.
Add definitions for cl_arm_controlled_kernel_termination
Add definitions for cl_arm_scheduling_controls v0.3.0
Remove unused CL_EXTENSION_WEAK_LINK definition
Move Intel extensions into common files
Add definitions for cl_arm_scheduling_controls v0.2.0
Update apt package list in CI before running cmake
Re-enable format string warning in CI
Use PRId64 and PRIu64 when printing 64-bit values
Fix test format string warnings
Fix origin argument names for rect functions
Enable GitHub Actions for pull requests
Added definitions for cl_img_generate_mipmap.
Added missing define for cl_img_use_gralloc_ptr.
Use the alignment attribute under Integrity OS.
Comprehensive CMake Package Config support
Added definitions for cl_img_mem_properties.
Switch the default version for the OpenCL headers to OpenCL 3.0
Re-enable anonymous unions by default
Avoid anon structs when MSVC uses /Za
Update APIs and enums for cl_intel_unified_shared_memory for rev Q
Header changes for cl_intel_mem_force_host_memory
Add definitions for cl_ext_cxx_for_opencl
Add definitions for cl_arm_scheduling_controls
Add cl_intel_create_buffer_with_properties and cl_intel_mem_channel_property extensions
Add cl_api prefix for clSetContextDestructorCallback
Update ICD dispatch table with clSetContextDestructorCallback
Deprecate clSetProgramReleaseCallback
Add CL_DEVICE_LATEST_CONFORMANCE_VERSION_PASSED
Add clSetContextDestructorCallback
Introduce cl_properties type
Switch device enqueue boolean query to capabilities query
Fix build of dependent software with clang
Add APIs and enums for cl_intel_unified_shared_memory
Add cl_khr_device_uuid definitions
Add cl_half.h header
Add tokens for cl_amd_device_attribute_query
Add Windows CI using Travis
Update headers for OpenCL 3.0
Add cl_khr_extended_versioning macro
Synchronize experimental enum etc with cl.xml
Include the DirectX sharing headers from CL/cl_icd.h.
Add missing error code CL_CONTEXT_TERMINATED_KHR
Change license to Apache 2.0
Add enum value for `cl_khronos_vendor_id`
Experimental enum cl_khronos_vendor_id
Experimental enums for language queries
Add experimental enum CL_COMMAND_SVM_MIGRATE_MEM
Move two subgroup queries from cl_kernel_info to cl_kernel_sub_group_info
Add experimental enums
Add CL_IMPORT_DMA_BUF_DATA_CONSISTENCY_WITH_HOST_ARM definition
Add tests and Travis CI config
Add definitions for cl_arm_import_memory_android_hardware_buffer
Add version guards to ICD declarations
Add cl_khr_extended_versioning definitions
Add API function pointer and ICD dispatch table definitions
Add definitions for cl_arm_job_slot_selection
Fix _cl_image_desc for OpenCL 1.2 compatibility
Simplify the definition of deprecation prefixes/suffixes
Added suffixed enums for cl_khr_image2d_from_buffer
Drop __attribute__((aligned(X))) from cl_X defs
Small typo fix for pfn_notify
Use __vector instead of vector to fix altivec builds
Fix clCreateFromGLBuffer error code result type
Fixed w4201 triggering with MSVC in /W4 /Za builds
Add suffixed enums for cl_khr_mipmap_image
Remove all Apple specific content from headers
Add enums for cl_arm_get_core_id
Rename CL_IMPORT_TYPE_SECURE_ARM
Add CL_DEVICE_DOUBLE_FP_CONFIG
Remove CL_DEVICE_HALF_FP_CONFIG
Unified Headers and added clSetCommandQueueProperty to unified headers
Add cl_khr_il_program to OpenCL 1.2 and 2.0 headers
Add cl_khr_create_command_queue
Use correctly rounded decimal mathematical constants
Shorten CL_DBL_MAX for Visual Studio to fix token overflow
Anon structs supported in C11

Advisory ID	SUSE-RU-2022:220-1
Released	Fri Jan 28 08:13:30 2022
Summary	Recommended update for saptune
Type	recommended
Severity	important
References	1192029,1192697,1193241,1193435,1193576,1193580,1194299,1194334

Description:

This update for saptune fixes the following issues:

Fix LVM slave devices not to be excluded when they are valid block devices (bsc#1194299)
Fix 'not compliant' state for energy_perf_bias on PowerPC systems and suppress misleading error message regarding missing 'mokutil' (bsc#1193435)
Remove the dependency to 'mokutil' by relying on sysfs to detect a secure boot environment (bsc#1193435)
Fix problem with command `saptune revert all`, if the saptune service was stopped between the two commands `apply` and `revert all`
Fix `saptune service enablestart|disablestop` to always perform both actions and no longer stop working, if the service is already started|stopped (bsc#1193241)
Fix support support for AWS x1e instances (bsc#1192029)
Support /etc/fstab entries with 4 instead of 6 fields and change error handling from 'panic' to error log messages (bsc#1193580)
Enhance documentation in man page 'saptune.8' with the entry 'configured Note' and some more descriptions of the entries from `saptune service status` (bsc#1192697)
Fix block device settings (e.g. NRREQ) for multipath devices (bsc#1193576)
Fix `saptune verify` command to report a non existing sysctl or sys parameter as 'not available on the system'. An additional warning is displayed to raise attention to typos in the parameter name.
Fix `saptune status` command to accurately report the unit state (bsc#1194334)
Added a hint to the man page and some additional log messages as the PowerPC systems (hardware architecture 'ppc64le') don't support files in '/sys/class/dmi'

Advisory ID	SUSE-RU-2022:222-1
Released	Fri Jan 28 09:57:54 2022
Summary	Recommended update for xrdp
Type	recommended
Severity	moderate
References	1187258

Description:

This update for xrdp fixes the following issues:

Fix crash in xrdp-fate318398-change-expired-password.patch (bsc#1187258)

Advisory ID	SUSE-SU-2022:226-1
Released	Fri Jan 28 17:21:40 2022
Summary	Security update for log4j12
Type	security
Severity	important
References	1193184,1194842,1194843,1194844,CVE-2022-23302,CVE-2022-23305,CVE-2022-23307

Description:

This update for log4j12 fixes the following issues:

CVE-2022-23307: Fix deserialization issue by removing the chainsaw sub-package. (bsc#1194844)
CVE-2022-23305: Fix SQL injection by removing src/main/java/org/apache/log4j/jdbc/JDBCAppender.java. (bsc#1194843)
CVE-2022-23302: Fix remote code execution by removing src/main/java/org/apache/log4j/net/JMSSink.java. (bsc#1194842)

Advisory ID	SUSE-RU-2022:227-1
Released	Mon Jan 31 06:05:25 2022
Summary	Recommended update for git
Type	recommended
Severity	moderate
References	1193722

Description:

This update for git fixes the following issues:

update to 2.34.1 (bsc#1193722): * 'git grep' looking in a blob that has non-UTF8 payload was completely broken when linked with certain versions of PCREv2 library in the latest release. * 'git pull' with any strategy when the other side is behind us should succeed as it is a no-op, but doesn't. * An earlier change in 2.34.0 caused JGit application (that abused GIT_EDITOR mechanism when invoking 'git config') to get stuck with a SIGTTOU signal; it has been reverted. * An earlier change that broke .gitignore matching has been reverted. * SubmittingPatches document gained a syntactically incorrect mark-up, which has been corrected.

git 2.33.0: * 'git send-email' learned the '--sendmail-cmd' command line option and the 'sendemail.sendmailCmd' configuration variable, which is a more sensible approach than the current way of repurposing the 'smtp-server' that is meant to name the server to instead name the command to talk to the server. * The userdiff pattern for C# learned the token 'record'. * 'git rev-list' learns to omit the 'commit ' header lines from the output with the `--no-commit-header` option. * 'git worktree add --lock' learned to record why the worktree is locked with a custom message. * internal improvements including performance optimizations * a number of bug fixes

git 2.32.0: * '.gitattributes', '.gitignore', and '.mailmap' files that are symbolic links are ignored * 'git apply --3way' used to first attempt a straight application, and only fell back to the 3-way merge algorithm when the straight application failed. Starting with this version, the command will first try the 3-way merge algorithm and only when it fails (either resulting with conflict or the base versions of blobs are missing), falls back to the usual patch application. * 'git stash show' can now show the untracked part of the stash * Improved 'git repack' strategy * http code can now unlock a certificate with a cached password respectively. * 'git clone --reject-shallow' option fails the clone as soon as we notice that we are cloning from a shallow repository. * 'gitweb' learned 'e-mail privacy' feature * Multiple improvements to output and configuration options * Bug fixes and developer visible fixes

Advisory ID	SUSE-RU-2022:228-1
Released	Mon Jan 31 06:07:52 2022
Summary	Recommended update for boost
Type	recommended
Severity	moderate
References	1194522

Description:

This update for boost fixes the following issues:

Fix compilation errors (bsc#1194522)

Advisory ID	SUSE-RU-2022:273-1
Released	Tue Feb 1 14:15:21 2022
Summary	Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent
Type	recommended
Severity	important
References	1102408,1192652,1192653,1193257,1193258

Description:

This update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent contains the following fixes:
Changes in google-guest-agent:

Update to version 20211116.00 (bsc#1193257, bsc#1193258) * dont duplicate logs (#146) * Add WantedBy network dependencies to google-guest-agent service (#136) * dont try dhcpv6 when not needed (#145) * Integration tests: instance setup (#143) * Integration test: test create and remove google user (#128) * handle comm errors in script runner (#140) * enforce script ordering (#138) * enable ipv6 on secondary interfaces (#133)
from version 20211103.00 * Integration tests: instance setup (#143)
from version 20211027.00 * Integration test: test create and remove google user (#128)

Update to version 20211019.00 * handle comm errors in script runner (#140)
from version 20211015.00 * enforce script ordering (#138)
from version 20211014.00 * enable ipv6 on secondary interfaces (#133)
from version 20211013.00 * dont open ssh tempfile exclusively (#137)
from version 20211011.00 * correct linux startup script order (#135) * Emit sshable attribute (#123)
from version 20210908.1 * restore line (#127)
from version 20210908.00 * New integ test (#124)
from version 20210901.00 * support enable-oslogin-sk key (#120) * match script logging to guest agent (#125)
from version 20210804.00 * Debug logging (#122)
Refresh patches for new version * dont_overwrite_ifcfg.patch

Build with go1.15 for reproducible build results (bsc#1102408)

Update to version 20210707.00 * Use IP address for calling the metadata server. (#116)
from version 20210629.00 * use IP for MDS (#115)

Update to version 20210603.00 * systemd-notify in agentInit (#113) * dont check status (#112)
from version 20210524.00 * more granular service restarts (#111)
from version 20210414.00 * (no functional changes)

Changes in google-guest-configs:

Add missing pkg-config dependency to BuildRequires for SLE-12

Install modprobe configuration files into /etc again on SLE-15-SP2 and older since that's stil the default location on these distributions
Probe udev directory using the 'udevdir' pkg-config variable on SLE-15-SP2 and older since the variable got renamed to 'udev_dir' in later versions
Remove redundant pkgconfig(udev) from BuildRequires for SLE-12

Update to version 20211116.00 (bsc#1193257, bsc#1193258) * GCE supports up to 24 NVMe local SSDs, but the regex in the PROGRAM field only looks for the last digit of the given string causing issues when there are >= 10 local SSDs. Changed REGEX to get the last number of the string instead to support the up to 24 local SSDs. (#30) * chmod+x google_nvme_id on EL (#31)
Fix duplicate installation of google_optimize_local_ssd and google_set_multiqueue
Install google_nvme_id into /usr/lib/udev (bsc#1192652, bsc#1192653)

Update to version 20210916.00 * Revert 'dont set IP in etc/hosts; remove rsyslog (#26)' (#28)
from version 20210831.00 * restore rsyslog (#27)
from version 20210830.00 * Fix NVMe partition names (#25)
from version 20210824.00 * dont set IP in etc/hosts; remove rsyslog (#26) * update OWNERS

Use %_modprobedir for modprobe.d files (out of /etc)
Use %_sysctldir for sysctl.d files (out of /etc)

Update to version 20210702.00 * use grep for hostname check (#23)
from version 20210629.00 * address set_hostname vuln (#22)
from version 20210324.00 * dracut.conf wants spaces around values (#19)

Changes in google-guest-oslogin:

Update to version 20211013.00 (bsc#1193257, bsc#1193258) * remove deprecated binary (#79)
from version 20211001.00 * no message if no groups (#78)
from version 20210907.00 * use sigaction for signals (#76)
from version 20210906.00 * include cstdlib for exit (#75) * catch SIGPIPE in authorized_keys (#73)
from version 20210805.00 * fix double free in ParseJsonToKey (#70)
from version 20210804.00 * fix packaging for authorized_keys_sk (#68) * add authorized_keys_sk (#66)
Add google_authorized_keys_sk to %files section
Remove google_oslogin_control from %files section

Changes in google-osconfig-agent:

Update to version 20211117.00 (bsc#1193257, bsc#1193258) * Add retry logic for RegisterAgent (#404)
from version 20211111.01 * e2e_test: drop ubuntu 1604 image as its EOL (#403)
from version 20211111.00 * e2e_test: move to V1 api for OSPolicies (#397)
from version 20211102.00 * Fix context logging and fix label names (#400)
from version 20211028.00 * Add cloudops example for gcloud (#399)

Update to version 20211021.00 * Added patch report logging for Zypper. (#395)
from version 20211012.00 * Replace deprecated instance filters with the new filters (#394)
from version 20211006.00 * Added patch report log messages for Yum and Apt (#392)
from version 20210930.00 * Config: Add package info caching (#391)
from version 20210928.00 * Fixed the runWithPty function to set ctty to child's filedesc (#389)
from version 20210927.00 * e2e_tests: fix a test output mismatch (#390)
from version 20210924.00 * Fix some e2e test failures (#388)
from version 20210923.02 * Correctly check for folder existance in package upgrade (#387)
from version 20210923.01 * ReportInventory: Fix bug in deb/rpm inventory, reduce calls to append (#386)
from version 20210923.00 * Deprecate old config directory in favor of new cache directory (#385)
from version 20210922.02 * Fix rpm/deb package formating for inventory reporting (#384)
from version 20210922.01 * Add centos stream rocky linux and available package tests (#383)
from version 20210922.00 * Add more info logs, actually cleanup unmanaged repos (#382)
from version 20210901.00 * Add E2E tests for Windows Application (#379) * Return lower-case package name (#377) * Update Terraform scripts for multi-project deployments tutorial. (#378)
from version 20210811.00 * Support Windows Application Inventory (#371)
from version 20210723.00 * Send basic inventory with RegisterAgent (#373)
from version 20210722.1 * e2e_tests: move to manually generated osconfig library (#372)
from version 20210722.00 * Create OWNERS file for examples directory (#368)
from version 20210719.00 * Update Zypper patch info parsing (#370)

Build with go1.15 for reproducible build results (bsc#1102408)

Update to version 20210712.1 * Skip getting patch info when no patches are found. (#369)
from version 20210712.00 * Add Terraform scripts for multi-project deployments (#367)
from version 20210709.00 * Add examples/Terraform directory. (#366)
from version 20210707.00 * Fix bug in printing packages to update, return error for zypper patch (#365)
from version 20210629.00 * Add CloudOps examples for CentOS (#364)

Update to version 20210621.00 * chore: Fixing a comment. (#363)
from version 20210617.00 * Use exec.CommandContext so that canceling the context also kills any running processes (#362)
from version 20210608.1 * e2e_tests: point to official osconfig client library (#359)
from version 20210608.00 * e2e_tests: deflake tests (#358)
from version 20210607.00 * Fix build on some architectures (#357)
from version 20210603.00 * Create win-validation-powershell.yaml (#356)
from version 20210602.00 * Agent efficiency improvements/bugfixes/logging updates (#355) * e2e_tests: add tests for ExecResource output (#354)
from version 20210525.00 * Run fieldalignment on all structs (#353)
from version 20210521.00 * Config Task: add error message and ExecResource output recording (#350) * e2e_tests: remove Windows server 1909 and add server 20h2 (#352) * Added a method for logging structured data (#349)

Advisory ID	SUSE-RU-2022:302-1
Released	Wed Feb 2 11:07:47 2022
Summary	Recommended update for rpmlint, rpmlint-mini, obs-service-format_spec_file
Type	recommended
Severity	moderate
References	1195085

Description:

This update for rpmlint, rpmlint-mini, obs-service-format_spec_file fixes the following issues:
obs-service-format_spec_file:

Synchronize the license identifiers from SPDX (spdx.org). (jsc#SLE-18915)

rpmlint:

Accept any license ending with a '+' as indicated in the SPDX syntax. (bsc#1195085)
Remove licenses ending with '+' from the valid license array
Rebuild rpmlint with the new obs-service-format_spec_file.

rpmlint-mini:

Rebuild rpmlint-mini with the new obs-service-format_spec_file and rpmlint.

Advisory ID	SUSE-RU-2022:303-1
Released	Wed Feb 2 11:11:34 2022
Summary	Recommended update for hplip
Type	recommended
Severity	moderate
References	1193656,1193718

Description:

This update for hplip fixes the following issues:

Replace keyserver with `pgp.surf.nl` (bsc#1193656)
Add build dependency on `python-rpm-macros` (bsc#1193718)
Update hplip to version 3.21.10 and added support for the following new printers: * HP Color LaserJet Enterprise M455dn * HP Color LaserJet Enterprise MFP M480f * HP Color LaserJet Managed E45028dn * HP Color LaserJet Managed MFP E47528f * HP DesignJet Z6 Pro 64in * HP DesignJet Z9 Pro 64in * HP DeskJet Ink Advantage Ultra 4800 All-in-One Printer series * HP ENVY Inspire 7200e series * HP ENVY Inspire 7900e series * HP Envy 6400 series * HP Lasejet M211d * HP LaserJet Enterprise M406dn * HP LaserJet Enterprise M407dn * HP LaserJet Enterprise MFP M430f * HP LaserJet Enterprise MFP M431f * HP LaserJet M109a * HP LaserJet M109w * HP LaserJet M109we * HP LaserJet M110a * HP LaserJet M110w * HP LaserJet M110we * HP LaserJet M111a * HP LaserJet M111w * HP LaserJet M111we * HP LaserJet M112a * HP LaserJet M112w * HP LaserJet M112we * HP LaserJet M212dwe * HP LaserJet MFP M139a * HP LaserJet MFP M139w * HP LaserJet MFP M139we * HP LaserJet MFP M140a * HP LaserJet MFP M140w * HP LaserJet MFP M140we * HP LaserJet MFP M141a * HP LaserJet MFP M141w * HP LaserJet MFP M141we * HP LaserJet MFP M142a * HP LaserJet MFP M142w * HP LaserJet MFP M142we * HP LaserJet MFP M232d * HP LaserJet MFP M232dw * HP LaserJet MFP M232dwc * HP LaserJet MFP M232sdn * HP LaserJet MFP M232sdw * HP LaserJet MFP M233d * HP LaserJet MFP M233dw * HP LaserJet MFP M233sdn * HP LaserJet MFP M233sdw * HP LaserJet MFP M234dw * HP LaserJet MFP M234dwe * HP LaserJet MFP M234sdn * HP LaserJet MFP M234sdne * HP LaserJet MFP M234sdw * HP LaserJet MFP M234sdwe * HP LaserJet MFP M235d * HP LaserJet MFP M235dw * HP LaserJet MFP M235dwe * HP LaserJet MFP M235sdn * HP LaserJet MFP M235sdne * HP LaserJet MFP M235sdw * HP LaserJet MFP M235sdwe * HP LaserJet MFP M236d * HP LaserJet MFP M236dw * HP LaserJet MFP M236sdn * HP LaserJet MFP M236sdw * HP LaserJet MFP M237d * HP LaserJet MFP M237dw * HP LaserJet MFP M237dwe * HP LaserJet MFP M237sdn * HP LaserJet MFP M237sdne * HP LaserJet MFP M237sdw * HP LaserJet MFP M237sdwe * HP LaserJet Managed E40040dn * HP LaserJet Managed MFP E42540f * HP Laserjet M207d * HP Laserjet M207dw * HP Laserjet M208d * HP Laserjet M208dw * HP Laserjet M209d * HP Laserjet M209dw * HP Laserjet M209dwe * HP Laserjet M210d * HP Laserjet M210dw * HP Laserjet M210dwe * HP Laserjet M211dw * HP Laserjet M212d * HP Laserjet M212dw * HP PageWide XL 3920 MFP * HP PageWide XL 3920 MFP * HP PageWide XL 4200 Multifunction Printer * HP PageWide XL 4200 Multifunction Printer * HP PageWide XL 4200 Printer * HP PageWide XL 4200 Printer * HP PageWide XL 4700 Multifunction Printer * HP PageWide XL 4700 Multifunction Printer * HP PageWide XL 4700 Printer * HP PageWide XL 4700 Printer * HP PageWide XL 5200 Multifunction Printer * HP PageWide XL 5200 Multifunction Printer * HP PageWide XL 5200 Printer * HP PageWide XL 5200 Printer * HP PageWide XL 8200 Printer * HP PageWide XL 8200 Printer * HP PageWide XL Pro 5200 PS MFP series * HP PageWide XL Pro 8200 PS MFP series * HP Smart Tank 500 series * HP Smart Tank 530 series * HP Smart Tank 750 * HP Smart Tank 7600 * HP Smart Tank 790 * HP Smart Tank Plus 570 series * HP Smart Tank Plus 6000 * HP Smart Tank Plus 660-670 * HP Smart Tank Plus 7000 * HP Smart Tank Plus 710-720
Remove libtool archives
Fixes to the built artifacts: * Disabled image processor build with the configure option `--disable-imageProcessor-build` * Remove executable bit in `%{_datadir}/hplip/` * Ignore duplicate files in `hplip-rpmlintrc ('__init__.*.pyc?')`

Advisory ID	SUSE-RU-2022:312-1
Released	Wed Feb 2 13:49:08 2022
Summary	Recommended update for rrdtool
Type	recommended
Severity	moderate
References	1189375

Description:

This update for rrdtool fixes the following issues:

Remove umask usage as it creates issues and it's not thread safe. (bsc#1189375)

Advisory ID	SUSE-RU-2022:313-1
Released	Wed Feb 2 13:52:26 2022
Summary	Recommended update for infinipath-psm
Type	recommended
Severity	moderate
References	1047218,1133133,1160270

Description:

This update for infinipath-psm fixes the following issues:

Fix compilation with GCC10. (bsc#1160270)
Disable LTO. (bsc#1133133)
Fix build date. (bsc#1047218)

Advisory ID	SUSE-RU-2022:316-1
Released	Thu Feb 3 10:06:50 2022
Summary	Recommended update for vino
Type	recommended
Severity	moderate
References	1177663

Description:

This update for vino fixes the following issues:

Remove telepathy dbus service because telepathy is disabled (bsc#1177663)

Advisory ID	SUSE-RU-2022:317-1
Released	Thu Feb 3 10:06:59 2022
Summary	Recommended update for wicked
Type	recommended
Severity	moderate
References	1057592,1156920,1160654,1178357,1181163,1181812,1182227,1183407,1183495,1188019,1189560,1192164,1192311,1192353,1194392

Description:

This update for wicked fixes the following issues:

Fix device rename issue when done via Yast2 (bsc#1194392)
Prepare RPM packaging for migration of dbus configuration files from /etc to /usr, however this change does not affect SUSE Linux Enterprise 15 Service Pack 3 (bsc#1183407,jsc#SLE-9750)
Parse sysctl files in the correct order
Fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
Add option for dhcp4 to set route pref-src to dhcp IP (bsc#1192353)
Cleanup warnings, time calculations and add dhcp fixes to reduce resource usage (bsc#1188019)
Avoid sysfs attribute read error when the kernel has already deleted the TUN/TAP interface (bsc#1192311)
Fix warning in `ifstatus` about unexpected interface flag combination (bsc#1192164)
Fix `ifstatus` not to show link as 'up' when interface is not running
Make firewalld zone assignment permanent (bsc#1189560)
Initial fixes for dracut integration and improved option handling (bsc#1182227)
Fix `nanny` to identify node owner exit condition
Add `ethtool --get-permanent-address` option in the client
Reconnect on unexpected wpa_supplicant restart (bsc#1183495)
Migrate wireless to wpa-supplicant v1 DBus interface (bsc#1156920)
Support multiple wireless networks configurations per interface
Show wireless connection status and scan-results (bsc#1160654)
Fix eap-tls,ttls cetificate handling and fix open vs. shared wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
Updated `man ifcfg-wireless` manual pages

Advisory ID	SUSE-RU-2022:319-1
Released	Thu Feb 3 10:22:30 2022
Summary	Recommended update for cargo-packaging, rustup, sccache
Type	recommended
Severity	moderate
References

Description:

This update for cargo-packaging, rustup, sccache fixes the following issues:
rustup, cargo-packaging and sccache were added to the Development Tools Module.

rustup version 1.24.3~git0.ce5817a9.
cargo-packaging version 1.0.0~git6.d878e38.
sccache version 0.2.15~git1.22a176c.

Advisory ID	SUSE-RU-2022:322-1
Released	Thu Feb 3 14:03:19 2022
Summary	Recommended update for dracut
Type	recommended
Severity	moderate
References	1192685,1194716

Description:

This update for dracut fixes the following issues:

Fix(network): consistent use of '$gw' for gateway (bsc#1192685)
Fix(install): handle builtin modules (bsc#1194716)

Advisory ID	SUSE-RU-2022:324-1
Released	Fri Feb 4 07:55:18 2022
Summary	Recommended update for supportutils-plugin-cloud-init
Type	recommended
Severity	moderate
References

Description:

This update for supportutils-plugin-cloud-init fixes the following issues:

This plugin adds functionality to the supportconfig tool, making it include logs and status of systemd services relating to cloud-init in the supportconfig tarballs. (jsc#SLE-19069, jsc#SLE-20508)

Advisory ID	SUSE-SU-2022:330-1
Released	Fri Feb 4 09:29:08 2022
Summary	Security update for glibc
Type	security
Severity	important
References	1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

Description:

This update for glibc fixes the following issues:

CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

Features added:

IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)

Advisory ID	SUSE-SU-2022:333-1
Released	Fri Feb 4 09:30:26 2022
Summary	Security update for xen
Type	security
Severity	important
References	1194576,1194581,1194588,CVE-2022-23033,CVE-2022-23034,CVE-2022-23035

Description:

This update for xen fixes the following issues:

CVE-2022-23033: Fixed guest_physmap_remove_page not removing the p2m mappings. (XSA-393) (bsc#1194576)
CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)

Advisory ID	SUSE-SU-2022:334-1
Released	Fri Feb 4 09:30:58 2022
Summary	Security update for containerd, docker
Type	security
Severity	moderate
References	1191015,1191121,1191334,1191434,1193273,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190

Description:

This update for containerd, docker fixes the following issues:

CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015).
CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).
CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).
CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).
CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).

Advisory ID	SUSE-RU-2022:335-1
Released	Fri Feb 4 10:24:02 2022
Summary	Recommended update for coreutils
Type	recommended
Severity	moderate
References	1189152

Description:

This update for coreutils fixes the following issues:

Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

Advisory ID	SUSE-RU-2022:336-1
Released	Fri Feb 4 10:24:16 2022
Summary	Recommended update for yast2-add-on
Type	recommended
Severity	moderate
References	1194851,972046

Description:

This update for yast2-add-on fixes the following issues:

Restore the repo unexpanded URL to get it properly saved in the /etc/zypp/repos.d file (bsc#972046, bsc#1194851).

Advisory ID	SUSE-RU-2022:339-1
Released	Mon Feb 7 10:22:03 2022
Summary	Recommended update for google-droid-fonts
Type	recommended
Severity	moderate
References	1190886

Description:

This update for google-droid-fonts fixes the following issue:

Add sources DroidSansFallback.ttf DroidSansFallbackFull.ttf DroidSansMono.ttf: Merge the latest modification from Android project (bsc#1190886).

Advisory ID	SUSE-RU-2022:340-1
Released	Mon Feb 7 13:08:14 2022
Summary	Security update for the Linux Kernel
Type	recommended
Severity	moderate
References	1195142

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various a regression bugfix.
The following non-security bugs were fixed:

drm/radeon: fix error handling in radeon_driver_open_kms that could lead to non-booting systems with Radeon cards (bsc#1195142).

Advisory ID	SUSE-RU-2022:343-1
Released	Mon Feb 7 15:16:58 2022
Summary	Recommended update for systemd
Type	recommended
Severity	moderate
References	1193086

Description:

This update for systemd fixes the following issues:

disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579
disable fallback DNS servers and fail when no DNS server info could be obtained from the links.
DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package.
Improve warning messages (bsc#1193086).

Advisory ID	SUSE-RU-2022:348-1
Released	Tue Feb 8 13:02:20 2022
Summary	Recommended update for libzypp
Type	recommended
Severity	important
References	1193007,1193488,1194597,1194898,954813

Description:

This update for libzypp fixes the following issues:

RepoManager: remember execution errors in exception history (bsc#1193007)
Fix exception handling when reading or writing credentials (bsc#1194898)
Fix install path for parser (bsc#1194597)
Fix Legacy include (bsc#1194597)
Public header files on older distros must use c++11 (bsc#1194597)
Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
Fix wrong encoding of URI compontents of ISO images (bsc#954813)
When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
Introduce zypp-curl as a sublibrary for CURL related code
zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
Save all signatures associated with a public key in its PublicKeyData

Advisory ID	SUSE-SU-2022:283-1
Released	Tue Feb 8 16:10:39 2022
Summary	Security update for samba
Type	security
Severity	critical
References	1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048,CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336

Description:

CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690);
CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859);
CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);

samba was updated to 4.15.4 (jsc#SLE-23329);

Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928);
Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
kill_tcp_connections does not work; (bso#14934);
Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935);
smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939);
Cross device copy of the crossrename module always fails; (bso#14940);
symlinkat function from VFS cap module always fails with an error; (bso#14941);
Fix possible fsp pointer deference; (bso#14942);
Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944);
'smbd --build-options' no longer works without an smb.conf file; (bso#14945);

Samba was updated to version 4.15.3

CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bsc#1139519);
CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bsc#1191227);
Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel.
Rename package samba-core-devel to samba-devel
Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

krb5 was updated to 1.16.3 to 1.19.2

Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
Fix a memory leak when gss_inquire_cred() is called without a credential handle.

Changes from 1.19.1:

Fix a linking issue with Samba.
Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value.

Changes from 1.19
Administrator experience * When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually. * It is now harder to accidentally delete the K/M entry from a KDB. Developer experience * gss_acquire_cred_from() now supports the 'password' and 'verify' options, allowing credentials to be acquired via password and verified using a keytab key. * When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings. * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate. * PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets. * The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password(). Protocol evolution * Added client and KDC support for Microsoft's Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support. * kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback. * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set. User experience * kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases. * Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal's kgetcred).
Changes from 1.18.3

Fix a denial of service vulnerability when decoding Kerberos protocol messages.
Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database.
Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.

Changes from 1.18.2

Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype.
Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
Fix a NegoEx bug where the client name and delegated credential might not be reported.

Changes from 1.18.1

Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
Fix a regression when an application imports 'service@' as a GSS host-based name for its acceptor credential handle.
Fix KDC enforcement of auth indicators when they are modified by the KDB module.
Fix removal of require_auth string attributes when the LDAP KDB module is used.
Fix a compile error when building with musl libc on Linux.
Fix a compile error when building with gcc 4.x.
Change the KDC constrained delegation precedence order for consistency with Windows KDCs.

Changes from 1.18 Administrator experience: * Remove support for single-DES encryption types. * Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with '.rcache2' by default. * setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context(). * Add an 'enforce_ok_as_delegate' krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket. * Use the permitted_enctypes krb5.conf setting as the default value for default_tkt_enctypes and default_tgs_enctypes. Developer experience: * Implement krb5_cc_remove_cred() for all credential cache types. * Add the krb5_pac_get_client_info() API to get the client account name from a PAC. Protocol evolution: * Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.) * Remove support for an old ('draft 9') variant of PKINIT. * Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.) User experience: * Add support for 'dns_canonicalize_hostname=fallback', causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found. * Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system's first DNS search path as a suffix. Add a 'qualify_shortname' krb5.conf relation to override this suffix or disable expansion. * Honor the transited-policy-checked ticket flag on application servers, eliminating the requirement to configure capaths on servers in some scenarios. Code quality: * The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe. * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices. * The test suite has been modified to work with macOS System Integrity Protection enabled. * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.
Changes from 1.17.1

Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin.
Fix a bug preventing time skew correction from working when a KCM credential cache is used.

Changes from 1.17: Administrator experience:

A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
'kdb5_util dump' will no longer dump policy entries when specific principal names are requested.

Developer experience:

The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.

The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.

KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.

Programs which use large numbers of memory credential caches should perform better.

Protocol evolution:

The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.

PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.

Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.

The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.

User experience:

The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.

The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.

The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.

Code quality:

Python test scripts now use Python 3.

Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.

The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.

Build with full Cyrus SASL support. Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working.

ldb was updated to version 2.4.1 (jsc#SLE-23329);

Release 2.4.1

+ Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message; (bso#14845); + Fix memory handling in ldb.msg_diff; (bso#14836);

Release 2.4.0

+ pyldb: Fix Message.items() for a message containing elements + pyldb: Add test for Message.items() + tests: Use ldbsearch '--scope instead of '-s' + Change page size of guidindexpackv1.ldb + Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream + attrib_handler casefold: simplify space dropping + fix ldb_comparison_fold off-by-one overrun + CVE-2020-27840: pytests: move Dn.validate test to ldb + CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode + CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds + CVE-2021-20277 ldb tests: ldb_match tests with extra spaces + improve comments for ldb_module_connect_backend() + test/ldb_tdb: correct introductory comments + ldb.h: remove undefined async_ctx function signatures + correct comments in attrib_handers val_to_int64 + dn tests use cmocka print functions + ldb_match: remove redundant check + add tests for ldb_wildcard_compare + ldb_match: trailing chunk must match end of string + pyldb: catch potential overflow error in py_timestring + ldb: remove some 'if PY3's in tests
talloc was updated to 2.3.3:

various bugfixes
python: Ensure reference counts are properly incremented
Change pytalloc source to LGPL
Upgrade waf to 2.0.18 to fix a cross-compilation issue; (bso#13846).

tdb was updated to version 1.4.4:

various bugfixes

tevent was updated to version 0.11.0:

Add custom tag to events
Add event trace api

sssd was updated to:

Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5
Update the private ldb modules installation following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

apparmor was updated to:

Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684).
add profile for samba-bgqd (bsc#1191532).

Advisory ID	SUSE-RU-2022:350-1
Released	Tue Feb 8 16:15:10 2022
Summary	Recommended update for release-notes-sles-for-sap
Type	recommended
Severity	moderate
References	933411

Description:

This update for release-notes-sles-for-sap fixes the following issues:

15.3.20220202 (tracked in bsc#933411) - Add Trento disclaimer (jsc#SLE-SLE-22808) - Change support length to 3.5 years

Advisory ID	SUSE-RU-2022:352-1
Released	Tue Feb 8 17:06:16 2022
Summary	Recommended update for release-notes-ha
Type	recommended
Severity	moderate
References	1187664,1188305,933411

Description:

This update for release-notes-ha fixes the following issues:

15.3.20220202 (tracked in bsc#933411)
Added note about pingd deprecation (jsc#DOCTEAM-62)
Added note about python-cluster-preflight-check deprecation (jsc#SLE-22898)
Removed mention of SES (bsc#1188305)
Updated links (bsc#1187664)

Advisory ID	SUSE-RU-2022:353-1
Released	Tue Feb 8 17:41:48 2022
Summary	Recommended update for systemd-rpm-macros
Type	recommended
Severity	moderate
References

Description:

This update for systemd-rpm-macros fixes the following issues:

Bump version to 10

%sysusers_create_inline was wrongly marked as deprecated
%sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. So don't mark it as deprecated too

Advisory ID	SUSE-SU-2022:363-1
Released	Thu Feb 10 17:01:32 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	critical
References	1154353,1154488,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-4159,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942

Description:

The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).
CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
CVE-2022-0286: Fixed null pointer dereference in bond_ipsec_add_sa() that may have lead to local denial of service (bnc#1195371).
CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).
CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).
CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
CVE-2021-22600: Fixed double free bug in packet_set_ring() in net/packet/af_packet.c that could have been exploited by a local user through crafted syscalls to escalate privileges or deny service (bnc#1195184).
CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that mishandled software scrollback (bnc#1187723).
CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in coerce_reg_to_size (bsc#1194227).

The following security references were added to already fixed issues:

CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large endpoint 0 requests (bsc#1193802).

The following non-security bugs were fixed:

ACPI: battery: Add the ThinkPad 'Not Charging' quirk (git-fixes).
ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() (git-fixes).
ACPICA: Fix wrong interpretation of PCC address (git-fixes).
ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 (git-fixes).
ACPICA: Utilities: Avoid deleting the same object twice in a row (git-fixes).
ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions (git-fixes).
ALSA: seq: Set upper limit of processed events (git-fixes).
ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
Bluetooth: Fix debugfs entry leak in hci_register_dev() (git-fixes).
Documentation: fix firewire.rst ABI file path error (git-fixes).
HID: apple: Do not reset quirks when the Fn key is not found (git-fixes).
HID: quirks: Allow inverting the absolute X/Y values (git-fixes).
HID: uhid: Fix worker destroying device without any protection (git-fixes).
HID: wacom: Reset expected and received contact counts at the same time (git-fixes).
PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller (git-fixes).
RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply (git-fixes).
arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
asix: fix wrong return value in asix_check_host_enable() (git-fixes).
ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe() (git-fixes).
ath10k: Fix tx hanging (git-fixes).
ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream (git-fixes).
batman-adv: allow netlink usage in unprivileged containers (git-fixes).
btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
clk: si5341: Fix clock HW provider cleanup (git-fixes).
crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
drm/bridge: megachips: Ensure both bridges are probed before registration (git-fixes).
drm/etnaviv: limit submit sizes (git-fixes).
drm/etnaviv: relax submit size limits (git-fixes).
drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y (git-fixes).
drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc (git-fixes).
drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (git-fixes).
drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy (git-fixes).
drm/msm: Fix wrong size calculation (git-fixes).
drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR (git-fixes).
drm/radeon: fix error handling in radeon_driver_open_kms (git-fixes).
drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L (git-fixes).
ext4: set csum seed in tmp inode while migrating to extents (bsc#1195267).
floppy: Add max size check for user space request (git-fixes).
gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock (git-fixes).
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use (git-fixes).
hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
hwmon: (lm90) Reduce maximum conversion rate for G781 (git-fixes).
i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters (git-fixes).
i2c: i801: Do not silently correct invalid transfer size (git-fixes).
i2c: mpc: Correct I2C reset procedure (git-fixes).
ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1160634).
iwlwifi: fix leaks/bad data after failed firmware load (git-fixes).
iwlwifi: mvm: Fix calculation of frame length (git-fixes).
iwlwifi: mvm: Increase the scan timeout guard to 30 seconds (git-fixes).
iwlwifi: mvm: synchronize with FW after multicast commands (git-fixes).
iwlwifi: remove module loading failure message (git-fixes).
lib82596: Fix IRQ check in sni_82596_probe (git-fixes).
lightnvm: Remove lightnvm implemenation (bsc#1191881).
mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes (git-fixes).
media: igorplugusb: receiver overflow should be reported (git-fixes).
media: m920x: do not use stack on USB reads (git-fixes).
media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds (git-fixes).
mlxsw: Only advertise link modes supported by both driver and device (bsc#1154488).
mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO (git-fixes).
mtd: nand: bbt: Fix corner case in bad block table handling (git-fixes).
mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings (git-fixes).
mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 (git-fixes).
net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).
net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering (jsc#SLE-8464).
net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
net/mlx5e: Protect encap route dev from concurrent release (jsc#SLE-8464).
net: allow retransmitting a TCP packet if original is still in queue (bsc#1188605 bsc#1187428).
net: bonding: fix bond_xmit_broadcast return value error bug (bsc#1176447).
net: bridge: vlan: fix memory leak in __allowed_ingress (bsc#1176447).
net: bridge: vlan: fix single net device option dumping (bsc#1176447).
net: mana: Add RX fencing (bsc#1193506).
net: mana: Add XDP support (bsc#1193506).
net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc (bsc#1183405).
net: sched: add barrier to ensure correct ordering for lockless qdisc (bsc#1183405).
net: sched: avoid unnecessary seqcount operation for lockless qdisc (bsc#1183405).
net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
net: sched: fix tx action reschedule issue with stopped queue (bsc#1183405).
net: sched: fix tx action rescheduling issue during deactivation (bsc#1183405).
net: sched: replaced invalid qdisc tree flush helper in qdisc_replace (bsc#1183405).
net: sfp: fix high power modules without diagnostic monitoring (bsc#1154353).
netdevsim: set .owner to THIS_MODULE (bsc#1154353).
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() (git-fixes).
nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
phy: uniphier-usb3ss: fix unintended writing zeros to PHY register (git-fixes).
phylib: fix potential use-after-free (git-fixes).
pinctrl: bcm2835: Add support for wake-up interrupts (git-fixes).
pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a debugfs entry (bsc#1195183 ltc#193865).
regulator: qcom_smd: Align probe function with rpmh-regulator (git-fixes).
rsi: Fix use-after-free in rsi_rx_done_handler() (git-fixes).
sched/fair: Fix detection of per-CPU kthreads waking a task (git fixes (sched/fair)).
sched/numa: Fix is_core_idle() (git fixes (sched/numa)).
scripts/dtc: dtx_diff: remove broken example from help text (git-fixes).
serial: 8250: of: Fix mapped region size when using reg-offset property (git-fixes).
serial: Fix incorrect rs485 polarity on uart open (git-fixes).
serial: amba-pl011: do not request memory region twice (git-fixes).
serial: core: Keep mctrl register state and cached copy in sync (git-fixes).
serial: pl010: Drop CR register reset on set_termios (git-fixes).
serial: stm32: fix software flow control transfer (git-fixes).
supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
usb: gadget: f_fs: Use stream_open() for endpoint files (git-fixes).
usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS (git-fixes).
usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 (git-fixes).
usb: roles: fix include/linux/usb/role.h compile issue (git-fixes).
usb: typec: tcpm: Do not disconnect while receiving VBUS off (git-fixes).
usb: uhci: add aspeed ast2600 uhci support (git-fixes).
vfio/iommu_type1: replace kfree with kvfree (git-fixes).
video: hyperv_fb: Fix validation of screen resolution (git-fixes).
vxlan: fix error return code in __vxlan_dev_create() (bsc#1154353).
workqueue: Fix unbind_workers() VS wq_worker_running() race (bsc#1195062).
x86/gpu: Reserve stolen memory for first integrated Intel GPU (git-fixes).
xfrm: fix MTU regression (bsc#1185377, bsc#1194048).

Advisory ID	SUSE-SU-2022:370-1
Released	Fri Feb 11 08:35:29 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	critical
References	1154353,1154488,1156395,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,1195476,1195477,1195478,1195479,1195480,1195481,1195482,CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).
CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
CVE-2022-0286: Fixed null pointer dereference in bond_ipsec_add_sa() that may have lead to local denial of service (bnc#1195371).
CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).
CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).
CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large endpoint 0 requests (bsc#1193802).
CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
CVE-2021-22600: Fixed double free bug in packet_set_ring() in net/packet/af_packet.c that could have been exploited by a local user through crafted syscalls to escalate privileges or deny service (bnc#1195184).
CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that mishandled software scrollback (bnc#1187723).

The following non-security bugs were fixed:

ACPI: battery: Add the ThinkPad 'Not Charging' quirk (git-fixes).
ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() (git-fixes).
ACPICA: Fix wrong interpretation of PCC address (git-fixes).
ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 (git-fixes).
ACPICA: Utilities: Avoid deleting the same object twice in a row (git-fixes).
ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions (git-fixes).
ALSA: seq: Set upper limit of processed events (git-fixes).
ALSA: usb-audio: Correct quirk for VF0770 (git-fixes).
ALSA: usb-audio: initialize variables that could ignore errors (git-fixes).
ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name (git-fixes).
ASoC: fsl: Add missing error handling in pcm030_fabric_probe (git-fixes).
ASoC: max9759: fix underflow in speaker_gain_control_put() (git-fixes).
ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes (git-fixes).
Bluetooth: Fix debugfs entry leak in hci_register_dev() (git-fixes).
Bluetooth: refactor malicious adv data check (git-fixes).
Documentation: fix firewire.rst ABI file path error (git-fixes).
HID: apple: Do not reset quirks when the Fn key is not found (git-fixes).
HID: quirks: Allow inverting the absolute X/Y values (git-fixes).
HID: uhid: Fix worker destroying device without any protection (git-fixes).
HID: wacom: Reset expected and received contact counts at the same time (git-fixes).
IB/cm: Avoid a loop when device has 255 ports (git-fixes)
IB/hfi1: Fix error return code in parse_platform_config() (git-fixes)
IB/hfi1: Use kzalloc() for mmu_rb_handler allocation (git-fixes)
IB/isert: Fix a use after free in isert_connect_request (git-fixes)
IB/mlx4: Separate tunnel and wire bufs parameters (git-fixes)
IB/mlx5: Add missing error code (git-fixes)
IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex (git-fixes)
IB/mlx5: Fix error unwinding when set_has_smi_cap fails (git-fixes)
IB/mlx5: Return appropriate error code instead of ENOMEM (git-fixes)
IB/umad: Return EIO in case of when device disassociated (git-fixes)
IB/umad: Return EPOLLERR in case of when device disassociated (git-fixes)
Input: wm97xx: Simplify resource management (git-fixes).
NFS: Ensure the server had an up to date ctime before renaming (git-fixes).
NFSv4: Handle case where the lookup of a directory fails (git-fixes).
NFSv4: nfs_atomic_open() can race when looking up a non-regular file (git-fixes).
PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller (git-fixes).
PM: wakeup: simplify the output logic of pm_show_wakelocks() (git-fixes).
RDMA/addr: Be strict with gid size (git-fixes)
RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res (git-fixes)
RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() (git-fixes)
RDMA/bnxt_re: Set queue pair state when being queried (git-fixes)
RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (git-fixes)
RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
RDMA/core: Do not access cm_id after its destruction (git-fixes)
RDMA/core: Do not indicate device ready when device enablement fails (git-fixes)
RDMA/core: Fix corrupted SL on passive side (git-fixes)
RDMA/core: Unify RoCE check and re-factor code (git-fixes)
RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (git-fixes)
RDMA/cxgb4: Fix the reported max_recv_sge value (git-fixes)
RDMA/cxgb4: Validate the number of CQEs (git-fixes)
RDMA/cxgb4: add missing qpid increment (git-fixes)
RDMA/hns: Add a check for current state before modifying QP (git-fixes)
RDMA/hns: Remove the portn field in UD SQ WQE (git-fixes)
RDMA/hns: Remove unnecessary access right set during INIT2INIT (git-fixes)
RDMA/i40iw: Address an mmap handler exploit in i40iw (git-fixes)
RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails (git-fixes)
RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr() (git-fixes)
RDMA/mlx5: Fix potential race between destroy and CQE poll (git-fixes)
RDMA/mlx5: Fix query DCT via DEVX (git-fixes)
RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters() (git-fixes)
RDMA/mlx5: Fix wrong free of blue flame register on error (git-fixes)
RDMA/mlx5: Issue FW command to destroy SRQ on reentry (git-fixes)
RDMA/mlx5: Recover from fatal event in dual port mode (git-fixes)
RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (git-fixes)
RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd() (git-fixes)
RDMA/rxe: Clear all QP fields if creation failed (git-fixes)
RDMA/rxe: Compute PSN windows correctly (git-fixes)
RDMA/rxe: Correct skb on loopback path (git-fixes)
RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (git-fixes)
RDMA/rxe: Fix coding error in rxe_recv.c (git-fixes)
RDMA/rxe: Fix missing kconfig dependency on CRYPTO (git-fixes)
RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
RDMA/rxe: Remove useless code in rxe_recv.c (git-fixes)
RDMA/siw: Fix a use after free in siw_alloc_mr (git-fixes)
RDMA/siw: Fix calculation of tx_valid_cpus size (git-fixes)
RDMA/siw: Fix handling of zero-sized Read and Receive Queues. (git-fixes)
RDMA/siw: Properly check send and receive CQ pointers (git-fixes)
RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (git-fixes)
RDMA/uverbs: Fix a NULL vs IS_ERR() bug (git-fixes)
RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr() (git-fixes)
RMDA/sw: Do not allow drivers using dma_virt_ops on highmem configs (git-fixes)
USB: core: Fix hang in usb_kill_urb by adding memory barriers (git-fixes).
USB: serial: mos7840: fix probe error handling (git-fixes).
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply (git-fixes).
arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
asix: fix wrong return value in asix_check_host_enable() (git-fixes).
ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe() (git-fixes).
ath10k: Fix tx hanging (git-fixes).
ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream (git-fixes).
batman-adv: allow netlink usage in unprivileged containers (git-fixes).
blk-cgroup: fix missing put device in error path from blkg_conf_pref() (bsc#1195481).
blk-mq: introduce blk_mq_set_request_complete (git-fixes).
bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() (bsc#1194227).
btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
clk: si5341: Fix clock HW provider cleanup (git-fixes).
crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
dma-buf: heaps: Fix potential spectre v1 gadget (git-fixes).
drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
drm/bridge: megachips: Ensure both bridges are probed before registration (git-fixes).
drm/etnaviv: limit submit sizes (git-fixes).
drm/etnaviv: relax submit size limits (git-fixes).
drm/i915/overlay: Prevent divide by zero bugs in scaling (git-fixes).
drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y (git-fixes).
drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc (git-fixes).
drm/msm/dsi: Fix missing put_device() call in dsi_get_phy (git-fixes).
drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (git-fixes).
drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy (git-fixes).
drm/msm: Fix wrong size calculation (git-fixes).
drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR (git-fixes).
drm/nouveau: fix off by one in BIOS boundary checking (git-fixes).
drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L (git-fixes).
ext4: fix an use-after-free issue about data=journal writeback mode (bsc#1195482).
ext4: make sure quota gets properly shutdown on error (bsc#1195480).
ext4: set csum seed in tmp inode while migrating to extents (bsc#1195267).
floppy: Add max size check for user space request (git-fixes).
fsnotify: fix fsnotify hooks in pseudo filesystems (bsc#1195479).
fsnotify: invalidate dcache before IN_DELETE event (bsc#1195478).
gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock (git-fixes).
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use (git-fixes).
hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
hwmon: (lm90) Reduce maximum conversion rate for G781 (git-fixes).
i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters (git-fixes).
i2c: i801: Do not silently correct invalid transfer size (git-fixes).
i2c: mpc: Correct I2C reset procedure (git-fixes).
i40iw: Add support to make destroy QP synchronous (git-fixes)
ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1160634).
iwlwifi: fix leaks/bad data after failed firmware load (git-fixes).
iwlwifi: mvm: Fix calculation of frame length (git-fixes).
iwlwifi: mvm: Increase the scan timeout guard to 30 seconds (git-fixes).
iwlwifi: mvm: synchronize with FW after multicast commands (git-fixes).
iwlwifi: remove module loading failure message (git-fixes).
lib82596: Fix IRQ check in sni_82596_probe (git-fixes).
lightnvm: Remove lightnvm implemenation (bsc#1191881).
mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes (git-fixes).
media: igorplugusb: receiver overflow should be reported (git-fixes).
media: m920x: do not use stack on USB reads (git-fixes).
media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds (git-fixes).
mlxsw: Only advertise link modes supported by both driver and device (bsc#1154488).
mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO (git-fixes).
mtd: nand: bbt: Fix corner case in bad block table handling (git-fixes).
mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings (git-fixes).
mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 (git-fixes).
net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).
net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering (jsc#SLE-8464).
net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
net/mlx5e: Protect encap route dev from concurrent release (jsc#SLE-8464).
net: allow retransmitting a TCP packet if original is still in queue (bsc#1188605 bsc#1187428).
net: bonding: fix bond_xmit_broadcast return value error bug (bsc#1176447).
net: bridge: vlan: fix memory leak in __allowed_ingress (bsc#1176447).
net: bridge: vlan: fix single net device option dumping (bsc#1176447).
net: mana: Add RX fencing (bsc#1193506).
net: mana: Add XDP support (bsc#1193506).
net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc (bsc#1183405).
net: sched: add barrier to ensure correct ordering for lockless qdisc (bsc#1183405).
net: sched: avoid unnecessary seqcount operation for lockless qdisc (bsc#1183405).
net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
net: sched: fix tx action reschedule issue with stopped queue (bsc#1183405).
net: sched: fix tx action rescheduling issue during deactivation (bsc#1183405).
net: sched: replaced invalid qdisc tree flush helper in qdisc_replace (bsc#1183405).
net: sfp: fix high power modules without diagnostic monitoring (bsc#1154353).
netdevsim: set .owner to THIS_MODULE (bsc#1154353).
nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() (git-fixes).
nvme-core: use list_add_tail_rcu instead of list_add_tail for nvme_init_ns_head (git-fixes).
nvme-fabrics: avoid double completions in nvmf_fail_nonready_command (git-fixes).
nvme-fabrics: ignore invalid fast_io_fail_tmo values (git-fixes).
nvme-fabrics: remove superfluous nvmf_host_put in nvmf_parse_options (git-fixes).
nvme-tcp: fix data digest pointer calculation (git-fixes).
nvme-tcp: fix incorrect h2cdata pdu offset accounting (git-fixes).
nvme-tcp: fix memory leak when freeing a queue (git-fixes).
nvme-tcp: fix possible use-after-completion (git-fixes).
nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t() (git-fixes).
nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
nvme: fix use after free when disconnecting a reconnecting ctrl (git-fixes).
nvme: introduce a nvme_host_path_error helper (git-fixes).
nvme: refactor ns->ctrl by request (git-fixes).
phy: uniphier-usb3ss: fix unintended writing zeros to PHY register (git-fixes).
phylib: fix potential use-after-free (git-fixes).
pinctrl: bcm2835: Add support for wake-up interrupts (git-fixes).
pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line (git-fixes).
pinctrl: intel: fix unexpected interrupt (git-fixes).
powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a debugfs entry (bsc#1195183 ltc#193865).
powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending (bsc#1156395).
regulator: qcom_smd: Align probe function with rpmh-regulator (git-fixes).
rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev (git-fixes).
rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev (git-fixes).
rsi: Fix use-after-free in rsi_rx_done_handler() (git-fixes).
sched/fair: Fix detection of per-CPU kthreads waking a task (git fixes (sched/fair)).
sched/numa: Fix is_core_idle() (git fixes (sched/numa)).
scripts/dtc: dtx_diff: remove broken example from help text (git-fixes).
scripts/dtc: only append to HOST_EXTRACFLAGS instead of overwriting (git-fixes).
serial: 8250: of: Fix mapped region size when using reg-offset property (git-fixes).
serial: Fix incorrect rs485 polarity on uart open (git-fixes).
serial: amba-pl011: do not request memory region twice (git-fixes).
serial: core: Keep mctrl register state and cached copy in sync (git-fixes).
serial: pl010: Drop CR register reset on set_termios (git-fixes).
serial: stm32: fix software flow control transfer (git-fixes).
spi: bcm-qspi: check for valid cs before applying chip select (git-fixes).
spi: mediatek: Avoid NULL pointer crash in interrupt (git-fixes).
spi: meson-spicc: add IRQ check in meson_spicc_probe (git-fixes).
supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
tty: Add support for Brainboxes UC cards (git-fixes).
tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
udf: Fix NULL ptr deref when converting from inline format (bsc#1195476).
udf: Restore i_lenAlloc when inode expansion fails (bsc#1195477).
usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge (git-fixes).
usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
usb: gadget: f_fs: Use stream_open() for endpoint files (git-fixes).
usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS (git-fixes).
usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 (git-fixes).
usb: roles: fix include/linux/usb/role.h compile issue (git-fixes).
usb: typec: tcpm: Do not disconnect while receiving VBUS off (git-fixes).
usb: uhci: add aspeed ast2600 uhci support (git-fixes).
vfio/iommu_type1: replace kfree with kvfree (git-fixes).
video: hyperv_fb: Fix validation of screen resolution (git-fixes).
vxlan: fix error return code in __vxlan_dev_create() (bsc#1154353).
workqueue: Fix unbind_workers() VS wq_worker_running() race (bsc#1195062).
x86/gpu: Reserve stolen memory for first integrated Intel GPU (git-fixes).
xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
xhci-pci: Allow host runtime PM as default for Intel Alpine Ridge LP (git-fixes).

Advisory ID	SUSE-RU-2022:373-1
Released	Mon Feb 14 09:58:35 2022
Summary	Recommended update for rpmlint
Type	recommended
Severity	moderate
References	1195491,1195548,1195662

Description:

This update for rpmlint fixes the following issues:

Whitelisting `kdenetwork-filesharing`. (bsc#1195548)
Whitelisting of `powerdevil5`. (bsc#1195662)
Whitelisting of `plasma5-disks`. (bsc#1195491)

Advisory ID	SUSE-SU-2022:375-1
Released	Mon Feb 14 11:12:42 2022
Summary	Security update for wireshark
Type	security
Severity	moderate
References	1194166,1194167,1194168,1194169,1194170,1194171,1194780,CVE-2021-4181,CVE-2021-4182,CVE-2021-4183,CVE-2021-4184,CVE-2021-4185,CVE-2021-4190

Description:

This update for wireshark fixes the following issues:
Update to version 3.6.1:

CVE-2021-4185: RTMPT dissector infinite loop (bsc#1194166)
CVE-2021-4184: BitTorrent DHT dissector infinite loop (bsc#1194167)
CVE-2021-4183: pcapng file parser crash (bsc#1194168)
CVE-2021-4182: RFC 7468 file parser infinite loop (bsc#1194169)
CVE-2021-4181: Sysdig Event dissector crash (bsc#1194170)
CVE-2021-4190: Kafka dissector infinite loop (bsc#1194171)
Support for Shared Memory Communications (SMC) (jsc#SLE-18727)

Advisory ID	SUSE-RU-2022:378-1
Released	Tue Feb 15 13:20:44 2022
Summary	Recommended update for pacemaker
Type	recommended
Severity	moderate
References	1191676

Description:

This update for pacemaker fixes the following issues:

attrd: check election status upon loss of a voter to prevent unexpected pending (bsc#1191676)

Advisory ID	SUSE-RU-2022:383-1
Released	Tue Feb 15 17:47:36 2022
Summary	Recommended update for cyrus-sasl
Type	recommended
Severity	moderate
References	1194265

Description:

This update for cyrus-sasl fixes the following issues:

Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265)
Add config parameter '--with-dblib=gdbm'
Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.

Advisory ID	SUSE-RU-2022:386-1
Released	Wed Feb 16 09:32:34 2022
Summary	Recommended update for autoyast2
Type	recommended
Severity	moderate
References	1192437,1194440,1194881

Description:

This update for autoyast2 fixes the following issues:

Fix handling of add-on signature settings (bsc#1194881).
Properly merge the autoupgrade workflow when using the online medium (bsc#1192437, bsc#1194440).

Advisory ID	SUSE-RU-2022:439-1
Released	Wed Feb 16 12:41:11 2022
Summary	Recommended update for release-notes-sles
Type	recommended
Severity	important
References	1192121,1193843,1195107,933411

Description:

This update for release-notes-sles fixes the following issues:

15.3.20220202 (tracked in bsc#933411)
Added kernel parameter changes (bsc#1195107)
Added note about IBM Power10 support (bsc#1192121)
Added note about deprecating XFS V4 (jsc#SLE-22663)
Updated note about unixODBC drivers in production (jsc#SLE-20555)
Added note about RTL8821CE support (jsc#SLE-22690)
Updated KillMode=none note (bsc#1193843)

Advisory ID	SUSE-RU-2022:476-1
Released	Thu Feb 17 10:31:35 2022
Summary	Recommended update for nfs-utils
Type	recommended
Severity	moderate
References	1194661

Description:

This update for nfs-utils fixes the following issues:

If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

Advisory ID	SUSE-SU-2022:479-1
Released	Thu Feb 17 14:48:24 2022
Summary	Security update for virglrenderer
Type	security
Severity	important
References	1195389,CVE-2022-0135

Description:

This update for virglrenderer fixes the following issues:

CVE-2022-0135: Fixed out-of-bonds write in read_transfer_data() (bsc#1195389).

Advisory ID	SUSE-SU-2022:480-1
Released	Thu Feb 17 15:10:52 2022
Summary	Security update for tiff
Type	security
Severity	important
References	1071031,1154365,1182808,1182809,1182811,1182812,1190312,1194539,CVE-2017-17095,CVE-2019-17546,CVE-2020-19131,CVE-2020-35521,CVE-2020-35522,CVE-2020-35523,CVE-2020-35524,CVE-2022-22844

Description:

This update for tiff fixes the following issues:

CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).

Advisory ID	SUSE-feature-2022:482-1
Released	Thu Feb 17 15:57:49 2022
Summary	Feature update for libreoffice
Type	feature
Severity	moderate
References	1180479,1183308,1183655,1187982,1189813

Description:

This update for libreoffice fixes the following issues:
Update LibreOffice from version 7.1.4.2 to 7.2.3.2 (jsc#SLE-18214)

Improve the rendering and loading rendering of shapes. (bsc#1183308)
Removed unrecognized option `--disable-vlc` This option has been removed from upstream in commit https://gerrit.libreoffice.org/c/core/+/108283 There's no real change in our build given that the VLC avmedia backend was explicitly disabled.
Fix gtk popover usage on gtk 3.20
Revert upstream commit https://gerrit.libreoffice.org/c/core/+/116884
Fix generated list of files for python scripts
Updating some LibreOffice buildrequires
Fix UI scaling on HIDPI Wayland/KDE screens
Fix inteaction between multi-column shape text and automatic height. (bsc#1187982)
Fix interaction of transparent cell fill and transparent shadow. (bsc#1189813)
Use vendored boost for all codestreams except Tumbleweed. Update boost vendored version.
Add vendored poppler to use for all codestreams except Tumbleweed.
Keep upstream desktop file names (bsc#1183655) and display math icon (bsc#1180479)
Source profile.d/alljava.sh from either /etc (if found) or /usr/etc).

Advisory ID	SUSE-RU-2022:485-1
Released	Fri Feb 18 04:30:56 2022
Summary	Recommended update for tomcat
Type	recommended
Severity	moderate
References	1193569

Description:

This update for tomcat fixes the following issues:

Fix Null Pointer Exception in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)

Advisory ID	SUSE-RU-2022:487-1
Released	Fri Feb 18 07:25:30 2022
Summary	Recommended update for transactional-update
Type	recommended
Severity	moderate
References	1133891,1149131,1177149,1183521,1183539,1183856,1184529,1185224,1185226,1185625,1185766,1186213,1186775,1186842,1188110,1188322,1188648,1189728,1189807,1190383,1190574,1190788,1191475,1191945,1192078,1192242,1192302

Description:

This update for transactional-update fixes the following issues:

Version 3.6.2 - Bind mount root file system snapshot on itself, this makes the temporary directory in '/tmp' unnecessary; also fixes to return the correct snapshot's working directory via API call. (bsc#1188110) - Use separate mount namespace for transactional-update; this should fix several applications that fail to run if a mount point has the 'unbindable' mount flag set

Version 3.6.1
Fix rsyncing '/etc' into the running system with '--drop-if-no-change'. (bsc#1192242)

Version 3.6.0 - Simplify mount hierarchy by just using a single slave bind mount as the root of the update environment; this may avoid the error messages of failed unmounts. (bsc#1191945)

Version 3.5.7 Various fixes affecting Salt support: - t-u: Don't squash stderr messages into stdout - t-u: Correctly handle case when the snapshot has been deleted due to using --drop-if-no-change: Don't show reboot messages and avoid an awk error message. (bsc#1191475) - tukit: Make inotify handler less sensitive / ignore more directories (bsc#1191475)

Version 3.5.6 - tukit: Add S/390 bootloader support (bsc#1189807) - t-u: support purge-kernels with t-u patch (bsc#1190788)

Version 3.5.5 - t-u: Use tukit for SUSEConnect call (bsc#1190574) Correctly registers repositories

Version 3.5.4 - tukit: Fix resolved support (bsc#1190383)

Version 3.5.3 - t-u: Purge kernels as part of package operations Required for live patching support (bsc#1189728)

Version 3.5.2 - tukit: Fix overlay syncing errors with SELinux (bsc#1188648) - Don't print message for `shell` with --quiet

Version 3.5.1 - t-u: Disable status file generation by default The new experimental `status` command requires the availability of /etc/YaST2/control.xml, which is not present on all systems. Hide the creation of the corresponding status file behind a new EXPERIMENTAL_STATUS option to try out this functionality. - Increase library version

Version 3.5.0 - Add alias setDiscardIfUnchanged for setDiscard. The old method name wasn't really clear and will be removed if we should have an API break in the future - Replace 'mkinitrd' with direct dracut call. (bsc#1186213) - tukit: Add configuration file support (/etc/tukit.conf) - Allow users to configure additional bind mounts (see /usr/etc/tukit.conf for an example and limitations). (bsc#1188322) - Add 'transactional-update status' call. This is a POC for obtaining a hash of a system to verify its integrity. - Internal bugfixes / optimizations

Version 3.4.0 - Apply 'SElinux' context on '/etc' in transaction. (bsc#1185625, bsc#1185766, bsc#1186842, bsc#1186775) - Implement inotify handling in C instead of Bash; this makes the --drop-if-no-change option work on SLE Micro. (bsc#1184529) - Use `tukit call` for up, dup and patch to allow resuming an update after zypper updated itself in the snapshot. (bsc#1185226) - Fix obsolete output type messages in 'initrd'. (bsc#1177149) - Make different base snapshot warning more visible. (bsc#1185224)

Version 3.3.0 - Add support for more package managers by bind mounting their directories - Support snapshots without dedicated overlay [bsc#1183539], (bsc#1183539) - Link RPM database correctly with older zypper versions (bsc#1183521) - Don't discard manual changes in fstab (bsc#1183856, bsc#1192302)

Advisory ID	SUSE-SU-2022:492-1
Released	Fri Feb 18 10:32:49 2022
Summary	Security update for strongswan
Type	security
Severity	important
References	1194471,CVE-2021-45079

Description:

This update for strongswan fixes the following issues:

CVE-2021-45079: Fixed authentication bypass in EAP authentication. (bsc#1194471)

Advisory ID	SUSE-SU-2022:493-1
Released	Fri Feb 18 10:36:59 2022
Summary	Security update for clamav
Type	security
Severity	important
References	1194731,CVE-2022-20698

Description:

This update for clamav fixes the following issues:

CVE-2022-20698: Fixed invalid pointer read allowing denial of service crash. (bsc#1194731)

Advisory ID	SUSE-SU-2022:498-1
Released	Fri Feb 18 10:46:56 2022
Summary	Security update for expat
Type	security
Severity	important
References	1195054,1195217,CVE-2022-23852,CVE-2022-23990

Description:

This update for expat fixes the following issues:

CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

Advisory ID	SUSE-SU-2022:499-1
Released	Fri Feb 18 10:50:15 2022
Summary	Security update for python-Twisted
Type	security
Severity	important
References	1195667,CVE-2022-21712

Description:

This update for python-Twisted fixes the following issues:

CVE-2022-21712: Fixed secret exposure in cross-origin redirects by properly removing sensitive headers when redirecting to a different origin (bsc#1195667).

Advisory ID	SUSE-SU-2022:503-1
Released	Fri Feb 18 10:55:49 2022
Summary	Security update for xerces-j2
Type	security
Severity	important
References	1195108,CVE-2022-23437

Description:

This update for xerces-j2 fixes the following issues:

CVE-2022-23437: Fixed infinite loop within Apache XercesJ xml parser (bsc#1195108).

Advisory ID	SUSE-RU-2022:513-1
Released	Fri Feb 18 12:43:10 2022
Summary	Recommended update for grub2
Type	recommended
Severity	moderate
References	1159205,1190395

Description:

This update for grub2 fixes the following issues:

Fix wrong default entry when booting snapshot (bsc#1159205).
Improve support for SLE Micro 5.1 on s390x (bsc#1190395).

Advisory ID	SUSE-RU-2022:519-1
Released	Fri Feb 18 12:44:57 2022
Summary	Recommended update for sysstat
Type	recommended
Severity	moderate
References	1194679

Description:

This update for sysstat fixes the following issues:

Fix possible segfault (bsc#1194679).

Advisory ID	SUSE-RU-2022:520-1
Released	Fri Feb 18 12:45:19 2022
Summary	Recommended update for rpm
Type	recommended
Severity	moderate
References	1194968

Description:

This update for rpm fixes the following issues:

Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)

Advisory ID	SUSE-RU-2022:522-1
Released	Fri Feb 18 12:47:18 2022
Summary	Recommended update for fetchmail
Type	recommended
Severity	moderate
References	1193894

Description:

This update for fetchmail fixes the following issues:

Restore autoprobe functionality (bsc#1193894)

Advisory ID	SUSE-RU-2022:523-1
Released	Fri Feb 18 12:49:09 2022
Summary	Recommended update for systemd
Type	recommended
Severity	moderate
References	1193759,1193841

Description:

This update for systemd fixes the following issues:

systemctl: exit with 1 if no unit files found (bsc#1193841).
add rules for virtual devices (bsc#1193759).
enforce 'none' for loop devices (bsc#1193759).

Advisory ID	SUSE-SU-2022:525-1
Released	Fri Feb 18 15:12:10 2022
Summary	Security update for polkit
Type	security
Severity	moderate
References	1195542,CVE-2021-4115

Description:

This update for polkit fixes the following issues:

CVE-2021-4115: Fixed a denial of service via file descriptor leak (bsc#1195542).

Advisory ID	SUSE-SU-2022:526-1
Released	Fri Feb 18 16:56:16 2022
Summary	Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container
Type	security
Severity	moderate
References	CVE-2021-43565

Description:

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:

Update to version 0.49.0 Release notes https://github.com/kubevirt/kubevirt/releases/tag/v0.49.0
Drop kubevirt-psp-caasp.yaml

Install curl and lsscsi (needed for testing)

Symlink UEFI firmware with AMD SEV support

Install tar package to enable kubectl cp ...

Make a 'fixed appliance' for libguestfs
Explicitly install libguestfs{,-devel} and supermin

Advisory ID	SUSE-RU-2022:528-1
Released	Fri Feb 18 16:56:37 2022
Summary	Recommended update for resource-agents
Type	recommended
Severity	moderate
References

Description:

This update for resource-agents fixes the following issues:

Provide a way to manage autofs mounts from within the HA Filesystem Resource Agent script. (jsc#SLE-23739)

Advisory ID	SUSE-RU-2022:533-1
Released	Mon Feb 21 09:28:48 2022
Summary	Recommended update for python-kiwi
Type	recommended
Severity	moderate
References	1180539,1184128,1184823,1185287,1185937,1187460,1187461,1187515,1192975,1195229

Description:

This update for python-kiwi fixes the following issues:
This version upgrade includes several fixes:

Ensure backward compatibility on deprecated methods This commit ensures backward compatibility for deprecated config bash script utilities. (bsc#1195229)

* Fixed regression in compression detection. (bsc#1192975) * index.rst: Change title (bsc#1189294#c2) * suggested in bsc#1189294#c2 for more clarity * change has been discussed with and approved by main author (Marcus S.) * Care for different snapper template locations. (bsc#1192940) * Do not force dracut into a compression setting * Fixed secure boot fallback setup Make sure MokManager gets copied. The name and location of the mok manager is distribution specific in the same way as the shim loader. Thus we need to apply a similar concept for looking it up. (bsc#1187515) * Allow creation of LUKS system with empty key To support cloud platforms better we should allow the creation of an initial(insecure) LUKS encrypted image with an empty passphrase/keyfile. (bsc#1187461, bsc#1187460) * Delete obsolete 'ddb.adapterType' patching When building a vmdk image with pvscsi as adapter type, kiwi implicitly changed the adapter_type from pvscsi to lsilogic because qemu only knows lsilogic. At the end kiwi patched the adapter type in the descriptor of the vmdk header back to pvscsi. That patching seems to be wrong according to information from users and VMware support. This commit deletes the descriptor patching and only leaves the pvscsi setting in the guest configuration(vmx). bsc#1180539) * Make dracut version check more robust The check_dracut_module_versions_compatible_to_kiwi() runtime check calls the package manager from the host and reads the package database from the image root. Doing this requires the package database in the image to be compatible with the package manager on the host. However this cannot be guarenteed and it is more robust to chroot into the image root and call the package manager from there. However, this change also comes with the cost that it's required to have a package manager available in the image root tree. Therefore along with the chroot based call, eventual exceptions from the call are now catched and leads to a debug message in the log file but will not lead the runtime check to fail. I consider the cases without a package database inside of the image to be less critical than the incompatibility issue between the host tooling and the package database in the image. (bsc#1185937) * Fixed setup of repository architecture Unfortunately the architecture reported by uname is not necessarily the same name as used in the repository metadata. Therefore it was not a good idea to set the architecture and manage the name via a mapping table. It also has turned out that repo arch names are distro specific which causes more complexity on an eventual mapping table. In the end this commit changes the way how the repository architecture is setup in a way that we only set the architecture if a name was explicitly specified such that the user keeps full control over it without any mapping magic included (bsc#1185287) * Do not apply default subcommand for derivate containers This commit does not apply the default subcommand for derivate containers. (bsc#1184823) * Added openssl to the core requires openssl is used in kiwi to construct a password hash if the plaintext password feature for user settings is used. (bsc#1184128)

Advisory ID	SUSE-RU-2022:537-1
Released	Mon Feb 21 13:21:56 2022
Summary	Recommended update for yast2-dhcp-server
Type	recommended
Severity	low
References

Description:

This update for yast2-dhcp-server fixes the following issues:

Fix DNS zone creation by fixing a maintained DNS zone check.

Advisory ID	SUSE-SU-2022:539-1
Released	Mon Feb 21 13:47:51 2022
Summary	Security update for systemd
Type	security
Severity	moderate
References	1191826,1192637,1194178,CVE-2021-3997

Description:

This update for systemd fixes the following issues:

CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178).

The following non-security bugs were fixed:

udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)
localectl: don't omit keymaps files that are symlinks (bsc#1191826)

Advisory ID	SUSE-SU-2022:540-1
Released	Mon Feb 21 13:48:32 2022
Summary	Security update for ImageMagick
Type	security
Severity	moderate
References	1195563,CVE-2022-0284

Description:

This update for ImageMagick fixes the following issues:

CVE-2022-0284: Fixed heap buffer overread in GetPixelAlpha() in MagickCore/pixel-accessor.h (bsc#1195563).

Advisory ID	SUSE-RU-2022:545-1
Released	Mon Feb 21 20:30:54 2022
Summary	Recommended update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, libnbd, nbdkit
Type	recommended
Severity	moderate
References

Description:

This update for cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, libnbd, nbdkit fixes the following issues:

Update to version 1.43.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.43.0

Update to version 1.42.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.42.0

Detect SLE15 SP4 build environment

Update to version 1.41.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.41.0

Update to version 1.40.0 Release notes https://github.com/kubevirt/containerized-data-importer/releases/tag/v1.40.0

Install util-linux package (provides blockdev)

Update to version 1.29.4: * Remove deprecated nbdkit-streaming-plugin * Added retry-request-filter, an alternative, more lightweight, filter with different trade-offs for nbdkit-retry-filter. * cc: Document how to create OCaml plugin scripts * cc: Add binding for .cleanup * docs: Document NBDKIT_VERSION_* macros

Advisory ID	SUSE-RU-2022:546-1
Released	Mon Feb 21 20:36:36 2022
Summary	Recommended update for monitoring-plugins
Type	recommended
Severity	important
References	1047218,1114483,1191011

Description:

This update for monitoring-plugins fixes the following issues:
the patch just reverts the problem, if you get more than 64K on stdout

recommend syslog for monitoring-plugins-log, as people probably want to analize logs generated by (r)syslog or journald check_snmp will segfaults at line 489 if number of lines returned by SNMPD is greater than number of defined thresholds

Remove unneeded build requirement on 'syslog'

Remove unneeded BuildRequires on python-devel (bsc#1191011)

Call gettextize with --no-changelog to make package build reproducible (bsc#1047218)

Update to 2.3.1: Enhancements * check_curl: Add an option to verify the peer certificate and host using the system CA's Fixes * check_curl: fixed help, usage and errors for TLS 1.3 * check_curl: fixed a potential buffer overflow in url buffer * check_dns: split multiple IP addresses passed in one -a argument * check_curl: added string_statuscode function for printing HTTP/1.1 and HTTP/2 correctly * check_curl: fix crash if http header contains leading spaces * check_curl: display a specific human-readable error message where possible * check_pgsql: Using snprintf which honors the buffers size and guarantees null termination. * check_snmp: put the 'c' (to mark a counter) after the perfdata value * check_http: Increase regexp limit * check_http: make -C obvious * check_curl: Increase regexp limit (to 1024 as in check_http) * check_curl: make -C obvious (from check_http)

Update to 2.3 (final): Enhancements * check_dns: allow 'expected address' (-a) to be specified in CIDR notation (IPv4 only). * check_dns: allow for IPv6 RDNS * check_dns: Accept CIDR * check_dns: allow unsorted addresses * check_dns: allow forcing complete match of all addresses * check_apt: add --only-critical switch * check_apt: add -l/--list option to print packages * check_file_age: add range checking * check_file_age: enable to test for maximum file size * check_apt: adding packages-warning option * check_load: Adding top consuming processes option * check_http: Adding Proxy-Authorization and extra headers * check_snmp: make calcualtion of timeout value in help output more clear * check_uptime: new plugin for checking uptime to see how long the system is running * check_curl: check_http replacement based on libcurl * check_http: Allow user to specify HTTP method after proxy CONNECT * check_http: Add new flag --show-body/-B to print body * check_cluster: Added data argument validation * check_icmp: Add IPv6 support * check_icmp: Automatically detect IP protocol * check_icmp: emit error if multiple protocol version * check_disk: add support to display inodes usage in perfdata * check_hpjd: Added -D option to disable warning on 'out of paper' * check_http: support the --show-body/-B flag when --expect is used * check_mysql: allow mariadbclient to be used * check_tcp: add --sni * check_dns: detect unreachable dns service in nslookup output Fixes * Fix regression where check_dhcp was rereading response in a tight loop * check_dns: fix error detection on sles nslookup * check_disk_smb: fix timeout issue * check_swap: repaired -n behaviour * check_icmp: Correctly set address_family on lookup * check_icmp: Do not overwrite -4,-6 on lookup * check_smtp: initializes n before it is used * check_dns: fix typo in parameter description * check_by_ssh: fix child process leak on timeouts * check_mysql: Allow sockets to be specified to -H * check_procs: improve command examples for 'at least' processes * check_disk: include -P switch in help * check_mailq: restore accidentially removed options

change version to 2.3~alpha.$date.$commit changes summarized * detect unreachable dns service in nslookup output * check_curl: host_name may be null * update test parameter according to check_http * check_curl: use CURLOPT_RESOLVE to fix connecting to the right ip * workaround for issue #1550 - better use 'ping -4' instead of 'ping' if supported * Use size_t instead of int when calling sysctl(3) * check_tcp: add --sni * Fix timeout_interval declarations * check_curl: NSS, parse more date formats from certificate (in -C cert check) * check_curl: more tolerant CN= parsing when checking certificates (hit on Centos 8) * setting no_body to TRUE when we have a HEAD request * some LIBCURL_VERSION checks around HTTP/2 feature * added --http-version option to check_curl to choose HTTP * improved curlhelp_parse_statusline to handle both HTTP/1.x and HTTP/2 * check_curl: updates embedded picohttpparser to newest git version * setting progname of check_curl plugin to check_curl (at least for now) * Allow mariadbclient to be used for check_mysql * fix maxfd being zero * include -P switch in help * check_swap: repaired '-n' behaviour * improve command examples for 'at least' processes * check_mysql: Allow sockets to be specified to -H * Adding packages-warning option to check_apt plugin * Adding print top consuming processes option to check_load * check_snmp: make calcualtion of timeout value in help output more clear * [check_disk] add support to display inodes usage in perfdata * check_by_ssh: fix child process leak on timeouts * check_icmp: Add IPv6 support * check_dns: fix typo in parameter description * Also support the --show-body/-B flag when --expect is used * check_dns: improve support for checking multiple addresses * check_hpjd: Added -D option to disable warning on 'out of paper' * check_icmp: Do not overwrite -4,-6 on lookup * check_icmp: emit error if multiple protocol version * check_icmp: move opts string into a variable * check_cluster.c: Added data argument validation. * check_icmp: Correctly set address_family on lookup * check_icmp: process protocol version args first * check_icmp: Add IPv6 support
drop explicit attr in filelist for check_host and check_rta_multi as they are symlinks to check_icmp
add new subpackage monitoring-plugins-uptime

include upstream fixes for check_swap
simply fix the plugin name in the comment
improve the output if the swap has zero size
use unknown exit code for help/version in plugins
updated context in

monitoring-plugins-mysql should also provide monitoring-plugins-mysql_query
Provide/Obsolete nagios-plugins in old version for better compatibility and to allow dist upgrade (bsc#1114483)

Advisory ID	SUSE-RU-2022:548-1
Released	Tue Feb 22 13:48:55 2022
Summary	Recommended update for blog
Type	recommended
Severity	moderate
References	1186506,1191057

Description:

This update for blog fixes the following issues:

Update to version 2.26 * On s390/x and PPC64 gcc misses unused arg0

Update to version 2.24 * Avoid install errror due missed directory

Update to version 2.22 * Avoid KillMode=none for newer systemd version as well as rework the systemd unit files of blog (bsc#1186506)

Move to /usr for UsrMerge (bsc#1191057)

Update to version 2.21 * Merge pull request #4 from samueldr/fix/makefile Fixup Makefile for better build system support * Silent new gcc compiler

Advisory ID	SUSE-SU-2022:559-1
Released	Wed Feb 23 15:04:54 2022
Summary	Security update for MozillaThunderbird
Type	security
Severity	important
References	1195682,1196072,CVE-2022-0566,CVE-2022-22753,CVE-2022-22754,CVE-2022-22756,CVE-2022-22759,CVE-2022-22760,CVE-2022-22761,CVE-2022-22763,CVE-2022-22764

Description:

This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird 91.6.1 / MFSA 2022-07 (bsc#1196072) * CVE-2022-0566 (bmo#1753094) Crafted email could trigger an out-of-bounds write

Mozilla Thunderbird 91.6 / MFSA 2022-06 (bsc#1195682) * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages * CVE-2022-22763 (bmo#1740534) Script Execution during invalid object state * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545, bmo#1748210, bmo#1748279) Memory safety bugs fixed in Thunderbird 91.6

Advisory ID	SUSE-SU-2022:562-1
Released	Thu Feb 24 08:37:16 2022
Summary	Security update for jasper
Type	security
Severity	moderate
References	1188437,CVE-2021-27845

Description:

This update for jasper fixes the following issues:

CVE-2021-27845: Fixed divide-by-zery issue in cp_create() (bsc#1188437).

Advisory ID	SUSE-RU-2022:572-1
Released	Thu Feb 24 11:58:05 2022
Summary	Recommended update for psmisc
Type	recommended
Severity	moderate
References	1194172

Description:

This update for psmisc fixes the following issues:

Determine the namespace of a process only once to speed up the parsing of 'fdinfo'. (bsc#1194172)

Advisory ID	SUSE-SU-2022:574-1
Released	Fri Feb 25 16:59:28 2022
Summary	Security update for ucode-intel
Type	security
Severity	important
References	1192615,1195779,1195780,1195781,CVE-2021-0127,CVE-2021-0145,CVE-2021-0146,CVE-2021-33120

Description:

This update for ucode-intel fixes the following issues:
Updated to Intel CPU Microcode 20220207 release.

CVE-2021-0146: Fixed a potential security vulnerability in some Intel Processors may allow escalation of privilege (bsc#1192615)
CVE-2021-0127: Intel Processor Breakpoint Control Flow (bsc#1195779)
CVE-2021-0145: Fast store forward predictor - Cross Domain Training (bsc#1195780)
CVE-2021-33120: Out of bounds read for some Intel Atom processors (bsc#1195781)

Security updates for [INTEL-SA-00528](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html)
Security updates for [INTEL-SA-00532](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html)

Advisory ID	SUSE-RU-2022:584-1
Released	Mon Feb 28 16:41:33 2022
Summary	Recommended update for salt
Type	recommended
Severity	moderate
References	1097531,1190781,1193357

Description:

This update for salt fixes the following issues:

Fix inspector module export function (bsc#1097531)
Add all ssh kwargs to sanitize_kwargs method
Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
Don't check for cached pillar errors on state.apply (bsc#1190781)
Simplify 'transactional_update' module to not use SSH wrapper and allow more flexible execution
Add '--no-return-event' option to salt-call to prevent sending return event back to master.
Make 'state.highstate' to acts on concurrent flag.

Advisory ID	SUSE-RU-2022:598-1
Released	Mon Feb 28 16:58:48 2022
Summary	Recommended update for SUSE Manager 4.2.5 Release Notes
Type	recommended
Severity	moderate
References	1097531,1173103,1189561,1190781,1191192,1191285,1191857,1192321,1192368,1192440,1192487,1192510,1192514,1192550,1192566,1192699,1192776,1193008,1193292,1193565,1193585,1193600,1193612,1193694,1193832,1194044,1194397,1194862,1194905,1194990,1195171

Description:

This update for SUSE Manager 4.2.5 Release Notes provides the following additions:
Release notes for SUSE Manager:

Update to 4.2.5 * Ubuntu errata installation support * Make it to possible to sync content from SUSE Cloud RMT Servers * New matchers in Content Lifecycle Management * Change proxy used for clients from the WebUI * Bugs mentioned: bsc#1097531, bsc#1173103, bsc#1189561, bsc#1190781, bsc#1191192 bsc#1191285, bsc#1191857, bsc#1192321, bsc#1192368, bsc#1192440 bsc#1192487, bsc#1192510, bsc#1192514, bsc#1192550, bsc#1192566 bsc#1192699, bsc#1192776, bsc#1193008, bsc#1193292, bsc#1193565 bsc#1193585, bsc#1193612, bsc#1193694, bsc#1193832, bsc#1194044 bsc#1194397, bsc#1194862, bsc#1194905, bsc#1194990, bsc#1195171

Release notes for SUSE Manager proxy:

Update to 4.2.5 * Change proxy used for clients from the WebUI * Bugs mentioned: bsc#1192487, bsc#1192514, bsc#1192699, bsc#1192776, bsc#1193585 bsc#1193600,bsc#1194397

Advisory ID	SUSE-RU-2022:604-1
Released	Tue Mar 1 07:13:50 2022
Summary	Recommended update for rsyslog
Type	recommended
Severity	low
References	1194669

Description:

This update for rsyslog fixes the following issues:

update config example in remote.conf to match upstream documentation (bsc#1194669)

Advisory ID	SUSE-RU-2022:651-1
Released	Tue Mar 1 12:23:21 2022
Summary	Recommended update for crmsh
Type	recommended
Severity	important
References	1194026,1194615,1194870

Description:

This update for crmsh fixes the following issues:

Fix SBD not to overwrite SYSCONFIG_SBD and sbd-disk-metadata if input is 'n' during the configuration (bsc#1194870)
Fix help output of `crm cluster crash_test -h` (bsc#1194615)
Fix information message when the user need to change login shell (bsc#1194026)

Advisory ID	SUSE-SU-2022:657-1
Released	Wed Mar 2 10:11:51 2022
Summary	Security update for nodejs12
Type	security
Severity	important
References	1191962,1191963,1192153,1192154,1192696,CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918

Description:

This update for nodejs12 fixes the following issues:

CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).

Advisory ID	SUSE-RU-2022:674-1
Released	Wed Mar 2 13:24:38 2022
Summary	Recommended update for yast2-network
Type	recommended
Severity	moderate
References	1187512

Description:

This update for yast2-network fixes the following issues:

Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

Advisory ID	SUSE-SU-2022:675-1
Released	Wed Mar 2 18:50:37 2022
Summary	Security update for ldns
Type	security
Severity	moderate
References	1195057,1195058,CVE-2020-19860,CVE-2020-19861

Description:

This update for ldns fixes the following issues:

CVE-2020-19860: Fixed heap-based out of bounds read when verifying a zone file (bsc#1195057).
CVE-2020-19861: Fixed heap-based out of bounds read in ldns_nsec3_salt_data() (bsc#1195058).

Advisory ID	SUSE-RU-2022:681-1
Released	Thu Mar 3 11:36:29 2022
Summary	Recommended update for cloud-regionsrv-client
Type	recommended
Severity	critical
References	1195414,1195564,1196305

Description:

This update for cloud-regionsrv-client fixes the following issues:

Update -addon-azure to 1.0.2 (bsc#1196305) - Fix regression in the cloud-regionsrv-client' with OnDemand images
Update to version 10.0.0 (bsc#1195414, bsc#1195564) - Refactor removes check_registration() function in utils implementation - Only start the registration service for PAYG images - addon-azure sub-package to version 1.0.1

Advisory ID	SUSE-RU-2022:682-1
Released	Thu Mar 3 11:37:03 2022
Summary	Recommended update for supportutils-plugin-suse-public-cloud
Type	recommended
Severity	important
References	1195095,1195096

Description:

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

Update to version 1.0.6 (bsc#1195095, bsc#1195096) - Include cloud-init logs whenever they are present - Update the packages we track in AWS, Azure, and Google - Include the ecs logs for AWS ECS instances

Advisory ID	SUSE-RU-2022:685-1
Released	Thu Mar 3 11:37:36 2022
Summary	Recommended update for clingo, python-Sphinx_4_2_0, python-sphinxcontrib-applehelp, python-sphinxcontrib-devhelp, python-sphinxcontrib-htmlhelp, python-sphinxcontrib-jsmath, python-sphinxcontrib-qthelp, python-sphinxcontrib-serializinghtml, spack
Type	recommended
Severity	important
References	1166965,1193712

Description:

This update for clingo, python-Sphinx_4_2_0, python-sphinxcontrib-applehelp, python-sphinxcontrib-devhelp, python-sphinxcontrib-htmlhelp, python-sphinxcontrib-jsmath, python-sphinxcontrib-qthelp, python-sphinxcontrib-serializinghtml, spack fixes the following issues:

added python-cffi as Requires (bsc#1193712)

create a sub lib package

fix some build errors, remove unwanted files
update to version 5.5.0
clingo is used by default for spack version earlier than 0.17 (jsc#SLE-22137)

first release for SUSE (from fedora spec)

Advisory ID	SUSE-RU-2022:687-1
Released	Thu Mar 3 11:39:23 2022
Summary	Recommended update for libvirt
Type	recommended
Severity	moderate
References	1191668,1192119

Description:

This update for libvirt fixes the following issues:

libxl: Mark auto-allocated graphics ports to used on reconnect.
libxl: Release all auto-allocated graphics ports. (bsc#1191668)
libxl: Add lock process indicator to saved VM state. (bsc#1191668)
spec: Weaken apparmor-abstractions dependency to Recommends. (bsc#1192119, jsc#SLE-23394)

Advisory ID	SUSE-RU-2022:689-1
Released	Thu Mar 3 11:41:05 2022
Summary	Recommended update for python-openstackclient, python-openstackdocstheme, python-oslo.context, python-oslosphinx, python-reno
Type	recommended
Severity	important
References	1191205

Description:

This update for python-openstackclient fixes the following issues:

update to version 5.2.0 (bsc#1191205) - Add bindep file - Use 'KeyValueAppendAction' from osc-lib - Bump lower constraint of MarkupSafe - Replace six.iteritems() with .items() - Don't look up project by id if given id - Add storage policy option to create container command - Stop configuring install_command in tox and stop use pip. - Update http links in docs - Doc: launchpad => storyboard - Allow setting floating IP description - Deflate .htaccess - Fix network segment range '_get_ranges' function - Fix copypaste errors in access rule command - Remove redundant OpenStackShell.prepare_to_run_command - Remove plugin projects from test-requirements.txt - neutron: autogenerate docs - Incorrect title for service provider - Add plugin doc page for watcher - Show correct name for resource with quota set to zero - Disallow setting default on internal network - Fix openstack server list --deleted --marker option - Add support for app cred access rules - Fix plugin autodoc generation - Switch image to use SDK - Provide stderr in exception when check_parser fails - Microversion 2.79: Add delete_on_termination to volume-attach API - Complete switch from glanceclient to SDK for image service - Use autoprogram-cliff for remaining plugin docs - Bump tox minversion - Add unit tests and release note for dns_publish_fixed_ip - common: autogenerate docs - Update master for stable/train - Create Volume v3 functional tests - Change dockerhub password - Honor endpoint override from config for volume - Fix functional tests for py3 - Stop testing python 2 in tox and zuul. - Raise hacking to more recent 2.0.0 - Now we can add description for role creation in OSC - Build utility image for using osc - Replace port 35357 with 5000 for 'auth_url' - Switch to using osc_lib.utils.tags - Split plugin docs per project - Fix router create/show if extraroute not supported - Add qos_network_policy_id to network port tests - Link to (some) plugin doc pages - Refactor AggregateTests - Remove trailing newline from dockerhub secret - Update a stale doc reference to use :neutron-doc: - Add dns_publish_fixed_ip attribute to subnets - Fix osc-lib interface change: catch osc-lib Forbidden - Use SDK to get compute API extensions - Add placement to known plugins - Update the content about Import Format - compute: autogenerate docs - versions: Fix 'versions show' help message - Add parent project filter for listing projects - Raise flake8-import-order version to latest - Add 'fields' parameter to ListSecurityGroup query - openstack.cli: autogenerate docs - Add redirect testing - Stop silently ignoring invalid 'server create --hint' options - Produce complete content for plugin docs - Remove mention of meetings from docs - Update image building jobs - Add 'openstack server migrate (confirm|revert)' commands - Complete 'Drop python2 support' goal - Fix faulthy state argument choice

remove nonsensical update-alternatives, which leaves an empty file behind

switch to python 3.x only package

update to version 4.0.0 - Batch up minor cleanups for release - Bump min osc-lib to 1.14.0 - Fix RuntimeError when showing project which has extra properties - Fix BFV server list handling with --name-lookup-one-by-one - Fix typo: 'to and endpoint' - Fix functional.base.TestCase.openstack() to optionally omit --os-auth-type - Use cliff formattable columns in image commands - Add server add/remove volume description for microversion 2.20 - Document that server dump create requires 2.17 - Remove code migrated to osc-lib long ago - Fix docs bug link to go to storyboard rather than launchpad - Mention compute service set --up|--down requires 2.11 or greater - Update master for stable/stein - Compute: Add description support for server - Remove deprecated volume commands and args - Volume backup functional test tweak - Use cliff formattable columns in network commands - Deprecate openstack server migrate --host option - Ignore case in security group rule --ethertype - Add host and hypervisor_hostname to create servers - Delete the LB object quotas set command in openstackclient - Rename review.openstack.org to review.opendev.org - Fix: incorrect check when no shared/private input - Remove deprecated image commands - Tweak network segment range fiunction tests - Default to Cinder v3 API - Fix description for --block-device-mapping - Add floating IP Port Forwarding commands - Format aggregate command fields and de-race functional tests - docs: clarify compute service --service option - Fix bug in endpoint group deletion - Format location columns in network commands - Fix --limit option in image list sub-command - Add 'openstack server resize (confirm|revert)' commands - openstack port create support --extra-dhcp-option - Update release table for Train and 4.0.0 - Update api-ref location - Add openstack server create --boot-from-volume option - Microversion 2.73: Support adding the reason behind a server lock - Aggregate functional test tweak - Bump lower constraint of python-zunclient - Follow-up: fix the invalid releasenote link - Change default security group protocol to 'any' - Followup opendev cleanup and test jobs - OpenDev Migration Patch - Fix link to new opendev repo - Remove token_endpoint auth type - Allow 'server migrate' (not live) to take '--host' option - Add 'security_group' type support to network rbac commands - Bump hacking version - Fix: set invalid None project_id on range creation - Stop leaving temp files after unit test runs - Support type=image with --block-device-mapping option - Remove races in floating ip functional tests - Remove deprecated network options - Use cliff formattable columns in volume v1 commands - Fix compute service set handling for 2.53+ - Add changes-before attribute to server list - Use cliff formattable columns in identity commands - Support IPv6 addresses better - Fix service discovery in functional tests - Serialize more aggregate functional tests - Update the constraints url - Add CLI argument tests before making changes - More aggregate functional race chasing - Dropping the py35 testing - Remove deprecated compute commands - Add Python 3 Train unit tests - Blacklist Bandit 1.6.0 due to directory exclusion bug - Remove deprecated identity commands and args - Microversion 2.77: Support Specifying AZ to unshelve - Use cliff formattable columns in object storage commands - Document 2.53 behavior for compute service list/delete - document the --timing option - Add server event command documentation for compute API 2.21 - Update sphinx requirement. - Fix module paths for volumev3 volume backup commands - Make configuration show not require auth - Before writing object data to stdout, re-open it in binary mode - Add doc and relnote for review 639652 - Clean up app initialization and config - Use cliff formattable columns in volume v2 commands

update to version 3.18.0 - Fix missing trailing spaces in network help messages - Add volume backend capability show command - Add metavar for name parameter in subnet create - Modify the help message for 'registered limit set' - image/v2: support multiple property filters - Add note about version 2.5 when listing servers using --ip6 - Add dns-domain support to Network object - Fix broken gate jobs - Fix 'project purge' deleting wrong project's servers and volumes - Support enable/disable uplink status propagation - Allow endpoint filtering on both project and project-domain - Add --key-name and --key-unset option for server rebuild API. - Remove invalid 'unlock-volume' migration arg - Default --nic to 'auto' if creating a server with >= 2.37 - Add monascaclient to `not plugins` list - import zuul job settings from project-config - Add DNS support to floating IP commands - More state handling in volume transfer requests functional tests - Updated the take_actions for unified limits - More volume functional test fixes - Use devstack functional base job - Add --property option to 'server rebuild' command - This fix removes an erroneous underscore found within the function named - Partially Revert 'Add command to unset information from Subnet-pools' - API microversion 2.69: Handles Down Cells - Don't display router's is_ha and is_distributed attributes always - trivial: modify spelling error of project - Disabling c-backup service for osc-functional-devstack-tips job - Detailed help message for QoS max-burst-kbps value - Update release note version reference table - Update reno for stable/rocky - Update the Neutron CLI decoder document - Make use of keystoneauth service-type filtering for versions - add python 3.6 unit test job - Deprecate volume create --project and --user options - Trivial: remove commented-out code - Typo fix - Change openstack-dev to openstack-discuss - Remove str() when setting network objects names - Add Python 3.6 classifier to setup.cfg - Replace assertEqual(True/False, expr) with assertTrue/assertFalse - Remove testr.conf as it's been replaced by stestr - Add py36 env - add lib-forward-testing-python3 test job - Fix inconsistency (nit) - osc-included image signing (using openstacksdk) - Update the URL in doc - Add possibility to filter images using member_status - Handle multiple ports in AddFloatingIP - Mention 2.51 in help for openstack server event show - Add osc repo to the base job definition - Add --name-lookup-one-by-one option to server list - switch documentation job to new PTI - Add floating IP filter to floating IP list command - Address issues from volume backend commands - Paginate over usage list to return all usages - Fix tox python3 overrides - Fix i18n issue - Add network segment range command object - Improve document 'openstack complete' - Add volume backup import/export commands - Supports router gateway IP QoS - Add volume backend pool list command - fix multiple server delete produce multiple new lines - Fix some spaces in help messages - Fix: Restore output 'VolumeBackupsRestore' object is not iterable - Fix help message for subnetpool default-quota value - Use os-cloud instead of OS env vars for functional tests - Fix help message of image add project - Handle not having cinderclient.v1 available - Mention compute API 2.50 in openstack quota show --class - Add support for get details of Quota - Add --attached / --detached parameter to volume set - add python 3.7 unit test job - Remove python-ceilometerclient - Use templates for cover and lower-constraints - Add project param in LimitList parser

update to version 3.16.2 - Fix 'project purge' deleting wrong project's servers and volumes - Allow endpoint filtering on both project and project-domain - Handle multiple ports in AddFloatingIP - Default --nic to 'auto' if creating a server with >= 2.37

update to version 3.16.1 - Update UPPER_CONSTRAINTS_FILE for stable/rocky - Update .gitreview for stable/rocky - import zuul job settings from project-config - Fix broken gate jobs

update to version 3.16.0 - Implement support for registered limits - Prevent 'server migrate --wait' from hanging - Pass volume snapshot size to volume create - Update reno for stable/queens - neutron: add --mtu for create/set network - Make osc-functional-devstack-tips actually use tips - Update role document to include system parameter - Imported Translations from Zanata - Format port_details field of Floating IP - Rename python-openstacksdk to openstacksdk - Fix limits show command without Nova and Cinder - Clean up W503 and E402 pep8 errors - Correct application credential usage doc - Use Server.to_dict() rather than Server._info - Support filtering port with IP address substring - Retry floating IP tests - Remove deprecated ip floating commands - Fix volume type functional tests - Display private flavors in server list - Fix server show for microversion 2.47 - compute: host: expand kwargs in host_set() call - Zuul: Remove project name - Add release note link in README - Fix docs from I0dc80bee3ba6ff4ec8cc3fc113b6de7807e0bf2a - Add support for endpoint group commands - Fix crashing 'console log show' - Add project tags functionality - Fix additional output encoding issues - Add ability to filter image list by tag - Replace pbr autodoc with sphinxcontrib-apidoc - Add help for nova interface-list to decoder - Slow down and retry aggregate create/delete to lessen race - Add --image-property parameter in 'server create' - Change bug url to a correct one - Add support for '--dns-domain' argument - Add cliff project link - Update command test for volume.v3 - Fix the `role implies list` command. - Add command to show all service versions - compute: limit the service's force down command above 2.10 - Update help text for encryption provider - Update links in README - Trivial: Update pypi url to new url - Add system role functionality - Remove duplicated network attributes - Fix tox -e venv -- reno new - Implement support for project limits - Add bgp commands to neutron decoder - Add support to list image members - Release note cleanup for 3.16.0 release - Allow setting network-segment on subnet update - Use find_ip from openstacksdk - Network: Add tag support for security group - Skip calls to glance and nova when got no servers - Network: Add tag support for floating ip - Fix typo in 'floating ip associate' command and doc - Fix functional job failed - Cleanup error messages on failure - Don't sent disk_over_commit if nova api > 2.24 - Add CRUD support for application credentials - Optimize _prep_server_detail to avoid redundant find_resource - Fix error with image show when image name is None - Make max_burst_kbps option as optional for bw limit QoS rule - Fix subnet host_routes error - add lower-constraints job - Re-implement novaclient bits removed in 10.0 - Adding api_version to FakeApp - Make functional-tips job voting - Do not require port argument when updating floating IP - Support --community in openstack image list - Fix lower-constraints.txt - Compute: Add description support for flavor - Updated from global requirements - Make Profile fallback go bye-bye - Fix urls in README.rst

This update for python-openstackdocstheme the following issues:

update to version 2.0.2 (bsc#1191205): * [ussuri][goal] Drop python 2.7 support and testing

This update for python-oslo.context the following issues:

update to 3.0.2 (bsc#1191205): * Update hacking for Python3 * Filter out auth\_token\_info from logging values * trivial: Cleanup tox.ini * remove outdated header * reword releasenote for py27 support dropping * Drop python 2.7 support and testing * tox: Trivial cleanup * tox: Trivial cleanup * Bump the openstackdocstheme extension to 1.20 * gitignore: Hide reno cache files * tox: Stop using 'python setup.py test' * Switch to Ussuri jobs * tox: Keeping going with docs * Switch to Ussuri jobs * Update the constraints url * Update master for stable/train * Add Python 3 Train unit tests * Cap Bandit below 1.6.0 and update Sphinx requirement * Replace git.openstack.org URLs with opendev.org URLs * OpenDev Migration Patch * Dropping the py35 testing * Update master for stable/stein * add python 3.7 unit test job * Update hacking version * Use template for lower-constraints * Update mailinglist from dev to discuss * Implement domain-scope for context objects * Clean up .gitignore references to personal tools * Always build universal wheels * add lib-forward-testing-python3 test job * add python 3.6 unit test job * import zuul job settings from project-config * import zuul job settings from project-config * Update reno for stable/rocky * Switch to stestr * Add release notes link to README * fix tox python3 overrides * Implement system-scope * Remove stale pip-missing-reqs tox test * Trivial: Update pypi url to new url * Switch pep8 job to python 3 * add lower-constraints job * pypy not checked at gate * Updated from global requirements * Update links in README * Add -W for document build * Update reno for stable/queens * Updated from global requirements

This update for python-oslosphinx the following issues:

switch to stable/ussuri spec template (bsc#1191205)

This update for python-reno the following issues:

update to version 3.0.1 (bsc#1191205) * Add python 3.6 unit test job * Update the min version of tox to 2.0 * Switch to use stestr for unit test * Update sphinx extension logging * only override config values from command line if they are actually set * refactor handling of missing config files for better testing * update test fixtures to capture log output * build universal wheels * update the oudated URL in doc * sphinxext: Use unicode\_literals * Use unicode for debug string * link to the europython 2018 presentation about reno * build our docs with the lower-constraints * update sphinx to at least 1.6.1 * move sphinx flags to tox.ini * add lower-constraints tox environment and job * Migrate the link of bug report button to storyboard * Allow tags prefixed with v in default regex * move package publishing template back to project-config * fix documentation project template * Fix traceback when no args are passed to reno * sphinxext: Use 'sphinx.util.logging' * switch doc and pypi jobs to use python3 * import zuul job settings from project-config * fix tox python3 overrides * report line numbers for generated content more accurately * tests: Use mock decorator instead of context manager * preserve the order of tags when reading the cache file * include the branch name in anchors to make them more unique * report when loading data from the cache file * Streamline published release notes * Collapse Unreleased and Mainline sections * Make section titles have stable anchor links * Integrate a setuptools command * Enhance the travis hack * add unreleased\_version\_title configuration option * Add usage with travis CI to docs * cleanups for dev workflow descriptions * doc: Note development workflows supported by reno * update bug report URLs to use storyboard * Update links in 'README' * Update url in 'HACKING.rst' * trivial change to contributing instructions

Advisory ID	SUSE-RU-2022:692-1
Released	Thu Mar 3 15:46:47 2022
Summary	Recommended update for filesystem
Type	recommended
Severity	moderate
References	1190447

Description:

This update for filesystem fixes the following issues:

Release ported filesystem to LTSS channels (bsc#1190447).

Advisory ID	SUSE-SU-2022:696-1
Released	Thu Mar 3 16:18:29 2022
Summary	Security update for MozillaFirefox
Type	security
Severity	important
References	1195230,1195682,CVE-2022-22753,CVE-2022-22754,CVE-2022-22756,CVE-2022-22759,CVE-2022-22760,CVE-2022-22761,CVE-2022-22763,CVE-2022-22764

Description:

This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.0 ESR / MFSA 2022-05 (bsc#1195682)

CVE-2022-22753: Privilege Escalation to SYSTEM on Windows via Maintenance Service
CVE-2022-22754: Extensions could have bypassed permission confirmation during update
CVE-2022-22756: Drag and dropping an image could have resulted in the dropped object being an executable
CVE-2022-22759: Sandboxed iframes could have executed script if the parent appended elements
CVE-2022-22760: Cross-Origin responses could be distinguished between script and non-script content-types
CVE-2022-22761: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
CVE-2022-22763: Script Execution during invalid object state
CVE-2022-22764: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6

Firefox Extended Support Release 91.5.1 ESR (bsc#1195230)

Fixed an issue that allowed unexpected data to be submitted in some of our search telemetry

Advisory ID	SUSE-RU-2022:697-1
Released	Thu Mar 3 16:29:47 2022
Summary	Recommended update for yast2
Type	recommended
Severity	important
References	1195910

Description:

This update for yast2 fixes the following issues:

Do not strip surrounding white space in CDATA XML elements. (bsc#1195910)

Advisory ID	SUSE-SU-2022:699-1
Released	Thu Mar 3 16:38:50 2022
Summary	Security update for php7
Type	security
Severity	moderate
References	1038980,CVE-2017-8923

Description:

This update for php7 fixes the following issues:

CVE-2017-8923: Fixed denial of service (application crash) when using .= with a long string (zend_string_extend func in Zend/zend_string.h) (bsc#1038980).

Advisory ID	SUSE-SU-2022:705-1
Released	Fri Mar 4 07:44:58 2022
Summary	Security update for webkit2gtk3
Type	security
Severity	important
References	1195064,1195735,1196133,CVE-2021-30934,CVE-2021-30936,CVE-2021-30951,CVE-2021-30952,CVE-2021-30953,CVE-2021-30954,CVE-2021-30984,CVE-2021-45481,CVE-2021-45482,CVE-2021-45483,CVE-2022-22589,CVE-2022-22590,CVE-2022-22592,CVE-2022-22620

Description:

This update for webkit2gtk3 fixes the following issues:
Update to version 2.34.6 (bsc#1196133):

CVE-2022-22620: Processing maliciously crafted web content may have lead to arbitrary code execution.

Update to version 2.34.5 (bsc#1195735):

CVE-2022-22589: A validation issue was addressed with improved input sanitization.
CVE-2022-22590: A use after free issue was addressed with improved memory management.
CVE-2022-22592: A logic issue was addressed with improved state management.

Update to version 2.34.4 (bsc#1195064):

CVE-2021-30934: A buffer overflow issue was addressed with improved memory handling.
CVE-2021-30936: A use after free issue was addressed with improved memory management.
CVE-2021-30951: A use after free issue was addressed with improved memory management.
CVE-2021-30952: An integer overflow was addressed with improved input validation.
CVE-2021-30953: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30954: A type confusion issue was addressed with improved memory handling.
CVE-2021-30984: A race condition was addressed with improved state handling.
CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.

The following CVEs were addressed in a previous update:

CVE-2021-45481: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create.
CVE-2021-45482: A use-after-free in WebCore::ContainerNode::firstChild.
CVE-2021-45483: A use-after-free in WebCore::Frame::page.

Advisory ID	23018
Released	Fri Mar 4 08:31:54 2022
Summary	Security update for conmon, libcontainers-common, libseccomp, podman
Type	security
Severity	moderate
References	1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273,CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190

Description:

This update for conmon, libcontainers-common, libseccomp, podman fixes the following issues:
podman was updated to 3.4.4.
Security issues fixed:

fix CVE-2021-41190 [bsc#1193273], opencontainers: OCI manifest and index parsing confusion
fix CVE-2021-4024 [bsc#1193166], podman machine spawns gvproxy with port binded to all IPs
fix CVE-2021-20199 [bsc#1181640], Remote traffic to rootless containers is seen as orginating from localhost

Add: Provides: podman:/usr/bin/podman-remote subpackage for a clearer upgrade path from podman < 3.1.2

Update to version 3.4.4:
* Bugfixes
- Fixed a bug where the podman exec command would, under some circumstances, print a warning message about failing to move conmon to the appropriate cgroup (#12535). - Fixed a bug where named volumes created as part of container creation (e.g. podman run --volume avolume:/a/mountpoint or similar) would be mounted with incorrect permissions (#12523). - Fixed a bug where the podman-remote create and podman-remote run commands did not properly handle the --entrypoint='' option (to clear the container's entrypoint) (#12521).

Update to version 3.4.3:

* Security
- This release addresses CVE-2021-4024, where the podman machine command opened the gvproxy API (used to forward ports to podman machine VMs) to the public internet on port 7777. - This release addresses CVE-2021-41190, where incomplete specification of behavior regarding image manifests could lead to inconsistent decoding on different clients.
* Features
- The --secret type=mount option to podman create and podman run supports a new option, target=, which specifies where in the container the secret will be mounted (#12287).
* Bugfixes
- Fixed a bug where rootless Podman would occasionally print warning messages about failing to move the pause process to a new cgroup (#12065). - Fixed a bug where the podman run and podman create commands would, when pulling images, still require TLS even with registries set to Insecure via config file (#11933). - Fixed a bug where the podman generate systemd command generated units that depended on multi-user.target, which has been removed from some distributions (#12438). - Fixed a bug where Podman could not run containers with images that had /etc/ as a symlink (#12189). - Fixed a bug where the podman logs -f command would, when using the journald logs backend, exit immediately if the container had previously been restarted (#12263). - Fixed a bug where, in containers on VMs created by podman machine, the host.containers.internal name pointed to the VM, not the host system (#11642). - Fixed a bug where containers and pods created by the podman play kube command in VMs managed by podman machine would not automatically forward ports from the host machine (#12248). - Fixed a bug where podman machine init would fail on OS X when GNU Coreutils was installed (#12329). - Fixed a bug where podman machine start would exit before SSH on the started VM was accepting connections (#11532). - Fixed a bug where the podman run command with signal proxying (--sig-proxy) enabled could print an error if it attempted to send a signal to a container that had just exited (#8086). - Fixed a bug where the podman stats command would not return correct information for containers running Systemd as PID1 (#12400). - Fixed a bug where the podman image save command would fail on OS X when writing the image to STDOUT (#12402). - Fixed a bug where the podman ps command did not properly handle PS arguments which contained whitespace (#12452). - Fixed a bug where the podman-remote wait command could fail to detect that the container exited and return an error under some circumstances (#12457). - Fixed a bug where the Windows MSI installer for podman-remote would break the PATH environment variable by adding an extra ' (#11416).
* API
- The Libpod Play Kube endpoint now also accepts ConfigMap YAML as part of its payload, and will use provided any ConfigMap to configure provided pods and services. - Fixed a bug where the Compat Create endpoint for Containers would not always create the container's working directory if it did not exist (#11842). - Fixed a bug where the Compat Create endpoint for Containers returned an incorrect error message with 404 errors when the requested image was not found (#12315). - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the HostConfig.Mounts field (#12419). - Fixed a bug where the Compat Archive endpoint for Containers did not properly report errors when the operation failed (#12420). - Fixed a bug where the Compat Build endpoint for Images ignored the layers query parameter (for caching intermediate layers from the build) (#12378). - Fixed a bug where the Compat Build endpoint for Images did not report errors in a manner compatible with Docker (#12392). - Fixed a bug where the Compat Build endpoint for Images would fail to build if the context directory was a symlink (#12409). - Fixed a bug where the Compat List endpoint for Images included manifest lists (and not just images) in returned results (#12453).

Update to version 3.4.2:

* Fixed a bug where podman tag could not tag manifest lists (#12046). * Fixed a bug where built-in volumes specified by images would not be created correctly under some circumstances. * Fixed a bug where, when using Podman Machine on OS X, containers in pods did not have working port forwarding from the host (#12207). * Fixed a bug where the podman network reload command command on containers using the slirp4netns network mode and the rootlessport port forwarding driver would make an unnecessary attempt to restart rootlessport on containers that did not forward ports. * Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. empty SELinux and DNS configuration blocks, and the privileged flag when set to false) (#11995). * Fixed a bug where the podman pod rm command could, if interrupted at the right moment, leave a reference to an already-removed infra container behind (#12034). * Fixed a bug where the podman pod rm command would not remove pods with more than one container if all containers save for the infra container were stopped unless --force was specified (#11713). * Fixed a bug where the --memory flag to podman run and podman create did not accept a limit of 0 (which should specify unlimited memory) (#12002). * Fixed a bug where the remote Podman client's podman build command could attempt to build a Dockerfile in the working directory of the podman system service instance instead of the Dockerfile specified by the user (#12054). * Fixed a bug where the podman logs --tail command could function improperly (printing more output than requested) when the journald log driver was used. * Fixed a bug where containers run using the slirp4netns network mode with IPv6 enabled would not have IPv6 connectivity until several seconds after they started (#11062). * Fixed a bug where some Podman commands could cause an extra dbus-daemon process to be created (#9727). * Fixed a bug where rootless Podman would sometimes print warnings about a failure to move the pause process into a given CGroup (#12065). * Fixed a bug where the checkpointed field in podman inspect on a container was not set to false after a container was restored. * Fixed a bug where the podman system service command would print overly-verbose logs about request IDs (#12181). * Fixed a bug where Podman could, when creating a new container without a name explicitly specified by the user, sometimes use an auto-generated name already in use by another container if multiple containers were being created in parallel (#11735).
Update to version 3.4.1:
* Bugfixes
- Fixed a bug where podman machine init could, under some circumstances, create invalid machine configurations which could not be started (#11824). - Fixed a bug where the podman machine list command would not properly populate some output fields. - Fixed a bug where podman machine rm could leave dangling sockets from the removed machine (#11393). - Fixed a bug where podman run --pids-limit=-1 was not supported (it now sets the PID limit in the container to unlimited) (#11782). - Fixed a bug where podman run and podman attach could throw errors about a closed network connection when STDIN was closed by the client (#11856). - Fixed a bug where the podman stop command could fail when run on a container that had another podman stop command run on it previously. - Fixed a bug where the --sync flag to podman ps was nonfunctional. - Fixed a bug where the Windows and OS X remote clients' podman stats command would fail (#11909). - Fixed a bug where the podman play kube command did not properly handle environment variables whose values contained an = (#11891). - Fixed a bug where the podman generate kube command could generate invalid annotations when run on containers with volumes that use SELinux relabelling (:z or :Z) (#11929). - Fixed a bug where the podman generate kube command would generate YAML including some unnecessary (set to default) fields (e.g. user and group, entrypoint, default protocol for forwarded ports) (#11914, #11915, and #11965). - Fixed a bug where the podman generate kube command could, under some circumstances, generate YAML including an invalid targetPort field for forwarded ports (#11930). - Fixed a bug where rootless Podman's podman info command could, under some circumstances, not read available CGroup controllers (#11931). - Fixed a bug where podman container checkpoint --export would fail to checkpoint any container created with --log-driver=none (#11974).
* API
- Fixed a bug where the Compat Create endpoint for Containers could panic when no options were passed to a bind mount of tmpfs (#11961).
Update to version 3.4.0:
* Features
- Pods now support init containers! Init containers are containers which run before the rest of the pod starts. There are two types of init containers: 'always', which always run before the pod is started, and 'once', which only run the first time the pod starts and are subsequently removed. They can be added using the podman create command's --init-ctr option. - Support for init containers has also been added to podman play kube and podman generate kube - init containers contained in Kubernetes YAML will be created as Podman init containers, and YAML generated by Podman will include any init containers created. - The podman play kube command now supports building images. If the --build option is given and a directory with the name of the specified image exists in the current working directory and contains a valid Containerfile or Dockerfile, the image will be built and used for the container. - The podman play kube command now supports a new option, --teardown, which removes any pods and containers created by the given Kubernetes YAML. - The podman generate kube command now generates annotations for SELinux mount options on volume (:z and :Z) that are respected by the podman play kube command. - A new command has been added, podman pod logs, to return logs for all containers in a pod at the same time. - Two new commands have been added, podman volume export (to export a volume to a tar file) and podman volume import) (to populate a volume from a given tar file). - The podman auto-update command now supports simple rollbacks. If a container fails to start after an automatic update, it will be rolled back to the previous image and restarted again. - Pods now share their user namespace by default, and the podman pod create command now supports the --userns option. This allows rootless pods to be created with the --userns=keep-id option. - The podman pod ps command now supports a new filter with its --filter option, until, which returns pods created before a given timestamp. - The podman image scp command has been added. This command allows images to be transferred between different hosts. - The podman stats command supports a new option, --interval, to specify the amount of time before the information is refreshed. - The podman inspect command now includes ports exposed (but not published) by containers (e.g. ports from --expose when --publish-all is not specified). - The podman inspect command now has a new boolean value, Checkpointed, which indicates that a container was stopped as a result of a podman container checkpoint operation. - Volumes created by podman volume create now support setting quotas when run atop XFS. The size and inode options allow the maximum size and maximum number of inodes consumed by a volume to be limited. - The podman info command now outputs information on what log drivers, network drivers, and volume plugins are available for use (#11265). - The podman info command now outputs the current log driver in use, and the variant and codename of the distribution in use. - The parameters of the VM created by podman machine init (amount of disk space, memory, CPUs) can now be set in containers.conf. - The podman machine ls command now shows additional information (CPUs, memory, disk size) about VMs managed by podman machine. - The podman ps command now includes healthcheck status in container state for containers that have healthchecks (#11527).
* Changes
- The podman build command has a new alias, podman buildx, to improve compatibility with Docker. We have already added support for many docker buildx flags to podman build and aim to continue to do so. - Cases where Podman is run without a user session or a writable temporary files directory will now produce better error messages. - The default log driver has been changed from file to journald. The file driver did not properly support log rotation, so this should lead to a better experience. If journald is not available on the system, Podman will automatically revert to the file. - Podman no longer depends on ip for removing networks (#11403). - The deprecated --macvlan flag to podman network create now warns when it is used. It will be removed entirely in the Podman 4.0 release. - The podman machine start command now prints a message when the VM is successfully started. - The podman stats command can now be used on containers that are paused. - The podman unshare command will now return the exit code of the command that was run in the user namespace (assuming the command was successfully run). - Successful healthchecks will no longer add a healthy line to the system log to reduce log spam. - As a temporary workaround for a lack of shortname prompts in the Podman remote client, VMs created by podman machine now default to only using the docker.io registry.
* Bugfixes
- Fixed a bug where whitespace in the definition of sysctls (particularly default sysctls specified in containers.conf) would cause them to be parsed incorrectly. - Fixed a bug where the Windows remote client improperly validated volume paths (#10900). - Fixed a bug where the first line of logs from a container run with the journald log driver could be skipped. - Fixed a bug where images created by podman commit did not include ports exposed by the container. - Fixed a bug where the podman auto-update command would ignore the io.containers.autoupdate.authfile label when pulling images (#11171). - Fixed a bug where the --workdir option to podman create and podman run could not be set to a directory where a volume was mounted (#11352). - Fixed a bug where systemd socket-activation did not properly work with systemd-managed Podman containers (#10443). - Fixed a bug where environment variable secrets added to a container were not available to exec sessions launched in the container. - Fixed a bug where rootless containers could fail to start the rootlessport port-forwarding service when XDG_RUNTIME_DIR was set to a long path. - Fixed a bug where arguments to the --systemd option to podman create and podman run were case-sensitive (#11387). - Fixed a bug where the podman manifest rm command would also remove images referenced by the manifest, not just the manifest itself (#11344). - Fixed a bug where the Podman remote client on OS X would not function properly if the TMPDIR environment variable was not set (#11418). - Fixed a bug where the /etc/hosts file was not guaranteed to contain an entry for localhost (this is still not guaranteed if --net=host is used; such containers will exactly match the host's /etc/hosts) (#11411). - Fixed a bug where the podman machine start command could print warnings about unsupported CPU features (#11421). - Fixed a bug where the podman info command could segfault when accessing cgroup information. - Fixed a bug where the podman logs -f command could hang when a container exited (#11461). - Fixed a bug where the podman generate systemd command could not be used on containers that specified a restart policy (#11438). - Fixed a bug where the remote Podman client's podman build command would fail to build containers if the UID and GID on the client were higher than 65536 (#11474). - Fixed a bug where the remote Podman client's podman build command would fail to build containers if the context directory was a symlink (#11732). - Fixed a bug where the --network flag to podman play kube was not properly parsed when a non-bridge network configuration was specified. - Fixed a bug where the podman inspect command could error when the container being inspected was removed as it was being inspected (#11392). - Fixed a bug where the podman play kube command ignored the default pod infra image specified in containers.conf. - Fixed a bug where the --format option to podman inspect was nonfunctional under some circumstances (#8785). - Fixed a bug where the remote Podman client's podman run and podman exec commands could skip a byte of output every 8192 bytes (#11496). - Fixed a bug where the podman stats command would print nonsensical results if the container restarted while it was running (#11469). - Fixed a bug where the remote Podman client would error when STDOUT was redirected on a Windows client (#11444). - Fixed a bug where the podman run command could return 0 when the application in the container exited with 125 (#11540). - Fixed a bug where containers with --restart=always set using the rootlessport port-forwarding service could not be restarted automatically. - Fixed a bug where the --cgroups=split option to podman create and podman run was silently discarded if the container was part of a pod. - Fixed a bug where the podman container runlabel command could fail if the image name given included a tag. - Fixed a bug where Podman could add an extra 127.0.0.1 entry to /etc/hosts under some circumstances (#11596). - Fixed a bug where the remote Podman client's podman untag command did not properly handle tags including a digest (#11557). - Fixed a bug where the --format option to podman ps did not properly support the table argument for tabular output. - Fixed a bug where the --filter option to podman ps did not properly handle filtering by healthcheck status (#11687). - Fixed a bug where the podman run and podman start --attach commands could race when retrieving the exit code of a container that had already been removed resulting in an error (e.g. by an external podman rm -f) (#11633). - Fixed a bug where the podman generate kube command would add default environment variables to generated YAML. - Fixed a bug where the podman generate kube command would add the default CMD from the image to generated YAML (#11672). - Fixed a bug where the podman rm --storage command could fail to remove containers under some circumstances (#11207). - Fixed a bug where the podman machine ssh command could fail when run on Linux (#11731). - Fixed a bug where the podman stop command would error when used on a container that was already stopped (#11740). - Fixed a bug where renaming a container in a pod using the podman rename command, then removing the pod using podman pod rm, could cause Podman to believe the new name of the container was permanently in use, despite the container being removed (#11750).
* API
- The Libpod Pull endpoint for Images now has a new query parameter, quiet, which (when set to true) suppresses image pull progress reports (#10612). - The Compat Events endpoint now includes several deprecated fields from the Docker v1.21 API for improved compatibility with older clients. - The Compat List and Inspect endpoints for Images now prefix image IDs with sha256: for improved Docker compatibility (#11623). - The Compat Create endpoint for Containers now properly sets defaults for healthcheck-related fields (#11225). - The Compat Create endpoint for Containers now supports volume options provided by the Mounts field (#10831). - The Compat List endpoint for Secrets now supports a new query parameter, filter, which allows returned results to be filtered. - The Compat Auth endpoint now returns the correct response code (500 instead of 400) when logging into a registry fails. - The Version endpoint now includes information about the OCI runtime and Conmon in use (#11227). - Fixed a bug where the X-Registry-Config header was not properly handled, leading to errors when pulling images (#11235). - Fixed a bug where invalid query parameters could cause a null pointer dereference when creating error messages. - Logging of API requests and responses at trace level has been greatly improved, including the addition of an X-Reference-Id header to correlate requests and responses (#10053).
Update to version 3.3.1:
* Bugfixes
- Fixed a bug where unit files created by podman generate systemd could not cleanup shut down containers when stopped by systemctl stop (#11304). - Fixed a bug where podman machine commands would not properly locate the gvproxy binary in some circumstances. - Fixed a bug where containers created as part of a pod using the --pod-id-file option would not join the pod's network namespace (#11303). - Fixed a bug where Podman, when using the systemd cgroups driver, could sometimes leak dbus sessions. - Fixed a bug where the until filter to podman logs and podman events was improperly handled, requiring input to be negated (#11158). - Fixed a bug where rootless containers using CNI networking run on systems using systemd-resolved for DNS would fail to start if resolved symlinked /etc/resolv.conf to an absolute path (#11358).
* API
- A large number of potential file descriptor leaks from improperly closing client connections have been fixed.
Update to version 3.3.0:
* Fix network aliases with network id * machine: compute sha256 as we read the image file * machine: check for file exists instead of listing directory * pkg/bindings/images.nTar(): slashify hdr.Name values * Volumes: Only remove from DB if plugin removal succeeds * For compatibility, ignore Content-Type * [v3.3] Bump c/image 5.15.2, buildah v1.22.3 * Implement SD-NOTIFY proxy in conmon * Fix rootless cni dns without systemd stub resolver * fix rootlessport flake * Skip stats test in CGv1 container environments * Fix AVC denials in tests of volume mounts * Restore buildah-bud test requiring new images * Revert '.cirrus.yml: use fresh images for all VMs' * Fix device tests using ls test files * Enhance priv. dev. check * Workaround host availability of /dev/kvm * Skip cgroup-parent test due to frequent flakes * Cirrus: Fix not uploading logformatter html
Switch to crun (bsc#1188914)
Update to version 3.2.3:
* Bump to v3.2.3 * Update release notes for v3.2.3 * vendor containers/common@v0.38.16 * vendor containers/buildah@v1.21.3 * Fix race conditions in rootless cni setup * CNI-in-slirp4netns: fix bind-mount for /run/systemd/resolve/stub-resolv.conf * Make rootless-cni setup more robust * Support uid,gid,mode options for secrets * vendor containers/common@v0.38.15 * [CI:DOCS] podman search: clarify that results depend on implementation * vendor containers/common@v0.38.14 * vendor containers/common@v0.38.13 * [3.2] vendor containers/common@v0.38.12 * Bump README to v3.2.2 * Bump to v3.2.3-dev

Update to version 3.2.2: * Bump to v3.2.2 * fix systemcontext to use correct TMPDIR * Scrub podman commands to use report package * Fix volumes with uid and gid options * Vendor in c/common v0.38.11 * Initial release notes for v3.2.2 * Fix restoring of privileged containers * Fix handling of podman-remote build --device * Add support for podman remote build -f - . * Fix panic condition in cgroups.getAvailableControllers * Fix permissions on initially created named volumes * Fix building static podman-remote * add correct slirp ip to /etc/hosts * disable tty-size exec checks in system tests * Fix resize race with podman exec -it * Fix documentation of the --format option of podman push * Fix systemd-resolved detection. * Health Check is not handled in the compat LibpodToContainerJSON * Do not use inotify for OCICNI * getContainerNetworkInfo: lock netNsCtr before sync * [NO TESTS NEEDED] Create /etc/mtab with the correct ownership * Create the /etc/mtab file if does not exists * [v3.2] cp: do not allow dir->file copying * create: support images with invalid platform * vendor containers/common@v0.38.10 * logs: k8s-file: restore poll sleep * logs: k8s-file: fix spurious error logs * utils: move message from warning to debug * Bump to v3.2.2-dev

Update to version 3.2.1: * Bump to v3.2.1 * Updated release notes for v3.2.1 * Fix network connect race with docker-compose * Revert 'Ensure minimum API version is set correctly in tests' * Fall back to string for dockerfile parameter * remote events: fix --stream=false * [CI:DOCS] fix incorrect network remove api doc * remote: always send resize before the container starts * remote events: support labels * remote pull: cancel pull when connection is closed * Fix network prune api docs * Improve systemd-resolved detection * logs: k8s-file: fix race * Fix image prune --filter cmd behavior * Several shell completion fixes * podman-remote build should handle -f option properly * System tests: deal with crun 0.20.1 * Fix build tags for pkg/machine... * Fix pre-checkpointing * container: ignore named hierarchies * [v3.2] vendor containers/common@v0.38.9 * rootless: fix fast join userns path * [v3.2] vendor containers/common@v0.38.7 * [v3.2] vendor containers/common@v0.38.6 * Correct qemu options for Intel macs * Ensure minimum API version is set correctly in tests * Bump to v3.2.1-dev

Update to version 3.2.0: * Bump to v3.2.0 * Fix network create macvlan with subnet option * Final release notes updates for v3.2.0 * add ipv6 nameservers only when the container has ipv6 enabled * Use request context instead of background * [v.3.2] events: support disjunctive filters * System tests: add :Z to volume mounts * generate systemd: make mounts portable * vendor containers/storage@v1.31.3 * vendor containers/common@v0.38.5 * Bump to v3.2.0-dev * Bump to v3.2.0-RC3 * Update release notes for v3.2.0-RC3 * Fix race on podman start --all * Fix race condition in running ls container in a pod * docs: --cert-dir: point to containers-certs.d(5) * Handle hard links in different directories * Improve OCI Runtime error * Handle hard links in remote builds * Podman info add support for status of cgroup controllers * Drop container does not exist on removal to debugf * Downgrade API service routing table logging * add libimage events * docs: generate systemd: XDG_RUNTIME_DIR * Fix problem copying files when container is in host pid namespace * Bump to v3.2.0-dev * Bump to v3.2.0-RC2 * update c/common * Update Cirrus DEST_BRANCH to v3.2 * Updated vendors of c/image, c/storage, Buildah * Initial release notes for v3.2.0-RC2 * Add script for identifying commits in release branches * Add host.containers.internal entry into container's etc/hosts * image prune: remove unused images only with `--all` * podman network reload add rootless support * Use more recent `stale` release... * network tutorial: update with rootless cni changes * [CI:DOCS] Update first line in intro page * Use updated VM images + updated automation tooling * auto-update service: prune images * make vendor * fix system upgrade tests * Print 'extracting' only on compressed file * podman image tree: restore previous behavior * fix network restart always test * fix incorrect log driver in podman container image * Add support for cli network prune --filter flag * Move filter parsing to common utils * Bump github.com/containers/storage from 1.30.2 to 1.30.3 * Update nix pin with `make nixpkgs` * [CI:DOCS] hack/bats - new helper for running system tests * fix restart always with slirp4netns * Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc94 * Bump github.com/coreos/go-systemd/v22 from 22.3.1 to 22.3.2 * Add host.serviceIsRemote to podman info results * Add client disconnect to build handler loop * Remove obsolete skips * Fix podman-remote build --rm=false ... * fix: improved 'containers/{name}/wait' endpoint * Bump github.com/containers/storage from 1.30.1 to 1.30.2 * Add envars to the generated systemd unit * fix: use UTC Time Stamps in response JSON * fix container startup for empty pidfile * Kube like pods should share ipc,net,uts by default * fix: compat API 'images/get' for multiple images * Revert escaped double dash man page flag syntax * Report Download complete in Compatibility mode * Add documentation on short-names * Bump github.com/docker/docker * Adds support to preserve auto update labels in generate and play kube * [CI:DOCS] Stop conversion of `--` into en dash * Revert Patch to relabel if selinux not enabled * fix per review request * Add support for environment variable secrets * fix pre review request * Fix infinite loop in isPathOnVolume * Add containers.conf information for changing defaults * CI: run rootless tests under ubuntu * Fix wrong macvlan PNG in networking doc. * Add restart-policy to container filters & --filter to podman start * Fixes docker-compose cannot set static ip when use ipam * channel: simplify implementation * build: improve regex for iidfile * Bump github.com/onsi/gomega from 1.11.0 to 1.12.0 * cgroup: fix rootless --cgroup-parent with pods * fix: docker APIv2 `images/get` * codespell cleanup * Minor podmanimage docs updates. * Fix handling of runlabel IMAGE and NAME * Bump to v3.2.0-dev * Bump to v3.2.0-rc1 * rootless: improve automatic range split * podman: set volatile storage flag for --rm containers * Bump github.com/onsi/ginkgo from 1.16.1 to 1.16.2 * Bump github.com/containers/image/v5 from 5.11.1 to 5.12.0 * migrate Podman to containers/common/libimage * Add filepath glob support to --security-opt unmask * Force log_driver to k8s-file for containers in containers * add --mac-address to podman play kube * compat api: Networks must be empty instead of null * System tests: honor $OCI_RUNTIME (for CI) * is this a bug? * system test image: add arm64v8 image * Fix troubleshooting documentation on handling sublemental groups. * Add --all to podman start * Fix variable reference typo. in multi-arch image action * cgroup: always honor --cgroup-parent with cgroupfs * Bump github.com/uber/jaeger-client-go * Don't require tests for github-actions & metadata * Detect if in podman machine virtual vm * Fix multi-arch image workflow typo * [CI:DOCS] Add titles to remote docs (windows) * Remove unused VolumeList* structs * Cirrus: Update F34beta -> F34 * Update container image docs + fix unstable execution * Bump github.com/containers/storage from 1.30.0 to 1.30.1 * TODO complete * Docker returns 'die' status rather then 'died' status * Check if another VM is running on machine start * [CI:DOCS] Improve titles of command HTML pages * system tests: networking: fix another race condition * Use seccomp_profile as default profile if defined in containers.conf * Bump github.com/json-iterator/go from 1.1.10 to 1.1.11 * Vendored * Autoupdate local label functional * System tests: fix two race conditions * Add more documentation on conmon * Allow docker volume create API to pass without name * Cirrus: Update Ubuntu images to 21.04 * Skip blkio-weight test when no kernel BFQ support * rootless: Tell the user what was led to the error, not just what it is * Add troubleshooting advice about the --userns option. * Fix images prune filter until * Fix logic for pushing stable multi-arch images * Fixes generate kube incorrect when bind-mounting '/' and '/root' * libpod/image: unit tests: don't use system's registries.conf.d * runtime: create userns when CAP_SYS_ADMIN is not present * rootless: attempt to copy current mappings first * [CI:DOCS] Restore missing content to manpages * [CI:DOCS] Fix Markdown layout bugs * Fix podman ps --filter ancestor to match exact ImageName/ImageID * Add machine-enabled to containers.conf for machine * Several multi-arch image build/push fixes * Add podman run --timeout option * Parse slirp4netns net options with compat api * Fix rootlesskit port forwarder with custom slirp cidr * Fix removal race condition in ListContainers * Add github-action workflow to build/push multi-arch * rootless: if root is not sub?id raise a debug message * Bump github.com/containers/common from 0.36.0 to 0.37.0 * Add go template shell completion for --format * Add --group-add keep-groups: suplimentary groups into container * Fixes from make codespell * Typo fix to usage text of --compress option * corrupt-image test: fix an oops * Add --noheading flag to all list commands * Bump github.com/containers/storage from 1.29.0 to 1.30.0 * Bump github.com/containers/image/v5 from 5.11.0 to 5.11.1 * [CI:DOCS] Fix Markdown table layout bugs * podman-remote should show podman.sock info * rmi: don't break when the image is missing a manifest * [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md * Add support for CDI device configuration * [CI:DOCS] Add missing dash to verbose option * Bump github.com/uber/jaeger-client-go * Remove an advanced layer diff function * Ensure mount destination is clean, no trailing slash * add it for inspect pidfile * [CI:DOCS] Fix introduction page typo * support pidfile on container restore * fix start it * skip pidfile test on remote * improve document * set pidfile default value int containerconfig * add pidfile in inspection * add pidfile it for container start * skip pidfile it on remote * Modify according to comments * WIP: drop test requirement * runtime: bump required conmon version * runtime: return findConmon to libpod * oci: drop ExecContainerCleanup * oci: use `--full-path` option for conmon * use AttachSocketPath when removing conmon files * hide conmon-pidfile flag on remote mode * Fix possible panic in libpod/image/prune.go * add --ip to podman play kube * add flag autocomplete * add ut * add flag '--pidfile' for podman create/run * Add network bindings tests: remove and list * Fix build with GO111MODULE=off * system tests: build --pull-never: deal with flakes * compose test: diagnose flakes v3 * podman play kube apply correct log driver * Fixes podman-remote save to directories does not work * Bump github.com/rootless-containers/rootlesskit from 0.14.1 to 0.14.2 * Update documentation of podman-run to reflect volume 'U' option * Fix flake on failed podman-remote build : try 2 * compose test: ongoing efforts to diagnose flakes * Test that we don't error out on advertised --log-level values * At trace log level, print error text using %+v instead of %v * pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace * Fix flake on failed podman-remote build * System tests: fix racy podman-inspect * Fixes invalid expression in save command * Bump github.com/containers/common from 0.35.4 to 0.36.0 * Update nix pin with `make nixpkgs` * compose test: try to get useful data from flakes * Remove in-memory state implementation * Fix message about runtime to show only the actual runtime * System tests: setup: better cleanup of stray images * Bump github.com/containers/ocicrypt from 1.1.0 to 1.1.1 * Reflect current state of prune implementation in docs * Do not delete container twice * [CI:DOCS] Correct status code for /pods/create * vendor in containers/storage v1.29.0 * cgroup: do not set cgroup parent when rootless and cgroupfs * Overhaul Makefile binary and release worflows * Reorganize Makefile with sections and guide * Simplify Makefile help target * Don't shell to obtain current directory * Remove unnecessary/not-needed release.txt target * Fix incorrect version number output * Exclude .gitignore from test req. * Fix handling of $NAME and $IMAGE in runlabel * Update podman image Dockerfile to support Podman in container * Bump github.com/containers/image/v5 from 5.10.5 to 5.11.0 * Fix slashes in socket URLs * Add network prune filters support to bindings * Add support for play/generate kube volumes * Update manifest API endpoints * Fix panic when not giving a machine name for ssh * cgroups: force 64 bits to ParseUint * Bump k8s.io/api from 0.20.5 to 0.21.0 * [CI:DOCS] Fix formatting of podman-build man page * buildah-bud tests: simplify * Add missing return * Bump github.com/onsi/ginkgo from 1.16.0 to 1.16.1 * speed up CI handling of images * Volumes prune endpoint should use only prune filters * Cirrus: Use Fedora 34beta images * Bump go.sum + Makefile for golang 1.16 * Exempt Makefile changes from test requirements * Adjust libpod API Container Wait documentation to the code * [CI:DOCS] Update swagger definition of inspect manifest * use updated ubuntu images * podman unshare: add --rootless-cni to join the ns * Update swagger-check * swagger: remove name wildcards * Update buildah-bud diffs * Handle podman-remote --arch, --platform, --os * buildah-bud tests: handle go pseudoversions, plus... * Fix flaking rootless compose test * rootless cni add /usr/sbin to PATH if not present * System tests: special case for RHEL: require runc * Add --requires flag to podman run/create * [CI:DOCS] swagger-check: compare operations * [CI:DOCS] Polish swagger OpertionIDs * [NO TESTS NEEDED] Update nix pin with `make nixpkgs` * Ensure that `--userns=keep-id` sets user in config * [CI:DOCS] Set all operation id to be compatibile * Move operationIds to swagger:operation line * swagger: add operationIds that match with docker * Cirrus: Make use of shared get_ci_vm container * Don't relabel volumes if running in a privileged container * Allow users to override default storage opts with --storage-opt * Add support for podman --context default * Verify existence of auth file if specified * fix machine naming conventions * Initial network bindings tests * Update release notes to indicate CVE fix * Move socket activation check into init() and set global condition. * Bump github.com/onsi/ginkgo from 1.15.2 to 1.16.0 * Http api tests for network prune with until filter * podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns * Fix typos --uidmapping and --gidmapping * Add transport and destination info to manifest doc * Bump github.com/rootless-containers/rootlesskit from 0.14.0 to 0.14.1 * Add default template functions * Fix missing podman-remote build options * Bump github.com/coreos/go-systemd/v22 from 22.3.0 to 22.3.1 * Add ssh connection to root user * Add rootless docker-compose test to the CI * Use the slrip4netns dns in the rootless cni ns * Cleanup the rootless cni namespace * Add new docker-compose test for two networks * Make the docker-compose test work rootless * Remove unused rootless-cni-infra container files * Only use rootless RLK when the container has ports * Fix dnsname test * Enable rootless network connect/disconnect * Move slirp4netns functions into an extra file * Fix pod infra container cni network setup * Add rootless support for cni and --uidmap * rootless cni without infra container * Recreate until container prune tests for bindings * Remove --execute from podman machine ssh * Fixed podman-remote --network flag * Makefile: introduce install.docker-full * Makefile: ensure install.docker creates BINDIR * Fix unmount doc reference in image.rst * Should send the OCI runtime path not just the name to buildah * podman machine shell completion * Fix handling of remove --log-rusage param * Fix bindings prune containers flaky test * [CI:DOCS] Add local html build info to docs/README.md * Add podman machine list * Trim white space from /top endpoint results * Remove semantic version suffices from API calls * podman machine init --ignition-path * Document --volume from podman-remote run/create client * Update main branch to reflect the release of v3.1.0 * Silence podman network reload errors with iptables-nft * Containers prune endpoint should use only prune filters * resolve proper aarch64 image names * APIv2 basic test: relax APIVersion check * Add machine support for qemu-system-aarch64 * podman machine init user input * manpage xref: helpful diagnostic for unescaped dash-dash * Bump to v3.2.0-dev * swagger: update system version response body * buildah-bud tests: reenable pull-never test * [NO TESTS NEEDED] Shrink the size of podman-remote * Add powershell completions * [NO TESTS NEEDED] Drop Warning to Info, if cgroups not mounted * Fix long option format on docs.podman.io * system tests: friendier messages for 2-arg is() * service: use LISTEN_FDS * man pages: correct seccomp-policy label * rootless: use is_fd_inherited * podman generate systemd --new do not duplicate params * play kube: add support for env vars defined from secrets * play kube: support optional/mandatory env var from config map * play kube: prepare supporting other env source than config maps * Add machine support for more Linux distros * [NO TESTS NEEDED] Use same function podman-remote rmi as podman * Podman machine enhancements * Add problematic volume name to kube play error messages * Fix podman build --pull-never * [NO TESTS NEEDED] Fix for kernel without CONFIG_USER_NS * [NO TESTS NEEDED] Turn on podman-remote build --isolation * Fix list pods filter handling in libpod api * Remove resize race condition * [NO TESTS NEEDED] Vendor in containers/buildah v1.20.0 * Use TMPDIR when commiting images * Add RequiresMountsFor= to systemd generate * Bump github.com/vbauerster/mpb/v6 from 6.0.2 to 6.0.3 * Fix swapped dimensions from terminal.GetSize * Rename podman machine create to init and clean up * Correct json field name * system tests: new interactive tests * Improvements for machine * libpod/image: unit tests: use a `registries.conf` for aliases * libpod/image: unit tests: defer cleanup * libpod/image: unit tests: use `require.NoError` * Add --execute flag to podman machine ssh * introduce podman machine * Podman machine CLI and interface stub * Support multi doc yaml for generate/play kube * Fix filters in image http compat/libpod api endpoints * Bump github.com/containers/common from 0.35.3 to 0.35.4 * Bump github.com/containers/storage from 1.28.0 to 1.28.1 * Check if stdin is a term in --interactive --tty mode * [NO TESTS NEEDED] Remove /tmp/containers-users-* files on reboot * [NO TESTS NEEDED] Fix rootless volume plugins * Ensure manually-created volumes have correct ownership * Bump github.com/rootless-containers/rootlesskit * Unification of until filter across list/prune endpoints * Unification of label filter across list/prune endpoints * fixup * fix: build endpoint for compat API * [CI:DOCS] Add note to mappings for user/group userns in build * Bump k8s.io/api from 0.20.1 to 0.20.5 * Validate passed in timezone from tz option * WIP: run buildah bud tests using podman * Fix containers list/prune http api filter behaviour * Generate Kubernetes PersistentVolumeClaims from named volumes

Update to version 3.1.2: * Bump to v3.1.2 * Update release notes for v3.1.2 * Ensure mount destination is clean, no trailing slash * Fixes podman-remote save to directories does not work * [CI:DOCS] Add missing dash to verbose option * [CI:DOCS] Fix Markdown table layout bugs * [CI:DOCS] Rewrite --uidmap doc in podman-create.1.md and podman-run.1.md * rmi: don't break when the image is missing a manifest * Bump containers/image to v5.11.1 * Bump github.com/coreos/go-systemd from 22.2.0 to 22.3.1 * Fix lint * Bump to v3.1.2-dev
Split podman-remote into a subpackage
Add missing scriptlets for systemd units
Escape macros in comments
Drop some obsolete workarounds, including %{go_nostrip}

Update to version 3.1.1: * Bump to v3.1.1 * Update release notes for v3.1.1 * podman play kube apply correct log driver * Fix build with GO111MODULE=off * [CI:DOCS] Set all operation id to be compatibile * Move operationIds to swagger:operation line * swagger: add operationIds that match with docker * Fix missing podman-remote build options * [NO TESTS NEEDED] Shrink the size of podman-remote * Move socket activation check into init() and set global condition. * rootless: use is_fd_inherited * Recreate until container prune tests for bindings * System tests: special case for RHEL: require runc * Document --volume from podman-remote run/create client * Containers prune endpoint should use only prune filters * Trim white space from /top endpoint results * Fix unmount doc reference in image.rst * Fix handling of remove --log-rusage param * Makefile: introduce install.docker-full * Makefile: ensure install.docker creates BINDIR * Should send the OCI runtime path not just the name to buildah * Fixed podman-remote --network flag * podman-run.1.md, podman-create.1.md : Adjust Markdown layout for --userns * Fix typos --uidmapping and --gidmapping * Add default template functions * Don't relabel volumes if running in a privileged container * Allow users to override default storage opts with --storage-opt * Add transport and destination info to manifest doc * Verify existence of auth file if specified * Ensure that `--userns=keep-id` sets user in config * [CI:DOCS] Update swagger definition of inspect manifest * Volumes prune endpoint should use only prune filters * Adjust libpod API Container Wait documentation to the code * Add missing return * [CI:DOCS] Fix formatting of podman-build man page * cgroups: force 64 bits to ParseUint * Fix slashes in socket URLs * [CI:DOCS] Correct status code for /pods/create * cgroup: do not set cgroup parent when rootless and cgroupfs * Reflect current state of prune implementation in docs * Do not delete container twice * Test that we don't error out on advertised --log-level values * At trace log level, print error text using %+v instead of %v * pkg/errorhandling.JoinErrors: don't throw away context for lone errors * Recognize --log-level=trace * Fix message about runtime to show only the actual runtime * Fix handling of $NAME and $IMAGE in runlabel * Fix flake on failed podman-remote build : try 2 * Fix flake on failed podman-remote build * Update documentation of podman-run to reflect volume 'U' option * Fixes invalid expression in save command * Fix possible panic in libpod/image/prune.go * Update all containers/ project vendors * Fix tests * Bump to v3.1.1-dev

Update to version 3.1.0: * Bump to v3.1.0 * Fix test failure * Update release notes for v3.1.0 final release * [NO TESTS NEEDED] Turn on podman-remote build --isolation * Fix long option format on docs.podman.io * Fix containers list/prune http api filter behaviour * [CI:DOCS] Add note to mappings for user/group userns in build * Validate passed in timezone from tz option * Generate Kubernetes PersistentVolumeClaims from named volumes * libpod/image: unit tests: use a `registries.conf` for aliases
Require systemd 241 or newer due to podman dependency go-systemd v22, otherwise build will fail with unknown C name errors

Create docker subpackage to allow replacing docker with corresponding aliases to podman.

Update to v3.0.1 * Changes - Several frequently-occurring WARN level log messages have been downgraded to INFO or DEBUG to not clutter terminal output.

Bugfixes - Fixed a bug where the Created field of podman ps --format=json was formatted as a string instead of an Unix timestamp (integer) (#9315). - Fixed a bug where failing lookups of individual layers during the podman images command would cause the whole command to fail without printing output. - Fixed a bug where --cgroups=split did not function properly on cgroups v1 systems. - Fixed a bug where mounting a volume over an directory in the container that existed, but was empty, could fail (#9393). - Fixed a bug where mounting a volume over a directory in the container that existed could copy the entirety of the container's rootfs, instead of just the directory mounted over, into the volume (#9415). - Fixed a bug where Podman would treat the --entrypoint=[''] option to podman run and podman create as a literal empty string in the entrypoint, when instead it should have been ignored (#9377). - Fixed a bug where Podman would set the HOME environment variable to '' when the container ran as a user without an assigned home directory (#9378). - Fixed a bug where specifying a pod infra image that had no tags (by using its ID) would cause podman pod create to panic (#9374). - Fixed a bug where the --runtime option was not properly handled by the podman build command (#9365). - Fixed a bug where Podman would incorrectly print an error message related to the remote API when the remote API was not in use and starting Podman failed. - Fixed a bug where Podman would change ownership of a container's working directory, even if it already existed (#9387). - Fixed a bug where the podman generate systemd --new command would incorrectly escape %t when generating the path for the PID file (#9373). - Fixed a bug where Podman could, when run inside a Podman container with the host's containers/storage directory mounted into the container, erroneously detect a reboot and reset container state if the temporary directory was not also mounted in (#9191). - Fixed a bug where some options of the podman build command (including but not limited to --jobs) were nonfunctional (#9247). * API - Fixed a breaking change to the Libpod Wait API for Containers where the Conditions parameter changed type in Podman v3.0 (#9351). - Fixed a bug where the Compat Create endpoint for Containers did not properly handle forwarded ports that did not specify a host port. - Fixed a bug where the Libpod Wait endpoint for Containers could write duplicate headers after an error occurred. - Fixed a bug where the Compat Create endpoint for Images would not pull images that already had a matching tag present locally, even if a more recent version was available at the registry (#9232). - The Compat Create endpoint for Images has had its compatibility with Docker improved, allowing its use with the docker-java library. * Misc - Updated Buildah to v1.19.4 - Updated the containers/storage library to v1.24.6

Changes from v3.0.0 * Features - Podman now features initial support for Docker Compose. - Added the podman rename command, which allows containers to be renamed after they are created (#1925). - The Podman remote client now supports the podman copy command. - A new command, podman network reload, has been added. This command will re-configure the network of all running containers, and can be used to recreate firewall rules lost when the system firewall was reloaded (e.g. via firewall-cmd --reload). - Podman networks now have IDs. They can be seen in podman network ls and can be used when removing and inspecting networks. Existing networks receive IDs automatically. - Podman networks now also support labels. They can be added via the --label option to network create, and podman network ls can filter labels based on them. - The podman network create command now supports setting bridge MTU and VLAN through the --opt option (#8454). - The podman container checkpoint and podman container restore commands can now checkpoint and restore containers that include volumes. - The podman container checkpoint command now supports the --with-previous and --pre-checkpoint options, and the podman container restore command now support the --import-previous option. These add support for two-step checkpointing with lowered dump times. - The podman push command can now push manifest lists. Podman will first attempt to push as an image, then fall back to pushing as a manifest list if that fails. - The podman generate kube command can now be run on multiple containers at once, and will generate a single pod containing all of them. - The podman generate kube and podman play kube commands now support Kubernetes DNS configuration, and will preserve custom DNS configuration when exporting or importing YAML (#9132). - The podman generate kube command now properly supports generating YAML for containers and pods creating using host networking (--net=host) (#9077). - The podman kill command now supports a --cidfile option to kill containers given a file containing the container's ID (#8443). - The podman pod create command now supports the --net=none option (#9165). - The podman volume create command can now specify volume UID and GID as options with the UID and GID fields passed to the the --opt option. - Initial support has been added for Docker Volume Plugins. Podman can now define available plugins in containers.conf and use them to create volumes with podman volume create --driver. - The podman run and podman create commands now support a new option, --platform, to specify the platform of the image to be used when creating the container. - The --security-opt option to podman run and podman create now supports the systempaths=unconfined option to unrestrict access to all paths in the container, as well as mask and unmask options to allow more granular restriction of container paths. - The podman stats --format command now supports a new format specified, MemUsageBytes, which prints the raw bytes of memory consumed by a container without human-readable formatting #8945. - The podman ps command can now filter containers based on what pod they are joined to via the pod filter (#8512). - The podman pod ps command can now filter pods based on what networks they are joined to via the network filter. The podman pod ps command can now print information on what networks a pod is joined to via the .Networks specifier to the --format option. - The podman system prune command now supports filtering what containers, pods, images, and volumes will be pruned. - The podman volume prune commands now supports filtering what volumes will be pruned. - The podman system prune command now includes information on space reclaimed (#8658). - The podman info command will now properly print information about packages in use on Gentoo and Arch systems. - The containers.conf file now contains an option for disabling creation of a new kernel keyring on container creation (#8384). - The podman image sign command can now sign multi-arch images by producing a signature for each image in a given manifest list. - The podman image sign command, when run as rootless, now supports per-user registry configuration files in $HOME/.config/containers/registries.d. - Configuration options for slirp4netns can now be set system-wide via the NetworkCmdOptions configuration option in containers.conf. - The MTU of slirp4netns can now be configured via the mtu= network command option (e.g. podman run --net slirp4netns:mtu=9000). * Security - A fix for CVE-2021-20199 is included. Podman between v1.8.0 and v2.2.1 used 127.0.0.1 as the source address for all traffic forwarded into rootless containers by a forwarded port; this has been changed to address the issue. * Changes - Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull. - The podman load command no longer accepts a NAME[:TAG] argument. The presence of this argument broke CLI compatibility with Docker by making docker load commands unusable with Podman (#7387). - The Go bindings for the HTTP API have been rewritten with a focus on limiting dependency footprint and improving extensibility. Read more here. - The legacy Varlink API has been completely removed from Podman. - The default log level for Podman has been changed from Error to Warn. - The podman network create command can now create macvlan networks using the --driver macvlan option for Docker compatibility. The existing --macvlan flag has been deprecated and will be removed in Podman 4.0 some time next year. - The podman inspect command has had the LogPath and LogTag fields moved into the LogConfig structure (from the root of the Inspect structure). The maximum size of the log file is also included. - The podman generate systemd command no longer generates unit files using the deprecated KillMode=none option (#8615). - The podman stop command now releases the container lock while waiting for it to stop - as such, commands like podman ps will no longer block until podman stop completes (#8501). - Networks created with podman network create --internal no longer use the dnsname plugin. This configuration never functioned as expected. - Error messages for the remote Podman client have been improved when it cannot connect to a Podman service. - Error messages for podman run when an invalid SELinux is specified have been improved. - Rootless Podman features improved support for containers with a single user mapped into the rootless user namespace. - Pod infra containers now respect default sysctls specified in containers.conf allowing for advanced configuration of the namespaces they will share. - SSH public key handling for remote Podman has been improved. * Bugfixes - Fixed a bug where the podman history --no-trunc command would truncate the Created By field (#9120). - Fixed a bug where root containers that did not explicitly specify a CNI network to join did not generate an entry for the network in use in the Networks field of the output of podman inspect (#6618). - Fixed a bug where, under some circumstances, container working directories specified by the image (via the WORKDIR instruction) but not present in the image, would not be created (#9040). - Fixed a bug where the podman generate systemd command would generate invalid unit files if the container was creating using a command line that included doubled braces ({{ and }}), e.g. --log-opt-tag={{.Name}} (#9034). - Fixed a bug where the podman generate systemd --new command could generate unit files including invalid Podman commands if the container was created using merged short options (e.g. podman run -dt) (#8847). - Fixed a bug where the podman generate systemd --new command could generate unit files that did not handle Podman commands including some special characters (e.g. $) (#9176 - Fixed a bug where rootless containers joining CNI networks could not set a static IP address (#7842). - Fixed a bug where rootless containers joining CNI networks could not set network aliases (#8567). - Fixed a bug where the remote client could, under some circumstances, not include the Containerfile when sending build context to the server (#8374). - Fixed a bug where rootless Podman did not mount /sys as a new sysfs in some circumstances where it was acceptable. - Fixed a bug where rootless containers that both joined a user namespace and a CNI networks would cause a segfault. These options are incompatible and now return an error. - Fixed a bug where the podman play kube command did not properly handle CMD and ARGS from images (#8803). - Fixed a bug where the podman play kube command did not properly handle environment variables from images (#8608). - Fixed a bug where the podman play kube command did not properly print errors that occurred when starting containers. - Fixed a bug where the podman play kube command errored when hostNetwork was used (#8790). - Fixed a bug where the podman play kube command would always pull images when the :latest tag was specified, even if the image was available locally (#7838). - Fixed a bug where the podman play kube command did not properly handle SELinux configuration, rending YAML with custom SELinux configuration unusable (#8710). - Fixed a bug where the podman generate kube command incorrectly populated the args and command fields of generated YAML (#9211). - Fixed a bug where containers in a pod would create a duplicate entry in the pod's shared /etc/hosts file every time the container restarted (#8921). - Fixed a bug where the podman search --list-tags command did not support the --format option (#8740). - Fixed a bug where the http_proxy option in containers.conf was not being respected, and instead was set unconditionally to true (#8843). - Fixed a bug where rootless Podman could, on systems with a recent Conmon and users with a long username, fail to attach to containers (#8798). - Fixed a bug where the podman images command would break and fail to display any images if an empty manifest list was present in storage (#8931). - Fixed a bug where locale environment variables were not properly passed on to Conmon. - Fixed a bug where Podman would not build on the MIPS architecture (#8782). - Fixed a bug where rootless Podman could fail to properly configure user namespaces for rootless containers when the user specified a --uidmap option that included a mapping beginning with UID 0. - Fixed a bug where the podman logs command using the k8s-file backend did not properly handle partial log lines with a length of 1 (#8879). - Fixed a bug where the podman logs command with the --follow option did not properly handle log rotation (#8733). - Fixed a bug where user-specified HOSTNAME environment variables were overwritten by Podman (#8886). - Fixed a bug where Podman would applied default sysctls from containers.conf in too many situations (e.g. applying network sysctls when the container shared its network with a pod). - Fixed a bug where Podman did not properly handle cases where a secondary image store was in use and an image was present in both the secondary and primary stores (#8176). - Fixed a bug where systemd-managed rootless Podman containers where the user in the container was not root could fail as the container's PID file was not accessible to systemd on the host (#8506). - Fixed a bug where the --privileged option to podman run and podman create would, under some circumstances, not disable Seccomp (#8849). - Fixed a bug where the podman exec command did not properly add capabilities when the container or exec session were run with --privileged. - Fixed a bug where rootless Podman would use the --enable-sandbox option to slirp4netns unconditionally, even when pivot_root was disabled, rendering slirp4netns unusable when pivot_root was disabled (#8846). - Fixed a bug where podman build --logfile did not actually write the build's log to the logfile. - Fixed a bug where the podman system service command did not close STDIN, and could display user-interactive prompts (#8700). - Fixed a bug where the podman system reset command could, under some circumstances, remove all the contents of the XDG_RUNTIME_DIR directory (#8680). - Fixed a bug where the podman network create command created CNI configurations that did not include a default gateway (#8748). - Fixed a bug where the podman.service systemd unit provided by default used the wrong service type, and would cause systemd to not correctly register the service as started (#8751). - Fixed a bug where, if the TMPDIR environment variable was set for the container engine in containers.conf, it was being ignored. - Fixed a bug where the podman events command did not properly handle future times given to the --until option (#8694). - Fixed a bug where the podman logs command wrote container STDERR logs to STDOUT instead of STDERR (#8683). - Fixed a bug where containers created from an image with multiple tags would report that they were created from the wrong tag (#8547). - Fixed a bug where container capabilities were not set properly when the --cap-add=all and --user options to podman create and podman run were combined. - Fixed a bug where the --layers option to podman build was nonfunctional (#8643). - Fixed a bug where the podman system prune command did not act recursively, and thus would leave images, containers, pods, and volumes present that would be removed by a subsequent call to podman system prune (#7990). - Fixed a bug where the --publish option to podman run and podman create did not properly handle ports specified as a range of ports with no host port specified (#8650). - Fixed a bug where --format did not support JSON output for individual fields (#8444). - Fixed a bug where the podman stats command would fail when run on root containers using the slirp4netns network mode (#7883). - Fixed a bug where the Podman remote client would ask for a password even if the server's SSH daemon did not support password authentication (#8498). - Fixed a bug where the podman stats command would fail if the system did not support one or more of the cgroup controllers Podman supports (#8588). - Fixed a bug where the --mount option to podman create and podman run did not ignore the consistency mount option. - Fixed a bug where failures during the resizing of a container's TTY would print the wrong error. - Fixed a bug where the podman network disconnect command could cause the podman inspect command to fail for a container until it was restarted (#9234). - Fixed a bug where containers created from a read-only rootfs (using the --rootfs option to podman create and podman run) would fail (#9230). - Fixed a bug where specifying Go templates to the --format option to multiple Podman commands did not support the join function (#8773). - Fixed a bug where the podman rmi command could, when run in parallel on multiple images, return layer not known errors (#6510). - Fixed a bug where the podman inspect command on containers displayed unlimited ulimits incorrectly (#9303). - Fixed a bug where Podman would fail to start when a volume was mounted over a directory in a container that contained symlinks that terminated outside the directory and its subdirectories (#6003).

API - Libpod API version has been bumped to v3.0.0. - All Libpod Pod APIs have been modified to properly report errors with individual containers. Cases where the operation as a whole succeeded but individual containers failed now report an HTTP 409 error (#8865). - The Compat API for Containers now supports the Rename and Copy APIs. - Fixed a bug where the Compat Prune APIs (for volumes, containers, and images) did not return the amount of space reclaimed in their responses. - Fixed a bug where the Compat and Libpod Exec APIs for Containers would drop errors that occurred prior to the exec session successfully starting (e.g. a 'no such file' error if an invalid executable was passed) (#8281) - Fixed a bug where the Volumes field in the Compat Create API for Containers was being ignored (#8649). - Fixed a bug where the NetworkMode field in the Compat Create API for Containers was not handling some values, e.g. container:, correctly. - Fixed a bug where the Compat Create API for Containers did not set container name properly. - Fixed a bug where containers created using the Compat Create API unconditionally used Kubernetes file logging (the default specified in containers.conf is now used). - Fixed a bug where the Compat Inspect API for Containers could include container states not recognized by Docker. - Fixed a bug where Podman did not properly clean up after calls to the Events API when the journald backend was in use, resulting in a leak of file descriptors (#8864). - Fixed a bug where the Libpod Pull endpoint for Images could fail with an index out of range error under certain circumstances (#8870). - Fixed a bug where the Libpod Exists endpoint for Images could panic. - Fixed a bug where the Compat List API for Containers did not support all filters (#8860). - Fixed a bug where the Compat List API for Containers did not properly populate the Status field. - Fixed a bug where the Compat and Libpod Resize APIs for Containers ignored the height and width parameters (#7102). - Fixed a bug where the Compat Search API for Images returned an incorrectly-formatted JSON response (#8758). - Fixed a bug where the Compat Load API for Images did not properly clean up temporary files. - Fixed a bug where the Compat Create API for Networks could panic when an empty IPAM configuration was specified. - Fixed a bug where the Compat Inspect and List APIs for Networks did not include Scope. - Fixed a bug where the Compat Wait endpoint for Containers did not support the same wait conditions that Docker did. * Misc - Updated Buildah to v1.19.2 - Updated the containers/storage library to v1.24.5 - Updated the containers/image library to v5.10.2 - Updated the containers/common library to v0.33.4

Update to v2.2.1 * Changes - Due to a conflict with a previously-removed field, we were forced to modify the way image volumes (mounting images into containers using --mount type=image) were handled in the database. As a result, containers created in Podman 2.2.0 with image volume will not have them in v2.2.1, and these containers will need to be re-created. * Bugfixes - Fixed a bug where rootless Podman would, on systems without the XDG_RUNTIME_DIR environment variable defined, use an incorrect path for the PID file of the Podman pause process, causing Podman to fail to start (#8539). - Fixed a bug where containers created using Podman v1.7 and earlier were unusable in Podman due to JSON decode errors (#8613). - Fixed a bug where Podman could retrieve invalid cgroup paths, instead of erroring, for containers that were not running. - Fixed a bug where the podman system reset command would print a warning about a duplicate shutdown handler being registered. - Fixed a bug where rootless Podman would attempt to mount sysfs in circumstances where it was not allowed; some OCI runtimes (notably crun) would fall back to alternatives and not fail, but others (notably runc) would fail to run containers. - Fixed a bug where the podman run and podman create commands would fail to create containers from untagged images (#8558). - Fixed a bug where remote Podman would prompt for a password even when the server did not support password authentication (#8498). - Fixed a bug where the podman exec command did not move the Conmon process for the exec session into the correct cgroup. - Fixed a bug where shell completion for the ancestor option to podman ps --filter did not work correctly. - Fixed a bug where detached containers would not properly clean themselves up (or remove themselves if --rm was set) if the Podman command that created them was invoked with --log-level=debug. * API - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the Binds and Mounts parameters in HostConfig. - Fixed a bug where the Compat Create endpoint for Containers ignored the Name query parameter. - Fixed a bug where the Compat Create endpoint for Containers did not properly handle the 'default' value for NetworkMode (this value is used extensively by docker-compose) (#8544). - Fixed a bug where the Compat Build endpoint for Images would sometimes incorrectly use the target query parameter as the image's tag. * Misc - Podman v2.2.0 vendored a non-released, custom version of the github.com/spf13/cobra package; this has been reverted to the latest upstream release to aid in packaging. - Updated the containers/image library to v5.9.0

Update to v2.2.0 * Features - Experimental support for shortname aliasing has been added. This is not enabled by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. Documentation is available here and here. - Initial support has been added for the podman network connect and podman network disconnect commands, which allow existing containers to modify what networks they are connected to. At present, these commands can only be used on running containers that did not specify --network=none when they were created. - The podman run command now supports the --network-alias option to set network aliases (additional names the container can be accessed at from other containers via DNS if the dnsname CNI plugin is in use). Aliases can also be added and removed using the new podman network connect and podman network disconnect commands. Please note that this requires a new release (v1.1.0) of the dnsname plugin, and will only work on newly-created CNI networks. - The podman generate kube command now features support for exporting container's memory and CPU limits (#7855). - The podman play kube command now features support for setting CPU and Memory limits for containers (#7742). - The podman play kube command now supports persistent volumes claims using Podman named volumes. - The podman play kube command now supports Kubernetes configmaps via the --configmap option (#7567). - The podman play kube command now supports a --log-driver option to set the log driver for created containers. - The podman play kube command now supports a --start option, enabled by default, to start the pod after creating it. This allows for podman play kube to be more easily used in systemd unitfiles. - The podman network create command now supports the --ipv6 option to enable dual-stack IPv6 networking for created networks (#7302). - The podman inspect command can now inspect pods, networks, and volumes, in addition to containers and images (#6757). - The --mount option for podman run and podman create now supports a new type, image, to mount the contents of an image into the container at a given location. - The Bash and ZSH completions have been completely reworked and have received significant enhancements! Additionally, support for Fish completions and completions for the podman-remote executable have been added. - The --log-opt option for podman create and podman run now supports the max-size option to set the maximum size for a container's logs (#7434). - The --network option to the podman pod create command now allows pods to be configured to use slirp4netns networking, even when run as root (#6097). - The podman pod stop, podman pod pause, podman pod unpause, and podman pod kill commands now work on multiple containers in parallel and should be significantly faster. - The podman search command now supports a --list-tags option to list all available tags for a single image in a single repository. - The podman search command can now output JSON using the --format=json option. - The podman diff and podman mount commands now work with all containers in the storage library, including those not created by Podman. This allows them to be used with Buildah and CRI-O containers. - The podman container exists command now features a --external option to check if a container exists not just in Podman, but also in the storage library. This will allow Podman to identify Buildah and CRI-O containers. - The --tls-verify and --authfile options have been enabled for use with remote Podman. - The /etc/hosts file now includes the container's name and hostname (both pointing to localhost) when the container is run with --net=none (#8095). - The podman events command now supports filtering events based on the labels of the container they occurred on using the --filter label=key=value option. - The podman volume ls command now supports filtering volumes based on their labels using the --filter label=key=value option. - The --volume and --mount options to podman run and podman create now support two new mount propagation options, unbindable and runbindable. - The name and id filters for podman pod ps now match based on a regular expression, instead of requiring an exact match. - The podman pod ps command now supports a new filter status, that matches pods in a certain state. * Changes - The podman network rm --force command will now also remove pods that are using the network (#7791). - The podman volume rm, podman network rm, and podman pod rm commands now return exit code 1 if the object specified for removal does not exist, and exit code 2 if the object is in use and the --force option was not given. - If /dev/fuse is passed into Podman containers as a device, Podman will open it before starting the container to ensure that the kernel module is loaded on the host and the device is usable in the container. - Global Podman options that were not supported with remote operation have been removed from podman-remote (e.g. --cgroup-manager, --storage-driver). - Many errors have been changed to remove repetition and be more clear as to what has gone wrong. - The --storage option to podman rm is now enabled by default, with slightly changed semantics. If the given container does not exist in Podman but does exist in the storage library, it will be removed even without the --storage option. If the container exists in Podman it will be removed normally. The --storage option for podman rm is now deprecated and will be removed in a future release. - The --storage option to podman ps has been renamed to --external. An alias has been added so the old form of the option will continue to work. - Podman now delays the SIGTERM and SIGINT signals during container creation to ensure that Podman is not stopped midway through creating a container resulting in potential resource leakage (#7941). - The podman save command now strips signatures from images it is exporting, as the formats we export to do not support signatures (#7659). - A new Degraded state has been added to pods. Pods that have some, but not all, of their containers running are now considered to be Degraded instead of Running. - Podman will now print a warning when conflicting network options related to port forwarding (e.g. --publish and --net=host) are specified when creating a container. - The --restart on-failure and --rm options for containers no longer conflict. When both are specified, the container will be restarted if it exits with a non-zero error code, and removed if it exits cleanly (#7906). - Remote Podman will no longer use settings from the client's containers.conf; defaults will instead be provided by the server's containers.conf (#7657). - The podman network rm command now has a new alias, podman network remove (#8402). * Bugfixes - Fixed a bug where podman load on the remote client did not error when attempting to load a directory, which is not yet supported for remote use. - Fixed a bug where rootless Podman could hang when the newuidmap binary was not installed (#7776). - Fixed a bug where the --pull option to podman run, podman create, and podman build did not match Docker's behavior. - Fixed a bug where sysctl settings from the containers.conf configuration file were applied, even if the container did not join the namespace associated with a sysctl. - Fixed a bug where Podman would not return the text of errors encounted when trying to run a healthcheck for a container. - Fixed a bug where Podman was accidentally setting the containers environment variable in addition to the expected container environment variable. - Fixed a bug where rootless Podman using CNI networking did not properly clean up DNS entries for removed containers (#7789). - Fixed a bug where the podman untag --all command was not supported with remote Podman. - Fixed a bug where the podman system service command could time out even if active attach connections were present (#7826). - Fixed a bug where the podman system service command would sometimes never time out despite no active connections being present. - Fixed a bug where Podman's handling of capabilities, specifically inheritable, did not match Docker's. - Fixed a bug where podman run would fail if the image specified was a manifest list and had already been pulled (#7798). - Fixed a bug where Podman did not take search registries into account when looking up images locally (#6381). - Fixed a bug where the podman manifest inspect command would fail for images that had already been pulled (#7726). - Fixed a bug where rootless Podman would not add supplemental GIDs to containers when when a user, but not a group, was set via the --user option to podman create and podman run and sufficient GIDs were available to add the groups (#7782). - Fixed a bug where remote Podman commands did not properly handle cases where the user gave a name that could also be a short ID for a pod or container (#7837). - Fixed a bug where podman image prune could leave images ready to be pruned after podman image prune was run (#7872). - Fixed a bug where the podman logs command with the journald log driver would not read all available logs (#7476). - Fixed a bug where the --rm and --restart options to podman create and podman run did not conflict when a restart policy that is not on-failure was chosen (#7878). - Fixed a bug where the --format 'table {{ .Field }}' option to numerous Podman commands ceased to function on Podman v2.0 and up. - Fixed a bug where pods did not properly share an SELinux label between their containers, resulting in containers being unable to see the processes of other containers when the pod shared a PID namespace (#7886). - Fixed a bug where the --namespace option to podman ps did not work with the remote client (#7903). - Fixed a bug where rootless Podman incorrectly calculated the number of UIDs available in the container if multiple different ranges of UIDs were specified. - Fixed a bug where the /etc/hosts file would not be correctly populated for containers in a user namespace (#7490). - Fixed a bug where the podman network create and podman network remove commands could race when run in parallel, with unpredictable results (#7807). - Fixed a bug where the -p option to podman run, podman create, and podman pod create would, when given only a single number (e.g. -p 80), assign the same port for both host and container, instead of generating a random host port (#7947). - Fixed a bug where Podman containers did not properly store the cgroup manager they were created with, causing them to stop functioning after the cgroup manager was changed in containers.conf or with the --cgroup-manager option (#7830). - Fixed a bug where the podman inspect command did not include information on the CNI networks a container was connected to if it was not running. - Fixed a bug where the podman attach command would not print a newline after detaching from the container (#7751). - Fixed a bug where the HOME environment variable was not set properly in containers when the --userns=keep-id option was set (#8004). - Fixed a bug where the podman container restore command could panic when the container in question was in a pod (#8026). - Fixed a bug where the output of the podman image trust show --raw command was not properly formatted. - Fixed a bug where the podman runlabel command could panic if a label to run was not given (#8038). - Fixed a bug where the podman run and podman start --attach commands would exit with an error when the user detached manually using the detach keys on remote Podman (#7979). - Fixed a bug where rootless CNI networking did not use the dnsname CNI plugin if it was not available on the host, despite it always being available in the container used for rootless networking (#8040). - Fixed a bug where Podman did not properly handle cases where an OCI runtime is specified by its full path, and could revert to using another OCI runtime with the same binary path that existed in the system $PATH on subsequent invocations. - Fixed a bug where the --net=host option to podman create and podman run would cause the /etc/hosts file to be incorrectly populated (#8054). - Fixed a bug where the podman inspect command did not include container network information when the container shared its network namespace (IE, joined a pod or another container's network namespace via --net=container:...) (#8073). - Fixed a bug where the podman ps command did not include information on all ports a container was publishing. - Fixed a bug where the podman build command incorrectly forwarded STDIN into build containers from RUN instructions. - Fixed a bug where the podman wait command's --interval option did not work when units were not specified for the duration (#8088). - Fixed a bug where the --detach-keys and --detach options could be passed to podman create despite having no effect (and not making sense in that context). - Fixed a bug where Podman could not start containers if running on a system without a /etc/resolv.conf file (which occurs on some WSL2 images) (#8089). - Fixed a bug where the --extract option to podman cp was nonfunctional. - Fixed a bug where the --cidfile option to podman run would, when the container was not run with --detach, only create the file after the container exited (#8091). - Fixed a bug where the podman images and podman images -a commands could panic and not list any images when certain improperly-formatted images were present in storage (#8148). - Fixed a bug where the podman events command could, when the journald events backend was in use, become nonfunctional when a badly-formatted event or a log message that container certain string was present in the journal (#8125). - Fixed a bug where remote Podman would, when using SSH transport, not authenticate to the server using hostkeys when connecting on a port other than 22 (#8139). - Fixed a bug where the podman attach command would not exit when containers stopped (#8154). - Fixed a bug where Podman did not properly clean paths before verifying them, resulting in Podman refusing to start if the root or temporary directories were specified with extra trailing / characters (#8160). - Fixed a bug where remote Podman did not support hashed hostnames in the known_hosts file on the host for establishing connections (#8159). - Fixed a bug where the podman image exists command would return non-zero (false) when multiple potential matches for the given name existed. - Fixed a bug where the podman manifest inspect command on images that are not manifest lists would error instead of inspecting the image (#8023). - Fixed a bug where the podman system service command would fail if the directory the Unix socket was to be created inside did not exist (#8184). - Fixed a bug where pods that shared the IPC namespace (which is done by default) did not share a /dev/shm filesystem between all containers in the pod (#8181). - Fixed a bug where filters passed to podman volume list were not inclusive (#6765). - Fixed a bug where the podman volume create command would fail when the volume's data directory already existed (as might occur when a volume was not completely removed) (#8253). - Fixed a bug where the podman run and podman create commands would deadlock when trying to create a container that mounted the same named volume at multiple locations (e.g. podman run -v testvol:/test1 -v testvol:/test2) (#8221). - Fixed a bug where the parsing of the --net option to podman build was incorrect (#8322). - Fixed a bug where the podman build command would print the ID of the built image twice when using remote Podman (#8332). - Fixed a bug where the podman stats command did not show memory limits for containers (#8265). - Fixed a bug where the podman pod inspect command printed the static MAC address of the pod in a non-human-readable format (#8386). - Fixed a bug where the --tls-verify option of the podman play kube command had its logic inverted (false would enforce the use of TLS, true would disable it). - Fixed a bug where the podman network rm command would error when trying to remove macvlan networks and rootless CNI networks (#8491). - Fixed a bug where Podman was not setting sane defaults for missing XDG_ environment variables. - Fixed a bug where remote Podman would check if volume paths to be mounted in the container existed on the host, not the server (#8473). - Fixed a bug where the podman manifest create and podman manifest add commands on local images would drop any images in the manifest not pulled by the host. - Fixed a bug where networks made by podman network create did not include the tuning plugin, and as such did not support setting custom MAC addresses (#8385). - Fixed a bug where container healthchecks did not use $PATH when searching for the Podman executable to run the healthcheck. - Fixed a bug where the --ip-range option to podman network create did not properly handle non-classful subnets when calculating the last usable IP for DHCP assignment (#8448). - Fixed a bug where the podman container ps alias for podman ps was missing (#8445). * API - The Compat Create endpoint for Container has received a major refactor to share more code with the Libpod Create endpoint, and should be significantly more stable. - A Compat endpoint for exporting multiple images at once, GET /images/get, has been added (#7950). - The Compat Network Connect and Network Disconnect endpoints have been added. - Endpoints that deal with image registries now support a X-Registry-Config header to specify registry authentication configuration. - The Compat Create endpoint for images now properly supports specifying images by digest. - The Libpod Build endpoint for images now supports an httpproxy query parameter which, if set to true, will forward the server's HTTP proxy settings into the build container for RUN instructions. - The Libpod Untag endpoint for images will now remove all tags for the given image if no repository and tag are specified for removal. - Fixed a bug where the Ping endpoint misspelled a header name (Libpod-Buildha-Version instead of Libpod-Buildah-Version). - Fixed a bug where the Ping endpoint sent an extra newline at the end of its response where Docker did not. - Fixed a bug where the Compat Logs endpoint for containers did not send a newline character after each log line. - Fixed a bug where the Compat Logs endpoint for containers would mangle line endings to change newline characters to add a preceding carriage return (#7942). - Fixed a bug where the Compat Inspect endpoint for Containers did not properly list the container's stop signal (#7917). - Fixed a bug where the Compat Inspect endpoint for Containers formatted the container's create time incorrectly (#7860). - Fixed a bug where the Compat Inspect endpoint for Containers did not include the container's Path, Args, and Restart Count. - Fixed a bug where the Compat Inspect endpoint for Containers prefixed added and dropped capabilities with CAP_ (Docker does not do so). - Fixed a bug where the Compat Info endpoint for the Engine did not include configured registries. - Fixed a bug where the server could panic if a client closed a connection midway through an image pull (#7896). - Fixed a bug where the Compat Create endpoint for volumes returned an error when a volume with the same name already existed, instead of succeeding with a 201 code (#7740). - Fixed a bug where a client disconnecting from the Libpod or Compat events endpoints could result in the server using 100% CPU (#7946). - Fixed a bug where the 'no such image' error message sent by the Compat Inspect endpoint for Images returned a 404 status code with an error that was improperly formatted for Docker compatibility. - Fixed a bug where the Compat Create endpoint for networks did not properly set a default for the driver parameter if it was not provided by the client. - Fixed a bug where the Compat Inspect endpoint for images did not populate the RootFS field of the response. - Fixed a bug where the Compat Inspect endpoint for images would omit the ParentId field if the image had no parent, and the Created field if the image did not have a creation time. - Fixed a bug where the Compat Remove endpoint for Networks did not support the Force query parameter.

add dependency to timezone package or podman fails to build a
Correct invalid use of %{_libexecdir} to ensure files should be in /usr/lib

SELinux support [jsc#SMO-15]

libseccomp was updated to release 2.5.3:

Update the syscall table for Linux v5.15
Fix issues with multiplexed syscalls on mipsel introduced in v2.5.2
Document that seccomp_rule_add() may return -EACCES

Update to release 2.5.2

Update the syscall table for Linux v5.14-rc7
Add a function, get_notify_fd(), to the Python bindings to get the nofication file descriptor.
Consolidate multiplexed syscall handling for all architectures into one location.
Add multiplexed syscall support to PPC and MIPS
The meaning of SECCOMP_IOCTL_NOTIF_ID_VALID changed within the kernel. libseccomp's fd notification logic was modified to support the kernel's previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID.

update to 2.5.1:

Fix a bug where seccomp_load() could only be called once
Change the notification fd handling to only request a notification fd if
the filter has a _NOTIFY action
Add documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage
Clarify the maintainers' GPG keys

Update to release 2.5.0

Add support for the seccomp user notifications, see the seccomp_notify_alloc(3), seccomp_notify_receive(3), seccomp_notify_respond(3) manpages for more information
Add support for new filter optimization approaches, including a balanced tree optimization, see the SCMP_FLTATR_CTL_OPTIMIZE filter attribute for more information
Add support for the 64-bit RISC-V architecture
Performance improvements when adding new rules to a filter thanks to the use of internal shadow transactions and improved syscall lookup tables
Properly document the libseccomp API return values and include them in the stable API promise
Improvements to the s390 and s390x multiplexed syscall handling
Multiple fixes and improvements to the libseccomp manpages
Moved from manually maintained syscall tables to an automatically generated syscall table in CSV format
Update the syscall tables to Linux v5.8.0-rc5
Python bindings and build now default to Python 3.x
Improvements to the tests have boosted code coverage to over 93%

Update to release 2.4.3

Add list of authorized release signatures to README.md
Fix multiplexing issue with s390/s390x shm* syscalls
Remove the static flag from libseccomp tools compilation
Add define for __SNR_ppoll
Fix potential memory leak identified by clang in the scmp_bpf_sim tool

Update to release 2.4.2

Add support for io-uring related system calls

conmon was updated to version 2.0.30:
* Remove unreachable code path * exit: report if the exit command was killed * exit: fix race zombie reaper * conn_sock: allow watchdog messages through the notify socket proxy * seccomp: add support for seccomp notify
Update to version 2.0.29:
* Reset OOM score back to 0 for container runtime * call functions registered with atexit on SIGTERM * conn_sock: fix potential segfault
Update to version 2.0.27:
* Add CRI-O integration test GitHub action * exec: don't fail on EBADFD * close_fds: fix close of external fds * Add arm64 static build binary
Update to version 2.0.26:
* conn_sock: do not fail on EAGAIN * fix segfault from a double freed pointer * Fix a bug where conmon could never spawn a container, because a disagreement between the caller and itself on where the attach socket was. * improve --full-attach to ignore the socket-dir directly. that means callers don't need to specify a socket dir at all (and can remove it) * add full-attach option to allow callers to not truncate a very long path for the attach socket * close only opened FDs * set locale to inherit environment
Update to version 2.0.22:
* added man page * attach: always chdir * conn_sock: Explicitly free a heap-allocated string * refactor I/O and add SD_NOTIFY proxy support
Update to version 2.0.21:
* protect against kill(-1) * Makefile: enable debuginfo generation * Remove go.sum file and add go.mod * Fail if conmon config could not be written * nix: remove double definition for e2fsprogs * Speedup static build by utilizing CI cache on `/nix` folder * Fix nix build for failing e2fsprogs tests * test: fix CI * Use Podman for building
libcontainers-common was updated to include:

common 0.44.0
image 5.16.0
podman 3.3.1
storage 1.36.0

(changes too long to list)
CVEs fixed: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602

Advisory ID	SUSE-RU-2022:711-1
Released	Fri Mar 4 09:15:11 2022
Summary	Recommended update for sudo
Type	recommended
Severity	moderate
References	1181703

Description:

This update for sudo fixes the following issues:

Add support in the LDAP filter for negated users (jsc#SLE-20068)
Restrict use of sudo -U other -l to people who have permission to run commands as that user (bsc#1181703, jsc#SLE-22569)

Advisory ID	SUSE-SU-2022:712-1
Released	Fri Mar 4 09:30:52 2022
Summary	Security update for flatpak
Type	security
Severity	important
References	1194610,1194611,CVE-2021-43860,CVE-2022-21682

Description:

This update for flatpak fixes the following issues:
Update to flatpak 1.10.7:

CVE-2022-21682: Introduce new option --nofilesystem=host:reset to support flatpak-builder 1.2.2 (bsc#1194611).
CVE-2021-43860: A malicious repository could hav sent invalid application metadata in a way that hides some of the app permissions displayed during installation (bsc#1194610).

Advisory ID	SUSE-SU-2022:713-1
Released	Fri Mar 4 09:34:17 2022
Summary	Security update for expat
Type	security
Severity	important
References	1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315

Description:

This update for expat fixes the following issues:

CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

Advisory ID	SUSE-SU-2022:715-1
Released	Fri Mar 4 09:37:47 2022
Summary	Security update for nodejs14
Type	security
Severity	important
References	1191962,1191963,1192153,1192154,1192696,CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918

Description:

This update for nodejs14 fixes the following issues:

CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).

Advisory ID	SUSE-SU-2022:716-1
Released	Fri Mar 4 09:42:53 2022
Summary	Security update for wpa_supplicant
Type	security
Severity	important
References	1194732,1194733,CVE-2022-23303,CVE-2022-23304

Description:

This update for wpa_supplicant fixes the following issues:

CVE-2022-23303: Fixed side-channel attacks in SAE (bsc#1194732).
CVE-2022-23304: Fixed side-channel attacks in EAP-pwd (bsc#1194733).

Advisory ID	SUSE-SU-2022:717-1
Released	Fri Mar 4 09:45:20 2022
Summary	Security update for gnutls
Type	security
Severity	moderate
References	1196167,CVE-2021-4209

Description:

This update for gnutls fixes the following issues:

CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

Advisory ID	SUSE-feature-2022:718-1
Released	Fri Mar 4 10:10:19 2022
Summary	Feature update for duperemove
Type	feature
Severity	moderate
References

Description:

This feature update for duperemove fixes the following issue:
Update from version 0.11.beta4 to version 0.11.3 (jsc#SLE-11306)

Increase open file limit.
Create hash database file with 600 permission for improved security.
Read more data per pread, for v2 hashfile format this reduces the overall number of syscalls made which in turns results in better performance.
Fix truncated file handling, eliminating a an infinite loop case.

Advisory ID	SUSE-SU-2022:720-1
Released	Fri Mar 4 10:20:28 2022
Summary	Security update for containerd
Type	security
Severity	moderate
References	1196441,CVE-2022-23648

Description:

This update for containerd fixes the following issues:

CVE-2022-23648: A specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host (bsc#1196441).

Advisory ID	SUSE-SU-2022:722-1
Released	Fri Mar 4 10:28:09 2022
Summary	Security update for wireshark
Type	security
Severity	important
References	1195866,1195867,1195868,1195869,1195870,CVE-2022-0581,CVE-2022-0582,CVE-2022-0583,CVE-2022-0585,CVE-2022-0586

Description:

This update for wireshark fixes the following issues:
Update to Wireshark 3.6.2:

CVE-2022-0586: RTMPT dissector infinite loop (bsc#1195866)
CVE-2022-0585: Large loops in multiple dissectors (bsc#1195867)
CVE-2022-0583: PVFS dissector crash (bsc#1195868)
CVE-2022-0582: CSN.1 dissector crash (bsc#1195869)
CVE-2022-0581: CMS dissector crash (bsc#1195870)

Advisory ID	SUSE-SU-2022:723-1
Released	Fri Mar 4 10:31:46 2022
Summary	Security update for go1.17
Type	security
Severity	important
References	1190649,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806

Description:

This update for go1.17 fixes the following issues:

CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835).
CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements
go#50701 math/big: Rat.SetString may consume large amount of RAM and crash
go#50687 cmd/go: do not treat branches with semantic-version names as releases
go#50942 cmd/asm: 'compile: loop' compiler bug?
go#50867 cmd/compile: incorrect use of CMN on arm64
go#50812 cmd/go: remove bitbucket VCS probing
go#50781 runtime: incorrect frame information in traceback traversal may hang the process.
go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
go#50297 cmd/link: does not set section type of .init_array correctly
go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package

Advisory ID	SUSE-SU-2022:724-1
Released	Fri Mar 4 10:34:01 2022
Summary	Security update for go1.16
Type	security
Severity	important
References	1182345,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806

Description:

This update for go1.16 fixes the following issues:

CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
CVE-2022-23772: Fixed overflow in Rat.SetString in math/big can lead to uncontrolled memory consumption (bsc#1195835).
CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

go#50977 crypto/elliptic: IsOnCurve returns true for invalid field elements
go#50700 math/big: Rat.SetString may consume large amount of RAM and crash
go#50686 cmd/go: do not treat branches with semantic-version names as releases
go#50866 cmd/compile: incorrect use of CMN on arm64
go#50832 runtime/race: NoRaceMutexPureHappensBefore failures
go#50811 cmd/go: remove bitbucket VCS probing
go#50780 runtime: incorrect frame information in traceback traversal may hang the process.
go#50721 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
go#50682 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
go#50645 testing: surprising interaction of subtests with TempDir
go#50585 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
go#50245 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package

Advisory ID	SUSE-SU-2022:727-1
Released	Fri Mar 4 10:39:21 2022
Summary	Security update for libeconf, shadow and util-linux
Type	security
Severity	moderate
References	1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996

Description:

This security update for libeconf, shadow and util-linux fix the following issues:
libeconf:

Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

Issues fixed in libeconf:

Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
Fixed different issues while writing string values to file.
Writing comments to file too.
Fixed crash while merging values.
Added econftool cat option (#146)
new API call: econf_readDirsHistory (showing ALL locations)
new API call: econf_getPath (absolute path of the configuration file)
Man pages libeconf.3 and econftool.8.
Handling multiline strings.
Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,...
Econftool, an command line interface for handling configuration files.
Generating HTML API documentation with doxygen.
Improving error handling and semantic file check.
Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set.

shadow:

The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

util-linux:

The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

Advisory ID	SUSE-RU-2022:728-1
Released	Fri Mar 4 11:51:48 2022
Summary	Recommended update for SUSE Manager 4.2.5 Release Notes
Type	recommended
Severity	moderate
References

Description:

This update for SUSE Manager 4.2.5 Release Notes provides the following additions:
Release notes for SUSE Manager:

Fix the documentation URL for the 'Pay-as-you-go' feature.

Advisory ID	SUSE-SU-2022:731-1
Released	Fri Mar 4 14:47:06 2022
Summary	Security update for mariadb
Type	security
Severity	important
References	1195325,1195334,1195339,1196016,CVE-2021-46657,CVE-2021-46658,CVE-2021-46659,CVE-2021-46661,CVE-2021-46663,CVE-2021-46664,CVE-2021-46665,CVE-2021-46668,CVE-2022-24048,CVE-2022-24050,CVE-2022-24051,CVE-2022-24052

Description:

This update for mariadb fixes the following issues:

Update to 10.5.15 (bsc#1196016): * 10.5.15: CVE-2021-46665 CVE-2021-46664 CVE-2021-46661 CVE-2021-46668 CVE-2021-46663 * 10.5.14: CVE-2022-24052 CVE-2022-24051 CVE-2022-24050 CVE-2022-24048 CVE-2021-46659, bsc#1195339

The following issues have already been fixed in this package but weren't previously mentioned in the changes file: CVE-2021-46658, bsc#1195334 CVE-2021-46657, bsc#1195325

Advisory ID	SUSE-SU-2022:735-1
Released	Fri Mar 4 14:49:47 2022
Summary	Security update for zsh
Type	security
Severity	important
References	1163882,1196435,CVE-2019-20044,CVE-2021-45444

Description:

This update for zsh fixes the following issues:

CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could be executed related to prompt expansion (bsc#1196435).
CVE-2019-20044: Fixed a vulnerability where shell privileges would not be properly dropped when unsetting the PRIVILEGED option (bsc#1163882).

Advisory ID	SUSE-SU-2022:736-1
Released	Fri Mar 4 14:51:57 2022
Summary	Security update for vim
Type	security
Severity	important
References	1190533,1190570,1191893,1192478,1192481,1193294,1193298,1194216,1194556,1195004,1195066,1195126,1195202,1195356,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3927,CVE-2021-3928,CVE-2021-3984,CVE-2021-4019,CVE-2021-4193,CVE-2021-46059,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0361,CVE-2022-0413

Description:

This update for vim fixes the following issues:

CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).
CVE-2021-3796: Fixed use-after-free in nv_replace() in normal.c (bsc#1190570).
CVE-2021-3872: Fixed heap-based buffer overflow in win_redr_status() drawscreen.c (bsc#1191893).
CVE-2021-3927: Fixed heap-based buffer overflow (bsc#1192481).
CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478).
CVE-2021-4019: Fixed heap-based buffer overflow (bsc#1193294).
CVE-2021-3984: Fixed illegal memory access when C-indenting could have led to heap buffer overflow (bsc#1193298).
CVE-2021-3778: Fixed heap-based buffer overflow in regexp_nfa.c (bsc#1190533).
CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).
CVE-2021-46059: Fixed pointer dereference vulnerability via the vim_regexec_multi function at regexp.c (bsc#1194556).
CVE-2022-0319: Fixded out-of-bounds read (bsc#1195066).
CVE-2022-0351: Fixed uncontrolled recursion in eval7() (bsc#1195126).
CVE-2022-0361: Fixed buffer overflow (bsc#1195126).
CVE-2022-0413: Fixed use-after-free in src/ex_cmds.c (bsc#1195356).

Advisory ID	SUSE-RU-2022:739-1
Released	Mon Mar 7 09:10:12 2022
Summary	Recommended update for mdadm
Type	recommended
Severity	moderate
References	1183229

Description:

This update for mdadm fixes the following issues:

Monitor: print message before quit for no array to monitor (bsc#1183229)

Advisory ID	SUSE-RU-2022:740-1
Released	Mon Mar 7 12:36:33 2022
Summary	Recommended update for supportutils-plugin-cloud-init
Type	recommended
Severity	moderate
References	1195961

Description:

This update for supportutils-plugin-cloud-init contains the following fixes:

Script name stripped for dashes and dots, which made the execution fail. (bsc#1195961)

Advisory ID	SUSE-SU-2022:743-1
Released	Mon Mar 7 22:08:12 2022
Summary	Security update for cyrus-sasl
Type	security
Severity	important
References	1194265,1196036,CVE-2022-24407

Description:

This update for cyrus-sasl fixes the following issues:

CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

postfix: sasl authentication with password fails (bsc#1194265).

Advisory ID	SUSE-OU-2022:752-1
Released	Tue Mar 8 13:21:39 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: babl

Advisory ID	SUSE-SU-2022:755-1
Released	Tue Mar 8 19:02:39 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1089644,1154353,1156395,1157038,1157923,1176447,1176940,1178134,1181147,1181588,1183872,1187716,1188404,1189126,1190812,1190972,1191580,1191655,1191741,1192210,1192483,1193096,1193233,1193243,1193787,1194163,1194967,1195012,1195081,1195142,1195352,1195378,1195476,1195477,1195478,1195479,1195480,1195481,1195482,1195506,1195516,1195543,1195668,1195701,1195798,1195799,1195823,1195908,1195928,1195947,1195957,1195995,1196195,1196235,1196339,1196400,1196403,1196516,1196584,1196601,1196612,1196776,CVE-2022-0001,CVE-2022-0002,CVE-2022-0492,CVE-2022-0516,CVE-2022-0847,CVE-2022-25375

Description:

The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive various security and bugfixes.

Transient execution side-channel attacks attacking the Branch History Buffer (BHB), named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:

CVE-2022-0847: Fixed a vulnerability were a local attackers could overwrite data in arbitrary (read-only) files (bsc#1196584).
CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
CVE-2022-25375: The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory (bsc#1196235).
CVE-2022-0516: Fixed missing check in ioctl related to KVM in s390 allows kernel memory read/write (bsc#1195516).
CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).

The following non-security bugs were fixed:

ACPI/IORT: Check node revision for PMCG resources (git-fixes).
ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS GU603 (git-fixes).
ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows (git-fixes).
ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) (git-fixes).
ALSA: hda: Fix missing codec probe on Shenker Dock 15 (git-fixes).
ALSA: hda: Fix regression on forced probe mask option (git-fixes).
ALSA: usb-audio: Correct quirk for VF0770 (git-fixes).
ALSA: usb-audio: initialize variables that could ignore errors (git-fixes).
ASoC: Revert 'ASoC: mediatek: Check for error clk pointer' (git-fixes).
ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name (git-fixes).
ASoC: fsl: Add missing error handling in pcm030_fabric_probe (git-fixes).
ASoC: max9759: fix underflow in speaker_gain_control_put() (git-fixes).
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() (git-fixes).
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() (git-fixes).
ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes (git-fixes).
Align s390 NVME target options with other architectures (bsc#1188404, jsc#SLE-22494).
Bluetooth: refactor malicious adv data check (git-fixes).
EDAC/xgene: Fix deferred probing (bsc#1178134).
HID:Add support for UGTABLET WP5540 (git-fixes).
IB/cm: Avoid a loop when device has 255 ports (git-fixes)
IB/cma: Do not send IGMP leaves for sendonly Multicast groups (git-fixes).
IB/hfi1: Fix AIP early init panic (jsc#SLE-13208).
IB/hfi1: Fix error return code in parse_platform_config() (git-fixes)
IB/hfi1: Use kzalloc() for mmu_rb_handler allocation (git-fixes)
IB/isert: Fix a use after free in isert_connect_request (git-fixes)
IB/mlx4: Separate tunnel and wire bufs parameters (git-fixes)
IB/mlx5: Add missing error code (git-fixes)
IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex (git-fixes)
IB/mlx5: Fix error unwinding when set_has_smi_cap fails (git-fixes)
IB/mlx5: Return appropriate error code instead of ENOMEM (git-fixes)
IB/umad: Return EIO in case of when device disassociated (git-fixes)
IB/umad: Return EPOLLERR in case of when device disassociated (git-fixes)
Input: wm97xx: Simplify resource management (git-fixes).
KVM: remember position in kvm->vcpus array (bsc#1190972 LTC#194674).
NFS: Ensure the server had an up to date ctime before renaming (git-fixes).
NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1195957).
NFSv4: Handle case where the lookup of a directory fails (git-fixes).
NFSv4: nfs_atomic_open() can race when looking up a non-regular file (git-fixes).
PM: hibernate: Remove register_nosave_region_late() (git-fixes).
PM: s2idle: ACPI: Fix wakeup interrupts handling (git-fixes).
PM: wakeup: simplify the output logic of pm_show_wakelocks() (git-fixes).
RDMA/addr: Be strict with gid size (git-fixes)
RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res (git-fixes)
RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() (git-fixes)
RDMA/bnxt_re: Set queue pair state when being queried (git-fixes)
RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (git-fixes)
RDMA/cma: Use correct address when leaving multicast group (bsc#1181147).
RDMA/core: Always release restrack object (git-fixes)
RDMA/core: Do not access cm_id after its destruction (git-fixes)
RDMA/core: Do not indicate device ready when device enablement fails (git-fixes)
RDMA/core: Fix corrupted SL on passive side (git-fixes)
RDMA/core: Unify RoCE check and re-factor code (git-fixes)
RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (git-fixes)
RDMA/cxgb4: Fix the reported max_recv_sge value (git-fixes)
RDMA/cxgb4: Validate the number of CQEs (git-fixes)
RDMA/cxgb4: add missing qpid increment (git-fixes)
RDMA/cxgb4: check for ipv6 address properly while destroying listener (git-fixes)
RDMA/hns: Add a check for current state before modifying QP (git-fixes)
RDMA/hns: Remove the portn field in UD SQ WQE (git-fixes)
RDMA/hns: Remove unnecessary access right set during INIT2INIT (git-fixes)
RDMA/i40iw: Address an mmap handler exploit in i40iw (git-fixes)
RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails (git-fixes)
RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr() (git-fixes)
RDMA/mlx5: Fix potential race between destroy and CQE poll (git-fixes)
RDMA/mlx5: Fix query DCT via DEVX (git-fixes)
RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters() (git-fixes)
RDMA/mlx5: Fix wrong free of blue flame register on error (git-fixes)
RDMA/mlx5: Issue FW command to destroy SRQ on reentry (git-fixes)
RDMA/mlx5: Recover from fatal event in dual port mode (git-fixes)
RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (git-fixes)
RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd() (git-fixes)
RDMA/rxe: Clear all QP fields if creation failed (git-fixes)
RDMA/rxe: Compute PSN windows correctly (git-fixes)
RDMA/rxe: Correct skb on loopback path (git-fixes)
RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (git-fixes)
RDMA/rxe: Fix coding error in rxe_recv.c (git-fixes)
RDMA/rxe: Fix missing kconfig dependency on CRYPTO (git-fixes)
RDMA/rxe: Remove useless code in rxe_recv.c (git-fixes)
RDMA/siw: Fix a use after free in siw_alloc_mr (git-fixes)
RDMA/siw: Fix calculation of tx_valid_cpus size (git-fixes)
RDMA/siw: Fix handling of zero-sized Read and Receive Queues. (git-fixes)
RDMA/siw: Properly check send and receive CQ pointers (git-fixes)
RDMA/siw: Release xarray entry (git-fixes)
RDMA/ucma: Protect mc during concurrent multicast leaves (bsc#1181147).
RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (git-fixes)
RDMA/uverbs: Fix a NULL vs IS_ERR() bug (git-fixes)
RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr() (git-fixes)
RMDA/sw: Do not allow drivers using dma_virt_ops on highmem configs (git-fixes)
USB: core: Fix hang in usb_kill_urb by adding memory barriers (git-fixes).
USB: serial: ch341: add support for GW Instek USB2.0-Serial devices (git-fixes).
USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 (git-fixes).
USB: serial: mos7840: fix probe error handling (git-fixes).
USB: serial: mos7840: remove duplicated 0xac24 device ID (git-fixes).
USB: serial: option: add ZTE MF286D modem (git-fixes).
ata: libata-core: Disable TRIM on M88V29 (git-fixes).
ax25: improve the incomplete fix to avoid UAF and NPD bugs (git-fixes).
blk-cgroup: fix missing put device in error path from blkg_conf_pref() (bsc#1195481).
blk-mq: always allow reserved allocation in hctx_may_queue (bsc#1193787).
blk-mq: avoid to iterate over stale request (bsc#1193787).
blk-mq: clear stale request in tags->rq before freeing one request pool (bsc#1193787).
blk-mq: clearing flush request reference in tags->rqs (bsc#1193787).
blk-mq: do not grab rq's refcount in blk_mq_check_expired() (bsc#1193787 git-fixes).
blk-mq: fix is_flush_rq (bsc#1193787 git-fixes).
blk-mq: fix kernel panic during iterating over flush request (bsc#1193787 git-fixes).
blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter (bsc#1193787).
blk-mq: introduce blk_mq_set_request_complete (git-fixes).
blk-mq: mark flush request as IDLE in flush_end_io() (bsc#1193787).
blk-tag: Hide spin_lock (bsc#1193787).
block: avoid double io accounting for flush request (bsc#1193787).
block: do not send a rezise udev event for hidden block device (bsc#1193096).
block: mark flush request as IDLE when it is really finished (bsc#1193787).
bonding: pair enable_port with slave_arr_updates (git-fixes).
bpf: Adjust BTF log size limit (git-fixes).
bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD) (git-fixes).
btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
btrfs: check worker before need_preemptive_reclaim (bsc#1196195).
btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1196195).
btrfs: do not include the global rsv size in the preemptive used amount (bsc#1196195).
btrfs: handle preemptive delalloc flushing slightly differently (bsc#1196195).
btrfs: make sure SB_I_VERSION does not get unset by remount (bsc#1192210).
btrfs: only clamp the first time we have to start flushing (bsc#1196195).
btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1196195).
btrfs: reduce the preemptive flushing threshold to 90% (bsc#1196195).
btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1196195).
btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1196195).
ceph: properly put ceph_string reference after async create attempt (bsc#1195798).
ceph: set pool_ns in new inode layout for async creates (bsc#1195799).
dma-buf: heaps: Fix potential spectre v1 gadget (git-fixes).
drm/amdgpu: fix logic inversion in check (git-fixes).
drm/i915/gvt: Make DRM_I915_GVT depend on X86 (git-fixes).
drm/i915/gvt: clean up kernel-doc in gtt.c (git-fixes).
drm/i915/opregion: check port number bounds for SWSCI display power state (git-fixes).
drm/i915/overlay: Prevent divide by zero bugs in scaling (git-fixes).
drm/i915: Correctly populate use_sagv_wm for all pipes (git-fixes).
drm/i915: Fix bw atomic check when switching between SAGV vs. no SAGV (git-fixes).
drm/msm/dsi: Fix missing put_device() call in dsi_get_phy (git-fixes).
drm/nouveau: fix off by one in BIOS boundary checking (git-fixes).
drm/panel: simple: Assign data from panel_dpi_probe() correctly (git-fixes).
drm/radeon: Fix backlight control on iMac 12,1 (git-fixes).
drm/rockchip: dw_hdmi: Do not leave clock enabled in error case (git-fixes).
drm/rockchip: vop: Correct RK3399 VOP register fields (git-fixes).
drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd (git-fixes).
drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer (git-fixes).
ext4: check for inconsistent extents between index and leaf block (bsc#1194163 bsc#1196339).
ext4: check for out-of-order index extents in ext4_valid_extent_entries() (bsc#1194163 bsc#1196339).
ext4: fix an use-after-free issue about data=journal writeback mode (bsc#1195482).
ext4: make sure quota gets properly shutdown on error (bsc#1195480).
ext4: prevent partial update of the extent blocks (bsc#1194163 bsc#1196339).
fsnotify: fix fsnotify hooks in pseudo filesystems (bsc#1195479).
fsnotify: invalidate dcache before IN_DELETE event (bsc#1195478).
gve: Add RX context (bsc#1191655).
gve: Add a jumbo-frame device option (bsc#1191655).
gve: Add consumed counts to ethtool stats (bsc#1191655).
gve: Add optional metadata descriptor type GVE_TXD_MTD (bsc#1191655).
gve: Correct order of processing device options (bsc#1191655).
gve: Fix GFP flags when allocing pages (git-fixes).
gve: Fix off by one in gve_tx_timeout() (bsc#1191655).
gve: Implement packet continuation for RX (bsc#1191655).
gve: Implement suspend/resume/shutdown (bsc#1191655).
gve: Move the irq db indexes out of the ntfy block struct (bsc#1191655).
gve: Recording rx queue before sending to napi (bsc#1191655).
gve: Recover from queue stall due to missed IRQ (bsc#1191655).
gve: Update gve_free_queue_page_list signature (bsc#1191655).
gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
gve: fix for null pointer dereference (bsc#1191655).
gve: fix the wrong AdminQ buffer queue index check (bsc#1176940).
gve: fix unmatched u64_stats_update_end() (bsc#1191655).
gve: remove memory barrier around seqno (bsc#1191655).
i2c: brcmstb: fix support for DSL and CM variants (git-fixes).
i40e: Fix for failed to init adminq while VF reset (git-fixes).
i40e: Fix issue when maximum queues is exceeded (git-fixes).
i40e: Fix queues reservation for XDP (git-fixes).
i40e: Increase delay to 1 s after global EMP reset (git-fixes).
i40e: fix unsigned stat widths (git-fixes).
i40iw: Add support to make destroy QP synchronous (git-fixes)
ibmvnic: Allow queueing resets during probe (bsc#1196516 ltc#196391).
ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
ibmvnic: complete init_done on transport events (bsc#1196516 ltc#196391).
ibmvnic: define flush_reset_queue helper (bsc#1196516 ltc#196391).
ibmvnic: do not release napi in __ibmvnic_open() (bsc#1195668 ltc#195811).
ibmvnic: free reset-work-item when flushing (bsc#1196516 ltc#196391).
ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
ibmvnic: initialize rc before completing wait (bsc#1196516 ltc#196391).
ibmvnic: register netdev after init of adapter (bsc#1196516 ltc#196391).
ibmvnic: schedule failover only if vioctl fails (bsc#1196400 ltc#195815).
ice: fix IPIP and SIT TSO offload (git-fixes).
ice: fix an error code in ice_cfg_phy_fec() (jsc#SLE-12878).
ima: Allow template selection with ima_template[_fmt]= after ima_hash= (git-fixes).
ima: Do not print policy rule with inactive LSM labels (git-fixes).
ima: Remove ima_policy file before directory (git-fixes).
integrity: Make function integrity_add_key() static (git-fixes).
integrity: check the return value of audit_log_start() (git-fixes).
integrity: double check iint_cache was initialized (git-fixes).
iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() (git-fixes).
iommu/amd: Remove useless irq affinity notifier (git-fixes).
iommu/amd: Restore GA log/tail pointer on host resume (git-fixes).
iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume (git-fixes).
iommu/amd: X2apic mode: re-enable after resume (git-fixes).
iommu/amd: X2apic mode: setup the INTX registers on mask/unmask (git-fixes).
iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure (git-fixes).
iommu/io-pgtable-arm: Fix table descriptor paddr formatting (git-fixes).
iommu/iova: Fix race between FQ timeout and teardown (git-fixes).
iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() (git-fixes).
iwlwifi: fix use-after-free (git-fixes).
iwlwifi: pcie: fix locking when 'HW not ready' (git-fixes).
iwlwifi: pcie: gen2: fix locking when 'HW not ready' (git-fixes).
ixgbevf: Require large buffers for build_skb on 82599VF (git-fixes).
kABI fixup after adding vcpu_idx to struct kvm_cpu (bsc#1190972 LTC#194674).
kABI: Fix kABI for AMD IOMMU driver (git-fixes).
kabi: Hide changes to s390/AP structures (jsc#SLE-20807).
lib/iov_iter: initialize 'flags' in new pipe_buffer (bsc#1196584).
libsubcmd: Fix use-after-free for realloc(..., 0) (git-fixes).
md/raid5: fix oops during stripe resizing (bsc#1181588).
misc: fastrpc: avoid double fput() on failed usercopy (git-fixes).
mmc: sdhci-of-esdhc: Check for error num after setting mask (git-fixes).
mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status (git-fixes).
mtd: rawnand: gpmi: do not leak PM reference in error path (git-fixes).
mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe() (git-fixes).
net/ibmvnic: Cleanup workaround doing an EOI after partition migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
net/mlx5e: Fix handling of wrong devices during bond netevent (jsc#SLE-15172).
net: macb: Align the dma and coherent dma masks (git-fixes).
net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE (bsc#1176447).
net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs (git-fixes).
net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs (git-fixes).
net: phy: marvell: configure RGMII delays for 88E1118 (git-fixes).
net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
nfp: flower: fix ida_idx not being released (bsc#1154353).
nfsd: allow delegation state ids to be revoked and then freed (bsc#1192483).
nfsd: allow lock state ids to be revoked and then freed (bsc#1192483).
nfsd: allow open state ids to be revoked and then freed (bsc#1192483).
nfsd: do not admin-revoke NSv4.0 state ids (bsc#1192483).
nfsd: prepare for supporting admin-revocation of state (bsc#1192483).
nvme-core: use list_add_tail_rcu instead of list_add_tail for nvme_init_ns_head (git-fixes).
nvme-fabrics: avoid double completions in nvmf_fail_nonready_command (git-fixes).
nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() (bsc#1195012).
nvme-fabrics: ignore invalid fast_io_fail_tmo values (git-fixes).
nvme-fabrics: remove superfluous nvmf_host_put in nvmf_parse_options (git-fixes).
nvme-multipath: fix ANA state updates when a namespace is not present (git-fixes).
nvme-tcp: fix data digest pointer calculation (git-fixes).
nvme-tcp: fix incorrect h2cdata pdu offset accounting (git-fixes).
nvme-tcp: fix memory leak when freeing a queue (git-fixes).
nvme-tcp: fix possible use-after-completion (git-fixes).
nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t() (git-fixes).
nvme: also mark passthrough-only namespaces ready in nvme_update_ns_info (git-fixes).
nvme: do not return an error from nvme_configure_metadata (git-fixes).
nvme: fix use after free when disconnecting a reconnecting ctrl (git-fixes).
nvme: introduce a nvme_host_path_error helper (git-fixes).
nvme: let namespace probing continue for unsupported features (git-fixes).
nvme: refactor ns->ctrl by request (git-fixes).
pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line (git-fixes).
pinctrl: intel: fix unexpected interrupt (git-fixes).
powerpc/64: Move paca allocation later in boot (bsc#1190812).
powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending (bsc#1156395).
powerpc/pseries/ddw: Revert 'Extend upper limit for huge DMA window for persistent memory' (bsc#1195995 ltc#196394).
powerpc/pseries: read the lpar name from the firmware (bsc#1187716 ltc#193451).
powerpc: Set crashkernel offset to mid of RMA region (bsc#1190812).
powerpc: add link stack flush mitigation status in debugfs (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev (git-fixes).
rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev (git-fixes).
s390/AP: support new dynamic AP bus size limit (jsc#SLE-20807).
s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (git-fixes).
s390/bpf: Fix optimizing out zero-extensions (git-fixes).
s390/cio: make ccw_device_dma_* more robust (bsc#1193243 LTC#195549).
s390/cio: verify the driver availability for path_event call (bsc#1195928 LTC#196418).
s390/cpumf: Support for CPU Measurement Facility CSVN 7 (bsc#1195081 LTC#196088).
s390/cpumf: Support for CPU Measurement Sampling Facility LS bit (bsc#1195081 LTC#196088).
s390/pci: add s390_iommu_aperture kernel parameter (bsc#1193233 LTC#195540).
s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194967 LTC#196028).
s390/protvirt: fix error return code in uv_info_init() (jsc#SLE-22135).
s390/sclp: fix Secure-IPL facility detection (bsc#1191741 LTC#194816).
s390/uv: add prot virt guest/host indication files (jsc#SLE-22135).
s390/uv: fix prot virt host indication compilation (jsc#SLE-22135).
scripts/dtc: only append to HOST_EXTRACFLAGS instead of overwriting (git-fixes).
scsi: core: Add a new error code DID_TRANSPORT_MARGINAL in scsi.h (bsc#1195506).
scsi: core: Add limitless cmd retry support (bsc#1195506).
scsi: core: No retries on abort success (bsc#1195506).
scsi: kABI fix for 'eh_should_retry_cmd' (bsc#1195506).
scsi: lpfc: Add support for eh_should_retry_cmd() (bsc#1195506).
scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
scsi: qla2xxx: Add devids and conditionals for 28xx (bsc#1195823).
scsi: qla2xxx: Add marginal path handling support (bsc#1195506).
scsi: qla2xxx: Add ql2xnvme_queues module param to configure number of NVMe queues (bsc#1195823).
scsi: qla2xxx: Add qla2x00_async_done() for async routines (bsc#1195823).
scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
scsi: qla2xxx: Check for firmware dump already collected (bsc#1195823).
scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters (bsc#1195823).
scsi: qla2xxx: Fix device reconnect in loop topology (bsc#1195823).
scsi: qla2xxx: Fix premature hw access after PCI error (bsc#1195823).
scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
scsi: qla2xxx: Fix warning message due to adisc being flushed (bsc#1195823).
scsi: qla2xxx: Fix wrong FDMI data for 64G adapter (bsc#1195823).
scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
scsi: qla2xxx: Refactor asynchronous command initialization (bsc#1195823).
scsi: qla2xxx: Remove a declaration (bsc#1195823).
scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from scsi_qla_host_t (bsc#1195823).
scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() (bsc#1195823).
scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
scsi: qla2xxx: edif: Fix inconsistent check of db_flags (bsc#1195823).
scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
scsi: qla2xxx: edif: Replace list_for_each_safe with list_for_each_entry_safe (bsc#1195823).
scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
scsi: scsi_transport_fc: Add a new rport state FC_PORTSTATE_MARGINAL (bsc#1195506).
scsi: scsi_transport_fc: Add store capability to rport port_state in sysfs (bsc#1195506).
scsi: target: iscsi: Fix cmd abort fabric stop race (bsc#1195286).
scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices (bsc#1195378 LTC#196244).
scsi_transport_fc: kabi fix blank out FC_PORTSTATE_MARGINAL (bsc#1195506).
spi: bcm-qspi: check for valid cs before applying chip select (git-fixes).
spi: mediatek: Avoid NULL pointer crash in interrupt (git-fixes).
spi: meson-spicc: add IRQ check in meson_spicc_probe (git-fixes).
staging/fbtft: Fix backlight (git-fixes).
staging: fbtft: Fix error path in fbtft_driver_module_init() (git-fixes).
tracing: Do not inc err_log entry count if entry allocation fails (git-fixes).
tracing: Dump stacktrace trigger to the corresponding instance (git-fixes).
tracing: Fix smatch warning for null glob in event_hist_trigger_parse() (git-fixes).
tracing: Have traceon and traceoff trigger honor the instance (git-fixes).
tracing: Propagate is_signed to expression (git-fixes).
tty: Add support for Brainboxes UC cards (git-fixes).
udf: Fix NULL ptr deref when converting from inline format (bsc#1195476).
udf: Restore i_lenAlloc when inode expansion fails (bsc#1195477).
usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge (git-fixes).
usb: dwc2: Fix NULL qh in dwc2_queue_transaction (git-fixes).
usb: dwc2: gadget: do not try to disable ep0 in dwc2_hsotg_suspend (git-fixes).
usb: dwc3: do not set gadget->is_otg flag (git-fixes).
usb: dwc3: gadget: Prevent core from processing stale TRBs (git-fixes).
usb: f_fs: Fix use-after-free for epfile (git-fixes).
usb: gadget: f_uac2: Define specific wTerminalType (git-fixes).
usb: gadget: rndis: check size of RNDIS_MSG_SET command (git-fixes).
usb: gadget: s3c: remove unused 'udc' variable (git-fixes).
usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition (git-fixes).
usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe() (git-fixes).
usb: ulpi: Call of_node_put correctly (git-fixes).
usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).
xhci-pci: Allow host runtime PM as default for Intel Alpine Ridge LP (git-fixes).

Advisory ID	SUSE-SU-2022:760-1
Released	Tue Mar 8 19:06:23 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1089644,1154353,1157038,1157923,1176447,1176940,1178134,1181147,1181588,1183872,1187716,1188404,1189126,1190812,1190972,1191580,1191655,1191741,1192210,1192483,1193096,1193233,1193243,1193787,1194163,1194967,1195012,1195081,1195286,1195352,1195378,1195506,1195516,1195543,1195668,1195701,1195798,1195799,1195823,1195908,1195928,1195947,1195957,1195995,1196195,1196235,1196339,1196373,1196400,1196403,1196516,1196584,1196585,1196601,1196612,1196776,CVE-2022-0001,CVE-2022-0002,CVE-2022-0492,CVE-2022-0516,CVE-2022-0847,CVE-2022-25375

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

Transient execution side-channel attacks attacking the Branch History Buffer (BHB), named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
The following security bugs were fixed:

CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
CVE-2022-0847: Fixed a vulnerability were a local attackers could overwrite data in arbitrary (read-only) files (bsc#1196584).
CVE-2022-25375: The RNDIS USB gadget lacks validation of the size of the RNDIS_MSG_SET command. Attackers can obtain sensitive information from kernel memory (bnc#1196235 ).
CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
CVE-2022-0516: Fixed missing check in ioctl related to KVM in s390 allows kernel memory read/write (bsc#1195516).

The following non-security bugs were fixed:

ACPI/IORT: Check node revision for PMCG resources (git-fixes).
ALSA: hda/realtek: Add missing fixup-model entry for Gigabyte X570 ALC1220 quirks (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS GU603 (git-fixes).
ALSA: hda/realtek: Fix silent output on Gigabyte X570 Aorus Xtreme after reboot from Windows (git-fixes).
ALSA: hda/realtek: Fix silent output on Gigabyte X570S Aorus Master (newer chipset) (git-fixes).
ALSA: hda: Fix missing codec probe on Shenker Dock 15 (git-fixes).
ALSA: hda: Fix regression on forced probe mask option (git-fixes).
ASoC: Revert 'ASoC: mediatek: Check for error clk pointer' (git-fixes).
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() (git-fixes).
ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() (git-fixes).
ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() (git-fixes).
Align s390 NVME target options with other architectures (bsc#1188404, jsc#SLE-22494).
Drop PCI xgene patch that caused a regression for mxl4 (bsc#1195352)
EDAC/xgene: Fix deferred probing (bsc#1178134).
HID:Add support for UGTABLET WP5540 (git-fixes).
IB/cma: Do not send IGMP leaves for sendonly Multicast groups (git-fixes).
IB/hfi1: Fix AIP early init panic (jsc#SLE-13208).
KVM: remember position in kvm->vcpus array (bsc#1190972 LTC#194674).
NFSD: Fix the behavior of READ near OFFSET_MAX (bsc#1195957).
PM: hibernate: Remove register_nosave_region_late() (git-fixes).
PM: s2idle: ACPI: Fix wakeup interrupts handling (git-fixes).
RDMA/cma: Use correct address when leaving multicast group (bsc#1181147).
RDMA/core: Always release restrack object (git-fixes)
RDMA/cxgb4: check for ipv6 address properly while destroying listener (git-fixes)
RDMA/siw: Release xarray entry (git-fixes)
RDMA/ucma: Protect mc during concurrent multicast leaves (bsc#1181147).
USB: serial: ch341: add support for GW Instek USB2.0-Serial devices (git-fixes).
USB: serial: cp210x: add CPI Bulk Coin Recycler id (git-fixes).
USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 (git-fixes).
USB: serial: mos7840: remove duplicated 0xac24 device ID (git-fixes).
USB: serial: option: add ZTE MF286D modem (git-fixes).
ata: libata-core: Disable TRIM on M88V29 (git-fixes).
ax25: improve the incomplete fix to avoid UAF and NPD bugs (git-fixes).
blk-mq: always allow reserved allocation in hctx_may_queue (bsc#1193787).
blk-mq: avoid to iterate over stale request (bsc#1193787).
blk-mq: clear stale request in tags->rq before freeing one request pool (bsc#1193787).
blk-mq: clearing flush request reference in tags->rqs (bsc#1193787).
blk-mq: do not grab rq's refcount in blk_mq_check_expired() (bsc#1193787 git-fixes).
blk-mq: fix is_flush_rq (bsc#1193787 git-fixes).
blk-mq: fix kernel panic during iterating over flush request (bsc#1193787 git-fixes).
blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter (bsc#1193787).
blk-mq: mark flush request as IDLE in flush_end_io() (bsc#1193787).
blk-tag: Hide spin_lock (bsc#1193787).
block: avoid double io accounting for flush request (bsc#1193787).
block: do not send a rezise udev event for hidden block device (bsc#1193096).
block: mark flush request as IDLE when it is really finished (bsc#1193787).
bonding: pair enable_port with slave_arr_updates (git-fixes).
bpf: Adjust BTF log size limit (git-fixes).
bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD) (git-fixes).
btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
btrfs: check worker before need_preemptive_reclaim (bsc#1196195).
btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1196195).
btrfs: do not include the global rsv size in the preemptive used amount (bsc#1196195).
btrfs: handle preemptive delalloc flushing slightly differently (bsc#1196195).
btrfs: make sure SB_I_VERSION does not get unset by remount (bsc#1192210).
btrfs: only clamp the first time we have to start flushing (bsc#1196195).
btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1196195).
btrfs: reduce the preemptive flushing threshold to 90% (bsc#1196195).
btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1196195).
btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1196195).
ceph: properly put ceph_string reference after async create attempt (bsc#1195798).
ceph: set pool_ns in new inode layout for async creates (bsc#1195799).
drm/amdgpu: fix logic inversion in check (git-fixes).
drm/i915/gvt: Make DRM_I915_GVT depend on X86 (git-fixes).
drm/i915/gvt: clean up kernel-doc in gtt.c (git-fixes).
drm/i915/opregion: check port number bounds for SWSCI display power state (git-fixes).
drm/i915: Correctly populate use_sagv_wm for all pipes (git-fixes).
drm/i915: Fix bw atomic check when switching between SAGV vs. no SAGV (git-fixes).
drm/panel: simple: Assign data from panel_dpi_probe() correctly (git-fixes).
drm/radeon: Fix backlight control on iMac 12,1 (git-fixes).
drm/rockchip: dw_hdmi: Do not leave clock enabled in error case (git-fixes).
drm/rockchip: vop: Correct RK3399 VOP register fields (git-fixes).
drm/vc4: hdmi: Allow DBLCLK modes even if horz timing is odd (git-fixes).
drm: panel-orientation-quirks: Add quirk for the 1Netbook OneXPlayer (git-fixes).
ext4: check for inconsistent extents between index and leaf block (bsc#1194163 bsc#1196339).
ext4: check for out-of-order index extents in ext4_valid_extent_entries() (bsc#1194163 bsc#1196339).
ext4: prevent partial update of the extent blocks (bsc#1194163 bsc#1196339).
gve: Add RX context (bsc#1191655).
gve: Add a jumbo-frame device option (bsc#1191655).
gve: Add consumed counts to ethtool stats (bsc#1191655).
gve: Add optional metadata descriptor type GVE_TXD_MTD (bsc#1191655).
gve: Correct order of processing device options (bsc#1191655).
gve: Fix GFP flags when allocing pages (git-fixes).
gve: Fix off by one in gve_tx_timeout() (bsc#1191655).
gve: Implement packet continuation for RX (bsc#1191655).
gve: Implement suspend/resume/shutdown (bsc#1191655).
gve: Move the irq db indexes out of the ntfy block struct (bsc#1191655).
gve: Recording rx queue before sending to napi (bsc#1191655).
gve: Recover from queue stall due to missed IRQ (bsc#1191655).
gve: Update gve_free_queue_page_list signature (bsc#1191655).
gve: Use kvcalloc() instead of kvzalloc() (bsc#1191655).
gve: fix for null pointer dereference (bsc#1191655).
gve: fix the wrong AdminQ buffer queue index check (bsc#1176940).
gve: fix unmatched u64_stats_update_end() (bsc#1191655).
gve: remove memory barrier around seqno (bsc#1191655).
i2c: brcmstb: fix support for DSL and CM variants (git-fixes).
i40e: Fix for failed to init adminq while VF reset (git-fixes).
i40e: Fix issue when maximum queues is exceeded (git-fixes).
i40e: Fix queues reservation for XDP (git-fixes).
i40e: Increase delay to 1 s after global EMP reset (git-fixes).
i40e: fix unsigned stat widths (git-fixes).
ibmvnic: Allow queueing resets during probe (bsc#1196516 ltc#196391).
ibmvnic: clear fop when retrying probe (bsc#1196516 ltc#196391).
ibmvnic: complete init_done on transport events (bsc#1196516 ltc#196391).
ibmvnic: define flush_reset_queue helper (bsc#1196516 ltc#196391).
ibmvnic: do not release napi in __ibmvnic_open() (bsc#1195668 ltc#195811).
ibmvnic: free reset-work-item when flushing (bsc#1196516 ltc#196391).
ibmvnic: init init_done_rc earlier (bsc#1196516 ltc#196391).
ibmvnic: initialize rc before completing wait (bsc#1196516 ltc#196391).
ibmvnic: register netdev after init of adapter (bsc#1196516 ltc#196391).
ibmvnic: schedule failover only if vioctl fails (bsc#1196400 ltc#195815).
ice: fix IPIP and SIT TSO offload (git-fixes).
ice: fix an error code in ice_cfg_phy_fec() (jsc#SLE-12878).
ima: Allow template selection with ima_template[_fmt]= after ima_hash= (git-fixes).
ima: Do not print policy rule with inactive LSM labels (git-fixes).
ima: Remove ima_policy file before directory (git-fixes).
integrity: Make function integrity_add_key() static (git-fixes).
integrity: check the return value of audit_log_start() (git-fixes).
integrity: double check iint_cache was initialized (git-fixes).
iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() (git-fixes).
iommu/amd: Remove useless irq affinity notifier (git-fixes).
iommu/amd: Restore GA log/tail pointer on host resume (git-fixes).
iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume (git-fixes).
iommu/amd: X2apic mode: re-enable after resume (git-fixes).
iommu/amd: X2apic mode: setup the INTX registers on mask/unmask (git-fixes).
iommu/io-pgtable-arm-v7s: Add error handle for page table allocation failure (git-fixes).
iommu/io-pgtable-arm: Fix table descriptor paddr formatting (git-fixes).
iommu/iova: Fix race between FQ timeout and teardown (git-fixes).
iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() (git-fixes).
iwlwifi: fix use-after-free (git-fixes).
iwlwifi: pcie: fix locking when 'HW not ready' (git-fixes).
iwlwifi: pcie: gen2: fix locking when 'HW not ready' (git-fixes).
ixgbevf: Require large buffers for build_skb on 82599VF (git-fixes).
kABI fixup after adding vcpu_idx to struct kvm_cpu (bsc#1190972 LTC#194674).
kABI: Fix kABI for AMD IOMMU driver (git-fixes).
kabi: Hide changes to s390/AP structures (jsc#SLE-20807).
lib/iov_iter: initialize 'flags' in new pipe_buffer (bsc#1196584).
libsubcmd: Fix use-after-free for realloc(..., 0) (git-fixes).
md/raid5: fix oops during stripe resizing (bsc#1181588).
misc: fastrpc: avoid double fput() on failed usercopy (git-fixes).
mmc: sdhci-of-esdhc: Check for error num after setting mask (git-fixes).
mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status (git-fixes).
mtd: rawnand: gpmi: do not leak PM reference in error path (git-fixes).
mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe() (git-fixes).
net/ibmvnic: Cleanup workaround doing an EOI after partition migration (bsc#1089644 ltc#166495 ltc#165544 git-fixes).
net/mlx5e: Fix handling of wrong devices during bond netevent (jsc#SLE-15172).
net: macb: Align the dma and coherent dma masks (git-fixes).
net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE (bsc#1176447).
net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs (git-fixes).
net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs (git-fixes).
net: phy: marvell: configure RGMII delays for 88E1118 (git-fixes).
net: usb: qmi_wwan: Add support for Dell DW5829e (git-fixes).
nfp: flower: fix ida_idx not being released (bsc#1154353).
nfsd: allow delegation state ids to be revoked and then freed (bsc#1192483).
nfsd: allow lock state ids to be revoked and then freed (bsc#1192483).
nfsd: allow open state ids to be revoked and then freed (bsc#1192483).
nfsd: do not admin-revoke NSv4.0 state ids (bsc#1192483).
nfsd: prepare for supporting admin-revocation of state (bsc#1192483).
nvme-fabrics: fix state check in nvmf_ctlr_matches_baseopts() (bsc#1195012).
nvme: also mark passthrough-only namespaces ready in nvme_update_ns_info (git-fixes).
nvme: do not return an error from nvme_configure_metadata (git-fixes).
nvme: let namespace probing continue for unsupported features (git-fixes).
powerpc/64: Move paca allocation later in boot (bsc#1190812).
powerpc/64s: Fix debugfs_simple_attr.cocci warnings (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
powerpc/pseries/ddw: Revert 'Extend upper limit for huge DMA window for persistent memory' (bsc#1195995 ltc#196394).
powerpc/pseries: read the lpar name from the firmware (bsc#1187716 ltc#193451).
powerpc: Set crashkernel offset to mid of RMA region (bsc#1190812).
powerpc: add link stack flush mitigation status in debugfs (bsc#1157038 bsc#1157923 ltc#182612 git-fixes).
s390/AP: support new dynamic AP bus size limit (jsc#SLE-20807).
s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (git-fixes).
s390/bpf: Fix optimizing out zero-extensions (git-fixes).
s390/cio: make ccw_device_dma_* more robust (bsc#1193243 LTC#195549).
s390/cio: verify the driver availability for path_event call (bsc#1195928 LTC#196418).
s390/cpumf: Support for CPU Measurement Facility CSVN 7 (bsc#1195081 LTC#196088).
s390/cpumf: Support for CPU Measurement Sampling Facility LS bit (bsc#1195081 LTC#196088).
s390/pci: add s390_iommu_aperture kernel parameter (bsc#1193233 LTC#195540).
s390/pci: move pseudo-MMIO to prevent MIO overlap (bsc#1194967 LTC#196028).
s390/protvirt: fix error return code in uv_info_init() (jsc#SLE-22135).
s390/sclp: fix Secure-IPL facility detection (bsc#1191741 LTC#194816).
s390/uv: add prot virt guest/host indication files (jsc#SLE-22135).
s390/uv: fix prot virt host indication compilation (jsc#SLE-22135).
scsi: core: Add a new error code DID_TRANSPORT_MARGINAL in scsi.h (bsc#1195506).
scsi: core: Add limitless cmd retry support (bsc#1195506).
scsi: core: No retries on abort success (bsc#1195506).
scsi: kABI fix for 'eh_should_retry_cmd' (bsc#1195506).
scsi: lpfc: Add support for eh_should_retry_cmd() (bsc#1195506).
scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
scsi: qla2xxx: Add devids and conditionals for 28xx (bsc#1195823).
scsi: qla2xxx: Add marginal path handling support (bsc#1195506).
scsi: qla2xxx: Add ql2xnvme_queues module param to configure number of NVMe queues (bsc#1195823).
scsi: qla2xxx: Add qla2x00_async_done() for async routines (bsc#1195823).
scsi: qla2xxx: Add retry for exec firmware (bsc#1195823).
scsi: qla2xxx: Check for firmware dump already collected (bsc#1195823).
scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters (bsc#1195823).
scsi: qla2xxx: Fix device reconnect in loop topology (bsc#1195823).
scsi: qla2xxx: Fix premature hw access after PCI error (bsc#1195823).
scsi: qla2xxx: Fix scheduling while atomic (bsc#1195823).
scsi: qla2xxx: Fix stuck session in gpdb (bsc#1195823).
scsi: qla2xxx: Fix unmap of already freed sgl (bsc#1195823).
scsi: qla2xxx: Fix warning for missing error code (bsc#1195823).
scsi: qla2xxx: Fix warning message due to adisc being flushed (bsc#1195823).
scsi: qla2xxx: Fix wrong FDMI data for 64G adapter (bsc#1195823).
scsi: qla2xxx: Implement ref count for SRB (bsc#1195823).
scsi: qla2xxx: Refactor asynchronous command initialization (bsc#1195823).
scsi: qla2xxx: Remove a declaration (bsc#1195823).
scsi: qla2xxx: Remove unused qla_sess_op_cmd_list from scsi_qla_host_t (bsc#1195823).
scsi: qla2xxx: Return -ENOMEM if kzalloc() fails (bsc#1195823).
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() (bsc#1195823).
scsi: qla2xxx: Update version to 10.02.07.200-k (bsc#1195823).
scsi: qla2xxx: Update version to 10.02.07.300-k (bsc#1195823).
scsi: qla2xxx: edif: Fix clang warning (bsc#1195823).
scsi: qla2xxx: edif: Fix inconsistent check of db_flags (bsc#1195823).
scsi: qla2xxx: edif: Reduce connection thrash (bsc#1195823).
scsi: qla2xxx: edif: Replace list_for_each_safe with list_for_each_entry_safe (bsc#1195823).
scsi: qla2xxx: edif: Tweak trace message (bsc#1195823).
scsi: scsi_transport_fc: Add a new rport state FC_PORTSTATE_MARGINAL (bsc#1195506).
scsi: scsi_transport_fc: Add store capability to rport port_state in sysfs (bsc#1195506).
scsi: target: iscsi: Fix cmd abort fabric stop race (bsc#1195286).
scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices (bsc#1195378 LTC#196244).
scsi_transport_fc: kabi fix blank out FC_PORTSTATE_MARGINAL (bsc#1195506).
staging/fbtft: Fix backlight (git-fixes).
staging: fbtft: Fix error path in fbtft_driver_module_init() (git-fixes).
tracing: Do not inc err_log entry count if entry allocation fails (git-fixes).
tracing: Dump stacktrace trigger to the corresponding instance (git-fixes).
tracing: Fix smatch warning for null glob in event_hist_trigger_parse() (git-fixes).
tracing: Have traceon and traceoff trigger honor the instance (git-fixes).
tracing: Propagate is_signed to expression (git-fixes).
usb: dwc2: Fix NULL qh in dwc2_queue_transaction (git-fixes).
usb: dwc2: gadget: do not try to disable ep0 in dwc2_hsotg_suspend (git-fixes).
usb: dwc3: do not set gadget->is_otg flag (git-fixes).
usb: dwc3: gadget: Prevent core from processing stale TRBs (git-fixes).
usb: f_fs: Fix use-after-free for epfile (git-fixes).
usb: gadget: f_uac2: Define specific wTerminalType (git-fixes).
usb: gadget: rndis: check size of RNDIS_MSG_SET command (git-fixes).
usb: gadget: s3c: remove unused 'udc' variable (git-fixes).
usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition (git-fixes).
usb: host: ehci-tegra: Fix error handling in tegra_ehci_probe() (git-fixes).
usb: ulpi: Call of_node_put correctly (git-fixes).
usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).

Advisory ID	SUSE-SU-2022:769-1
Released	Wed Mar 9 09:23:56 2022
Summary	Security update for libcaca
Type	security
Severity	important
References	1184751,1184752,CVE-2021-30498,CVE-2021-30499

Description:

This update for libcaca fixes the following issues:

CVE-2021-30498, CVE-2021-30499: If an image has a size of 0x0, when exporting, no data is written and space is allocated for the header only, not taking into account that sprintf appends a NUL byte (bsc#1184751, bsc#1184752).

Advisory ID	SUSE-SU-2022:770-1
Released	Wed Mar 9 09:24:51 2022
Summary	Security update for buildah
Type	security
Severity	moderate
References	1187812,1192999,CVE-2019-10214,CVE-2020-10696,CVE-2021-20206

Description:

This update for buildah fixes the following issues:
buildah was updated to version 1.23.1:
Update to version 1.22.3:

Update dependencies
Post-branch commit
Accept repositories on login/logout

Update to version 1.22.0:

c/image, c/storage, c/common vendor before Podman 3.3 release
Proposed patch for 3399 (shadowutils)
Fix handling of --restore shadow-utils
runtime-flag (debug) test: handle old & new runc
Allow dst and destination for target in secret mounts
Multi-arch: Always push updated version-tagged img
imagebuildah.stageExecutor.prepare(): remove pseudonym check
refine dangling filter
Chown with environment variables not set should fail
Just restore protections of shadow-utils
Remove specific kernel version number requirement from install.md
Multi-arch image workflow: Make steps generic
chroot: fix environment value leakage to intermediate processes
Update nix pin with `make nixpkgs`
buildah source - create and manage source images
Update cirrus-cron notification GH workflow
Reuse code from containers/common/pkg/parse
Cirrus: Freshen VM images
Fix excludes exception begining with / or ./
Fix syntax for --manifest example
vendor containers/common@main
Cirrus: Drop dependence on fedora-minimal
Adjust conformance-test error-message regex
Workaround appearance of differing debug messages
Cirrus: Install docker from package cache
Switch rusagelogfile to use options.Out
Turn stdio back to blocking when command finishes
Add support for default network creation
Cirrus: Updates for master->main rename
Change references from master to main
Add `--env` and `--workingdir` flags to run command
[CI:DOCS] buildah bud: spelling --ignore-file requires parameter
[CI:DOCS] push/pull: clarify supported transports
Remove unused function arguments
Create mountOptions for mount command flags
Extract version command implementation to function
Add --json flags to `mount` and `version` commands
copier.Put(): set xattrs after ownership
buildah add/copy: spelling
buildah copy and buildah add should support .containerignore
Remove unused util.StartsWithValidTransport
Fix documentation of the --format option of buildah push
Don't use alltransports.ParseImageName with known transports
man pages: clarify `rmi` removes dangling parents
[CI:DOCS] Fix links to c/image master branch
imagebuildah: use the specified logger for logging preprocessing warnings
Fix copy into workdir for a single file
Fix docs links due to branch rename
Update nix pin with `make nixpkgs`
fix(docs): typo
Move to v1.22.0-dev
Fix handling of auth.json file while in a user namespace
Add rusage-logfile flag to optionally send rusage to a file
imagebuildah: redo step logging
Add volumes to make running buildah within a container easier
Add and use a 'copy' helper instead of podman load/save
Bump github.com/containers/common from 0.38.4 to 0.39.0
containerImageRef/containerImageSource: don't buffer uncompressed layers
containerImageRef(): squashed images have no parent images
Sync. workflow across skopeo, buildah, and podman
Bump github.com/containers/storage from 1.31.1 to 1.31.2
Bump github.com/opencontainers/runc from 1.0.0-rc94 to 1.0.0-rc95
Bump to v1.21.1-dev [NO TESTS NEEDED]

Advisory ID	SUSE-RU-2022:771-1
Released	Wed Mar 9 09:27:07 2022
Summary	Recommended update for libseccomp
Type	recommended
Severity	moderate
References	1196825

Description:

This update for libseccomp fixes the following issues:

Check if we have NR_openat2, avoid using its definition when not (bsc#1196825), this fixes build of systemd.

Advisory ID	SUSE-RU-2022:772-1
Released	Wed Mar 9 09:44:13 2022
Summary	Recommended update for icewm-theme-branding
Type	recommended
Severity	moderate
References	1195328,1196336

Description:

This update for icewm-theme-branding fixes the following issues:

Fix font configuration after google-droid-fonts update (bsc#1195328 bsc#1196336)

Advisory ID	SUSE-RU-2022:773-1
Released	Wed Mar 9 09:53:03 2022
Summary	Recommended update for fwupd
Type	recommended
Severity	moderate
References	1193921

Description:

This update for fwupd fixes the following issues:

Ignore non-PCI NVMe devices (e.g. NVMe-over-Fabrics) when probing (bsc#1193921)

Advisory ID	SUSE-SU-2022:774-1
Released	Wed Mar 9 10:52:10 2022
Summary	Security update for tcpdump
Type	security
Severity	moderate
References	1195825,CVE-2018-16301

Description:

This update for tcpdump fixes the following issues:

CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).

Advisory ID	SUSE-RU-2022:775-1
Released	Wed Mar 9 12:55:03 2022
Summary	Recommended update for pciutils
Type	recommended
Severity	moderate
References	1192862

Description:

This update for pciutils fixes the following issues:

Report the theoretical speeds for PCIe 5.0 and 6.0 (bsc#1192862)

Advisory ID	SUSE-RU-2022:776-1
Released	Wed Mar 9 12:56:05 2022
Summary	Recommended update for mutter
Type	recommended
Severity	moderate
References	1188759

Description:

This update for mutter fixes the following issues:

Improve mutter behavior when receiving a ClientMessage event, not to just assume that it's a WM_PROTOCOLS event but to actually check the type before using it (bsc#1188759)

Advisory ID	SUSE-RU-2022:780-1
Released	Wed Mar 9 14:46:12 2022
Summary	Recommended update for nvme-cli
Type	recommended
Severity	moderate
References	1193540

Description:

This update for nvme-cli fixes the following issues:

fabrics: fix 'nvme connect' segfault if transport type is omitted (bsc#1193540)

Advisory ID	SUSE-OU-2022:781-1
Released	Wed Mar 9 15:00:10 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: MozillaThunderbird, enigmail

Advisory ID	SUSE-SU-2022:783-1
Released	Wed Mar 9 15:16:36 2022
Summary	Security update for MozillaFirefox
Type	security
Severity	important
References	1196809,CVE-2022-26485,CVE-2022-26486

Description:

This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):

CVE-2022-26485: Use-after-free in XSLT parameter processing
CVE-2022-26486: Use-after-free in WebGPU IPC Framework

Advisory ID	SUSE-RU-2022:787-1
Released	Thu Mar 10 11:20:13 2022
Summary	Recommended update for openldap2
Type	recommended
Severity	moderate
References

Description:

This update for openldap2 fixes the following issue:

restore CLDAP functionality in CLI tools (jsc#PM-3288)

Advisory ID	SUSE-RU-2022:788-1
Released	Thu Mar 10 11:21:04 2022
Summary	Recommended update for libzypp, zypper
Type	recommended
Severity	moderate
References	1195326

Description:

This update for libzypp, zypper fixes the following issues:

Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

Advisory ID	SUSE-RU-2022:789-1
Released	Thu Mar 10 11:22:05 2022
Summary	Recommended update for update-alternatives
Type	recommended
Severity	moderate
References	1195654

Description:

This update for update-alternatives fixes the following issues:

Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

Advisory ID	SUSE-RU-2022:791-1
Released	Thu Mar 10 11:53:04 2022
Summary	Recommended update for scap-security-guide
Type	recommended
Severity	moderate
References

Description:

This update for scap-security-guide fixes the following issues:
scap-security-guide (ComplianceAsCode) was updated to 0.1.60 (jsc#ECO-3319)

Various bugfixes
New draft stig profile v1r1 for OL8
New product Amazon EKS platform and initial CIS profiles
New product CentOS Stream 9, as a derivative from RHEL9 product

Note that SUSE only supports for SUSE Linux Enterprise 12 and 15:

STIG profiles
HIPAA profiles
PCI-DSS profiles

The CIS profile is community supplied and currently not supported by SUSE.

Advisory ID	SUSE-RU-2022:792-1
Released	Thu Mar 10 11:58:18 2022
Summary	Recommended update for suse-build-key
Type	recommended
Severity	moderate
References	1194845,1196494,1196495

Description:

This update for suse-build-key fixes the following issues:

The old SUSE PTF key was extended, but also move it to suse_ptf_key_old.asc (as it is a DSA1024 key).
Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845)
Added SUSE Container signing key in PEM format for use e.g. by cosign.
The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495)

Advisory ID	SUSE-RU-2022:799-1
Released	Thu Mar 10 13:09:24 2022
Summary	Recommended update for sssd
Type	recommended
Severity	moderate
References	1182058,1195552,1196166

Description:

This update for sssd fixes the following issues:

Remove caches only when performing a package downgrade. The sssd daemon takes care of upgrading the database format when necessary (bsc#1195552)
Fix 32-bit libraries package. Libraries were moved from sssd to sssd-common to fix bsc#1182058 and baselibs.conf was not updated accordingly; (bsc#1196166);

Advisory ID	SUSE-SU-2022:802-1
Released	Thu Mar 10 17:32:46 2022
Summary	Security update for python-libxml2-python
Type	security
Severity	important
References	1196490,CVE-2022-23308

Description:

This update for python-libxml2-python fixes the following issues:

CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).

Advisory ID	SUSE-SU-2022:803-1
Released	Thu Mar 10 17:35:53 2022
Summary	Security update for python-lxml
Type	security
Severity	important
References	1118088,1179534,1184177,1193752,CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818

Description:

This update for python-lxml fixes the following issues:

CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088).
CVE-2021-28957: Fixed XSS vulnerability ia HTML5 attributes unescaped (bsc#1184177).
CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752).
CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).

Advisory ID	SUSE-SU-2022:804-1
Released	Thu Mar 10 17:52:55 2022
Summary	Security update for MozillaThunderbird
Type	security
Severity	important
References	1196809,CVE-2022-26485,CVE-2022-26486

Description:

This update for MozillaThunderbird fixes the following issues:
Mozilla Thunderbird 91.6.2 (bsc#1196809):

CVE-2022-26485: Use-after-free in XSLT parameter processing
CVE-2022-26486: Use-after-free in WebGPU IPC Framework

Advisory ID	SUSE-RU-2022:808-1
Released	Fri Mar 11 06:07:58 2022
Summary	Recommended update for procps
Type	recommended
Severity	moderate
References	1195468

Description:

This update for procps fixes the following issues:

Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

Advisory ID	SUSE-SU-2022:815-1
Released	Mon Mar 14 10:21:35 2022
Summary	Security update for flac
Type	security
Severity	moderate
References	1196660,CVE-2021-0561

Description:

This update for flac fixes the following issues:

CVE-2021-0561: Fixed out of bound write in append_to_verify_fifo_interleaved_ (bsc#1196660).

Advisory ID	SUSE-SU-2022:816-1
Released	Mon Mar 14 10:22:04 2022
Summary	Security update for java-11-openjdk
Type	security
Severity	moderate
References	1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366

Description:

This update for java-11-openjdk fixes the following issues:

CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926)
CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930)
CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933)
CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937)
CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925)
CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935)
CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934)
CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932)
CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931)
CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939)
CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940)
CVE-2022-21341: Fixed OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941)
CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929)
CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928)
CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927)

Advisory ID	SUSE-SU-2022:817-1
Released	Mon Mar 14 10:22:28 2022
Summary	Security update for xstream
Type	security
Severity	moderate
References	1195458,CVE-2021-43859

Description:

This update for xstream fixes the following issues:

CVE-2021-43859: Fixed a denial of service when unmarshalling highly recursive collections or maps (bsc#1195458).

Advisory ID	SUSE-SU-2022:818-1
Released	Mon Mar 14 10:23:01 2022
Summary	Security update for tomcat
Type	security
Severity	important
References	1195255,1196137,CVE-2022-23181

Description:

This update for tomcat fixes the following issues:
Security issues fixed:

CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
Remove log4j (bsc#1196137)

Advisory ID	SUSE-SU-2022:821-1
Released	Mon Mar 14 14:52:30 2022
Summary	Security update for MozillaFirefox
Type	security
Severity	important
References	1196900,CVE-2022-26381,CVE-2022-26383,CVE-2022-26384,CVE-2022-26386,CVE-2022-26387

Description:

This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.7.0 ESR (bsc#1196900):

CVE-2022-26383: Browser window spoof using fullscreen mode
CVE-2022-26384: iframe allow-scripts sandbox bypass
CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures
CVE-2022-26381: Use-after-free in text reflows
CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

Advisory ID	SUSE-RU-2022:833-1
Released	Mon Mar 14 18:51:58 2022
Summary	Recommended update for open-iscsi
Type	recommended
Severity	moderate
References	1195656

Description:

This update for open-iscsi fixes the following issue:

Update to latest upstream, including test cleanup, minor bug fixes (cosmetic), and fixing iscsi-init (bsc#1195656).

Advisory ID	SUSE-RU-2022:836-1
Released	Tue Mar 15 07:47:48 2022
Summary	Recommended update for gdb
Type	recommended
Severity	moderate
References

Description:

This update for gdb fixes the following issues:

Support for new IBM Z Hardware - GDB Part (jsc#SLE-22287)

Advisory ID	SUSE-SU-2022:841-1
Released	Tue Mar 15 11:31:47 2022
Summary	Security update for libqt5-qtbase
Type	security
Severity	important
References	1195386,1196501,CVE-2022-23853,CVE-2022-25255

Description:

This update for libqt5-qtbase fixes the following issues:

CVE-2022-23853, CVE-2022-25255: Avoid unintentionally using binaries from CWD (bsc#1195386, bsc#1196501).

Advisory ID	SUSE-SU-2022:843-1
Released	Tue Mar 15 11:33:44 2022
Summary	Security update for rust, rust1.58, rust1.59
Type	security
Severity	moderate
References	1194767,CVE-2022-21658

Description:

This update for rust, rust1.58, rust1.59 fixes the following issues:
This update provides both rust1.58 and rust1.59.
Changes in rust1.58:

Add recommends for GCC for installs to be able to link.
Add suggests for lld/clang which are faster than gcc for linking to allow users choice on what they use.
CVE-2022-21658: Resolve race condition in std::fs::remove_dir_all (bsc#1194767)

Version 1.58.0 (2022-01-13) ==========================
Language --------

[Format strings can now capture arguments simply by writing `{ident}` in the string.][90473] This works in all macros accepting format strings. Support for this in `panic!` (`panic!('{ident}')`) requires the 2021 edition; panic invocations in previous editions that appear to be trying to use this will result in a warning lint about not having the intended effect.
[`*const T` pointers can now be dereferenced in const contexts.][89551]
[The rules for when a generic struct implements `Unsize` have been relaxed.][90417]

Compiler --------

[Add LLVM CFI support to the Rust compiler][89652]

[Stabilize -Z strip as -C strip][90058]. Note that while release builds already don't add debug symbols for the code you compile, the compiled standard library that ships with Rust includes debug symbols, so you may want to use the `strip` option to remove these symbols to produce smaller release binaries. Note that this release only includes support in rustc, not directly in cargo.

[Add support for LLVM coverage mapping format versions 5 and 6][91207]

[Emit LLVM optimization remarks when enabled with `-Cremark`][90833]

[Update the minimum external LLVM to 12][90175]

[Add `x86_64-unknown-none` at Tier 3*][89062]

[Build musl dist artifacts with debuginfo enabled][90733]. When building release binaries using musl, you may want to use the newly stabilized strip option to remove these debug symbols, reducing the size of your binaries.

[Don't abort compilation after giving a lint error][87337]

[Error messages point at the source of trait bound obligations in more places][89580]

\* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support.
Libraries ---------

[All remaining functions in the standard library have `#[must_use]` annotations where appropriate][89692], producing a warning when ignoring their return value. This helps catch mistakes such as expecting a function to mutate a value in place rather than return a new value.
[Paths are automatically canonicalized on Windows for operations that support it][89174]
[Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041]
[Implement `RefUnwindSafe` for `Rc`][87467]
[Make RSplit: Clone not require T: Clone][90117]
[Implement `Termination` for `Result`][88601]. This allows writing `fn main() -> Result`, for a program whose successful exits never involve returning from `main` (for instance, a program that calls `exit`, or that uses `exec` to run another program).

Stabilized APIs ---------------

[`Metadata::is_symlink`]
[`Path::is_symlink`]
[`{integer}::saturating_div`]
[`Option::unwrap_unchecked`]
[`Result::unwrap_unchecked`]
[`Result::unwrap_err_unchecked`]
[`NonZero{unsigned}::is_power_of_two`]
[`File::options`]

These APIs are now usable in const contexts:

[`Duration::new`]

[`Duration::checked_add`]

[`Duration::saturating_add`]

[`Duration::checked_sub`]

[`Duration::saturating_sub`]

[`Duration::checked_mul`]

[`Duration::saturating_mul`]

[`Duration::checked_div`]

[`MaybeUninit::as_ptr`]

[`MaybeUninit::as_mut_ptr`]

[`MaybeUninit::assume_init`]

[`MaybeUninit::assume_init_ref`]

Cargo -----

[Add --message-format for install command][cargo/10107]
[Warn when alias shadows external subcommand][cargo/10082]

Rustdoc -------

[Show all Deref implementations recursively in rustdoc][90183]
[Use computed visibility in rustdoc][88447]

Compatibility Notes -------------------

[Try all stable method candidates first before trying unstable ones][90329]. This change ensures that adding new nightly-only methods to the Rust standard library will not break code invoking methods of the same name from traits outside the standard library.
Windows: [`std::process::Command` will no longer search the current directory for executables.][87704]
[All proc-macro backward-compatibility lints are now deny-by-default.][88041]
[proc_macro: Append .0 to unsuffixed float if it would otherwise become int token][90297]
[Refactor weak symbols in std::sys::unix][90846]. This optimizes accesses to glibc functions, by avoiding the use of dlopen. This does not increase the [minimum expected version of glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html). However, software distributions that use symbol versions to detect library dependencies, and which take weak symbols into account in that analysis, may detect rust binaries as requiring newer versions of glibc.
[rustdoc now rejects some unexpected semicolons in doctests][91026]

Version 1.59.0 (2022-02-24) ==========================
Language --------

[Stabilize default arguments for const generics][90207]
[Stabilize destructuring assignment][90521]
[Relax private in public lint on generic bounds and where clauses of trait impls][90586]
[Stabilize asm! and global_asm! for x86, x86_64, ARM, Aarch64, and RISC-V][91728]

Compiler --------

[Stabilize new symbol mangling format, leaving it opt-in (-Csymbol-mangling-version=v0)][90128]
[Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
[Fix sparc64 ABI for aggregates with floating point members][91003]
[Warn when a `#[test]`-like built-in attribute macro is present multiple times.][91172]
[Add support for riscv64gc-unknown-freebsd][91284]
[Stabilize `-Z emit-future-incompat` as `--json future-incompat`][91535]

Libraries ---------

[Remove unnecessary bounds for some Hash{Map,Set} methods][91593]

Stabilized APIs ---------------

[`std::thread::available_parallelism`][available_parallelism]
[`Result::copied`][result-copied]
[`Result::cloned`][result-cloned]
[`arch::asm!`][asm]
[`arch::global_asm!`][global_asm]
[`ops::ControlFlow::is_break`][is_break]
[`ops::ControlFlow::is_continue`][is_continue]
[`TryFrom for u8`][try_from_char_u8]
[`char::TryFromCharError`][try_from_char_err] implementing `Clone`, `Debug`, `Display`, `PartialEq`, `Copy`, `Eq`, `Error`
[`iter::zip`][zip]
[`NonZeroU8::is_power_of_two`][is_power_of_two8]
[`NonZeroU16::is_power_of_two`][is_power_of_two16]
[`NonZeroU32::is_power_of_two`][is_power_of_two32]
[`NonZeroU64::is_power_of_two`][is_power_of_two64]
[`NonZeroU128::is_power_of_two`][is_power_of_two128]
[`DoubleEndedIterator for ToLowercase`][lowercase]
[`DoubleEndedIterator for ToUppercase`][uppercase]
[`TryFrom<&mut [T]> for [T; N]`][tryfrom_ref_arr]
[`UnwindSafe for Once`][unwindsafe_once]
[`RefUnwindSafe for Once`][refunwindsafe_once]
[armv8 neon intrinsics for aarch64][stdarch/1266]

Const-stable:

[`mem::MaybeUninit::as_ptr`][muninit_ptr]

[`mem::MaybeUninit::assume_init`][muninit_init]

[`mem::MaybeUninit::assume_init_ref`][muninit_init_ref]

[`ffi::CStr::from_bytes_with_nul_unchecked`][cstr_from_bytes]

Cargo -----

[Stabilize the `strip` profile option][cargo/10088]
[Stabilize future-incompat-report][cargo/10165]
[Support abbreviating `--release` as `-r`][cargo/10133]
[Support `term.quiet` configuration][cargo/10152]
[Remove `--host` from cargo {publish,search,login}][cargo/10145]

Compatibility Notes -------------------

[Refactor weak symbols in std::sys::unix][90846] This may add new, versioned, symbols when building with a newer glibc, as the standard library uses weak linkage rather than dynamically attempting to load certain symbols at runtime.
[Deprecate crate_type and crate_name nested inside `#![cfg_attr]`][83744] This adds a future compatibility lint to supporting the use of cfg_attr wrapping either crate_type or crate_name specification within Rust files; it is recommended that users migrate to setting the equivalent command line flags.
[Remove effect of `#[no_link]` attribute on name resolution][92034] This may expose new names, leading to conflicts with preexisting names in a given namespace and a compilation failure.
[Cargo will document libraries before binaries.][cargo/10172]
[Respect doc=false in dependencies, not just the root crate][cargo/10201]
[Weaken guarantee around advancing underlying iterators in zip][83791]
[Make split_inclusive() on an empty slice yield an empty output][89825]
[Update std::env::temp_dir to use GetTempPath2 on Windows when available.][89999]

Changes in rust wrapper package:

Update to version 1.59.0 - for details see the rust1.59 package

Update package description to help users choose what tooling to install.

Provide rust+cargo by cargo: all cargo package provide this symbol too. Having the meta package provide it allows OBS to have a generic prefernece on the meta package for all packages 'just' requiring rust+cargo.

Update to version 1.58.0

Advisory ID	SUSE-SU-2022:844-1
Released	Tue Mar 15 11:33:57 2022
Summary	Security update for expat
Type	security
Severity	important
References	1196025,1196784,CVE-2022-25236

Description:

This update for expat fixes the following issues:

Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

Advisory ID	SUSE-SU-2022:845-1
Released	Tue Mar 15 11:40:52 2022
Summary	Security update for chrony
Type	security
Severity	moderate
References	1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

Description:

This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server

Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0
- Enhancements
- Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline

By default we don't write log files but log to journald, so only recommend logrotate.

Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

Add support for more accurate reading of PHC on Linux 5.0
Add support for hardware timestamping on interfaces with read-only timestamping configuration
Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
Update seccomp filter to work on more architectures
Validate refclock driver options
Fix bindaddress directive on FreeBSD
Fix transposition of hardware RX timestamp on Linux 4.13 and later
Fix building on non-glibc systems

Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step

Advisory ID	SUSE-RU-2022:846-1
Released	Tue Mar 15 11:41:51 2022
Summary	Recommended update for log4j
Type	recommended
Severity	moderate
References

Description:

This update ships log4j 2.17.1 to the SUSE Linux Enterprise Basesystem module. (jsc#SLE-23508)

Removed alias log4j:log4j from log4j-1.2-api, since it is not a drop-in replacement

Update to 2.17.1.
Fixed bugs:

JdbcAppender now uses JndiManager to access JNDI resources. JNDI is only enabled when system property log4j2.enableJndiJdbc is set to true.
Remove unused method.
ExtendedLoggerWrapper.logMessage no longer double-logs when location is requested.
log4j-to-slf4j no longer re-interpolates formatted message contents.
Correct SpringLookup package name in Interpolator.
log4j-to-slf4j takes the provided MessageFactory into account.
Fix MapLookup to lookup MapMessage before DefaultMap.
Buffered I/O checked had inverted logic in RollingFileAppenderBuidler.
Fix NPE when input is null in StrSubstitutor.replace(String, Properties).
Lookups with no prefix only read values from the configuration properties as expected.
Reduce ignored package scope of KafkaAppender.

Advisory ID	SUSE-SU-2022:847-1
Released	Tue Mar 15 13:09:59 2022
Summary	Security update for php7
Type	security
Severity	important
References	1196252,CVE-2021-21708

Description:

This update for php7 fixes the following issues:

CVE-2021-21708: Fixed a memory corruption issue when processing integers from an untrusted source (bsc#1196252).

Advisory ID	SUSE-RU-2022:849-1
Released	Tue Mar 15 13:18:56 2022
Summary	Recommended update for python-kiwi
Type	recommended
Severity	important
References	1196644

Description:

This update for python-kiwi fixes the following issues:

Don't exit the script on deprecated function use (bsc#1196644) * The 'exit 0' stops processing of the calling script with a success exit code, which leads to incomplete and broken images.

Advisory ID	SUSE-SU-2022:856-1
Released	Tue Mar 15 19:31:39 2022
Summary	Security update for openssl-1_0_0
Type	security
Severity	important
References	1196877,CVE-2022-0778

Description:

This update for openssl-1_0_0 fixes the following issues:

CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

Advisory ID	SUSE-RU-2022:861-1
Released	Tue Mar 15 23:30:48 2022
Summary	Recommended update for openssl-1_1
Type	recommended
Severity	moderate
References	1182959,1195149,1195792,1195856

Description:

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

Fix PAC pointer authentication in ARM (bsc#1195856)
Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
FIPS: Fix function and reason error codes (bsc#1182959)
Enable zlib compression support (bsc#1195149)

glibc:

Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

Advisory ID	SUSE-RU-2022:862-1
Released	Wed Mar 16 05:32:11 2022
Summary	Recommended update for SAPHanaSR-ScaleOut
Type	recommended
Severity	important
References	1182774,1189532,1189533,1189540

Description:

This update for SAPHanaSR-ScaleOut fixes the following issues:

Add systemd support for the resource agent to interact with the new SAP unit files for sapstartsrv. As the new version of the SAP Startup Framework uses systemd unit files to control the sapstartsrv process instead of the previous used SysV init script, the handling of sapstartsrv inside the resource agents is adapted to support both ways. (bsc#1189532, bsc#1189533)
Add dedicated logging of HANA_CALL problems. It is now possible to identify if the called `hana` command or the needed `su` command throws the error, and for further hints it logs the stderr output. Additionally it is possible to get regular log messages for the used commands, their return code and their stderr output by enabling the 'debug' mode of the resource agents. (bsc#1182774)
Add switch 'cib_access' to the SAPHanaSrMultiTarget hook to give control over the hook runtime. Default is 'all-on' which means there are 3 cib calls performed inside the hook script. Changing the value of 'cib_access' inside the global.ini file to'site-on' to perform the absolute minimum cib calls (only one). (bsc#1189540)

Advisory ID	SUSE-RU-2022:863-1
Released	Wed Mar 16 05:32:42 2022
Summary	Recommended update for sapstartsrv-resource-agents
Type	recommended
Severity	important
References	1189529,1193568

Description:

This update for sapstartsrv-resource-agents fixes the following issues:

Add systemd support for the resource agent to interact with the new SAP unit files for sapstartsrv. As the new version of the SAP Startup Framework uses systemd unit files to control the sapstartsrv process instead of the previous used SysV init script, handling of sapstartsrv inside the resource agents is adapted to support both ways (bsc#1189529)
Prevent false posivite with pgrep in function '_get_status' (bsc#1193568)

Advisory ID	SUSE-RU-2022:864-1
Released	Wed Mar 16 05:33:13 2022
Summary	Recommended update for SAPHanaSR
Type	recommended
Severity	important
References	1174557,1181765,1182201,1182545,1182774,1189530,1189531

Description:

This update for SAPHanaSR fixes the following issues:

Add systemd support for the resource agent to interact with the new SAP unit files for sapstartsrv. As the new version of the SAP Startup Framework will use systemd unit files to control the sapstartsrv process instead of the previous used SysV init script, the handling of sapstartsrv inside the resource agents is adapted to support both ways. (bsc#1189530, bsc#1189531)
The resource start and stop timeout is now configurable by increasing the timeout for the action 'start' and/or 'stop'. 95% of this action timeouts will be used to calculate the new resource start and stop timeout for the 'WaitforStarted' and 'WaitforStopped' functions. If the new, calculated timeout value is less than '3600', it will be set to '3600', so that we do not decrease this timeout by accident. (bsc#1182545)
Change promotion scoring during maintenance procedure to prevent that both sides have an equal promotion scoring after refresh which might result in a critical promotion of the secondary. (bsc#1174557)
Update of man page SAPHanaSR.py.7 - correct the supported HANA version (bsc#1182201)
If the $hdbState command fails to retrieve the current state of the System Replication, the resource agent now uses the system_replication/actual_mode attribute (if available) from the global.ini file as a fallback. This should prevent some confusing and misleading log messages during a takeover and solves the problem of a not working takeover back (after a successful first takeover) (bsc#1181765)
Add dedicated logging of HANA_CALL problems. It is now possible to identify if the called `hana` command or the needed `su` command throws the error, and for further hints it logs the stderr output. Additionally it is possible to get regular log messages for the used commands, their return code and their stderr output by enabling the 'debug' mode of the resource agents (bsc#1182774)

Advisory ID	SUSE-feature-2022:868-1
Released	Wed Mar 16 07:16:06 2022
Summary	Feature update for tcl and tk
Type	feature
Severity	moderate
References	1138797,1185662,1195257,903017,CVE-2021-35331

Description:

This feature update for tcl and tk fixes the following issues:
Update tcl and tk to version 8.6.12 (jsc#SLE-21016, jsc#SLE-23284):

Move tcl.macros to /usr/lib/rpm/macros.d (bsc#1185662)
Use FAT LTO objects in order to provide proper static library (bsc#1138797)
Fix a bug in itcl that was affecting iwidgets (bsc#903017)
Add [combobox current] support 'end' index
Add fixes in [text] bindings
Add missing 'deferred clear code' support to GIF photo images
Add new virtual event <>
Add new keycodes: CodeInput, SingleCandidate, MultipleCandidate, PreviousCandidate
Add new support for POSIX error: EILSEQ
Add new command [tcl::unsupported::corotype]
Add new command [tcl::unsupported::timerate] for performance testing
Add new option -state to [ttk::scale]
Add portable keycodes: OE, oe, Ydiaeresis
Add support for backrefs in [array names -regexp]
Add support for Unicode 14
Disfavor Master/Slave terminology
Enhance [oo::object] to acquire or lose a class identity dynamically
Fix canvas rotated text overlap detection
Fix canvas closed polylines yo fully honor -joinstyle
Fix display of Long non-wrapped lines in text
Fix display treeview focus ring when -selectmode none
Fix focus events not to break entry validation
Fix [package prefer stable] failing case
Fix auto_path initialization by Safe Base interps
Fix bad interaction between grab and mouse pointer warp
Fix borderwidth calculations on menu items
Fix cascade tearoff menu redraw artifacts
Fix coords rounding when drawing canvas items
Fix corrupt result from [$c postscript] with -file or -channel
Fix errno management in socket full close
Fix failure when a [proc] argument name is computed, not literal
Fix focus on unmapped windows
Fix handling of duplicates in spinbox -values list
Fix incomplete read of multi-image GIF
Fix initialization order of static package in wish
Fix issue when trying to display angled text without Xft
Fix issue with font initialization when no font is installed
Fix problems with Noto Color Emoji font
Fix race conditions in [file delete] and [file mkdir]
Fix Std channel initialization for multi-thread operations
Fix tearoff menu redraw artifacts
Fix up arrow key in [text] to correctly move cursor to index 1.0
Fix various cursor issues
Fix various encoding issues
Fix various fontchooser issues
Fix various issues causing crashes and hang in
Fix various memory issues
Fix various scrolling bugs and add improvements
Fix 32/64-bit confusion of FS DIR operations reported for AIX
Improve appearance of text selection in [*entry] widgets
Improve checkbutton handling of -selectcolor
Improve handling of resolution changes
Improve multi-thread safety when Xft is in use
Improve ttk high-contrast-mode support
Improve emoji support
Improve legacy support for [tk_setPalette]
Make combobox -postoffset option work with default style
Make spinbox use proper names in query of option database
Menu flaws when empty menubar clicked
New index argument in [$menubutton post x y index]
Preserve canvas tag list order during add/delete
Prevent cross-manager loops of geom management
Rewrite of zlib inflation for multi-stream and completeness
Run fileevents in proper thread after [thread::attach $channel]
Stop [unload] corruption of list of loaded packages
Stop app switching exposing withdrawn windows as zombies
Tk now denied access to PRIMARY selection from safe interps
TkpDrawAngledCharsInContext leaked a CGColor
Try to restore Tcl's [update] command when Tk is unloaded
Changed [info * methods] to include mixins
[package require] is now NR-enabled

The following fixes might show some potential incompatibilities with existing software:

Revised [binary (en|de)code base64] for RFC compliance and roundtrip
Tcl_DStringAppendElement # quoting precision, dstring-2.13, dstring-3.10
Extended [clock scan] ISO format and time zone support
Allow for select/copy from disabled text widget on all platforms
Revised case of [info loaded] module names
[info hostname] reports DNS name, not NetBIOS name
Force -eofchar \032 when evaluating library scripts
Revised error messages: 'too few' => 'not enough'
Performed rewrite of Tk event loop to prevent ring overflow
Refactored all MouseWheel bindings
Revised precision of ::scale widget tick mark values
Prevent transient window cycles (crashed on Aqua)
Builds no longer use -lieee
Quoting of command line arguments by [exec] on Windows revised. Prior quoting rules left holes where some values would not pass through, but could trigger substitutions or program execution. See https://core.tcl-lang.org/tcl/info/21b0629c81
[lreplace] accepts all out-of-range index values

Advisory ID	SUSE-SU-2022:872-1
Released	Wed Mar 16 10:35:02 2022
Summary	Security update for stunnel
Type	security
Severity	important
References	1181400,1182529

Description:

This update for stunnel fixes the following issues:
Update to 5.62 including new features and bugfixes:
* Security bugfixes - The 'redirect' option was fixed to properly handle unauthenticated requests (bsc#1182529). - Fixed a double free with OpenSSL older than 1.1.0. - Added hardening to systemd service (bsc#1181400). * New features - Added new 'protocol = capwin' and 'protocol = capwinctrl' configuration file options. - Added support for the new SSL_set_options() values. - Added a bash completion script. - New 'sessionResume' service-level option to allow or disallow session resumption - Download fresh ca-certs.pem for each new release. - New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers. This feature can be used to impersonate other software (e.g. web browsers). - 'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value. - Initial FIPS 3.0 support. - Client-side 'protocol = ldap' support * Bugfixes - Fixed a transfer() loop bug. - Fixed reloading configuration with 'systemctl reload stunnel.service'. - Fixed incorrect messages logged for OpenSSL errors. - Fixed 'redirect' with 'protocol'. This combination is not supported by 'smtp', 'pop3' and 'imap' protocols. - X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates. - Fixed a tiny memory leak in configuration file reload error handling. - Fixed engine initialization. - FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available. - Fix configuration reload when compression is used - Fix test suite fixed not to require external connectivity

Advisory ID	SUSE-SU-2022:873-1
Released	Wed Mar 16 10:36:01 2022
Summary	Security update for java-1_8_0-openjdk
Type	security
Severity	important
References	1193314,1193444,1193491,1194926,1194928,1194929,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,1195163,CVE-2022-21248,CVE-2022-21282,CVE-2022-21283,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21349,CVE-2022-21360,CVE-2022-21365

Description:

This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:

CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
CVE-2022-21283, bsc#1194937: Better String matching
CVE-2022-21293, bsc#1194935: Improve String constructions
CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
CVE-2022-21282, bsc#1194933: Better resolution of URIs
CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
CVE-2022-21305, bsc#1194939: Better array indexing
CVE-2022-21340, bsc#1194940: Verify Jar Verification
CVE-2022-21341, bsc#1194941: Improve serial forms for transport
CVE-2022-21349: Improve Solaris font rendering
CVE-2022-21360, bsc#1194929: Enhance BMP image support
CVE-2022-21365, bsc#1194928: Enhanced BMP processing

Advisory ID	SUSE-RU-2022:874-1
Released	Wed Mar 16 10:40:52 2022
Summary	Recommended update for openldap2
Type	recommended
Severity	moderate
References	1197004

Description:

This update for openldap2 fixes the following issue:

Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

Advisory ID	SUSE-RU-2022:876-1
Released	Wed Mar 16 10:51:39 2022
Summary	Recommended update for xorg-x11-server
Type	recommended
Severity	moderate
References	1188970,1196577

Description:

This update for xorg-x11-server fixes the following issue:

Fix segmentation fault during terminal switches with multiple attached displays. (bsc#1188970)
Fix a regression that may cause gdm/lightdm fail to start. (bsc#1196577)

Advisory ID	SUSE-RU-2022:884-1
Released	Thu Mar 17 09:47:43 2022
Summary	Recommended update for python-jsonschema, python-rfc3987, python-strict-rfc3339
Type	recommended
Severity	moderate
References	1082318

Description:

This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:

Add patch to fix build with new webcolors.

update to version 3.2.0 (jsc#SLE-18756): * Added a format_nongpl setuptools extra, which installs only format dependencies that are non-GPL (#619).

specfile: * require python-importlib-metadata
update to version 3.1.1: * Temporarily revert the switch to js-regex until #611 and #612 are resolved.
changes from version 3.1.0: - Regular expressions throughout schemas now respect the ECMA 262 dialect, as recommended by the specification (#609).

Activate more of the test suite
Remove tests and benchmarking from the runtime package
Update to v3.0.2 - Fixed a bug where 0 and False were considered equal by const and enum
from v3.0.1 - Fixed a bug where extending validators did not preserve their notion of which validator property contains $id information.

Update to 3.0.1: - Support for Draft 6 and Draft 7 - Draft 7 is now the default - New TypeChecker object for more complex type definitions (and overrides) - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification

Use %license instead of %doc (bsc#1082318)

Remove hashbang from runtime module
Replace PyPI URL with https://github.com/dgerber/rfc3987
Activate doctests

Add missing runtime dependency on timezone
Replace dead link with GitHub URL
Activate test suite

Trim bias from descriptions.

Initial commit, needed by flex

Advisory ID	SUSE-OU-2022:885-1
Released	Thu Mar 17 09:47:48 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: freerdp, libgsm

Advisory ID	SUSE-SU-2022:886-1
Released	Thu Mar 17 10:06:43 2022
Summary	Security update for libreoffice
Type	security
Severity	moderate
References	1196456,CVE-2021-25636

Description:

This update for libreoffice fixes the following issues:
Update to version 7.2.5.1 (jsc#SLE-18214):

CVE-2021-25636: Fixed an incorrect vadidation of digitally signed documents (bsc#1196456).

Advisory ID	SUSE-RU-2022:888-1
Released	Thu Mar 17 10:56:42 2022
Summary	Recommended update for avahi
Type	recommended
Severity	moderate
References	1179060,1194561,1195614,1196282

Description:

This update for avahi fixes the following issues:

Change python3-Twisted to a soft dependency. It is not available on SLED or PackageHub, and it is only needed by avahi-bookmarks (bsc#1196282)
Fix warning when Twisted is not available
Have python3-avahi require python3-dbus-python, not the python 2 dbus-1-python package (bsc#1195614)
Ensure that NetworkManager or wicked have already started before initializing (bsc#1194561)
Move sftp-ssh and ssh services to the doc directory. They allow a host's up/down status to be easily discovered and should not be enabled by default (bsc#1179060)

Advisory ID	SUSE-RU-2022:889-1
Released	Thu Mar 17 10:57:36 2022
Summary	Recommended update for postgresql10
Type	recommended
Severity	moderate
References	1190740,1195680

Description:

This update for postgresql10 fixes the following issues:
Upgrade to version 10.20 (bsc#1195680):

Reindexing might be needed after applying this upgrade, so please read the release notes carefully https://www.postgresql.org/docs/10/release-10-20.html
Add constraints file with 12GB of memory for s390x as a workaround (bsc#1190740)
Add a llvmjit-devel subpackage to pull in the right versions of clang and llvm for building extensions
Fix some mistakes in the interdependencies between the implementation packages and their noarch counterpart

Advisory ID	SUSE-RU-2022:892-1
Released	Thu Mar 17 11:14:50 2022
Summary	Recommended update for libyui
Type	recommended
Severity	low
References	1195114

Description:

This update for libyui fixes the following issue:

Add package libyui-qt-pkg15 to Basesystem (bsc#1195114).

Advisory ID	SUSE-RU-2022:893-1
Released	Thu Mar 17 13:17:55 2022
Summary	Recommended update for postgresql13
Type	recommended
Severity	moderate
References	1190740,1195680

Description:

This update for postgresql13 fixes the following issues:

Upgrade to 13.6: (bsc#1195680) * https://www.postgresql.org/docs/13/release-13-6.html * Reindexing might be needed after applying this upgrade, so please read the release notes carefully.
Add constraints file with 12GB of memory for s390x as a workaround. (bsc#1190740)
Add a llvmjit-devel subpackage to pull in the right versions of clang and llvm for building extensions.
Fix some mistakes in the interdependencies between the implementation packages and their noarch counterpart.
Update the BuildIgnore section.

Advisory ID	SUSE-RU-2022:898-1
Released	Fri Mar 18 09:34:38 2022
Summary	Recommended update for lifecycle-data-sle-module-live-patching
Type	recommended
Severity	moderate
References	1020320

Description:

This update for lifecycle-data-sle-module-live-patching fixes the following issues:

Added data for 5_3_18-150300_59_43, 5_3_18-24_99, 5_3_18-59_40. (bsc#1020320)

Advisory ID	SUSE-RU-2022:899-1
Released	Fri Mar 18 09:34:51 2022
Summary	Recommended update for smartmontools
Type	recommended
Severity	moderate
References	1195785

Description:

This update for smartmontools fixes the following issues:

Restart smartd and generate smartd_opts only if there are real sysconfig changes; do not trigger generate_smartd_opts by YaST, systemd is enough. (bsc#1195785)

Update smartmontools to the latest version from the upstream branch. (jsc#SLE-21751)
Fix update needed logic.

update to 7.2 (jsc#SLE-21751): - smartctl: New option '--json=y[c]' selects YAML output. - smartctl '-i': Prints ATA TRIM and Zoned Device capabilities. - smartctl '-j': Fixed 'scsi_grown_defect_list' value. - smartctl '-a': Prints SCSI 'Accumulated power on time'. - smartctl '-n POWERMODE': SCSI support. - smartctl '-s standby,now' and '-s standby,off': SCSI support. - smartctl '-c': NVMe 1.4 additions. - smartd: Support for staggered self-tests. - smartd: No longer writes attribute log if no attributes were read due to standby mode or other error. - smartd: Now resolves symlinks before device names are checked for duplicates. - smartd: Fixed SMARTD_DEVICETYPE environment variable if DEVICESCAN is used without '-d TYPE'. - ATA: Device type '-d jmb39x-q,N' for JMB39x protocol variant used by some QNAP NAS devices. - ATA: Device type '-d jms56x,N' for JMS562 USB to SATA RAID bridges. - SCSI: Improved heuristics for log subpages of new and very old disks. - NVMe: Log transfer size limited to avoid device or kernel crashes. - NVMEe/USB: Device type '-d sntrealtek' for Realtek RTL9210 USB to NVMe bridges. - update-smart-drivedb: New option '--branch X.Y'. - HDD, SSD and USB additions to drive database. - Dropped support for pre-C99 snprintf(). - configure: Dropped option '--without-working-snprintf'. - configure: Fixed '-fstack-protector*' detection. - Linux: Various fixes of smartd.service file (bsc#1183699). - Darwin: NVMe log support. - FreeBSD: Device scan does no longer include T_ENCLOSURE devices. - NetBSD: Fixed timeout handling. - NetBSD big endian: Fixed ATA register handling. - OpenBSD: Fixed timeout handling. - Windows: Dropped backward compatibility fixes for very old compilers.

Update to version 7.1: - smartctl: Fixed bogus exception on unknown form factor value. - smartctl '--json=cg': Suppresses extra spaces also in 'g' format. - smartctl '-i': ATA ACS-4 and ACS-5 enhancements. - smartd: No longer truncates very long device names in warning emails. - smartd: No longer skips scheduled tests if system clock has been adjusted to the past. - smartd '-A': Attribute logs now use local time instead of UTC. - Autodetection of '-d sntjmicron' type for JMicron USB to NVMe bridges. - Fixed segfault on CCISS transfer sizes. - Fixed smartd.service 'Type' if libsystemd-dev is not available. - Fixed '/dev/megaraid_sas_ioctl_node' fd leak.

Advisory ID	SUSE-SU-2022:901-1
Released	Fri Mar 18 12:02:00 2022
Summary	Security update for frr
Type	security
Severity	important
References	1180217,1196503,1196504,1196505,1196506,1196507,CVE-2022-26125,CVE-2022-26126,CVE-2022-26127,CVE-2022-26128,CVE-2022-26129

Description:

This update for frr fixes the following issues:

CVE-2022-26125, CVE-2022-26126: Fixed buffer overflows in unpack_tlv_router_cap() (bsc#1196505, bsc#1196506).
CVE-2022-26127: Fixed heap buffer overflow in babel_packet_examin() (bsc#1196503).
CVE-2022-26128: Fixed buffer overflows in babel_packet_examin() (bsc#1196507).
CVE-2022-26129: Fixed buffer overflows in parse_hello_subtlv(), parse_ihu_subtlv() and parse_update_subtlv() (bsc#1196504).

Advisory ID	SUSE-OU-2022:902-1
Released	Fri Mar 18 15:28:03 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: argyllcms, csync

Advisory ID	SUSE-RU-2022:904-1
Released	Fri Mar 18 20:09:48 2022
Summary	Recommended update for go1.18
Type	recommended
Severity	moderate
References	1193742

Description:

This update for go1.18 fixes the following issues: go1.18 (released 2022-03-15) is a major release of Go. (boo#1193742)
go1.18.x minor releases will be provided through February 2023, please see: https://github.com/golang/go/wiki/Go-Release-Cycle
Go 1.18 is a significant release, including changes to the language, implementation of the toolchain, runtime, and libraries. Go 1.18 arrives seven months after Go 1.17. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before.

See release notes https://golang.org/doc/go1.18.

Excerpts relevant to OBS environment and for SUSE/openSUSE follow:

Go 1.18 includes an implementation of generic features as described by the Type Parameters Proposal. This includes major but fully backward-compatible changes to the language.
The Go 1.18 compiler now correctly reports declared but not used errors for variables that are set inside a function literal but are never used. Before Go 1.18, the compiler did not report an error in such cases. This fixes long-outstanding compiler issue go#8560.
The Go 1.18 compiler now reports an overflow when passing a rune constant expression such as '1' << 32 as an argument to the predeclared functions print and println, consistent with the behavior of user-defined functions. Before Go 1.18, the compiler did not report an error in such cases but silently accepted such constant arguments if they fit into an int64. Since go vet always pointed out this error, the number of affected programs is likely very small.
AMD64: Go 1.18 introduces the new GOAMD64 environment variable, which selects at compile time a minimum target version of the AMD64 architecture. Allowed values are v1, v2, v3, or v4. Each higher level requires, and takes advantage of, additional processor features. A detailed description can be found here. The GOAMD64 environment variable defaults to v1.
RISC-V: The 64-bit RISC-V architecture on Linux (the linux/riscv64 port) now supports the c-archive and c-shared build modes.
Linux: Go 1.18 requires Linux kernel version 2.6.32 or later.
Fuzzing: Go 1.18 includes an implementation of fuzzing as described by the fuzzing proposal. See the fuzzing landing page to get started. Please be aware that fuzzing can consume a lot of memory and may impact your machine’s performance while it runs.
go get: go get no longer builds or installs packages in module-aware mode. go get is now dedicated to adjusting dependencies in go.mod. Effectively, the -d flag is always enabled. To install the latest version of an executable outside the context of the current module, use go install example.com/cmd@latest. Any version query may be used instead of latest. This form of go install was added in Go 1.16, so projects supporting older versions may need to provide install instructions for both go install and go get. go get now reports an error when used outside a module, since there is no go.mod file to update. In GOPATH mode (with GO111MODULE=off), go get still builds and installs packages, as before.
Automatic go.mod and go.sum updates: The go mod graph, go mod vendor, go mod verify, and go mod why subcommands no longer automatically update the go.mod and go.sum files. (Those files can be updated explicitly using go get, go mod tidy, or go mod download.)
go version: The go command now embeds version control information in binaries. It includes the currently checked-out revision, commit time, and a flag indicating whether edited or untracked files are present. Version control information is embedded if the go command is invoked in a directory within a Git, Mercurial, Fossil, or Bazaar repository, and the main package and its containing main module are in the same repository. This information may be omitted using the flag -buildvcs=false. Additionally, the go command embeds information about the build, including build and tool tags (set with -tags), compiler, assembler, and linker flags (like -gcflags), whether cgo was enabled, and if it was, the values of the cgo environment variables (like CGO_CFLAGS). Both VCS and build information may be read together with module information using go version -m file or runtime/debug.ReadBuildInfo (for the currently running binary) or the new debug/buildinfo package. The underlying data format of the embedded build information can change with new go releases, so an older version of go may not handle the build information produced with a newer version of go. To read the version information from a binary built with go 1.18, use the go version command and the debug/buildinfo package from go 1.18+.
go mod download: If the main module's go.mod file specifies go 1.17 or higher, go mod download without arguments now downloads source code for only the modules explicitly required in the main module's go.mod file. (In a go 1.17 or higher module, that set already includes all dependencies needed to build the packages and tests in the main module.) To also download source code for transitive dependencies, use go mod download all.
go mod vendor: The go mod vendor subcommand now supports a -o flag to set the output directory. (Other go commands still read from the vendor directory at the module root when loading packages with -mod=vendor, so the main use for this flag is for third-party tools that need to collect package source code.)
go mod tidy: The go mod tidy command now retains additional checksums in the go.sum file for modules whose source code is needed to verify that each imported package is provided by only one module in the build list. Because this condition is rare and failure to apply it results in a build error, this change is not conditioned on the go version in the main module's go.mod file.
go work: The go command now supports a 'Workspace' mode. If a go.work file is found in the working directory or a parent directory, or one is specified using the GOWORK environment variable, it will put the go command into workspace mode. In workspace mode, the go.work file will be used to determine the set of main modules used as the roots for module resolution, instead of using the normally-found go.mod file to specify the single main module. For more information see the go work documentation.
go build -asan: The go build command and related commands now support an -asan flag that enables interoperation with C (or C++) code compiled with the address sanitizer (C compiler option -fsanitize=address).
//go:build lines: Go 1.17 introduced //go:build lines as a more readable way to write build constraints, instead of // +build lines. As of Go 1.17, gofmt adds //go:build lines to match existing +build lines and keeps them in sync, while go vet diagnoses when they are out of sync. Since the release of Go 1.18 marks the end of support for Go 1.16, all supported versions of Go now understand //go:build lines. In Go 1.18, go fix now removes the now-obsolete // +build lines in modules declaring go 1.17 or later in their go.mod files. For more information, see https://go.dev/design/draft-gobuild.
go vet: The vet tool is updated to support generic code. In most cases, it reports an error in generic code whenever it would report an error in the equivalent non-generic code after substituting for type parameters with a type from their type set.
go vet: The cmd/vet checkers copylock, printf, sortslice, testinggoroutine, and tests have all had moderate precision improvements to handle additional code patterns. This may lead to newly reported errors in existing packages.
Runtime: The garbage collector now includes non-heap sources of garbage collector work (e.g., stack scanning) when determining how frequently to run. As a result, garbage collector overhead is more predictable when these sources are significant. For most applications these changes will be negligible; however, some Go applications may now use less memory and spend more time on garbage collection, or vice versa, than before. The intended workaround is to tweak GOGC where necessary. The runtime now returns memory to the operating system more efficiently and has been tuned to work more aggressively as a result.
Compiler: Go 1.17 implemented a new way of passing function arguments and results using registers instead of the stack on 64-bit x86 architecture on selected operating systems. Go 1.18 expands the supported platforms to include 64-bit ARM (GOARCH=arm64), big- and little-endian 64-bit PowerPC (GOARCH=ppc64, ppc64le), as well as 64-bit x86 architecture (GOARCH=amd64) on all operating systems. On 64-bit ARM and 64-bit PowerPC systems, benchmarking shows typical performance improvements of 10% or more. As mentioned in the Go 1.17 release notes, this change does not affect the functionality of any safe Go code and is designed to have no impact on most assembly code. See the Go 1.17 release notes for more details.
Compiler: The compiler now can inline functions that contain range loops or labeled for loops.
Compiler: The new -asan compiler option supports the new go command -asan option.
Compiler: Because the compiler's type checker was replaced in its entirety to support generics, some error messages now may use different wording than before. In some cases, pre-Go 1.18 error messages provided more detail or were phrased in a more helpful way. We intend to address these cases in Go 1.19. Because of changes in the compiler related to supporting generics, the Go 1.18 compile speed can be roughly 15% slower than the Go 1.17 compile speed. The execution time of the compiled code is not affected. We intend to improve the speed of the compiler in Go 1.19.
Linker: The linker emits far fewer relocations. As a result, most codebases will link faster, require less memory to link, and generate smaller binaries. Tools that process Go binaries should use Go 1.18's debug/gosym package to transparently handle both old and new binaries.
Linker: The new -asan linker option supports the new go command -asan option.
Bootstrap: When building a Go release from source and GOROOT_BOOTSTRAP is not set, previous versions of Go looked for a Go 1.4 or later bootstrap toolchain in the directory $HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go now looks first for $HOME/go1.17 or $HOME/sdk/go1.17 before falling back to $HOME/go1.4. We intend for Go 1.19 to require Go 1.17 or later for bootstrap, and this change should make the transition smoother. For more details, see go#44505.
The new debug/buildinfo package provides access to module versions, version control information, and build flags embedded in executable files built by the go command. The same information is also available via runtime/debug.ReadBuildInfo for the currently running binary and via go version -m on the command line.
The new net/netip package defines a new IP address type, Addr. Compared to the existing net.IP type, the netip.Addr type takes less memory, is immutable, and is comparable so it supports == and can be used as a map key.
TLS 1.0 and 1.1 disabled by default client-side: If Config.MinVersion is not set, it now defaults to TLS 1.2 for client connections. Any safely up-to-date server is expected to support TLS 1.2, and browsers have required it since 2020. TLS 1.0 and 1.1 are still supported by setting Config.MinVersion to VersionTLS10. The server-side default is unchanged at TLS 1.0. The default can be temporarily reverted to TLS 1.0 by setting the GODEBUG=tls10default=1 environment variable. This option will be removed in Go 1.19.
Rejecting SHA-1 certificates: crypto/x509 will now reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated since 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015. This can be temporarily reverted by setting the GODEBUG=x509sha1=1 environment variable. This option will be removed in Go 1.19.
crypto/elliptic The P224, P384, and P521 curve implementations are now all backed by code generated by the addchain and fiat-crypto projects, the latter of which is based on a formally-verified model of the arithmetic operations. They now use safer complete formulas and internal APIs. P-224 and P-384 are now approximately four times faster. All specific curve implementations are now constant-time. Operating on invalid curve points (those for which the IsOnCurve method returns false, and which are never returned by Unmarshal or a Curve method operating on a valid point) has always been undefined behavior, can lead to key recovery attacks, and is now unsupported by the new backend. If an invalid point is supplied to a P224, P384, or P521 method, that method will now return a random point. The behavior might change to an explicit panic in a future release.
crypto/tls: The new Conn.NetConn method allows access to the underlying net.Conn.
crypto/x509: Certificate.Verify now uses platform APIs to verify certificate validity on macOS and iOS when it is called with a nil VerifyOpts.Roots or when using the root pool returned from SystemCertPool. SystemCertPool is now available on Windows.
crypto/x509: CertPool.Subjects is deprecated. On Windows, macOS, and iOS the CertPool returned by SystemCertPool will return a pool which does not include system roots in the slice returned by Subjects, as a static list can't appropriately represent the platform policies and might not be available at all from the platform APIs.
crypto/x509: Support for signing certificates using signature algorithms that depend on the MD5 and SHA-1 hashes (MD5WithRSA, SHA1WithRSA, and ECDSAWithSHA1) may be removed in Go 1.19.
net/http: When looking up a domain name containing non-ASCII characters, the Unicode-to-ASCII conversion is now done in accordance with Nontransitional Processing as defined in the Unicode IDNA Compatibility Processing standard (UTS #46). The interpretation of four distinct runes are changed: ß, ς, zero-width joiner U+200D, and zero-width non-joiner U+200C. Nontransitional Processing is consistent with most applications and web browsers.
os/user: User.GroupIds now uses a Go native implementation when cgo is not available.
runtime/debug: The BuildInfo struct has two new fields, containing additional information about how the binary was built: GoVersion holds the version of Go used to build the binary. Settings is a slice of BuildSettings structs holding key/value pairs describing the build.
runtime/pprof: The CPU profiler now uses per-thread timers on Linux. This increases the maximum CPU usage that a profile can observe, and reduces some forms of bias.
syscall: The new function SyscallN has been introduced for Windows, allowing for calls with arbitrary number of arguments. As a result, Syscall, Syscall6, Syscall9, Syscall12, Syscall15, and Syscall18 are deprecated in favor of SyscallN.

Advisory ID	SUSE-RU-2022:905-1
Released	Mon Mar 21 08:46:09 2022
Summary	Recommended update for util-linux
Type	recommended
Severity	important
References	1172427,1194642

Description:

This update for util-linux fixes the following issues:

Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
Fix `su -s` bash completion. (bsc#1172427)

Advisory ID	SUSE-SU-2022:906-1
Released	Mon Mar 21 09:47:11 2022
Summary	Security update for MozillaThunderbird
Type	security
Severity	important
References	1196900,CVE-2022-26381,CVE-2022-26383,CVE-2022-26384,CVE-2022-26386,CVE-2022-26387

Description:

This update for MozillaThunderbird fixes the following issues:
Updated to version 91.7 (bsc#1196900): - CVE-2022-26381: Fixed an invalid memory access due to text reflow when SVG objects were present. - CVE-2022-26383: Fixed an issue where, when resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. - CVE-2022-26384: Fixed an iframe XSS sandbox bypass when allow-popups was used on the iframe. - CVE-2022-26386: Fixed an issue where downloadable temporary files were accessible to other local users. - CVE-2022-26387: Fixed a potential add-on signature verification bypass due to a race condition.

Advisory ID	SUSE-feature-2022:911-1
Released	Mon Mar 21 13:00:39 2022
Summary	Feature update for libbluray
Type	feature
Severity	moderate
References

Description:

This feature update for libbluray fixes the following issues:
Update to version 1.3.0 (jsc#SLE-23838):

Remove unused dependencies from pkgconfig(libbluray)
Enable build against java-devel >= 10.
Add functions to list and read BD-ROM files.
Add initial support for .fmts files.
Add initial support for OpenJDK 11.
Add initial support for UHD disc BD-J menus.
Add support for AWT mouse events (BD-J).
Add support for compiling .jar file with Java 9+ compiler.
Add support for separate key pressed / typed / released user input events.
Enable playback without menus when index.bdmv is missing.
Fix JVM bootstrap issues with some Java 9 versions.
Fix build with Java 1.6.
Fix build with OpenJDK 12 / 13.
Fix creating organization and disc specific BD-J BUDA directories.
Fix memory leak
Fix loading classes with Windows Java 8.
Fix loading libmmbd in Windows 64-bit.
Fix long delay in 'Evangelion, You are (not) alone' menu.
Fix mark triggering when multiple marks are passed during single read().
Fix playback of discs without normal titles (only TopMenu / FirstPlay title).
Fix playback of some broken BD-J discs.
Fix polygon-based BD-J graphics primitives.
Fix reading resources indirectly from mounted .jar file.
Fix resetting user-selected streams when playing without menus.
Fix seek bar pop-up at chapter boundary with some discs.
Fix sign extended bytes when reading single bytes in BDJ.
Fix stack overflow when using Java9+ with debugger connection.
Improve BD-J compability.
Improve JVM and .jar file probing.
Improve Java 8+ compability.
Improve UHD metadata support.
Improve error resilience and stability.
Improve main title selection.
Improve missing/broken playlist handling.
Improve portability.
Move AWT classes to separate .jar file.
Rename list_titles to bd_list_titles and add it to installed programs.
Update libudfread submodule repository URL.
Use external libudfread when available.

Advisory ID	SUSE-SU-2022:915-1
Released	Mon Mar 21 16:50:43 2022
Summary	Security update for lapack
Type	security
Severity	moderate
References	1193562,CVE-2021-4048

Description:

This update for lapack fixes the following issues:

CVE-2021-4048: Fixed an out of bounds read when user input was not validated properly (bsc#1193562).

Advisory ID	SUSE-SU-2022:930-1
Released	Tue Mar 22 09:22:44 2022
Summary	Security update for qemu
Type	security
Severity	important
References	1178049,1192525,1193364,1193545,1194938,1195161,1196087,1196737,CVE-2021-3930,CVE-2022-0358

Description:

This update for qemu fixes the following issues:

CVE-2022-0358: Fixed a potential privilege escalation via virtiofsd (bsc#1195161).
CVE-2021-3930: Fixed a potential denial of service in the emulated SCSI device (bsc#1192525).

Non-security fixes:

Fixed a kernel data corruption via a long kernel boot cmdline (bsc#1196737).
Included vmxcap in the qemu-tools package (bsc#1193364).
Fixed package dependencies (bsc#1196087).
Fixed an issue were PowerPC firmwares would not be built for non-PowerPC builds (bsc#1193545).
Fixed multiple issues in I/O (bsc#1178049 bsc#1194938).

Advisory ID	SUSE-RU-2022:936-1
Released	Tue Mar 22 18:10:17 2022
Summary	Recommended update for filesystem and systemd-rpm-macros
Type	recommended
Severity	moderate
References	1196275,1196406

Description:

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

Advisory ID	SUSE-SU-2022:940-1
Released	Wed Mar 23 10:41:16 2022
Summary	Security update for xen
Type	security
Severity	important
References	1027519,1191668,1194267,1196915,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002

Description:

This update for xen fixes the following issues:
Update Xen to version 4.14.4 (bsc#1027519)
Transient execution side-channel attacks attacking the Branch History Buffer (BHB), named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.
Security issues fixed:

CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: BHB speculation issues (bsc#1196915).

Non-security issues fixed:

Fixed issue around xl and virsh operation - virsh list not giving any output (bsc#1191668).

Advisory ID	SUSE-SU-2022:942-1
Released	Thu Mar 24 10:30:15 2022
Summary	Security update for python3
Type	security
Severity	moderate
References	1186819,CVE-2021-3572

Description:

This update for python3 fixes the following issues:

CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

Advisory ID	SUSE-SU-2022:943-1
Released	Thu Mar 24 12:52:54 2022
Summary	Security update for slirp4netns
Type	security
Severity	moderate
References	1179467,CVE-2020-29130

Description:

This update for slirp4netns fixes the following issues:

CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).

Advisory ID	SUSE-SU-2022:944-1
Released	Thu Mar 24 12:53:09 2022
Summary	Security update for libarchive
Type	security
Severity	moderate
References	1022528,1188572,1189528,CVE-2017-5601,CVE-2021-36976

Description:

This update for libarchive fixes the following issues:

CVE-2021-36976: Fixed an invalid memory access that could cause data corruption (bsc#1188572).

Non-security updates:

Updated references for CVE-2017-5601, which was already fixed in a previous version (bsc#1022528 bsc#1189528).

Advisory ID	SUSE-SU-2022:945-1
Released	Thu Mar 24 12:53:37 2022
Summary	Security update for bind
Type	security
Severity	important
References	1197135,CVE-2021-25220

Description:

This update for bind fixes the following issues:

CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose caching rules (bsc#1197135).

Advisory ID	SUSE-RU-2022:947-1
Released	Thu Mar 24 18:49:41 2022
Summary	Recommended update for dapl
Type	recommended
Severity	moderate
References	1047218

Description:

This update for dapl fixes the following issues:

Allow to override build date in order to allow for reproducible builds. (bsc#1047218)

Advisory ID	SUSE-RU-2022:948-1
Released	Fri Mar 25 12:46:42 2022
Summary	Recommended update for sudo
Type	recommended
Severity	moderate
References	1193446

Description:

This update for sudo fixes the following issues:

Fix user set timeout not being honored (bsc#1193446)

Advisory ID	SUSE-feature-2022:950-1
Released	Fri Mar 25 12:47:04 2022
Summary	Feature update for lifecycle-data-sle-module-development-tools
Type	feature
Severity	moderate
References

Description:

This feature update for lifecycle-data-sle-module-development-tools fixes the following issues:

Added expiration data for GCC 10 yearly update for the Toolchain/Development modules (jsc#ECO-2373, jsc#SLE-16821, jsc#SLE-16822)

Advisory ID	SUSE-RU-2022:952-1
Released	Fri Mar 25 15:27:53 2022
Summary	Recommended update for rpmlint
Type	recommended
Severity	moderate
References	1178848,1194799,1196149

Description:

This update for rpmlint fixes the following issues:

Add tukitd dbus whitelist (bsc#1196149)
Add kpmcore whitelisting (bsc#1178848).
Add whitelisting for NetworkManager nm-priv helper for SLE-15-SP4 (bsc#1194799).

Advisory ID	SUSE-SU-2022:953-1
Released	Mon Mar 28 09:21:37 2022
Summary	Security update for perl-DBD-SQLite
Type	security
Severity	moderate
References	1195771

Description:

This update for perl-DBD-SQLite fixes the following issues:

updated to 1.66
Use external sqlite3 library rather than internal code. (bsc#1195771)

Advisory ID	SUSE-SU-2022:954-1
Released	Mon Mar 28 09:21:52 2022
Summary	Security update for wavpack
Type	security
Severity	moderate
References	1197020,CVE-2021-44269

Description:

This update for wavpack fixes the following issues:

CVE-2021-44269: Fixed out of bounds read in processing .wav files (bsc#1197020).

Advisory ID	SUSE-RU-2022:957-1
Released	Mon Mar 28 12:01:45 2022
Summary	Recommended update for trilinos
Type	recommended
Severity	moderate
References	1194648

Description:

This update for trilinos fixes the following issues:

Update to version 13.2.0 For information on changes consult the release notes of its sub-packages.
Add dependency for library package to devel package.
Fix by calculating the relative path elements between the 'cmake' directory and the installation directory. This works only if 'Trilinos_INSTALL_LIB_DIR' is relative, while other parts of the code allow it to be absolute. (bsc#1194648)
Fix doc building.

Advisory ID	SUSE-RU-2022:1021-1
Released	Tue Mar 29 13:24:21 2022
Summary	Recommended update for systemd
Type	recommended
Severity	moderate
References	1195899

Description:

This update for systemd fixes the following issues:

allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

Advisory ID	SUSE-SU-2022:1027-1
Released	Tue Mar 29 15:41:51 2022
Summary	Security update for java-1_8_0-ibm
Type	security
Severity	important
References	1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,1195146,1196500,1197126,CVE-2022-21248,CVE-2022-21271,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21349,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366

Description:

This update for java-1_8_0-ibm fixes the following issues:
Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126).
Including fixes for the following vulnerabilities:
CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277, CVE-2022-21299, CVE-2022-21296, CVE-2022-21282, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21248, CVE-2022-21271.
Non-securtiy fix:

Fixed a broken symlink for javaws (bsc#1195146).

Advisory ID	SUSE-RU-2022:1028-1
Released	Tue Mar 29 16:37:33 2022
Summary	Recommended update for chrony
Type	recommended
Severity	moderate
References	1194220

Description:

This update for chrony fixes the following issues:

Disable 'ntsdumpdir' in default config, because augeas-lenses cannot parse it during installation of SUSE Linux Enterprise Micro 5.1 and openSUSE Leap 15.3 (bsc#1194220).

Advisory ID	SUSE-SU-2022:1029-1
Released	Tue Mar 29 17:29:05 2022
Summary	Security update for openvpn
Type	security
Severity	important
References	1197341,CVE-2022-0547

Description:

This update for openvpn fixes the following issues:

CVE-2022-0547: Fixed possible authentication bypass in external authentication plug-in (bsc#1197341).

Advisory ID	SUSE-SU-2022:1031-1
Released	Tue Mar 29 17:34:36 2022
Summary	Security update for apache2
Type	security
Severity	important
References	1197091,1197095,1197096,1197098,CVE-2022-22719,CVE-2022-22720,CVE-2022-22721,CVE-2022-23943

Description:

This update for apache2 fixes the following issues:

CVE-2022-23943: heap out-of-bounds write in mod_sed (bsc#1197098).
CVE-2022-22720: HTTP request smuggling due to incorrect error handling (bsc#1197095).
CVE-2022-22719: use of uninitialized value of in r:parsebody in mod_lua (bsc#1197091).
CVE-2022-22721: possible buffer overflow with very large or unlimited LimitXMLRequestBody (bsc#1197096).

Advisory ID	SUSE-RU-2022:1033-1
Released	Tue Mar 29 18:42:05 2022
Summary	Recommended update for java-11-openjdk
Type	recommended
Severity	moderate
References

Description:

This update for java-11-openjdk fixes the following issues:

Build failure on Solaris.
Unable to connect to https://google.com using java.net.HttpClient.

Advisory ID	SUSE-SU-2022:1037-1
Released	Wed Mar 30 09:36:58 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1195211,1195254,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196627,1196723,1196779,1196830,1196836,1196866,1196868,CVE-2021-0920,CVE-2021-39657,CVE-2021-44879,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-25636: Fixed an issue which allowed a local users to gain privileges because of a heap out-of-bounds write in nf_dup_netdev.c, related to nf_tables_offload (bsc#1196299).
CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).
CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
CVE-2022-24448: Fixed an issue if an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernel_read_file_from_fd(). (bsc#1196155)
CVE-2022-25258: The USB Gadget subsystem lacked certain validation of interface OS descriptor requests, which could have lead to memory corruption (bsc#1196096).
CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandled dev->buf release (bsc#1195905).
CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
CVE-2021-44879: In gc_data_segment() in fs/f2fs/gc.c, special files were not considered, which lead to a move_data_page NULL pointer dereference (bsc#1195987).
CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free vulnerability in unix_scm_to_skb of af_unix (bsc#1193731).
CVE-2021-39657: Fixed an information leak in the Universal Flash Storage subsystem (bsc#1193864).

The following non-security bugs were fixed:

ALSA: intel_hdmi: Fix reference to PCM buffer address (git-fixes).
ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions (git-fixes).
ARM: Fix kgdb breakpoint for Thumb2 (git-fixes).
ASoC: cs4265: Fix the duplicated control name (git-fixes).
ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min (git-fixes).
ASoC: rt5668: do not block workqueue if card is unbound (git-fixes).
ASoC: rt5682: do not block workqueue if card is unbound (git-fixes).
Bluetooth: btusb: Add missing Chicony device for Realtek RTL8723BE (bsc#1196779).
EDAC/altera: Fix deferred probing (bsc#1178134).
HID: add mapping for KEY_ALL_APPLICATIONS (git-fixes).
HID: add mapping for KEY_DICTATE (git-fixes).
Hand over the maintainership to SLE15-SP3 maintainers
IB/hfi1: Correct guard on eager buffer deallocation (git-fixes).
IB/hfi1: Fix early init panic (git-fixes).
IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr (git-fixes).
IB/hfi1: Insure use of smp_processor_id() is preempt disabled (git-fixes).
IB/rdmavt: Validate remote_addr during loopback atomic tests (git-fixes).
Input: clear BTN_RIGHT/MIDDLE on buttonpads (git-fixes).
Input: elan_i2c - fix regulator enable count imbalance after suspend/resume (git-fixes).
Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power() (git-fixes).
RDMA/bnxt_re: Scan the whole bitmap when checking if 'disabling RCFW with pending cmd-bit' (git-fixes).
RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1181147).
RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry (git-fixes).
RDMA/cma: Remove open coding of overflow checking for private_data_len (git-fixes).
RDMA/core: Do not infoleak GRH fields (git-fixes).
RDMA/core: Let ib_find_gid() continue search even after empty entry (git-fixes).
RDMA/cxgb4: Set queue pair state when being queried (git-fixes).
RDMA/hns: Validate the pkey index (git-fixes).
RDMA/ib_srp: Fix a deadlock (git-fixes).
RDMA/mlx4: Do not continue event handler after memory allocation failure (git-fixes).
RDMA/rtrs-clt: Fix possible double free in error case (jsc#SLE-15176).
RDMA/rxe: Fix a typo in opcode name (git-fixes).
RDMA/siw: Fix broken RDMA Read Fence/Resume logic (git-fixes).
RDMA/uverbs: Check for null return of kmalloc_array (git-fixes).
RDMA/uverbs: Remove the unnecessary assignment (git-fixes).
Revert 'USB: serial: ch341: add new Product ID for CH341A' (git-fixes).
SUNRPC: avoid race between mod_timer() and del_timer_sync() (bnc#1195403).
USB: gadget: validate endpoint index for xilinx udc (git-fixes).
USB: gadget: validate interface OS descriptor requests (git-fixes).
USB: hub: Clean up use of port initialization schemes and retries (git-fixes).
USB: serial: option: add Telit LE910R1 compositions (git-fixes).
USB: serial: option: add support for DW5829e (git-fixes).
USB: zaurus: support another broken Zaurus (git-fixes).
arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output (git-fixes).
asix: fix uninit-value in asix_mdio_read() (git-fixes).
ata: pata_hpt37x: disable primary channel on HPT371 (git-fixes).
batman-adv: Do not expect inter-netns unique iflink indices (git-fixes).
batman-adv: Request iflink once in batadv-on-batadv check (git-fixes).
batman-adv: Request iflink once in batadv_get_real_netdevice (git-fixes).
blk-mq: do not free tags if the tag_set is used by other device in queue initialztion (bsc#1193787).
bnxt_en: Fix active FEC reporting to ethtool (jsc#SLE-16649).
bnxt_en: Fix incorrect multicast rx mask setting when not requested (git-fixes).
bnxt_en: Fix occasional ethtool -t loopback test failures (git-fixes).
bnxt_en: Fix offline ethtool selftest with RDMA enabled (git-fixes).
bonding: force carrier update when releasing slave (git-fixes).
can: gs_usb: change active_channels's type from atomic_t to u8 (git-fixes).
cgroup-v1: Correct privileges check in release_agent writes (bsc#1196723).
cgroup/cpuset: Fix 'suspicious RCU usage' lockdep warning (bsc#1196868).
clk: jz4725b: fix mmc0 clock gating (git-fixes).
cpufreq: schedutil: Use kobject release() method to free (git-fixes)
cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() (bsc#1196866).
cputime, cpuacct: Include guest time in user time in (git-fixes)
dma-direct: Fix potential NULL pointer dereference (bsc#1196472 ltc#192278).
dma-mapping: Allow mixing bypass and mapped DMA operation (bsc#1196472 ltc#192278).
dmaengine: shdma: Fix runtime PM imbalance on error (git-fixes).
drm/amdgpu: disable MMHUB PG for Picasso (git-fixes).
drm/edid: Always set RGB444 (git-fixes).
drm/i915/dg1: Wait for pcode/uncore handshake at startup (bsc#1195211).
drm/i915/gen11+: Only load DRAM information from pcode (bsc#1195211).
drm/i915: Nuke not needed members of dram_info (bsc#1195211).
drm/i915: Remove memory frequency calculation (bsc#1195211).
drm/i915: Rename is_16gb_dimm to wm_lv_0_adjust_needed (bsc#1195211).
efivars: Respect 'block' flag in efivar_entry_set_safe() (git-fixes).
exfat: fix i_blocks for files truncated over 4 GiB (git-fixes).
exfat: fix incorrect loading of i_blocks for large files (git-fixes).
firmware: arm_scmi: Remove space in MODULE_ALIAS name (git-fixes).
gpio: rockchip: Reset int_bothedge when changing trigger (git-fixes).
gpio: tegra186: Fix chip_data type confusion (git-fixes).
gtp: remove useless rcu_read_lock() (git-fixes).
hamradio: fix macro redefine warning (git-fixes).
i2c: bcm2835: Avoid clock stretching timeouts (git-fixes).
iavf: Fix missing check for running netdev (git-fixes).
ice: initialize local variable 'tlv' (jsc#SLE-12878).
igc: igc_read_phy_reg_gpy: drop premature return (git-fixes).
igc: igc_write_phy_reg_gpy: drop premature return (git-fixes).
iio: Fix error handling for PM (git-fixes).
iio: adc: ad7124: fix mask used for setting AIN_BUFP & AIN_BUFM bits (git-fixes).
iio: adc: men_z188_adc: Fix a resource leak in an error handling path (git-fixes).
ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc() (git-fixes).
mac80211: fix forwarded mesh frames AC & queue selection (git-fixes).
mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work (git-fixes).
mac80211_hwsim: report NOACK frames in tx_status (git-fixes).
mask out added spinlock in rndis_params (git-fixes).
net/mlx5: Fix possible deadlock on rule deletion (git-fixes).
net/mlx5: Fix wrong limitation of metadata match on ecpf (git-fixes).
net/mlx5: Update the list of the PCI supported devices (git-fixes).
net/mlx5: Update the list of the PCI supported devices (git-fixes).
net/mlx5e: Fix modify header actions memory leak (git-fixes).
net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
net/mlx5e: Fix wrong return value on ioctl EEPROM query failure (git-fixes).
net/mlx5e: TC, Reject rules with drop and modify hdr action (git-fixes).
net/mlx5e: TC, Reject rules with forward and drop actions (git-fixes).
net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets (jsc#SLE-15172).
net/sched: act_ct: Fix flow table lookup after ct clear or switching zones (jsc#SLE-15172).
net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration (git-fixes).
net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement (git-fixes).
net: fix up skbs delta_truesize in UDP GRO frag_list (bsc#1176447).
net: hns3: Clear the CMDQ registers before unmapping BAR region (git-fixes).
net: sfc: Replace in_interrupt() usage (git-fixes).
net: tipc: validate domain record count on input (bsc#1195254).
net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 (git-fixes).
netfilter: nf_tables: fix memory leak during stateful obj update (bsc#1176447).
netsec: ignore 'phy-mode' device property on ACPI systems (git-fixes).
nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() (git-fixes).
nl80211: Handle nla_memdup failures in handle_nan_filter (git-fixes).
ntb: intel: fix port config status offset for SPR (git-fixes).
nvme-multipath: use vmalloc for ANA log buffer (bsc#1193787).
nvme-rdma: fix possible use-after-free in transport error_recovery work (git-fixes).
nvme-tcp: fix possible use-after-free in transport error_recovery work (git-fixes).
nvme: fix a possible use-after-free in controller reset during load (git-fixes).
powerpc/dma: Fallback to dma_ops when persistent memory present (bsc#1196472 ltc#192278). Update config files.
powerpc/fadump: register for fadump as early as possible (bsc#1179439 ltc#190038).
powerpc/mm: Remove dcache flush from memory remove (bsc#1196433 ltc#196449).
powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433 ltc#196449).
powerpc/pseries/iommu: Fix window size for direct mapping with pmem (bsc#1196472 ltc#192278).
sched/core: Mitigate race (git-fixes)
scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() (git-fixes).
scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe (git-fixes).
scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() (git-fixes).
scsi: nsp_cs: Check of ioremap return value (git-fixes).
scsi: qedf: Fix potential dereference of NULL pointer (git-fixes).
scsi: smartpqi: Add PCI IDs (bsc#1196627).
scsi: ufs: Fix race conditions related to driver data (git-fixes).
selftests: mlxsw: tc_police_scale: Make test more robust (bsc#1176774).
soc: fsl: Correct MAINTAINERS database (QUICC ENGINE LIBRARY) (git-fixes).
soc: fsl: Correct MAINTAINERS database (SOC) (git-fixes).
soc: fsl: qe: Check of ioremap return value (git-fixes).
spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() (git-fixes).
sr9700: sanity check for packet length (bsc#1196836).
tracing: Fix return value of __setup handlers (git-fixes).
tty: n_gsm: fix encoding of control signal octet bit DV (git-fixes).
tty: n_gsm: fix proper link termination after failed open (git-fixes).
usb: dwc2: use well defined macros for power_down (git-fixes).
usb: dwc3: gadget: Let the interrupt handler disable bottom halves (git-fixes).
usb: dwc3: pci: Fix Bay Trail phy GPIO mappings (git-fixes).
usb: gadget: rndis: add spinlock for rndis response list (git-fixes).
usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
vrf: Fix fast path output packet handling with async Netfilter rules (git-fixes).
xhci: Prevent futile URB re-submissions due to incorrect return value (git-fixes).
xhci: re-initialize the HC during resume if HCE was set (git-fixes).

Advisory ID	SUSE-SU-2022:1039-1
Released	Wed Mar 30 09:38:11 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959,CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-25636: Fixed an issue which allowed a local users to gain privileges because of a heap out-of-bounds write in nf_dup_netdev.c, related to nf_tables_offload (bsc#1196299).
CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).
CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
CVE-2022-24448: Fixed an issue if an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernel_read_file_from_fd(). (bsc#1196155)
CVE-2022-25258: The USB Gadget subsystem lacked certain validation of interface OS descriptor requests, which could have lead to memory corruption (bsc#1196096).
CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandled dev->buf release (bsc#1195905).
CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
CVE-2021-44879: In gc_data_segment() in fs/f2fs/gc.c, special files were not considered, which lead to a move_data_page NULL pointer dereference (bsc#1195987).
CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free vulnerability in unix_scm_to_skb of af_unix (bsc#1193731).
CVE-2021-39657: Fixed an information leak in the Universal Flash Storage subsystem (bsc#1193864).
CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from heap memory via crafted frame lengths from a device (bsc#1196836).
CVE-2021-39698: Fixed a possible memory corruption due to a use after free in aio_poll_complete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
CVE-2021-45402: The check_alu_op function in kernel/bpf/verifier.c did not properly update bounds while handling the mov32 instruction, which allowed local users to obtain potentially sensitive address information (bsc#1196130).
CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)

The following non-security bugs were fixed:

ALSA: intel_hdmi: Fix reference to PCM buffer address (git-fixes).
ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions (git-fixes).
ARM: Fix kgdb breakpoint for Thumb2 (git-fixes).
ASoC: cs4265: Fix the duplicated control name (git-fixes).
ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min (git-fixes).
ASoC: rt5668: do not block workqueue if card is unbound (git-fixes).
ASoC: rt5682: do not block workqueue if card is unbound (git-fixes).
Bluetooth: btusb: Add missing Chicony device for Realtek RTL8723BE (bsc#1196779).
EDAC/altera: Fix deferred probing (bsc#1178134).
EDAC: Fix calculation of returned address and next offset in edac_align_ptr() (bsc#1178134).
HID: add mapping for KEY_ALL_APPLICATIONS (git-fixes).
HID: add mapping for KEY_DICTATE (git-fixes).
Hand over the maintainership to SLE15-SP3 maintainers
IB/hfi1: Correct guard on eager buffer deallocation (git-fixes).
IB/hfi1: Fix early init panic (git-fixes).
IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr (git-fixes).
IB/hfi1: Insure use of smp_processor_id() is preempt disabled (git-fixes).
IB/rdmavt: Validate remote_addr during loopback atomic tests (git-fixes).
Input: clear BTN_RIGHT/MIDDLE on buttonpads (git-fixes).
Input: elan_i2c - fix regulator enable count imbalance after suspend/resume (git-fixes).
Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power() (git-fixes).
NFC: port100: fix use-after-free in port100_send_complete (git-fixes).
RDMA/bnxt_re: Scan the whole bitmap when checking if 'disabling RCFW with pending cmd-bit' (git-fixes).
RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1181147).
RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry (git-fixes).
RDMA/cma: Remove open coding of overflow checking for private_data_len (git-fixes).
RDMA/core: Do not infoleak GRH fields (git-fixes).
RDMA/core: Let ib_find_gid() continue search even after empty entry (git-fixes).
RDMA/cxgb4: Set queue pair state when being queried (git-fixes).
RDMA/hns: Validate the pkey index (git-fixes).
RDMA/ib_srp: Fix a deadlock (git-fixes).
RDMA/mlx4: Do not continue event handler after memory allocation failure (git-fixes).
RDMA/rtrs-clt: Fix possible double free in error case (jsc#SLE-15176).
RDMA/rxe: Fix a typo in opcode name (git-fixes).
RDMA/siw: Fix broken RDMA Read Fence/Resume logic (git-fixes).
RDMA/uverbs: Check for null return of kmalloc_array (git-fixes).
RDMA/uverbs: Remove the unnecessary assignment (git-fixes).
Revert 'USB: serial: ch341: add new Product ID for CH341A' (git-fixes).
SUNRPC: avoid race between mod_timer() and del_timer_sync() (bnc#1195403).
USB: gadget: validate endpoint index for xilinx udc (git-fixes).
USB: gadget: validate interface OS descriptor requests (git-fixes).
USB: hub: Clean up use of port initialization schemes and retries (git-fixes).
USB: serial: option: add Telit LE910R1 compositions (git-fixes).
USB: serial: option: add support for DW5829e (git-fixes).
USB: zaurus: support another broken Zaurus (git-fixes).
arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output (git-fixes).
asix: fix uninit-value in asix_mdio_read() (git-fixes).
ata: pata_hpt37x: disable primary channel on HPT371 (git-fixes).
ax25: Fix NULL pointer dereference in ax25_kill_by_device (git-fixes).
batman-adv: Do not expect inter-netns unique iflink indices (git-fixes).
batman-adv: Request iflink once in batadv-on-batadv check (git-fixes).
batman-adv: Request iflink once in batadv_get_real_netdevice (git-fixes).
blk-mq: do not free tags if the tag_set is used by other device in queue initialztion (bsc#1193787).
bnxt_en: Fix active FEC reporting to ethtool (jsc#SLE-16649).
bnxt_en: Fix incorrect multicast rx mask setting when not requested (git-fixes).
bnxt_en: Fix occasional ethtool -t loopback test failures (git-fixes).
bnxt_en: Fix offline ethtool selftest with RDMA enabled (git-fixes).
bonding: force carrier update when releasing slave (git-fixes).
build initrd without systemd This reduces the size of the initrd by over 25%, which improves startup time of the virtual machine by 0.5-0.6s on very fast machines, more on slower ones.
can: gs_usb: change active_channels's type from atomic_t to u8 (git-fixes).
cgroup-v1: Correct privileges check in release_agent writes (bsc#1196723).
cgroup/cpuset: Fix 'suspicious RCU usage' lockdep warning (bsc#1196868).
clk: jz4725b: fix mmc0 clock gating (git-fixes).
constraints: Also adjust disk requirement for x86 and s390.
constraints: Increase disk space for aarch64
cpufreq: schedutil: Use kobject release() method to free (git-fixes)
cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() (bsc#1196866).
cputime, cpuacct: Include guest time in user time in (git-fixes)
dma-direct: Fix potential NULL pointer dereference (bsc#1196472 ltc#192278).
dma-mapping: Allow mixing bypass and mapped DMA operation (bsc#1196472 ltc#192278).
dmaengine: shdma: Fix runtime PM imbalance on error (git-fixes).
drm/amdgpu: disable MMHUB PG for Picasso (git-fixes).
drm/edid: Always set RGB444 (git-fixes).
drm/i915/dg1: Wait for pcode/uncore handshake at startup (bsc#1195211).
drm/i915/gen11+: Only load DRAM information from pcode (bsc#1195211).
drm/i915: Nuke not needed members of dram_info (bsc#1195211).
drm/i915: Remove memory frequency calculation (bsc#1195211).
drm/i915: Rename is_16gb_dimm to wm_lv_0_adjust_needed (bsc#1195211).
drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
efivars: Respect 'block' flag in efivar_entry_set_safe() (git-fixes).
exfat: fix i_blocks for files truncated over 4 GiB (git-fixes).
exfat: fix incorrect loading of i_blocks for large files (git-fixes).
firmware: arm_scmi: Remove space in MODULE_ALIAS name (git-fixes).
fix rpm build warning tumbleweed rpm is adding these warnings to the log: It's not recommended to have unversioned Obsoletes: Obsoletes: microcode_ctl
gianfar: ethtool: Fix refcount leak in gfar_get_ts_info (git-fixes).
gpio: rockchip: Reset int_bothedge when changing trigger (git-fixes).
gpio: tegra186: Fix chip_data type confusion (git-fixes).
gpio: ts4900: Do not set DAT and OE together (git-fixes).
gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
gtp: remove useless rcu_read_lock() (git-fixes).
hamradio: fix macro redefine warning (git-fixes).
i2c: bcm2835: Avoid clock stretching timeouts (git-fixes).
iavf: Fix missing check for running netdev (git-fixes).
ice: initialize local variable 'tlv' (jsc#SLE-12878).
igc: igc_read_phy_reg_gpy: drop premature return (git-fixes).
igc: igc_write_phy_reg_gpy: drop premature return (git-fixes).
iio: Fix error handling for PM (git-fixes).
iio: adc: ad7124: fix mask used for setting AIN_BUFP & AIN_BUFM bits (git-fixes).
iio: adc: men_z188_adc: Fix a resource leak in an error handling path (git-fixes).
ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc() (git-fixes).
kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr directory (bsc#1195051).
kernel-binary.spec: Also exclude the kernel signing key from devel package. There is a check in OBS that fails when it is included. Also the key is not reproducible. Fixes: bb988d4625a3 ('kernel-binary: Do not include sourcedir in certificate path.')
kernel-binary.spec: Do not use the default certificate path (bsc#1194943). Using the the default path is broken since Linux 5.17
kernel-binary: Do not include sourcedir in certificate path. The certs macro runs before build directory is set up so it creates the aggregate of supplied certificates in the source directory. Using this file directly as the certificate in kernel config works but embeds the source directory path in the kernel config. To avoid this symlink the certificate to the build directory and use relative path to refer to it. Also fabricate a certificate in the same location in build directory when none is provided.
kernel-obs-build: include 9p (boo#1195353) To be able to share files between host and the qemu vm of the build script, the 9p and 9p_virtio kernel modules need to be included in the initrd of kernel-obs-build.
mac80211: fix forwarded mesh frames AC & queue selection (git-fixes).
mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work (git-fixes).
mac80211_hwsim: report NOACK frames in tx_status (git-fixes).
mask out added spinlock in rndis_params (git-fixes).
mmc: meson: Fix usage of meson_mmc_post_req() (git-fixes).
net/mlx5: Fix possible deadlock on rule deletion (git-fixes).
net/mlx5: Fix wrong limitation of metadata match on ecpf (git-fixes).
net/mlx5: Update the list of the PCI supported devices (git-fixes).
net/mlx5: Update the list of the PCI supported devices (git-fixes).
net/mlx5e: Fix modify header actions memory leak (git-fixes).
net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
net/mlx5e: Fix wrong return value on ioctl EEPROM query failure (git-fixes).
net/mlx5e: TC, Reject rules with drop and modify hdr action (git-fixes).
net/mlx5e: TC, Reject rules with forward and drop actions (git-fixes).
net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets (jsc#SLE-15172).
net/sched: act_ct: Fix flow table lookup after ct clear or switching zones (jsc#SLE-15172).
net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration (git-fixes).
net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement (git-fixes).
net: fix up skbs delta_truesize in UDP GRO frag_list (bsc#1176447).
net: hns3: Clear the CMDQ registers before unmapping BAR region (git-fixes).
net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
net: sfc: Replace in_interrupt() usage (git-fixes).
net: tipc: validate domain record count on input (bsc#1195254).
net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 (git-fixes).
netfilter: nf_tables: fix memory leak during stateful obj update (bsc#1176447).
netsec: ignore 'phy-mode' device property on ACPI systems (git-fixes).
nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() (git-fixes).
nl80211: Handle nla_memdup failures in handle_nan_filter (git-fixes).
ntb: intel: fix port config status offset for SPR (git-fixes).
nvme-multipath: use vmalloc for ANA log buffer (bsc#1193787).
nvme-rdma: fix possible use-after-free in transport error_recovery work (git-fixes).
nvme-tcp: fix possible use-after-free in transport error_recovery work (git-fixes).
nvme: fix a possible use-after-free in controller reset during load (git-fixes).
powerpc/dma: Fallback to dma_ops when persistent memory present (bsc#1196472 ltc#192278). Update config files.
powerpc/fadump: register for fadump as early as possible (bsc#1179439 ltc#190038).
powerpc/mm: Remove dcache flush from memory remove (bsc#1196433 ltc#196449).
powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433 ltc#196449).
powerpc/pseries/iommu: Fix window size for direct mapping with pmem (bsc#1196472 ltc#192278).
rpm/*.spec.in: Use https:// urls
rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
rpm/kernel-docs.spec.in: use %%license for license declarations Limited to SLE15+ to avoid compatibility nightmares.
rpm/kernel-source.spec.in: call fdupes per subpackage It is a waste of time to do a global fdupes when we have subpackages.
rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
sched/core: Mitigate race (git-fixes)
scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() (git-fixes).
scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe (git-fixes).
scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() (git-fixes).
scsi: nsp_cs: Check of ioremap return value (git-fixes).
scsi: qedf: Fix potential dereference of NULL pointer (git-fixes).
scsi: smartpqi: Add PCI IDs (bsc#1196627).
scsi: ufs: Fix race conditions related to driver data (git-fixes).
selftests: mlxsw: tc_police_scale: Make test more robust (bsc#1176774).
soc: fsl: Correct MAINTAINERS database (QUICC ENGINE LIBRARY) (git-fixes).
soc: fsl: Correct MAINTAINERS database (SOC) (git-fixes).
soc: fsl: qe: Check of ioremap return value (git-fixes).
spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() (git-fixes).
sr9700: sanity check for packet length (bsc#1196836).
staging: gdm724x: fix use after free in gdm_lte_rx() (git-fixes).
tracing: Fix return value of __setup handlers (git-fixes).
tty: n_gsm: fix encoding of control signal octet bit DV (git-fixes).
tty: n_gsm: fix proper link termination after failed open (git-fixes).
usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
usb: dwc2: gadget: Fix kill_all_requests race (git-fixes).
usb: dwc2: use well defined macros for power_down (git-fixes).
usb: dwc3: gadget: Let the interrupt handler disable bottom halves (git-fixes).
usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
usb: dwc3: pci: Fix Bay Trail phy GPIO mappings (git-fixes).
usb: gadget: rndis: add spinlock for rndis response list (git-fixes).
usb: host: xen-hcd: add missing unlock in error path (git-fixes).
usb: hub: Fix locking issues with address0_mutex (git-fixes).
usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
vrf: Fix fast path output packet handling with async Netfilter rules (git-fixes).
xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
xhci: Prevent futile URB re-submissions due to incorrect return value (git-fixes).
xhci: re-initialize the HC during resume if HCE was set (git-fixes).

Advisory ID	SUSE-SU-2022:1040-1
Released	Wed Mar 30 09:40:58 2022
Summary	Security update for protobuf
Type	security
Severity	moderate
References	1195258,CVE-2021-22570

Description:

This update for protobuf fixes the following issues:

CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

Advisory ID	SUSE-RU-2022:1046-1
Released	Wed Mar 30 15:37:00 2022
Summary	Recommended update for firewalld
Type	recommended
Severity	moderate
References	1191837

Description:

This update for firewalld fixes the following issues:

Fixed ability to setting the default zone to external during installation (bsc#1191837)

Advisory ID	SUSE-RU-2022:1047-1
Released	Wed Mar 30 16:20:56 2022
Summary	Recommended update for pam
Type	recommended
Severity	moderate
References	1196093,1197024

Description:

This update for pam fixes the following issues:

Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

Advisory ID	SUSE-SU-2022:1050-1
Released	Wed Mar 30 16:30:04 2022
Summary	Security update for SUSE Manager 4.2.5.1 Release Notes
Type	security
Severity	important
References	1197417,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941

Description:

This update for SUSE Manager 4.2.5.1 Release Notes provides the following additions:
Release notes for SUSE Manager:

Update to 4.2.5.1 * CVEs fixed CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941 * Bugs mentioned bsc#1197417

Advisory ID	SUSE-SU-2022:1059-1
Released	Wed Mar 30 17:32:55 2022
Summary	Security update for salt
Type	security
Severity	important
References	1197417,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941

Description:

This update for salt fixes the following issues:

CVE-2022-22935: Sign authentication replies to prevent MiTM (bsc#1197417)
CVE-2022-22934: Sign pillar data to prevent MiTM attacks. (bsc#1197417)
CVE-2022-22936: Prevent job and fileserver replays (bsc#1197417)
CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth. (bsc#1197417)

Advisory ID	SUSE-SU-2022:1061-1
Released	Wed Mar 30 18:27:06 2022
Summary	Security update for zlib
Type	security
Severity	important
References	1197459,CVE-2018-25032

Description:

This update for zlib fixes the following issues:

CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

Advisory ID	SUSE-SU-2022:1064-1
Released	Thu Mar 31 09:58:08 2022
Summary	Security update for python2-numpy
Type	security
Severity	moderate
References	1193907,1193911,1193913,CVE-2021-33430,CVE-2021-41495,CVE-2021-41496

Description:

This update for python2-numpy fixes the following issues:

CVE-2021-33430: Fixed buffer overflow that could lead to DoS in PyArray_NewFromDescr_int function of ctors.c (bsc#1193913).
CVE-2021-41496: Fixed buffer overflow that could lead to DoS in array_from_pyobj function of fortranobject.c (bsc#1193907).
CVE-2021-41495: Fixed Null Pointer Dereference in numpy.sort due to missing return value validation (bsc#1193911).

Advisory ID	SUSE-SU-2022:1065-1
Released	Thu Mar 31 12:06:14 2022
Summary	Security update for kernel-firmware
Type	security
Severity	important
References	1186938,1188662,1192953,1195786,1196333,CVE-2021-0066,CVE-2021-0071,CVE-2021-0072,CVE-2021-0076,CVE-2021-0161,CVE-2021-0164,CVE-2021-0165,CVE-2021-0166,CVE-2021-0168,CVE-2021-0170,CVE-2021-0172,CVE-2021-0173,CVE-2021-0174,CVE-2021-0175,CVE-2021-0176,CVE-2021-0183,CVE-2021-33139,CVE-2021-33155

Description:

This update for kernel-firmware fixes the following issues:
Update Intel Wireless firmware for 9xxx (INTEL-SA-00539, bsc#1196333):
CVE-2021-0161: Improper input validation in firmware for Intel PROSet/Wireless Wi-Fi and Killer Wi-Fi may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2021-0164: Improper access control in firmware for Intel PROSet/Wireless Wi-Fi and Killer Wi-Fi may allow an unauthenticated user to potentially enable escalation of privilege via local access. CVE-2021-0165: Improper input validation in firmware for Intel PROSet/Wireless Wi-Fi and Killer Wi-Fi may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0066: Improper input validation in firmware for Intel PROSet/Wireless Wi-Fi and Killer Wi-Fi may allow an unauthenticated user to potentially enable escalation of privilege via local access. CVE-2021-0166: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2021-0168: Improper input validation in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2021-0170: Exposure of Sensitive Information to an Unauthorized Actor in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow an authenticated user to potentially enable information disclosure via local access. CVE-2021-0172: Improper input validation in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0173: Improper Validation of Consistency within input in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0174: Improper Use of Validation Framework in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0175: Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0076: Improper Validation of Specified Index, Position, or Offset in Input in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a privileged user to potentially enable denial of service via local access. CVE-2021-0176: Improper input validation in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a privileged user to potentially enable denial of service via local access. CVE-2021-0183: Improper Validation of Specified Index, Position, or Offset in Input in software for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow an unauthenticated user to potentially enable denial of service via adjacent access. CVE-2021-0072: Improper input validation in firmware for some Intel PROSet/Wireless Wi-Fi and some Killer Wi-Fi may allow a privileged user to potentially enable information disclosure via local access. CVE-2021-0071: Improper input validation in firmware for some Intel PROSet/Wireless WiFi in UEFI may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Update Intel Bluetooth firmware (INTEL-SA-00604,bsc#1195786):

CVE-2021-33139: Improper conditions check in firmware for some Intel Wireless Bluetooth and Killer Bluetooth products before may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2021-33155: Improper input validation in firmware for some Intel Wireless Bluetooth and Killer Bluetooth products before may allow an authenticated user to potentially enable denial of service via adjacent access.

Bug fixes:

Updated the AMD SEV firmware (bsc#1186938)
Reduced the LZMA2 dictionary size (bsc#1188662)

Advisory ID	SUSE-RU-2022:1066-1
Released	Thu Mar 31 12:16:09 2022
Summary	Recommended update for mlocate
Type	recommended
Severity	important
References	1195144

Description:

This update for mlocate fixes the following issues:

Require `apparmor-abstractions`, because `apparmor.service` will fail if `mlocate` is installed. (bsc#1195144)

Advisory ID	SUSE-RU-2022:1070-1
Released	Fri Apr 1 10:52:52 2022
Summary	Recommended update for release-notes-sles
Type	recommended
Severity	low
References	933411

Description:

This update for release-notes-sles fixes the following issues:
Update the release notes to version 15.3.20220324. (bsc#933411)

Move KubeVirt out of technology previews for Intel 64/AMD64 (x86-64)
Fix GICv4.1 acronym in aarch64. (jsc#SLE-14763)

Advisory ID	SUSE-SU-2022:1073-1
Released	Fri Apr 1 11:45:01 2022
Summary	Security update for yaml-cpp
Type	security
Severity	moderate
References	1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292

Description:

This update for yaml-cpp fixes the following issues:

CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

Advisory ID	SUSE-RU-2022:1074-1
Released	Fri Apr 1 13:27:00 2022
Summary	Recommended update for cloud-init
Type	recommended
Severity	moderate
References	1193531

Description:

This update for cloud-init contains the following fixes:

Enable broader systemctl location. (bsc#1193531)

Remove unneeded BuildRequires on python3-nose.

Advisory ID	SUSE-SU-2022:1091-1
Released	Fri Apr 1 16:59:21 2022
Summary	Security update for python
Type	security
Severity	moderate
References	1175619,1186819,1194146,1195396,CVE-2021-3572,CVE-2021-4189,CVE-2022-0391

Description:

This update for python fixes the following issues:

CVE-2022-0391: Fixed URL sanitization containing ASCII newline and tabs in urlparse (bsc#1195396).
CVE-2021-4189: Fixed ftplib not to trust the PASV response (bsc#1194146).
CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

Advisory ID	SUSE-RU-2022:1092-1
Released	Fri Apr 1 17:24:58 2022
Summary	Recommended update for cloud-regionsrv-client
Type	recommended
Severity	critical
References	1195414,1195564,1197113

Description:

This update for cloud-regionsrv-client fixes the following issues:

Update to version 10.0.2 + Fix name of logfile in error message + Fix variable scoping to properly detect registration error + Cleanup any artifacts on registration failure + Fix latent bug with /etc/hosts population + Do not throw error when attemting to unregister a system that is not registered + Skip extension registration if the extension is recommended by the baseproduct as it gets automatically installed

Update to version 10.0.1 (bsc#1197113) + Provide status feedback on registration, success or failure + Log warning message if data provider is configured but no data can be retrieved
Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564) + The repo enablement timer cannot depend on 'guestregister.service'

Advisory ID	SUSE-RU-2022:1095-1
Released	Mon Apr 4 10:44:43 2022
Summary	Recommended update for sssd
Type	recommended
Severity	moderate
References	1190775,1196564

Description:

This update for sssd fixes the following issues:

Fix a crash caused by a read-after-free condition. (bsc#1196564)
Add 'ldap_ignore_unreadable_references' parameter to skip unreadable objects referenced by 'member' attribute. (bsc#1190775)

Advisory ID	SUSE-RU-2022:1097-1
Released	Mon Apr 4 10:45:38 2022
Summary	Recommended update for xorg-x11-server
Type	recommended
Severity	moderate
References	1197045,1197046,1197269

Description:

This update for xorg-x11-server fixes the following issues:

sync pci ids with Mesa 20.2.4 (bsc#1197046)
sync GL driver PCI IDs with Mesa. (bsc#1197045)
avoid consequently failing page flip. (bsc#1197269)

Advisory ID	SUSE-RU-2022:1098-1
Released	Mon Apr 4 12:51:35 2022
Summary	Recommended update for davfs2
Type	recommended
Severity	moderate
References	1188967,1193733,1194537

Description:

This update for davfs2 fixes the following issues:

Fix potential crash on umount (bsc#1194537)
Check for valid server etag property (bsc#1193733)
Fix cached file attributes (bsc#1188967)

Advisory ID	SUSE-RU-2022:1099-1
Released	Mon Apr 4 12:53:05 2022
Summary	Recommended update for aaa_base
Type	recommended
Severity	moderate
References	1194883

Description:

This update for aaa_base fixes the following issues:

Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

Advisory ID	SUSE-SU-2022:1100-1
Released	Mon Apr 4 13:00:05 2022
Summary	Security update for 389-ds
Type	security
Severity	important
References	1194068,1194084,1197275,1197345,CVE-2022-0918,CVE-2022-0996

Description:

This update for 389-ds fixes the following issues:

CVE-2022-0918: Fixed a potential denial of service via crafted packet (bsc#1197275).
CVE-2022-0996: Fixed a mishandling of password expiry (bsc#1197345).
Resolved LDAP-Support not working with DHCP by adding required schema (bsc#1194068)
Resolved multiple index migration bug (bsc#1194084)

Advisory ID	SUSE-RU-2022:1107-1
Released	Mon Apr 4 17:49:17 2022
Summary	Recommended update for util-linux
Type	recommended
Severity	moderate
References	1194642

Description:

This update for util-linux fixes the following issue:

Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

Advisory ID	SUSE-feature-2022:1115-1
Released	Tue Apr 5 18:31:13 2022
Summary	Feature update for alsa-oss
Type	feature
Severity	moderate
References	1181571

Description:

This feature update for alsa-oss provides the following changes:
Update from version 1.0.28 to version 1.1.8 (bsc#1181571)

Drop the superfluous build requires `alsa-topology-devel`. It is no longer mandatory.
Avoid repetition of name in package summary and updated description.
Fix build issues with the recent `glibc` (bsc#1181571)
Update the Free Software Foundation, Inc. address
Provide binaries for non x86_64 architectures directly to SUSE Package Hub.

Advisory ID	SUSE-OU-2022:1116-1
Released	Tue Apr 5 18:31:34 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: libexttextcat

Advisory ID	SUSE-RU-2022:1118-1
Released	Tue Apr 5 18:34:06 2022
Summary	Recommended update for timezone
Type	recommended
Severity	moderate
References	1177460

Description:

This update for timezone fixes the following issues:

timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

Advisory ID	SUSE-RU-2022:1119-1
Released	Wed Apr 6 09:16:06 2022
Summary	Recommended update for supportutils
Type	recommended
Severity	moderate
References	1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797

Description:

This update for supportutils fixes the following issues:

Add command `blkid`
Add email.txt based on OPTION_EMAIL (bsc#1189028)
Add rpcinfo -p output #116
Add s390x specific files and output
Add shared memory as a log directory for emergency use (bsc#1190943)
Fix cron package for RPM validation (bsc#1190315)
Fix for invalid argument during updates (bsc#1193204)
Fix iscsi initiator name (bsc#1195797)
Improve `lsblk` readability with `--ascsi` option
Include 'multipath -t' output in mpio.txt
Include /etc/sssd/conf.d configuration files
Include udev rules in /lib/udev/rules.d/
Made /proc directory and network names spaces configurable (bsc#1193868)
Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect SUSE Linux Enterprise 15 Serivce Pack 3 and 4 (bsc#1191096)
Move localmessage/warm logs out of messages.txt to new localwarn.txt
Optimize configuration files
Remove chronyc DNS lookups with -n switch (bsc#1193732)
Remove duplicate commands in network.txt
Remove duplicate firewalld status output
getappcore identifies compressed core files (bsc#1191794)

Advisory ID	SUSE-RU-2022:1124-1
Released	Wed Apr 6 13:07:05 2022
Summary	Recommended update for compat-libpthread-nonshared
Type	recommended
Severity	low
References	1197272

Description:

This update for compat-libpthread-nonshared fixes the following issues:

Also build s390x version (bsc#1197272)

Advisory ID	SUSE-RU-2022:1126-1
Released	Thu Apr 7 14:05:02 2022
Summary	Recommended update for nfs-utils
Type	recommended
Severity	moderate
References	1197297,1197788

Description:

This update for nfs-utils fixes the following issues:

Ensure `sloppy` is added correctly for newer kernels. (bsc#1197297) * This is required for kernels since 5.6 (like in SUSE Linux Enterprise 15 SP4), and it's safe for all kernels.
Fix the source build with new `glibc` like in SUSE Linux Enterprise 15 SP4. (bsc#1197788)

Advisory ID	SUSE-SU-2022:1127-1
Released	Thu Apr 7 17:03:49 2022
Summary	Security update for MozillaFirefox
Type	security
Severity	important
References	1197698,1197903,CVE-2022-1097,CVE-2022-1196,CVE-2022-24713,CVE-2022-28281,CVE-2022-28282,CVE-2022-28285,CVE-2022-28286,CVE-2022-28289

Description:

This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.8.0 ESR (bsc#1197903):
MFSA 2022-14 (bsc#1197903)

CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use
CVE-2022-28281: Fixed an out of bounds write due to unexpected WebAuthN Extensions
CVE-2022-1196: Fixed a use-after-free after VR Process destruction
CVE-2022-28282: Fixed a use-after-free in DocumentL10n::TranslateDocument
CVE-2022-28285: Fixed incorrect AliasSet used in JIT Codegen
CVE-2022-28286: Fixed that iframe contents could be rendered outside the border
CVE-2022-24713: Fixed a denial of service via complex regular expressions
CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

The following non-security bugs were fixed:

Adjust rust dependency for SP3 and later. TW uses always the newest version of rust, but we don't, so we can't use the rust+cargo notation, which would need both < and >= requirements. (bsc#1197698)

Advisory ID	SUSE-RU-2022:1132-1
Released	Fri Apr 8 13:11:16 2022
Summary	Recommended update for kdump
Type	recommended
Severity	moderate
References	1189923,1197069

Description:

This update for kdump fixes the following issues:

Fix return code when no watchdog sysfs entry is found (bsc#1197069)
Add watchdog modules to kdump initrd to ensure kernel crash dumps are properly collected before a machine is rebooted by a watchdog (bsc#1189923)

Advisory ID	SUSE-OU-2022:1134-1
Released	Fri Apr 8 13:11:34 2022
Summary	Optional update for SUSE Package Hub
Type	optional
Severity	moderate
References

Description:

This optional update provides the following changes:

Provide binaries for non x86_64 architectures directly to SUSE Package Hub.
There are no visible changes for the final user.
Affected source packages: gfbgraph, librest, gnome-online-accounts, gcr

Advisory ID	SUSE-RU-2022:1138-1
Released	Fri Apr 8 13:46:18 2022
Summary	Recommended update for gnome-shell
Type	recommended
Severity	moderate
References	1185944,1187571,1190745,1196708

Description:

This update for gnome-shell fixes the following issues:

Show message 'Multiple logins are not supported' when mixed locally/remotely login. (bsc#1190745)
Fix grab issue when destroying open popup menu. (bsc#1187571)
The previous code always restarted whole ECalClientView when it received any changes in it, which could sometimes lead to constant repeated restarts of the view. (bsc#1185944)
Fix the failed login when remotely login. (bsc#1196708)

Advisory ID	SUSE-RU-2022:1143-1
Released	Mon Apr 11 13:01:09 2022
Summary	Recommended update for libxkbcommon
Type	recommended
Severity	moderate
References	1184688

Description:

This update for libxkbcommon fixes the following issues:

Update to release 1.3.0 (jsc#SLE-24272)

* `xkbcli list` was changed to output YAML instead of a custom format. * Fix segmentation fault in case-insensitive `xkb_keysym_from_name` for certain values like the empty string.

Update to release 1.2.1 [boo#1184688]

* Fix `xkb_x11_keymap_new_from_device()` failing when the keymap contains key types with missing level names, like the one used by the `numpad:mac` option in xkeyboard-config. (Regressed in 1.2.0.)

Update to release 1.2.0

* `xkb_x11_keymap_new_from_device()` is much faster. It now performs only 2 roundtrips to the X server, instead of dozens (in first-time calls). * Case-sensitive `xkb_keysym_from_name()` is much faster. * Keysym names of the form `0x12AB` and `U12AB` are parsed more strictly. * Compose files now have a size limit (65535 internal nodes). * Compose table loading (`xkb_compose_table_new_from_locale()` and similar) is much faster.

Update to release 1.1.0

* Update keysym definitions to latest xorgproto. In particular, this adds many special keysyms corresponding to Linux evdev keycodes. * New XKB_KEY_* definitions.

Update to release 1.0.3

* Fix (hopefully) a segfault in xkb_x11_keymap_new_from_device() in some unclear situation (bug introduced in 1.0.2). * Fix keymaps created with xkb_x11_keymap_new_from_device() do not have level names (bug introduced in 0.8.0).

Update to release 1.0.2

* Fix a bug where a keysym that cannot be resolved in a keymap gets compiled to a garbage keysym. Now it is set to XKB_KEY_NoSymbol instead. * Improve the speed of xkb_x11_keymap_new_from_device() on repeated calls in the same xkb_context().

Update to release 1.0.1

* Make the table output of `xkbcli how-to-type` aligned.

Update to release 1.0.0

* Now it is possible to add custom layouts and options at the system (/etc) and user (~/.config) level, at least when libxkbcommon is in use. * libxkbregistry is a C library that lists available XKB models, layouts and variants for a given ruleset. This is a separate library (.so/.pc files) and aimed at tools that provide a listing of available keyboard layouts to the user. * Add an `xkbcli` command-line utility.

Update to release 0.10.0

* Fix quadratic complexity in the XKB file parser. * Add $XDG_CONFIG_HOME/xkb to the default search path. If $XDG_CONFIG_HOME is not set, $HOME/.config/xkb is used. If $HOME is not set, the path is not added. The XDG path is looked up before the existing default search path $HOME/.xkb. * Add support for include statements in XKB rules files. * Fix bug where the merge mode only applied to the first vmod in a 'virtual_modifiers' statement. * Reject interpret modifier predicate with more than one value. * Correctly handle capitalization of the ssharp keysym.

Update to release 0.9.1

* Fix context creation failing when run in privileged processes as defined by `secure_getenv(3)`, e.g. GDM.

Update to release 0.9.0

* Move ~/.xkb to before XKB_CONFIG_ROOT. This enables the user to have full control of the keymap definitions, instead of only augmenting them.

Update to new upstream release 0.8.3

* New APIs: XKB_KEY_XF86MonBrightnessCycle, XKB_KEY_XF86RotationLockToggle.

Advisory ID	SUSE-feature-2022:1144-1
Released	Mon Apr 11 14:38:40 2022
Summary	Feature update for yast2
Type	feature
Severity	important
References	1177863,1190228,1194895,1195059,1195910,1196061,1196120,1196431,1196566,1196590,1196594,1196614,1197265

Description:

This feature update for yast2, yast2-country, yast2-installation, autoyast2, yast2-audit-laf, yast2-fcoe-client, yast2-schema fixes the following issues:
autoyst2:

Properly handle the 'dopackages' option in the openFile method of the AyastSetup module (bsc#1196566)
Avoid login while running AutoYaST init-scripts (bsc#1196594, bsc#1195059)
Add yast namespace to merge.xslt to fix CDATA handling (bsc#1195910)
Modified init-scripts service dependencies fixing a root login systemd timeout when installing with ssh (bsc#1195059)

yast2:

Fixed refreshing old repositories during system upgrade (bsc#1196120, bsc#1190228)

yast2-audit-laf:

Set the name of the auto client in the desktop file (bsc#1196590)

yast2-country:

Fixed passing multiple arguments to 'localectl set-locale' (bsc#1177863)

yast2-fcoe-client:

Added AutoYaST schema (bsc#1194895)

yast2-installation:

Do not stop xvnc.socket but run the YaST2-Second-Stage and YaST2-Firsboot services before it in order to prevent early vnc connections (bsc#1197265)
Run the YaST2-Second-Stage and YaST2-Firsboot services after purge-kernels to prevent a zypper lock error message (bsc#1196431)
Prevent getty auto-generation because it makes xvnc fail when it is started in YaST second stage (bsc#1196614)
Avoid terminal login prompt when running Second Stage service (bsc#1196594, bsc#1195059)
Modified Second Stage service dependencies fixing a root login systemd timeout when installing with ssh (bsc#1195059)
Do not create a Btrfs snapshot at the end of the installation or upgrade when the root filesystem is mounted as read-only (jsc#SLE-22582, jsc#SLE-22560)

yast2-packager:

Ensure that the file handling repositories metadata is properly closed to avoid conflicts and installation errors (bsc#1196061)

yast2-schema:
-Added fcoe-client schema (bsc#1194895)

Advisory ID	SUSE-RU-2022:1145-1
Released	Mon Apr 11 14:59:54 2022
Summary	Recommended update for tcmu-runner
Type	recommended
Severity	moderate
References	1196787

Description:

This update for tcmu-runner fixes the following issues:

fix g_object_unref: assertion 'G_IS_OBJECT (object)' failed. (bsc#1196787)

Advisory ID	SUSE-RU-2022:1146-1
Released	Mon Apr 11 15:40:25 2022
Summary	Recommended update for reload4j
Type	recommended
Severity	moderate
References	1197642

Description:

This update for reload4j fixes the following issues:
This update provides reload4j 1.2.19, a upstream supported drop-in replace of log4j 1.2.x, which is declared EOL upstream.
Additional changes:

Some projects using log4j12 expect the org.apache.log4j.MDC class to have internal boolean variable java1. We add it there just to avoid runtime incompatibilities as a log4j12 drop-in replacement.
Add Provides and Obsoletes to the javadoc package in order to transition smoothly out of log4j12-javadoc and log4j12-manual

Advisory ID	SUSE-RU-2022:1147-1
Released	Mon Apr 11 15:49:43 2022
Summary	Recommended update for containerd
Type	recommended
Severity	moderate
References	1195784

Description:

This update of containerd fixes the following issue:

container-ctr is shipped to the PackageHub repos.

Advisory ID	SUSE-SU-2022:1148-1
Released	Mon Apr 11 15:55:14 2022
Summary	Security update for libexif
Type	security
Severity	important
References	1172768,1172802,1178479,CVE-2020-0181,CVE-2020-0198,CVE-2020-0452

Description:

This update for libexif fixes the following issues:

CVE-2020-0181: Fixed an integer overflow that could lead to denial of service (bsc#1172802).
CVE-2020-0198: Fixed and unsigned integer overflow that could lead to denial of service (bsc#1172768).
CVE-2020-0452: Fixed a buffer overflow check that could be optimized away by the compiler (bsc#1178479).

Advisory ID	SUSE-SU-2022:1149-1
Released	Mon Apr 11 16:29:14 2022
Summary	Security update for mozilla-nss
Type	security
Severity	important
References	1197903,CVE-2022-1097

Description:

This update for mozilla-nss fixes the following issues:
Mozilla NSS 3.68.3 (bsc#1197903): - CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11 tokens are removed while in use.

Advisory ID	SUSE-RU-2022:1150-1
Released	Mon Apr 11 17:34:19 2022
Summary	Recommended update for suse-build-key
Type	recommended
Severity	moderate
References	1197293

Description:

This update for suse-build-key fixes the following issues:
No longer install 1024bit keys by default. (bsc#1197293)

The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package.
The old PTF (pre March 2022) key moved to documentation directory.

Advisory ID	SUSE-RU-2022:1155-1
Released	Tue Apr 12 06:18:52 2022
Summary	Recommended update for fence-agents
Type	recommended
Severity	moderate
References	1196350

Description:

This update for fence-agents fixes the following issues:

Give users the options to timeout while waiting for pending resets and allows them to run a follow command if the reset fails (bsc#1196350)

Advisory ID	SUSE-SU-2022:1156-1
Released	Tue Apr 12 09:55:07 2022
Summary	Security update for opensc
Type	security
Severity	important
References	1114649,1191957,1191992,1192000,1192005,CVE-2021-42779,CVE-2021-42780,CVE-2021-42781,CVE-2021-42782

Description:

This update for opensc fixes the following issues:
Security issues fixed:

CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).

Non-security issues fixed:

Fixes segmentation fault in 'pkcs11-tool.c'. (bsc#1114649)

Advisory ID	SUSE-SU-2022:1157-1
Released	Tue Apr 12 13:26:19 2022
Summary	Security update for libsolv, libzypp, zypper
Type	security
Severity	important
References	1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134

Description:

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

Harden package signature checks (bsc#1184501).

libsolv update to 0.7.22:

reworked choice rule generation to cover more usecases
support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
support parsing of Debian's Multi-Arch indicator
fix segfault on conflict resolution when using bindings
fix split provides not working if the update includes a forbidden vendor change
support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
support zstd compressed control files in debian packages
add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
support solv files with an idarray block
allow accessing the toolversion at runtime

libzypp update to 17.30.0:

ZConfig: Update solver settings if target changes (bsc#1196368)
Fix possible hang in singletrans mode (bsc#1197134)
Do 2 retries if mount is still busy.
Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
Fix handling of ISO media in releaseAll (bsc#1196061)
Hint on common ptf resolver conflicts (bsc#1194848)
Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper update to 1.14.52:

info: print the packages upstream URL if available (fixes #426)
info: Fix SEGV with not installed PTFs (bsc#1196317)
Don't prevent less restrictive umasks (bsc#1195999)

Advisory ID	SUSE-SU-2022:1158-1
Released	Tue Apr 12 14:44:43 2022
Summary	Security update for xz
Type	security
Severity	important
References	1198062,CVE-2022-1271

Description:

This update for xz fixes the following issues:

CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

Advisory ID	SUSE-SU-2022:1162-1
Released	Tue Apr 12 14:58:20 2022
Summary	Security update for subversion
Type	security
Severity	important
References	1197939,1197940,CVE-2021-28544,CVE-2022-24070

Description:

This update for subversion fixes the following issues:

CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by Apache HTTP server. This could be exploited by a remote attacker to cause a denial of service (bsc#1197940).
CVE-2021-28544: Fixed an information leak issue where Subversion servers may reveal the original path of files protected by path-based authorization (bsc#1197939).

Advisory ID	SUSE-SU-2022:1163-1
Released	Tue Apr 12 14:59:52 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194589,1194625,1194649,1194943,1195051,1195353,1195640,1195926,1196018,1196130,1196196,1196478,1196488,1196761,1196823,1196956,1197227,1197243,1197245,1197300,1197302,1197331,1197343,1197366,1197389,1197460,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077,CVE-2021-39698,CVE-2021-45402,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-27223,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2022-0854: Fixed a memory leak flaw was found in the Linux kernels DMA subsystem. This flaw allowed a local user to read random memory from the kernel space. (bnc#1196823)
CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
CVE-2022-1199: Fixed null-ptr-deref and use-after-free vulnerabilities that allow an attacker to crash the linux kernel by simulating Amateur Radio. (bsc#1198028)
CVE-2022-1205: Fixed null pointer dereference and use-after-free vulnerabilities that allow an attacker to crash the linux kernel by simulating Amateur Radio. (bsc#1198027)
CVE-2022-1198: Fixed an use-after-free vulnerability that allow an attacker to crash the linux kernel by simulating Amateur Radio (bsc#1198030).
CVE-2022-1195: Fixed an use-after-free vulnerability which could allow a local attacker with a user privilege to execute a denial of service. (bsc#1198029)
CVE-2022-28389: Fixed a double free in drivers/net/can/usb/mcba_usb.c vulnerability in the Linux kernel. (bnc#1198033)
CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel. (bnc#1198032)
CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel. (bnc#1198031)
CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
CVE-2022-1055: Fixed a use-after-free in tc_new_tfilter that could allow a local attacker to gain privilege escalation. (bnc#1197702)
CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
CVE-2022-27666: Fixed a buffer overflow vulnerability in IPsec ESP transformation code. This flaw allowed a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation. (bnc#1197462)
CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
CVE-2022-27223: Fixed an out-of-array access in /usb/gadget/udc/udc-xilinx.c. (bsc#1197245)
CVE-2021-39698: Fixed a possible memory corruption due to a use after free in aio_poll_complete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
CVE-2021-45402: Fixed a pointer leak in check_alu_op() of kernel/bpf/verifier.c. (bsc#1196130).
CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)

The following non-security bugs were fixed:

ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board (git-fixes).
ACPI: APEI: fix return value of __setup handlers (git-fixes).
ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 (git-fixes).
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data (git-fixes).
ACPI: docs: enumeration: Discourage to use custom _DSM methods (git-fixes).
ACPI: docs: enumeration: Remove redundant .owner assignment (git-fixes).
ACPI: properties: Consistently return -ENOENT if there are no more references (git-fixes).
ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU (git-fixes).
ALSA: cmipci: Restore aux vol on suspend/resume (git-fixes).
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction (git-fixes).
ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS GA402 (git-fixes).
ALSA: oss: Fix PCM OSS buffer allocation overflow (git-fixes).
ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec (git-fixes).
ALSA: pcm: Add stream lock during PCM reset ioctl operations (git-fixes).
ALSA: spi: Add check for clk_enable() (git-fixes).
ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB (git-fixes).
ASoC: atmel_ssc_dai: Handle errors for clk_enable (git-fixes).
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe (git-fixes).
ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data (git-fixes).
ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put (git-fixes).
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback (git-fixes).
ASoC: dwc-i2s: Handle errors for clk_enable (git-fixes).
ASoC: fsi: Add check for clk_enable (git-fixes).
ASoC: fsl_spdif: Disable TX clock when stop (git-fixes).
ASoC: imx-es8328: Fix error return code in imx_es8328_probe() (git-fixes).
ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe (git-fixes).
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe (git-fixes).
ASoC: mxs-saif: Handle errors for clk_enable (git-fixes).
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe (git-fixes).
ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() (git-fixes).
ASoC: SOF: Add missing of_node_put() in imx8m_probe (git-fixes).
ASoC: SOF: topology: remove redundant code (git-fixes).
ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call (git-fixes).
ASoC: ti: davinci-i2s: Add check for clk_enable() (git-fixes).
ASoC: topology: Allow TLV control to be either read or write (git-fixes).
ASoC: topology: Optimize soc_tplg_dapm_graph_elems_load behavior (git-fixes).
ASoC: wm8350: Handle error for wm8350_register_irq (git-fixes).
ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting (git-fixes).
ax25: Fix NULL pointer dereference in ax25_kill_by_device (git-fixes).
ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
block: update io_ticks when io hang (bsc#1197817).
block/wbt: fix negative inflight counter when remove scsi device (bsc#1197819).
bpf: Fix comment for helper bpf_current_task_under_cgroup() (git-fixes).
bpf: Remove config check to enable bpf support for branch records (git-fixes bsc#1177028).
btrfs: avoid unnecessary lock and leaf splits when updating inode in the log (bsc#1194649).
btrfs: avoid unnecessary log mutex contention when syncing log (bsc#1194649).
btrfs: avoid unnecessary logging of xattrs during fast fsyncs (bsc#1194649).
btrfs: check error value from btrfs_update_inode in tree log (bsc#1194649).
btrfs: check if a log root exists before locking the log_mutex on unlink (bsc#1194649).
btrfs: check if a log tree exists at inode_logged() (bsc#1194649).
btrfs: do not commit delayed inode when logging a file in full sync mode (bsc#1194649).
btrfs: do not log new dentries when logging that a new name exists (bsc#1194649).
btrfs: eliminate some false positives when checking if inode was logged (bsc#1194649).
btrfs: fix race leading to unnecessary transaction commit when logging inode (bsc#1194649).
btrfs: fix race that causes unnecessary logging of ancestor inodes (bsc#1194649).
btrfs: fix race that makes inode logging fallback to transaction commit (bsc#1194649).
btrfs: fix race that results in logging old extents during a fast fsync (bsc#1194649).
btrfs: fixup error handling in fixup_inode_link_counts (bsc#1194649).
btrfs: remove no longer needed full sync flag check at inode_logged() (bsc#1194649).
btrfs: Remove unnecessary check from join_running_log_trans (bsc#1194649).
btrfs: remove unnecessary directory inode item update when deleting dir entry (bsc#1194649).
btrfs: remove unnecessary list head initialization when syncing log (bsc#1194649).
btrfs: skip unnecessary searches for xattrs when logging an inode (bsc#1194649).
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path (git-fixes).
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path (git-fixes).
can: mcba_usb: properly check endpoint type (git-fixes).
can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready (git-fixes).
cifs: do not skip link targets when an I/O fails (bsc#1194625).
cifs: use the correct max-length for dentry_path_raw() (bsc1196196).
clk: actions: Terminate clk_div_table with sentinel element (git-fixes).
clk: bcm2835: Remove unused variable (git-fixes).
clk: clps711x: Terminate clk_div_table with sentinel element (git-fixes).
clk: imx7d: Remove audio_mclk_root_clk (git-fixes).
clk: Initialize orphan req_rate (git-fixes).
clk: loongson1: Terminate clk_div_table with sentinel element (git-fixes).
clk: nxp: Remove unused variable (git-fixes).
clk: qcom: gcc-msm8994: Fix gpll4 width (git-fixes).
clk: qcom: ipq8074: Use floor ops for SDCC1 clock (git-fixes).
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver (git-fixes).
clk: uniphier: Fix fixed-rate initialization (git-fixes).
clocksource: acpi_pm: fix return value of __setup handler (git-fixes).
clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() (git-fixes).
cpufreq: schedutil: Destroy mutex before kobject_put() frees (git-fixes)
crypto: authenc - Fix sleep in atomic context in decrypt_tail (git-fixes).
crypto: cavium/nitrox - do not cast parameter in bit operations (git-fixes).
crypto: ccp - ccp_dmaengine_unregister release dma channels (git-fixes).
crypto: ccree - do not attempt 0 len DMA mappings (git-fixes).
crypto: mxs-dcp - Fix scatterlist processing (git-fixes).
crypto: qat - do not cast parameter in bit operations (git-fixes).
crypto: rsa-pkcs1pad - correctly get hash from source scatterlist (git-fixes).
crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() (git-fixes).
crypto: rsa-pkcs1pad - restore signature length check (git-fixes).
crypto: vmx - add missing dependencies (git-fixes).
dma/pool: create dma atomic pool only if dma zone has managed pages (bsc#1197501).
driver core: dd: fix return value of __setup handler (git-fixes).
drm: bridge: adv7511: Fix ADV7535 HPD enablement (git-fixes).
drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug (git-fixes).
drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function (git-fixes).
drm/bridge: dw-hdmi: use safe format when first in bridge chain (git-fixes).
drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe (git-fixes).
drm/doc: overview before functions for drm_writeback.c (git-fixes).
drm/i915: Fix dbuf slice config lookup (git-fixes).
drm/i915/gem: add missing boundary check in vm_access (git-fixes).
drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() (git-fixes).
drm/meson: Fix error handling when afbcd.ops->init fails (git-fixes).
drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops (git-fixes).
drm/msm/dpu: add DSPP blocks teardown (git-fixes).
drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() (git-fixes).
drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings (git-fixes).
drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
drm/vc4: crtc: Fix runtime_pm reference counting (git-fixes).
drm/vc4: crtc: Make sure the HDMI controller is powered when disabling (git-fixes).
drm/vrr: Set VRR capable prop only if it is attached to connector (git-fixes).
Drop HID multitouch fix patch (bsc#1197243),
ecryptfs: fix kernel panic with null dev_name (bsc#1197812).
ecryptfs: Fix typo in message (bsc#1197811).
EDAC: Fix calculation of returned address and next offset in edac_align_ptr() (bsc#1178134).
ext2: correct max file size computing (bsc#1197820).
firmware: google: Properly state IOMEM dependency (git-fixes).
firmware: qcom: scm: Remove reassignment to desc following initializer (git-fixes).
fscrypt: do not ignore minor_hash when hash is 0 (bsc#1197815).
gianfar: ethtool: Fix refcount leak in gfar_get_ts_info (git-fixes).
gpio: ts4900: Do not set DAT and OE together (git-fixes).
gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
HID: multitouch: fix Dell Precision 7550 and 7750 button type (bsc#1197243).
hwmon: (pmbus) Add mutex to regulator ops (git-fixes).
hwmon: (pmbus) Add Vin unit off handling (git-fixes).
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING (git-fixes).
hwrng: atmel - disable trng on failure path (git-fixes).
i915_vma: Rename vma_lookup to i915_vma_lookup (git-fixes).
ibmvnic: fix race between xmit and reset (bsc#1197302 ltc#197259).
iio: accel: mma8452: use the correct logic to get mma8452_data (git-fixes).
iio: adc: Add check for devm_request_threaded_irq (git-fixes).
iio: afe: rescale: use s64 for temporary scale calculations (git-fixes).
iio: inkern: apply consumer scale on IIO_VAL_INT cases (git-fixes).
iio: inkern: apply consumer scale when no channel scale is available (git-fixes).
iio: inkern: make a best effort on offset calculation (git-fixes).
Input: aiptek - properly check endpoint type (git-fixes).
iwlwifi: do not advertise TWT support (git-fixes).
kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
KVM: SVM: Do not flush cache if hardware enforces cache coherency across encryption domains (bsc#1178134).
llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
mac80211: fix potential double free on mesh join (git-fixes).
mac80211: refuse aggregations sessions before authorized (git-fixes).
media: aspeed: Correct value for h-total-pixels (git-fixes).
media: bttv: fix WARNING regression on tunerless devices (git-fixes).
media: coda: Fix missing put_device() call in coda_get_vdoa_data (git-fixes).
media: davinci: vpif: fix unbalanced runtime PM get (git-fixes).
media: em28xx: initialize refcount before kref_get (git-fixes).
media: hantro: Fix overfill bottom register field name (git-fixes).
media: Revert 'media: em28xx: add missing em28xx_close_extension' (git-fixes).
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED (git-fixes).
media: usb: go7007: s2250-board: fix leak in probe() (git-fixes).
media: video/hdmi: handle short reads of hdmi info frame (git-fixes).
membarrier: Execute SYNC_CORE on the calling thread (git-fixes)
membarrier: Explicitly sync remote cores when SYNC_CORE is (git-fixes)
memory: emif: Add check for setup_interrupts (git-fixes).
memory: emif: check the pointer temp in get_device_details() (git-fixes).
misc: alcor_pci: Fix an error handling path (git-fixes).
misc: sgi-gru: Do not cast parameter in bit operations (git-fixes).
mm_zone: add function to check if managed dma zone exists (bsc#1197501).
mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages (bsc#1197501).
mmc: davinci_mmc: Handle error for clk_enable (git-fixes).
mmc: meson: Fix usage of meson_mmc_post_req() (git-fixes).
net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add (git-fixes).
net: enetc: initialize the RFS and RSS memories (git-fixes).
net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx() (git-fixes).
net: phy: broadcom: Fix brcm_fet_config_init() (git-fixes).
net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
net: phy: marvell: Fix invalid comparison in the resume and suspend functions (git-fixes).
net: stmmac: set TxQ mode back to DCB after disabling CBS (git-fixes).
net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
net: watchdog: hold device global xmit lock during tx disable (git-fixes).
net/smc: Fix loop in smc_listen (git-fixes).
net/smc: fix using of uninitialized completions (git-fixes).
net/smc: fix wrong list_del in smc_lgr_cleanup_early (git-fixes).
net/smc: Make sure the link_id is unique (git-fixes).
net/smc: Reset conn->lgr when link group registration fails (git-fixes).
netfilter: conntrack: do not refresh sctp entries in closed state (bsc#1197389).
netxen_nic: fix MSI/MSI-x interrupts (git-fixes).
NFC: port100: fix use-after-free in port100_send_complete (git-fixes).
NFS: Avoid duplicate uncached readdir calls on eof (git-fixes).
NFS: Do not report writeback errors in nfs_getattr() (git-fixes).
NFS: Do not skip directory entries when doing uncached readdir (git-fixes).
NFS: Ensure the server had an up to date ctime before hardlinking (git-fixes).
NFS: Fix initialisation of nfs_client cl_flags field (git-fixes).
NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
NFS: Return valid errors from nfs2/3_decode_dirent() (git-fixes).
NFS: Use of mapping_set_error() results in spurious errors (git-fixes).
nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client (git-fixes).
NFSv4.1: do not retry BIND_CONN_TO_SESSION on session error (git-fixes).
NFSv4/pNFS: Fix another issue with a list iterator pointing to the head (git-fixes).
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init (git-fixes).
pinctrl: mediatek: paris: Fix 'argument' argument type for mtk_pinconf_get() (git-fixes).
pinctrl: mediatek: paris: Fix pingroup pin config state readback (git-fixes).
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe (git-fixes).
pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() (git-fixes).
pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() (git-fixes).
pinctrl: pinconf-generic: Print arguments for bias-pull-* (git-fixes).
pinctrl: samsung: drop pin banks references on error paths (git-fixes).
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe (git-fixes).
PM: hibernate: fix __setup handler error handling (git-fixes).
PM: suspend: fix return value of __setup handler (git-fixes).
powerpc/lib/sstep: Fix 'sthcx' instruction (bsc#1156395).
powerpc/mm: Fix verification of MMU_FTR_TYPE_44x (bsc#1156395).
powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
powerpc/perf: Do not use perf_hw_context for trace IMC PMU (bsc#1156395).
powerpc/perf: Expose Performance Monitor Counter SPR's as part of extended regs (bsc#1198077 ltc#197299).
powerpc/perf: Include PMCs as part of per-cpu cpuhw_events struct (bsc#1198077 ltc#197299).
powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729).
powerpc/sysdev: fix incorrect use to determine if list is empty (bsc#1065729).
powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
powerpc/xive: fix return value of __setup handler (bsc#1065729).
printk: Add panic_in_progress helper (bsc#1197894).
printk: disable optimistic spin during panic (bsc#1197894).
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() (git-fixes).
regulator: qcom_smd: fix for_each_child.cocci warnings (git-fixes).
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region (git-fixes).
remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region (git-fixes).
Revert 'build initrd without systemd' (bsc#1197300).
Revert 'Input: clear BTN_RIGHT/MIDDLE on buttonpads' (bsc#1197243).
Revert 'module, async: async_synchronize_full() on module init iff async is used' (bsc#1197888).
Revert 'Revert 'build initrd without systemd' (bsc#1197300)'
Revert 'usb: dwc3: gadget: Use list_replace_init() before traversing lists' (git-fixes).
s390/bpf: Perform r1 range checking before accessing jit->seen_reg (git-fixes).
s390/gmap: do not unconditionally call pte_unmap_unlock() in __gmap_zap() (git-fixes).
s390/gmap: validate VMA in __gmap_zap() (git-fixes).
s390/hypfs: include z/VM guests with access control group set (bsc#1195640 LTC#196352).
s390/kexec_file: fix error handling when applying relocations (git-fixes).
s390/kexec: fix memory leak of ipl report buffer (git-fixes).
s390/kexec: fix return code handling (git-fixes).
s390/mm: fix VMA and page table handling code in storage key handling functions (git-fixes).
s390/mm: validate VMA in PGSTE manipulation functions (git-fixes).
s390/module: fix loading modules with a lot of relocations (git-fixes).
s390/pci_mmio: fully validate the VMA before calling follow_pte() (git-fixes).
s390/tape: fix timer initialization in tape_std_assign() (bsc#1197677 LTC#197378).
scsi: lpfc: Copyright updates for 14.2.0.0 patches (bsc#1197675).
scsi: lpfc: Drop lpfc_no_handler() (bsc#1197675).
scsi: lpfc: Fix broken SLI4 abort path (bsc#1197675).
scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup() (bsc#1197675).
scsi: lpfc: Fix queue failures when recovering from PCI parity error (bsc#1197675 bsc#1196478).
scsi: lpfc: Fix typos in comments (bsc#1197675).
scsi: lpfc: Fix unload hang after back to back PCI EEH faults (bsc#1197675 bsc#1196478).
scsi: lpfc: Improve PCI EEH Error and Recovery Handling (bsc#1197675 bsc#1196478).
scsi: lpfc: Kill lpfc_bus_reset_handler() (bsc#1197675).
scsi: lpfc: Reduce log messages seen after firmware download (bsc#1197675).
scsi: lpfc: Remove failing soft_wwn support (bsc#1197675).
scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled (bsc#1197675).
scsi: lpfc: Remove redundant flush_workqueue() call (bsc#1197675).
scsi: lpfc: SLI path split: Introduce lpfc_prep_wqe (bsc#1197675).
scsi: lpfc: SLI path split: Refactor Abort paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor base ELS paths and the FLOGI path (bsc#1197675).
scsi: lpfc: SLI path split: Refactor BSG paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor CT paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor fast and slow paths to native SLI4 (bsc#1197675).
scsi: lpfc: SLI path split: Refactor FDISC paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor lpfc_iocbq (bsc#1197675).
scsi: lpfc: SLI path split: Refactor LS_ACC paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor LS_RJT paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor misc ELS paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor PLOGI/PRLI/ADISC/LOGO paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor SCSI paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor the RSCN/SCR/RDF/EDC/FARPR paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor VMID paths (bsc#1197675).
scsi: lpfc: Update lpfc version to 14.2.0.0 (bsc#1197675).
scsi: lpfc: Update lpfc version to 14.2.0.1 (bsc#1197675).
scsi: lpfc: Use fc_block_rport() (bsc#1197675).
scsi: lpfc: Use kcalloc() (bsc#1197675).
scsi: lpfc: Use rport as argument for lpfc_chk_tgt_mapped() (bsc#1197675).
scsi: lpfc: Use rport as argument for lpfc_send_taskmgmt() (bsc#1197675).
scsi: qla2xxx: Fix crash during module load unload test (bsc#1197661).
scsi: qla2xxx: Fix disk failure to rediscover (bsc#1197661).
scsi: qla2xxx: Fix hang due to session stuck (bsc#1197661).
scsi: qla2xxx: Fix incorrect reporting of task management failure (bsc#1197661).
scsi: qla2xxx: Fix laggy FC remote port session recovery (bsc#1197661).
scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test (bsc#1197661).
scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests (bsc#1197661).
scsi: qla2xxx: Fix N2N inconsistent PLOGI (bsc#1197661).
scsi: qla2xxx: Fix stuck session of PRLI reject (bsc#1197661).
scsi: qla2xxx: Fix typos in comments (bsc#1197661).
scsi: qla2xxx: Increase max limit of ql2xnvme_queues (bsc#1197661).
scsi: qla2xxx: Reduce false trigger to login (bsc#1197661).
scsi: qla2xxx: Stop using the SCSI pointer (bsc#1197661).
scsi: qla2xxx: Update version to 10.02.07.400-k (bsc#1197661).
scsi: qla2xxx: Use correct feature type field during RFF_ID processing (bsc#1197661).
scsi: qla2xxx: Use named initializers for port_state_str (bsc#1197661).
scsi: qla2xxx: Use named initializers for q_dev_state (bsc#1197661).
serial: 8250_lpss: Balance reference count for PCI DMA device (git-fixes).
serial: 8250_mid: Balance reference count for PCI DMA device (git-fixes).
serial: 8250: Fix race condition in RTS-after-send handling (git-fixes).
serial: core: Fix the definition name in the comment of UPF_* flags (git-fixes).
soc: qcom: aoss: remove spurious IRQF_ONESHOT flags (git-fixes).
soc: qcom: rpmpd: Check for null return of devm_kcalloc (git-fixes).
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe (git-fixes).
soundwire: intel: fix wrong register name in intel_shim_wake (git-fixes).
spi: pxa2xx-pci: Balance reference count for PCI DMA device (git-fixes).
spi: tegra114: Add missing IRQ check in tegra_spi_probe (git-fixes).
staging: gdm724x: fix use after free in gdm_lte_rx() (git-fixes).
staging:iio:adc:ad7280a: Fix handing of device address bit reversing (git-fixes).
tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
tcp: change source port randomizarion at connect() time (bsc#1180153).
team: protect features update by RCU to avoid deadlock (git-fixes).
thermal: int340x: Check for NULL after calling kmemdup() (git-fixes).
thermal: int340x: Increase bitmap size (git-fixes).
udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() (git-fixes).
Update config files (bsc#1195926 bsc#1175667). VIRTIO_PCI=m -> VIRTIO_PCI=y
usb: bdc: Adb shows offline after resuming from S2 (git-fixes).
usb: bdc: Fix a resource leak in the error handling path of 'bdc_probe()' (git-fixes).
usb: bdc: Fix unused assignment in bdc_probe() (git-fixes).
usb: bdc: remove duplicated error message (git-fixes).
usb: bdc: Use devm_clk_get_optional() (git-fixes).
usb: bdc: use devm_platform_ioremap_resource() to simplify code (git-fixes).
usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
usb: dwc2: gadget: Fix kill_all_requests race (git-fixes).
usb: dwc3: gadget: Use list_replace_init() before traversing lists (git-fixes).
usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
usb: dwc3: qcom: add IRQ check (git-fixes).
usb: gadget: bdc: use readl_poll_timeout() to simplify code (git-fixes).
usb: gadget: Fix use-after-free bug by not setting udc->dev.driver (git-fixes).
usb: gadget: rndis: prevent integer overflow in rndis_set_response() (git-fixes).
usb: host: xen-hcd: add missing unlock in error path (git-fixes).
usb: hub: Fix locking issues with address0_mutex (git-fixes).
usb: usbtmc: Fix bug in pipe direction for control transfers (git-fixes).
VFS: filename_create(): fix incorrect intent (bsc#1197534).
video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (git-fixes).
video: fbdev: controlfb: Fix COMPILE_TEST build (git-fixes).
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (git-fixes).
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (git-fixes).
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (git-fixes).
VMCI: Fix the description of vmci_check_host_caps() (git-fixes).
vsprintf: Fix %pK with kptr_restrict == 0 (bsc#1197889).
wireguard: queueing: use CFI-safe ptr_ring cleanup function (git-fixes).
wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST (git-fixes).
wireguard: socket: free skb in send6 when ipv6 is disabled (git-fixes).
wireguard: socket: ignore v6 endpoints when ipv6 is disabled (git-fixes).
x86/cpu: Add hardware-enforced cache coherency as a CPUID feature (bsc#1178134).
x86/mm/pat: Do not flush cache if hardware enforces cache coherency across encryption domnains (bsc#1178134).
x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT (bsc#1178134).
x86/speculation: Warn about Spectre v2 LFENCE mitigation (bsc#1178134).
xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
xhci: fix garbage USBSTS being logged in some cases (git-fixes).

Advisory ID	SUSE-SU-2022:1164-1
Released	Tue Apr 12 15:03:24 2022
Summary	Security update for go1.16
Type	security
Severity	important
References	1182345,1183043,1196732,CVE-2022-24921

Description:

This update for go1.16 fixes the following issues:
Update to version 1.16.15 (bsc#1182345): - CVE-2022-24921: Fixed a potential denial of service via large regular expressions (bsc#1196732).
Non-security fixes: - Fixed an issue with v2 modules (go#51331). - Fixed an issue when building source in riscv64 (go#51198). - Increased compatibility for the DNS protocol in the net module (go#51161). - Fixed an issue with histograms in the runtime/metrics module (go#50733).

Advisory ID	SUSE-RU-2022:1166-1
Released	Tue Apr 12 16:18:25 2022
Summary	Recommended update for cloud-regionsrv-client
Type	recommended
Severity	important
References

Description:

Recommended update for cloud-regionsrv-client contains the following fix:
cloud-regionsrv-client: Shipping cloud-regionsrv-client-addon-azure to unrestricted channels. (#MSC-282)

Advisory ID	SUSE-SU-2022:1167-1
Released	Tue Apr 12 17:51:47 2022
Summary	Security update for go1.17
Type	security
Severity	important
References	1183043,1190649,1196732,CVE-2022-24921

Description:

This update for go1.17 fixes the following issues:
Update to version 1.17.8 (bsc#1190649): - CVE-2022-24921: Fixed a potential denial of service via large regular expressions (bsc#1196732).
Non-security fixes: - Fixed an issue with v2 modules (go#51332). - Fixed an issue when building source in riscv64 (go#51199). - Increased compatibility for the DNS protocol in the net module (go#51162). - Fixed an issue with histograms in the runtime/metrics module (go#50734). - Fixed an issue when parsing x509 certificates (go#51000).

Advisory ID	SUSE-RU-2022:1170-1
Released	Tue Apr 12 18:20:07 2022
Summary	Recommended update for systemd
Type	recommended
Severity	moderate
References	1191502,1193086,1195247,1195529,1195899,1196567

Description:

This update for systemd fixes the following issues:

Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one.
Don't open /var journals in volatile mode when runtime_journal==NULL
udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
man: tweak description of auto/noauto (bsc#1191502)
shared/install: ignore failures for auxiliary files
install: make UnitFileChangeType enum anonymous
shared/install: reduce scope of iterator variables
systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
Drop or soften some of the deprecation warnings (bsc#1193086)

Advisory ID	SUSE-RU-2022:1175-1
Released	Wed Apr 13 10:40:30 2022
Summary	Recommended update for crmsh
Type	recommended
Severity	moderate
References	1196726,1197351

Description:

This update for crmsh fixes the following issues:

utils: Update 'detect_cloud' pattern for 'aws'. (bsc#1197351)
Fix: utils: Only raise exception when return code of systemctl command over ssh larger than 4. (bsc#1196726)

Advisory ID	SUSE-SU-2022:1176-1
Released	Wed Apr 13 12:15:44 2022
Summary	Security update for MozillaThunderbird
Type	security
Severity	important
References	1197903,CVE-2022-1097,CVE-2022-1196,CVE-2022-1197,CVE-2022-24713,CVE-2022-28281,CVE-2022-28282,CVE-2022-28285,CVE-2022-28286,CVE-2022-28289

Description:

This update for MozillaThunderbird fixes the following issues:

Updated to version 91.8 (bsc#1197903): - CVE-2022-1097: Fixed a memory corruption issue with NSSToken objects. - CVE-2022-28281: Fixed a memory corruption issue due to unexpected WebAuthN Extensions. - CVE-2022-1197: Fixed an issue where OpenPGP revocation information was ignored. - CVE-2022-1196: Fixed a memory corruption issue after VR process destruction. - CVE-2022-28282: Fixed a memory corruption issue in document translation. - CVE-2022-28285: Fixed a memory corruption issue in JIT code generation. - CVE-2022-28286: Fixed an iframe layout issue that could have been exploited to stage spoofing attacks. - CVE-2022-24713: Fixed a potential denial of service via complex regular expressions. - CVE-2022-28289: Fixed multiple memory corruption issues.

Non-security fixes:

Changed Google accounts using password authentication to use OAuth2.
Fixed an issue where OpenPGP ECC keys created by Thunderbird could not be imported into GnuPG.
Fixed an issue where exporting multiple public PGP keys from Thunderbird was not possible.
Fixed an issue where replying to a newsgroup message erroneously displayed a 'No-reply' popup warning.
Fixed an issue with opening older address books.
Fixed an issue where LDAP directories would be lost when switching to 'Offline' mode.
Fixed an issue when importing webcals.

Advisory ID	SUSE-RU-2022:1179-1
Released	Wed Apr 13 15:47:16 2022
Summary	Recommended update for net-snmp
Type	recommended
Severity	moderate
References	1196955

Description:

This update for net-snmp fixes the following issues:

Decouple snmp-mibs from net-snmp version to allow major version upgrade (bsc#1196955).

Advisory ID	SUSE-SU-2022:1183-1
Released	Wed Apr 13 16:58:27 2022
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194649,1195640,1195926,1196018,1196196,1196478,1196761,1196823,1197227,1197243,1197300,1197302,1197331,1197343,1197366,1197389,1197462,1197501,1197534,1197661,1197675,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1197914,1198027,1198028,1198029,1198030,1198031,1198032,1198033,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.
The following security bugs were fixed:

CVE-2022-0854: Fixed a memory leak flaw was found in the Linux kernels DMA subsystem. This flaw allowed a local user to read random memory from the kernel space. (bnc#1196823)
CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution. (bsc#1197227)
CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel. (bnc#1198031)
CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel. (bnc#1198032)
CVE-2022-28389: Fixed a double free in drivers/net/can/usb/mcba_usb.c vulnerability in the Linux kernel. (bnc#1198033)
CVE-2022-1055: Fixed a use-after-free in tc_new_tfilter that could allow a local attacker to gain privilege escalation. (bnc#1197702)
CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock. (bsc#1197331)
CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file. (bnc#1197366)
CVE-2022-27666: Fixed a buffer overflow vulnerability in IPsec ESP transformation code. This flaw allowed a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation. (bnc#1197462)
CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c. (bsc#1196761)
CVE-2022-1199: Fixed null-ptr-deref and use-after-free vulnerabilities that allow an attacker to crash the linux kernel by simulating Amateur Radio. (bsc#1198028)
CVE-2022-1205: Fixed null pointer dereference and use-after-free vulnerabilities that allow an attacker to crash the linux kernel by simulating Amateur Radio. (bsc#1198027)
CVE-2022-1198: Fixed an use-after-free vulnerability that allow an attacker to crash the linux kernel by simulating Amateur Radio (bsc#1198030).
CVE-2022-1195: Fixed an use-after-free vulnerability which could allow a local attacker with a user privilege to execute a denial of service. (bsc#1198029)
CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)

The following non-security bugs were fixed:

ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board (git-fixes).
ACPI: APEI: fix return value of __setup handlers (git-fixes).
ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 (git-fixes).
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data (git-fixes).
ACPI: docs: enumeration: Discourage to use custom _DSM methods (git-fixes).
ACPI: docs: enumeration: Remove redundant .owner assignment (git-fixes).
ACPI: docs: enumeration: Update UART serial bus resource documentation (git-fixes).
ACPI: properties: Consistently return -ENOENT if there are no more references (git-fixes).
ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU (git-fixes).
ALSA: cmipci: Restore aux vol on suspend/resume (git-fixes).
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction (git-fixes).
ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (git-fixes).
ALSA: hda/realtek: Add quirk for ASUS GA402 (git-fixes).
ALSA: oss: Fix PCM OSS buffer allocation overflow (git-fixes).
ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec (git-fixes).
ALSA: pcm: Add stream lock during PCM reset ioctl operations (git-fixes).
ALSA: spi: Add check for clk_enable() (git-fixes).
ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB (git-fixes).
ASoC: atmel_ssc_dai: Handle errors for clk_enable (git-fixes).
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe (git-fixes).
ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data (git-fixes).
ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put (git-fixes).
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback (git-fixes).
ASoC: dwc-i2s: Handle errors for clk_enable (git-fixes).
ASoC: fsi: Add check for clk_enable (git-fixes).
ASoC: fsl_spdif: Disable TX clock when stop (git-fixes).
ASoC: imx-es8328: Fix error return code in imx_es8328_probe() (git-fixes).
ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe (git-fixes).
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe (git-fixes).
ASoC: mxs-saif: Handle errors for clk_enable (git-fixes).
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe (git-fixes).
ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() (git-fixes).
ASoC: SOF: Add missing of_node_put() in imx8m_probe (git-fixes).
ASoC: SOF: topology: remove redundant code (git-fixes).
ASoC: sti: Fix deadlock via snd_pcm_stop_xrun() call (git-fixes).
ASoC: ti: davinci-i2s: Add check for clk_enable() (git-fixes).
ASoC: topology: Allow TLV control to be either read or write (git-fixes).
ASoC: topology: Optimize soc_tplg_dapm_graph_elems_load behavior (git-fixes).
ASoC: wm8350: Handle error for wm8350_register_irq (git-fixes).
ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting (git-fixes).
ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32 (bsc#1196018).
block: update io_ticks when io hang (bsc#1197817).
block/wbt: fix negative inflight counter when remove scsi device (bsc#1197819).
bpf: Fix comment for helper bpf_current_task_under_cgroup() (git-fixes).
bpf: Remove config check to enable bpf support for branch records (git-fixes bsc#1177028).
btrfs: avoid unnecessary lock and leaf splits when updating inode in the log (bsc#1194649).
btrfs: avoid unnecessary log mutex contention when syncing log (bsc#1194649).
btrfs: avoid unnecessary logging of xattrs during fast fsyncs (bsc#1194649).
btrfs: check error value from btrfs_update_inode in tree log (bsc#1194649).
btrfs: check if a log root exists before locking the log_mutex on unlink (bsc#1194649).
btrfs: check if a log tree exists at inode_logged() (bsc#1194649).
btrfs: do not commit delayed inode when logging a file in full sync mode (bsc#1194649).
btrfs: do not log new dentries when logging that a new name exists (bsc#1194649).
btrfs: eliminate some false positives when checking if inode was logged (bsc#1194649).
btrfs: fix race leading to unnecessary transaction commit when logging inode (bsc#1194649).
btrfs: fix race that causes unnecessary logging of ancestor inodes (bsc#1194649).
btrfs: fix race that makes inode logging fallback to transaction commit (bsc#1194649).
btrfs: fix race that results in logging old extents during a fast fsync (bsc#1194649).
btrfs: fixup error handling in fixup_inode_link_counts (bsc#1194649).
btrfs: remove no longer needed full sync flag check at inode_logged() (bsc#1194649).
btrfs: Remove unnecessary check from join_running_log_trans (bsc#1194649).
btrfs: remove unnecessary directory inode item update when deleting dir entry (bsc#1194649).
btrfs: remove unnecessary list head initialization when syncing log (bsc#1194649).
btrfs: skip unnecessary searches for xattrs when logging an inode (bsc#1194649).
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path (git-fixes).
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path (git-fixes).
can: mcba_usb: properly check endpoint type (git-fixes).
can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready (git-fixes).
cifs: use the correct max-length for dentry_path_raw() (bsc1196196).
clk: actions: Terminate clk_div_table with sentinel element (git-fixes).
clk: bcm2835: Remove unused variable (git-fixes).
clk: clps711x: Terminate clk_div_table with sentinel element (git-fixes).
clk: imx7d: Remove audio_mclk_root_clk (git-fixes).
clk: Initialize orphan req_rate (git-fixes).
clk: loongson1: Terminate clk_div_table with sentinel element (git-fixes).
clk: nxp: Remove unused variable (git-fixes).
clk: qcom: clk-rcg2: Update logic to calculate D value for RCG (git-fixes).
clk: qcom: clk-rcg2: Update the frac table for pixel clock (git-fixes).
clk: qcom: gcc-msm8994: Fix gpll4 width (git-fixes).
clk: qcom: ipq8074: Use floor ops for SDCC1 clock (git-fixes).
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver (git-fixes).
clk: uniphier: Fix fixed-rate initialization (git-fixes).
clocksource: acpi_pm: fix return value of __setup handler (git-fixes).
clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() (git-fixes).
cpufreq: schedutil: Destroy mutex before kobject_put() frees (git-fixes)
crypto: authenc - Fix sleep in atomic context in decrypt_tail (git-fixes).
crypto: cavium/nitrox - do not cast parameter in bit operations (git-fixes).
crypto: ccp - ccp_dmaengine_unregister release dma channels (git-fixes).
crypto: ccree - do not attempt 0 len DMA mappings (git-fixes).
crypto: mxs-dcp - Fix scatterlist processing (git-fixes).
crypto: qat - do not cast parameter in bit operations (git-fixes).
crypto: rsa-pkcs1pad - correctly get hash from source scatterlist (git-fixes).
crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() (git-fixes).
crypto: rsa-pkcs1pad - restore signature length check (git-fixes).
crypto: vmx - add missing dependencies (git-fixes).
dma/pool: create dma atomic pool only if dma zone has managed pages (bsc#1197501).
driver core: dd: fix return value of __setup handler (git-fixes).
drm: add a locked version of drm_is_current_master (bsc#1197914).
drm: bridge: adv7511: Fix ADV7535 HPD enablement (git-fixes).
drm: drm_file struct kABI compatibility workaround (bsc#1197914).
drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
drm: serialize drm_file.master with a new spinlock (bsc#1197914).
drm: use the lookup lock in drm_is_current_master (bsc#1197914).
drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug (git-fixes).
drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function (git-fixes).
drm/bridge: dw-hdmi: use safe format when first in bridge chain (git-fixes).
drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe (git-fixes).
drm/doc: overview before functions for drm_writeback.c (git-fixes).
drm/i915: Fix dbuf slice config lookup (git-fixes).
drm/i915/gem: add missing boundary check in vm_access (git-fixes).
drm/imx: parallel-display: Remove bus flags check in imx_pd_bridge_atomic_check() (git-fixes).
drm/meson: Fix error handling when afbcd.ops->init fails (git-fixes).
drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops (git-fixes).
drm/msm/dpu: add DSPP blocks teardown (git-fixes).
drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() (git-fixes).
drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings (git-fixes).
drm/vc4: crtc: Fix runtime_pm reference counting (git-fixes).
drm/vc4: crtc: Make sure the HDMI controller is powered when disabling (git-fixes).
drm/vrr: Set VRR capable prop only if it is attached to connector (git-fixes).
ecryptfs: fix kernel panic with null dev_name (bsc#1197812).
ecryptfs: Fix typo in message (bsc#1197811).
ext2: correct max file size computing (bsc#1197820).
firmware: google: Properly state IOMEM dependency (git-fixes).
firmware: qcom: scm: Remove reassignment to desc following initializer (git-fixes).
fscrypt: do not ignore minor_hash when hash is 0 (bsc#1197815).
HID: multitouch: fix Dell Precision 7550 and 7750 button type (bsc#1197243).
hwmon: (pmbus) Add mutex to regulator ops (git-fixes).
hwmon: (pmbus) Add Vin unit off handling (git-fixes).
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING (git-fixes).
hwrng: atmel - disable trng on failure path (git-fixes).
i915_vma: Rename vma_lookup to i915_vma_lookup (git-fixes).
ibmvnic: fix race between xmit and reset (bsc#1197302 ltc#197259).
iio: accel: mma8452: use the correct logic to get mma8452_data (git-fixes).
iio: adc: Add check for devm_request_threaded_irq (git-fixes).
iio: afe: rescale: use s64 for temporary scale calculations (git-fixes).
iio: inkern: apply consumer scale on IIO_VAL_INT cases (git-fixes).
iio: inkern: apply consumer scale when no channel scale is available (git-fixes).
iio: inkern: make a best effort on offset calculation (git-fixes).
Input: aiptek - properly check endpoint type (git-fixes).
iwlwifi: do not advertise TWT support (git-fixes).
KVM: SVM: Do not flush cache if hardware enforces cache coherency across encryption domains (bsc#1178134).
llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
mac80211: fix potential double free on mesh join (git-fixes).
mac80211: refuse aggregations sessions before authorized (git-fixes).
media: aspeed: Correct value for h-total-pixels (git-fixes).
media: bttv: fix WARNING regression on tunerless devices (git-fixes).
media: coda: Fix missing put_device() call in coda_get_vdoa_data (git-fixes).
media: davinci: vpif: fix unbalanced runtime PM get (git-fixes).
media: em28xx: initialize refcount before kref_get (git-fixes).
media: hantro: Fix overfill bottom register field name (git-fixes).
media: Revert 'media: em28xx: add missing em28xx_close_extension' (git-fixes).
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED (git-fixes).
media: usb: go7007: s2250-board: fix leak in probe() (git-fixes).
media: video/hdmi: handle short reads of hdmi info frame (git-fixes).
membarrier: Execute SYNC_CORE on the calling thread (git-fixes)
membarrier: Explicitly sync remote cores when SYNC_CORE is (git-fixes)
memory: emif: Add check for setup_interrupts (git-fixes).
memory: emif: check the pointer temp in get_device_details() (git-fixes).
misc: alcor_pci: Fix an error handling path (git-fixes).
misc: sgi-gru: Do not cast parameter in bit operations (git-fixes).
mm_zone: add function to check if managed dma zone exists (bsc#1197501).
mm: add vma_lookup(), update find_vma_intersection() comments (git-fixes).
mm/page_alloc.c: do not warn allocation failure on zone DMA if no managed pages (bsc#1197501).
mmc: davinci_mmc: Handle error for clk_enable (git-fixes).
net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add (git-fixes).
net: enetc: initialize the RFS and RSS memories (git-fixes).
net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx() (git-fixes).
net: phy: broadcom: Fix brcm_fet_config_init() (git-fixes).
net: phy: marvell: Fix invalid comparison in the resume and suspend functions (git-fixes).
net: stmmac: set TxQ mode back to DCB after disabling CBS (git-fixes).
net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (bsc#1196018).
net: watchdog: hold device global xmit lock during tx disable (git-fixes).
net/smc: Fix loop in smc_listen (git-fixes).
net/smc: fix using of uninitialized completions (git-fixes).
net/smc: fix wrong list_del in smc_lgr_cleanup_early (git-fixes).
net/smc: Make sure the link_id is unique (git-fixes).
net/smc: Reset conn->lgr when link group registration fails (git-fixes).
netfilter: conntrack: do not refresh sctp entries in closed state (bsc#1197389).
netxen_nic: fix MSI/MSI-x interrupts (git-fixes).
NFS: Avoid duplicate uncached readdir calls on eof (git-fixes).
NFS: Do not report writeback errors in nfs_getattr() (git-fixes).
NFS: Do not skip directory entries when doing uncached readdir (git-fixes).
NFS: Ensure the server had an up to date ctime before hardlinking (git-fixes).
NFS: Fix initialisation of nfs_client cl_flags field (git-fixes).
NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
NFS: Return valid errors from nfs2/3_decode_dirent() (git-fixes).
NFS: Use of mapping_set_error() results in spurious errors (git-fixes).
NFS: nfsd4_setclientid_confirm mistakenly expires confirmed client (git-fixes).
NFS: do not retry BIND_CONN_TO_SESSION on session error (git-fixes).
NFS: Fix another issue with a list iterator pointing to the head (git-fixes).
nl80211: Update bss channel on channel switch for P2P_CLIENT (git-fixes).
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init (git-fixes).
pinctrl: mediatek: paris: Fix 'argument' argument type for mtk_pinconf_get() (git-fixes).
pinctrl: mediatek: paris: Fix pingroup pin config state readback (git-fixes).
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe (git-fixes).
pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() (git-fixes).
pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() (git-fixes).
pinctrl: pinconf-generic: Print arguments for bias-pull-* (git-fixes).
pinctrl: samsung: drop pin banks references on error paths (git-fixes).
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe (git-fixes).
PM: hibernate: fix __setup handler error handling (git-fixes).
PM: suspend: fix return value of __setup handler (git-fixes).
powerpc/lib/sstep: Fix 'sthcx' instruction (bsc#1156395).
powerpc/mm: Fix verification of MMU_FTR_TYPE_44x (bsc#1156395).
powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
powerpc/perf: Do not use perf_hw_context for trace IMC PMU (bsc#1156395).
powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729).
powerpc/sysdev: fix incorrect use to determine if list is empty (bsc#1065729).
powerpc/tm: Fix more userspace r13 corruption (bsc#1065729).
powerpc/xive: fix return value of __setup handler (bsc#1065729).
printk: Add panic_in_progress helper (bsc#1197894).
printk: disable optimistic spin during panic (bsc#1197894).
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() (git-fixes).
regulator: qcom_smd: fix for_each_child.cocci warnings (git-fixes).
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region (git-fixes).
remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region (git-fixes).
s390/bpf: Perform r1 range checking before accessing jit->seen_reg (git-fixes).
s390/gmap: do not unconditionally call pte_unmap_unlock() in __gmap_zap() (git-fixes).
s390/gmap: validate VMA in __gmap_zap() (git-fixes).
s390/hypfs: include z/VM guests with access control group set (bsc#1195640 LTC#196352).
s390/kexec_file: fix error handling when applying relocations (git-fixes).
s390/kexec: fix memory leak of ipl report buffer (git-fixes).
s390/kexec: fix return code handling (git-fixes).
s390/mm: fix VMA and page table handling code in storage key handling functions (git-fixes).
s390/mm: validate VMA in PGSTE manipulation functions (git-fixes).
s390/module: fix loading modules with a lot of relocations (git-fixes).
s390/pci_mmio: fully validate the VMA before calling follow_pte() (git-fixes).
scsi: lpfc: Copyright updates for 14.2.0.0 patches (bsc#1197675).
scsi: lpfc: Drop lpfc_no_handler() (bsc#1197675).
scsi: lpfc: Fix broken SLI4 abort path (bsc#1197675).
scsi: lpfc: Fix locking for lpfc_sli_iocbq_lookup() (bsc#1197675).
scsi: lpfc: Fix queue failures when recovering from PCI parity error (bsc#1197675 bsc#1196478).
scsi: lpfc: Fix typos in comments (bsc#1197675).
scsi: lpfc: Fix unload hang after back to back PCI EEH faults (bsc#1197675 bsc#1196478).
scsi: lpfc: Improve PCI EEH Error and Recovery Handling (bsc#1197675 bsc#1196478).
scsi: lpfc: Kill lpfc_bus_reset_handler() (bsc#1197675).
scsi: lpfc: Reduce log messages seen after firmware download (bsc#1197675).
scsi: lpfc: Remove failing soft_wwn support (bsc#1197675).
scsi: lpfc: Remove NVMe support if kernel has NVME_FC disabled (bsc#1197675).
scsi: lpfc: Remove redundant flush_workqueue() call (bsc#1197675).
scsi: lpfc: SLI path split: Introduce lpfc_prep_wqe (bsc#1197675).
scsi: lpfc: SLI path split: Refactor Abort paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor base ELS paths and the FLOGI path (bsc#1197675).
scsi: lpfc: SLI path split: Refactor BSG paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor CT paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor fast and slow paths to native SLI4 (bsc#1197675).
scsi: lpfc: SLI path split: Refactor FDISC paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor lpfc_iocbq (bsc#1197675).
scsi: lpfc: SLI path split: Refactor LS_ACC paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor LS_RJT paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor misc ELS paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor PLOGI/PRLI/ADISC/LOGO paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor SCSI paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor the RSCN/SCR/RDF/EDC/FARPR paths (bsc#1197675).
scsi: lpfc: SLI path split: Refactor VMID paths (bsc#1197675).
scsi: lpfc: Update lpfc version to 14.2.0.0 (bsc#1197675).
scsi: lpfc: Update lpfc version to 14.2.0.1 (bsc#1197675).
scsi: lpfc: Use fc_block_rport() (bsc#1197675).
scsi: lpfc: Use kcalloc() (bsc#1197675).
scsi: lpfc: Use rport as argument for lpfc_chk_tgt_mapped() (bsc#1197675).
scsi: lpfc: Use rport as argument for lpfc_send_taskmgmt() (bsc#1197675).
scsi: qla2xxx: Fix crash during module load unload test (bsc#1197661).
scsi: qla2xxx: Fix disk failure to rediscover (bsc#1197661).
scsi: qla2xxx: Fix hang due to session stuck (bsc#1197661).
scsi: qla2xxx: Fix incorrect reporting of task management failure (bsc#1197661).
scsi: qla2xxx: Fix laggy FC remote port session recovery (bsc#1197661).
scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test (bsc#1197661).
scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests (bsc#1197661).
scsi: qla2xxx: Fix N2N inconsistent PLOGI (bsc#1197661).
scsi: qla2xxx: Fix stuck session of PRLI reject (bsc#1197661).
scsi: qla2xxx: Fix typos in comments (bsc#1197661).
scsi: qla2xxx: Increase max limit of ql2xnvme_queues (bsc#1197661).
scsi: qla2xxx: Reduce false trigger to login (bsc#1197661).
scsi: qla2xxx: Stop using the SCSI pointer (bsc#1197661).
scsi: qla2xxx: Update version to 10.02.07.400-k (bsc#1197661).
scsi: qla2xxx: Use correct feature type field during RFF_ID processing (bsc#1197661).
scsi: qla2xxx: Use named initializers for port_state_str (bsc#1197661).
scsi: qla2xxx: Use named initializers for q_dev_state (bsc#1197661).
serial: 8250_lpss: Balance reference count for PCI DMA device (git-fixes).
serial: 8250_mid: Balance reference count for PCI DMA device (git-fixes).
serial: 8250: Fix race condition in RTS-after-send handling (git-fixes).
serial: core: Fix the definition name in the comment of UPF_* flags (git-fixes).
soc: qcom: aoss: remove spurious IRQF_ONESHOT flags (git-fixes).
soc: qcom: rpmpd: Check for null return of devm_kcalloc (git-fixes).
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe (git-fixes).
soundwire: intel: fix wrong register name in intel_shim_wake (git-fixes).
spi: pxa2xx-pci: Balance reference count for PCI DMA device (git-fixes).
spi: tegra114: Add missing IRQ check in tegra_spi_probe (git-fixes).
staging:iio:adc:ad7280a: Fix handing of device address bit reversing (git-fixes).
tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
tcp: change source port randomizarion at connect() time (bsc#1180153).
thermal: int340x: Check for NULL after calling kmemdup() (git-fixes).
thermal: int340x: Increase bitmap size (git-fixes).
udp_tunnel: Fix end of loop test in udp_tunnel_nic_unregister() (git-fixes).
Update config files (bsc#1195926 bsc#1175667). VIRTIO_PCI=m -> VIRTIO_PCI=y
usb: bdc: Adb shows offline after resuming from S2 (git-fixes).
usb: bdc: Fix a resource leak in the error handling path of 'bdc_probe()' (git-fixes).
usb: bdc: Fix unused assignment in bdc_probe() (git-fixes).
usb: bdc: remove duplicated error message (git-fixes).
usb: bdc: Use devm_clk_get_optional() (git-fixes).
usb: bdc: use devm_platform_ioremap_resource() to simplify code (git-fixes).
usb: dwc3: gadget: Use list_replace_init() before traversing lists (git-fixes).
usb: dwc3: qcom: add IRQ check (git-fixes).
usb: gadget: bdc: use readl_poll_timeout() to simplify code (git-fixes).
usb: gadget: Fix use-after-free bug by not setting udc->dev.driver (git-fixes).
usb: gadget: rndis: prevent integer overflow in rndis_set_response() (git-fixes).
usb: usbtmc: Fix bug in pipe direction for control transfers (git-fixes).
VFS: filename_create(): fix incorrect intent (bsc#1197534).
video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (git-fixes).
video: fbdev: controlfb: Fix COMPILE_TEST build (git-fixes).
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (git-fixes).
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen (git-fixes).
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (git-fixes).
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (git-fixes).
VMCI: Fix the description of vmci_check_host_caps() (git-fixes).
vsprintf: Fix %pK with kptr_restrict == 0 (bsc#1197889).
wireguard: queueing: use CFI-safe ptr_ring cleanup function (git-fixes).
wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST (git-fixes).
wireguard: socket: free skb in send6 when ipv6 is disabled (git-fixes).
wireguard: socket: ignore v6 endpoints when ipv6 is disabled (git-fixes).
x86/cpu: Add hardware-enforced cache coherency as a CPUID feature (bsc#1178134).
x86/mm/pat: Do not flush cache if hardware enforces cache coherency across encryption domnains (bsc#1178134).
x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT (bsc#1178134).
x86/speculation: Warn about Spectre v2 LFENCE mitigation (bsc#1178134).
xhci: fix garbage USBSTS being logged in some cases (git-fixes).

Advisory ID	SUSE-RU-2022:1190-1
Released	Wed Apr 13 20:52:23 2022
Summary	Recommended update for cloud-init
Type	recommended
Severity	important
References	1192343

Description:

This update for cloud-init contains the following fixes:

Update to version 21.4 (bsc#1192343, jsc#PM-3181) + Also include VMWare functionality for (jsc#PM-3175) + Remove patches included upstream. + Forward port fixes. + Fix for VMware Test, system dependend, not properly mocked previously. + Azure: fallback nic needs to be reevaluated during reprovisioning (#1094) [Anh Vo] + azure: pps imds (#1093) [Anh Vo] + testing: Remove calls to 'install_new_cloud_init' (#1092) + Add LXD datasource (#1040) + Fix unhandled apt_configure case. (#1065) [Brett Holman] + Allow libexec for hotplug (#1088) + Add necessary mocks to test_ovf unit tests (#1087) + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336) + distros: Remove a completed 'TODO' comment (#1086) + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083) [dermotbradley] + Add 'install hotplug' module (SC-476) (#1069) (LP: #1946003) + hosts.alpine.tmpl: rearrange the order of short and long hostnames (#1084) [dermotbradley] + Add max version to docutils + cloudinit/dmi.py: Change warning to debug to prevent console display (#1082) [dermotbradley] + remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele Giuseppe Esposito] + Add module 'write-files-deferred' executed in stage 'final' (#916) [Lucendio] + Bump pycloudlib to fix CI (#1080) + Remove pin in dependencies for jsonschema (#1078) + Add 'Google' as possible system-product-name (#1077) [vteratipally] + Update Debian security suite for bullseye (#1076) [Johann Queuniet] + Leave the details of service management to the distro (#1074) [Andy Fiddaman] + Fix typos in setup.py (#1059) [Christian Clauss] + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644) + cc_ssh.py: fix private key group owner and permissions (#1070) [Emanuele Giuseppe Esposito] + VMware: read network-config from ISO (#1066) [Thomas Weißschuh] + testing: mock sleep in gce unit tests (#1072) + CloudStack: fix data-server DNS resolution (#1004) [Olivier Lemasle] (LP: #1942232) + Fix unit test broken by pyyaml upgrade (#1071) + testing: add get_cloud function (SC-461) (#1038) + Inhibit sshd-keygen@.service if cloud-init is active (#1028) [Ryan Harper] + VMWARE: search the deployPkg plugin in multiarch dir (#1061) [xiaofengw-vmware] (LP: #1944946) + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493) + Use specified tmp location for growpart (#1046) [jshen28] + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman] + Allow comments in runcmd and report failed commands correctly (#1049) [Brett Holman] (LP: #1853146) + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050) [Paride Legovini] + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299) + renderer: convert relative imports to absolute (#1052) [Paride Legovini] + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045) [Vlastimil Holer] + integration-requirements: bump the pycloudlib commit (#1047) [Paride Legovini] + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095] + pin jsonschema in requirements.txt (#1043) + testing: remove cloud_tests (#1020) + Add andgein as contributor (#1042) [Andrew Gein] + Make wording for module frequency consistent (#1039) [Nicolas Bock] + Use ascii code for growpart (#1036) [jshen28] + Add jshen28 as contributor (#1035) [jshen28] + Skip test_cache_purged_on_version_change on Azure (#1033) + Remove invalid ssh_import_id from examples (#1031) + Cleanup Vultr support (#987) [eb3095] + docs: update cc_disk_setup for fs to raw disk (#1017) + HACKING.rst: change contact info to James Falcon (#1030) + tox: bump the pinned flake8 and pylint version (#1029) [Paride Legovini] (LP: #1944414) + Add retries to DataSourceGCE.py when connecting to GCE (#1005) [vteratipally] + Set Azure to apply networking config every BOOT (#1023) + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603) + docs: fix typo and include sudo for report bugs commands (#1022) [Renan Rodrigo] (LP: #1940236) + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun] + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798) + Integration test upgrades for the 21.3-1 SRU (#1001) + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans] + Improve ug_util.py (#1013) [Shreenidhi Shedi] + Support openEuler OS (#1012) [zhuzaifangxuele] + ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007) [Emanuele Giuseppe Esposito] + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006) + cc_update_etc_hosts: Use the distribution-defined path for the hosts file (#983) [Andy Fiddaman] + Add CloudLinux OS support (#1003) [Alexandr Kravchenko] + puppet config: add the start_agent option (#1002) [Andrew Bogott] + Fix `make style-check` errors (#1000) [Shreenidhi Shedi] + Make cloud-id copyright year (#991) [Andrii Podanenko] + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi] + Update ds-identify to pass shellcheck (#979) [Andrew Kutz] + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998) [aswinrajamannar] + testing: Fix ssh keys integration test (#992)

From 21.3 + Azure: During primary nic detection, check interface status continuously before rebinding again (#990) [aswinrajamannar] + Fix home permissions modified by ssh module (SC-338) (#984) (LP: #1940233) + Add integration test for sensitive jinja substitution (#986) + Ignore hotplug socket when collecting logs (#985) (LP: #1940235) + testing: Add missing mocks to test_vmware.py (#982) + add Zadara Edge Cloud Platform to the supported clouds list (#963) [sarahwzadara] + testing: skip upgrade tests on LXD VMs (#980) + Only invoke hotplug socket when functionality is enabled (#952) + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz] + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi] + Replace broken httpretty tests with mock (SC-324) (#973) + Azure: Check if interface is up after sleep when trying to bring it up (#972) [aswinrajamannar] + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi] + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa] + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz] + Azure: Limit polling network metadata on connection errors (#961) [aswinrajamannar] + Update inconsistent indentation (#962) [Andrew Kutz] + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy] + Add Puppet contributors to CLA signers (#964) [Noah Fontes] + Datasource for VMware (#953) [Andrew Kutz] + photon: refactor hostname handling and add networkd activator (#958) [sshedi] + Stop copying ssh system keys and check folder permissions (#956) [Emanuele Giuseppe Esposito] + testing: port remaining cloud tests to integration testing framework (SC-191) (#955) + generate contents for ovf-env.xml when provisioning via IMDS (#959) [Anh Vo] + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski] + Implementing device_aliases as described in docs (#945) [Mal Graty] (LP: #1867532) + testing: fix test_ssh_import_id.py (#954) + Add ability to manage fallback network config on PhotonOS (#941) [sshedi] + Add VZLinux support (#951) [eb3095] + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun] + Update pylint to v2.9.3 and fix the new issues it spots (#946) [Paride Legovini] + Azure: mount default provisioning iso before try device listing (#870) [Anh Vo] + Document known hotplug limitations (#950) + Initial hotplug support (#936) + Fix MIME policy failure on python version upgrade (#934) + run-container: fixup the centos repos baseurls when using http_proxy (#944) [Paride Legovini] + tools: add support for building rpms on rocky linux (#940) + ssh-util: allow cloudinit to merge all ssh keys into a custom user file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito] (LP: #1911680) + VMware: new 'allow_raw_data' switch (#939) [xiaofengw-vmware] + bump pycloudlib version (#935) + add renanrodrigo as a contributor (#938) [Renan Rodrigo] + testing: simplify test_upgrade.py (#932) + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder] + Add new network activators to bring up interfaces (#919) + Detect a Python version change and clear the cache (#857) [Robert Schweikert] + cloud_tests: fix the Impish release name (#931) [Paride Legovini] + Removed distro specific network code from Photon (#929) [sshedi] + Add support for VMware PhotonOS (#909) [sshedi] + cloud_tests: add impish release definition (#927) [Paride Legovini] + docs: fix stale links rename master branch to main (#926) + Fix DNS in NetworkState (SC-133) (#923) + tests: Add 'adhoc' mark for integration tests (#925) + Fix the spelling of 'DigitalOcean' (#924) [Mark Mercado] + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell] + Replace deprecated collections.Iterable with abc replacement (#922) (LP: #1932048) + testing: OCI availability domain is now required (SC-59) (#910) + add DragonFlyBSD support (#904) [Gonéri Le Bouder] + Use instance-data-sensitive.json in jinja templates (SC-117) (#917) (LP: #1931392) + doc: Update NoCloud docs stating required files (#918) (LP: #1931577) + build-on-netbsd: don't pin a specific py3 version (#913) [Gonéri Le Bouder] + Create the log file with 640 permissions (#858) [Robert Schweikert] + Allow braces to appear in dhclient output (#911) [eb3095] + Docs: Replace all freenode references with libera (#912) + openbsd/net: flush the route table on net restart (#908) [Gonéri Le Bouder] + Add Rocky Linux support to cloud-init (#906) [Louis Abel] + Add 'esposem' as contributor (#907) [Emanuele Giuseppe Esposito] + Add integration test for #868 (#901) + Added support for importing keys via primary/security mirror clauses (#882) [Paul Goins] (LP: #1925395) + [examples] config-user-groups expire in the future (#902) [Geert Stappers] + BSD: static network, set the mtu (#894) [Gonéri Le Bouder] + Add integration test for lp-1920939 (#891) + Fix unit tests breaking from new httpretty version (#903) + Allow user control over update events (#834) + Update test characters in substitution unit test (#893) + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886) [dermotbradley] + Add AlmaLinux OS support (#872) [Andrew Lukoshko]

+ Still need to consider the 'network' configuration option

Advisory ID	SUSE-RU-2022:1200-1
Released	Thu Apr 14 11:33:22 2022
Summary	Recommended update for ClusterTools2
Type	recommended
Severity	moderate
References	1188456,1188652

Description:

This update for ClusterTools2 fixes the following issues:

change version from 3.1.1 to 3.1.2
As newer versions of pacemaker display the output from command 'crmadmin --quiet' on stdout instead on stderr, the command 'cs_clusterstate' was enhanced to adapt these change. (bsc#1188652)
Adapt 'cs_show_scores' to support newer versions of pacemaker and crmshi. (bsc#1188456)
man page updates

Advisory ID	SUSE-RU-2022:1201-1
Released	Thu Apr 14 11:40:33 2022
Summary	Recommended update for grub2
Type	recommended
Severity	moderate
References	1179981,1191974,1192622,1195204

Description:

This update for grub2 fixes the following issues:

Fix grub-install error when efi system partition is created as mdadm software raid1 device. (bsc#1179981, bsc#1195204)
Fix error in grub-install when linux root device is on lvm thin volume. (bsc#1192622, bsc#1191974)

Advisory ID	SUSE-RU-2022:1203-1
Released	Thu Apr 14 11:43:28 2022
Summary	Recommended update for lvm2
Type	recommended
Severity	moderate
References	1195231

Description:

This update for lvm2 fixes the following issues:

udev: create symlinks and watch even in suspended state (bsc#1195231)

Advisory ID	SUSE-RU-2022:1204-1
Released	Thu Apr 14 12:15:55 2022
Summary	Recommended update for hwdata
Type	recommended
Severity	moderate
References	1196332

Description:

This update for hwdata fixes the following issues:

Updated pci, usb and vendor ids (bsc#1196332)

Advisory ID	SUSE-RU-2022:1208-1
Released	Thu Apr 14 12:41:38 2022
Summary	Recommended update for vncmanager
Type	recommended
Severity	moderate
References	1169732,1171344,1189247

Description:

This update for vncmanager fixes the following issues:

Consider different pixel format depths on Tight Encoding. TightPixel was considering only pixels defined with 3 bytes. (bsc#1189247)
Fix tight decoder with 888 pixel encodings. (bsc#1169732, bsc#1171344)
Fix PixelFormat::ntoh() and PixelFormat::hton(). (bsc#1169732, bsc#1171344)
Fix tight compression decoder on big-endian systems. (bsc#1171344)

Advisory ID	SUSE-SU-2022:1218-1
Released	Thu Apr 14 16:53:33 2022
Summary	Security update for SDL2
Type	security
Severity	important
References	1198001,CVE-2021-33657

Description:

This update for SDL2 fixes the following issues:

CVE-2021-33657: Fix a buffer overflow when parsing a crafted BMP image (bsc#1198001).

Advisory ID	SUSE-SU-2022:1252-1
Released	Tue Apr 19 08:51:06 2022
Summary	Security update for openjpeg2
Type	security
Severity	important
References	1076314,1076967,1079845,1102016,1106881,1106882,1140130,1160782,1162090,1173578,1180457,1184774,1197738,CVE-2018-14423,CVE-2018-16375,CVE-2018-16376,CVE-2018-20845,CVE-2018-5727,CVE-2018-5785,CVE-2018-6616,CVE-2020-15389,CVE-2020-27823,CVE-2020-6851,CVE-2020-8112,CVE-2021-29338,CVE-2022-1122

Description:

This update for openjpeg2 fixes the following issues:

CVE-2018-5727: Fixed integer overflow vulnerability in theopj_t1_encode_cblks function (bsc#1076314).
CVE-2018-5785: Fixed integer overflow caused by an out-of-bounds leftshift in the opj_j2k_setup_encoder function (bsc#1076967).
CVE-2018-6616: Fixed excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c (bsc#1079845).
CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
CVE-2018-16375: Fixed missing checks for header_info.height and header_info.width in the function pnmtoimage in bin/jpwl/convert.c (bsc#1106882).
CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
CVE-2018-20845: Fixed division-by-zero in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.ci (bsc#1140130).
CVE-2020-6851: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor (bsc#1160782).
CVE-2020-8112: Fixed heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
CVE-2020-15389: Fixed use-after-free if t a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
CVE-2020-27823: Fixed heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457).
CVE-2021-29338: Fixed integer overflow that allows remote attackers to crash the application (bsc#1184774).
CVE-2022-1122: Fixed segmentation fault in opj2_decompress due to uninitialized pointer (bsc#1197738).

Advisory ID	SUSE-SU-2022:1259-1
Released	Tue Apr 19 11:10:16 2022
Summary	Security update for icedtea-web
Type	security
Severity	important
References	1142825,1142832,1142835,CVE-2019-10181,CVE-2019-10182,CVE-2019-10185

Description:

This update for icedtea-web fixes the following issues:

CVE-2019-10181: Fixed an issue where an attacker could inject unsigned code in a signed JAR file (bsc#1142835).
CVE-2019-10182: Fixed a path traversal issue where an attacker could upload arbritrary files by tricking a victim into running a specially crafted application(bsc#1142825).
CVE-2019-10185: Fixed an issue where an attacker could write files to arbitrary locations during JAR auto-extraction (bsc#1142832).

Advisory ID	SUSE-RU-2022:1263-1
Released	Tue Apr 19 13:32:00 2022
Summary	Recommended update for cloud-regionsrv-client
Type	recommended
Severity	critical
References	1198389

Description:

This update for cloud-regionsrv-client fixes the following issues:

Update to version 10.0.3 (bsc#1198389) - Descend into the extension tree even if top level module is recommended - Cache license state for AHB support to detect type switch - Properly clean suse.com credentials when switching from SCC to update infrastructure - New log message to indicate base product registration success

Advisory ID	SUSE-SU-2022:1265-1
Released	Tue Apr 19 15:22:37 2022
Summary	Security update for jsoup, jsr-305
Type	security
Severity	important
References	1189749,CVE-2021-37714

Description:

This update for jsoup, jsr-305 fixes the following issues:

CVE-2021-37714: Fixed infinite in untrusted HTML or XML data parsing (bsc#1189749).

Changes in jsr-305:

Build with java source and target levels 8
Upgrade to upstream version 3.0.2

Changes in jsoup:

Upgrade to upstream version 1.14.2
Generate tarball using source service instead of a script

Advisory ID	SUSE-SU-2022:1273-1
Released	Wed Apr 20 09:09:48 2022
Summary	Security update for SDL
Type	security
Severity	important
References	1181201,1181202,1198001,CVE-2020-14409,CVE-2020-14410,CVE-2021-33657

Description:

This update for SDL fixes the following issues:

CVE-2020-14409: Fixed an integer overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c. (bsc#1181202)
CVE-2020-14410: Fixed a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c. (bsc#1181201)
CVE-2021-33657: Fixed a Heap overflow problem in video/SDL_pixels.c. (bsc#1198001)

Advisory ID	SUSE-RU-2022:1279-1
Released	Wed Apr 20 12:22:48 2022
Summary	Recommended update for sgi-bitmap-fonts
Type	recommended
Severity	important
References	1197854

Description:

This update for sgi-bitmap-fonts fixes the following issues:

Fix package building issue (bsc#1197854)

Advisory ID	SUSE-RU-2022:1280-1
Released	Wed Apr 20 12:23:33 2022
Summary	Recommended update for HANA-Firewall
Type	recommended
Severity	important
References	1197697

Description:

This update for HANA-Firewall fixes the following issues:

Fix package building issues (bsc#1197697)

Advisory ID	SUSE-RU-2022:1281-1
Released	Wed Apr 20 12:26:38 2022
Summary	Recommended update for libtirpc
Type	recommended
Severity	moderate
References	1196647

Description:

This update for libtirpc fixes the following issues:

Add option to enforce connection via protocol version 2 first (bsc#1196647)

Advisory ID	SUSE-SU-2022:1296-1
Released	Thu Apr 21 17:28:44 2022
Summary	Security update for openjpeg
Type	security
Severity	important
References	1102016,1106881,1162090,1173578,1180457,1184774,CVE-2018-14423,CVE-2018-16376,CVE-2020-15389,CVE-2020-27823,CVE-2020-8112,CVE-2021-29338

Description:

This update for openjpeg fixes the following issues:

CVE-2018-14423: Fixed division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl,and pi_next_rpcl in lib/openjp3d/pi.c (bsc#1102016).
CVE-2018-16376: Fixed heap-based buffer overflow function t2_encode_packet in lib/openmj2/t2.c (bsc#1106881).
CVE-2020-8112: Fixed a heap buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c (bsc#1162090).
CVE-2020-15389: Fixed a use-after-free if a mix of valid and invalid files in a directory operated on by the decompressor (bsc#1173578).
CVE-2020-27823: Fixed a heap buffer over-write in opj_tcd_dc_level_shift_encode() (bsc#1180457),
CVE-2021-29338: Fixed an integer Overflow allows remote attackers to crash the application (bsc#1184774).

Advisory ID	SUSE-SU-2022:1297-1
Released	Thu Apr 21 17:31:54 2022
Summary	Security update for swtpm
Type	security
Severity	low
References	1196240,CVE-2022-23645

Description:

This update for swtpm fixes the following issues:

Update to version 0.5.3 - CVE-2022-23645: Check header size indicator against expected size (bsc#1196240).

SUSE-IU-2000:20-1

Container Advisory ID	SUSE-IU-2000:20-1
Container Tags	SUSE:SLE-15-SP3:2
Container Release

The following patches have been included in this update:

Advisory ID	SUSE-RU-2021:444-1
Released	Fri Feb 12 08:46:46 2021
Summary	Recommended update for libmodulemd
Type	recommended
Severity	low
References	1181004

Description:

This update for libmodulemd fixes the following issues:

Fixed a building issue for 32-bit architectures

Advisory ID	SUSE-RU-2021:1477-1
Released	Tue May 4 14:04:28 2021
Summary	Recommended update for libmodulemd
Type	recommended
Severity	low
References

Description:

This update for libmodulemd fixes the following issues:

Added support for 'buildorder' to Packager documents
Fixed an issue with ModuleIndex when input contains only Obsoletes documents
Extended read_packager_[file|string]() to support overriding the module name and stream
Ignore Packager documents when running ModuleIndex.update_from_*()
Added python overrides for XMD in PackagerV3
Added python override to ignore the GType return when reading packager files
Added PackagerV3.get_mdversion()

Advisory ID	SUSE-RU-2021:2670-1
Released	Thu Aug 12 12:04:06 2021
Summary	Recommended update for libmodulemd
Type	recommended
Severity	moderate
References

Description:

This recommended update for libmodulemd fixes the following issues:
Provide libmodulemd (jsc#ECO-3458)

Make available libmodulemd to Basesystem Module 15 SP2
Make available libmodulemd to Basesystem Module 15 SP3
Make the package 'createrepo_c' installable

Advisory ID	SUSE-RU-2021:3227-1
Released	Mon Sep 27 09:50:51 2021
Summary	Recommended update for createrepo_c, libmodulemd, and zchunk
Type	recommended
Severity	moderate
References

Description:

This update for createrepo_c fixes the following issues:
createrepo_c:

Does no longer perform a dir walk when --recycle-pkglist is specified
Added automatic module metadata handling for repos
Fixed a couple of memory leaks
Added --arch-expand option
Added --recycle-pkglist option
Set global_exit_status on sigint so that .repodata are cleaned up
Enhance error handling when locating repositories

libmodulemd:

Just a rebuild of the package, no source changes

zchunk:

Initial shipment of zchunk to SUSE Linux Enterprise

Advisory ID	SUSE-RU-2021:3274-1
Released	Fri Oct 1 10:34:17 2021
Summary	Recommended update for ca-certificates-mozilla
Type	recommended
Severity	important
References	1190858

Description:

This update for ca-certificates-mozilla fixes the following issues:

remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

Advisory ID	SUSE-SU-2021:3291-1
Released	Wed Oct 6 16:45:36 2021
Summary	Security update for glibc
Type	security
Severity	moderate
References	1186489,1187911,CVE-2021-33574,CVE-2021-35942

Description:

This update for glibc fixes the following issues:

CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).

Advisory ID	SUSE-SU-2021:3292-1
Released	Wed Oct 6 16:46:16 2021
Summary	Security update for go1.16
Type	security
Severity	important
References	1182345,1190589,CVE-2021-39293

Description:

This update for go1.16 fixes the following issues:

Update to go 1.16.8
CVE-2021-39293: Fixed a buffer overflow issue in preallocation check that can cause OOM panic. (bas#)

Advisory ID	SUSE-SU-2021:3293-1
Released	Wed Oct 6 16:47:31 2021
Summary	Security update for ffmpeg
Type	security
Severity	moderate
References	1186761,CVE-2020-22042

Description:

This update for ffmpeg fixes the following issues:

CVE-2020-22042: Fixed a denial of service vulnerability led by a memory leak in the link_filter_inouts function in libavfilter/graphparser.c. (bsc#1186761)

Advisory ID	SUSE-SU-2021:3298-1
Released	Wed Oct 6 16:54:52 2021
Summary	Security update for curl
Type	security
Severity	moderate
References	1190373,1190374,CVE-2021-22946,CVE-2021-22947

Description:

This update for curl fixes the following issues:

CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

Advisory ID	SUSE-SU-2021:3301-1
Released	Wed Oct 6 16:58:33 2021
Summary	Security update for libcryptopp
Type	security
Severity	moderate
References	1015243,CVE-2016-9939

Description:

This update for libcryptopp fixes the following issues:

CVE-2016-9939: Fixed potential DoS in Crypto++ (libcryptopp) ASN.1 parser (bsc#1015243).

Advisory ID	SUSE-RU-2021:3304-1
Released	Wed Oct 6 18:11:33 2021
Summary	Recommended update for kdump
Type	recommended
Severity	moderate
References	1172670,1183070,1184616,1186037

Description:

This update for kdump fixes the following issues:

Do not iterate past end of string (bsc#1186037).
Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
Install /etc/resolv.conf using its resolved path (bsc#1183070).
Make sure that initrd.target.wants directory exists (bsc#1172670).

Advisory ID	SUSE-RU-2021:3306-1
Released	Wed Oct 6 18:11:57 2021
Summary	Recommended update for numactl
Type	recommended
Severity	moderate
References

Description:

This update for numactl fixes the following issues:

Fix System call numbers on s390x.
Debug verify for --preferred option.
Description for the usage of numactl.
Varios memleacks on source files: sysfs.c, shm.c and numactl.c
Description for numa_node_size64 and definition for numa_node_size in manpage.
link with -latomic when needed.
Clear race conditions on numa_police_memory().
numademo: Use first two nodes instead of node 0 and 1
Enhance _service settings
Enable automake

Advisory ID	SUSE-RU-2021:3307-1
Released	Wed Oct 6 18:12:07 2021
Summary	Recommended update for virt-what
Type	recommended
Severity	moderate
References	1161850,1176132

Description:

This update for virt-what fixes the following issues:

Nutanix Acropolis Hypervisor detection
podman detection
Add 'which' to requires

Advisory ID	SUSE-RU-2021:3309-1
Released	Wed Oct 6 18:12:31 2021
Summary	Recommended update for google-roboto-mono-fonts
Type	recommended
Severity	low
References

Description:

This update for google-roboto-mono-fonts fixes the following issue:

Add google-roboto-mono-fonts. (jsc#SLE-21182, jsc#SLE-17946, jsc#SLE-17947)

Advisory ID	SUSE-RU-2021:3310-1
Released	Wed Oct 6 18:12:41 2021
Summary	Recommended update for systemd
Type	recommended
Severity	moderate
References	1134353,1184994,1188291,1188588,1188713,1189446,1189480

Description:

This update for systemd fixes the following issues:

Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks(HD's) (jsc#SLE-21032, bsc#1134353).
Multipath: Rules weren't applied to dm devices (bsc#1188713).
Ignore obsolete 'elevator' kernel parameter (bsc#1184994).
Remove kernel unsupported single-queue block I/O.
Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
Avoid error message when updating active udev on sockets restart (bsc#1188291).

Merge of v246.16, for a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d

Drop 1007-tmpfiles-follow-SUSE-policies.patch: Since most of the tmpfiles config files shipped by upstream are ignored (see previous commit 'Drop most of the tmpfiles that deal with generic paths'), this patch is no more relevant.

Additional fixes:

core: make sure cgroup_oom_queue is flushed on manager exit.
cgroup: do 'catchup' for unit cgroup inotify watch files.
journalctl: never fail at flushing when the flushed flag is set (bsc#1188588).
manager: reexecute on SIGRTMIN+25, user instances only.
manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446).
pid1: watchdog modernizations.

Advisory ID	SUSE-RU-2021:3311-1
Released	Wed Oct 6 18:12:56 2021
Summary	Recommended update for perl-Bootloader
Type	recommended
Severity	moderate
References	1188768

Description:

This update for perl-Bootloader fixes the following issues:

Report error if config file could not be updated (bsc#1188768).
Fix typo in update-bootloader.

Advisory ID	SUSE-RU-2021:3312-1
Released	Wed Oct 6 18:13:09 2021
Summary	Recommended update for yast2-installation
Type	recommended
Severity	moderate
References	1186044

Description:

This update for yast2-installation fixes the following issues:

Display release notes during upgrade. (bsc#1186044)

Advisory ID	SUSE-RU-2021:3314-1
Released	Wed Oct 6 18:13:38 2021
Summary	Recommended update for xerces-c
Type	recommended
Severity	moderate
References	1190105

Description:

This update for xerces-c fixes the following issues:

release libxerces-c-3_1 for SLE-15.3 (bsc#1190105)

Advisory ID	SUSE-RU-2021:3315-1
Released	Wed Oct 6 19:29:43 2021
Summary	Recommended update for go1.17
Type	recommended
Severity	moderate
References	1190589,1190649,CVE-2021-39293

Description:

This update for go1.17 fixes the following issues:
This is the initial go 1.17 shipment.
go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. (bsc#1190649)
CVE-2021-39293: Fixed an overflow in preallocation check that can cause OOM panic in archive/zip (bsc#1190589)
go1.17 (released 2021-08-16) is a major release of Go.
go1.17.x minor releases will be provided through August 2022.
See https://github.com/golang/go/wiki/Go-Release-Cycle
Most changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. (bsc#1190649)

See release notes https://golang.org/doc/go1.17. Excerpts relevant to OBS environment and for SUSE/openSUSE follow:
The compiler now implements a new way of passing function arguments and results using registers instead of the stack. Benchmarks for a representative set of Go packages and programs show performance improvements of about 5%, and a typical reduction in binary size of about 2%. This is currently enabled for Linux, macOS, and Windows on the 64-bit x86 architecture (the linux/amd64, darwin/amd64, and windows/amd64 ports). This change does not affect the functionality of any safe Go code and is designed to have no impact on most assembly code.
When the linker uses external linking mode, which is the default when linking a program that uses cgo, and the linker is invoked with a -I option, the option will now be passed to the external linker as a -Wl,--dynamic-linker option.
The runtime/cgo package now provides a new facility that allows to turn any Go values to a safe representation that can be used to pass values between C and Go safely. See runtime/cgo.Handle for more information.
ARM64 Go programs now maintain stack frame pointers on the 64-bit ARM architecture on all operating systems. Previously, stack frame pointers were only enabled on Linux, macOS, and iOS.
Pruned module graphs in go 1.17 modules: If a module specifies go 1.17 or higher, the module graph includes only the immediate dependencies of other go 1.17 modules, not their full transitive dependencies. To convert the go.mod file for an existing module to Go 1.17 without changing the selected versions of its dependencies, run: go mod tidy -go=1.17 By default, go mod tidy verifies that the selected versions of dependencies relevant to the main module are the same versions that would be used by the prior Go release (Go 1.16 for a module that specifies go 1.17), and preserves the go.sum entries needed by that release even for dependencies that are not normally needed by other commands. The -compat flag allows that version to be overridden to support older (or only newer) versions, up to the version specified by the go directive in the go.mod file. To tidy a go 1.17 module for Go 1.17 only, without saving checksums for (or checking for consistency with) Go 1.16: go mod tidy -compat=1.17 Note that even if the main module is tidied with -compat=1.17, users who require the module from a go 1.16 or earlier module will still be able to use it, provided that the packages use only compatible language and library features. The go mod graph subcommand also supports the -go flag, which causes it to report the graph as seen by the indicated Go version, showing dependencies that may otherwise be pruned out.
Module deprecation comments: Module authors may deprecate a module by adding a // Deprecated: comment to go.mod, then tagging a new version. go get now prints a warning if a module needed to build packages named on the command line is deprecated. go list -m -u prints deprecations for all dependencies (use -f or -json to show the full message). The go command considers different major versions to be distinct modules, so this mechanism may be used, for example, to provide users with migration instructions for a new major version.
go get -insecure flag is deprecated and has been removed. To permit the use of insecure schemes when fetching dependencies, please use the GOINSECURE environment variable. The -insecure flag also bypassed module sum validation, use GOPRIVATE or GONOSUMDB if you need that functionality. See go help environment for details.
go get prints a deprecation warning when installing commands outside the main module (without the -d flag). go install cmd@version should be used instead to install a command at a specific version, using a suffix like @latest or @v1.2.3. In Go 1.18, the -d flag will always be enabled, and go get will only be used to change dependencies in go.mod.
go.mod files missing go directives: If the main module's go.mod file does not contain a go directive and the go command cannot update the go.mod file, the go command now assumes go 1.11 instead of the current release. (go mod init has added go directives automatically since Go 1.12.) If a module dependency lacks an explicit go.mod file, or its go.mod file does not contain a go directive, the go command now assumes go 1.16 for that dependency instead of the current release. (Dependencies developed in GOPATH mode may lack a go.mod file, and the vendor/modules.txt has to date never recorded the go versions indicated by dependencies' go.mod files.)
vendor contents: If the main module specifies go 1.17 or higher, go mod vendor now annotates vendor/modules.txt with the go version indicated by each vendored module in its own go.mod file. The annotated version is used when building the module's packages from vendored source code. If the main module specifies go 1.17 or higher, go mod vendor now omits go.mod and go.sum files for vendored dependencies, which can otherwise interfere with the ability of the go command to identify the correct module root when invoked within the vendor tree.
Password prompts: The go command by default now suppresses SSH password prompts and Git Credential Manager prompts when fetching Git repositories using SSH, as it already did previously for other Git password prompts. Users authenticating to private Git repos with password-protected SSH may configure an ssh-agent to enable the go command to use password-protected SSH keys.
go mod download: When go mod download is invoked without arguments, it will no longer save sums for downloaded module content to go.sum. It may still make changes to go.mod and go.sum needed to load the build list. This is the same as the behavior in Go 1.15. To save sums for all modules, use: go mod download all
The go command now understands //go:build lines and prefers them over // +build lines. The new syntax uses boolean expressions, just like Go, and should be less error-prone. As of this release, the new syntax is fully supported, and all Go files should be updated to have both forms with the same meaning. To aid in migration, gofmt now automatically synchronizes the two forms. For more details on the syntax and migration plan, see https://golang.org/design/draft-gobuild.
go run now accepts arguments with version suffixes (for example, go run example.com/cmd@v1.0.0). This causes go run to build and run packages in module-aware mode, ignoring the go.mod file in the current directory or any parent directory, if there is one. This is useful for running executables without installing them or without changing dependencies of the current module.
The format of stack traces from the runtime (printed when an uncaught panic occurs, or when runtime.Stack is called) is improved.
TLS strict ALPN: When Config.NextProtos is set, servers now enforce that there is an overlap between the configured protocols and the ALPN protocols advertised by the client, if any. If there is no mutually supported protocol, the connection is closed with the no_application_protocol alert, as required by RFC 7301. This helps mitigate the ALPACA cross-protocol attack. As an exception, when the value 'h2' is included in the server's Config.NextProtos, HTTP/1.1 clients will be allowed to connect as if they didn't support ALPN. See issue go#46310 for more information.
crypto/ed25519: The crypto/ed25519 package has been rewritten, and all operations are now approximately twice as fast on amd64 and arm64. The observable behavior has not otherwise changed.
crypto/elliptic: CurveParams methods now automatically invoke faster and safer dedicated implementations for known curves (P-224, P-256, and P-521) when available. Note that this is a best-effort approach and applications should avoid using the generic, not constant-time CurveParams methods and instead use dedicated Curve implementations such as P256. The P521 curve implementation has been rewritten using code generated by the fiat-crypto project, which is based on a formally-verified model of the arithmetic operations. It is now constant-time and three times faster on amd64 and arm64. The observable behavior has not otherwise changed.
crypto/tls: The new Conn.HandshakeContext method allows the user to control cancellation of an in-progress TLS handshake. The provided context is accessible from various callbacks through the new ClientHelloInfo.Context and CertificateRequestInfo.Context methods. Canceling the context after the handshake has finished has no effect. Cipher suite ordering is now handled entirely by the crypto/tls package. Currently, cipher suites are sorted based on their security, performance, and hardware support taking into account both the local and peer's hardware. The order of the Config.CipherSuites field is now ignored, as well as the Config.PreferServerCipherSuites field. Note that Config.CipherSuites still allows applications to choose what TLS 1.0–1.2 cipher suites to enable. The 3DES cipher suites have been moved to InsecureCipherSuites due to fundamental block size-related weakness. They are still enabled by default but only as a last resort, thanks to the cipher suite ordering change above. Beginning in the next release, Go 1.18, the Config.MinVersion for crypto/tls clients will default to TLS 1.2, disabling TLS 1.0 and TLS 1.1 by default. Applications will be able to override the change by explicitly setting Config.MinVersion. This will not affect crypto/tls servers.
crypto/x509: CreateCertificate now returns an error if the provided private key doesn't match the parent's public key, if any. The resulting certificate would have failed to verify.
crypto/x509: The temporary GODEBUG=x509ignoreCN=0 flag has been removed.
crypto/x509: ParseCertificate has been rewritten, and now consumes ~70% fewer resources. The observable behavior has not otherwise changed, except for error messages.
crypto/x509: Beginning in the next release, Go 1.18, crypto/x509 will reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
go/build: The new Context.ToolTags field holds the build tags appropriate to the current Go toolchain configuration.
net/http package now uses the new (*tls.Conn).HandshakeContext with the Request context when performing TLS handshakes in the client or server.
syscall: On Unix-like systems, the process group of a child process is now set with signals blocked. This avoids sending a SIGTTOU to the child when the parent is in a background process group.
time: The new Time.IsDST method can be used to check whether the time is in Daylight Savings Time in its configured location.
time: The new Time.UnixMilli and Time.UnixMicro methods return the number of milliseconds and microseconds elapsed since January 1, 1970 UTC respectively.
time: The new UnixMilli and UnixMicro functions return the local Time corresponding to the given Unix time.

Add bash scripts used by go tool commands to provide a more complete cross-compiling go toolchain install.

Advisory ID	SUSE-RU-2021:3317-1
Released	Wed Oct 6 19:30:39 2021
Summary	Recommended update for postgresql10
Type	recommended
Severity	moderate
References	1179945,1185952,1187751,1190177

Description:

This update for postgresql10 fixes the following issues:

Upgrade to version 10.18. (bsc#1190177) - A dump/restore is not required for those running 10.X. - if you are upgrading from a version older than 10.16 a reindexing of indexes after the upgrade may be advisable. - Allow PostgreSQL version 10 to build with ICU 69 and newer - Clarify error messages referring to 'non-negative' values - Fix incorrect log message when 'point-in-time' recovery stops at a 'ROLLBACK PREPARED' record - In 'contrib/postgres_fdw', avoid attempting catalog lookups after an error - Messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column. - Avoid problems when 'switching pg_receivewal' between compressed and non-compressed 'WAL' storage - Extend 'pg_upgrade' to detect and warn about extensions that should be upgraded. - Make 'pg_upgrade' carry forward the old installation's 'oldestXID' value. - This solves unwanted forced shutdowns happening soon after an upgrade in particular on installations using large values of 'autovacuum_freeze_max_age'. - Avoid 'invalid creation date in header' warnings observed when running 'pg_restore' on an archive file created in a different time zone. - In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data. - Don't abort the process for an out-of-memory failure in libpq's printing functions - Fix uninitialized-variable bug that could cause 'PL/pgSQL' to act as though an 'INTO' clause specified 'STRICT', even though it didn't. - Fix latent crash in sorting code - Fix possible race condition when releasing BackgroundWorkerSlots
Solve a build issue fix build with 'llvm12' on s390x. (bsc#1185952)
Re-enable 'icu' for 'PostgreSQL 10'. (bsc#1179945)
Relax the dependency of 'postgresqlXX-server-devel' on 'llvm' and 'clang'. (bsc#1187751)

Advisory ID	SUSE-RU-2021:3321-1
Released	Thu Oct 7 15:46:40 2021
Summary	Recommended update for autoyast2
Type	recommended
Severity	moderate
References	1176089,1188153,1190696

Description:

This update for autoyast2 fixes the following issues:

Update elements on rules.xml schema: Add the 'hostname' (bsc#1190696). Add Installed_product and installed_product_version (boo#1176089). Add Dialog section (bsc#1188153).

Advisory ID	SUSE-SU-2021:3325-1
Released	Sat Oct 9 19:45:01 2021
Summary	Security update for rabbitmq-server
Type	security
Severity	moderate
References	1185075,1186203,1187818,1187819,CVE-2021-22116,CVE-2021-32718,CVE-2021-32719

Description:

This update for rabbitmq-server fixes the following issues:

CVE-2021-32718: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in management UI (bsc#1187818).
CVE-2021-32719: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in federation management plugin (bsc#1187819).
CVE-2021-22116: Fixed improper input validation may lead to DoS (bsc#1186203).

Use /run instead of /var/run in tmpfiles.d configuration (bsc#1185075).

Advisory ID	SUSE-OU-2021:3327-1
Released	Mon Oct 11 11:44:50 2021
Summary	Optional update for coreutils
Type	optional
Severity	low
References	1189454

Description:

This optional update for coreutils fixes the following issue:

Provide coreutils documentation, 'coreutils-doc', with 'L2' support level. (bsc#1189454)

Advisory ID	SUSE-RU-2021:3328-1
Released	Mon Oct 11 11:48:14 2021
Summary	Recommended update for patterns-sap
Type	recommended
Severity	moderate
References

Description:

This update for patterns-sap fixes the following issue:

Remove 'libssh2-1' from SAP-HANA pattern (jsc#SLE-20033) - 'libssh2-1' is not longer needed for newer HANA 2.0 versions
Adjust the 'patterns-sap' version to 15.3

Advisory ID	SUSE-SU-2021:3338-1
Released	Tue Oct 12 11:06:00 2021
Summary	Security update for the Linux Kernel
Type	security
Severity	important
References	1065729,1148868,1152489,1154353,1159886,1167773,1170774,1171688,1173746,1174003,1176447,1176940,1177028,1178134,1184439,1184804,1185302,1185550,1185677,1185726,1185762,1187211,1188067,1188418,1188651,1188986,1189257,1189297,1189841,1189884,1190023,1190062,1190115,1190138,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190544,1190561,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.
The following security bugs were fixed:

CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

The following non-security bugs were fixed:

ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
ASoC: Intel: Fix platform ID matching (git-fixes).
ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
ASoC: rt5682: Implement remove callback (git-fixes).
ASoC: rt5682: Properly turn off regulators if wrong device ID (git-fixes).
ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (git-fixes).
ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
ath9k: fix sleeping in atomic context (git-fixes).
backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
bareudp: Fix invalid read beyond skb's linear data (jsc#SLE-15172).
blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
blk-mq: mark if one queue map uses managed irq (bsc#1185762).
blk-mq: mark if one queue map uses managed irq (bsc#1185762).
Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
bnxt_en: Add missing DMA memory barriers (git-fixes).
bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
bnxt_en: Fix asic.rev in devlink dev info command (jsc#SLE-16649).
bnxt_en: fix stored FW_PSID version masks (jsc#SLE-16649).
bnxt_en: Store the running firmware version code (git-fixes).
bnxt: count Tx drops (git-fixes).
bnxt: disable napi before canceling DIM (git-fixes).
bnxt: do not lock the tx queue from napi poll (git-fixes).
bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (git-fixes).
bpf: Fix ringbuf helper function compatibility (git-fixes).
bpftool: Add sock_release help info for cgroup attach/prog load command (bsc#1177028).
btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
console: consume APC, DM, DCS (git-fixes).
cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() (bsc#1185550 ltc#192610 git-fixes jsc#SLE-18128).
cuse: fix broken release (bsc#1190596).
cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
devlink: Clear whole devlink_flash_notify struct (bsc#1176447).
dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER (git-fixes).
dmaengine: ioat: depends on !UML (git-fixes).
dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
docs: Fix infiniband uverbs minor number (git-fixes).
drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
drm/amdgpu: Fix BUG_ON assert (git-fixes).
drm/ast: Fix missing conversions to managed API (git-fixes).
drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
drm/i915: Allow the sysadmin to override security mitigations (git-fixes).
drm/i915/rkl: Remove require_force_probe protection (bsc#1189257).
drm/ingenic: Switch IPU plane to type OVERLAY (git-fixes).
drm/mgag200: Select clock in PLL update functions (git-fixes).
drm/msm/mdp4: move HW revision detection to earlier phase (git-fixes).
drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (git-fixes).
drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
drm/pl111: depend on CONFIG_VEXPRESS_CONFIG (git-fixes).
drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused (git-fixes).
e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1190138).
EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
enetc: Fix uninitialized struct dim_sample field usage (git-fixes).
erofs: fix up erofs_lookup tracepoint (git-fixes).
fbmem: do not allow too huge resolutions (git-fixes).
fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
fpga: machxo2-spi: Return an error on failure (git-fixes).
fuse: flush extending writes (bsc#1190595).
fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
genirq: add device_has_managed_msi_irq (bsc#1185762).
genirq: add device_has_managed_msi_irq (bsc#1185762).
gpio: uniphier: Fix void functions to remove return value (git-fixes).
gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
hwmon: (tmp421) fix rounding for negative values (git-fixes).
hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
i40e: Add additional info to PHY type error (git-fixes).
i40e: Fix firmware LLDP agent related warning (git-fixes).
i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
i40e: Fix logic of disabling queues (git-fixes).
i40e: Fix queue-to-TC mapping on Tx (git-fixes).
i40e: improve locking of mac_filter_hash (jsc#SLE-13701).
iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
iavf: Set RSS LUT and key in reset handle path (git-fixes).
IB/hfi1: Indicate DMA wait when txq is queued for wakeup (jsc#SLE-13208).
ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
ice: do not abort devlink info if board identifier can't be found (jsc#SLE-12878).
ice: do not remove netdev->dev_addr from uc sync list (git-fixes).
ice: Prevent probing virtual functions (git-fixes).
igc: Use num_tx_queues when iterating over tx_ring queue (jsc#SLE-13533).
iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
ionic: cleanly release devlink instance (bsc#1167773).
ionic: cleanly release devlink instance (bsc#1167773).
ionic: count csum_none when offload enabled (bsc#1167773).
ionic: drop useless check of PCI driver data validity (bsc#1167773).
ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
ipc/util.c: use binary search for max_idx (bsc#1159886).
ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
ipvs: avoid expiring many connections from timer (bsc#1190467).
ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (git-fixes).
iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
libata: fix ata_host_start() (git-fixes).
libbpf: Fix removal of inner map in bpf_object__create_map (git-fixes).
libbpf: Fix the possible memory leak on error (git-fixes).
mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
mac80211: mesh: fix potentially unaligned access (git-fixes).
media: cedrus: Fix SUNXI tile size calculation (git-fixes).
media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
media: dib8000: rewrite the init prbs logic (git-fixes).
media: imx258: Limit the max analogue gain to 480 (git-fixes).
media: imx258: Rectify mismatch of VTS value (git-fixes).
media: rc-loopback: return number of emitters rather than error (git-fixes).
media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
media: uvc: do not do DMA on stack (git-fixes).
media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
misc: sram: Only map reserved areas in Tegra SYSRAM (git-fixes).
misc: sram: use devm_platform_ioremap_resource_wc() (git-fixes).
mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
mmc: sdhci: Fix issue with uninitialized dma_slave_config (git-fixes).
net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases (git-fixes).
net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
net/mlx5: Fix flow table chaining (git-fixes).
net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (jsc#SLE-15172).
net/mlx5: Fix return value from tracer initialization (git-fixes).
net/mlx5: Unload device upon firmware fatal error (git-fixes).
net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
nfp: update ethtool reporting of pauseframe control (git-fixes).
NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
NFS: pass cred explicitly for access tests (bsc#1190746).
nvme-multipath: revalidate paths during rescan (bsc#1187211).
nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
nvme: avoid race in shutdown namespace removal (bsc#1188067).
nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
optee: Fix memory leak when failing to register shm pages (git-fixes).
parport: remove non-zero check on count (git-fixes).
PCI: aardvark: Fix checking for PIO status (git-fixes).
PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
PCI: Add AMD GPU multi-function power dependencies (git-fixes).
PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
PCI: of: Do not fail devm_pci_alloc_host_bridge() on missing 'ranges' (git-fixes).
PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
phy: tegra: xusb: Fix dangling pointer on probe failure (git-fixes).
PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
PM: EM: Increase energy calculation precision (git-fixes).
power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
powerpc/numa: Consider the max NUMA node for migratable LPAR (bsc#1190544 ltc#194520).
powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
powerpc/perf: Fix the check for SIAR value (bsc#1065729).
powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
pwm: img: Do not modify HW state in .remove() callback (git-fixes).
pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
RDMA/hns: Fix QP's resp incomplete assignment (jsc#SLE-14777).
RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently (jsc#SLE-15175).
RDMA/mlx5: Delete not-available udata check (jsc#SLE-15175).
RDMA/rtrs: Remove a useless kfree() (jsc#SLE-15176).
Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
regmap: fix page selection for noinc reads (git-fixes).
regmap: fix page selection for noinc writes (git-fixes).
regmap: fix the offset of register error log (git-fixes).
Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
rpm/kernel-binary.spec: Use only non-empty certificates.
rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
rtc: rx8010: select REGMAP_I2C (git-fixes).
rtc: tps65910: Correct driver module alias (git-fixes).
s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
sch_cake: fix srchost/dsthost hashing mode (bsc#1176447).
sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
scsi: fc: Add EDC ELS definition (bsc#1190576).
scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
scsi: lpfc: Add EDC ELS support (bsc#1190576).
scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
scsi: lpfc: Add support for the CM framework (bsc#1190576).
scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
scsi: lpfc: Remove unneeded variable (bsc#1190576).
scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
scsi/fc: kABI fixes for new ELS_EDC, ELS_RDP definition (bsc#1171688 bsc#1174003 bsc#1190576).
selftests/bpf: Define string const as global for test_sysctl_prog.c (git-fixes).
selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (git-fixes).
selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change (git-fixes).
selftests/bpf: Whitelist test_progs.h from .gitignore (git-fixes).
serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
serial: sh-sci: fix break handling for sysrq (git-fixes).
spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
tools: bpf: Fix error in 'make -C tools/ bpf_install' (git-fixes).
tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
tty: synclink_gt, drop unneeded forward declarations (git-fixes).
usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
usb: core: hcd: Add support for deferring roothub registration (git-fixes).
usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
usb: serial: option: add Telit LN920 compositions (git-fixes).
usb: serial: option: remove duplicate USB device ID (git-fixes).
usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
vmxnet3: prepare for version 6 changes (bsc#1190406).
vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
vmxnet3: set correct hash type based on rss information (bsc#1190406).
vmxnet3: update to version 6 (bsc#1190406).
watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1190561).
x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
x86/asm: Fix SETZ size enqcmds() build failure (bsc#1178134).
x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Advisory ID	SUSE-RU-2021:3343-1
Released	Tue Oct 12 13:00:09 2021
Summary	Recommended update for pacemaker
Type	recommended
Severity	moderate
References	1177212,1180618,1181744,1187414,1188653

Description:

This update for pacemaker fixes the following issues:

controller: ensure newly joining node learns the node names of non-DCs. (bsc#1180618)
libcrmcommon: Correctly handle case-sensitive ids of xml objects when changing a value. (bsc#1187414)
libpe_status: handle pending migrations correctly. (bsc#1177212)

scheduler: add test for probe of unmanaged resource on pending node (bsc#1188653): scheduler: update existing tests for probe scheduling change. scheduler: don't schedule probes of unmanaged resources on pending nodes.

controld-fencing: add notice-log for successful fencer-connect (bsc#1181744): controld-fencing: remove-notifications upon connection-destroy. fenced: Remove relayed stonith operation. fence-history: resync fence-history after fenced crash. fence-history: add notification upon history-synced. fence-history: fail leftover pending-actions after fenced-restart. st_client: make safe to remove notifications from notifications.

Advisory ID	SUSE-SU-2021:3348-1
Released	Tue Oct 12 13:08:06 2021
Summary	Security update for systemd
Type	security
Severity	moderate
References	1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

Description:

This update for systemd fixes the following issues:

CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
Rules weren't applied to dm devices (multipath) (bsc#1188713).
Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

Advisory ID	SUSE-RU-2021:3349-1
Released	Tue Oct 12 13:21:48 2021
Summary	Recommended update for libgphoto2
Type	recommended
Severity	moderate
References	1172301

Description:

This update for libgphoto2 fixes the following issues:
libgphoto2 was updated to the 2.5.27 release (jsc#SLE-21615)

Lots of new camera models added.
Camera support enhanced for Sony Alpha, Fuji XT, Nikon Z, Canon EOS R, Panasonic Lumix, Leica SL, ...
Better support for files over 4GB
Lumix Wifi, Docupen support added.
Lots of bugfixes

Advisory ID	SUSE-SU-2021:3350-1
Released	Tue Oct 12 13:22:31 2021
Summary	Security update for libaom
Type	security
Severity	low
References	1186799,CVE-2021-30474

Description:

This update for libaom fixes the following issues:

CVE-2021-30474: Fixed use-after-free in aom_dsp/grain_table.c (bsc#1186799).

Advisory ID	SUSE-SU-2021:3353-1
Released	Tue Oct 12 13:23:34 2021
Summary	Security update for webkit2gtk3
Type	security
Severity	important
References	1188697,1190701,CVE-2021-21806,CVE-2021-30858

Description:

This update for webkit2gtk3 fixes the following issues:

Update to version 2.32.4
CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701)
CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697)

Advisory ID	SUSE-SU-2021:3354-1
Released	Tue Oct 12 13:24:08 2021
Summary	Security update for libqt5-qtsvg
Type	security
Severity	moderate
References	1184783,CVE-2021-3481

Description:

This update for libqt5-qtsvg fixes the following issues:

CVE-2021-3481: Fixed an out of bounds read in function QRadialFetchSimd from crafted svg file. (bsc#1184783)

Advisory ID	SUSE-RU-2021:3382-1
Released	Tue Oct 12 14:30:17 2021
Summary	Recommended update for ca-certificates-mozilla
Type	recommended
Severity	moderate
References

Description:

This update for ca-certificates-mozilla fixes the following issues:

A new sub-package for minimal base containers (jsc#SLE-22162)

Advisory ID	SUSE-RU-2021:3390-1
Released	Tue Oct 12 18:53:38 2021
Summary	Recommended update for fcoe-utils
Type	recommended
Severity	moderate
References	1010047,1182804

Description:

This update for fcoe-utils fixes the following issues:
Update to version 1.0.34 (bsc#1182804)

Fix 21 string-op truncation, format truncation, and format overflow errors
Use of uninitialized values detected during LTO
fix VLAN device name overflow check
Fix an issue caused by 'safe_makepath' change in 'libopenfcoe.c'
Char can be unsigned on ARM, so set signed explicitly as the check expects it can be negative
Handle NIC names longer than 7 characters. (bsc#1010047)
Change debug->log message if daemon running
Remove references to 'open-fcoe.org'
Fix two gcc-11 compiler warnings.
Exit 'fcoemon' command if 'fcoemon' daemon is already running.
Update systemd service files

Advisory ID	SUSE-RU-2021:3392-1
Released	Tue Oct 12 19:01:24 2021
Summary	Recommended update for rsync
Type	recommended
Severity	important
References	1188258

Description:

This update for rsync fixes the following issues:

Fix a memory protection issue in 'iconv' (bsc#1188258)

Advisory ID	SUSE-RU-2021:3395-1
Released	Tue Oct 12 19:07:18 2021
Summary	Recommended update for sbd
Type	recommended
Severity	important
References	1187547,1189398

Description:

This update for sbd fixes the following issues:
Update to version 1.5.0+20210720.f4ca41f

'sbd-inquisitor': - Implement default delay start for diskless 'sbd'. (bsc#1189398) - Sanitize numeric arguments. - Tolerate and strip any leading spaces of command line option values. (bsc#1187547) - Tell the actual watchdog device specified with '-w'. (bsc#1187547)

Important notes on 'sync_resource_startup_default':

This configuration has to be in sync with the configuration in 'pacemaker' where it is called 'sbd_sync'. The syncing enabled per default will lead to syncing enabled on upgrade without adaption of the config. The setting can still be overruled via 'sysconfig'. The setting in the 'config-template' packaged will follow the default if it is left empty. It is possible to have the setting in the 'config-template' deviate from the default by setting it to an explicit 'yes' or 'no'.

Advisory ID	SUSE-RU-2021:3397-1
Released	Tue Oct 12 19:07:43 2021
Summary	Recommended update for mariadb
Type	recommended
Severity	moderate
References	1182218

Description:

This update for mariadb fixes the following issue:

Remove ownership of '%{_rpmconfigdir}/macros.d' that belongs to RPM. (bsc#1182218)

Advisory ID	SUSE-RU-2021:3398-1
Released	Tue Oct 12 19:07:55 2021
Summary	Recommended update for gnome-packagekit
Type	recommended
Severity	moderate
References	1190330

Description:

This update for gnome-packagekit fixes the following issue:

List all the available updates when getting system updates. (bsc#1190330)

Advisory ID	SUSE-RU-2021:3399-1
Released	Tue Oct 12 19:08:17 2021
Summary	Recommended update for NetworkManager
Type	recommended
Severity	moderate
References	1116625

Description:

This update for NetworkManager fixes the following issues:

Exclude 'systemd.automount' from NFS processing and avoid failures after a suspend/resume cycle. (bsc#1116625)

Advisory ID	SUSE-RU-2021:3400-1
Released	Wed Oct 13 08:15:28 2021
Summary	Recommended update for emacs
Type	recommended
Severity	moderate
References	1178942,1180353

Description:

This update for emacs fixes the following issues:

Fixed an issue when emacs hangs in isearch. (bsc#1178942)
Fix for a possible segmentation fault in case of stack overflow of etags. (bsc#1180353)

Advisory ID	SUSE-RU-2021:3402-1
Released	Wed Oct 13 10:39:58 2021
Summary	Recommended update for 389-ds
Type	recommended
Severity	moderate
References

Description:

This update for 389-ds fixes the following issues:

rebase lib389 and cockpit in 1.4.4
Updated several dsconf --help entries (typos, wrong descriptions, etc.)
Account Policy plugin does not set the config entry DN
Add support for nsslapd-state to CLI and UI
IPA failure in ipa user-del --preserve
backport lib389 cert list fix
dsidm command crashing when account policy plugin is enabled
db reindex corrupts RUV tombstone nsuiqueid index
Fix retro cl trimming misuse of monotonic/realtime clocks

Advisory ID	SUSE-RU-2021:3406-1
Released	Wed Oct 13 10:40:44 2021
Summary	Recommended update for ServiceReport
Type	recommended
Severity	moderate
References

Description:

This update for ServiceReport fixes the following issues:

ServiceReport v2.2.3 release.(jsc#18193)
Added hardening to systemd service(s).
Run-on supported architectures only.
[fadump] Update crashkernel recommendation.
[Daemon] check active status along with enabled.
Take crashkernel recommendation from kdump-lib.sh scripts.

Advisory ID	SUSE-RU-2021:3407-1
Released	Wed Oct 13 10:40:49 2021
Summary	Recommended update for resource-agents
Type	recommended
Severity	low
References	1180668

Description:

This update for resource-agents fixes the following issues:

Live migration fails in some scenarios. (bsc#1180668)

Advisory ID	SUSE-RU-2021:3409-1
Released	Wed Oct 13 10:41:02 2021
Summary	Recommended update for libGLw
Type	recommended
Severity	low
References	1191122

Description:

This update for libGLw fixes the following issue:

fix libGLw.so symlink of devel package. (bsc#1191122)

Advisory ID	SUSE-RU-2021:3410-1
Released	Wed Oct 13 10:41:36 2021
Summary	Recommended update for xkeyboard-config
Type	recommended
Severity	moderate
References	1191242

Description:

This update for xkeyboard-config fixes the following issue:

Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)

Advisory ID	SUSE-RU-2021:3411-1
Released	Wed Oct 13 10:42:25 2021
Summary	Recommended update for lvm2
Type	recommended
Severity	moderate
References	1191019

Description:

This update for lvm2 fixes the following issues:

Do not crash vgextend when extending VG with missing PV. (bsc#1191019)

Advisory ID	SUSE-RU-2021:3413-1
Released	Wed Oct 13 10:50:45 2021
Summary	Recommended update for suse-module-tools
Type	recommended
Severity	important
References	1189441,1189841,1190598

Description:

This update for suse-module-tools fixes the following issues:

Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598)
Fixed an issue where initrd was not always rebuilding after installing any kernel-*-extra package (bsc#1189441)

Advisory ID	SUSE-SU-2021:3445-1
Released	Fri Oct 15 09:03:39 2021
Summary	Security update for rpm
Type	security
Severity	important
References	1183659,1185299,1187670,1188548

Description:

This update for rpm fixes the following issues:
Security issues fixed:

PGP hardening changes (bsc#1185299)

Maintaince issues fixed:

Fixed zstd detection (bsc#1187670)
Added ndb rofs support (bsc#1188548)
Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659)

Advisory ID	SUSE-RU-2021:3448-1
Released	Fri Oct 15 09:12:28 2021
Summary	Recommended update for scap-security-guide
Type	recommended
Severity	moderate
References	1191431,1191432

Description:

This update for scap-security-guide fixes the following issues:
The scap-security-guide was updated to 0.1.58 release (jsc#ECO-3319)

Support for Script Checking Engine (SCE)
Split RHEL 8 CIS profile using new controls file format
CIS Profiles for SUSE Linux Enterprise 12
Initial Ubuntu 20.04 STIG Profiles
Addition of an automated CCE adder

Advisory ID	SUSE-SU-2021:3451-1
Released	Sat Oct 16 10:49:25 2021
Summary	Security update for MozillaFirefox
Type	security
Severity	important
References	1188891,1189547,1190269,1190274,1190710,1191332,CVE-2021-29980,CVE-2021-29981,CVE-2021-29982,CVE-2021-29983,CVE-2021-29984,CVE-2021-29985,CVE-2021-29986,CVE-2021-29987,CVE-2021-29988,CVE-2021-29989,CVE-2021-29990,CVE-2021-29991,CVE-2021-32810,CVE-2021-38492,CVE-2021-38495,CVE-2021-38496,CVE-2021-38497,CVE-2021-38498,CVE-2021-38500,CVE-2021-38501

Description:

This update for MozillaFirefox fixes the following issues:
This update contains the Firefox Extended Support Release 91.2.0 ESR.
Release 91.2.0 ESR:

Fixed: Various stability, functionality, and security fixes

MFSA 2021-45 (bsc#1191332):

CVE-2021-38496: Use-after-free in MessageTask
CVE-2021-38497: Validation message could have been overlaid on another origin
CVE-2021-38498: Use-after-free of nsLanguageAtomService object
CVE-2021-32810: Fixed Data race in crossbeam-deque
CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

Fixed crash in FIPS mode (bsc#1190710)

Release 91.1.0 ESR:

Fixed: Various stability, functionality, and security fixes

MFSA 2021-40 (bsc#1190269, bsc#1190274):

CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

Release 91.0.1esr ESR:

Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404)
Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to- tab results in the address bar panel (bug 1720369)
Fixed: Various stability fixes
Fixed: Security fix MFSA 2021-37 (bsc#1189547)
CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses

Firefox Extended Support Release 91.0 ESR

New: Some of the highlights of the new Extended Support Release are:

- A number of user interface changes. For more information, see the Firefox 89 release notes. - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on. Learn more - On Windows, updates can now be applied in the background while Firefox is not running. - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications - Version 2 of Firefox's SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded 'just in time' if you decide to 'Log in with Facebook' on any website. - Enhanced the privacy of the Firefox Browser's Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companis from using cookies to track your browsing across sites. This feature was originally launched in Firefox's ETP Strict mode. - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features. - You'll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly. - Improved Print functionality with a cleaner design and better integration with your computer's printer settings. - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next. - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder. - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non- native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox. - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages. - We’ve improved functionality and design for a number of Firefox search features: * Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click. * When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results. * We’ve added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history. - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms and the PDF viewer also has a new fresh look. - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient. - In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences.

Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support.
Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes.

MFSA 2021-33 (bsc#1188891):

CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
CVE-2021-29988: Memory corruption as a result of incorrect style treatment
CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
CVE-2021-29984: Incorrect instruction reordering during JIT optimization
CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
CVE-2021-29985: Use-after-free media channels
CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Advisory ID	SUSE-RU-2021:3465-1
Released	Tue Oct 19 13:12:46 2021
Summary	Recommended update for cloud-regionsrv
Type	recommended
Severity	moderate
References	1190250

Description:

This update for cloud-regionsrv contains the following fixes:

Update to version 8.1.2 (bsc#1190250) + Place certificate key in proper destination

Update to version 8.1.1 (bsc#1190250) + Use a cross-filesystem compatible method to move certificates

Advisory ID	SUSE-SU-2021:3467-1
Released	Tue Oct 19 13:16:09 2021
Summary	Security update for strongswan
Type	security
Severity	important
References	1191367,1191435,CVE-2021-41990,CVE-2021-41991

Description:

This update for strongswan fixes the following issues:
A feature was added:

Add auth_els plugin to support Marvell FC-SP encryption (jsc#SLE-20151)

Security issues fixed:

CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435)
CVE-2021-41990: Fixed an integer Overflow in the gmp Plugin. (bsc#1191367)

Advisory ID	SUSE-RU-2021:3471-1
Released	Wed Oct 20 08:39:41 2021
Summary	Recommended update for habootstrap-formula
Type	recommended
Severity	moderate
References	1190940

Description:

This update for habootstrap-formula fixes the following issues:
Update to version 0.4.4

Wait for cluster startup after a 'corosync' restart. (bsc#1190940)
Add support for The Oracle Cluster File System v2 (OCFS2)
Enable native fencing for 'microsoft-azure'
Add documentation on how to enable native fencing

Advisory ID	SUSE-SU-2021:3472-1
Released	Wed Oct 20 08:40:43 2021
Summary	Security update for flatpak
Type	security
Severity	important
References	1191507,CVE-2021-41133

Description:

This update for flatpak fixes the following issues:

Update to version 1.10.5:
CVE-2021-41133: Fixed a bug that could lead to sandbox bypass via recent VFS-manipulating syscalls. (bsc#1191507)

Advisory ID	SUSE-SU-2021:3474-1
Released	Wed Oct 20 08:41:31 2021
Summary	Security update for util-linux
Type	security
Severity	moderate
References	1178236,1188921,CVE-2021-37600

Description:

This update for util-linux fixes the following issues:

CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

Advisory ID	SUSE-SU-2021:3476-1
Released	Wed Oct 20 08:42:00 2021
Summary	Security update for xstream
Type	security
Severity	important
References	1189798,CVE-2021-39139,CVE-2021-39140,CVE-2021-39141,CVE-2021-39144,CVE-2021-39145,CVE-2021-39146,CVE-2021-39147,CVE-2021-39148,CVE-2021-39149,CVE-2021-39150,CVE-2021-39151,CVE-2021-39152,CVE-2021-39153,CVE-2021-39154

Description:

This update for xstream fixes the following issues:

Upgrade to 1.4.18
CVE-2021-39139: Fixed an issue that allowed an attacker to execute arbitrary code execution by manipulating the processed input stream with type information. (bsc#1189798)
CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by manipulating the processed input stream. (bsc#1189798)
CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)
CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources hosted within the intranet or in the host itself. (bsc#1189798)
CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)

Advisory ID	SUSE-RU-2021:3479-1
Released	Wed Oct 20 11:23:45 2021
Summary	Recommended update for dracut
Type	recommended
Severity	moderate
References	1184970,1186260,1187115,1187470,1187774,1190845

Description:

This update for dracut fixes the following issues:

Fix usage information for -f parameter. (bsc#1187470)
Fix obsolete reference to 96insmodpost in manpage. (bsc#1187774)
Remove references to INITRD_MODULES. (bsc#1187115)
Multipath FCoE configurations may not boot when using only one path. (bsc#1186260)
Adjust path for SUSE: /var/lib/nfs/statd/sm to /var/lib/nfs/sm. (bsc#1184970)
Systemd coredump unit files are missing in initrd. (1190845)
Use $kernel rather than $(uname -r).
Exclude modules that are built-in.
Restore INITRD_MODULES in mkinitrd script.
Call dracut_instmods with hostonly.

Advisory ID	SUSE-RU-2021:3480-1
Released	Wed Oct 20 11:24:10 2021
Summary	Recommended update for yast2-network
Type	recommended
Severity	moderate
References	1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

Description:

This update for yast2-network fixes the following issues:

Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
Consider aliases sections as case insensitive (bsc#1190739).
Display user defined device name in the devices overview (bnc#1190645).
Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
Fix desktop file so the control center tooltip is translated (bsc#1187270).
Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

Advisory ID	SUSE-feature-2021:3483-1
Released	Wed Oct 20 16:08:18 2021
Summary	Feature update for saptune
Type	feature
Severity	moderate
References	1149205,1164720,1167213,1167416,1167618,1170672,1176243,1178207,1179275,1182009,1182287,1182289,1185702

Description:

This update for saptune fixes the following issues:
Update saptune from version 2.0.3 to version 3.0.0 (jsc#SLE-20985)

This will be additional reflected in the saptune version found in '/etc/sysconfig/saptune' '(SAPTUNE_VERSION)'
Strengthen configuration process with staging, checks of external changes and expansion of automation to new platforms (Azure, AWS) and hardware specifics (jsc#SLE-20985)
Remove saptune version 1 (jsc#SLE-10823, jsc#SLE-10842)
Remove usage of 'tuned' from saptune - Add an own systemd service file for saptune to 'start/stop' tuning of parameter values during a reboot of the system. - Add a new saptune action 'service' to handle the 'saptune.service' supporting 'start/stop/enable/disable/status'. - The saptune action 'daemon', which handled 'tuned.service' in the past, is now flagged as 'deprecated' and internally linked to the new action 'service'. (jsc#SLE-5589, jsc#SLE-5588, jsc#SLE-6457)
Add a sanity check to detect Note definition files which do not exist anymore. (bsc#1149205) This can happen when a Note is renamed or deleted, but without reverting the Note before. saptune will now print an error message, remove the Note from the tracking variables in '/etc/sysconfig/saptune' and try to revert the related parameter settings.
Validate if the json input file is empty and handle left-over files from the migration from saptune v1 to saptune v2 (bsc#1167618)
To support system parameters only relevant for specific SUSE Linux Enterprise Server releases, service packs and/or hardware architectures saptune now supports 'tagged' sections inside the Note definition files. (jsc#SLE-13246, jsc#SLE-13245)
New kernel requirement for Power added to SAP-Note 2205917 and 2684254 (bsc#1167416) SAP Note 2205917 updated to Version 61 SAP Note 2684254 updated to Version 15
SAP Note 2382421 updated to Version 37 (bsc#1170672) - Move all 'not-well-defined' parameters from the 'reminder' section into the 'sysctl' section, but with 'empty' values. - Use an override file to define the values fitting your system requirements
Support empty parameter values in the Note definition files and not only in the override file. (bsc#1170672, jsc#TEAM-1702) - This is needed for the support of SAP Notes like 2382421, so that the customer is able to simply use an override file to define some special parameters instead of using a customer specific Note definition file.
Report an 'error' instead of 'info' and set the exit code to '1', if we reject the apply of a solution (bsc#1167213)
Skip perf bias change if secure boot is enabled. (bsc#1176243) - When a system is in lockdown mode, i.e., Secure Boot is enabled, MSR cannot be altered in user-space. So check, if Secure Boot is enabled using the mokutil utility and skip setting the perf bias in case it is.
Rework the internal block device handling to speed up the apply of block device related tunings on systems with a high number of block devices. (bsc#1178207)
Change block device handling to handle multipath devices correctly. Only the DM multipath devices will be used for the settings, but not its paths. (bsc#1179275)
fixed wrong comparison used for setting FORCE_LATENCY (bsc#1185702)
add keyword 'all' to the 'rpm' section description in the man page saptune-note(5). (bsc#1182287)
support note definition versions containing digits, upper-case and lower-case letters, dots, underscores, minus and plus signs. (bsc#1182289)
fixed issue with 'verify' operation and parameter 'VSZ_TMPFS_PERCENT'. As this parameter is only used to calculate the value of 'ShmFileSystemSizeMB' (if it is not set to a value >0 in the Note definition file) it will not be checked and compared during the saptune operation 'verify'. A footnote is pointing this out. (bsc#1182009)
SAP Note 1771258 update nofile values (bsc#1164720)
SAP Note 2684254 updated to Version 20 SAP Note 2578899 updated to Version 39 SAP Note 1680803 updated to Version 26
enhancements for saptune version 3 (jsc#SLE-16972) - Implement a lock to avoid multiple instances of saptune running in parallel. (jsc#TEAM-1700) - Support for non-colorized output (jsc#TEAM-1679) - If redirecting the output from saptune to a pipe, you no longer need to deal with the

'ugly' control sequences for the colorized output. - Add enable/disable for systemd units and support all systemd unit types in section [service] (jsc#TEAM-1701) - remove script '/usr/share/doc/packages/saptune/sapconf2saptune' and the associated man page (jsc#TEAM-1707) - implement staging of Note definition file and solution definitions. (jsc#TEAM-1844) - The idea is to freeze the saptune configuration to avoid config changes on package update when adding/removing/changing notes or solutions within the package - support custom solutions and override files for solutions. (jsc#TEAM-1706) - Partners and customers will now be able to define their own solution definitions by using files in '/etc/saptune/extra' or to override the shipped solution definitions by using override files in '/etc/saptune/override' - support for device specific configurations (jsc#TEAM-1728) - only supported for the [block] section, tags are 'vendor' and 'model' to support special block devices of a dedicated hardware vendor or a dedicated hardware model - add support for AZURE cloud (SAP Note 2993054) (jsc#TEAM-2676) - add support for AWS cloud (SAP Note 1656250) (jsc#TEAM-1754, jsc#TEAM-1755) - add NVMe support to the block device handling to support AWS (jsc#TEAM-2675) - add SAP Note 3024346 (a NetApp note) (jsc#TEAM-3454) - rework daemon and service actions (jsc#TEAM-3154) - add support for 'read_ahead_kb' and 'max_sectors_kb' to the [block] section (jsc#TEAM-1699) - add a warning to the reminder section of SAP Note 2382421 regarding iSCSI devices and setting of 'net.ipv4.tcp_syn_retries' (jsc#TEAM-1705) - For the actions 'note customise' and 'note create' check, if the customer has changed something during the editor session. If not, remove the temporary created note definition file. (jsc#TEAM-825) - add support for [sys] section and handle double configurations for parameters defined in the [sys] section (jsc#TEAM-3342) - check system sysctl config files as mentioned in the comments of '/etc/sysctl.conf' and in man page 'sysctl.conf(5)' for 'sysctl' parameters currently set by saptune notes. Print a warning and a footnote for 'verify' and 'customize'. (jsc#TEAM-1696) - add support for [filesystem] section only check filesystem mount options, not modify. Starting with filesystem type 'xfs' (jsc#TEAM-4093) - add SAP Note 900929 for SAP Netweaver workloads. (jsc#TEAM-4386) - It's the equivalent to the HANA Note 1980196. - move state files from '/var/lib/saptune' to '/run/saptune' to solve the problem of state files surviving a reboot. - add '/sbin/saptune_check' - add the description of the solution definitions shipped with saptune to the man page saptune(8) (jsc#TEAM-4260)

Advisory ID	SUSE-SU-2021:3485-1
Released	Wed Oct 20 16:17:53 2021
Summary	Security update for squid
Type	security
Severity	moderate
References	1189403,CVE-2021-28116

Description:

This update for squid fixes the following issues:
Update to version 4.17:

CVE-2021-28116: Fixed a out-of-bounds read in the WCCP protocol (bsc#1189403).

Advisory ID	SUSE-SU-2021:3487-1
Released	Wed Oct 20 16:18:28 2021
Summary	Security update for go1.16
Type	security
Severity	moderate
References	1182345,1191468,CVE-2021-38297

Description:

This update for go1.16 fixes the following issues:
Update to go1.16.9

CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)

Advisory ID	SUSE-SU-2021:3488-1
Released	Wed Oct 20 16:18:39 2021
Summary	Security update for go1.17
Type	security
Severity	moderate
References	1190649,1191468,CVE-2021-38297

Description:

This update for go1.17 fixes the following issues:
Update to go1.17.2

CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)

Advisory ID	SUSE-SU-2021:3489-1
Released	Wed Oct 20 16:19:28 2021
Summary	Security update for python
Type	security
Severity	moderate
References	1189241,1189287,CVE-2021-3733,CVE-2021-3737

Description:

This update for python fixes the following issues:

CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)

Advisory ID	SUSE-SU-2021:3490-1
Released	Wed Oct 20 16:31:55 2021
Summary	Security update for ncurses
Type	security
Severity	moderate
References	1190793,CVE-2021-39537

Description:

This update for ncurses fixes the following issues:

CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

Advisory ID	SUSE-SU-2021:3493-1
Released	Wed Oct 20 16:37:44 2021
Summary	Security update for fetchmail
Type	security
Severity	moderate
References	1190069,CVE-2021-39272

Description:

This update for fetchmail fixes the following issues:

CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. (bsc#1190069)

Advisory ID	SUSE-RU-2021:3494-1
Released	Wed Oct 20 16:48:46 2021
Summary	Recommended update for pam
Type	recommended
Severity	moderate
References	1190052

Description:

This update for pam fixes the following issues:

Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
Added new file macros.pam on request of systemd. (bsc#1190052)

Advisory ID	SUSE-RU-2021:3495-1
Released	Thu Oct 21 09:57:36 2021
Summary	Recommended update for yast2-add-on
Type	recommended
Severity	moderate
References	1189154

Description:

This update for yast2-add-on fixes the following issue:

Don't crash Auto client when importing from an empty add-on section. (bsc#1189154)

Advisory ID	SUSE-RU-2021:3496-1
Released	Thu Oct 21 09:57:47 2021
Summary	Recommended update for bash-completion
Type	recommended
Severity	low
References	1190929

Description:

This update for bash-completion fixes the following issue:

modinfo completion fails to recognize .ko.xz (bsc#1190929)

Advisory ID	SUSE-RU-2021:3498-1
Released	Thu Oct 21 09:58:06 2021
Summary	Recommended update for texlive-specs-i
Type	recommended
Severity	low
References	1190640

Description:

This update for texlive-specs-i fixes the following issue:

Fix 'undefined control sequence' error when using with XeLaTeX (bsc#1190640)

Advisory ID	SUSE-RU-2021:3500-1
Released	Fri Oct 22 09:42:21 2021
Summary	Recommended update for open-vm-tools
Type	recommended
Severity	moderate
References	1190987

Description:

This update for open-vm-tools fixes the following issues:

New/Updated features: * Added a configurable logging capability to the network script * The hgfsmounter (mount.vmhgfs) command has been removed from open-vm-tools. It has been replaced by hgfs-fuse.
Resolved issues: * Customization: Retry the Linux reboot if telinit is a soft link to systemctl * open-vm-tools commands would hang if configured with '--enable-valgrind'

Advisory ID	SUSE-RU-2021:3501-1
Released	Fri Oct 22 10:42:46 2021
Summary	Recommended update for libzypp, zypper, libsolv, protobuf
Type	recommended
Severity	moderate
References	1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

Description:

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

Choice rules: treat orphaned packages as newest (bsc#1190465)
Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
Do not check of signatures and keys two times(redundant) (bsc#1190059)
Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
Show key fpr from signature when signature check fails (bsc#1187224)
Fix solver jobs for PTFs (bsc#1186503)
Fix purge-kernels fails (bsc#1187738)
Fix obs:// platform guessing for Leap (bsc#1187425)
Make sure to keep states alives while transitioning. (bsc#1190199)
Manpage: Improve description about patch updates(bsc#1187466)
Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
Fix crashes in logging code when shutting down (bsc#1189031)
Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
Add need reboot/restart hint to XML install summary (bsc#1188435)
Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

Advisory ID	SUSE-SU-2021:3506-1
Released	Mon Oct 25 10:20:22 2021
Summary	Security update for containerd, docker, runc
Type	security
Severity	important
References	1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103

Description:

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.2

Fixed a failure to set CPU quota period in some cases on cgroup v1.
Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
Made release builds reproducible from now on.
Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1

Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
cgroup/systemd/v2: don't freeze cgroup on Set.
cgroup/systemd/v1: avoid unnecessary freeze on Set.
fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).

cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
cgroupv2: support SkipDevices with systemd driver
cgroup/systemd: return, not ignore, stop unit error from Destroy
Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
cgroup1: blkio: support BFQ weights.
cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)
Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
Breaking Changes:

cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

Regression Fixes:

seccomp: fix 32-bit compilation errors
runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
runc start: fix 'chdir to cwd: permission denied' for some setups

Advisory ID	SUSE-RU-2021:3509-1
Released	Tue Oct 26 09:47:40 2021
Summary	Recommended update for suse-module-tools
Type	recommended
Severity	important
References	1191200,1191260,1191480,1191804,1191922

Description:

This update for suse-module-tools fixes the following issues:
Update to version 15.3.13:

Fix bad exit status in openQA. (bsc#1191922)
Ignore kernel keyring for kernel certificates. (bsc#1191480)
Deal with existing certificates that should be de-enrolled. (bsc#1191804)
Don't pass existing files to weak-modules2. (bsc#1191200)
Skip certificate scriptlet on non-UEFI systems. (bsc#1191260)

Advisory ID	SUSE-RU-2021:3510-1
Released	Tue Oct 26 11:22:15 2021
Summary	Recommended update for pam
Type	recommended
Severity	important
References	1191987

Description:

This update for pam fixes the following issues:

Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

Advisory ID	SUSE-RU-2021:3512-1
Released	Tue Oct 26 13:33:17 2021
Summary	Recommended update for MozillaFirefox
Type	recommended
Severity	moderate
References	1190141,1191815

Description:

This update for MozillaFirefox fixes the following issues:

Allow accessing /proc/sys/crypto/fips_enabled from within the newly introduced socket process sandbox. (bsc#1191815, bsc#1190141)
Add a way to let users overwrite MOZ_ENABLE_WAYLAND

Advisory ID	SUSE-RU-2021:3516-1
Released	Tue Oct 26 14:42:44 2021
Summary	Recommended update for azure-cli, azure-cli-core, python-azure-mgmt, python-azure-mgmt-billing, python-azure-mgmt-cdn, python-azure-mgmt-hdinsight, python-azure-mgmt-netapp, python-azure-mgmt-resource, python-azure-mgmt-synapse
Type	recommended
Severity	important
References	1187880,1188178

Description:

This update for azure-cli, azure-cli-core, python-azure-mgmt, python-azure-mgmt-billing, python-azure-mgmt-cdn, python-azure-mgmt-hdinsight, python-azure-mgmt-netapp, python-azure-mgmt-resource, python-azure-mgmt-synapse contains the following fixes:
Changes in python-azure-mgmt:

Remove all version constraints in Requires. (bsc#1187880, bsc#1188178)

Changes in azure-cli-core:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 2.16.0 + For detailed information about changes see the HISTORY.rst file provided with this package
Refresh patches for new version
Update Requires from setup.py + Temporarily use a vendored copy of azure-mgmt-resource

New upstream release + Version 2.15.0 + For detailed information about changes see the HISTORY.rst file provided with this package
Update Requires from setup.py

Changes in azure-cli:

Update in SLE-15 (bsc#1187880, bsc#1188178)

Add missing python3-azure-mgmt-resource dependency to Requires

New upstream release + Version 2.16.0 + For detailed information about changes see the HISTORY.rst file provided with this package
Update Requires from setup.py

New upstream release + Version 2.15.0 + For detailed information about changes see the HISTORY.rst file provided with this package
Update Requires from setup.py

Changes in python-azure-mgmt-billing:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 1.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package
Update Requires from setup.py

Changes in python-azure-mgmt-cdn:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 5.2.0 + For detailed information about changes see the CHANGELOG.md file provided with this package

Changes in python-azure-mgmt-hdinsight:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 2.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package

Changes in python-azure-mgmt-netapp:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 0.14.0 + For detailed information about changes see the CHANGELOG.md file provided with this package

Changes in python-azure-mgmt-resource:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 15.0.0 + For detailed information about changes see the CHANGELOG.md file provided with this package
Update Requires from setup.py

Changes in python-azure-mgmt-synapse:

Update in SLE-15 (bsc#1187880, bsc#1188178)

New upstream release + Version 0.5.0 + For detailed information about changes see the CHANGELOG.md file provided with this package

Advisory ID	SUSE-SU-2021:3521-1
Released	Tue Oct 26 15:38:44 2021
Summary	Security update for ffmpeg
Type	security
Severity	moderate
References	1186756,1187852,1189166,1190718,1190719,1190722,1190723,1190726,1190729,1190733,1190734,1190735,CVE-2020-20891,CVE-2020-20892,CVE-2020-20895,CVE-2020-20896,CVE-2020-20899,CVE-2020-20902,CVE-2020-22037,CVE-2020-35965,CVE-2021-3566,CVE-2021-38092,CVE-2021-38093,CVE-2021-38094

Description:

This update for ffmpeg fixes the following issues:

CVE-2021-3566: Fixed information leak (bsc#1189166).
CVE-2021-38093: Fixed integer overflow vulnerability in filter_robert() (bsc#1190734)
CVE-2021-38092: Fixed integer overflow vulnerability in filter_prewitt() (bsc#1190733)
CVE-2021-38094: Fixed integer overflow vulnerability in filter_sobel() (bsc#1190735)
CVE-2020-22037: Fixed denial of service vulnerability caused by memory leak in avcodec_alloc_context3() (bsc#1186756)
CVE-2020-35965: Fixed out-of-bounds write in decode_frame() (bsc#1187852)
CVE-2020-20892: Fixed an issue with filter_frame() (bsc#1190719)
CVE-2020-20891: Fixed a buffer overflow vulnerability in config_input() (bsc#1190718)
CVE-2020-20895: Fixed a buffer overflow vulnerability in function filter_vertically_##name (bsc#1190722)
CVE-2020-20896: Fixed an issue with latm_write_packet() (bsc#1190723)
CVE-2020-20899: Fixed a buffer overflow vulnerability in config_props() (bsc#1190726)
CVE-2020-20902: Fixed an out-of-bounds read vulnerabilit long_term_filter() (bsc#1190729)

Advisory ID	SUSE-SU-2021:3522-1
Released	Tue Oct 26 15:39:29 2021
Summary	Security update for apache2
Type	security
Severity	important
References	1190666,1190669,1190702,1190703,CVE-2021-34798,CVE-2021-36160,CVE-2021-39275,CVE-2021-40438

Description:

This update for apache2 fixes the following issues:

CVE-2021-40438: Fixed a SRF via a crafted request uri-path. (bsc#1190703)
CVE-2021-36160: Fixed an out-of-bounds read via a crafted request uri-path. (bsc#1190702)
CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)

Advisory ID	SUSE-SU-2021:3527-1
Released	Tue Oct 26 17:03:06 2021
Summary	Security update for wireguard-tools
Type	security
Severity	moderate
References	1191224

Description:

This update for wireguard-tools fixes the following issues:

Removed world-readable permissions from /etc/wireguard (bsc#1191224)

Advisory ID	SUSE-SU-2021:3529-1
Released	Wed Oct 27 09:23:32 2021
Summary	Security update for pcre
Type	security
Severity	moderate
References	1172973,1172974,CVE-2019-20838,CVE-2020-14155

Description:

This update for pcre fixes the following issues:
Update pcre to version 8.45:

CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

Advisory ID	SUSE-SU-2021:3530-1
Released	Wed Oct 27 09:24:29 2021
Summary	Security update for dnsmasq
Type	security
Severity	moderate
References	1173646,1180914,1183709,CVE-2020-14312,CVE-2021-3448

Description:

This update for dnsmasq fixes the following issues:
Update to version 2.86

CVE-2021-3448: fixed outgoing port used when --server is used with an interface name. (bsc#1183709)
CVE-2020-14312: Set --local-service by default (bsc#1173646).
Open inotify socket only when used (bsc#1180914).

Advisory ID	SUSE-SU-2021:3531-1
Released	Wed Oct 27 10:07:33 2021
Summary	Security update for busybox
Type	security
Severity	important
References	1099260,1099263,1121426,1184522,951562,CVE-2011-5325,CVE-2018-1000500,CVE-2018-1000517,CVE-2018-20679,CVE-2021-28831

Description:

This update for busybox fixes the following issues:

CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
CVE-2018-1000517: Fixed buffer overflow in the retrieve_file_data() (bsc#1099260).
CVE-2011-5325: Fixed a directory traversal related to 'tar' command (bsc#951562).
CVE-2018-1000500: Fixed missing SSL certificate validation related to the 'wget' command (bsc#1099263).

Advisory ID	SUSE-RU-2021:3532-1
Released	Wed Oct 27 10:11:20 2021
Summary	Recommended update for pmdk
Type	recommended
Severity	important
References	1191339

Description:

This update for pmdk fixes the following issues:

Fixed an issue when 'PMDK' causes data corruption on power failure. (bsc#1191339)

Advisory ID	SUSE-RU-2021:3534-1
Released	Wed Oct 27 10:40:02 2021
Summary	Recommended update for pacemaker
Type	recommended
Severity	moderate
References	1190821

Description:

This update for pacemaker fixes the following issues:

Drop unformatted log message about log permissions. (bsc#1190821)

Advisory ID	SUSE-RU-2021:3536-1
Released	Wed Oct 27 10:40:13 2021
Summary	Recommended update for yast2-storage-ng
Type	recommended
Severity	low
References	1187270,1191109,1191347

Description:

This update for yast2-storage-ng fixes the following issues:

Fix desktop file so the control center tooltip is translated. (bsc#1187270)
Recommend to install libyui-qt-graph package in order to offer the View/Device Graphs menu option. (bsc#1191109)
Fix (un)masking systemd units by using the systemctl --plain flag. (bsc#1191347).

Advisory ID	SUSE-RU-2021:3538-1
Released	Wed Oct 27 10:40:32 2021
Summary	Recommended update for iproute2
Type	recommended
Severity	moderate
References	1160242

Description:

This update for iproute2 fixes the following issues:

Follow-up fixes backported from upstream. (bsc#1160242)

Advisory ID	SUSE-RU-2021:3542-1
Released	Wed Oct 27 11:44:39 2021
Summary	Recommended update for openscap
Type	recommended
Severity	moderate
References	1186735

Description:

This update for openscap fixes the following issues:

Since upstream has moved to Python 3, switch the BuildRequires from 'python-devel' to 'python3-devel'.
Add definitions for SUSE Linux Enterprise Server, SUSE Linux Enterprise Desktop, openSUSE Tumbleweed, openSUSE Leap and Fedora to the CPE dictionary. (bsc#1186735)
Add updated definitions for openSUSE Tumbleweed, openSUSE Leap and Wind River Linux using the Open Vulnerability and Assessment Language. (bsc#1186735)

openscap 1.3.5 - New features - Made 'schematron-based' validation enabled by default for validate command of 'oval' and 'xccdf' modules - Added SCAP 1.3 source data stream Schematron - Added XML Signature Validation - Added '--enforce-signature' option for eval, guide, and fix modules - Added entity support (OVAL/yamlfilecontent) - Allowed to clamp mtime to SOURCE_DATE_EPOCH - Added severity and role attributes - Added support for requires/conflicts elements of the Rule and Group (XCCDF) - Added Kubernetes remediation to HTML report - Maintenance, bug fix - Fixed CMake warnings - Made 'gpfs', 'proc' and 'sysfs' filesystems non-local - Fixed handling of '--arg=val'-styled common options - Documented used environment variables - Updated man page and help texts - Added '--skip-validation' option synonym for '--skip-valid' - Fixed behavior of StateType operator - Fixed coverity warnings - Ignoring namespace in XPath expressions - Fixed how 'oval_probe_ext_eval' checks absence of the response from the probe (obtrusive data warning) - Described SWID tags detection - Improved documentation about '--stig-viewer' option - File probe behaviour fixed (symlink traversal now behaves as defined by OVAL) - Fixed multiple segfaults and broken test in '--stig-viewer' feature - Added dpkg version comparison algorithm - Fixed 'TestResult/benchmark/@href' attribute - Fixed memory allocation - Fixed field names for cases where key selection section is followed by a set section (probes/yamfilecontent) - Changing hard coded libperl path in favor of FindPerlLibs method - Check local filesystems when using 'filepath' element

Advisory ID	SUSE-RU-2021:3543-1
Released	Wed Oct 27 13:12:40 2021
Summary	Recommended update for system-role-common-criteria
Type	recommended
Severity	moderate
References

Description:

This update for system-role-common-criteria ships it to the Server Applications Module.

Advisory ID	SUSE-RU-2021:3545-1
Released	Wed Oct 27 14:46:39 2021
Summary	Recommended update for less
Type	recommended
Severity	low
References	1190552

Description:

This update for less fixes the following issues:

Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552)

Advisory ID	SUSE-RU-2021:3551-1
Released	Wed Oct 27 15:27:49 2021
Summary	Recommended update for SUSE Manager 4.2.3 Release Notes
Type	recommended
Severity	low
References	1171520,1181223,1187572,1187998,1188315,1188977,1189260,1189422,1189609,1189799,1189818,1189933,1190040,1190123,1190151,1190164,1190166,1190265,1190275,1190276,1190300,1190396,1190405,1190455,1190512,1190602,1190751,1190820,1191123,1191139,1191348,1191551,CVE-2021-21996,CVE-2021-40348

Description:

This update for SUSE Manager 4.2.3 Release Notes provides the following additions:
Release notes for SUSE Manager:

Update to 4.2.3 - aarch64 support for CentOS 7/8, Oracle Linux 7/8, Rocky Linux 8, AlmaLinux 8, Amazon Linux 2 and openSUSE Leap 15.3 - Package Locking features is now available for Salt Minions - New XMLRPC API methods for SaltKey - Bugs mentioned: bsc#1171520, bsc#1181223, bsc#1187572, bsc#1187998, bsc#1188315, bsc#1188977, bsc#1189260, bsc#1189422, bsc#1189609, bsc#1189799, bsc#1189818, bsc#1189933, bsc#1190040, bsc#1190123, bsc#1190151, bsc#1190164, bsc#1190166, bsc#1190265, bsc#1190275, bsc#1190276, bsc#1190300, bsc#1190396, bsc#1190405, bsc#1190455, bsc#1190512, bsc#1190602, bsc#1190751, bsc#1190820, bsc#1191123, bsc#1191139, bsc#1191348, bsc#1191551, CVE-2021-40348, CVE-2021-21996

Release notes for SUSE Manager proxy:

Update to 4.2.3 - Bugs mentioned: bsc#1171520, bsc#1181223, bsc#1187998, bsc#1188315, bsc#1188977, bsc#1190405, bsc#1190512, bsc#1190602, bsc#1190751, bsc#1190820, bsc#1191348

Advisory ID	SUSE-SU-2021:3557-1
Released	Wed Oct 27 15:29:15 2021
Summary	Security update for salt
Type	security
Severity	moderate
References	1190265,CVE-2021-21996

Description:

This update for salt fixes the following issues:

CVE-2021-21996: Exclude the full path of a download URL to prevent injection of malicious code. (bsc#1190265)

Advisory ID	SUSE-RU-2021:3564-1
Released	Wed Oct 27 16:12:08 2021
Summary	Recommended update for rpm-config-SUSE
Type	recommended
Severity	moderate
References	1190850

Description:

This update for rpm-config-SUSE fixes the following issues:

Support ZSTD compressed kernel modules. (bsc#1190850)

Advisory ID	SUSE-RU-2021:3568-1
Released	Thu Oct 28 09:27:52 2021
Summary	Recommended update for crmsh
Type	recommended
Severity	moderate
References	1191508

Description:

This update for crmsh fixes the following issues:

Update to parse lifetime option correctly in ui_resource (bsc#1191508)

Advisory ID	SUSE-RU-2021:3569-1
Released	Thu Oct 28 09:28:43 2021
Summary	Recommended update for orarun
Type	recommended
Severity	moderate
References	1191350

Description:

This update for orarun fixes the following issues:

Fixed warning messages, changed $ORACLE_HOME to $ORACLE_BASE/product/21c in oracle.sh (bsc#1191350)

Advisory ID	SUSE-RU-2021:3570-1
Released	Thu Oct 28 09:30:54 2021
Summary	Recommended update for yast2-installation
Type	recommended
Severity	moderate
References	1191160

Description:

This update for yast2-installation fixes the following issues:

Fix file copying when using relurl:// and file:// naming schemes (bsc#1191160)

Advisory ID	SUSE-RU-2021:3571-1
Released	Thu Oct 28 09:32:19 2021
Summary	Recommended update for postfix
Type	recommended
Severity	moderate
References	1190945

Description:

This update for postfix fixes the following issues:

Adapt config.postfix to filter out lmdb files from the alias maps (bsc#1190945)

Advisory ID	SUSE-RU-2021:3573-1
Released	Thu Oct 28 09:36:05 2021
Summary	Recommended update for yast2-theme
Type	recommended
Severity	moderate
References	1176164,1191830

Description:

This update for yast2-theme fixes the following issues:

Remove unnecesary rej file and add icon for Budgie pattern (bsc#1191830, bsc#1176164)

Advisory ID	SUSE-RU-2021:3574-1
Released	Thu Oct 28 12:50:07 2021
Summary	Recommended update for rpmlint
Type	recommended
Severity	moderate
References	1190790,1191821

Description:

This update for rpmlint fixes the following issues:

whitelisting of systemd-od (bsc#1191821) and pam_u2f (bsc#1190790 jsc#SLE-21888)

Advisory ID	SUSE-RU-2021:3578-1
Released	Fri Oct 29 11:36:22 2021
Summary	Recommended update for migrate-sles-to-sles4sap
Type	recommended
Severity	moderate
References	1189481

Description:

This update for migrate-sles-to-sles4sap fixes the following issues:

migrate-sles-to-sles4sap package has dependency perl-XML-Twig that is not installed. (bsc#1189481)

Advisory ID	SUSE-RU-2021:3579-1
Released	Fri Oct 29 14:56:48 2021
Summary	Recommended update for cloud-regionsrv-client
Type	recommended
Severity	moderate
References	1182026,1189362

Description:

This update for cloud-regionsrv-client fixes the following issues:

Avoid race confition with ca-certificates. (bsc#1189362) + Make the service run after ca-sertificates is done + Attempt multiple times to update the trust chain

New package to enable/disable access due to AHB. (bsc#1182026, jsc#SLE-21246, jsc#SLE-21247, jsc#SLE-21248, jsc#SLE-21249)

Advisory ID	SUSE-RU-2021:3581-1
Released	Fri Oct 29 16:09:23 2021
Summary	Recommended update for SUSEConnect
Type	recommended
Severity	important
References

Description:

This update for SUSEConnect contains the following fix:

Update to 0.3.32: - Allow --regcode and --instance-data attributes at the same time. (jsc#PCT-164) - Document that 'debug' can also get set in the config file - --status will also print the subscription name

Advisory ID	SUSE-SU-2021:3584-1
Released	Fri Oct 29 16:27:43 2021
Summary	Security update for transfig
Type	security
Severity	important
References	1189325,1189343,1189345,1189346,1190607,1190611,1190612,1190615,1190616,1190617,1190618,1192019,CVE-2020-21529,CVE-2020-21530,CVE-2020-21531,CVE-2020-21532,CVE-2020-21533,CVE-2020-21534,CVE-2020-21535,CVE-2020-21680,CVE-2020-21681,CVE-2020-21682,CVE-2020-21683,CVE-2021-32280

Description:

This update for transfig fixes the following issues:
Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)

bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c

Advisory ID	SUSE-RU-2021:3587-1
Released	Fri Oct 29 19:30:13 2021
Summary	Recommended update for yast2-country
Type	recommended
Severity	moderate
References	1187857,1189461

Description:

This update for yast2-country fixes the following issues:

Move the keyboards database to lib/ to make the module compatible with the self-update mechanism. (bsc#1189461)
Use official China timezone Asia/Shanghai. (bsc#1187857)

Advisory ID	SUSE-RU-2021:3590-1
Released	Tue Nov 2 06:24:39 2021
Summary	Recommended update for libyui
Type	recommended
Severity	moderate
References	1191130

Description:

This update for libyui fixes the following issues:

Fixed crash in NCurses online update when retracted packages are present (bsc#1191130)

Advisory ID	SUSE-RU-2021:3591-1
Released	Tue Nov 2 06:26:33 2021
Summary	Recommended update for man-pages
Type	recommended
Severity	moderate
References	1185534

Description:

This update for man-pages fixes the following issues:

Added missing manual entry for kernel_lockdown in section 7 (bsc#1185534)

Advisory ID	SUSE-RU-2021:3596-1
Released	Wed Nov 3 08:32:54 2021
Summary	Recommended update for libyui-ncurses-pkg
Type	recommended
Severity	moderate
References	1191130

Description:

This update for libyui-ncurses-pkg fixes the following issues:

Fixed crash in NCurses online update when retracted packages are present (bsc#1191130)

Advisory ID	SUSE-RU-2021:3599-1
Released	Wed Nov 3 10:29:54 2021
Summary	Recommended update for postgresql, postgresql13, postgresql14
Type	recommended
Severity	moderate
References

Description:

This update for postgresql, postgresql13, postgresql14 fixes the following issues:
This update ships postgresql14. (jsc#SLE-20675 jsc#SLE-20676)
Feature changes in postgresql14:

https://www.postgresql.org/about/news/postgresql-14-released-2318/
https://www.postgresql.org/docs/14/release-14.html

Changes in postgresql13:

Stop building the mini and lib packages as they are now coming from postgresql14.

Changes in postgresql:

Bump version to 14, leave default at 12.

Advisory ID	SUSE-RU-2021:3600-1
Released	Wed Nov 3 10:31:11 2021
Summary	Recommended update for postgresql
Type	recommended
Severity	moderate
References

Description:

This update for postgresql fixes the following issues:

Bump version to 14, leave default at 13.

Advisory ID	SUSE-SU-2021:3603-1
Released	Wed Nov 3 14:58:13 2021
Summary	Security update for webkit2gtk3
Type	security
Severity	important
References	1191937,CVE-2021-42762

Description:

This update for webkit2gtk3 fixes the following issues:

CVE-2021-42762: Updated seccomp rules with latest changes from flatpak (bsc#1191937).

Advisory ID	SUSE-SU-2021:3605-1
Released	Wed Nov 3 14:59:32 2021
Summary	Security update for qemu
Type	security
Severity	important
References	1189234,1189702,1189938,1190425,CVE-2021-3713,CVE-2021-3748

Description:

This update for qemu fixes the following issues:
Security issues fixed:

CVE-2021-3713: Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702)
CVE-2021-3748: Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938)

Non-security issues fixed:

Add transfer length item in block limits page of scsi vpd (bsc#1190425)
Fix qemu crash while deleting xen-block (bsc#1189234)

Advisory ID	SUSE-RU-2021:3606-1
Released	Wed Nov 3 15:12:47 2021
Summary	Recommended update for release-notes-sles
Type	recommended
Severity	moderate
References	1183906,1186099,1188302,1189989,1190394,933411

Description:

This update for release-notes-sles fixes the following issues:

15.3.20211025 (tracked in bsc#933411)
Added note about NVMe-oF TCP support (bsc#1190394)
Added note about manual pages (bsc#1188302)
Added keepalived to support exceptions (bsc#1183906)
Updated note about support information (bsc#1189989)
Updated SELinux note to include warning (bsc#1186099)

Advisory ID	SUSE-RU-2021:3609-1
Released	Wed Nov 3 16:41:33 2021
Summary	Recommended update for autoyast2
Type	recommended
Severity	low
References	1191968

Description:

This update for autoyast2 fixes the following issues:

Add the 'keep_unknown_lv' element to the partitioning schema. (bsc#1191968)

Advisory ID	SUSE-SU-2021:3616-1
Released	Thu Nov 4 12:29:16 2021
Summary	Security update for binutils
Type	security
Severity	moderate
References	1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487

Description:

This update for binutils fixes the following issues:
Update to binutils 2.37:

The GNU Binutils sources now requires a C99 compiler and library to build.
Support for Realm Management Extension (RME) for AArch64 has been added.
A new linker option '-z report-relative-reloc' for x86 ELF targets has been added to report dynamic relative relocations.
A new linker option '-z start-stop-gc' has been added to disable special treatment of __start_*/__stop_* references when --gc-sections.
A new linker options '-Bno-symbolic' has been added which will cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
The readelf tool has a new command line option which can be used to specify how the numeric values of symbols are reported. --sym-base=0|8|10|16 tells readelf to display the values in base 8, base 10 or base 16. A sym base of 0 represents the default action of displaying values under 10000 in base 10 and values above that in base 16.
A new format has been added to the nm program. Specifying '--format=just-symbols' (or just using -j) will tell the program to only display symbol names and nothing else.
A new command line option '--keep-section-symbols' has been added to objcopy and strip. This stops the removal of unused section symbols when the file is copied. Removing these symbols saves space, but sometimes they are needed by other tools.
The '--weaken', '--weaken-symbol' and '--weaken-symbols' options supported by objcopy now make undefined symbols weak on targets that support weak symbols.
Readelf and objdump can now display and use the contents of .debug_sup sections.
Readelf and objdump will now follow links to separate debug info files by default. This behaviour can be stopped via the use of the new '-wN' or '--debug-dump=no-follow-links' options for readelf and the '-WN' or '--dwarf=no-follow-links' options for objdump. Also the old behaviour can be restored by the use of the '--enable-follow-debug-links=no' configure time option.

The semantics of the =follow-links option have also been slightly changed. When enabled, the option allows for the loading of symbol tables and string tables from the separate files which can be used to enhance the information displayed when dumping other sections, but it does not automatically imply that information from the separate files should be displayed.
If other debug section display options are also enabled (eg '--debug-dump=info') then the contents of matching sections in both the main file and the separate debuginfo file *will* be displayed. This is because in most cases the debug section will only be present in one of the files.
If however non-debug section display options are enabled (eg '--sections') then the contents of matching parts of the separate debuginfo file will *not* be displayed. This is because in most cases the user probably only wanted to load the symbol information from the separate debuginfo file. In order to change this behaviour a new command line option --process-links can be used. This will allow di0pslay options to applied to both the main file and any separate debuginfo files.

Nm has a new command line option: '--quiet'. This suppresses 'no symbols' diagnostic.

Update to binutils 2.36:
New features in the Assembler:

General:

* When setting the link order attribute of ELF sections, it is now possible to use a numeric section index instead of symbol name. * Added a .nop directive to generate a single no-op instruction in a target neutral manner. This instruction does have an effect on DWARF line number generation, if that is active. * Removed --reduce-memory-overheads and --hash-size as gas now uses hash tables that can be expand and shrink automatically.

X86/x86_64:

* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key Locker instructions. * Support non-absolute segment values for lcall and ljmp. * Add {disp16} pseudo prefix to x86 assembler. * Configure with --enable-x86-used-note by default for Linux/x86.

ARM/AArch64:

* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1, Cortex-R82, Neoverse V1, and Neoverse N2 cores. * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call Stack Recorder Extension) and BRBE (Branch Record Buffer Extension) system registers. * Add support for Armv8-R and Armv8.7-A ISA extensions. * Add support for DSB memory nXS barrier, WFET and WFIT instruction for Armv8.7. * Add support for +csre feature for -march. Add CSR PDEC instruction for CSRE feature in AArch64. * Add support for +flagm feature for -march in Armv8.4 AArch64. * Add support for +ls64 feature for -march in Armv8.7 AArch64. Add atomic 64-byte load/store instructions for this feature. * Add support for +pauth (Pointer Authentication) feature for -march in AArch64.
New features in the Linker:
* Add --error-handling-script= command line option to allow a helper script to be invoked when an undefined symbol or a missing library is encountered. This option can be suppressed via the configure time switch: --enable-error-handling-script=no. * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark x86-64-{baseline|v[234]} ISA level as needed. * Add -z unique-symbol to avoid duplicated local symbol names. * The creation of PE format DLLs now defaults to using a more secure set of DLL characteristics. * The linker now deduplicates the types in .ctf sections. The new command-line option --ctf-share-types describes how to do this: its default value, share-unconflicted, produces the most compact output. * The linker now omits the 'variable section' from .ctf sections by default, saving space. This is almost certainly what you want unless you are working on a project that has its own analogue of symbol tables that are not reflected in the ELF symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for specifying dependencies of a static library. The arguments of this option (or --record-libdeps long form option) will be stored verbatim in the __.LIBDEP member of the archive, which the linker may read at link time. * Readelf can now display the contents of LTO symbol table sections when asked to do so via the --lto-syms command line option. * Readelf now accepts the -C command line option to enable the demangling of symbol names. In addition the --demangle=