SUSE Container Update Advisory: suse/hpc/warewulf4-x86_64/sle-hpc-node ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2024:3128-1 Container Tags : suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6 , suse/hpc/warewulf4-x86_64/sle-hpc-node:15.6.17.5.5 , suse/hpc/warewulf4-x86_64/sle-hpc-node:latest Container Release : 17.5.5 Severity : critical Type : security References : 1012628 1029961 1029961 1029961 1029961 1029961 1040589 1040589 1044232 1047178 1047218 1059627 1065729 1078466 1079603 1082216 1082233 1084812 1084842 1087072 1087550 1089497 1089883 1091109 1092100 1094222 1096974 1096984 1097410 1098697 1100077 1101023 1101797 1102564 1103320 1103320 1105435 1106014 1106873 1107342 1107342 1108468 1110700 1112780 1113013 1114407 1114592 1115640 1115929 1116021 1117001 1117260 1119069 1119105 1119496 1119687 1120610 1120610 1120862 1121753 1123043 1124223 1125410 1126117 1126118 1126119 1126377 1127544 1127840 1130325 1130326 1130496 1130496 1131060 1131686 1133581 1134524 1134659 1135254 1138731 1138731 1138767 1141157 1141322 1141322 1141883 1141897 1142343 1142470 1142649 1142654 1142847 1144923 1146705 1148517 1149145 1149995 1150114 1150130 1150137 1152590 1152692 1154036 1154037 1154247 1154661 1154884 1154887 1155271 1155327 1156913 1157805 1157818 1157960 1158527 1158812 1158830 1158830 1158830 1158958 1158959 1158960 1159104 1159491 1159715 1159819 1159819 1159847 1159850 1160171 1160309 1160438 1160439 1164550 1164562 1164569 1164719 1166334 1166510 1166510 1166881 1167898 1168345 1168865 1169444 1169512 1169668 1169746 1170160 1170247 1170347 1170347 1170838 1171978 1172091 1172115 1172156 1172234 1172236 1172240 1172798 1172846 1172973 1172974 1173034 1173391 1173474 1173475 1173641 1173972 1174227 1174230 1174593 1174673 1174697 1174753 1174817 1175168 1175448 1175449 1175519 1175825 1175989 1176123 1176206 1176285 1176325 1176384 1176756 1176759 1176899 1176932 1176934 1177039 1177047 1177179 1177747 
1177858 1177864 1177914 1177977 1178331 1178332 1178407 1178481 1178577 1178624 1178675 1178727 1178775 1179020 1179382 1180020 1180083 1180138 1180596 1180603 1180603 1180713 1181011 1181131 1181131 1181411 1181443 1181475 1181674 1181831 1181967 1181976 1181994 1182016 1182604 1182661 1182959 1183012 1183051 1183094 1183942 1184124 1184124 1184124 1184358 1185116 1185116 1185183 1185208 1185232 1185232 1185261 1185261 1185417 1185441 1185441 1185464 1185540 1185562 1185621 1185882 1185961 1186049 1186282 1186642 1186642 1186791 1186827 1186827 1187071 1187071 1187153 1187260 1187260 1187273 1187332 1187386 1187654 1187696 1187716 1188006 1188348 1188441 1188500 1188623 1188891 1189495 1189683 1189802 1189996 1190052 1190447 1190793 1190858 1191175 1191546 1191546 1191546 1191546 1191987 1192014 1192079 1192079 1192080 1192080 1192086 1192086 1192087 1192087 1192228 1192228 1192449 1192717 1192862 1192951 1193282 1193282 1193489 1193599 1193659 1194047 1194172 1194172 1194522 1194557 1194679 1194845 1194869 1195149 1195283 1195391 1195468 1195628 1195654 1195773 1195792 1195856 1196025 1196026 1196093 1196107 1196168 1196169 1196171 1196275 1196406 1196494 1196495 1196647 1196647 1196784 1196861 1197024 1197065 1197293 1197718 1197771 1197794 1198062 1198101 1198165 1198176 1198458 1198486 1198486 1198504 1198627 1198720 1198752 1198823 1198830 1198832 1198922 1198980 1198980 1198980 1199079 1199093 1199140 1199140 1199232 1199467 1199492 1199652 1199944 1200027 1200027 1200278 1200334 1200441 1200441 1200624 1200657 1200657 1200747 1200791 1200800 1200802 1200855 1201066 1201298 1201298 1201298 1201298 1201384 1201385 1201519 1201590 1201680 1201783 1202118 1202118 1202120 1202436 1202436 1202436 1202645 1202853 1202868 1202870 1202870 1202870 1203018 1203438 1203600 1203911 1204111 1204112 1204113 1204272 1204397 1204562 1204690 1204706 1204708 1204729 1204729 1204844 1205161 1205588 1205588 1205604 1205855 1206134 1206212 1206337 1206346 1206346 1206346 1206412 
1206480 1206480 1206622 1206684 1206684 1206798 1207038 1207209 1207753 1207778 1207789 1207948 1208079 1208138 1208242 1208270 1208271 1208272 1208593 1208999 1209030 1209122 1209122 1209531 1209627 1209657 1210004 1210382 1210382 1210418 1210419 1210434 1210557 1210557 1210660 1210702 1210959 1210996 1210999 1211078 1211256 1211257 1211272 1211418 1211419 1211427 1211427 1211461 1211721 1211886 1212101 1212101 1212126 1212475 1212475 1212475 1212475 1212475 1212475 1212475 1212475 1213240 1213573 1213638 1213915 1213915 1213945 1214025 1214052 1214052 1214052 1214140 1214248 1214290 1214460 1214460 1214535 1214768 1214852 1214922 1214924 1214925 1214934 1214980 1215004 1215005 1215006 1215033 1215098 1215099 1215100 1215101 1215102 1215103 1215199 1215265 1215377 1215427 1215434 1215434 1215496 1215940 1216001 1216129 1216167 1216196 1216198 1216358 1216378 1216410 1216591 1216664 1216696 1216702 1216717 1216752 1216862 1217000 1217169 1217215 1217237 1217316 1217320 1217321 1217324 1217326 1217329 1217330 1217384 1217408 1217432 1217450 1217489 1217667 1217750 1217959 1217964 1217969 1217979 1218014 1218205 1218215 1218232 1218336 1218447 1218475 1218492 1218571 1218571 1218609 1218668 1218686 1218779 1218917 1218926 1219031 1219104 1219108 1219123 1219123 1219170 1219189 1219189 1219238 1219321 1219460 1219520 1219547 1219559 1219576 1219581 1219596 1219623 1219834 1219855 1220021 1220045 1220061 1220117 1220120 1220148 1220328 1220342 1220428 1220430 1220569 1220587 1220724 1220763 1220783 1220915 1221044 1221101 1221184 1221239 1221289 1221293 1221303 1221361 1221361 1221407 1221482 1221504 1221612 1221615 1221632 1221635 1221645 1221649 1221765 1221777 1221783 1221816 1221829 1221830 1221831 1221858 1222048 1222079 1222086 1222173 1222259 1222264 1222273 1222294 1222301 1222303 1222304 1222307 1222357 1222366 1222368 1222371 1222378 1222385 1222422 1222426 1222428 1222437 1222445 1222459 1222464 1222489 1222522 1222525 1222532 1222547 1222557 1222559 1222563 
1222585 1222596 1222606 1222608 1222613 1222615 1222618 1222622 1222624 1222627 1222630 1222635 1222721 1222727 1222769 1222771 1222775 1222777 1222780 1222782 1222793 1222799 1222801 1222849 1222968 1223007 1223011 1223015 1223020 1223023 1223024 1223033 1223034 1223035 1223038 1223039 1223041 1223045 1223046 1223051 1223052 1223058 1223060 1223061 1223076 1223077 1223111 1223113 1223138 1223143 1223187 1223189 1223190 1223191 1223198 1223202 1223278 1223285 1223315 1223338 1223369 1223380 1223384 1223390 1223428 1223430 1223439 1223462 1223532 1223539 1223575 1223590 1223591 1223592 1223593 1223596 1223605 1223625 1223629 1223633 1223634 1223637 1223641 1223643 1223649 1223650 1223651 1223652 1223653 1223654 1223655 1223660 1223661 1223664 1223665 1223666 1223668 1223669 1223670 1223671 1223675 1223677 1223678 1223686 1223692 1223693 1223695 1223696 1223698 1223705 1223712 1223718 1223728 1223732 1223735 1223739 1223741 1223744 1223745 1223747 1223748 1223749 1223750 1223752 1223754 1223757 1223759 1223761 1223762 1223766 1223774 1223782 1223787 1223788 1223789 1223790 1223802 1223805 1223810 1223822 1223827 1223831 1223834 1223838 1223869 1223870 1223871 1223872 1223874 1223944 1223945 1223946 1223991 1224044 1224076 1224096 1224098 1224099 1224100 1224137 1224166 1224174 1224177 1224180 1224181 1224242 1224282 1224320 1224331 1224388 1224392 1224400 1224423 1224429 1224430 1224432 1224433 1224437 1224438 1224442 1224443 1224445 1224449 1224477 1224479 1224480 1224481 1224482 1224486 1224487 1224488 1224491 1224492 1224493 1224494 1224495 1224500 1224501 1224502 1224504 1224505 1224506 1224507 1224508 1224509 1224511 1224513 1224517 1224519 1224521 1224524 1224525 1224526 1224530 1224531 1224534 1224537 1224541 1224542 1224543 1224546 1224550 1224552 1224553 1224555 1224557 1224558 1224559 1224562 1224565 1224566 1224567 1224568 1224569 1224571 1224573 1224576 1224577 1224578 1224579 1224580 1224581 1224582 1224585 1224586 1224587 1224588 1224590 1224592 1224596 
1224598 1224600 1224601 1224602 1224603 1224605 1224607 1224608 1224609 1224611 1224613 1224615 1224617 1224618 1224620 1224621 1224622 1224623 1224624 1224626 1224627 1224628 1224629 1224630 1224632 1224633 1224634 1224636 1224637 1224638 1224639 1224640 1224643 1224644 1224645 1224646 1224647 1224648 1224649 1224650 1224651 1224652 1224653 1224654 1224657 1224660 1224663 1224664 1224665 1224666 1224667 1224668 1224671 1224672 1224674 1224675 1224676 1224677 1224678 1224679 1224680 1224681 1224682 1224683 1224685 1224686 1224687 1224688 1224692 1224696 1224697 1224699 1224701 1224703 1224704 1224705 1224706 1224707 1224709 1224710 1224712 1224714 1224716 1224717 1224718 1224719 1224720 1224721 1224722 1224723 1224725 1224727 1224728 1224729 1224730 1224731 1224732 1224733 1224736 1224738 1224739 1224740 1224741 1224742 1224747 1224749 1224763 1224764 1224765 1224766 1224790 1224792 1224793 1224803 1224804 1224866 1224877 1224936 1224989 1225007 1225053 1225133 1225134 1225136 1225172 1225291 1225307 1225502 1225551 1225578 1225579 1225580 1225593 1225598 1225605 1225607 1225610 1225616 1225618 1225640 1225642 1225692 1225694 1225695 1225696 1225698 1225699 1225704 1225705 1225708 1225710 1225712 1225714 1225715 1225720 1225722 1225728 1225734 1225735 1225736 1225747 1225748 1225749 1225750 1225756 1225765 1225766 1225769 1225771 1225773 1225775 1225842 1225904 1225945 1226158 1226415 1226642 1227186 1227187 1227318 1227333 1227350 1227429 928700 928701 953659 969953 CVE-2015-3414 CVE-2015-3415 CVE-2017-6512 CVE-2018-0495 CVE-2018-1000654 CVE-2018-10360 CVE-2018-10906 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12384 CVE-2018-12404 CVE-2018-12405 CVE-2018-17466 CVE-2018-17953 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18508 CVE-2018-19211 CVE-2018-19416 CVE-2018-19517 CVE-2018-20346 CVE-2018-20482 CVE-2018-20482 CVE-2018-6798 CVE-2018-6913 CVE-2018-6942 CVE-2019-11745 CVE-2019-12290 CVE-2019-13224 
CVE-2019-13225 CVE-2019-14250 CVE-2019-15847 CVE-2019-16163 CVE-2019-16167 CVE-2019-16168 CVE-2019-17006 CVE-2019-17006 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-19203 CVE-2019-19204 CVE-2019-19244 CVE-2019-19246 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19725 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-20838 CVE-2019-3880 CVE-2019-5021 CVE-2019-6706 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9923 CVE-2019-9923 CVE-2019-9936 CVE-2019-9937 CVE-2020-11501 CVE-2020-12399 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-13844 CVE-2020-14155 CVE-2020-15358 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15969 CVE-2020-15999 CVE-2020-24370 CVE-2020-24371 CVE-2020-25648 CVE-2020-26159 CVE-2020-6829 CVE-2020-8927 CVE-2020-9327 CVE-2021-20193 CVE-2021-20193 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-3521 CVE-2021-36690 CVE-2021-39537 CVE-2021-43618 CVE-2021-46828 CVE-2021-46848 CVE-2022-1271 CVE-2022-1348 CVE-2022-1586 CVE-2022-1664 CVE-2022-23491 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-28737 CVE-2022-28737 CVE-2022-28737 CVE-2022-29458 CVE-2022-31252 CVE-2022-31741 CVE-2022-31741 CVE-2022-3479 CVE-2022-35737 CVE-2022-40674 CVE-2022-41720 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-43680 CVE-2022-46908 CVE-2022-48303 CVE-2023-0160 CVE-2023-0767 CVE-2023-2004 CVE-2023-2137 CVE-2023-22652 CVE-2023-2426 CVE-2023-24532 CVE-2023-2602 CVE-2023-2603 CVE-2023-2609 CVE-2023-2610 CVE-2023-29491 CVE-2023-30078 CVE-2023-30079 CVE-2023-30630 CVE-2023-31484 CVE-2023-32181 CVE-2023-34969 CVE-2023-39615 CVE-2023-39804 CVE-2023-4016 CVE-2023-4039 CVE-2023-4039 CVE-2023-4039 
CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551 CVE-2023-4156 CVE-2023-45322 CVE-2023-45853 CVE-2023-45918 CVE-2023-46246 CVE-2023-46316 CVE-2023-4733 CVE-2023-4734 CVE-2023-4735 CVE-2023-4738 CVE-2023-4750 CVE-2023-4752 CVE-2023-4781 CVE-2023-48231 CVE-2023-48232 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237 CVE-2023-48706 CVE-2023-50495 CVE-2023-51385 CVE-2023-52425 CVE-2023-52434 CVE-2023-52458 CVE-2023-52472 CVE-2023-52503 CVE-2023-52616 CVE-2023-52618 CVE-2023-52631 CVE-2023-52635 CVE-2023-52640 CVE-2023-52641 CVE-2023-52645 CVE-2023-52652 CVE-2023-52653 CVE-2023-52654 CVE-2023-52655 CVE-2023-52657 CVE-2023-52658 CVE-2023-52659 CVE-2023-52660 CVE-2023-52661 CVE-2023-52662 CVE-2023-52663 CVE-2023-52664 CVE-2023-52667 CVE-2023-52669 CVE-2023-52670 CVE-2023-52671 CVE-2023-52673 CVE-2023-52674 CVE-2023-52675 CVE-2023-52676 CVE-2023-52678 CVE-2023-52679 CVE-2023-52680 CVE-2023-52681 CVE-2023-52683 CVE-2023-52685 CVE-2023-52686 CVE-2023-52687 CVE-2023-52690 CVE-2023-52691 CVE-2023-52692 CVE-2023-52693 CVE-2023-52694 CVE-2023-52695 CVE-2023-52696 CVE-2023-52697 CVE-2023-52698 CVE-2023-52771 CVE-2023-52772 CVE-2023-52860 CVE-2023-52882 CVE-2023-5344 CVE-2023-5388 CVE-2023-5441 CVE-2023-5535 CVE-2023-6238 CVE-2023-7042 CVE-2023-7207 CVE-2023-7207 CVE-2024-0639 CVE-2024-21823 CVE-2024-22099 CVE-2024-22365 CVE-2024-22667 CVE-2024-23848 CVE-2024-24861 CVE-2024-25062 CVE-2024-25739 CVE-2024-26601 CVE-2024-26611 CVE-2024-26614 CVE-2024-26632 CVE-2024-26638 CVE-2024-26642 CVE-2024-26643 CVE-2024-26650 CVE-2024-26654 CVE-2024-26656 CVE-2024-26657 CVE-2024-26671 CVE-2024-26673 CVE-2024-26674 CVE-2024-26679 CVE-2024-26684 CVE-2024-26685 CVE-2024-26692 CVE-2024-26704 CVE-2024-26714 CVE-2024-26726 CVE-2024-26731 CVE-2024-26733 CVE-2024-26737 CVE-2024-26739 CVE-2024-26740 CVE-2024-26742 CVE-2024-26760 CVE-2024-267600 CVE-2024-26761 CVE-2024-26764 CVE-2024-26769 CVE-2024-26772 CVE-2024-26773 CVE-2024-26774 
CVE-2024-26775 CVE-2024-26783 CVE-2024-26786 CVE-2024-26791 CVE-2024-26793 CVE-2024-26794 CVE-2024-26802 CVE-2024-26805 CVE-2024-26807 CVE-2024-26815 CVE-2024-26816 CVE-2024-26822 CVE-2024-26832 CVE-2024-26836 CVE-2024-26844 CVE-2024-26846 CVE-2024-26853 CVE-2024-26854 CVE-2024-26855 CVE-2024-26856 CVE-2024-26857 CVE-2024-26858 CVE-2024-26860 CVE-2024-26861 CVE-2024-26862 CVE-2024-26866 CVE-2024-26868 CVE-2024-26870 CVE-2024-26878 CVE-2024-26881 CVE-2024-26882 CVE-2024-26883 CVE-2024-26884 CVE-2024-26885 CVE-2024-26899 CVE-2024-26900 CVE-2024-26901 CVE-2024-26903 CVE-2024-26906 CVE-2024-26909 CVE-2024-26921 CVE-2024-26922 CVE-2024-26923 CVE-2024-26925 CVE-2024-26928 CVE-2024-26932 CVE-2024-26933 CVE-2024-26934 CVE-2024-26935 CVE-2024-26937 CVE-2024-26938 CVE-2024-26940 CVE-2024-26943 CVE-2024-26945 CVE-2024-26946 CVE-2024-26948 CVE-2024-26949 CVE-2024-26950 CVE-2024-26951 CVE-2024-26957 CVE-2024-26958 CVE-2024-26960 CVE-2024-26961 CVE-2024-26962 CVE-2024-26963 CVE-2024-26964 CVE-2024-26972 CVE-2024-26973 CVE-2024-26978 CVE-2024-26981 CVE-2024-26982 CVE-2024-26983 CVE-2024-26984 CVE-2024-26986 CVE-2024-26988 CVE-2024-26989 CVE-2024-26990 CVE-2024-26991 CVE-2024-26992 CVE-2024-26993 CVE-2024-26994 CVE-2024-26995 CVE-2024-26996 CVE-2024-26997 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001 CVE-2024-27002 CVE-2024-27003 CVE-2024-27004 CVE-2024-27008 CVE-2024-27013 CVE-2024-27014 CVE-2024-27022 CVE-2024-27027 CVE-2024-27028 CVE-2024-27029 CVE-2024-27030 CVE-2024-27031 CVE-2024-27036 CVE-2024-27046 CVE-2024-27056 CVE-2024-27057 CVE-2024-27062 CVE-2024-27067 CVE-2024-27080 CVE-2024-27388 CVE-2024-27389 CVE-2024-27393 CVE-2024-27395 CVE-2024-27396 CVE-2024-27398 CVE-2024-27399 CVE-2024-27400 CVE-2024-27401 CVE-2024-27405 CVE-2024-27408 CVE-2024-27410 CVE-2024-27411 CVE-2024-27412 CVE-2024-27413 CVE-2024-27416 CVE-2024-27417 CVE-2024-27418 CVE-2024-27431 CVE-2024-27432 CVE-2024-27434 CVE-2024-27435 CVE-2024-27436 CVE-2024-28085 CVE-2024-28757 CVE-2024-32487 CVE-2024-34397 
CVE-2024-34459 CVE-2024-35784 CVE-2024-35786 CVE-2024-35788 CVE-2024-35789 CVE-2024-35790 CVE-2024-35791 CVE-2024-35794 CVE-2024-35795 CVE-2024-35796 CVE-2024-35799 CVE-2024-35800 CVE-2024-35801 CVE-2024-35803 CVE-2024-35804 CVE-2024-35806 CVE-2024-35808 CVE-2024-35809 CVE-2024-35810 CVE-2024-35811 CVE-2024-35812 CVE-2024-35813 CVE-2024-35814 CVE-2024-35815 CVE-2024-35817 CVE-2024-35819 CVE-2024-35821 CVE-2024-35822 CVE-2024-35823 CVE-2024-35824 CVE-2024-35825 CVE-2024-35828 CVE-2024-35829 CVE-2024-35830 CVE-2024-35833 CVE-2024-35834 CVE-2024-35835 CVE-2024-35836 CVE-2024-35837 CVE-2024-35838 CVE-2024-35841 CVE-2024-35842 CVE-2024-35845 CVE-2024-35847 CVE-2024-35849 CVE-2024-35850 CVE-2024-35851 CVE-2024-35852 CVE-2024-35854 CVE-2024-35860 CVE-2024-35861 CVE-2024-35862 CVE-2024-35863 CVE-2024-35864 CVE-2024-35865 CVE-2024-35866 CVE-2024-35867 CVE-2024-35868 CVE-2024-35869 CVE-2024-35870 CVE-2024-35872 CVE-2024-35875 CVE-2024-35877 CVE-2024-35878 CVE-2024-35879 CVE-2024-35883 CVE-2024-35885 CVE-2024-35887 CVE-2024-35889 CVE-2024-35891 CVE-2024-35895 CVE-2024-35901 CVE-2024-35903 CVE-2024-35904 CVE-2024-35905 CVE-2024-35907 CVE-2024-35909 CVE-2024-35911 CVE-2024-35912 CVE-2024-35914 CVE-2024-35915 CVE-2024-35916 CVE-2024-35917 CVE-2024-35921 CVE-2024-35922 CVE-2024-35924 CVE-2024-35927 CVE-2024-35928 CVE-2024-35930 CVE-2024-35931 CVE-2024-35932 CVE-2024-35933 CVE-2024-35935 CVE-2024-35936 CVE-2024-35937 CVE-2024-35938 CVE-2024-35940 CVE-2024-35943 CVE-2024-35944 CVE-2024-35945 CVE-2024-35946 CVE-2024-35947 CVE-2024-35950 CVE-2024-35951 CVE-2024-35952 CVE-2024-35953 CVE-2024-35954 CVE-2024-35955 CVE-2024-35956 CVE-2024-35958 CVE-2024-35959 CVE-2024-35960 CVE-2024-35961 CVE-2024-35963 CVE-2024-35964 CVE-2024-35965 CVE-2024-35966 CVE-2024-35967 CVE-2024-35969 CVE-2024-35971 CVE-2024-35972 CVE-2024-35973 CVE-2024-35974 CVE-2024-35975 CVE-2024-35977 CVE-2024-35978 CVE-2024-35981 CVE-2024-35982 CVE-2024-35984 CVE-2024-35986 CVE-2024-35989 CVE-2024-35990 CVE-2024-35991 
CVE-2024-35992 CVE-2024-35995 CVE-2024-35997 CVE-2024-35999 CVE-2024-36002 CVE-2024-36006 CVE-2024-36007 CVE-2024-36009 CVE-2024-36011 CVE-2024-36012 CVE-2024-36013 CVE-2024-36014 CVE-2024-36015 CVE-2024-36016 CVE-2024-36018 CVE-2024-36019 CVE-2024-36020 CVE-2024-36021 CVE-2024-36025 CVE-2024-36026 CVE-2024-36029 CVE-2024-36030 CVE-2024-36032 CVE-2024-36880 CVE-2024-36885 CVE-2024-36890 CVE-2024-36891 CVE-2024-36893 CVE-2024-36894 CVE-2024-36895 CVE-2024-36896 CVE-2024-36897 CVE-2024-36898 CVE-2024-36906 CVE-2024-36918 CVE-2024-36921 CVE-2024-36922 CVE-2024-36928 CVE-2024-36930 CVE-2024-36931 CVE-2024-36936 CVE-2024-36940 CVE-2024-36941 CVE-2024-36942 CVE-2024-36944 CVE-2024-36947 CVE-2024-36949 CVE-2024-36950 CVE-2024-36951 CVE-2024-36955 CVE-2024-36959 CVE-2024-37370 CVE-2024-37371 CVE-2024-39894 CVE-2024-4603 CVE-2024-4741 CVE-2024-5564 CVE-2024-6387 SLE-5958 SLE-6533 SLE-6536 ----------------------------------------------------------------- The container suse/hpc/warewulf4-x86_64/sle-hpc-node was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. 
An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2513-1 Released: Mon Oct 29 11:11:23 2018 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1089883 This update for sysstat fixes the following issues: Sysstat was updated to 12.0.2, bringing new features and bugfixes (fate#326576, bsc#1089883) - It contains lots of improvements in SVG output. - New metric additions for hugepages. - New options Please look at http://sebastien.godard.pagesperso-orange.fr/ for a more detailed history of changes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs have been fixed, quite a few new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. 
(bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:3044-1 Released: Fri Dec 21 18:47:21 2018 Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss Type: security Severity: important References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues: Issues fixed in MozillaFirefox: - Update to Firefox ESR 60.4 (bsc#1119105) - CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Fixed a use-after-free with select element - CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Fixed an integer overflow when calculating buffer sizes for images - CVE-2018-12405: Fixed a few memory safety bugs Issues fixed in mozilla-nss: - Update to NSS 3.40.1 (bsc#1119105) - CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069) - CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. 
(bsc#1106873) - CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410) - Fixed a decryption failure during FFDHE key exchange - Various security fixes in the ASN.1 code Issues fixed in mozilla-nspr: - Update mozilla-nspr to 4.20 (bsc#1119105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:82-1 Released: Fri Jan 11 17:16:48 2019 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1044232 This update for suse-build-key fixes the following issues: - Include the SUSE PTF GPG key in the key directory to avoid it being stripped via %doc stripping in CAASP. 
(bsc#1044232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:207-1 Released: Tue Jan 29 20:20:24 2019 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1119496 This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.0.0 (bsc#1119496): - Added command line interface - Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run - Added documentation about how to build docker images on non SLE distributions - Improve documentation to clarify how container-suseconnect works in a Dockerfile - Improve error handling on non SLE hosts - Fix bug which makes container-suseconnect work on SLE15 based distributions ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c 
(bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:806-1 Released: Fri Mar 29 13:16:51 2019 Summary: Security update for sysstat Type: security Severity: low References: 1117001,1117260,CVE-2018-19416,CVE-2018-19517 This update for sysstat fixes the following issues: Security issues fixed: - CVE-2018-19416: Fixed out-of-bounds read during a memmove call inside the remap_struct function (bsc#1117001). - CVE-2018-19517: Fixed out-of-bounds read during a memset call inside the remap_struct function (bsc#1117260). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:926-1 Released: Wed Apr 10 16:33:12 2019 Summary: Security update for tar Type: security Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide by the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1229-1 Released: Tue May 14 11:05:55 2019 Summary: Recommended update for sensors Type: recommended Severity: moderate References: 1108468,1116021 This update for sensors fixes the following issues: sensors was updated to version 3.5.0: The following changes were done: + soname was bumped due to commit dcf2367 which introduced an ABI change. (This was reverted for the SUSE packages, as it was not necessary) + Fixed disappearance of certain hwmon chips with 4.19+ kernels (bsc#1116021). + Add the find-driver script for debugging. + Various documentation and man page improvements. + Fix various issues found by Coverity Scan. + Updated links in documentation to reflect the new home of lm_sensors. + sensors.1: Add reference to sensors-detect and document -j option (json output). + sensors: Add support for json output, add support for power min, lcrit, min_alarm, lcrit_alarm. + sensors-detect changes: * Fix systemd paths. * Add detection of Fintek F81768. * Only probe I/O ports on x86. * Add detection of Nuvoton NCT6793D. * Add detection of Microchip MCP9808. * Mark F71868A as supported by the f71882fg driver. * Mark F81768D as supported by the f71882fg driver. * Mark F81866D as supported by the f71882fg driver. * Add detection of various ITE chips. * Add detection of Nuvoton NCT6795D. * Add detection of DDR4 SPD. * Add detection of ITE IT8987D. * Add detection of AMD Family 17h temperature sensors. * Add detection of AMD KERNCZ SMBus controller. * Add detection of various Intel SMBus controllers. * Add detection of Giantec GT30TS00. * Add detection of ONS CAT34TS02C and CAT34TS04. * Add detection of AMD Family 15h Model 60+ temperature sensors. * Add detection of Nuvoton NCT6796D. * Add detection of AMD Family 15h Model 70+ temperature sensors. + configs: Add sample configuration files. 
+ sensors.conf.default: * Add hardwired inputs of NCT6795D * Add hardwired inputs of F71868A * Add hardwired NCT6796D inputs + vt1211_pwm: replaced deprecated sub shell syntax, run with bash instead of sh. + pwmconfig: replaced deprecated sub shell syntax. + fancontrol: replaced deprecated sub shell syntax, save original pwm values. + fancontrol.8: replaced deprecated sub shell syntax. + libsensors: * Add support for SENSORS_BUS_TYPE_SCSI, add support for power min, lcrit, min_alarm, lcrit_alarm. * Handle hwmon device with thermal device parent (bsc#1108468). - Undo unnecessary libsensors version bump. - Undo the SENSORS_API_VERSION change, to stay source-compatible with upstream. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1616-1 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1134659 This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. 
(bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1998-1 Released: Fri Jul 26 16:13:22 2019 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1138767 This update for sysstat fixes the following issues: - Fix scaling issue with mtab symlinks and automounter. (bsc#1138767) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2095-1 Released: Fri Aug 9 06:56:48 2019 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1138731 This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.1.0 (bsc#1138731), fixing interacting with SCC behind proxy and SMT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2142-1 Released: Wed Aug 14 18:14:04 2019 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1141322 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.45 (bsc#1141322) : * New function in pk11pub.h: PK11_FindRawCertsWithSubject * The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374) * Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078). 
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579) * Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262) * Add IPSEC IKE support to softoken (bmo#1546229) * Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616) * Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. * Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. mozilla-nspr was updated to version 4.21 * Changed prbit.h to use builtin function on aarch64. * Removed Gonk/B2G references. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2189-1 Released: Wed Aug 21 10:12:23 2019 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1142470 This update for sysstat fixes the following issues: - Remove deprecated gettext and require gettext-runtime during build only. (bsc#1142470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. 
(bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2693-1 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1142343 This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2722-1 Released: Mon Oct 21 11:14:20 2019 Summary: Recommended update for pciutils-ids Type: recommended Severity: moderate References: 1127840,1133581 This is a version update for pciutils-ids to version 20190830 (bsc#1133581, bsc#1127840) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. 
Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't 
strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2749-1 Released: Wed Oct 23 09:08:41 2019 Summary: Security update for sysstat Type: security Severity: moderate References: 1150114,CVE-2019-16167 This update for sysstat fixes the following issue: - CVE-2019-16167: Fixed a memory corruption due to an integer overflow. 
(bsc#1150114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. 
(bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3104-1 Released: Fri Nov 29 06:47:08 2019 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1144923,SLE-5958 This update for sysstat fixes the following issues: - Enable log information of starting/stopping services. (bsc#1144923, jsc#SLE-5958) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3395-1 Released: Mon Dec 30 14:05:06 2019 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: moderate References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.47.1: Security issues fixed: - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). - CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527). - CVE-2019-11727: Fixed a vulnerability in signing CertificateVerify with PKCS#1 v1.5 signatures (bsc#1141322). mozilla-nspr was updated to version 4.23: - Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:122-1 Released: Fri Jan 17 10:56:07 2020 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1138731,1154247,1157960 This update for container-suseconnect fixes the following issues: - Fix usage with RMT and SMT. (bsc#1157960) - Parse the /etc/products.d/*.prod files. - Fix function comments based on best practices from Effective Go. (bsc#1138731) - Implement interacting with SCC behind proxy and SMT. (bsc#1154247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix 'ps -C' no longer accepting arguments longer than 15 characters. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
(bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:690-1 Released: Fri Mar 13 17:09:28 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1166334 This update for suse-build-key fixes the following issues: - created a new security@suse.de communication key (bsc#1166334) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1112-1 Released: Fri Apr 24 16:44:20 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1170347 This update for suse-build-key fixes the following issues: - add a /usr/share/container-keys/ directory for GPG based Container verification. - Add the SUSE build key as 'suse-container-key.asc'. 
(PM-1845 bsc#1170347) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1181-1 Released: Tue May 5 12:02:39 2020 Summary: Recommended update for pciutils-ids Type: recommended Severity: moderate References: 1170160 This update for pciutils-ids fixes the following issues: - Update the PCI utilities database to 20200324. (bsc#1170160) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1266-1 Released: Wed May 13 10:20:54 2020 Summary: Recommended update for jq Type: recommended Severity: moderate References: 1170838 This update for jq fixes the following issues: jq was updated to version 1.6: * Destructuring Alternation * many new builtins (see docs) * Add support for ASAN and UBSAN * Make it easier to use jq with shebangs * Add $ENV builtin variable to access environment * Add JQ_COLORS env var for configuring the output colors * change: Calling jq without a program argument now always assumes '.' for the program, regardless of stdin/stdout * fix: Make sorting stable regardless of qsort. 
- Make jq depend on libjq1, so upgrading jq upgrades both ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1308-1 Released: Mon May 18 10:05:46 2020 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1170247 This update for psmisc fixes the following issues: - Allow not unique mounts as well as not unique mountpoint. (bsc#1170247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1353-1 Released: Wed May 20 13:02:32 2020 Summary: Security update for freetype2 Type: security Severity: moderate References: 1079603,1091109,CVE-2018-6942 This update for freetype2 to version 2.10.1 fixes the following issues: Security issue fixed: - CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603). Non-security issues fixed: - Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. 
* The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. 
This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector. - Enable subpixel rendering with infinality config: - Re-enable freetype-config, there is just too many fallouts. - Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli. - freetype-config is now deprecated by upstream and not enabled by default. - Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. 
* The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option. - Add tarball signatures and freetype2.keyring - Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs. This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs. - Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops. (bsc#1091109) fonts-config is fundamental but ft2demos is seldom installed by end users. Only fonts-config maintainers/debuggers may use ft2demos along to debug some issues. - Update to version 2.9.1 * No changelog upstream. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1419-1 Released: Tue May 26 12:23:30 2020 Summary: Security update for sysstat Type: security Severity: low References: 1159104,CVE-2019-19725 This update for sysstat fixes the following issues: - CVE-2019-19725: Fixed double free in check_file_actlst in sa_common.c (bsc#1159104).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1852-1 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Type: recommended Severity: moderate References: 1169444 This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. 
--shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. 
(bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2000-1 Released: Wed Jul 22 09:04:41 2020 Summary: Recommended update for efivar Type: recommended Severity: important References: 1100077,1101023,1120862,1127544 This update for efivar fixes the following issues: - fix logic that checks for UCS-2 string termination (bsc#1127544) - fix casting of IPv4 addresses - Don't require an EUI for NVMe (bsc#1100077) - Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023) - fix for compilation failures bsc#1120862 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate References: 1156913 This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. 
(bsc#1156913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2126-1 Released: Wed Aug 5 09:26:46 2020 Summary: Recommended update for cloud-regionsrv-client Type: recommended Severity: moderate References: 1173474,1173475 This update for cloud-regionsrv-client fixes the following issues: - Introduce containerbuild-regionsrv service to allow container building tools to access required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2148-1 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1174673 This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2470-1 Released: Wed Sep 2 23:29:43 2020 Summary: Recommended update for lshw Type: recommended Severity: moderate References: 1168865,1169668,1172156 This update for lshw fixes the following issues: - Fixes the detection of powerpc products (bsc#1172156) - Fixed an issue where lshw crashed on powerpc and aarch64 (bsc#1168865, bsc#1169668) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2735-1 Released: Thu Sep 24 13:32:25 2020 Summary: Recommended update for systemd-rpm-macros Type: recommended 
Severity: moderate References: 1173034 This update for systemd-rpm-macros fixes the following issues: - Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2782-1 Released: Tue Sep 29 11:40:22 2020 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: important References: 1176932 This update for systemd-rpm-macros fixes the following issues: - Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir - Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2825-1 Released: Fri Oct 2 08:44:28 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1170347,1176759 This update for suse-build-key fixes the following issues: - The SUSE Notary Container key is different from the build signing key, include this key instead as suse-container-key. (PM-1845 bsc#1170347) - The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2863-1 Released: Tue Oct 6 09:28:41 2020 Summary: Recommended update for efivar Type: recommended Severity: moderate References: 1175989 This update for efivar fixes the following issues: - Fixed an issue when segmentation fault are caused on non-EFI systems. 
(bsc#1175989) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2947-1 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Type: security Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2983-1 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Type: recommended Severity: moderate References: 1176123 This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2995-1 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Type: security Severity: important References: 1177914,CVE-2020-15999 This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3012-1 Released: Thu Oct 22 22:36:57 2020 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1174227 This update for sysstat fixes the following issues: - Fix for an issue when 'iowait' output of 'sar' can also decrement as a result of inaccurate tracking. (bsc#1174227) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3059-1 Released: Wed Oct 28 06:11:23 2020 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1173391,1176285,1176325 This update for sysconfig fixes the following issues: - Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285) - Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325) - Fix for 'chrony helper' calling in background. (bsc#1173391) - Fix for configuration file by creating a symlink for it to prevent false ownership on the file. 
(bsc#1159566) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3091-1 Released: Thu Oct 29 16:35:37 2020 Summary: Security update for MozillaThunderbird and mozilla-nspr Type: security Severity: important References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969 This update for MozillaThunderbird and mozilla-nspr fixes the following issues: - Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4 - Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title - Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters 
were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes - Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket - Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3 - update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird update ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3157-1 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3308-1 Released: Thu Nov 12 14:20:07 2020 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1177747 This update for sysstat fixes the following issues: - Fix iostat switch '-y' to display the correct results. 
(bsc#1177747) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `N` characters length in some form. This is enabled by the new parameter `usersubstr=N` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3791-1 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Type: recommended Severity: moderate References: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. 
----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:3795-1 Released: Mon Dec 14 17:43:26 2020 Summary: Optional update for systemd-rpm-macros Type: optional Severity: low References: 1059627,1178481,1179020 This update for systemd-rpm-macros fixes the following issues: - Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart - Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun(). - No longer applies presets when migrating from a disabled initscript (bsc#1178481) - Fix importing of %{_unitdir} ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:271-1 Released: Mon Feb 1 21:04:13 2021 Summary: Recommended update for lshw Type: recommended Severity: moderate References: 1181411 This update for lshw 
fixes the following issues: - Display UUID on Power VM LPAR. (bsc#1181411, ltc#191040) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is not GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:707-1 Released: Thu Mar 4 09:19:36 2021 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: 1177039 This update for systemd-rpm-macros fixes the following issues: - Bump to version 6 - Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be useful in certain cases where packages need to support multiple distros based on RPM. - Improve the logic used to apply the presets. (bsc#1177039) Previously, presets were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). 
The problem is that a) didn't handle a package renaming or split properly, since the package with the new name is installed rather than being updated and therefore the presets were applied even if they had already been applied under the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:784-1 Released: Mon Mar 15 11:19:08 2021 Summary: Recommended update for efivar Type: recommended Severity: moderate References: 1181967 This update for efivar fixes the following issues: - Fixed an issue with the NVME path parsing (bsc#1181967) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:795-1 Released: Tue Mar 16 10:28:02 2021 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low References: 1182661,1183012,1183051 This update for systemd-rpm-macros fixes the following issues: - Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012) - Fixed an issue with %systemd_user_post, where the --global parameter was treated as if it were another service (bsc#1183051, bsc#1182661) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. 
(bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:953-1 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1178407 This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:974-1 Released: Mon Mar 29 19:31:27 2021 Summary: Security update for tar Type: security Severity: low References: 1181131,CVE-2021-20193 This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1007-1 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1018-1 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1180713 This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1289-1 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1177047 This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1583-1 Released: Wed May 12 13:40:35 2021 Summary: Recommended update for sensors Type: recommended Severity: moderate References: 1185183 This update for sensors fixes the following issues: - Change PIDFile path from '/var/run' to '/run' as the former is deprecated. 
(bsc#1185183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. 
(bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1941-1 Released: Thu Jun 10 10:49:52 2021 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1186642 This update for sysconfig fixes the following issue: - sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2179-1 Released: Mon Jun 28 17:36:37 2021 Summary: Recommended update for thin-provisioning-tools Type: recommended Severity: moderate References: 1184124 This update for thin-provisioning-tools fixes the following issues: - Link as position-independent executable (bsc#1184124) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2191-1 Released: Mon Jun 28 18:38:12 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1186791 This update for patterns-microos provides the following fix: - Add zypper-migration-plugin to the default pattern. 
(bsc#1186791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2193-1 Released: Mon Jun 28 18:38:43 2021 Summary: Recommended update for tar Type: recommended Severity: moderate References: 1184124 This update for tar fixes the following issues: - Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2224-1 Released: Thu Jul 1 13:48:44 2021 Summary: Recommended update for psmisc Type: recommended Severity: important References: 1185208 This update for psmisc fixes the following issues: - It does no longer list all processes from different private namespaces when fuser is run on an NFS mount. 
This led to an issue where the wrong processes were terminated in an SAP application cluster environment (bsc#1185208) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:2248-1 Released: Mon Jul 5 15:40:28 2021 Summary: Recommended update for sysstat Type: optional Severity: low References: 1186827 This update for sysstat fixes the following issues: - Dropped systemd runtime requirement (bsc#1186827) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2320-1 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Type: security Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL 
pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234) - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2395-1 Released: Mon Jul 19 12:08:34 2021 Summary: Recommended update for efivar Type: recommended Severity: moderate References: 1187386 This update for efivar provides the following 
fix: - Fix the eMMC sysfs parsing. (bsc#1187386) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2464-1 Released: Fri Jul 23 14:20:23 2021 Summary: Recommended update for shim Type: recommended Severity: moderate References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 This update for shim fixes the following issues: - shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464) - Avoid deleting the mirrored RT variables (bsc#1187696) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Relax the maximum variable size check for u-boot (bsc#1185621) - Relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - Fixed the size of rela sections for AArch64 - Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Avoid potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Avoid buffer overflow when copying data to the MOK config table (bsc#1185232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2481-1 Released: Tue Jul 27 14:20:27 2021 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1184124 This update for sysconfig fixes the following issues: - Link as Position Independent Executable (bsc#1184124). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2627-1 Released: Thu Aug 5 12:10:46 2021 Summary: Recommended maintenance update for systemd-default-settings Type: recommended Severity: moderate References: 1188348 This update for systemd-default-settings fixes the following issue: - Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2899-1 Released: Wed Sep 1 08:30:58 2021 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: 1186282,1187332 This update for systemd-rpm-macros fixes the following issues: - Fixed an issue when zypper ignores the ordering constraints. (bsc#1187332) - Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead. - %sysusers_create_inline: use here-docs instead of echo (bsc#1186282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3001-1 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Type: recommended Severity: moderate References: 1189683 This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3052-1 Released: Thu Sep 16 10:05:24 2021 Summary: Recommended update for lshw Type: recommended Severity: moderate References: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20210619 (jsc#SLE-19399) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3115-1 Released: Thu Sep 16 14:04:26 2021 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 
1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829 This update for mozilla-nspr fixes the following issues: mozilla-nspr was updated to version 4.32: * implement new socket option PR_SockOpt_DontFrag * support larger DNS records by increasing the default buffer size for DNS queries * Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138 * PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version. Mozilla NSS was updated to version 3.68: * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. update to NSS 3.67 * bmo#1683710 - Add a means to disable ALPN. * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. update to NSS 3.66 * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * bmo#1708307 - Remove Trustis FPS Root CA from NSS. * bmo#1707097 - Add Certum Trusted Root CA to NSS. * bmo#1707097 - Add Certum EC-384 CA to NSS. * bmo#1703942 - Add ANF Secure Server Root CA to NSS. * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. 
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. * bmo#1709291 - Add VerifyCodeSigningCertificateChain. update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. update to NSS 3.64 * bmo#1705286 - Properly detect mips64. * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang. * bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration. Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * bmo#1694291 - Tracing fixes for ECH. update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable' * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 update to NSS 3.61 * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * bmo#1651411 - Improve constant-timeness in RSA operations. * bmo#1677207 - Upgrade Google Test version to latest release. * bmo#1654332 - Add aarch64-make target to nss-try. 
Update to NSS 3.60.1: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. Update to NSS 3.59.1: * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules Update to NSS 3.59: Notable changes: * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. 
* bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. 
* bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. 
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover. * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension. update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add 'certSIGN Root CA G2' root certificate. * bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo#1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root. * bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate. * bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate. * bmo#1618402 - Remove Symantec root certificates and disable email trust bit. * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. * bmo#1642153 - Fix infinite recursion building NSS. * bmo#1642638 - Fix fuzzing assertion crash. * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. * bmo#1643557 - Fix numerous compile warnings in NSS. * bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys. * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3182-1 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Type: recommended Severity: moderate References: 1189996 This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3274-1 Released: Fri Oct 1 10:34:17 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1190858 This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. 
(bsc#1190858) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3382-1 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate References: 1190793,CVE-2021-39537 This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1190052 This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1191987 This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3799-1 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1187153,1187273,1188623 This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1029961,1113013,1187654 This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. 
* Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Hellman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3942-1 Released: Mon Dec 6 14:46:05 2021 Summary: Security update for brotli Type: security Severity: moderate References: 1175825,CVE-2020-8927 This update for brotli fixes the following issues: - CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate References: 1192717,CVE-2021-43618 This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4009-1 Released: Mon Dec 13 11:24:43 2021 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low References: This update for systemd-rpm-macros fixes the following issues: - Introduce rpm macro %_systemd_util_dir ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:71-1 Released: Thu Jan 13 15:37:28 2022 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: This update for container-suseconnect is a rebuild against updated go toolchain to ensure an up to date GO runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:228-1 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Type: recommended Severity: moderate References: 1194522 This update for boost fixes the following issues: - Fix compilation errors (bsc#1194522) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:353-1 Released: Tue Feb 8 17:41:48 2022 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: This update for systemd-rpm-macros fixes the following issues: - Bump version to 10 - %sysusers_create_inline was wrongly marked as deprecated - %sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. 
So don't mark it as deprecated too ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:519-1 Released: Fri Feb 18 12:44:57 2022 Summary: Recommended update for sysstat Type: recommended Severity: moderate References: 1194679 This update for sysstat fixes the following issues: - Fix possible segfault (bsc#1194679). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:572-1 Released: Thu Feb 24 11:58:05 2022 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1194172 This update for psmisc fixes the following issues: - Determine the namespace of a process only once to speed up the parsing of 'fdinfo'. (bsc#1194172) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:775-1 Released: Wed Mar 9 12:55:03 2022 Summary: Recommended update for pciutils Type: recommended Severity: moderate References: 1192862 This update for pciutils fixes the following issues: - Report the theoretical speeds for PCIe 5.0 and 6.0 (bsc#1192862) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate References: 1195654 This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. 
(bsc#1195654) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:792-1 Released: Thu Mar 10 11:58:18 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1194845,1196494,1196495 This update for suse-build-key fixes the following issues: - The old SUSE PTF key was extended, but also move it to suse_ptf_key_old.asc (as it is a DSA1024 key). - Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494) - Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845) - Added SUSE Container signing key in PEM format for use e.g. by cosign. - The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. 
(bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:31:21 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1182959,1195149,1195792,1195856 This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate References: 1196275,1196406 This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1196093,1197024 This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and free'ing them, there are two 'return NO' where we don't free this variable.
This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1150-1 Released: Mon Apr 11 17:34:19 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1197293 This update for suse-build-key fixes the following issues: No longer install 1024bit keys by default. (bsc#1197293) - The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package. - The old PTF (pre March 2022) key moved to documentation directory. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1281-1 Released: Wed Apr 20 12:26:38 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc fixes the following issues: - Add option to enforce connection via protocol version 2 first (bsc#1196647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1195628,1196107 This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstdc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1451-1 Released: Thu Apr 28 10:47:22 2022 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1193489 This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1491-1 Released: Tue May 3 07:09:44 2022 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1194172 This update for psmisc fixes the following issues: - Add a fallback if the system call name_to_handle_at() is not supported by the used file system. - Replace the synchronizing over pipes of the sub process for the stat(2) system call with mutex and conditions from pthreads(7) (bsc#1194172) - Use statx(2) or SYS_statx system call to replace the stat(2) system call and avoid the sub process (bsc#1194172) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193 This update for tar fixes the following issues: - CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131). - CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496). - CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610). - Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and ..
are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges - Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files - prepare usrmerge (bsc#1029961) - Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite - Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extracting and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. 
* Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1617-1 Released: Tue May 10 14:40:12 2022 Summary: Security update for gzip Type: security Severity: important References: 1198062,1198922,CVE-2022-1271 This update for gzip fixes the following issues: - CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1197794 This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important References: 1197771 This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1843-1 Released: Wed May 25 15:25:44 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1198504 This update for suse-build-key fixes the following issues: - still ship the old ptf key in the documentation directory (bsc#1198504) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1040589 This update for grep fixes the following issues: - Make profiling deterministic. 
(bsc#1040589, SLE-24115) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1899-1 Released: Wed Jun 1 10:43:22 2022 Summary: Recommended update for libtirpc Type: recommended Severity: important References: 1198176 This update for libtirpc fixes the following issues: - Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2294-1 Released: Wed Jul 6 13:34:15 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). 
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2396-1 Released: Thu Jul 14 11:57:58 2022 Summary: Security update for logrotate Type: security Severity: important References: 1192449,1199652,1200278,1200802,CVE-2022-1348 This update for logrotate fixes the following issues: Security issues fixed: - CVE-2022-1348: Fixed insecure permissions for state file creation (bsc#1199652). - Improved coredump handling for SUID binaries (bsc#1192449). Non-security issues fixed: - Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2406-1 Released: Fri Jul 15 11:49:01 2022 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1197718,1199140,1200334,1200855 This update for glibc fixes the following issues: - powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334) - Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718) - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718) - rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051) This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2493-1 Released: Thu Jul 21 14:35:08 2022 Summary: Recommended update for rpm-config-SUSE Type: recommended Severity: moderate References: 1193282 This update for rpm-config-SUSE fixes the following issues: - Add SBAT values macros for other packages (bsc#1193282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2533-1 Released: Fri Jul 22 17:37:15 2022 Summary: Security update for mozilla-nss Type: security Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). 
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. - Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. 
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. - Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. 
- Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. - Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OCSP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FIPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. 
- Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. 
(bmo#1767590) Mozilla NSPR was updated to version 4.34: * add an API that returns a preferred loopback IP on hosts that have two IP stacks available. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2595-1 Released: Fri Jul 29 16:00:42 2022 Summary: Security update for mozilla-nss Type: security Severity: important References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741 This update for mozilla-nss fixes the following issues: Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4: - Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079). - FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980). - FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298). - FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325). - Run test suite at build time, and make it pass (bsc#1198486). - FIPS: skip algorithms that are hard disabled in FIPS mode. - Prevent expired PayPalEE cert from failing the tests. - Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc. - FIPS: Make the PBKDF known answer test compliant with NIST SP800-132. - Update FIPS validation string to version-release format. - FIPS: remove XCBC MAC from list of FIPS approved algorithms. - Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build. - FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080). - FIPS: allow testing of unapproved algorithms (bsc#1192228). - FIPS: add version indicators. (bmo#1729550, bsc#1192086). - FIPS: fix some secret clearing (bmo#1697303, bsc#1192087). Version update to NSS 3.79: - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Update mercurial in clang-format docker image. 
- Use of uninitialized pointer in lg_init after alloc fail. - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Add SECMOD_LockedModuleHasRemovableSlots. - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Correct invalid record inner and outer content type alerts. - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - improve error handling after nssCKFWInstance_CreateObjectHandle. - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - NSS 3.79 should depend on NSPR 4.34 Version update to NSS 3.78.1: - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple Version update to NSS 3.78: - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Add ECH Grease Support to tstclnt - Add a strict variant of moz::pkix::CheckCertHostname. - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Make SEC_PKCS12EnableCipher succeed - Update zlib in NSS to 1.2.12. Version update to NSS 3.77: - Fix link to TLS page on wireshark wiki - Add two D-TRUST 2020 root certificates. - Add Telia Root CA v2 root certificate. - Remove expired explicitly distrusted certificates from certdata.txt. - support specific RSA-PSS parameters in mozilla::pkix - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Remove token member from NSSSlot struct. - Provide secure variants of mpp_pprime and mpp_make_prime. - Support UTF-8 library path in the module spec string. - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Update googletest to 1.11.0 - Add SetTls13GreaseEchSize to experimental API. - TLS 1.3 Illegal legacy_version handling/alerts. - Fix calculation of ECH HRR Transcript. 
- Allow ld path to be set as environment variable. - Ensure we don't read uninitialized memory in ssl gtests. - Fix DataBuffer Move Assignment. - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - rework signature verification in mozilla::pkix Version update to NSS 3.76.1 - Remove token member from NSSSlot struct. - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Check return value of PK11Slot_GetNSSToken. - Use Wycheproof JSON for RSASSA-PSS - Add SHA256 fingerprint comments to old certdata.txt entries. - Avoid truncating files in nss-release-helper.py. - Throw illegal_parameter alert for illegal extensions in handshake message. Version update to NSS 3.75 - Make DottedOIDToCode.py compatible with python3. - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Remove redundant key type check. - Update ABI expectations to match ECH changes. - Enable CKM_CHACHA20. - check return on NSS_NoDB_Init and NSS_Shutdown. - Run ECDSA test vectors from bltest as part of the CI tests. - Add ECDSA test vectors to the bltest command line tool. - Allow to build using clang's integrated assembler. - Allow to override python for the build. - test HKDF output rather than input. - Use ASSERT macros to end failed tests early. - move assignment operator for DataBuffer. - Add test cases for ECH compression and unexpected extensions in SH. - Update tests for ECH-13. - Tidy up error handling. - Add tests for ECH HRR Changes. - Server only sends GREASE HRR extension if enabled by preference. - Update generation of the Associated Data for ECH-13. - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Allow for compressed, non-contiguous, extensions. - Scramble the PSK extension in CHOuter. - Split custom extension handling for ECH. - Add ECH-13 HRR Handling. - Client side ECH padding. - Stricter ClientHelloInner Decompression. - Remove ECH_inner extension, use new enum format. 
- Update the version number for ECH-13 and adjust the ECHConfig size. Version update to NSS 3.74 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses - Ensure clients offer consistent ciphersuites after HRR - NSS does not properly restrict server keys based on policy - Set nssckbi version number to 2.54 - Replace Google Trust Services LLC (GTS) R4 root certificate - Replace Google Trust Services LLC (GTS) R3 root certificate - Replace Google Trust Services LLC (GTS) R2 root certificate - Replace Google Trust Services LLC (GTS) R1 root certificate - Replace GlobalSign ECC Root CA R4 - Remove Expired Root Certificates - DST Root CA X3 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate - Add iTrusChina ECC root certificate - Add iTrusChina RSA root certificate - Add ISRG Root X2 root certificate - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate - Avoid a clang 13 unused variable warning in opt build - Check for missing signedData field - Ensure DER encoded signatures are within size limits - enable key logging option (boo#1195040) Version update to NSS 3.73.1: - Add SHA-2 support to mozilla::pkix's OCSP implementation Version update to NSS 3.73 - check for missing signedData field. - Ensure DER encoded signatures are within size limits. - NSS needs FIPS 140-3 version indicators. - pkix_CacheCert_Lookup doesn't return cached certs - sunset Coverity from NSS Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures Version update to NSS 3.72 - Fix nsinstall parallel failure. - Increase KDF cache size to mitigate perf regression in about:logins Version update to NSS 3.71 - Set nssckbi version number to 2.52. 
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Import of PKCS#12 files with Camellia encryption is not supported - Add HARICA Client ECC Root CA 2021. - Add HARICA Client RSA Root CA 2021. - Add HARICA TLS ECC Root CA 2021. - Add HARICA TLS RSA Root CA 2021. - Add TunTrust Root CA certificate to NSS. Version update to NSS 3.70 - Update test case to verify fix. - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Avoid using a lookup table in nssb64d. - Use HW accelerated SHA2 on AArch64 Big Endian. - Change default value of enableHelloDowngradeCheck to true. - Cache additional PBE entries. - Read HPKE vectors from official JSON. Version update to NSS 3.69.1: - Disable DTLS 1.0 and 1.1 by default - integrity checks in key4.db not happening on private components with AES_CBC NSS 3.69: - Disable DTLS 1.0 and 1.1 by default (backed out again) - integrity checks in key4.db not happening on private components with AES_CBC (backed out again) - SSL handling of signature algorithms ignores environmental invalid algorithms. - sqlite 3.34 changed it's open semantics, causing nss failures. - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - SQLite calls could timeout in starvation situations. - Coverity/cpp scanner errors found in nss 3.67 - Import the NSS documentation from MDN in nss/doc. - NSS using a tempdir to measure sql performance not active Version Update to 3.68.4 (bsc#1200027) - CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. 
(bmo#1767590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2632-1 Released: Wed Aug 3 09:51:00 2022 Summary: Security update for permissions Type: security Severity: important References: 1198720,1200747,1201385 This update for permissions fixes the following issues: * apptainer: fix starter-suid location (bsc#1198720) * static permissions: remove deprecated bind / named chroot entries (bsc#1200747) * postfix: add postlog setgid for maildrop binary (bsc#1201385) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2640-1 Released: Wed Aug 3 10:43:44 2022 Summary: Recommended update for yaml-cpp Type: recommended Severity: moderate References: 1160171,1178331,1178332,1200624 This update for yaml-cpp fixes the following issue: - Version 0.6.3 changed ABI without changing SONAME. Re-add symbol from the old ABI to prevent ABI breakage and crash of applications compiled with 0.6.1 (bsc#1200624, bsc#1178332, bsc#1178331, bsc#1160171). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2717-1 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Type: security Severity: moderate References: 1198627,CVE-2022-29458 This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2735-1 Released: Wed Aug 10 04:31:41 2022 Summary: Recommended update for tar Type: recommended Severity: moderate References: 1200657 This update for tar fixes the following issues: - Fix race condition while creating intermediate subdirectories (bsc#1200657) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2796-1 Released: Fri Aug 12 14:34:31 2022 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: This update for jitterentropy fixes the following issues: jitterentropy is included in version 3.4.0 (jsc#SLE-24941): This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2844-1 Released: Thu Aug 18 14:41:25 2022 Summary: Recommended update for tar Type: recommended Severity: important References: 1202436 This update for tar fixes the following issues: - A regression in a previous update led to potential deadlocks when extracting an archive. (bsc#1202436) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2901-1 Released: Fri Aug 26 03:34:23 2022 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: This update for elfutils fixes the following issues: - Fix runtime dependency for devel package ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2939-1 Released: Mon Aug 29 14:49:17 2022 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1201298,1202645 This update for mozilla-nss fixes the following issues: Update to NSS 3.79.1 (bsc#1202645) * compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_ComputeCertType. 
* protect SFTKSlot needLogin with slotLock. * avoid data race on primary password change. * check for null template in sec_asn1{d,e}_push_state. - FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important References: 1181475 This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3019-1 Released: Mon Sep 5 11:00:23 2022 Summary: Recommended update for lshw Type: recommended Severity: moderate References: This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20220628 * make version check optional - Update to version B.02.19.2+git.20220310: * Set product name for all netdevs sharing the same PCI number - Update to version B.02.19.2+git.20211222: * Add Spanish translation * Fix mistakes in Catalan translation - Update to version B.02.19.2+git.20211102: * Read and parse network transceiver module eeprom * use max (9) Gzip compression * Add Catalan translation * Update POT file * Add more network speeds - Update to version B.02.19.2+git.20211013: * support for new ethtool capabilities * code clean-up * allow pkg-config override * Translate all words of a phrase together ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3127-1 Released: Wed Sep 7 04:36:10 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1198752,1200800 This update for libtirpc fixes the following issues: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignment (bsc#1198752) 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3219-1 Released: Thu Sep 8 21:15:24 2022 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1185882,1194557,1199093 This update for sysconfig fixes the following issues: - netconfig: remove sed dependency - netconfig/dns-resolver: remove search limit of 6 domains (bsc#1199093) - netconfig: cleanup /var/run leftovers (bsc#1194557) - netconfig: update ntp man page documentation, fix typos - netconfig: revert NM default policy change (bsc#1185882) With the change to the default policy, netconfig with NetworkManager as network.service accepted settings from all services/programs directly instead of only from NetworkManager, where plugins/services have to deliver their settings to apply them. - Also support service(network) provides ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3252-1 Released: Mon Sep 12 09:07:53 2022 Summary: Security update for freetype2 Type: security Severity: moderate References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406 This update for freetype2 fixes the following issues: - CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830). - CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832). - CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823). Non-security fixes: - Updated to version 2.10.4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3262-1 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1199140 This update for gcc11 ships some missing 32bit libraries for s390x. 
(bsc#1199140) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3271-1 Released: Wed Sep 14 06:45:39 2022 Summary: Security update for perl Type: security Severity: moderate References: 1047178,CVE-2017-6512 This update for perl fixes the following issues: - CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3305-1 Released: Mon Sep 19 11:45:57 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3327-1 Released: Wed Sep 21 12:47:17 2022 Summary: Security update for oniguruma Type: security Severity: important References: 1142847,1150130,1157805,1164550,1164569,1177179,CVE-2019-13224,CVE-2019-16163,CVE-2019-19203,CVE-2019-19204,CVE-2019-19246,CVE-2020-26159 This update for oniguruma fixes the following issues: - CVE-2019-19246: Fixed an out of bounds access during regular expression matching (bsc#1157805). - CVE-2019-19204: Fixed an out of bounds access when compiling a crafted regular expression (bsc#1164569). - CVE-2019-19203: Fixed an out of bounds access when performing a string search (bsc#1164550). - CVE-2019-16163: Fixed an uncontrolled recursion issue when compiling a crafted regular expression, which could lead to denial of service (bsc#1150130). - CVE-2020-26159: Fixed an off-by-one buffer overflow (bsc#1177179). - CVE-2019-13224: Fixed a potential use-after-free when handling multiple different encodings (bsc#1142847). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3328-1 Released: Wed Sep 21 12:48:56 2022 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: 1202870 This update for jitterentropy fixes the following issues: - Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3353-1 Released: Fri Sep 23 15:23:40 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1203018,CVE-2022-31252 This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3395-1 Released: Mon Sep 26 16:35:18 2022 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1181994,1188006,1199079,1202868 This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 
Public Primary Certification Authority - G5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3489-1 Released: Sat Oct 1 13:35:24 2022 Summary: Security update for expat Type: security Severity: important References: 1203438,CVE-2022-40674 This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2022:3520-1 Released: Tue Oct 4 14:18:34 2022 Summary: Feature update for dmidecode Type: feature Severity: moderate References: This feature update for dmidecode fixes the following issues: Update dmidecode from version 3.2 to version 3.4 (jsc#SLE-24502, jsc#SLE-24591, jsc#PED-411): - Add bios-revision, firmware-revision and system-sku-number to `-s` option - Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240 - Decode system slot base bus width and peers - Document how the UUID fields are interpreted - Don't display the raw CPU ID in quiet mode - Don't use memcpy on /dev/mem on arm64 - Fix OEM vendor name matching - Fix small typo in NEWS file - Improve the formatting of the manual pages - Present HPE type 240 attributes as a proper list instead of packing them on a single line. This makes it more readable overall, and will also scale better if the number of attributes increases - Skip details of uninstalled memory modules - Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memory module extended speed, new system slot types, new processor characteristic and new format of Processor ID - Support for SMBIOS 3.5.0. 
This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information) - Use the most appropriate unit for cache size ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3555-1 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1199492 This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3781-1 Released: Wed Oct 26 17:50:44 2022 Summary: Security update for container-suseconnect Type: security Severity: moderate References: 1204397 This update of container-suseconnect is a rebuilt of the previous sources against the current security updated go compiler. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3784-1 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Type: security Severity: critical References: 1204690,CVE-2021-46848 This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3787-1 Released: Thu Oct 27 04:41:09 2022 Summary: Recommended update for permissions Type: recommended Severity: important References: 1194047,1203911 This update for permissions fixes the following issues: - Fix regression introduced by backport of security fix (bsc#1203911) - Add permissions for enlightenment helper on 32bit arches (bsc#1194047) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3806-1 Released: Thu Oct 27 17:21:11 2022 Summary: Security update for dbus-1 Type: security 
Severity: important References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012 This update for dbus-1 fixes the following issues: - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be triggered by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113). Bugfixes: - Disable asserts (bsc#1087072). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3873-1 Released: Fri Nov 4 14:58:08 2022 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1191546,1198980,1201298,1202870,1204729 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.34.1: * add file descriptor sanity checks in the NSPR poll function. mozilla-nss was updated to NSS 3.79.2 (bsc#1204729): * Bump minimum NSPR version to 4.34.1. * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. Other fixes that were applied: - FIPS: Allow the use of DSA keys (verification only) (bsc#1201298). - FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980). - FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546). - FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546). - FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). - FIPS: Use libjitterentropy for entropy (bsc#1202870). - FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3884-1 Released: Mon Nov 7 10:59:26 2022 Summary: Security update for expat Type: security Severity: important References: 1204708,CVE-2022-43680 This update for expat fixes the following issues: - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3910-1 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3958-1 Released: Fri Nov 11 15:20:45 2022 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1191546,1198980,1201298,1202870,1204729 This update for mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.79.2 (bsc#1204729) * Bump minimum NSPR version to 4.34.1. * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. - FIPS: Allow the use of DSA keys (verification only) (bsc#1201298). - FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980). - FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546). - FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980). - FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546). - FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). - FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870). - FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms. - FIPS: Use libjitterentropy for entropy. - FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4062-1 Released: Fri Nov 18 09:05:07 2022 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1201590 This update for libusb-1_0 fixes the following issues: - Fix regression where some devices no longer work if they have a configuration value of 0 (bsc#1201590) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4081-1 Released: Fri Nov 18 15:40:46 2022 Summary: Security update for dpkg Type: security Severity: low References: 1199944,CVE-2022-1664 This update for dpkg fixes the following issues: - CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4135-1 Released: Mon Nov 21 00:13:40 2022 Summary: Recommended update for libeconf Type: recommended Severity: moderate References: 1198165 This update for libeconf fixes the following issues: - Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165) - Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters' ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4256-1 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. 
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4312-1 Released: Fri Dec 2 11:16:47 2022 Summary: Recommended update for tar Type: recommended Severity: moderate References: 1200657,1203600 This update for tar fixes the following issues: - Fix unexpected inconsistency when making directory (bsc#1203600) - Update race condition fix (bsc#1200657) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4412-1 Released: Tue Dec 13 04:47:03 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1204706 This update for suse-build-key fixes the following issues: - added /usr/share/pki/containers directory for container pem keys (cosign/sigstore style), put the SUSE Container signing PEM key there too (bsc#1204706) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4458-1 Released: Tue Dec 13 13:16:04 2022 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1186827 This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.4.0 (jsc#PED-1710): * Fix docker build example for non-SLE hosts * Minor fixes to --help and README * Improve documentation when building with podman on non-SLE host * Add flag --log-credentials-errors * Update capture to the 1.0.0 release * 
Use URL.Redacted() to avoid security scanner warning * Regcode fix - strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4492-1 Released: Wed Dec 14 13:52:39 2022 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1191546,1198980,1201298 This update for mozilla-nss fixes the following issues: - FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298) - FIPS: Allow the use SHA keygen mechs (bsc#1191546). - FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1206337,CVE-2022-46908 This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:37-1 Released: Fri Jan 6 15:35:49 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1206212,1206622 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:48-1 Released: Mon Jan 9 10:37:54 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1199467 This update for libtirpc fixes the following issues: - Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:54-1 Released: Mon Jan 9 10:49:19 2023 Summary: Recommended update for bash-completion Type: recommended Severity: moderate References: 1200791 This update for bash-completion fixes the following issues: - Fix curl help completion (bsc#1200791) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:119-1 Released: Fri Jan 20 10:28:07 2023 Summary: Security update for mozilla-nss Type: security Severity: important References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479 This update for 
mozilla-nss fixes the following issues: - CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272). - Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:179-1 Released: Thu Jan 26 21:54:30 2023 Summary: Recommended update for tar Type: recommended Severity: low References: 1202436 This update for tar fixes the following issue: - Fix hang when unpacking test tarball (bsc#1202436) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low References: 1206412 This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:434-1 Released: Thu Feb 16 09:08:05 2023 Summary: Security update for mozilla-nss Type: security Severity: important References: 1208138,CVE-2023-0767 This update for mozilla-nss fixes the following issues: Updated to NSS 3.79.4 (bsc#1208138): - CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:463-1 Released: Mon Feb 20 16:33:39 2023 Summary: Security update for tar Type: security Severity: moderate References: 1202436,1207753,CVE-2022-48303 This update for tar fixes the following issues: - CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). Bug fixes: - Fix hang when unpacking test tarball (bsc#1202436). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:617-1 Released: Fri Mar 3 16:49:06 2023 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: 1207789 This update for jitterentropy fixes the following issues: - build jitterentropy library with debuginfo (bsc#1207789) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:709-1 Released: Fri Mar 10 16:04:41 2023 Summary: Recommended update for console-setup Type: recommended Severity: moderate References: 1202853 This update for console-setup and kbd fixes the following issue: - Fix Caps_Lock mapping for us.map and others (bsc#1202853) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:713-1 Released: Mon Mar 13 10:25:04 2023 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: This update for suse-build-key fixes the following issues: This update provides multiple new 4096 RSA keys for SUSE Linux Enterprise 15, SUSE Manager 4.2/4.3, Storage 7.1, SUSE Registry) that we will switch to mid of 2023. (jsc#PED-2777) - gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SUSE Linux Enterprise (RPM and repositories). - gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserve key for SUSE Linux Enterprise (RPM and repositories). - suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF packages. - build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem: New RSA 4096 key for the SUSE registry registry.suse.com, installed as suse-container-key-2023.pem and suse-container-key-2023.asc - suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem: New PTF container signing key for registry.suse.com/ptf/ space. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:776-1 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes This update ships the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:871-1 Released: Wed Mar 22 14:32:45 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1200441,1206134,1208270,1208271,1208272,1209030,CVE-2022-41720,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24532 This update of container-suseconnect fixes the following issue: - container-suseconnect was rebuilt against the current go1.19 release, fixing security issues and other bugs fixed in go1.19.7. - CVE-2022-41723: Fixed quadratic complexity in HPACK decoding (bsc#1208270). - CVE-2022-41724: Fixed panic with large handshake records in crypto/tls (bsc#1208271). - CVE-2022-41725: Fixed denial of service from excessive resource consumption in net/http and mime/multipart (bsc#1208272). - CVE-2023-24532: Fixed incorrect P-256 ScalarMult and ScalarBaseMult results (bsc#1209030). 
- CVE-2022-41720: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows (bsc#1206134). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1702-1 Released: Thu Mar 30 15:23:23 2023 Summary: Security update for shim Type: security Severity: important References: 1185232,1185261,1185441,1185621,1187071,1187260,1193282,1198458,1201066,1202120,1205588,CVE-2022-28737 This update for shim fixes the following issues: - Updated shim signature after shim 15.7 be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458) - Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Enable the NX compatibility flag by default. (jsc#PED-127) Update to 15.7 (bsc#1198458) (jsc#PED-127): - Make SBAT variable payload introspectable - Reference MokListRT instead of MokList - Add a link to the test plan in the readme. - [V3] Enable TDX measurement to RTMR register - Discard load-options that start with a NUL - Fixed load_cert_file bugs - Add -malign-double to IA32 compiler flags - pe: Fix image section entry-point validation - make-archive: Build reproducible tarball - mok: remove MokListTrusted from PCR 7 Other fixes: - Support enhance shim measurement to TD RTMR. (jsc#PED-1273) - shim-install: ensure grub.cfg created is not overwritten after installing grub related files - Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066) - Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120) - Change the URL in SBAT section to mail:security@suse.de. 
(bsc#1193282) Update to 15.6 (bsc#1198458): - MokManager: removed Locate graphic output protocol fail error message - shim: implement SBAT verification for the shim_lock protocol - post-process-pe: Fix a missing return code check - Update github actions matrix to be more useful - post-process-pe: Fix format string warnings on 32-bit platforms - Allow MokListTrusted to be enabled by default - Re-add ARM AArch64 support - Use ASCII as fallback if Unicode Box Drawing characters fail - make: don't treat cert.S specially - shim: use SHIM_DEVEL_VERBOSE when built in devel mode - Break out of the inner sbat loop if we find the entry. - Support loading additional certificates - Add support for NX (W^X) mitigations. - Fix preserve_sbat_uefi_variable() logic - SBAT Policy latest should be a one-shot - pe: Fix a buffer overflow when SizeOfRawData > VirtualSize - pe: Perform image verification earlier when loading grub - Update advertised sbat generation number for shim - Update SBAT generation requirements for 05/24/22 - Also avoid CVE-2022-28737 in verify_image() by @vathpela Update to 15.5 (bsc#1198458): - Broken ia32 relocs and an unimportant submodule change. - mok: allocate MOK config table as BootServicesData - Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260) - Relax the check for import_mok_state() (bsc#1185261) - SBAT.md: trivial changes - shim: another attempt to fix load options handling - Add tests for our load options parsing. 
- arm/aa64: fix the size of .rela* sections - mok: fix potential buffer overrun in import_mok_state - mok: relax the maximum variable size check - Don't unhook ExitBootServices when EBS protection is disabled - fallback: find_boot_option() needs to return the index for the boot entry in optnum - httpboot: Ignore case when checking HTTP headers - Fallback allocation errors - shim: avoid BOOTx64.EFI in message on other architectures - str: remove duplicate parameter check - fallback: add compile option FALLBACK_NONINTERACTIVE - Test mok mirror - Modify sbat.md to help with readability. - csv: detect end of csv file correctly - Specify that the .sbat section is ASCII not UTF-8 - tests: add 'include-fixed' GCC directory to include directories - pe: simplify generate_hash() - Don't make shim abort when TPM log event fails (RHBZ #2002265) - Fallback to default loader if parsed one does not exist - fallback: Fix for BootOrder crash when index returned - Better console checks - docs: update SBAT UEFI variable name - Don't parse load options if invoked from removable media path - fallback: fix fallback not passing arguments of the first boot option - shim: Don't stop forever at 'Secure Boot not enabled' notification - Allocate mokvar table in runtime memory. - Remove post-process-pe on 'make clean' - pe: missing perror argument - CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458) - Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458) - Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. 
- Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment. - avoid buffer overflow when copying data to the MOK config table (bsc#1185232) - Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - relax the maximum variable size check for u-boot (bsc#1185621) - handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1851-1 Released: Fri Apr 14 15:08:38 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: This update for container-suseconnect fixes the following issue: - rebuilt against current go version. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1880-1 Released: Tue Apr 18 11:11:27 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: low References: 1208079 This update for systemd-rpm-macros fixes the following issue: - Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1939-1 Released: Fri Apr 21 11:14:30 2023 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1191546,1207209,1208242,1208999 This update for mozilla-nss fixes the following issues: - FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999) - FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546) - FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209) - Add manpages to mozilla-nss-tools (bsc#1208242) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1947-1 Released: Fri Apr 21 14:14:41 2023 Summary: Security update for dmidecode Type: security Severity: moderate References: 1210418,CVE-2023-30630 This update for dmidecode fixes the following issues: - CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2039-1 Released: Wed Apr 26 11:42:49 2023 Summary: Recommended update for lshw Type: recommended Severity: moderate References: 1209531 This update for lshw fixes the following issues: - Update to version B.02.19.2+git.20230320 (bsc#1209531) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2084-1 Released: Tue May 2 13:31:52 2023 Summary: Security update for shim Type: security Severity: important References: 1210382,CVE-2022-28737 This update for shim fixes the following issues: - CVE-2022-28737 was missing as reference previously. - Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. 
So the ca_string is 'SUSE Linux Enterprise Secure Boot CA1', not 'openSUSE Secure Boot CA1'. This results in update_boot=no, so none of the files in /boot/efi/EFI/boot are updated. Logic was added that uses the ID field in os-release to detect the Leap distro and sets ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2104-1 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1209122 This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2111-1 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1210434,CVE-2023-29491 This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2174-1 Released: Thu May 11 13:08:09 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1200441 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 19.9 security release (bsc#1200441). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2307-1 Released: Mon May 29 10:29:49 2023 Summary: Recommended update for kbd Type: recommended Severity: low References: 1210702 This update for kbd fixes the following issue: - Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart.
(bsc#1210702) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2482-1 Released: Mon Jun 12 07:19:53 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: 1211272 This update for systemd-rpm-macros fixes the following issues: - Adjust functions so they are disabled when called from a chroot (bsc#1211272) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2600-1 Released: Wed Jun 21 15:24:36 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1206346 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.20 security release (bsc#1206346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2625-1 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2765-1 Released: Mon Jul 3 20:28:14 2023 Summary: Security update for libcap Type: security Severity: moderate References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603 This update for libcap fixes the following issues: - CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418). - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2788-1 Released: Thu Jul 6 11:51:02 2023 Summary: Recommended update for mozilla-nspr, mozilla-nss Type: recommended Severity: moderate References: 1185116,1202118 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nspr was updated to version 4.35 * fixes for building with clang * use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms * fix build on mips+musl libc * Add support for the LoongArch 64-bit architecture mozilla-nss was update to NSS 3.90: * clang-format lib/freebl/stubs.c * Add a constant time select function * Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * output early build errors by default * Update the technical constraints for KamuSM * Add BJCA Global Root CA1 and CA2 root certificates * Enable default UBSan Checks * Add explicit handling of zero length records * Tidy up DTLS ACK Error Handling Path * Refactor zero length record tests * Fix compiler warning via correct assert * run linux tests on nss-t/t-linux-xlarge-gcp * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * Fix reading raw negative numbers * Repairing unreachable code in clang built with gyp * Integrate Vale Curve25519 * Removing unused flags for Hacl* * Adding a better error message * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * Fall back to the softokn when writing certificate trust * FIPS-104-3 requires we restart post programmatically * cmd/ecperf: fix dangling pointer warning on gcc 13 * Update ACVP dockerfile for compatibility with debian package changes * Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * Removed deprecated sprintf function and replaced with snprintf * fix rst warnings in nss doc * Fix incorrect pygment style * 
Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) update to NSS 3.89.1 * Update the technical constraints for KamuSM. * Add BJCA Global Root CA1 and CA2 root certificates. update to NSS 3.89 * revert freebl/softoken RSA_MIN_MODULUS_BITS increase * PR_STATIC_ASSERT is cursed * Need to add policy control to keys lengths for signatures * Fix unreachable code warning in fuzz builds * Fix various compiler warnings in NSS * Enable various compiler warnings for clang builds * set PORT error after sftk_HMACCmp failure * Need to add policy control to keys lengths for signatures * remove data length assertion in sec_PKCS7Decrypt * Make high tag number assertion failure an error * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * Tolerate certificate_authorities xtn in ClientHello * Fix build failure on Windows * migrate Win 2012 tasks to Azure * fix title length in doc * Add interop tests for HRR and PSK to GREASE suite * Add presence/absence tests for TLS GREASE * Correct addition of GREASE value to ALPN xtn * CH extension permutation * TLS GREASE (RFC8701) * improve handling of unknown PKCS#12 safe bag types * use a different treeherder symbol for each docker image build task * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag * build failure while implicitly casting SECStatus to PRUInt32 update to NSS 3.88.1 * improve handling of unknown PKCS#12 safe bag types update to NSS 3.88 * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag. 
* build failure while implicitly casting SECStatus to PRUInt32 * Add check for ClientHello SID max length * Added EarlyData ALPN test support to BoGo shim * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * Added Bogo ECH rejection test support * Added ECH 0Rtt support to BoGo shim * RSA OAEP Wycheproof JSON * RSA decrypt Wycheproof JSON * ECDSA Wycheproof JSON * ECDH Wycheproof JSON * PKCS#1v1.5 wycheproof json * Use X25519 wycheproof json * Move scripts to python3 * Properly link FuzzingEngine for oss-fuzz. * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * NSS needs to move off of DSA for integrity checks * Add initial testing with ACVP vector sets using acvp-rust * Don't clone libFuzzer, rely on clang instead update to NSS 3.87 * NULL password encoding incorrect * Fix rng stub signature for fuzzing builds * Updating the compiler parsing for build * Modification of supported compilers * tstclnt crashes when accessing gnutls server without a user cert in the database. * Add configuration option to enable source-based coverage sanitizer * Update ECCKiila generated files. 
* Add support for the LoongArch 64-bit architecture * add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * Additional zero-length RSA modulus checks update to NSS 3.86 * conscious language removal in NSS * Set nssckbi version number to 2.60 * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * Remove Staat der Nederlanden EV Root CA from NSS * Remove EC-ACC root cert from NSS * Remove SwissSign Platinum CA - G2 from NSS * Remove Network Solutions Certificate Authority * compress docker image artifact with zstd * Migrate nss from AWS to GCP * Enable static builds in the CI * Removing SAW docker from the NSS build system * Initialising variables in the rsa blinding code * Implementation of the double-signing of the message for ECDSA * Adding exponent blinding for RSA. update to NSS 3.85 * Modification of the primes.c and dhe-params.c in order to have better looking tables * Update zlib in NSS to 1.2.13 * Skip building modutil and shlibsign when building in Firefox * Mark _nss_version_c unused on clang-cl * bmo#1795668 - Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. update to NSS 3.84 * Bump minimum NSPR version to 4.35 * Add a flag to disable building libnssckbi. update to NSS 3.83 * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * Set nssckbi version number to 2.58 * Add two SECOM root certificates to NSS * Add two DigitalSign root certificates to NSS * Remove Camerfirma Global Chambersign Root from NSS * Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * Removed skipping of ECH on equality of private and public server name * Added comment and bug reference to ECHRandomHRRExtension bogo test * Added Bogo shim client HRR test support. 
Fixed overwriting of CHInner.random on HRR * Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * Update BoGo tests to recent BoringSSL version * Bump minimum NSPR version to 4.34.1 update to NSS 3.82 * check for null template in sec_asn1{d,e}_push_state * QuickDER: Forbid NULL tags with non-zero length * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * Cast the result of GetProcAddress * pk11wrap: Tighten certificate lookup based on PKCS #11 URI. update to NSS 3.81 * Enable aarch64 hardware crypto support on OpenBSD * make NSS_SecureMemcmp 0/1 valued * Add no_application_protocol alert handler and test client error code is set * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118) update to NSS 3.80 * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * Add support for asynchronous client auth hooks. * nss-policy-check: make unknown keyword check optional. * GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * Mark 3.79 as an ESR release. * Bump nssckbi version number for June. * Remove Hellenic Academic 2011 Root. * Add E-Tugra Roots. * Add Certainly Roots. * Add DigitCert Roots. * Protect SFTKSlot needLogin with slotLock. * Compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_VerifyCertChainOld. 
* Unchecked return code in sec_DecodeSigAlg. * Uninitialized value in cert_ComputeCertType. * Avoid data race on primary password change. * Replace ppc64 dcbzl intrinisic. * Allow LDFLAGS override in makefile builds. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2814-1 Released: Wed Jul 12 22:05:25 2023 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1185116,1202118 This update for mozilla-nss fixes the following issues: mozilla-nss was updated to NSS 3.90: * Add a constant time select function * Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * output early build errors by default * Update the technical constraints for KamuSM * Add BJCA Global Root CA1 and CA2 root certificates * Enable default UBSan Checks * Add explicit handling of zero length records * Tidy up DTLS ACK Error Handling Path * Refactor zero length record tests * Fix compiler warning via correct assert * run linux tests on nss-t/t-linux-xlarge-gcp * In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * Fix reading raw negative numbers * Repairing unreachable code in clang built with gyp * Integrate Vale Curve25519 * Removing unused flags for Hacl* * Adding a better error message * Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * Fall back to the softokn when writing certificate trust * FIPS-104-3 requires we restart post programmatically * cmd/ecperf: fix dangling pointer warning on gcc 13 * Update ACVP dockerfile for compatibility with debian package changes * Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files * Removed deprecated sprintf function and replaced with snprintf * fix rst warnings in nss doc * Fix incorrect pygment style * Change GYP directive to apply across platforms * Add libsmime3 abi-check exception for 
NSS_CMSSignerInfo_GetDigestAlgTag - Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116) update to NSS 3.89.1 * Update the technical constraints for KamuSM. * Add BJCA Global Root CA1 and CA2 root certificates. update to NSS 3.89 * revert freebl/softoken RSA_MIN_MODULUS_BITS increase * PR_STATIC_ASSERT is cursed * Need to add policy control to keys lengths for signatures * Fix unreachable code warning in fuzz builds * Fix various compiler warnings in NSS * Enable various compiler warnings for clang builds * set PORT error after sftk_HMACCmp failure * Need to add policy control to keys lengths for signatures * remove data length assertion in sec_PKCS7Decrypt * Make high tag number assertion failure an error * CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384 * Tolerate certificate_authorities xtn in ClientHello * Fix build failure on Windows * migrate Win 2012 tasks to Azure * fix title length in doc * Add interop tests for HRR and PSK to GREASE suite * Add presence/absence tests for TLS GREASE * Correct addition of GREASE value to ALPN xtn * CH extension permutation * TLS GREASE (RFC8701) * improve handling of unknown PKCS#12 safe bag types * use a different treeherder symbol for each docker image build task * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag * build failure while implicitly casting SECStatus to PRUInt32 update to NSS 3.88.1 * improve handling of unknown PKCS#12 safe bag types update to NSS 3.88 * remove nested table in rst doc * Export NSS_CMSSignerInfo_GetDigestAlgTag. * build failure while implicitly casting SECStatus to PRUInt32 * Add check for ClientHello SID max length * Added EarlyData ALPN test support to BoGo shim * ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * ECH client: Send ech_required alert on server negotiating TLS 1.2. 
Fixed misleading Gtest, enabled corresponding BoGo test * Added Bogo ECH rejection test support * Added ECH 0Rtt support to BoGo shim * RSA OAEP Wycheproof JSON * RSA decrypt Wycheproof JSON * ECDSA Wycheproof JSON * ECDH Wycheproof JSON * PKCS#1v1.5 wycheproof json * Use X25519 wycheproof json * Move scripts to python3 * Properly link FuzzingEngine for oss-fuzz. * Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) * NSS needs to move off of DSA for integrity checks * Add initial testing with ACVP vector sets using acvp-rust * Don't clone libFuzzer, rely on clang instead update to NSS 3.87 * NULL password encoding incorrect * Fix rng stub signature for fuzzing builds * Updating the compiler parsing for build * Modification of supported compilers * tstclnt crashes when accessing gnutls server without a user cert in the database. * Add configuration option to enable source-based coverage sanitizer * Update ECCKiila generated files. * Add support for the LoongArch 64-bit architecture * add checks for zero-length RSA modulus to avoid memory errors and failed assertions later * Additional zero-length RSA modulus checks update to NSS 3.86 * conscious language removal in NSS * Set nssckbi version number to 2.60 * Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * Remove Staat der Nederlanden EV Root CA from NSS * Remove EC-ACC root cert from NSS * Remove SwissSign Platinum CA - G2 from NSS * Remove Network Solutions Certificate Authority * compress docker image artifact with zstd * Migrate nss from AWS to GCP * Enable static builds in the CI * Removing SAW docker from the NSS build system * Initialising variables in the rsa blinding code * Implementation of the double-signing of the message for ECDSA * Adding exponent blinding for RSA. 
update to NSS 3.85 * Modification of the primes.c and dhe-params.c in order to have better looking tables * Update zlib in NSS to 1.2.13 * Skip building modutil and shlibsign when building in Firefox * Use __STDC_VERSION__ rather than __STDC__ as a guard * Remove redundant variable definitions in lowhashtest * Add note about python executable to build instructions. update to NSS 3.84 * Bump minimum NSPR version to 4.35 * Add a flag to disable building libnssckbi. update to NSS 3.83 * Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags * Set nssckbi version number to 2.58 * Add two SECOM root certificates to NSS * Add two DigitalSign root certificates to NSS * Remove Camerfirma Global Chambersign Root from NSS * Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test * Removed skipping of ECH on equality of private and public server name * Added comment and bug reference to ECHRandomHRRExtension bogo test * Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR * Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing * Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo * Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs * Update BoGo tests to recent BoringSSL version * Bump minimum NSPR version to 4.34.1 update to NSS 3.82 * check for null template in sec_asn1{d,e}_push_state * QuickDER: Forbid NULL tags with non-zero length * Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite * Cast the result of GetProcAddress * pk11wrap: Tighten certificate lookup based on PKCS #11 URI. 
update to NSS 3.81 * Enable aarch64 hardware crypto support on OpenBSD * make NSS_SecureMemcmp 0/1 valued * Add no_application_protocol alert handler and test client error code is set * Gracefully handle null nickname in CERT_GetCertNicknameWithValidity * required for Firefox 104 - raised NSPR requirement to 4.34.1 - changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118) update to NSS 3.80 * Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. * Add support for asynchronous client auth hooks. * nss-policy-check: make unknown keyword check optional. * GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. * Mark 3.79 as an ESR release. * Bump nssckbi version number for June. * Remove Hellenic Academic 2011 Root. * Add E-Tugra Roots. * Add Certainly Roots. * Add DigitCert Roots. * Protect SFTKSlot needLogin with slotLock. * Compare signature and signatureAlgorithm fields in legacy certificate verifier. * Uninitialized value in cert_VerifyCertChainOld. * Unchecked return code in sec_DecodeSigAlg. * Uninitialized value in cert_ComputeCertType. * Avoid data race on primary password change. * Replace ppc64 dcbzl intrinisic. * Allow LDFLAGS override in makefile builds. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2827-1 Released: Fri Jul 14 11:27:47 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: This update for libxml2 fixes the following issues: - Build also for modern python version (jsc#PED-68) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2847-1 Released: Mon Jul 17 08:40:42 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1210004 This update for audit fixes the following issues: - Check for AF_UNIX unnamed sockets (bsc#1210004) - Enable livepatching on main library on x86_64 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2877-1 Released: Wed Jul 19 09:43:42 2023 Summary: Security update for dbus-1 Type: security Severity: moderate References: 1212126,CVE-2023-34969 This update for dbus-1 fixes the following issues: - CVE-2023-34969: Fixed a possible dbus-daemon crash caused by an unprivileged user (bsc#1212126). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2882-1 Released: Wed Jul 19 11:49:39 2023 Summary: Security update for perl Type: security Severity: important References: 1210999,CVE-2023-31484 This update for perl fixes the following issues: - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate References: 1089497 This update for gpgme fixes the following issues: gpgme: - Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497) libassuan: - Version upgrade to 2.5.5 in LTSS to address gpgme new requirements ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2923-1 Released: Thu Jul 20 19:34:50 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1206346 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.20 security release (bsc#1206346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2966-1 Released: Tue Jul 25 14:26:14 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: This update for libxml2 fixes the following issues: - Build also for modern python version (jsc#PED-68) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3264-1 Released: Thu Aug 10 16:05:20 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1206346 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.20 security release (bsc#1206346). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3410-1 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1201519,1204844 This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3440-1 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Type: security Severity: low References: 1214025,CVE-2023-4156 This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3454-1 Released: Mon Aug 28 13:43:18 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1214248 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2023:3461-1 Released: Mon Aug 28 17:25:09 2023 Summary: Security update for freetype2 Type: security Severity: moderate References: 1210419,CVE-2023-2004 This update for freetype2 fixes the following issues: - CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3497-1 Released: Wed Aug 30 21:25:05 2023 Summary: Security update for vim Type: security Severity: important References: 1210996,1211256,1211257,1211461,CVE-2023-2426,CVE-2023-2609,CVE-2023-2610 This update for vim fixes the following issues: Updated to version 9.0 with patch level 1572. - CVE-2023-2426: Fixed Out-of-range Pointer Offset use (bsc#1210996). - CVE-2023-2609: Fixed NULL Pointer Dereference (bsc#1211256). - CVE-2023-2610: Fixed Integer Overflow or Wraparound (bsc#1211257). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3539-1 Released: Tue Sep 5 16:41:09 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3611-1 Released: Fri Sep 15 09:28:36 2023 Summary: Recommended update for sysuser-tools Type: recommended Severity: moderate References: 1195391,1205161,1207778,1213240,1214140 This update for sysuser-tools fixes the following issues: - Update to version 3.2 - Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240) - Add 'quilt setup' friendly hint to %sysusers_requires usage - Use append so if a pre file already exists it isn't overridden - Invoke bash for bash scripts (bsc#1195391) - Remove all systemd requires not supported on SLE15 (bsc#1214140) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3661-1 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Type: security Severity: important References: 1214052,CVE-2023-4039 This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3666-1 Released: Mon Sep 18 21:52:18 2023 Summary: Security update for libxml2 Type: security Severity: important References: 1214768,CVE-2023-39615 This update for libxml2 fixes the following issues: - CVE-2023-39615: Fixed a global buffer overflow that crafted XML can cause (bsc#1214768). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3780-1 Released: Tue Sep 26 10:58:21 2023 Summary: Recommended update for hidapi Type: recommended Severity: moderate References: 1214535 This update for hidapi ships the missing libhidapi-raw0 library to SLE and Leap Micro 5.3 and 5.4.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3834-1 Released: Wed Sep 27 19:18:33 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3843-1 Released: Wed Sep 27 20:18:06 2023 Summary: Recommended update for suse-build-key Type: recommended Severity: important References: This update for suse-build-key fixes the following issues: This update adds and runs a import-suse-build-key script. It is run after installation with libzypp based installers. (jsc#PED-2777) It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys. To manually import them you can also run: # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3954-1 Released: Tue Oct 3 20:09:47 2023 Summary: Security update for libeconf Type: security Severity: important References: 1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181 This update for libeconf fixes the following issues: Update to version 0.5.2. - CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078). - CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. 
(bsc#1211078) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4073-1 Released: Fri Oct 13 11:40:26 2023 Summary: Recommended update for rpm Type: recommended Severity: low References: This update for rpm fixes the following issue: - Enables build for all python modules (jsc#PED-68, jsc#PED-1988) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4125-1 Released: Thu Oct 19 09:34:58 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4138-1 Released: Thu Oct 19 17:15:38 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: This update for systemd-rpm-macros fixes the following issues: - Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4154-1 Released: Fri Oct 20 19:33:25 2023 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1107342,1215434 This update for aaa_base fixes the following issues: - Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4162-1 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. 
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. 
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4268-1 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1215265 This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4309-1 Released: Tue Oct 31 14:09:03 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This update for libtirpc to 1.3.4 fixes the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses * blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. 
* svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. 
[bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4504-1 Released: Tue Nov 21 13:27:50 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4511-1 Released: Tue Nov 21 16:43:08 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4557-1 Released: Fri Nov 24 17:04:36 2023 Summary: Security update for vim Type: security Severity: important References: 1214922,1214924,1214925,1215004,1215006,1215033,1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-4733,CVE-2023-4734,CVE-2023-4735,CVE-2023-4738,CVE-2023-4752,CVE-2023-4781,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 This update for vim fixes the following issues: Updated to version 9.0 with patch level 2103, fixes the following security problems * CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) * CVE-2023-5441: vim: segfault in exmode when redrawing (bsc#1216001) * CVE-2023-5535: vim: use-after-free from buf_contents_changed() (bsc#1216167) * CVE-2023-46246: vim: Integer Overflow in :history command (bsc#1216696) * CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both (bsc#1214922) * CVE-2023-4735: vim: OOB Write ops.c (bsc#1214924) * CVE-2023-4734: vim: segmentation fault in function f_fullcommand (bsc#1214925) * CVE-2023-4733: vim: use-after-free in function buflist_altfpos (bsc#1215004) * CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp 
(bsc#1215006) * CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both (bsc#1215033) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4619-1 Released: Thu Nov 30 10:13:52 2023 Summary: Security update for sqlite3 Type: security Severity: important References: 1210660,CVE-2023-2137 This update for sqlite3 fixes the following issues: - CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4623-1 Released: Thu Nov 30 19:22:32 2023 Summary: Security update for traceroute Type: security Severity: moderate References: 1216591,CVE-2023-46316 This update for traceroute fixes the following issues: - CVE-2023-46316: wrapper scripts do not properly parse command lines (bsc#1216591). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4644-1 Released: Tue Dec 5 13:46:14 2023 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: This update for psmisc fixes the following issues: - Fix version number when building the package ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4671-1 Released: Wed Dec 6 14:33:41 2023 Summary: Recommended update for man Type: recommended Severity: moderate References: This update of man fixes the following problem: - The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4672-1 Released: Wed Dec 6 14:37:37 2023 Summary: Security update for suse-build-key Type: security Severity: important References: 1216410,1217215 This update for suse-build-key fixes the following issues: This update runs a import-suse-build-key script. The previous libzypp-post-script based installation is replaced with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777). 
- suse-build-key-import.service - suse-build-key-import.timer It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys. After successful import the timer is disabled. To manually import them you can also run: # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4700-1 Released: Mon Dec 11 07:03:27 2023 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: This update for p11-kit fixes the following issues: - Ensure that programs using can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds (jsc#PED-6705). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4723-1 Released: Tue Dec 12 09:57:51 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1216862 This update for libtirpc fixes the following issue: - fix sed parsing in specfile (bsc#1216862) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4807-1 Released: Wed Dec 13 18:07:37 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4891-1 Released: Mon Dec 18 16:31:49 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1201384,1218014,CVE-2023-50495 This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:11-1 Released: Tue Jan 2 13:24:52 2024 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1029961,1158830,1206798,1209122 This update for procps fixes the following issues: - Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369) - For support up to 2048 CPU as well (bsc#1185417) - Allow `-´ as leading character to ignore possible errors on sysctl entries (bsc#1209122) - Get the first CPU summary correct (bsc#1121753) - Enable pidof for SLE-15 as this is provided by sysvinit-tools - Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be built - Do not truncate output of w with option -n - Prefer logind over utmp (jsc#PED-3144) - Don't install translated man pages for non-installed binaries (uptime, kill). - Fix directory for Ukrainian man pages translations. - Move localized man pages to lang package. 
- Update to procps-ng-3.3.17 * library: Incremented to 8:3:0 (no removals or additions, internal changes only) * all: properly handle utf8 cmdline translations * kill: Pass int to signalled process * pgrep: Pass int to signalled process * pgrep: Check sanity of SG_ARG_MAX * pgrep: Add older than selection * pidof: Quiet mode * pidof: show worker threads * ps.1: Mention stime alias * ps: check also match on truncated 16 char comm names * ps: Add exe output option * ps: A lot more sorting available * pwait: New command waits for a process * sysctl: Match systemd directory order * sysctl: Document directory order * top: ensure config file backward compatibility * top: add command line 'e' for symmetry with 'E' * top: add '4' toggle for two abreast cpu display * top: add '!' toggle for combining multiple cpus * top: fix potential SEGV involving -p switch * vmstat: Wide mode gives wider proc columns * watch: Add environment variable for interval * watch: Add no linewrap option * watch: Support more colors * free,uptime,slabtop: complain about extra ops - Package translations in procps-lang. - Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited. - Enable pidof by default - Update to procps-ng-3.3.16 * library: Increment to 8:2:0 No removals or functions Internal changes only, so revision is incremented. 
Previous version should have been 8:1:0 not 8:0:1 * docs: Use correct symbols for -h option in free.1 * docs: ps.1 now warns about command name length * docs: install translated man pages * pgrep: Match on runstate * snice: Fix matching on pid * top: can now exploit 256-color terminals * top: preserves 'other filters' in configuration file * top: can now collapse/expand forest view children * top: parent %CPU time includes collapsed children * top: improve xterm support for vim navigation keys * top: avoid segmentation fault at program termination * 'ps -C' does not allow anymore an argument longer than 15 characters (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:26-1 Released: Thu Jan 4 11:15:24 2024 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1214980 This update for mozilla-nss fixes the following issues: Mozilla NSS was updated to NSS 3.90.1 * regenerate NameConstraints test certificates. * add OSXSAVE and XCR0 tests to AVX2 detection. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:62-1 Released: Mon Jan 8 11:44:47 2024 Summary: Recommended update for libxcrypt Type: recommended Severity: moderate References: 1215496 This update for libxcrypt fixes the following issues: - fix variable name for datamember [bsc#1215496] - added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:70-1 Released: Tue Jan 9 18:29:39 2024 Summary: Security update for tar Type: security Severity: low References: 1217969,CVE-2023-39804 This update for tar fixes the following issues: - CVE-2023-39804: Fixed incorrect handling of extension attributes in PAX archives (bsc#1217969). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:105-1 Released: Mon Jan 15 15:41:05 2024 Summary: Recommended update for grub2 and efibootmgr Type: recommended Severity: important References: 1217237 This update for grub2 and efibootmgr fixes the following issues: grub2: - Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237) efibootmgr: - Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:136-1 Released: Thu Jan 18 09:53:47 2024 Summary: Security update for pam Type: security Severity: moderate References: 1217000,1218475,CVE-2024-22365 This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). - Check localtime_r() return value to fix crashing (bsc#1217000) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:139-1 Released: Thu Jan 18 11:33:54 2024 Summary: Recommended update for go1.21 Type: recommended Severity: moderate References: 1212475 This update for go1.21 fixes the following issues: go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and the crypto/tls, maps, and runtime/pprof packages. 
(bsc#1212475) * x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders * runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal * cmd/compile: linux/s390x: inlining bug in s390x * maps: maps.Clone reference semantics when cloning a map with large value types * runtime: excessive memory use between 1.21.0 -> 1.21.1 * cmd/compile: max/min builtin broken when used with string(byte) conversions * runtime/pprof: incorrect function names for generics functions * crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3 * runtime: race condition raised with parallel tests, panic(nil) and -race ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:238-1 Released: Fri Jan 26 10:56:41 2024 Summary: Security update for cpio Type: security Severity: moderate References: 1218571,CVE-2023-7207 This update for cpio fixes the following issues: - CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:322-1 Released: Fri Feb 2 15:13:26 2024 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1107342,1215434 This update for aaa_base fixes the following issues: - Set JAVA_HOME correctly (bsc#1107342, bsc#1215434) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:444-1 Released: Fri Feb 9 16:39:32 2024 Summary: Security update for suse-build-key Type: security Severity: important References: 1219123,1219189 This update for suse-build-key fixes the following issues: This update runs a import-suse-build-key script. The previous libzypp-post-script based installation is replaced with a systemd timer and service (bsc#1217215 bsc#1216410 jsc#PED-2777). 
- suse-build-key-import.service - suse-build-key-import.timer It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys. After successful import the timer is disabled. To manually import them you can also run: # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc # rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc Bugfix added since last update: - run rpm commands in import script only when libzypp is not active. bsc#1219189 bsc#1219123 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:555-1 Released: Tue Feb 20 17:22:17 2024 Summary: Security update for libxml2 Type: security Severity: moderate References: 1219576,CVE-2024-25062 This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:597-1 Released: Thu Feb 22 20:07:11 2024 Summary: Security update for mozilla-nss Type: security Severity: important References: 1216198,CVE-2023-5388 This update for mozilla-nss fixes the following issues: Update to NSS 3.90.2: - CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:614-1 Released: Mon Feb 26 11:31:18 2024 Summary: Recommended update for rpm Type: recommended Severity: important References: 1216752 This update for rpm fixes the following issues: - backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:615-1 Released: Mon Feb 26 11:32:32 2024 Summary: Recommended update for netcfg Type: recommended Severity: moderate References: 1211886 This update for netcfg fixes the following issues: - Add krb-prop entry (bsc#1211886) 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:725-1 Released: Thu Feb 29 11:03:34 2024 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1219123,1219189 This update for suse-build-key fixes the following issues: - Switch container key to be default RSA 4096bit. (jsc#PED-2777) - run import script also in %posttrans section, but only when libzypp is not active. bsc#1219189 bsc#1219123 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:734-1 Released: Thu Feb 29 13:16:38 2024 Summary: Recommended update for go1.21 Type: recommended Severity: moderate References: 1212475 This update for go1.21 fixes the following issues: go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command, the runtime, and the crypto/x509 package. (bsc#1212475 go1.21 release tracking) * go#63209 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21 * go#63768 runtime: pinner.Pin doesn't panic when it says it will * go#64497 cmd/go: flag modcacherw does not take effect in the target package * go#64761 staticlockranking builders failing on release branches on LUCI * go#64935 runtime: 'traceback: unexpected SPWRITE function runtime.systemstack' * go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests * go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params * go#65323 crypto: rollback BoringCrypto fips-20220613 update * go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module * go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder * go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:305-1 Released: Mon Mar 11 14:15:37 2024 
Summary: Security update for cpio Type: security Severity: moderate References: 1218571,1219238,CVE-2023-7207 This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using the --no-absolute-filenames option after the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:861-1 Released: Wed Mar 13 09:12:30 2024 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1218232 This update for aaa_base fixes the following issues: - Silence the output in the case of broken symlinks (bsc#1218232) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:907-1 Released: Fri Mar 15 08:57:38 2024 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1215377 This update for audit fixes the following issue: - Fix plugin termination when using systemd service units (bsc#1215377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:929-1 Released: Tue Mar 19 06:36:24 2024 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1219321 This update for coreutils fixes the following issues: - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:982-1 Released: Mon Mar 25 12:56:33 2024 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: 1217964 This update for systemd-rpm-macros fixes the following issue: - Order packages that require systemd after systemd-sysvcompat if needed. 
(bsc#1217964) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1091-1 Released: Tue Apr 2 12:18:46 2024 Summary: Recommended update for rpm Type: recommended Severity: moderate References: This update for rpm fixes the following issues: - Turn on IMA/EVM file signature support, move the imaevm code that needs the libimaevm library into a plugin, and install this plugin as part of a new 'rpm-imaevmsign' subpackage (jsc#PED-7246). - Backport signature reserved space handling from upstream. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1129-1 Released: Mon Apr 8 09:12:08 2024 Summary: Security update for expat Type: security Severity: important References: 1219559,1221289,CVE-2023-52425,CVE-2024-28757 This update for expat fixes the following issues: - CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559) - CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1133-1 Released: Mon Apr 8 11:29:02 2024 Summary: Security update for ncurses Type: security Severity: moderate References: 1220061,CVE-2023-45918 This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1206-1 Released: Thu Apr 11 12:56:24 2024 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1222259 This update for rpm fixes the following issues: - remove imaevmsign plugin from rpm-ndb [bsc#1222259] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1253-1 Released: Fri Apr 12 08:15:18 2024 Summary: Recommended update for gcc13 Type: recommended Severity: moderate References: 1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 This update for gcc13 fixes the following issues: - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Fixed building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. 
[bsc#1217450] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1287-1 Released: Mon Apr 15 15:03:40 2024 Summary: Security update for vim Type: security Severity: important References: 1215005,1217316,1217320,1217321,1217324,1217326,1217329,1217330,1217432,1219581,CVE-2023-4750,CVE-2023-48231,CVE-2023-48232,CVE-2023-48233,CVE-2023-48234,CVE-2023-48235,CVE-2023-48236,CVE-2023-48237,CVE-2023-48706,CVE-2024-22667 This update for vim fixes the following issues: Updated to version 9.1.0111, fixes the following security problems - CVE-2023-48231: Use-After-Free in win_close() (bsc#1217316). - CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320). - CVE-2023-48233: overflow with count for :s command (bsc#1217321). - CVE-2023-48234: overflow in nv_z_get_count (bsc#1217324). - CVE-2023-48235: overflow in ex address parsing (CVE-2023-48235). - CVE-2023-48236: overflow in get_number (bsc#1217329). - CVE-2023-48237: overflow in shift_line (bsc#1217330). - CVE-2023-48706: heap-use-after-free in ex_substitute (bsc#1217432). - CVE-2024-22667: stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581). - CVE-2023-4750: Heap use-after-free in function bt_quickfix (bsc#1215005). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1368-1 Released: Mon Apr 22 11:06:29 2024 Summary: Security update for shim Type: security Severity: important References: 1198101,1205588,1205855,1210382,1213945,1215098,1215099,1215100,1215101,1215102,1215103,1219460,CVE-2022-28737,CVE-2023-40546,CVE-2023-40547,CVE-2023-40548,CVE-2023-40549,CVE-2023-40550,CVE-2023-40551 This update for shim fixes the following issues: - Update shim-install to set the TPM2 SRK algorithm (bsc#1213945) - Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460) Update to version 15.8: Security issues fixed: - mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546) - avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547) - Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548) - Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549) - pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550) - pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551) The NX flag is disabled, which is the same as the default value of shim-15.8; hence, there is no need to enable it by this patch now.
- Generate dbx during build so we don't include binary files in sources - Don't require grub so shim can still be used with systemd-boot - Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855) - Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade - Update shim-install to amend full disk encryption support - Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector - Use the long name to specify the grub2 key protector - cryptodisk: support TPM authorized policies - Do not use tpm_record_pcrs unless the command is in command.lst - Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1398-1 Released: Tue Apr 23 13:58:22 2024 Summary: Recommended update for systemd-default-settings Type: recommended Severity: moderate References: This update for systemd-default-settings fixes the following issues: - Disable pids controller limit under user instances (jsc#SLE-10123) - Disable controllers by default (jsc#PED-2276) - The usage of drop-ins is now the official way for configuring systemd and its various daemons on Factory/ALP, hence the early drop-ins SUSE specific 'feature' has been abandoned. 
- User priority '26' for SLE-Micro - Convert more drop-ins into early ones ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1429-1 Released: Wed Apr 24 15:13:10 2024 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1188500,1221184 This update for ca-certificates fixes the following issue: - Update version (bsc#1221184) * Use flock to serialize calls (bsc#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1458-1 Released: Mon Apr 29 07:47:34 2024 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1220763 This update for vim fixes the following issues: - Fix segmentation fault after updating to version 9.1.0111-150500.20.9.1 (bsc#1220763) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1487-1 Released: Thu May 2 10:43:53 2024 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1211721,1221361,1221407,1222547 This update for aaa_base fixes the following issues: - home and end button not working from ssh client (bsc#1221407) - use autosetup in prep stage of specfile - drop the stderr redirection for csh (bsc#1221361) - drop sysctl.d/50-default-s390.conf (bsc#1211721) - make sure the script does not exit with 1 if a file with content is found (bsc#1222547) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1557-1 Released: Wed May 8 11:42:34 2024 Summary: Security update for rpm Type: security Severity: moderate References: 1189495,1191175,1218686,CVE-2021-3521 This update for rpm fixes the following issues: Security fixes: - CVE-2021-3521: Fixed missing subkey binding signature checking (bsc#1191175) Other fixes: - accept more signature subpackets marked as critical (bsc#1218686) - backport 
limit support for the autopatch macro (bsc#1189495) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1665-1 Released: Thu May 16 08:00:09 2024 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1221632 This update for coreutils fixes the following issues: - ls: avoid triggering automounts (bsc#1221632) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1762-1 Released: Wed May 22 16:14:17 2024 Summary: Security update for perl Type: security Severity: important References: 1082216,1082233,1213638,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216) - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233) Non-security issue fixed: - make Net::FTP work with TLS 1.3 (bsc#1213638) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1850-1 Released: Thu May 30 13:46:58 2024 Summary: Recommended update for sg3_utils Type: recommended Severity: moderate References: 1219547 This update for sg3_utils fixes the following issue: - sg_inq: re-add Unit serial number field (bsc#1219547) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1852-1 Released: Thu May 30 14:02:02 2024 Summary: Recommended update for wicked Type: recommended Severity: moderate References: 1205604,1218926,1219108,1224100 This update for wicked fixes the following issues: - client: fix ifreload to pull UP ports/links again when the config of their master/lower changed (bsc#1224100, gh#openSUSE/wicked#1014) - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports 
when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604) - removed patches included in the source archive ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1876-1 Released: Fri May 31 06:47:32 2024 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1221361 This update for aaa_base fixes the following issues: - Fix the typo to set JAVA_BINDIR in the csh variant of the alljava profile script (bsc#1221361) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1883-1 Released: Fri May 31 09:31:11 2024 Summary: Recommended update for iputils Type: recommended Severity: moderate References: 1224877 This update for iputils fixes the following issue: - 'arping: Fix 1s delay on exit for unsolicited arpings', backport upstream fix (bsc#1224877) - Backport proposed fix for regression in upstream commit 4db1de6 (bsc#1224877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1887-1 Released: Fri May 31 19:08:38 2024 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1192014,1216717,1217979,1223278,1224320 This update for suse-module-tools fixes the following issues: - Include unblacklist in initramfs (bsc#1224320) - regenerate-initrd-posttrans: run update-bootloader --refresh for XEN (bsc#1223278) - 60-io-scheduler.rules: test for 'scheduler' sysfs attribute (bsc#1216717) - README: Update blacklist description (gh#openSUSE/suse-module-tools#71) - macros.initrd: %regenerate_initrd_post: don't fail if mkdir is unavailable (bsc#1217979) - Don't rebuild existing initramfs images if the environment variable SKIP_REGENERATE_ALL=1 is set (bsc#1192014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1889-1 Released: Sun Jun 2 11:23:26 2024 Summary: Recommended update 
for container-suseconnect Type: recommended Severity: moderate References: 1219855 This update for container-suseconnect fixes the following issues: Update to 2.5.0: * Upgrade to go 1.21 * Allow setting of SCC credentials via environment variables * Bump github.com/urfave/cli/v2 from 2.25.7 to 2.27.1 * Use switch instead of else if construction * Add system token header to query SCC subscriptions (bsc#1219855) * Use the FIPS capable go1.21-openssl to build. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1943-1 Released: Fri Jun 7 17:04:06 2024 Summary: Security update for util-linux Type: security Severity: important References: 1218609,1220117,1221831,1223605,CVE-2024-28085 This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1950-1 Released: Fri Jun 7 17:20:14 2024 Summary: Security update for glib2 Type: security Severity: moderate References: 1224044,CVE-2024-34397 This update for glib2 fixes the following issues: Update to version 2.78.6: + Fix a regression with IBus caused by the fix for CVE-2024-34397 Changes in version 2.78.5: + Fix CVE-2024-34397: GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing. (bsc#1224044) + Bugs fixed: - gvfs-udisks2-volume-monitor SIGSEGV in g_content_type_guess_for_tree() due to filename with bad encoding - gcontenttype: Make filename valid utf-8 string before processing. - gdbusconnection: Don't deliver signals if the sender doesn't match. Changes in version 2.78.4: + Bugs fixed: - Fix generated RST anchors for methods, signals and properties. - docs/reference: depend on a native gtk-doc. - gobject_gdb.py: Do not break bt on optimized build. - gregex: clean up usage of _GRegex.jit_status. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1951-1 Released: Fri Jun 7 17:27:16 2024 Summary: Recommended update for libbpf Type: recommended Severity: moderate References: 1221101 This update for libbpf fixes the following issues: - Fixed potential null pointer dereference in bpf_object__collect_prog_relos() (bsc#1221101) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1954-1 Released: Fri Jun 7 18:01:06 2024 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1221482 This update for glibc fixes the following issues: - Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1994-1 Released: Tue Jun 11 15:03:55 2024 Summary: Recommended update for iputils Type: recommended Severity: moderate References: This update for iputils fixes the following issue: - After upstream merged the fix, update git commit hashes. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1997-1 Released: Tue Jun 11 17:24:32 2024 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1223596 This update for e2fsprogs fixes the following issues: - EA Inode handling fixes: - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2006-1 Released: Wed Jun 12 11:39:32 2024 Summary: Recommended update for ethtool Type: recommended Severity: moderate References: 1222079,1224590 This update for ethtool fixes the following issues: - ethtool was upgraded to version 6.4 (jsc#PED-5946, jsc#PED-8451): * For the full list of changes between 5.14 and 6.4 see upstream changelog (file NEWS) - Fixed SFP module diagnostic information (bsc#1222079) - Additional bug fixes (bsc#1224590): * Added missing header files for source distribution * Fixed SFF-8472 transceiver module identification * Allow nl_sset return -EOPNOTSUPP to fallback to do_sset * Fixed netlink support for coalesce tx aggr params * Fixed bug in rmgr when searching for empty slot ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2024-1 Released: Thu Jun 13 16:15:18 2024 Summary: Recommended update for jitterentropy Type: recommended Severity: moderate References: 1209627 This update for jitterentropy fixes the following issues: - Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command. 
Updated to 3.4.1 * add FIPS 140 hints to man page * simplify the test tool to search for optimal configurations * fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0 * enhancement: add ARM64 assembler code to read high-res timer ----------------------------------------------------------------- Advisory ID: 33664 Released: Thu Jun 13 21:03:11 2024 Summary: Recommended update for libsolv, libzypp, zypper, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings Type: recommended Severity: important References: 1222086,1223430,1223766,1224242 This update for libsolv, libzypp, zypper, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues: - Fix the dependency for Packagekit-backend-zypp in SUMa 4.3 (bsc#1224242) - Improve updating of installed multiversion packages - Fix decision introspection going into an endless loop in some cases - Split libsolv-tools into libsolv-tools-base [jsc#PED-8153] - Improve checks against corrupt rpm - Fixed check for outdated repo metadata as non-root user (bsc#1222086) - Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153) - Dynamically resolve libproxy (jsc#PED-8153) - Fix download from gpgkey URL (bsc#1223430) - Delay zypp lock until command options are parsed (bsc#1223766) - Unify message format ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2060-1 Released: Tue Jun 18 13:11:47 2024 Summary: Security update for less Type: security Severity: important References: 1222849,CVE-2024-32487 This update for less fixes the following issues: - CVE-2024-32487: Fixed OS command injection via a newline character in the file name. 
(bsc#1222849) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2066-1 Released: Tue Jun 18 13:16:09 2024 Summary: Security update for openssl-3 Type: security Severity: important References: 1223428,1224388,1225291,1225551,CVE-2024-4603,CVE-2024-4741 This update for openssl-3 fixes the following issues: Security issues fixed: - CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388) - CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551) Other issues fixed: - Enable livepatching support (bsc#1223428) - Fix HKDF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2086-1 Released: Wed Jun 19 11:48:24 2024 Summary: Recommended update for gcc13 Type: recommended Severity: moderate References: 1188441 This update for gcc13 fixes the following issues: Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2104-1 Released: Thu Jun 20 10:44:39 2024 Summary: Recommended update for google-cloud SDK Type: recommended Severity: moderate References: This update for protobuf and python-grpcio fixes the following issue: - Add python311 binaries to Python Module.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2172-1 Released: Mon Jun 24 05:51:55 2024 Summary: Recommended update for iproute2 Type: recommended Severity: moderate References: 1204562 This update for iproute2 fixes the following issues: iproute2 was updated to version 6.4 (jsc#PED-6820 jsc#PED-6844, jsc#PED-8358): - Fixed display of bound but unconnected sockets (bsc#1204562) - Changes in version 6.4: * bridge: mdb: added underlay destination IP support, UDP destination port support, destination VNI support, source VNI support, outgoing interface support * macvlan: added the 'bclim' parameter - Changes in version 6.3: * New release of iproute2 corresponding to the 6.3 kernel. No large feature improvements only incremental improvements to the bridge mdb support, mostly just bug fixes. - Changes in version 6.2: * f_flower: Introduce L2TPv3 support * bridge: fdb: Add support for locked FDB entries * bridge: link: Add MAC Authentication Bypass (MAB) support * ip: Support --json on `ip neigh get` * tc: Add JSON output to tc-class - Changes in version 6.1: * man: ss.8: fix a typo * testsuite: fix build failure * genl: remove unused vars in Makefile * json: do not escape single quotes * ip-monitor: Do not error out when RTNLGRP_STATS is not available * ip-link: man: Document existence of netns argument in add command * macsec: add Extended Packet Number support * macsec: add user manual description for extended packet number feature * ip: xfrm: support 'external' (`collect_md`) mode in xfrm interfaces * ip: xfrm: support adding xfrm metadata as lwtunnel info in routes * ip: add NLM_F_ECHO support * libnetlink: add offset for nl_dump_ext_ack_done * tc/tc_monitor: print netlink extack message * rtnetlink: add new function rtnl_echo_talk() * ip: fix return value for rtnl_talk failures * iplink_bridge: Add no_linklocal_learn option support * devlink: use dl_no_arg instead of checking dl_argc == 0 * devlink: remove 
dl_argv_parse_put * mnlg: remove unnused mnlg_socket structure * utils: extract CTRL_ATTR_MAXATTR and save it * devlink: expose nested devlink for a line card object * devlink: load port-ifname map on demand * devlink: fix parallel flash notifications processing * devlink: move use_iec into struct dl * devlink: fix typo in variable name in ifname_map_cb() * devlink: load ifname map on demand from ifname_map_rev_lookup() as well * dcb: unblock mnl_socket_recvfrom if not message received * libnetlink: Fix memory leak in __rtnl_talk_iov() * tc_util: Fix no error return when large parent id used * tc_util: Change datatype for maj to avoid overflow issue * ss: man: add missing entries for MPTCP * ss: man: add missing entries for TIPC * ss: usage: add missing parameters * ss: re-add TIPC query support * devlink: Fix setting parent for 'rate add' * link: display 'allmulti' counter * seg6: add support for flavors in SRv6 End* behaviors * tc: ct: Fix invalid pointer dereference * uapi: update from 6.1 pre rc1 * u32: fix json formatting of flowid * tc_stab: remove dead code * uapi: update for in.h and ip.h * remove #if 0 code * tc: add json support to size table * tc: put size table options in json object * tc/basic: fix json output filter * iplink: support JSON in MPLS output * tc: print errors on stderr * ip: print mpls errors on stderr * tc: make prefix const * man: add missing tc class show * iplink_can: add missing `]' of the bitrate, dbitrate and termination arrays * ip link: add sub-command to view and change DSA conduit interface - Changes in version 6.0: * ipstats: Add param.h for musl * Update kernel headers * libbpf: add xdp program name support * iplink: bond_slave: add per port prio support * seg6: add support for SRv6 Headend Reduced Encapsulation * lib: Introduce ppp protocols * f_flower: Introduce PPPoE support - Changes in version 5.19: * ip/iplink_virt_wifi: add support for virt_wifi * Update kernel headers * libnetlink: Add filtering to 
rtnl_statsdump_req_filter() * ipstats: Add a 'set' command * ipstats: Add a group 'link' * libbpf: Use bpf_object__load instead of bpf_object__load_xattr * uapi: change name for zerocopy sendfile in tls * bridge: vxlan device vnifilter support * f_flower: Add num of vlans parameter - Changes in version 5.18: * The build issues with libbpf should be fixed now. * Building with clang is now supported. * There are still some warnings with gcc-12 that will need to be fixed in the upstream kernel headers. - Changes in version 5.17: * lib/fs: fix memory leak in get_task_name() * bridge: Remove vlan listing from `bridge link` * bond: add arp_missed_max option * libnetlink: fix socket leak in rtnl_open_byproto() * dcb: Fix error reporting when accessing 'dcb app' * tc_util: Fix parsing action control with space and slash * lib: fix ax25.h include for musl * uapi: add missing rose and ax25 files * rdma: Fix res_print_uint() and add res_print_u64() * tc: Add support for ce_threshold_value/mask in fq_codel - Add tmpfiles.d conf for /run/netns - Changes in version 5.16: * devlink: Fix cmd_dev_param_set() to check configuration mode * ip: add AMT support * iplink_can: fix configuration ranges in print_usage() and add unit * tc: flower: Fix buffer overflow on large labels * ip/ipnexthop: fix unsigned overflow in parse_nh_group_type_res() * tc/m_vlan: fix print_vlan() conditional on TCA_VLAN_ACT_PUSH_ETH * iplink_can: add new CAN FD bittiming parameters: Transmitter Delay Compensation (TDC) - Changes in version 5.15: * lib: bpf_legacy: fix bpffs mount when /sys/fs/bpf exists * man: devlink-port: fix the devlink port add synopsis * man: devlink-port: fix pfnum for devlink port add * iptuntap: fix multi-queue flag display * mptcp: unbreak JSON endpoint list * ipneigh: add support to print brief output of neigh cache in tabular format * ip/bond: add LACP active support * ip/tunnel: always print all known attributes * Add, show, link, remove IOAM namespaces and schemas * New IOAM6 
encap type for routes * tc/skbmod: Introduce SKBMOD_F_ECN option * tc/f_flower: fix port range parsing ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2203-1 Released: Tue Jun 25 15:04:37 2024 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1012628,1065729,1181674,1187716,1193599,1194869,1207948,1208593,1209657,1213573,1214852,1215199,1216196,1216358,1216702,1217169,1217384,1217408,1217489,1217750,1217959,1218205,1218336,1218447,1218779,1218917,1219104,1219170,1219596,1219623,1219834,1220021,1220045,1220120,1220148,1220328,1220342,1220428,1220430,1220569,1220587,1220783,1220915,1221044,1221293,1221303,1221504,1221612,1221615,1221635,1221645,1221649,1221765,1221777,1221783,1221816,1221829,1221830,1221858,1222048,1222173,1222264,1222273,1222294,1222301,1222303,1222304,1222307,1222357,1222366,1222368,1222371,1222378,1222385,1222422,1222426,1222428,1222437,1222445,1222459,1222464,1222489,1222522,1222525,1222532,1222557,1222559,1222563,1222585,1222596,1222606,1222608,1222613,1222615,1222618,1222622,1222624,1222627,1222630,1222635,1222721,1222727,1222769,1222771,1222775,1222777,1222780,1222782,1222793,1222799,1222801,1222968,1223007,1223011,1223015,1223020,1223023,1223024,1223033,1223034,1223035,1223038,1223039,1223041,1223045,1223046,1223051,1223052,1223058,1223060,1223061,1223076,1223077,1223111,1223113,1223138,1223143,1223187,1223189,1223190,1223191,1223198,1223202,1223285,1223315,1223338,1223369,1223380,1223384,1223390,1223439,1223462,1223532,1223539,1223575,1223590,1223591,1223592,1223593,1223625,1223629,1223633,1223634,1223637,1223641,1223643,1223649,1223650,1223651,1223652,1223653,1223654,1223655,1223660,1223661,1223664,1223665,1223666,1223668,1223669,1223670,1223671,1223675,1223677,1223678,1223686,1223692,1223693,1223695,1223696,1223698,1223705,1223712,1223718,1223728,1223732,1223735,1223739,1223741,1223744,1223745,1223747,1223748,1223749,1223750,1223752,1223754,1223757,122375
9,1223761,1223762,1223774,1223782,1223787,1223788,1223789,1223790,1223802,1223805,1223810,1223822,1223827,1223831,1223834,1223838,1223869,1223870,1223871,1223872,1223874,1223944,1223945,1223946,1223991,1224076,1224096,1224098,1224099,1224137,1224166,1224174,1224177,1224180,1224181,1224331,1224423,1224429,1224430,1224432,1224433,1224437,1224438,1224442,1224443,1224445,1224449,1224477,1224479,1224480,1224481,1224482,1224486,1224487,1224488,1224491,1224492,1224493,1224494,1224495,1224500,1224501,1224502,1224504,1224505,1224506,1224507,1224508,1224509,1224511,1224513,1224517,1224519,1224521,1224524,1224525,1224526,1224530,1224531,1224534,1224537,1224541,1224542,1224543,1224546,1224550,1224552,1224553,1224555,1224557,1224558,1224559,1224562,1224565,1224566,1224567,1224568,1224569,1224571,1224573,1224576,1224577,1224578,1224579,1224580,1224581,1224582,1224585,1224586,1224587,1224588,1224592,1224596,1224598,1224600,1224601,1224602,1224603,1224605,1224607,1224608,1224609,1224611,1224613,1224615,1224617,1224618,1224620,1224621,1224622,1224623,1224624,1224626,1224627,1224628,1224629,1224630,1224632,1224633,1224634,1224636,1224637,1224638,1224639,1224640,1224643,1224644,1224645,1224646,1224647,1224648,1224649,1224650,1224651,1224652,1224653,1224654,1224657,1224660,1224663,1224664,1224665,1224666,1224667,1224668,1224671,1224672,1224674,1224675,1224676,1224677,1224678,1224679,1224680,1224681,1224682,1224683,1224685,1224686,1224687,1224688,1224692,1224696,1224697,1224699,1224701,1224703,1224704,1224705,1224706,1224707,1224709,1224710,1224712,1224714,1224716,1224717,1224718,1224719,1224720,1224721,1224722,1224723,1224725,1224727,1224728,1224729,1224730,1224731,1224732,1224733,1224736,1224738,1224739,1224740,1224741,1224742,1224747,1224749,1224763,1224764,1224765,1224766,1224790,1224792,1224793,1224803,1224804,1224866,1224936,1224989,1225007,1225053,1225133,1225134,1225136,1225172,1225502,1225578,1225579,1225580,1225593,1225605,1225607,1225610,1225616,1225618,1225640,1225642,122569
2,1225694,1225695,1225696,1225698,1225699,1225704,1225705,1225708,1225710,1225712,1225714,1225715,1225720,1225722,1225728,1225734,1225735,1225736,1225747,1225748,1225749,1225750,1225756,1225765,1225766,1225769,1225773,1225775,1225842,1225945,1226158,CVE-2023-0160,CVE-2023-52434,CVE-2023-52458,CVE-2023-52472,CVE-2023-52503,CVE-2023-52616,CVE-2023-52618,CVE-2023-52631,CVE-2023-52635,CVE-2023-52640,CVE-2023-52641,CVE-2023-52645,CVE-2023-52652,CVE-2023-52653,CVE-2023-52654,CVE-2023-52655,CVE-2023-52657,CVE-2023-52658,CVE-2023-52659,CVE-2023-52660,CVE-2023-52661,CVE-2023-52662,CVE-2023-52663,CVE-2023-52664,CVE-2023-52667,CVE-2023-52669,CVE-2023-52670,CVE-2023-52671,CVE-2023-52673,CVE-2023-52674,CVE-2023-52675,CVE-2023-52676,CVE-2023-52678,CVE-2023-52679,CVE-2023-52680,CVE-2023-52681,CVE-2023-52683,CVE-2023-52685,CVE-2023-52686,CVE-2023-52687,CVE-2023-52690,CVE-2023-52691,CVE-2023-52692,CVE-2023-52693,CVE-2023-52694,CVE-2023-52695,CVE-2023-52696,CVE-2023-52697,CVE-2023-52698,CVE-2023-52771,CVE-2023-52772,CVE-2023-52860,CVE-2023-52882,CVE-2023-6238,CVE-2023-7042,CVE-2024-0639,CVE-2024-21823,CVE-2024-22099,CVE-2024-23848,CVE-2024-24861,CVE-2024-25739,CVE-2024-26601,CVE-2024-26611,CVE-2024-26614,CVE-2024-26632,CVE-2024-26638,CVE-2024-26642,CVE-2024-26643,CVE-2024-26650,CVE-2024-26654,CVE-2024-26656,CVE-2024-26657,CVE-2024-26671,CVE-2024-26673,CVE-2024-26674,CVE-2024-26679,CVE-2024-26684,CVE-2024-26685,CVE-2024-26692,CVE-2024-26704,CVE-2024-26714,CVE-2024-26726,CVE-2024-26731,CVE-2024-26733,CVE-2024-26737,CVE-2024-26739,CVE-2024-26740,CVE-2024-26742,CVE-2024-26760,CVE-2024-267600,CVE-2024-26761,CVE-2024-26764,CVE-2024-26769,CVE-2024-26772,CVE-2024-26773,CVE-2024-26774,CVE-2024-26775,CVE-2024-26783,CVE-2024-26786,CVE-2024-26791,CVE-2024-26793,CVE-2024-26794,CVE-2024-26802,CVE-2024-26805,CVE-2024-26807,CVE-2024-26815,CVE-2024-26816,CVE-2024-26822,CVE-2024-26832,CVE-2024-26836,CVE-2024-26844,CVE-2024-26846,CVE-2024-26853,CVE-2024-26854,CVE-2024-26855,CVE-2024-26856,CVE-2024-2685
7,CVE-2024-26858,CVE-2024-26860,CVE-2024-26861,CVE-2024-26862,CVE-2024-26866,CVE-2024-26868,CVE-2024-26870,CVE-2024-26878,CVE-2024-26881,CVE-2024-26882,CVE-2024-26883,CVE-2024-26884,CVE-2024-26885,CVE-2024-26899,CVE-2024-26900,CVE-2024-26901,CVE-2024-26903,CVE-2024-26906,CVE-2024-26909,CVE-2024-26921,CVE-2024-26922,CVE-2024-26923,CVE-2024-26925,CVE-2024-26928,CVE-2024-26932,CVE-2024-26933,CVE-2024-26934,CVE-2024-26935,CVE-2024-26937,CVE-2024-26938,CVE-2024-26940,CVE-2024-26943,CVE-2024-26945,CVE-2024-26946,CVE-2024-26948,CVE-2024-26949,CVE-2024-26950,CVE-2024-26951,CVE-2024-26957,CVE-2024-26958,CVE-2024-26960,CVE-2024-26961,CVE-2024-26962,CVE-2024-26963,CVE-2024-26964,CVE-2024-26972,CVE-2024-26973,CVE-2024-26978,CVE-2024-26981,CVE-2024-26982,CVE-2024-26983,CVE-2024-26984,CVE-2024-26986,CVE-2024-26988,CVE-2024-26989,CVE-2024-26990,CVE-2024-26991,CVE-2024-26992,CVE-2024-26993,CVE-2024-26994,CVE-2024-26995,CVE-2024-26996,CVE-2024-26997,CVE-2024-26999,CVE-2024-27000,CVE-2024-27001,CVE-2024-27002,CVE-2024-27003,CVE-2024-27004,CVE-2024-27008,CVE-2024-27013,CVE-2024-27014,CVE-2024-27022,CVE-2024-27027,CVE-2024-27028,CVE-2024-27029,CVE-2024-27030,CVE-2024-27031,CVE-2024-27036,CVE-2024-27046,CVE-2024-27056,CVE-2024-27057,CVE-2024-27062,CVE-2024-27067,CVE-2024-27080,CVE-2024-27388,CVE-2024-27389,CVE-2024-27393,CVE-2024-27395,CVE-2024-27396,CVE-2024-27398,CVE-2024-27399,CVE-2024-27400,CVE-2024-27401,CVE-2024-27405,CVE-2024-27408,CVE-2024-27410,CVE-2024-27411,CVE-2024-27412,CVE-2024-27413,CVE-2024-27416,CVE-2024-27417,CVE-2024-27418,CVE-2024-27431,CVE-2024-27432,CVE-2024-27434,CVE-2024-27435,CVE-2024-27436,CVE-2024-35784,CVE-2024-35786,CVE-2024-35788,CVE-2024-35789,CVE-2024-35790,CVE-2024-35791,CVE-2024-35794,CVE-2024-35795,CVE-2024-35796,CVE-2024-35799,CVE-2024-35800,CVE-2024-35801,CVE-2024-35803,CVE-2024-35804,CVE-2024-35806,CVE-2024-35808,CVE-2024-35809,CVE-2024-35810,CVE-2024-35811,CVE-2024-35812,CVE-2024-35813,CVE-2024-35814,CVE-2024-35815,CVE-2024-35817,CVE-2024-35819,CVE
-2024-35821,CVE-2024-35822,CVE-2024-35823,CVE-2024-35824,CVE-2024-35825,CVE-2024-35828,CVE-2024-35829,CVE-2024-35830,CVE-2024-35833,CVE-2024-35834,CVE-2024-35835,CVE-2024-35836,CVE-2024-35837,CVE-2024-35838,CVE-2024-35841,CVE-2024-35842,CVE-2024-35845,CVE-2024-35847,CVE-2024-35849,CVE-2024-35850,CVE-2024-35851,CVE-2024-35852,CVE-2024-35854,CVE-2024-35860,CVE-2024-35861,CVE-2024-35862,CVE-2024-35863,CVE-2024-35864,CVE-2024-35865,CVE-2024-35866,CVE-2024-35867,CVE-2024-35868,CVE-2024-35869,CVE-2024-35870,CVE-2024-35872,CVE-2024-35875,CVE-2024-35877,CVE-2024-35878,CVE-2024-35879,CVE-2024-35883,CVE-2024-35885,CVE-2024-35887,CVE-2024-35889,CVE-2024-35891,CVE-2024-35895,CVE-2024-35901,CVE-2024-35903,CVE-2024-35904,CVE-2024-35905,CVE-2024-35907,CVE-2024-35909,CVE-2024-35911,CVE-2024-35912,CVE-2024-35914,CVE-2024-35915,CVE-2024-35916,CVE-2024-35917,CVE-2024-35921,CVE-2024-35922,CVE-2024-35924,CVE-2024-35927,CVE-2024-35928,CVE-2024-35930,CVE-2024-35931,CVE-2024-35932,CVE-2024-35933,CVE-2024-35935,CVE-2024-35936,CVE-2024-35937,CVE-2024-35938,CVE-2024-35940,CVE-2024-35943,CVE-2024-35944,CVE-2024-35945,CVE-2024-35946,CVE-2024-35947,CVE-2024-35950,CVE-2024-35951,CVE-2024-35952,CVE-2024-35953,CVE-2024-35954,CVE-2024-35955,CVE-2024-35956,CVE-2024-35958,CVE-2024-35959,CVE-2024-35960,CVE-2024-35961,CVE-2024-35963,CVE-2024-35964,CVE-2024-35965,CVE-2024-35966,CVE-2024-35967,CVE-2024-35969,CVE-2024-35971,CVE-2024-35972,CVE-2024-35973,CVE-2024-35974,CVE-2024-35975,CVE-2024-35977,CVE-2024-35978,CVE-2024-35981,CVE-2024-35982,CVE-2024-35984,CVE-2024-35986,CVE-2024-35989,CVE-2024-35990,CVE-2024-35991,CVE-2024-35992,CVE-2024-35995,CVE-2024-35997,CVE-2024-35999,CVE-2024-36002,CVE-2024-36006,CVE-2024-36007,CVE-2024-36009,CVE-2024-36011,CVE-2024-36012,CVE-2024-36013,CVE-2024-36014,CVE-2024-36015,CVE-2024-36016,CVE-2024-36018,CVE-2024-36019,CVE-2024-36020,CVE-2024-36021,CVE-2024-36025,CVE-2024-36026,CVE-2024-36029,CVE-2024-36030,CVE-2024-36032,CVE-2024-36880,CVE-2024-36885,CVE-2024-36890,CVE-2024
-36891,CVE-2024-36893,CVE-2024-36894,CVE-2024-36895,CVE-2024-36896,CVE-2024-36897,CVE-2024-36898,CVE-2024-36906,CVE-2024-36918,CVE-2024-36921,CVE-2024-36922,CVE-2024-36928,CVE-2024-36930,CVE-2024-36931,CVE-2024-36936,CVE-2024-36940,CVE-2024-36941,CVE-2024-36942,CVE-2024-36944,CVE-2024-36947,CVE-2024-36949,CVE-2024-36950,CVE-2024-36951,CVE-2024-36955,CVE-2024-36959 The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2023-0160: Fixed deadlock flaw in BPF that could allow a local user to potentially crash the system (bsc#1209657). - CVE-2023-52434: Fixed potential OOBs in smb2_parse_contexts() (bsc#1220148). - CVE-2023-52458: Fixed check that partition length needs to be aligned with block size (bsc#1220428). - CVE-2023-52503: Fixed tee/amdtee use-after-free vulnerability in amdtee_close_session (bsc#1220915). - CVE-2023-52618: Fixed string overflow in block/rnbd-srv (bsc#1221615). - CVE-2023-52631: Fixed a NULL dereference bug (bsc#1222264 CVE-2023-52631). - CVE-2023-52635: Fixed PM/devfreq to synchronize devfreq_monitor_[start/stop] (bsc#1222294). - CVE-2023-52640: Fixed out-of-bounds in ntfs_listxattr (bsc#1222301). - CVE-2023-52641: Fixed NULL ptr dereference checking at the end of attr_allocate_frame() (bsc#1222303) - CVE-2023-52645: Fixed pmdomain/mediatek race conditions with genpd (bsc#1223033). - CVE-2023-52652: Fixed NTB for possible name leak in ntb_register_device() (bsc#1223686). - CVE-2023-52659: Fixed pfn_to_kaddr() not being treated as a 64-bit type (bsc#1224442). - CVE-2023-52674: Add clamp() in scarlett2_mixer_ctl_put() (bsc#1224727). - CVE-2023-52680: Fixed missing error checks to *_ctl_get() (bsc#1224608). - CVE-2023-52692: Fixed missing error check to scarlett2_usb_set_config() (bsc#1224628). 
- CVE-2023-52698: Fixed memory leak in netlbl_calipso_add_pass() (CVE-2023-52698 bsc#1224621) - CVE-2023-52771: Fixed delete_endpoint() vs parent unregistration race (bsc#1225007). - CVE-2023-52772: Fixed use-after-free in unix_stream_read_actor() (bsc#1224989). - CVE-2023-52860: Fixed null pointer dereference in hisi_hns3 (bsc#1224936). - CVE-2023-6238: Fixed kcalloc() arguments order (bsc#1217384). - CVE-2023-7042: Fixed a null-pointer-dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336). - CVE-2024-0639: Fixed a denial-of-service vulnerability due to a deadlock found in sctp_auto_asconf_init in net/sctp/socket.c (bsc#1218917). - CVE-2024-21823: Fixed safety flag to struct ends (bsc#1223625). - CVE-2024-22099: Fixed a null-pointer-dereference in rfcomm_check_security (bsc#1219170). - CVE-2024-23848: Fixed media/cec for possible use-after-free in cec_queue_msg_fh (bsc#1219104). - CVE-2024-24861: Fixed an overflow due to race condition in media/xc4000 device driver in xc4000 xc4000_get_frequency() function (bsc#1219623). - CVE-2024-25739: Fixed possible crash in create_empty_lvol() in drivers/mtd/ubi/vtbl.c (bsc#1219834). - CVE-2024-26601: Fixed ext4 buddy bitmap corruption via fast commit replay (bsc#1220342). - CVE-2024-26614: Fixed the initialization of accept_queue's spinlocks (bsc#1221293). - CVE-2024-26632: Fixed iterating over an empty bio with bio_for_each_folio_all (bsc#1221635). - CVE-2024-26638: Fixed uninitialize struct msghdr completely (bsc#1221649 CVE-2024-26638). - CVE-2024-26642: Fixed the set of anonymous timeout flag in netfilter nf_tables (bsc#1221830). - CVE-2024-26643: Fixed mark set as dead when unbinding anonymous set with timeout (bsc#1221829). - CVE-2024-26654: Fixed use after free in ALSA/sh/aica (bsc#1222304). - CVE-2024-26656: Fixed drm/amdgpu use-after-free bug (bsc#1222307). - CVE-2024-26671: Fixed blk-mq IO hang from sbitmap wakeup race (bsc#1222357). 
- CVE-2024-26673: Fixed netfilter/nft_ct layer 3 and 4 protocol sanitization (bsc#1222368). - CVE-2024-26674: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups (bsc#1222378). - CVE-2024-26679: Fixed read sk->sk_family once in inet_recv_error() (bsc#1222385). - CVE-2024-26684: Fixed net/stmmac/xgmac handling of DPP safety error for DMA channels (bsc#1222445). - CVE-2024-26685: Fixed nilfs2 potential bug in end_buffer_async_write (bsc#1222437). - CVE-2024-26692: Fixed regression in writes when non-standard maximum write size negotiated (bsc#1222464). - CVE-2024-26704: Fixed a double-free of blocks due to wrong extents moved_len in ext4 (bsc#1222422). - CVE-2024-26726: Fixed invalid drop extent_map for free space inode on write error (bsc#1222532) - CVE-2024-26731: Fixed NULL pointer dereference in sk_psock_verdict_data_ready() (bsc#1222371). - CVE-2024-26733: Fixed an overflow in arp_req_get() in arp (bsc#1222585). - CVE-2024-26737: Fixed selftests/bpf racing between bpf_timer_cancel_and_free and bpf_timer_cancel (bsc#1222557). - CVE-2024-26740: Fixed use the backlog for mirred ingress (bsc#1222563). - CVE-2024-26760: Fixed bio_put() for error case (bsc#1222596 cve-2024-267600). - CVE-2024-26760: Fixed scsi/target/pscsi bio_put() for error case (bsc#1222596). - CVE-2024-26764: Fixed IOCB_AIO_RW check in fs/aio before the struct aio_kiocb conversion (bsc#1222721). - CVE-2024-26772: Fixed ext4 to avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (bsc#1222613). - CVE-2024-26773: Fixed ext4 block allocation from corrupted group in ext4_mb_try_best_found() (bsc#1222618). - CVE-2024-26774: Fixed dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt (bsc#1222622). - CVE-2024-26775: Fixed potential deadlock at set_capacity (bsc#1222627). - CVE-2024-26783: Fixed mm/vmscan bug when calling wakeup_kswapd() with a wrong zone index (bsc#1222615). 
- CVE-2024-26791: Fixed btrfs to properly validate device names (bsc#1222793) - CVE-2024-26793: Fixed a use-after-free and null-ptr-deref in gtp_newlink() in gtp (bsc#1222428). - CVE-2024-26805: Fixed a kernel-infoleak-after-free in __skb_datagram_iter in netlink (bsc#1222630). - CVE-2024-26807: Fixed spi/cadence-qspi NULL pointer reference in runtime PM hooks (bsc#1222801). - CVE-2024-26815: Fixed improper TCA_TAPRIO_TC_ENTRY_INDEX check (bsc#1222635). - CVE-2024-26816: Fixed relocations in .notes section when building with CONFIG_XEN_PV=y (bsc#1222624). - CVE-2024-26822: Set correct id, uid and cruid for multiuser automounts (bsc#1223011). - CVE-2024-26832: Fixed missing folio cleanup in writeback race path (bsc#1223007). - CVE-2024-26836: Fixed platform/x86/think-lmi password opcode ordering for workstations (bsc#1222968). - CVE-2024-26844: Fixed WARNING in _copy_from_iter (bsc#1223015). - CVE-2024-26853: Fixed igc returning frame twice in XDP_REDIRECT (bsc#1223061). - CVE-2024-26855: Fixed net/ice potential NULL pointer dereference in ice_bridge_setlink() (bsc#1223051). - CVE-2024-26856: Fixed use-after-free inside sparx5_del_mact_entry (bsc#1223052). - CVE-2024-26857: Fixed geneve to make sure to pull inner header in geneve_rx() (bsc#1223058). - CVE-2024-26860: Fixed a memory leak when rechecking the data (bsc#1223077). - CVE-2024-26861: Fixed wireguard/receive annotate data-race around receiving_counter.counter (bsc#1223076). - CVE-2024-26862: Fixed packet annotate data-races around ignore_outgoing (bsc#1223111). - CVE-2024-26866: Fixed spi/spi-fsl-lpspi by removing redundant spi_controller_put call (bsc#1223024). - CVE-2024-26878: Fixed quota for potential NULL pointer dereference (bsc#1223060). - CVE-2024-26881: Fixed net/hns3 kernel crash when 1588 is received on HIP08 devices (bsc#1223041). - CVE-2024-26882: Fixed net/ip_tunnel to make sure to pull inner header in ip_tunnel_rcv() (bsc#1223034). 
- CVE-2024-26883: Fixed bpf stackmap overflow check on 32-bit arches (bsc#1223035). - CVE-2024-26884: Fixed bpf hashtab overflow check on 32-bit arches (bsc#1223189). - CVE-2024-26885: Fixed bpf DEVMAP_HASH overflow check on 32-bit arches (bsc#1223190). - CVE-2024-26899: Fixed deadlock between bd_link_disk_holder and partition scan (bsc#1223045). - CVE-2024-26901: Fixed do_sys_name_to_handle() to use kzalloc() to prevent kernel-infoleak (bsc#1223198). - CVE-2024-26906: Fixed invalid vsyscall page read for copy_from_kernel_nofault() (bsc#1223202). - CVE-2024-26909: Fixed drm bridge use-after-free (bsc#1223143). - CVE-2024-26921: Preserve kabi for sk_buff (bsc#1223138). - CVE-2024-26923: Fixed false-positive lockdep splat for spin_lock() in __unix_gc() (bsc#1223384). - CVE-2024-26925: Release mutex after nft_gc_seq_end from abort path (bsc#1223390). - CVE-2024-26928: Fix potential UAF in cifs_debug_files_proc_show() (bsc#1223532). - CVE-2024-26945: Fixed nr_cpus < nr_iaa case (bsc#1223732). - CVE-2024-26946: Fixed copy_from_kernel_nofault() to read from unsafe address (bsc#1223669). - CVE-2024-26948: Fixed drm/amd/display by adding dc_state NULL check in dc_state_release (bsc#1223664). - CVE-2024-26950: Fixed wireguard/netlink to access device through ctx instead of peer (bsc#1223661). - CVE-2024-26951: Fixed wireguard/netlink check for dangling peer via is_dead instead of empty list (bsc#1223660). - CVE-2024-26958: Fixed UAF in direct writes (bsc#1223653). - CVE-2024-26960: Fixed mm/swap race between free_swap_and_cache() and swapoff() (bsc#1223655). - CVE-2024-26982: Fixed Squashfs inode number check not to be an invalid value of zero (bsc#1223634). - CVE-2024-26991: Fixed overflow lpage_info when checking attributes (bsc#1223695). - CVE-2024-26993: Fixed fs/sysfs reference leak in sysfs_break_active_protection() (bsc#1223693). - CVE-2024-27013: Fixed tun limit printing rate when illegal packet received by tun device (bsc#1223745). 
- CVE-2024-27014: Fixed net/mlx5e to prevent deadlock while disabling aRFS (bsc#1223735). - CVE-2024-27022: Fixed linking file vma until vma is fully initialized (bsc#1223774). - CVE-2024-27030: Fixed octeontx2-af to use separate handlers for interrupts (bsc#1223790). - CVE-2024-27036: Fixed writeback data corruption (bsc#1223810). - CVE-2024-27046: Fixed nfp/flower handling acti_netdevs allocation failure (bsc#1223827). - CVE-2024-27056: Fixed wifi/iwlwifi/mvm to ensure offloading TID queue exists (bsc#1223822). - CVE-2024-27062: Fixed nouveau lock inside client object tree (bsc#1223834). - CVE-2024-27389: Fixed pstore inode handling with d_invalidate() (bsc#1223705). - CVE-2024-27395: Fixed Use-After-Free in ovs_ct_exit (bsc#1224098). - CVE-2024-27396: Fixed Use-After-Free in gtp_dellink (bsc#1224096). - CVE-2024-27401: Fixed user_length taken into account when fetching packet contents (bsc#1224181). - CVE-2024-27408: Fixed race condition in dmaengine w-edma/eDMA (bsc#1224430). - CVE-2024-27417: Fixed potential 'struct net' leak in inet6_rtm_getaddr() (bsc#1224721) - CVE-2024-27418: Fixed memory leak in mctp_local_output (bsc#1224720) - CVE-2024-27431: Fixed Zero-initialise xdp_rxq_info struct before running XDP program (bsc#1224718). - CVE-2024-35852: Fixed memory leak when canceling rehash work (bsc#1224502). - CVE-2024-35854: Fixed possible use-after-free during rehash (bsc#1224636). - CVE-2024-35860: struct bpf_link and bpf_link_ops kABI workaround (bsc#1224531). - CVE-2024-35861: Fixed potential UAF in cifs_signal_cifsd_for_reconnect() (bsc#1224766). - CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1224764). - CVE-2024-35863: Fixed potential UAF in is_valid_oplock_break() (bsc#1224763). - CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1224765). - CVE-2024-35865: Fixed potential UAF in smb2_is_valid_oplock_break() (bsc#1224668). - CVE-2024-35866: Fixed potential UAF in cifs_dump_full_key() (bsc#1224667). 
- CVE-2024-35867: Fixed potential UAF in cifs_stats_proc_show() (bsc#1224664). - CVE-2024-35868: Fixed potential UAF in cifs_stats_proc_write() (bsc#1224678). - CVE-2024-35869: Guarantee refcounted children from parent session (bsc#1224679). - CVE-2024-35870: Fixed UAF in smb2_reconnect_server() (bsc#1224672). - CVE-2024-35872: Fixed GUP-fast succeeding on secretmem folios (bsc#1224530). - CVE-2024-35877: Fixed VM_PAT handling in COW mappings (bsc#1224525). - CVE-2024-35895: Fixed lock inversion deadlock in map delete elem (bsc#1224511). - CVE-2024-35903: Fixed IP after emitting call depth accounting (bsc#1224493). - CVE-2024-35905: Fixed int overflow for stack access size (bsc#1224488). - CVE-2024-35917: Fixed bpf_plt pointer arithmetic (bsc#1224481). - CVE-2024-35921: Fixed oops when HEVC init fails (bsc#1224477). - CVE-2024-35931: Fixed PCI error slot reset during RAS recovery (bsc#1224652). - CVE-2024-35943: Fixed a null pointer dereference in omap_prm_domain_init (bsc#1224649). - CVE-2024-35944: Fixed memcpy() run-time warning in dg_dispatch_as_host() (bsc#1224648). - CVE-2024-35956: Fixed qgroup prealloc rsv leak in subvolume operations (bsc#1224674) - CVE-2024-35964: Fixed not validating setsockopt user input (bsc#1224581). - CVE-2024-35969: Fixed race condition between ipv6_get_ifaddr and ipv6_del_addr (bsc#1224580). - CVE-2024-35991: Fixed kABI workaround for struct idxd_evl (bsc#1224553). - CVE-2024-35999: Fixed missing lock when picking channel (bsc#1224550). - CVE-2024-36006: Fixed incorrect list API usage (bsc#1224541). - CVE-2024-36007: Fixed warning during rehash (bsc#1224543). - CVE-2024-36030: Fixed the double free in rvu_npc_freemem() (bsc#1225712) The following non-security bugs were fixed: - 9p: add missing locking around taking dentry fid list (git-fixes) - accel/ivpu: Fix deadlock in context_xa (git-fixes). - ACPI: bus: Indicate support for IRQ ResourceSource thru _OSC (git-fixes). 
- ACPI: bus: Indicate support for _TFP thru _OSC (git-fixes). - ACPI: bus: Indicate support for the Generic Event Device thru _OSC (git-fixes). - ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields() (git-fixes). - ACPI: CPPC: Fix access width used for PCC registers (git-fixes). - ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro (git-fixes). - ACPI: CPPC: Use access_width over bit_width for system memory accesses (stable-fixes). - ACPI: disable -Wstringop-truncation (git-fixes). - ACPI: Fix Generic Initiator Affinity _OSC bit (git-fixes). - ACPI: LPSS: Advertise number of chip selects via property (git-fixes). - ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override (stable-fixes). - ACPI: resource: Do IRQ override on Lunnen Ground laptops (stable-fixes). - ACPI: scan: Do not increase dep_unmet for already met dependencies (git-fixes). - ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7 (bsc#1217750). - ACPI: x86: Move acpi_quirk_skip_serdev_enumeration() out of CONFIG_X86_ANDROID_TABLETS (stable-fixes). - Add alt-commit to a nouveau patch - Add reference to L3 bsc#1225765 in BPF control flow graph and precision backtrack fixes (bsc#1225756) The L3 bsc#1225765 was created separately since our customer requires PTF. - admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET (git-fixes). - ahci: asm1064: asm1166: do not limit reported ports (git-fixes). - ahci: asm1064: correct count of reported ports (stable-fixes). - ALSA: aoa: avoid false-positive format truncation warning (git-fixes). - ALSA: core: Fix NULL module pointer assignment at card init (git-fixes). - ALSA: core: Remove debugfs at disconnection (git-fixes). - ALSA: firewire-lib: handle quirk to calculate payload quadlets as data block counter (stable-fixes). - ALSA: Fix deadlocks with kctl removals at disconnection (stable-fixes). - ALSA: hda: Add Intel BMG PCI ID and HDMI codec vid (stable-fixes). 
- ALSA: hda: clarify Copyright information (stable-fixes). - ALSA: hda: cs35l41: Add support for ASUS ROG 2024 Laptops (stable-fixes). - ALSA: hda: cs35l41: Ignore errors when configuring IRQs (stable-fixes). - ALSA: hda: cs35l41: Remove redundant argument to cs35l41_request_firmware_file() (stable-fixes). - ALSA: hda: cs35l41: Remove Speaker ID for Lenovo Legion slim 7 16ARHA7 (git-fixes). - ALSA: hda: cs35l41: Set the max PCM Gain using tuning setting (stable-fixes). - ALSA: hda: cs35l41: Support HP Omen models without _DSD (stable-fixes). - ALSA: hda: cs35l41: Support Lenovo 13X laptop without _DSD (stable-fixes). - ALSA: hda: cs35l41: Update DSP1RX5/6 Sources for DSP config (stable-fixes). - ALSA: hda: cs35l56: Add ACPI device match tables (git-fixes). - ALSA: hda: cs35l56: Exit cache-only after cs35l56_wait_for_firmware_boot() (stable-fixes). - ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance (git-fixes). - ALSA: hda: cs35l56: Set the init_done flag before component_add() (git-fixes). - ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup (git-fixes). - ALSA: hda: hda_cs_dsp_ctl: Remove notification of driver write (stable-fixes). - ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection (stable-fixes). - ALSA/hda: intel-dsp-config: reduce log verbosity (git-fixes). - ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node() (git-fixes). - ALSA: hda/realtek: Add quirk for HP SnowWhite laptops (stable-fixes). - ALSA: hda/realtek: Add quirk for HP Spectre x360 14 eu0000 (stable-fixes). - ALSA: hda/realtek: Add quirks for ASUS Laptops using CS35L56 (stable-fixes). - ALSA: hda/realtek: Add quirks for HP Omen models using CS35L41 (stable-fixes). - ALSA: hda/realtek: Add quirks for Huawei Matebook D14 NBLB-WAX9N (stable-fixes). - ALSA: hda/realtek: Add quirks for Lenovo 13X (stable-fixes). - ALSA: hda/realtek: Add quirks for some Clevo laptops (stable-fixes). 
- ALSA: hda/realtek: Add sound quirks for Lenovo Legion slim 7 16ARHA7 models (stable-fixes). - ALSA: hda/realtek: Add support for ASUS Zenbook 2024 HN7306W (stable-fixes). - ALSA: hda/realtek: Adjust G814JZR to use SPI init for amp (git-fixes). - ALSA: hda/realtek: cs35l41: Support ASUS ROG G634JYR (stable-fixes). - ALSA: hda/realtek: Drop doubly quirk entry for 103c:8a2e (git-fixes). - ALSA: hda/realtek - Enable audio jacks of Haier Boyue G42 with ALC269VC (stable-fixes). - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 (stable-fixes). - ALSA: hda/realtek: Fix build error without CONFIG_PM (stable-fixes). - ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion models (bsc#1223462). - ALSA: hda/realtek - fixed headset Mic not show (stable-fixes). - ALSA: hda/realtek: Fixes for Asus GU605M and GA403U sound (stable-fixes). - ALSA: hda/realtek - Fix inactive headset mic jack (stable-fixes). - ALSA: hda/realtek: Fix internal speakers for Legion Y9000X 2022 IAH7 (stable-fixes). - ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU (stable-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs do not work for ProBook 440/460 G11 (stable-fixes). - ALSA: hda/realtek: fix the hp playback volume issue for LG machines (stable-fixes). - ALSA: hda/realtek: Fix volumn control of ThinkBook 16P Gen4 (git-fixes). - ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318 (stable-fixes). - ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone (git-fixes). - ALSA: hda/tas2781: add locks to kcontrols (git-fixes). - ALSA: hda/tas2781: Add new vendor_id and subsystem_id to support ThinkPad ICE-1 (stable-fixes). - ALSA: hda/tas2781: correct the register for pow calibrated data (git-fixes). - ALSA: hda/tas2781: remove digital gain kcontrol (git-fixes). - ALSA: line6: Zero-initialize message buffers (stable-fixes). - ALSA: scarlett2: Add Focusrite Clarett+ 2Pre and 4Pre support (stable-fixes). 
- ALSA: scarlett2: Add Focusrite Clarett 2Pre and 4Pre USB support (stable-fixes). - ALSA: scarlett2: Add missing error check to scarlett2_config_save() (git-fixes). - ALSA: scarlett2: Add support for Clarett 8Pre USB (stable-fixes). - ALSA: scarlett2: Default mixer driver to enabled (stable-fixes). - ALSA: scarlett2: Move USB IDs out from device_info struct (stable-fixes). - ALSA: seq: Do not clear bank selection at event -> UMP MIDI2 conversion (git-fixes). - ALSA: seq: Fix incorrect UMP type for system messages (git-fixes). - ALSA: seq: Fix missing bank setup between MIDI1/MIDI2 UMP conversion (git-fixes). - ALSA: seq: Fix yet another spot for system message conversion (git-fixes). - ALSA: seq: ump: Fix conversion from MIDI2 to MIDI1 UMP messages (git-fixes). - ALSA: seq: ump: Fix swapped song position pointer data (git-fixes). - ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs (git-fixes). - ALSA: timer: Set lower bound of start tick time (stable-fixes). - ALSA: ump: Do not accept an invalid UMP protocol number (git-fixes). - ALSA: ump: Do not clear bank selection after sending a program change (git-fixes). - ALSA: ump: Set default protocol when not given explicitly (git-fixes). - ALSA: usb-audio: Add sampling rates support for Mbox3 (stable-fixes). - ALSA: usb-audio: Fix for sampling rates support for Mbox3 (stable-fixes). - amd/amdkfd: sync all devices to wait all processes being evicted (stable-fixes). - amdkfd: use calloc instead of kzalloc to avoid integer overflow (stable-fixes). - arm64: bpf: fix 32bit unconditional bswap (git-fixes). 
- arm64: dts: allwinner: h616: Fix I2C0 pins (git-fixes) - arm64: dts: allwinner: Pine H64: correctly remove reg_gmac_3v3 (git-fixes) - arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells (git-fixes) - arm64: dts: Fix dtc interrupt_provider warnings (git-fixes) - arm64: dts: hi3798cv200: fix the size of GICR (git-fixes) - arm64: dts: imx8qm-ss-dma: fix can lpcg indices (git-fixes) - arm64: dts: imx8-ss-conn: fix usb lpcg indices (git-fixes) - arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order (git-fixes) - arm64: dts: imx8-ss-dma: fix adc lpcg indices (git-fixes) - arm64: dts: imx8-ss-dma: fix can lpcg indices (git-fixes) - arm64: dts: imx8-ss-dma: fix spi lpcg indices (git-fixes) - arm64: dts: imx8-ss-lsio: fix pwm lpcg indices (git-fixes) - arm64: dts: marvell: reorder crypto interrupts on Armada SoCs (git-fixes) - arm64: dts: microchip: sparx5: fix mdio reg (git-fixes) - arm64: dts: rockchip: Add enable-strobe-pulldown to emmc phy on ROCK (git-fixes) - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 (git-fixes) - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for (git-fixes) - arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 (git-fixes) - arm64: dts: rockchip: fix rk3328 hdmi ports node (git-fixes) - arm64: dts: rockchip: fix rk3399 hdmi ports node (git-fixes) - arm64: dts: rockchip: regulator for sd needs to be always on for (git-fixes) - arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro (git-fixes) - arm64: dts: rockchip: set PHY address of MT7531 switch to 0x1f (git-fixes) - arm64/head: Disable MMU at EL2 before clearing HCR_EL2.E2H (git-fixes). - arm64: hibernate: Fix level3 translation fault in swsusp_save() (git-fixes). 
- arm64/ptrace: Use saved floating point state type to determine SVE (git-fixes) - arm64/sve: Lower the maximum allocation for the SVE ptrace regset (git-fixes) - arm64: tegra: Correct Tegra132 I2C alias (git-fixes) - arm64: tegra: Set the correct PHY mode for MGBE (git-fixes) - ARM: 9381/1: kasan: clear stale stack poison (git-fixes). - ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init (git-fixes). - ARM: imx_v6_v7_defconfig: Restore CONFIG_BACKLIGHT_CLASS_DEVICE (git-fixes). - ARM: OMAP2+: fix N810 MMC gpiod table (git-fixes). - ARM: OMAP2+: fix USB regression on Nokia N8x0 (git-fixes). - arm_pmu: acpi: Add a representative platform device for TRBE (bsc#1220587) - arm_pmu: acpi: Refactor arm_spe_acpi_register_device() (bsc#1220587) - ARM: prctl: reject PR_SET_MDWE on pre-ARMv6 (stable-fixes). - ARM: s5pv210: fix pm.c kernel-doc warning (git-fixes). - asm-generic: make sparse happy with odd-sized put_unaligned_*() (stable-fixes). - ASoC: acp: Support microphone from device Acer 315-24p (git-fixes). - ASoC: amd: acp: fix for acp_init function error handling (git-fixes). - ASoC: amd: yc: Add Lenovo ThinkBook 21J0 into DMI quirk table (stable-fixes). - ASoC: amd: yc: Fix non-functional mic on ASUS M7600RE (stable-fixes). - ASoC: amd: yc: Fix non-functional mic on Lenovo 21J2 (stable-fixes). - ASoC: amd: yc: Revert 'Fix non-functional mic on Lenovo 21J2' (stable-fixes). - ASoC: codecs: wsa881x: set clk_stop_mode1 flag (git-fixes). - ASoC: cs35l56: Fix unintended bus access while resetting amp (git-fixes). - ASoC: cs35l56: Prevent overwriting firmware ASP config (git-fixes). - ASoC: da7219-aad: fix usage of device_get_named_child_node() (git-fixes). - ASoC: Intel: avs: Fix ASRC module initialization (git-fixes). - ASoC: Intel: avs: Fix potential integer overflow (git-fixes). - ASoC: Intel: avs: Populate board selection with new I2S entries (stable-fixes). - ASoC: Intel: avs: Set name of control as in topology (git-fixes). 
- ASoC: Intel: avs: ssm4567: Do not ignore route checks (git-fixes). - ASoC: Intel: avs: Test result of avs_get_module_entry() (git-fixes). - ASoC: Intel: bytcr_rt5640: Apply Asus T100TA quirk to Asus T100TAM too (git-fixes). - ASoC: Intel: common: DMI remap for rebranded Intel NUC M15 (LAPRC710) laptops (stable-fixes). - ASoC: Intel: Disable route checks for Skylake boards (git-fixes). - ASoC: kirkwood: Fix potential NULL dereference (git-fixes). - ASoC: mediatek: Assign dummy when codec not specified for a DAI link (git-fixes). - ASoC: mediatek: mt8192: fix register configuration for tdm (git-fixes). - ASoC: meson: axg-card: make links nonatomic (git-fixes). - ASoC: meson: axg-fifo: use FIELD helpers (stable-fixes). - ASoC: meson: axg-fifo: use threaded irq to check periods (git-fixes). - ASoC: meson: axg-tdm-interface: manage formatters in trigger (git-fixes). - ASoC: meson: cards: select SND_DYNAMIC_MINORS (git-fixes). - ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw (git-fixes). - ASoC: rockchip: i2s-tdm: Fix inaccurate sampling rates (git-fixes). - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating (git-fixes). - ASoC: rt5645: Make LattePanda board DMI match more precise (stable-fixes). - ASoC: rt5682-sdw: fix locking sequence (git-fixes). - ASoC: rt711-sdca: fix locking sequence (git-fixes). - ASoC: rt711-sdw: fix locking sequence (git-fixes). - ASoC: rt712-sdca-sdw: fix locking sequence (git-fixes). - ASoC: rt715: add vendor clear control register (git-fixes). - ASoC: rt715-sdca: volume step modification (git-fixes). - ASoC: rt722-sdca: add headset microphone vrefo setting (git-fixes). - ASoC: rt722-sdca: modify channel number to support 4 channels (git-fixes). - ASoC: rt722-sdca-sdw: fix locking sequence (git-fixes). - ASoC: soc-core.c: Skip dummy codec when adding platforms (stable-fixes). - ASoC: SOF: amd: Optimize quirk for Valve Galileo (stable-fixes). 
- ASoC: SOF: Intel: add default firmware library path for LNL (git-fixes). - ASoC: SOF: Intel: hda-dsp: Skip IMR boot on ACE platforms in case of S3 suspend (stable-fixes). - ASoC: SOF: Intel: lnl: Correct rom_status_reg (git-fixes). - ASoC: SOF: Intel: mtl: call dsp dump when boot retry fails (stable-fixes). - ASoC: SOF: Intel: mtl: Correct rom_status_reg (git-fixes). - ASoC: SOF: Intel: mtl: Disable interrupts when firmware boot failed (git-fixes). - ASoC: SOF: Intel: mtl: Implement firmware boot state check (git-fixes). - ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend (stable-fixes). - ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension (git-fixes). - ASoC: tas2552: Add TX path for capturing AUDIO-OUT data (git-fixes). - ASoC: tas2781: Fix a warning reported by robot kernel test (git-fixes). - ASoC: tas2781: Fix wrong loading calibrated data sequence (git-fixes). - ASoC: tas2781: mark dvc_tlv with __maybe_unused (git-fixes). - ASoC: tegra: Fix DSPK 16-bit playback (git-fixes). - ASoC: ti: Convert Pandora ASoC to GPIO descriptors (stable-fixes). - ASoC: ti: davinci-mcasp: Fix race condition during probe (git-fixes). - ASoC: tlv320adc3xxx: Do not strip remove function when driver is builtin (git-fixes). - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value (git-fixes). - ASoC: wm_adsp: Add missing MODULE_DESCRIPTION() (git-fixes). - ASoC: wm_adsp: Fix missing mutex_lock in wm_adsp_write_ctl() (git-fixes). - ata: libata-core: Allow command duration limits detection for ACS-4 drives (git-fixes). - ata: pata_legacy: make legacy_exit() work again (git-fixes). - ata: sata_gemini: Check clk_enable() result (stable-fixes). - ata: sata_mv: Fix PCI device ID table declaration compilation warning (git-fixes). - ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit (git-fixes). - autofs: use wake_up() instead of wake_up_interruptible(() (bsc#1224166). - ax25: Fix netdev refcount issue (git-fixes). 
- ax25: Fix reference count leak issue of net_device (git-fixes). - ax25: Fix reference count leak issues of ax25_dev (git-fixes). - ax25: fix use-after-free bugs caused by ax25_ds_del_timer (git-fixes). - batman-adv: Avoid infinite loop trying to resize local TT (git-fixes). - bitops: add missing prototype check (git-fixes). - blk-cgroup: fix list corruption from reorder of WRITE ->lqueued (bsc#1225605). - blk-cgroup: fix list corruption from resetting io stat (bsc#1225605). - block: fix q->blkg_list corruption during disk rebind (bsc#1223591). - Bluetooth: Add new quirk for broken read key length on ATS2851 (stable-fixes). - Bluetooth: add quirk for broken address properties (git-fixes). - Bluetooth: btintel: Fixe build regression (git-fixes). - Bluetooth: btintel: Fix null ptr deref in btintel_read_version (stable-fixes). - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 (stable-fixes). - Bluetooth: btusb: Fix triggering coredump implementation for QCA (git-fixes). - Bluetooth: Fix memory leak in hci_req_sync_complete() (git-fixes). - Bluetooth: Fix TOCTOU in HCI debugfs implementation (git-fixes). - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() (stable-fixes). - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout (git-fixes). - Bluetooth: hci_core: Cancel request on command timeout (stable-fixes). - Bluetooth: hci_event: Fix sending HCI_OP_READ_ENC_KEY_SIZE (git-fixes). - Bluetooth: hci_event: set the conn encrypted before conn establishes (stable-fixes). - Bluetooth: HCI: Fix potential null-ptr-deref (git-fixes). - Bluetooth: hci_sock: Fix not validating setsockopt user input (git-fixes). - Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync (git-fixes). - Bluetooth: hci_sync: Fix using the same interval and window for Coded PHY (git-fixes). - Bluetooth: hci_sync: Use QoS to determine which PHY to scan (stable-fixes). 
- Bluetooth: ISO: Align broadcast sync_timeout with connection timeout (stable-fixes). - Bluetooth: ISO: Do not reject BT_ISO_QOS if parameters are unset (git-fixes). - Bluetooth: l2cap: Do not double set the HCI_CONN_MGMT_CONNECTED bit (git-fixes). - Bluetooth: L2CAP: Fix not validating setsockopt user input (git-fixes). - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout (git-fixes). - Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() (git-fixes). - Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID (bsc#1221504). - Bluetooth: mgmt: Fix limited discoverable off timeout (stable-fixes). - Bluetooth: msft: fix slab-use-after-free in msft_do_close() (git-fixes). - Bluetooth: qca: add missing firmware sanity checks (git-fixes). - Bluetooth: qca: fix device-address endianness (git-fixes). - Bluetooth: qca: Fix error code in qca_read_fw_build_info() (git-fixes). - Bluetooth: qca: fix firmware check error path (git-fixes). - Bluetooth: qca: fix info leak when fetching fw build id (git-fixes). - Bluetooth: qca: fix NULL-deref on non-serdev setup (git-fixes). - Bluetooth: qca: fix NULL-deref on non-serdev suspend (git-fixes). - Bluetooth: qca: fix NVM configuration parsing (git-fixes). - Bluetooth: RFCOMM: Fix not validating setsockopt user input (git-fixes). - Bluetooth: SCO: Fix not validating setsockopt user input (git-fixes). - bnx2x: Fix firmware version string character counts (git-fixes). - bnxt_en: Fix error recovery for RoCE ulp client (git-fixes). - bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() (git-fixes). - bnxt_en: Reset PTP tx_avail after possible firmware reset (git-fixes). - bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (git-fixes) - bootconfig: Fix the kerneldoc of _xbc_exit() (git-fixes). - bootconfig: use memblock_free_late to free xbc memory to buddy (git-fixes). - bootmem: use kmemleak_free_part_phys in free_bootmem_page (git-fixes). 
- bootmem: use kmemleak_free_part_phys in put_page_bootmem (git-fixes). - bpf, arm64: fix bug in BPF_LDX_MEMSX (git-fixes) - bpf, arm64: Fix incorrect runtime stats (git-fixes) - bpf: fix precision backtracking instruction iteration (bsc#1225756). - bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END (git-fixes). - bpf: handle ldimm64 properly in check_cfg() (bsc#1225756). - bpf, scripts: Correct GPL license name (git-fixes). - btrfs: add a helper to read the superblock metadata_uuid (git-fixes) - btrfs: add and use helper to check if block group is used (bsc#1220120). - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (git-fixes) - btrfs: add new unused block groups to the list of unused block groups (bsc#1220120). - btrfs: allow to run delayed refs by bytes to be released instead of count (bsc#1220120). - btrfs: always print transaction aborted messages with an error level (git-fixes) - btrfs: always reserve space for delayed refs when starting transaction (bsc#1220120). - btrfs: assert correct lock is held at btrfs_select_ref_head() (bsc#1220120). - btrfs: assert delayed node locked when removing delayed item (git-fixes) - btrfs: avoid starting and committing empty transaction when flushing space (bsc#1220120). - btrfs: avoid starting new transaction when flushing delayed items and refs (bsc#1220120). - btrfs: check for BTRFS_FS_ERROR in pending ordered assert (git-fixes) - btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super (git-fixes) - btrfs: defrag: avoid unnecessary defrag caused by incorrect extent size (git-fixes) - btrfs: defrag: reject unknown flags of btrfs_ioctl_defrag_range_args (git-fixes) - btrfs: do not allow non subvolume root targets for snapshot (git-fixes) - btrfs: do not arbitrarily slow down delalloc if we're committing (git-fixes) - btrfs: do not delete unused block group if it may be used soon (bsc#1220120). 
- btrfs: do not refill whole delayed refs block reserve when starting transaction (bsc#1220120). - btrfs: do not start transaction when joining with TRANS_JOIN_NOSTART (git-fixes) - btrfs: do not steal space from global rsv after a transaction abort (bsc#1220120). - btrfs: do not warn if discard range is not aligned to sector (git-fixes) - btrfs: ensure fiemap does not race with writes when FIEMAP_FLAG_SYNC is given (bsc#1223285). - btrfs: error out when COWing block using a stale transaction (git-fixes) - btrfs: error out when reallocating block for defrag using a stale transaction (git-fixes) - btrfs: error when COWing block from a root that is being deleted (git-fixes) - btrfs: export: handle invalid inode or root reference in btrfs_get_parent() (git-fixes) - btrfs: fail priority metadata ticket with real fs error (bsc#1220120). - btrfs: file_remove_privs needs an exclusive lock in direct io write (git-fixes) - btrfs: fix 64bit compat send ioctl arguments not initializing version member (git-fixes) - btrfs: fix deadlock with fiemap and extent locking (bsc#1223285). - btrfs: fix information leak in btrfs_ioctl_logical_to_ino() (git-fixes) - btrfs: fix kvcalloc() arguments order in btrfs_ioctl_send() (git-fixes) - btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes) - btrfs: fix off-by-one chunk length calculation at contains_pending_extent() (git-fixes) - btrfs: fix off-by-one when checking chunk map includes logical address (git-fixes) - btrfs: fix race between ordered extent completion and fiemap (bsc#1223285). - btrfs: fix race when detecting delalloc ranges during fiemap (bsc#1223285). - btrfs: fix race when refilling delayed refs block reserve (git-fixes) - btrfs: fix start transaction qgroup rsv double free (git-fixes) - btrfs: fix stripe length calculation for non-zoned data chunk allocation (bsc#1217489). 
- btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() (git-fixes) Dropped hunk in selftests (test_case_7), 92e1229b204d6. - btrfs: free qgroup rsv on io failure (git-fixes) - btrfs: free the allocated memory if btrfs_alloc_page_array() fails (git-fixes) - btrfs: get rid of label and goto at insert_delayed_ref() (bsc#1220120). - btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (git-fixes) - btrfs: handle errors properly in update_inline_extent_backref() (git-fixes) - btrfs: initialize key where it's used when running delayed data ref (bsc#1220120). - btrfs: log message if extent item not found when running delayed extent op (bsc#1220120). - btrfs: make btrfs_cleanup_fs_roots() static (bsc#1220120). - btrfs: make btrfs_destroy_delayed_refs() return void (bsc#1220120). - btrfs: make btrfs_destroy_marked_extents() return void (bsc#1220120). - btrfs: make btrfs_destroy_pinned_extent() return void (bsc#1220120). - btrfs: make error messages more clear when getting a chunk map (git-fixes) - btrfs: make find_first_extent_bit() return a boolean (bsc#1220120). - btrfs: make find_free_dev_extent() static (bsc#1220120). - btrfs: make insert_delayed_ref() return a bool instead of an int (bsc#1220120). - btrfs: merge find_free_dev_extent() and find_free_dev_extent_start() (bsc#1220120). - btrfs: move btrfs_free_excluded_extents() into block-group.c (bsc#1220120). - btrfs: open code trivial btrfs_add_excluded_extent() (bsc#1220120). - btrfs: output extra debug info if we failed to find an inline backref (git-fixes) - btrfs: pass a space_info argument to btrfs_reserve_metadata_bytes() (bsc#1220120). - btrfs: prevent transaction block reserve underflow when starting transaction (git-fixes) - btrfs: print available space across all block groups when dumping space info (bsc#1220120). - btrfs: print available space for a block group when dumping a space info (bsc#1220120). 
- btrfs: print block group super and delalloc bytes when dumping space info (bsc#1220120). - btrfs: print target number of bytes when dumping free space (bsc#1220120). - btrfs: qgroup: always free reserved space for extent records (bsc#1216196). - btrfs: qgroup: convert PREALLOC to PERTRANS after record_root_in_trans (git-fixes) - btrfs: record delayed inode root in transaction (git-fixes) - btrfs: reject encoded write if inode has nodatasum flag set (git-fixes) - btrfs: release path before inode lookup during the ino lookup ioctl (git-fixes) - btrfs: remove pointless initialization at btrfs_delayed_refs_rsv_release() (bsc#1220120). - btrfs: remove pointless in_tree field from struct btrfs_delayed_ref_node (bsc#1220120). - btrfs: remove pointless 'ref_root' variable from run_delayed_data_ref() (bsc#1220120). - btrfs: remove redundant BUG_ON() from __btrfs_inc_extent_ref() (bsc#1220120). - btrfs: remove refs_to_add argument from __btrfs_inc_extent_ref() (bsc#1220120). - btrfs: remove refs_to_drop argument from __btrfs_free_extent() (bsc#1220120). - btrfs: remove the refcount warning/check at btrfs_put_delayed_ref() (bsc#1220120). - btrfs: remove unnecessary logic when running new delayed references (bsc#1220120). - btrfs: remove unnecessary prototype declarations at disk-io.c (bsc#1220120). - btrfs: remove unused is_head field from struct btrfs_delayed_ref_node (bsc#1220120). - btrfs: rename add_new_free_space() to btrfs_add_new_free_space() (bsc#1220120). - btrfs: reorder some members of struct btrfs_delayed_ref_head (bsc#1220120). - btrfs: reserve space for delayed refs on a per ref basis (bsc#1220120). - btrfs: reset destination buffer when read_extent_buffer() gets invalid range (git-fixes) - btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 (git-fixes) - btrfs: return -EUCLEAN if extent item is missing when searching inline backref (bsc#1220120). 
- btrfs: return real error when orphan cleanup fails due to a transaction abort (bsc#1220120). - btrfs: send: do not issue unnecessary zero writes for trailing hole (bsc#1222459). - btrfs: send: ensure send_fd is writable (git-fixes) - btrfs: send: handle path ref underflow in header iterate_inode_ref() (git-fixes) - btrfs: send: return EOPNOTSUPP on unknown flags (git-fixes) - btrfs: set page extent mapped after read_folio in relocate_one_page (git-fixes) - btrfs: simplify check for extent item overrun at lookup_inline_extent_backref() (bsc#1220120). - btrfs: stop doing excessive space reservation for csum deletion (bsc#1220120). - btrfs: store the error that turned the fs into error state (bsc#1220120). - btrfs: sysfs: validate scrub_speed_max value (git-fixes) - btrfs: tree-checker: fix inline ref size in error messages (git-fixes) - btrfs: update comment for btrfs_join_transaction_nostart() (bsc#1220120). - btrfs: update documentation for add_new_free_space() (bsc#1220120). - btrfs: use a bool to track qgroup record insertion when adding ref head (bsc#1220120). - btrfs: use a single switch statement when initializing delayed ref head (bsc#1220120). - btrfs: use a single variable for return value at lookup_inline_extent_backref() (bsc#1220120). - btrfs: use a single variable for return value at run_delayed_extent_op() (bsc#1220120). - btrfs: use bool type for delayed ref head fields that are used as booleans (bsc#1220120). - btrfs: use the correct superblock to compare fsid in btrfs_validate_super (git-fixes) - btrfs: use u64 for buffer sizes in the tree search ioctls (git-fixes) - btrfs: zoned: do not skip block groups with 100% zone unusable (bsc#1220120). - bus: mhi: ep: check the correct variable in mhi_ep_register_controller() (git-fixes). - ceph: redirty page before returning AOP_WRITEPAGE_ACTIVATE (bsc#1224866). - ceph: stop copying to iter at EOF on sync reads (bsc#1222606). - certs: Add ECDSA signature verification self-test (bsc#1222777). 
- certs: Move RSA self-test data to separate file (bsc#1222777). - cifs: account for primary channel in the interface list (bsc#1225172). - cifs: cifs_chan_is_iface_active should be called with chan_lock held (bsc#1225172). - cifs: distribute channels across interfaces based on speed (bsc#1225172). ++ kernel-source.spec (revision 4) %define git_commit 596cd3fdbd0fb5902e80279485ad8596f4e82397 Release: <RELEASE>.g596cd3f - cifs: do not pass cifs_sb when trying to add channels (bsc#1225172). - cifs: Do not use certain unnecessary folio_*() functions (bsc#1225172). - cifs: failure to add channel on iface should bump up weight (git-fixes, bsc#1225172). - cifs: fix charset issue in reconnection (bsc#1225172). - cifs: fix leak of iface for primary channel (git-fixes, bsc#1225172). - cifs: handle cases where a channel is closed (bsc#1225172). - cifs: handle cases where multiple sessions share connection (bsc#1225172). - cifs: reconnect work should have reference on server struct (bsc#1225172). - clk: Do not hold prepare_lock when calling kref_put() (stable-fixes). - clk: Get runtime PM before walking tree during disable_unused (git-fixes). - clk: Get runtime PM before walking tree for clk_summary (git-fixes). - clk: Initialize struct clk_core kref earlier (stable-fixes). - clk: mediatek: Do a runtime PM get on controllers during probe (git-fixes). - clk: mediatek: mt8365-mm: fix DPI0 parent (git-fixes). - clk: mediatek: pllfh: Do not log error for missing fhctl node (git-fixes). - clk: qcom: clk-alpha-pll: fix rate setting for Stromer PLLs (git-fixes). - clk: qcom: clk-alpha-pll: remove invalid Stromer register offset (git-fixes). - clk: qcom: dispcc-sm6350: fix DisplayPort clocks (git-fixes). - clk: qcom: dispcc-sm8450: fix DisplayPort clocks (git-fixes). - clk: qcom: dispcc-sm8550: fix DisplayPort clocks (git-fixes). - clk: qcom: mmcc-msm8998: fix venus clock issue (git-fixes). - clk: qcom: reset: Commonize the de/assert functions (stable-fixes).
- clk: qcom: reset: Ensure write completion on reset de/assertion (git-fixes). - clk: Remove prepare_lock hold assertion in __clk_release() (git-fixes). - clk: renesas: r8a779a0: Fix CANFD parent clock (git-fixes). - clk: renesas: r9a07g043: Add clock and reset entry for PLIC (git-fixes). - clk: rs9: fix wrong default value for clock amplitude (git-fixes). - clk: samsung: exynosautov9: fix wrong pll clock id value (git-fixes). - clk: Show active consumers of clocks in debugfs (stable-fixes). - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change (git-fixes). - clocksource/drivers/arm_global_timer: Fix maximum prescaler value (git-fixes). - clocksource/drivers/imx: Fix -Wunused-but-set-variable warning (git-fixes). - comedi: vmk80xx: fix incomplete endpoint checking (git-fixes). - coresight: trbe: Add a representative coresight_platform_data for (bsc#1220587) - coresight: trbe: Allocate platform data per device (bsc#1220587) - coresight: trbe: Enable ACPI based TRBE devices (bsc#1220587) - counter: linux/counter.h: fix Excess kernel-doc description warning (git-fixes). - cppc_cpufreq: Fix possible null pointer dereference (git-fixes). - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations (git-fixes). - cpufreq: exit() callback is optional (git-fixes). - cpumask: Add for_each_cpu_from() (bsc#1225053). - crypto: bcm - Fix pointer arithmetic (git-fixes). - crypto: ccp - Add support for PCI device 0x156E (bsc#1223338). - crypto: ccp - Add support for PCI device 0x17E0 (bsc#1223338). - crypto: ccp - drop platform ifdef checks (git-fixes). - crypto: ecc - update ecc_gen_privkey for FIPS 186-5 (bsc#1222782). - crypto: ecdsa - Fix module auto-load on add-key (git-fixes). - crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init (git-fixes). - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak (git-fixes). - crypto: qat - fix ring to service map for dcc in 4xxx (git-fixes). 
- crypto: qat - improve error logging to be consistent across features (git-fixes). - crypto: qat - relocate and rename get_service_enabled() (stable-fixes). - crypto: qat - specify firmware files for 402xx (git-fixes). - crypto: rsa - add a check for allocation failure (bsc#1222775). - crypto: rsa - allow only odd e and restrict value in FIPS mode (bsc#1222775). - crypto: testmgr - remove unused xts4096 and xts512 algorithms from testmgr.c (bsc#1222769). - crypto: x86/nh-avx2 - add missing vzeroupper (git-fixes). - crypto: x86/sha256-avx2 - add missing vzeroupper (git-fixes). - crypto: x86/sha512-avx2 - add missing vzeroupper (git-fixes). - cxl/acpi: Fix load failures due to single window creation failure (git-fixes). - cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window (git-fixes). - cxl/trace: Properly initialize cxl_poison region name (git-fixes). - dax: alloc_dax() return ERR_PTR(-EOPNOTSUPP) for CONFIG_DAX=n (jsc#PED-5853). - dax/bus.c: replace driver-core lock usage by a local rwsem (jsc#PED-5853). - dax/bus.c: replace several sprintf() with sysfs_emit() (jsc#PED-5853). - device-dax: make dax_bus_type const (jsc#PED-5853). - dlm: fix user space lkb refcounting (git-fixes). - dma-buf: Fix NULL pointer dereference in sanitycheck() (git-fixes). - dma-buf/sw-sync: do not enable IRQ from sync_print_obj() (git-fixes). - dmaengine: axi-dmac: fix possible race in remove() (git-fixes). - dmaengine: idma64: Add check for dma_set_max_seg_size (git-fixes). - dmaengine: idxd: Avoid unnecessary destruction of file_ida (git-fixes). - dmaengine: idxd: Fix oops during rmmod on single-CPU platforms (git-fixes). - dmaengine: owl: fix register access functions (git-fixes). - dmaengine: tegra186: Fix residual calculation (git-fixes). - dma-mapping: benchmark: fix node id validation (git-fixes). - dma-mapping: benchmark: handle NUMA_NO_NODE correctly (git-fixes). 
- dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11 users (git-fixes). - dma: xilinx_dpdma: Fix locking (git-fixes). - dm crypt: remove redundant state settings after waking up (jsc#PED-7542). - dm-integrity: set max_integrity_segments in dm_integrity_io_hints (jsc#PED-7542). - dm-multipath: dont't attempt SG_IO on non-SCSI-disks (bsc#1223575). - dm-raid: add a new helper prepare_suspend() in md_personality (jsc#PED-7542). - dm-raid: really frozen sync_thread during suspend (jsc#PED-7542). - dm thin: add braces around conditional code that spans lines (jsc#PED-7542). - dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list (jsc#PED-7542). - dm verity: set DM_TARGET_SINGLETON feature flag (jsc#PED-7542). - Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching sysfs file (git-fixes). - docs: kernel_include.py: Cope with docutils 0.21 (stable-fixes). - docs: netdev: Fix typo in Signed-off-by tag (git-fixes). - docs: Restore 'smart quotes' for quotes (stable-fixes). - driver core: Introduce device_link_wait_removal() (stable-fixes). - drivers/nvme: Add quirks for device 126f:2262 (git-fixes). - drm: add drm_gem_object_is_shared_for_memory_stats() helper (stable-fixes). - drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init() (stable-fixes). - drm/amd/display: Add dml2 copy functions (stable-fixes). - drm/amd/display: Allow dirty rects to be sent to dmub when abm is active (stable-fixes). - drm/amd/display: Atom Integrated System Info v2_2 for DCN35 (stable-fixes). - drm/amd/display: Change default size for dummy plane in DML2 (stable-fixes). - drm/amd/display: Do not recursively call manual trigger programming (stable-fixes). - drm/amd/display: Enable colorspace property for MST connectors (git-fixes). - drm/amd/display: Fix bounds check for dcn35 DcfClocks (git-fixes). - drm/amd/display: fix disable otg wa logic in DCN316 (stable-fixes). 
- drm/amd/display: Fix division by zero in setup_dsc_config (stable-fixes). - drm/amd/display: Fix idle check for shared firmware state (stable-fixes). - drm/amd/display: Fix incorrect DSC instance for MST (stable-fixes). - drm/amd/display: fix input states translation error for dcn35 & dcn351 (stable-fixes). - drm/amd/display: Fix nanosec stat overflow (stable-fixes). - drm/amd/display: Fix noise issue on HDMI AV mute (stable-fixes). - drm/amd/display: Fix potential index out of bounds in color transformation function (git-fixes). - drm/amd/display: handle range offsets in VRR ranges (stable-fixes). - drm/amd/display: Handle Y carry-over in VCP X.Y calculation (stable-fixes). - drm/amd/display: Init DPPCLK from SMU on dcn32 (stable-fixes). - drm/amd/display: Override min required DCFCLK in dml1_validate (stable-fixes). - drm/amd/display: Prevent crash when disable stream (stable-fixes). - drm/amd/display: Program VSC SDP colorimetry for all DP sinks >= 1.4 (stable-fixes). - drm/amd/display: Remove MPC rate control logic from DCN30 and above (stable-fixes). - drm/amd/display: Remove redundant condition in dcn35_calc_blocks_to_gate() (git-fixes). - drm/amd/display: Return the correct HDCP error code (stable-fixes). - drm/amd/display: Set DCN351 BB and IP the same as DCN35 (stable-fixes). - drm/amd/display: Set VSC SDP Colorimetry same way for MST and SST (stable-fixes). - drm/amd/display: Use freesync when `DRM_EDID_FEATURE_CONTINUOUS_FREQ` found (stable-fixes). - drm/amd: Flush GFXOFF requests in prepare stage (git-fixes). - drm/amdgpu: always force full reset for SOC21 (stable-fixes). - drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag (stable-fixes). - drm/amdgpu: Assign correct bits for SDMA HDP flush (stable-fixes). - drm/amdgpu/display: Address kdoc for 'is_psr_su' in 'fill_dc_dirty_rects' (git-fixes). - drm/amdgpu: drop setting buffer funcs in sdma442 (git-fixes). - drm/amdgpu: Fix comparison in amdgpu_res_cpu_visible (git-fixes). 
- drm/amdgpu: fix deadlock while reading mqd from debugfs (git-fixes). - drm/amdgpu: fix doorbell regression (git-fixes). - drm/amdgpu: fix incorrect number of active RBs for gfx11 (stable-fixes). - drm/amdgpu: Fix leak when GPU memory allocation fails (stable-fixes). - drm/amdgpu: fix mmhub client id out-of-bounds access (git-fixes). - drm/amdgpu: fix use-after-free bug (stable-fixes). - drm/amdgpu: Fix VCN allocation in CPX partition (stable-fixes). - drm/amdgpu: fix visible VRAM handling during faults (git-fixes). - drm/amdgpu: implement IRQ_STATE_ENABLE for SDMA v4.4.2 (stable-fixes). - drm/amdgpu: make damage clips support configurable (stable-fixes). - drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2 (git-fixes). - drm/amdgpu/pm: Check the validity of overdiver power limit (git-fixes). - drm/amdgpu/pm: Fix NULL pointer dereference when get power limit (git-fixes). - drm/amdgpu/pm: Fix the error of pwm1_enable setting (stable-fixes). - drm/amdgpu: Refine IB schedule error logging (stable-fixes). - drm/amdgpu: remove invalid resource->start check v2 (git-fixes). - drm/amdgpu: Reset dGPU if suspend got aborted (stable-fixes). - drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 (stable-fixes). - drm/amdgpu: validate the parameters of bo mapping operations more clearly (git-fixes). - drm/amdkfd: Check cgroup when returning DMABuf info (stable-fixes). - drm/amdkfd: do not allow mapping the MMIO HDP page with large pages (git-fixes). - drm/amdkfd: Fix memory leak in create_process failure (git-fixes). - drm/amdkfd: fix TLB flush after unmap for GFX9.4.2 (stable-fixes). - drm/amdkfd: range check cp bad op exception interrupts (stable-fixes). - drm/amdkfd: Reset GPU on queue preemption failure (stable-fixes). - drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11 (stable-fixes). - drm/amd/swsmu: modify the gfx activity scaling (stable-fixes). - drm/arm/malidp: fix a possible null pointer dereference (git-fixes). 
- drm/ast: Fix soft lockup (git-fixes). - drm/bridge: anx7625: Do not log an error when DSI host can't be found (git-fixes). - drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference (git-fixes). - drm/bridge: dpc3433: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: Fix improper bridge init order with pre_enable_prev_first (git-fixes). - drm/bridge: icn6211: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: lt8912b: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: lt9611: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: lt9611uxc: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: tc358775: Do not log an error when DSI host can't be found (git-fixes). - drm/bridge: tc358775: fix support for jeida-18 and jeida-24 (git-fixes). - drm/buddy: check range allocation matches alignment (stable-fixes). - drm: Check output polling initialized before disabling (stable-fixes). - drm: Check polling initialized before enabling in drm_helper_probe_single_connector_modes (stable-fixes). - drm/client: Fully protect modes[] with dev->mode_config.mutex (stable-fixes). - drm/connector: Add \n to message about demoting connector force-probes (git-fixes). - drm/display: fix typo (git-fixes). - drm/exynos: do not return negative values from .get_modes() (stable-fixes). - drm/fbdev-generic: Do not set physical framebuffer address (git-fixes). - drm: Fix drm_fixp2int_round() making it add 0.5 (git-fixes). - drm/gma500: Remove lid code (git-fixes). - drm/i915/audio: Fix audio time stamp programming for DP (stable-fixes). - drm/i915/bios: Fix parsing backlight BDB data (git-fixes). - drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode() (stable-fixes). - drm/i915/cdclk: Fix CDCLK programming order when pipes are active (git-fixes). - drm/i915: Disable live M/N updates when using bigjoiner (stable-fixes). 
- drm/i915: Disable port sync when bigjoiner is used (stable-fixes). - drm/i915/display: Use i915_gem_object_get_dma_address to get dma address (stable-fixes). - drm/i915: Do not match JSL in ehl_combo_pll_div_frac_wa_needed() (git-fixes). - drm/i915/dp: Fix the computation for compressed_bpp for DISPLAY < 13 (git-fixes). - drm/i915/dp: Remove support for UHBR13.5 (git-fixes). - drm/i915/dpt: Make DPT object unshrinkable (git-fixes). - drm/i915/dsb: Fix DSB vblank waits when using VRR (git-fixes). - drm/i915/dsi: Go back to the previous INIT_OTP/DISPLAY_ON order, mostly (git-fixes). - drm/i915: Fix audio component initialization (git-fixes). - drm/i915/gt: Automate CCS Mode setting during engine resets (git-fixes). - drm/i915/gt: Disable HW load balancing for CCS (git-fixes). - drm/i915/gt: Disarm breadcrumbs if engines are already idle (git-fixes). - drm/i915/gt: Do not generate the command streamer for all the CCS (git-fixes). - drm/i915/gt: Enable only one CCS for compute workload (git-fixes). - drm/i915/gt: Fix CCS id's calculation for CCS mode setting (git-fixes). - drm/i915/gt: Reset queue_priority_hint on parking (git-fixes). - drm/i915/guc: avoid FIELD_PREP warning (git-fixes). - drm/i915/hwmon: Fix locking inversion in sysfs getter (git-fixes). - drm/i915: Include the PLL name in the debug messages (stable-fixes). - drm/i915/lspcon: Separate function to set expected mode (bsc#1193599). - drm/i915/lspcon: Separate lspcon probe and lspcon init (bsc#1193599). - drm/i915/mst: Limit MST+DSC to TGL+ (git-fixes). - drm/i915/mst: Reject FEC+MST on ICL (git-fixes). - drm/i915: Pre-populate the cursor physical dma address (git-fixes). - drm/i915: Replace a memset() with zero initialization (stable-fixes). - drm/i915: Stop printing pipe name as hex (stable-fixes). - drm/i915: Suppress old PLL pipe_mask checks for MG/TC/TBT PLLs (stable-fixes). - drm/i915: Try to preserve the current shared_dpll for fastset on type-c ports (stable-fixes). 
- drm/i915: Use named initializers for DPLL info (stable-fixes). - drm/i915/vrr: Disable VRR when using bigjoiner (stable-fixes). - drm/i915/vrr: Generate VRR 'safe window' for DSB (git-fixes). - drm/imx/ipuv3: do not return negative values from .get_modes() (stable-fixes). - drm/lcdif: Do not disable clocks on already suspended hardware (git-fixes). - drm/mediatek: Add 0 size check to mtk_drm_gem_obj (git-fixes). - drm/mediatek: dp: Fix mtk_dp_aux_transfer return value (git-fixes). - drm/mediatek: Init `ddp_comp` with devm_kcalloc() (git-fixes). - drm/meson: dw-hdmi: add bandgap setting for g12 (git-fixes). - drm/meson: dw-hdmi: power up phy on device init (git-fixes). - drm/meson: gate px_clk when setting rate (git-fixes). - drm/meson: vclk: fix calculation of 59.94 fractional rates (git-fixes). - drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails (git-fixes). - drm/msm: Add newlines to some debug prints (git-fixes). - drm/msm/adreno: fix CP cycles stat retrieval on a7xx (git-fixes). - drm/msm/dp: allow voltage swing / pre emphasis of 3 (git-fixes). - drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected (git-fixes). - drm/msm/dp: fix typo in dp_display_handle_port_status_changed() (git-fixes). - drm/msm/dpu: Add callback function pointer check before its call (git-fixes). - drm/msm/dpu: Allow configuring multiple active DSC blocks (git-fixes). - drm/msm/dpu: Always flush the slave INTF on the CTL (git-fixes). - drm/msm/dpu: do not allow overriding data from catalog (git-fixes). - drm/msm/dpu: make error messages at dpu_core_irq_register_callback() more sensible (git-fixes). - drm/msm/dpu: use devres-managed allocation for MDP TOP (stable-fixes). - drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk (git-fixes). - drm/nouveau/disp: Fix missing backlight control on Macbook 5, 1 (bsc#1223838). - drm/nouveau/dp: Do not probe eDP ports twice harder (stable-fixes). 
- drm/nouveau/dp: Fix incorrect return code in r535_dp_aux_xfer() (git-fixes). - drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor() (stable-fixes). - drm/nouveau: use tile_mode and pte_kind for VM_BIND bo allocations (git-fixes). - drm: nv04: Fix out of bounds access (git-fixes). - drm/omapdrm: Fix console by implementing fb_dirty (git-fixes). - drm/panel: do not return negative error codes from drm_panel_get_modes() (stable-fixes). - drm/panel: ili9341: Respect deferred probe (git-fixes). - drm/panel: ili9341: Use predefined error codes (git-fixes). - drm/panel: ltk050h3146w: add MIPI_DSI_MODE_VIDEO to LTK050H3148W flags (git-fixes). - drm/panel: ltk050h3146w: drop duplicate commands from LTK050H3148W init (git-fixes). - drm/panel: novatek-nt35950: Do not log an error when DSI host can't be found (git-fixes). - drm: panel-orientation-quirks: Add quirk for GPD Win Mini (stable-fixes). - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector (git-fixes). - drm/panel: sitronix-st7789v: fix display size for jt240mhqs_hwt_ek_e3 panel (git-fixes). - drm/panel: sitronix-st7789v: fix timing for jt240mhqs_hwt_ek_e3 panel (git-fixes). - drm/panel: sitronix-st7789v: tweak timing for jt240mhqs_hwt_ek_e3 panel (git-fixes). - drm/panel: visionox-rm69299: do not unregister DSI device (git-fixes). - drm/panfrost: fix power transition timeout warnings (git-fixes). - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() (git-fixes). - drm/prime: Unbreak virtgpu dma-buf export (git-fixes). - drm/probe-helper: warn about negative .get_modes() (stable-fixes). - drm/qxl: remove unused `count` variable from `qxl_surface_id_alloc()` (git-fixes). - drm/qxl: remove unused variable from `qxl_process_single_command()` (git-fixes). - drm/radeon: make -fstrict-flex-arrays=3 happy (git-fixes). - drm/radeon: silence UBSAN warning (v3) (stable-fixes). - drm/rockchip: vop2: Do not divide height twice for YUV (git-fixes). 
- drm/rockchip: vop2: Remove AR30 and AB30 format support (git-fixes). - drm/sched: fix null-ptr-deref in init entity (git-fixes). - drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) (git-fixes). - drm/ttm: return ENOSPC from ttm_bo_mem_space v3 (stable-fixes). - drm/ttm: stop pooling cached NUMA pages v2 (git-fixes). - drm/vc4: do not check if plane->state->fb == state->fb (stable-fixes). - drm: vc4: Fix possible null pointer dereference (git-fixes). - drm/vc4: hdmi: do not return negative values from .get_modes() (stable-fixes). - drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed (git-fixes). - drm/vmwgfx: Enable DMA mappings with SEV (git-fixes). - drm/vmwgfx: Fix crtc's atomic check conditional (git-fixes). - drm/vmwgfx: Fix invalid reads in fence signaled events (git-fixes). - drm/vmwgfx: Fix Legacy Display Unit (git-fixes). - drm/vmwgfx: Fix prime import/export (git-fixes). - drm/vmwgfx: Sort primary plane formats by order of preference (git-fixes). - drm: zynqmp_dpsub: Always register bridge (git-fixes). - dt-bindings: clock: qcom: Add missing UFS QREF clocks (git-fixes) - dump_stack: Do not get cpu_sync for panic CPU (bsc#1225607). - dyndbg: fix old BUG_ON in >control parser (stable-fixes). - e1000e: Minor flow correction in e1000_shutdown function (git-fixes). - e1000e: move force SMBUS from enable ulp function to avoid PHY loss issue (git-fixes). - e1000e: Workaround for sporadic MDI error on Meteor Lake systems (git-fixes). - ecryptfs: Fix buffer size for tag 66 packet (git-fixes) - ecryptfs: Reject casefold directory inodes (git-fixes) - EDAC/synopsys: Fix ECC status and IRQ control race condition (git-fixes). - Edit 'amdkfd: use calloc instead of kzalloc to avoid integer overflow' Reference CVE and bug numbers. - efi: disable mirror feature during crashkernel (stable-fixes). - efi: fix panic in kdump kernel (git-fixes). - efi: libstub: only free priv.runtime_map when allocated (git-fixes). 
- efi/unaccepted: do not let /proc/vmcore try to access unaccepted memory (git-fixes). - efi/unaccepted: touch soft lockup during memory accept (git-fixes). - Enable CONFIG_FIPS_SIGNATURE_SELFTEST (bsc#1222771) - Enable new CONFIG_FIPS_SIGNATURE_SELFTEST_ECDSA. - Enable new CONFIG_FIPS_SIGNATURE_SELFTEST_RSA. - extcon: max8997: select IRQ_DOMAIN instead of depending on it (git-fixes). - fast_dput(): handle underflows gracefully (git-fixes) - fat: fix uninitialized field in nostale filehandles (git-fixes) - fbdev: fix incorrect address computation in deferred IO (git-fixes). - fbdev: savage: Handle err return when savagefb_check_var failed (git-fixes). - fbdev: sh7760fb: allow modular build (git-fixes). - fbdev: shmobile: fix snprintf truncation (git-fixes). - fbdev: sisfb: hide unused variables (git-fixes). - fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 (stable-fixes). - fbmon: prevent division by zero in fb_videomode_from_videomode() (stable-fixes). - firewire: core: use long bus reset on gap count error (stable-fixes). - firewire: ohci: mask bus reset interrupts between ISR and bottom half (stable-fixes). - firmware: arm_scmi: Make raw debugfs entries non-seekable (git-fixes). - firmware: dmi-id: add a release callback function (git-fixes). - firmware: raspberrypi: Use correct device for DMA mappings (git-fixes). - firmware: tegra: bpmp: Return directly after a failed kzalloc() in get_filename() (stable-fixes). - Fix a potential infinite loop in extract_user_to_sg() (git-fixes). - Fix build errors due to new UIO_MEM_DMA_COHERENT mess (git-fixes). 
- fs/9p: only translate RWX permissions for plain 9P2000 (git-fixes) - fs/9p: translate O_TRUNC into OTRUNC (git-fixes) - fs: Fix error checking for d_hash_and_lookup() (git-fixes) - fs: indicate request originates from old mount API (git-fixes) - fs: relax mount_setattr() permission checks (git-fixes) - fsverity: skip PKCS#7 parser when keyring is empty (git-fixes) - ftrace: Fix possible use-after-free issue in ftrace_location() (git-fixes). - fuse: do not unhash root (bsc#1223946). - fuse: fix root lookup with nonzero generation (bsc#1223945). - geneve: fix header validation in geneve[6]_xmit_skb (git-fixes). - geneve: make sure to pull inner header in geneve_rx() (git-fixes). - gpio: cdev: check for NULL labels when sanitizing them for irqs (git-fixes). - gpio: cdev: fix missed label sanitizing in debounce_setup() (git-fixes). - gpio: cdev: sanitize the label before requesting the interrupt (stable-fixes). - gpio: crystalcove: Use -ENOTSUPP consistently (stable-fixes). - gpiolib: cdev: fix uninitialised kfifo (git-fixes). - gpiolib: cdev: relocate debounce_period_us from struct gpio_desc (stable-fixes). - gpiolib: swnode: Remove wrong header inclusion (git-fixes). - gpio: tangier: Use correct type for the IRQ chip data (git-fixes). - gpio: tegra186: Fix tegra186_gpio_is_accessible() check (git-fixes). - gpio: wcove: Use -ENOTSUPP consistently (stable-fixes). - gpu: host1x: Do not setup DMA for virtual devices (stable-fixes). - gtp: fix use-after-free and null-ptr-deref in gtp_newlink() (git-fixes). - HID: amd_sfh: Handle 'no sensors' in PM operations (git-fixes). - HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up (git-fixes). - HID: input: avoid polling stylus battery on Chromebook Pompom (stable-fixes). - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors (git-fixes). - HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc (git-fixes). - HID: logitech-dj: allow mice to use all types of reports (git-fixes). 
- HID: multitouch: Add required quirk for Synaptics 0xcddc device (stable-fixes). - hwmon: (amc6821) add of_match table (stable-fixes). - hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock (git-fixes). - hwmon: (corsair-cpro) Use a separate buffer for sending commands (git-fixes). - hwmon: (corsair-cpro) Use complete_all() instead of complete() in ccp_raw_event() (git-fixes). - hwmon: (intel-m10-bmc-hwmon) Fix multiplier for N6000 board power sensor (git-fixes). - hwmon: (lm70) fix links in doc and comments (git-fixes). - hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us (git-fixes). - hwmon: (shtc1) Fix property misspelling (git-fixes). - hwtracing: hisi_ptt: Move type check to the beginning of hisi_ptt_pmu_event_init() (git-fixes). - i2c: acpi: Unbind mux adapters before delete (git-fixes). - i2c: cadence: Avoid fifo clear after start (git-fixes). - i2c: pxa: hide unused icr_bits[] variable (git-fixes). - i2c: smbus: fix NULL function pointer dereference (git-fixes). - i2c: synquacer: Fix an error handling path in synquacer_i2c_probe() (git-fixes). - i3c: master: svc: change ENXIO to EAGAIN when IBI occurs during start frame (git-fixes). - i3c: master: svc: fix invalidate IBI type and miss call client IBI handler (git-fixes). - i40e: disable NAPI right after disabling irqs when handling xsk_pool (git-fixes). - i40e: Enforce software interrupt during busy-poll exit (git-fixes). - i40e: Fix firmware version comparison function (git-fixes). - i40e: fix i40e_count_filters() to count only active/new filters (git-fixes). - i40e: Fix VF MAC filter removal (git-fixes). - i40e: fix vf may be used uninitialized in this function warning (git-fixes). - i915: make inject_virtual_interrupt() void (stable-fixes). - IB/mlx5: Use __iowrite64_copy() for write combining stores (git-fixes) - ice: fix enabling RX VLAN filtering (git-fixes). - ice: fix memory corruption bug with suspend and rebuild (git-fixes). 
- ice: fix stats being updated by way too large values (git-fixes). - ice: fix typo in assignment (git-fixes). - ice: fix uninitialized dplls mutex usage (git-fixes). - ice: reconfig host after changing MSI-X on VF (git-fixes). - ice: Refactor FW data type and fix bitmap casting issue (git-fixes). - ice: reorder disabling IRQ and NAPI in ice_qp_dis (git-fixes). - ice: use relative VSI index for VFs instead of PF VSI number (git-fixes). - ice: virtchnl: stop pretending to support RSS over AQ or registers (git-fixes). - ida: make 'ida_dump' static (git-fixes). - idma64: Do not try to serve interrupts when device is powered off (git-fixes). - idpf: disable local BH when scheduling napi for marker packets (git-fixes). - idpf: extend tx watchdog timeout (bsc#1224137). - idpf: fix kernel panic on unknown packet types (git-fixes). - igb: extend PTP timestamp adjustments to i211 (git-fixes). - igb: Fix missing time sync events (git-fixes). - igc: avoid returning frame twice in XDP_REDIRECT (git-fixes). - igc: Fix missing time sync events (git-fixes). - igc: Remove stale comment about Tx timestamping (git-fixes). - iio: accel: mxc4005: Interrupt handling fixes (git-fixes). - iio: adc: stm32: Fixing err code to not indicate success (git-fixes). - iio: core: Leave private pointer NULL when no private data supplied (git-fixes). - iio: dummy_evgen: remove Excess kernel-doc comments (git-fixes). - iio: gts-helper: Fix division loop (git-fixes). - iio:imu: adis16475: Fix sync mode setting (git-fixes). - iio: pressure: dps310: support negative temperature values (git-fixes). - iio: pressure: Fixes BME280 SPI driver data (git-fixes). - inet_diag: annotate data-races around inet_diag_table[] (git-fixes). - inet: frags: eliminate kernel-doc warning (git-fixes). - init/main.c: Fix potential static_command_line memory overflow (git-fixes). - init: open /initrd.image with O_LARGEFILE (stable-fixes). - Input: allocate keycode for Display refresh rate toggle (stable-fixes). 
- Input: cyapa - add missing input core locking to suspend/resume functions (git-fixes). - Input: gpio_keys_polled - suppress deferred probe error for gpio (stable-fixes). - Input: imagis - use FIELD_GET where applicable (stable-fixes). - Input: ims-pcu - fix printf string overflow (git-fixes). - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation (git-fixes). - Input: synaptics-rmi4 - fail probing if memory allocation for 'phys' fails (stable-fixes). - input/touchscreen: imagis: Correct the maximum touch area value (stable-fixes). - Input: xpad - add additional HyperX Controller Identifiers (stable-fixes). - Input: xpad - add support for Snakebyte GAMEPADs (stable-fixes). - intel: legacy: Partial revert of field get conversion (git-fixes). - interconnect: qcom: osm-l3: Replace custom implementation of COUNT_ARGS() (git-fixes). - interconnect: qcom: qcm2290: Fix mas_snoc_bimc QoS port assignment (git-fixes). - interconnect: qcom: sc8180x: Mark CO0 BCM keepalive (git-fixes). - interconnect: qcom: sm8550: Enable sync_state (git-fixes). - iomap: clear the per-folio dirty bits on all writeback failures (git-fixes) - iommu/arm-smmu-v3: Check that the RID domain is S1 in SVA (git-fixes). - iommu/dma: Force swiotlb_max_mapping_size on an untrusted device (bsc#1224331) - iommu/dma: Trace bounce buffer usage when mapping buffers (git-fixes). - iommufd: Add missing IOMMUFD_DRIVER kconfig for the selftest (git-fixes). - iommufd: Fix iopt_access_list_id overwrite bug (git-fixes). - iommufd/iova_bitmap: Bounds check mapped::pages access (git-fixes). - iommufd/iova_bitmap: Consider page offset for the pages to be pinned (git-fixes). - iommufd/iova_bitmap: Switch iova_bitmap::bitmap to an u8 array (git-fixes). - iommufd: Reject non-zero data_type if no data_len is provided (git-fixes). - iommu: Map reserved memory as cacheable if device is coherent (git-fixes). - iommu/vt-d: Allocate local memory for page request queue (git-fixes). 
- iommu/vt-d: Fix wrong use of pasid config (git-fixes). - iommu/vt-d: Set SSADE when attaching to a parent with dirty tracking (git-fixes). - iommu/vt-d: Update iotlb in nested domain attach (git-fixes). - ionic: set adminq irq affinity (git-fixes). - io_uring: kabi cookie remove (bsc#1217384). - ipv4: annotate data-races around fi->fib_dead (git-fixes). - irqchip/alpine-msi: Fix off-by-one in allocation error path (git-fixes). - irqchip/armada-370-xp: Suppress unused-function warning (git-fixes). - irqchip/gic-v3-its: Do not assume vPE tables are preallocated (git-fixes). - irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 (git-fixes). - irqchip/gic-v3-its: Prevent double free on error (git-fixes). - irqchip/loongson-pch-msi: Fix off-by-one on allocation error path (git-fixes). - irqchip/mbigen: Do not use bus_get_dev_root() to find the parent (git-fixes). - irqchip/renesas-rzg2l: Add macro to retrieve TITSR register offset based on register's index (stable-fixes). - irqchip/renesas-rzg2l: Flush posted write in irq_eoi() (git-fixes). - irqchip/renesas-rzg2l: Implement restriction when writing ISCR register (stable-fixes). - irqchip/renesas-rzg2l: Prevent spurious interrupts when setting trigger type (git-fixes). - irqchip/renesas-rzg2l: Rename rzg2l_irq_eoi() (stable-fixes). - irqchip/renesas-rzg2l: Rename rzg2l_tint_eoi() (stable-fixes). - ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() (git-fixes). - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able (git-fixes). - jffs2: prevent xattr node from overflowing the eraseblock (git-fixes). - kABI: Adjust trace_iterator.wait_index (git-fixes). - kABI fix of KVM: x86/pmu: Allow programming events that match unsupported arch events (bsc#1225696). - kABI fix of KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible (git-fixes). - kabi fix of perf/x86/intel: Expose existence of callback support to KVM (git fixes). 
- kabi/severities: ignore brcmfmac-specific local symbols - kabi/severities: ignore IMS functions. They were dropped in previous patches. No one is supposed to use them. - kabi/severities: ignore TAS2781 symbol drop, it's only locally used - kabi/severities: ignore Wangxun ethernet driver local symbols - kabi/severities: Remove mitigation-related symbols. Those are used by the core kernel to implement CPU vulnerabilities mitigation and are not expected to be consumed by 3rd party users. - kABI workaround for cs35l56 (git-fixes). - kABI workaround for of driver changes (git-fixes). - kasan: disable kasan_non_canonical_hook() for HW tags (git-fixes). - kasan, fortify: properly rename memintrinsics (git-fixes). - kasan: print the original fault addr when access invalid shadow (git-fixes). - kasan/test: avoid gcc warning for intentional overflow (git-fixes). - kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 (stable-fixes). - kconfig: fix infinite loop when expanding a macro at the end of file (git-fixes). - kexec: do syscore_shutdown() in kernel_kexec (git-fixes). - KEYS: trusted: Do not use WARN when encode fails (git-fixes). - KEYS: trusted: Fix memory leak in tpm2_key_encode() (git-fixes). - kprobes: Fix possible use-after-free issue on kprobe registration (git-fixes). - kselftest: Add a ksft_perror() helper (stable-fixes). - kunit/fortify: Fix mismatched kvalloc()/vfree() usage (git-fixes). - KVM: nVMX: Clear EXIT_QUALIFICATION when injecting an EPT Misconfig (git-fixes). - KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M (git-fixes bsc#1224790). - KVM: SVM: Add support for allowing zero SEV ASIDs (git-fixes). - KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() (git-fixes). - KVM: SVM: Use unsigned integers when dealing with ASIDs (git-fixes). - KVM: VMX: Disable LBR virtualization if the CPU does not support LBR callstacks (git-fixes).
- KVM: VMX: Report up-to-date exit qualification to userspace (git-fixes). - KVM: x86: Allow, do not ignore, same-value writes to immutable MSRs (git-fixes). - KVM: x86: Fix broken debugregs ABI for 32 bit kernels (git-fixes). - KVM: x86: Fully re-initialize supported_mce_cap on vendor module load (git-fixes). - KVM: x86: Introduce __kvm_get_hypervisor_cpuid() helper (git-fixes). - KVM: x86: Mark target gfn of emulated atomic instruction as dirty (git-fixes). - KVM: x86/mmu: Do not force emulation of L2 accesses to non-APIC internal slots (git-fixes). - KVM: x86/mmu: Move private vs. shared check above slot validity checks (git-fixes). - KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU (git-fixes). - KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status (git-fixes). - KVM: x86: Only set APICV_INHIBIT_REASON_ABSENT if APICv is enabled (git-fixes). - KVM: x86/pmu: Allow programming events that match unsupported arch events (git-fixes). - KVM: x86/pmu: Always treat Fixed counters as available when supported (git-fixes). - KVM: x86/pmu: Apply 'fast' RDPMC only to Intel PMUs (git-fixes). - KVM: x86/pmu: Disable support for adaptive PEBS (git-fixes). - KVM: x86/pmu: Disallow 'fast' RDPMC for architectural Intel PMUs (git-fixes). - KVM: x86/pmu: Do not ignore bits 31:30 for RDPMC index on AMD (git-fixes). - KVM: x86/pmu: Do not mask LVTPC when handling a PMI on AMD platforms (git-fixes). - KVM: x86/pmu: Explicitly check NMI from guest to reducee false positives (git-fixes). - KVM: x86/pmu: Prioritize VMX interception over #GP on RDPMC due to bad index (git-fixes). - KVM: x86/pmu: Set enable bits for GP counters in PERF_GLOBAL_CTRL at 'RESET' (git-fixes). - KVM: x86/pmu: Zero out PMU metadata on AMD if PMU is disabled (git-fixes). - KVM: x86: Snapshot if a vCPU's vendor model is AMD vs. Intel compatible (git-fixes). - KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP (git-fixes). 
- KVM: x86: Use actual kvm_cpuid.base for clearing KVM_FEATURE_PV_UNHALT (git-fixes). - KVM: x86/xen: fix recursive deadlock in timer injection (git-fixes). - KVM: x86/xen: improve accuracy of Xen timers (git-fixes). - KVM: x86/xen: inject vCPU upcall vector when local APIC is enabled (git-fixes). - KVM: x86/xen: remove WARN_ON_ONCE() with false positives in evtchn delivery (git-fixes). - leds: pwm: Disable PWM when going to suspend (git-fixes). - libnvdimm: Fix ACPI_NFIT in BLK_DEV_PMEM help (jsc#PED-5853). - libperf evlist: Avoid out-of-bounds access (git-fixes). - libsubcmd: Fix parse-options memory leak (git-fixes). - lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure (git-fixes). - livepatch: Fix missing newline character in klp_resolve_symbols() (bsc#1223539). - locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock (git-fixes) - lsm: fix the logic in security_inode_getsecctx() (git-fixes). - mac802154: fix llsec key resources release in mac802154_llsec_key_del (git-fixes). - maple_tree: fix mas_empty_area_rev() null pointer dereference (git-fixes). - md: add a new helper rdev_has_badblock() (jsc#PED-7542). - md: add a new helper reshape_interrupted() (jsc#PED-7542). - md: changed the switch of RAID_VERSION to if (jsc#PED-7542). - md: check mddev->pers before calling md_set_readonly() (jsc#PED-7542). - md: clean up invalid BUG_ON in md_ioctl (jsc#PED-7542). - md: clean up openers check in do_md_stop() and md_set_readonly() (jsc#PED-7542). - md/dm-raid: do not call md_reap_sync_thread() directly (jsc#PED-7542). - md: Do not clear MD_CLOSING when the raid is about to stop (jsc#PED-7542). - md: do not clear MD_RECOVERY_FROZEN for new dm-raid until resume (jsc#PED-7542). - md: export helper md_is_rdwr() (jsc#PED-7542). - md: export helpers to stop sync_thread (jsc#PED-7542). - md: factor out a helper to sync mddev (jsc#PED-7542). - md: fix kmemleak of rdev->serial (jsc#PED-7542). - md: get rdev->mddev with READ_ONCE() (jsc#PED-7542). 
- md: merge the check of capabilities into md_ioctl_valid() (jsc#PED-7542). - md: preserve KABI in struct md_personality (jsc#PED-7542). - md/raid1-10: add a helper raid1_check_read_range() (jsc#PED-7542). - md/raid1-10: factor out a new helper raid1_should_read_first() (jsc#PED-7542). - md/raid1: factor out choose_bb_rdev() from read_balance() (jsc#PED-7542). - md/raid1: factor out choose_slow_rdev() from read_balance() (jsc#PED-7542). - md/raid1: factor out helpers to add rdev to conf (jsc#PED-7542). - md/raid1: factor out helpers to choose the best rdev from read_balance() (jsc#PED-7542). - md/raid1: factor out read_first_rdev() from read_balance() (jsc#PED-7542). - md/raid1: factor out the code to manage sequential IO (jsc#PED-7542). - md/raid1: fix choose next idle in read_balance() (jsc#PED-7542). - md/raid1: record nonrot rdevs while adding/removing rdevs to conf (jsc#PED-7542). - md: remove redundant check of 'mddev->sync_thread' (jsc#PED-7542). - md: remove redundant md_wakeup_thread() (jsc#PED-7542). - md: return directly before setting did_set_md_closing (jsc#PED-7542). - md: sync blockdev before stopping raid or setting readonly (jsc#PED-7542). - md: use RCU lock to protect traversal in md_spares_need_change() (jsc#PED-7542). - media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries (git-fixes). - media: cadence: csi2rx: use match fwnode for media link (git-fixes). - media: cec: core: remove length check of Timer Status (stable-fixes). - media: dt-bindings: ovti,ov2680: Fix the power supply names (git-fixes). - media: flexcop-usb: fix sanity check of bNumEndpoints (git-fixes). - media: i2c: et8ek8: Do not strip remove function when driver is builtin (git-fixes). - media: ipu3-cio2: Request IRQ earlier (git-fixes). - media: mc: Fix flags handling when creating pad links (stable-fixes). - media: mc: Fix graph walk in media_pipeline_start (git-fixes). - media: mc: mark the media devnode as registered from the, start (git-fixes). 
- media: mc: Rename pad variable to clarify intent (stable-fixes). - media: ngene: Add dvb_ca_en50221_init return value check (git-fixes). - media: rcar-vin: work around -Wenum-compare-conditional warning (git-fixes). - media: rkisp1: Fix IRQ handling due to shared interrupts (stable-fixes). - media: sta2x11: fix irq handler cast (stable-fixes). - media: stk1160: fix bounds checking in stk1160_copy_video() (git-fixes). - media: sunxi: a83-mips-csi2: also select GENERIC_PHY (git-fixes). - media: uvcvideo: Add quirk for Logitech Rally Bar (git-fixes). - media: v4l2-subdev: Fix stream handling for crop API (git-fixes). - media: v4l: Do not turn on privacy LED if streamon fails (git-fixes). - mei: me: add arrow lake point H DID (stable-fixes). - mei: me: add arrow lake point S DID (stable-fixes). - mei: me: add lunar lake point M DID (stable-fixes). - mei: me: disable RPL-S on SPS and IGN firmwares (git-fixes). - mlxbf_gige: call request_irq() after NAPI initialized (git-fixes). - mlxbf_gige: stop interface during shutdown (git-fixes). - mlxbf_gige: stop PHY during open() error paths (git-fixes). - mlxsw: Use refcount_t for reference counting (git-fixes). - mmc: core: Add HS400 tuning in HS400es initialization (stable-fixes). - mmc: core: Avoid negative index with array access (git-fixes). - mmc: core: Initialize mmc_blk_ioc_data (git-fixes). - mmc: davinci: Do not strip remove function when driver is builtin (git-fixes). - mmc: omap: fix broken slot switch lookup (git-fixes). - mmc: omap: fix deferred probe (git-fixes). - mmc: omap: restore original power up/down steps (git-fixes). - mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock (git-fixes). - mmc: sdhci_am654: Add OTAP/ITAP delay enable (git-fixes). - mmc: sdhci_am654: Add tuning algorithm for delay chain (git-fixes). - mmc: sdhci_am654: Fix ITAPDLY for HS400 timing (git-fixes). - mmc: sdhci_am654: Write ITAPDLY for DDR52 timing (git-fixes). 
- mmc: sdhci-msm: pervent access to suspended controller (git-fixes). - mmc: sdhci-omap: re-tuning is needed after a pm transition to support emmc HS200 mode (git-fixes). - mm_init kABI workaround (git-fixes). - mm: memcg: do not periodically flush stats when memcg is disabled (bsc#1222525). - mm: memcg: use larger batches for proactive reclaim (bsc#1222522). - mm,page_owner: check for null stack_record before bumping its refcount (bsc#1222366). - mm,page_owner: Defer enablement of static branch (bsc#1222366). - mm,page_owner: drop unnecessary check (bsc#1222366). - mm,page_owner: Fix accounting of pages when migrating (bsc#1222366). - mm,page_owner: Fix printing of stack records (bsc#1222366). - mm,page_owner: fix recursion (bsc#1222366). - mm,page_owner: Fix refcount imbalance (bsc#1222366). - mm: page_owner: fix wrong information in dump_page_owner (git-fixes). - mm,page_owner: Update metadata for tail pages (bsc#1222366). - mm/slab: make __free(kfree) accept error pointers (git-fixes). - modpost: Add '.ltext' and '.ltext.*' to TEXT_SECTIONS (stable-fixes). - mptcp: annotate data-races around msk->rmem_fwd_alloc (git-fixes). - mptcp: fix bogus receive window shrinkage with multiple subflows (git-fixes). - mptcp: move __mptcp_error_report in protocol.c (git-fixes). - mptcp: process pending subflow error on close (git-fixes). - mptcp: Remove unnecessary test for __mptcp_init_sock() (git-fixes). - mtd: core: Report error if first mtd_otp_size() call fails in mtd_otp_nvmem_add() (git-fixes). - mtd: diskonchip: work around ubsan link failure (stable-fixes). - mtd: rawnand: hynix: fixed typo (git-fixes). - mtd: spinand: Add support for 5-byte IDs (stable-fixes). - net: add netdev_lockdep_set_classes() to virtual drivers (git-fixes). - net: annotate data-races around sk->sk_bind_phc (git-fixes). - net: annotate data-races around sk->sk_forward_alloc (git-fixes). - net: annotate data-races around sk->sk_lingertime (git-fixes). 
- net: annotate data-races around sk->sk_tsflags (git-fixes). - net: bonding: remove kernel-doc comment marker (git-fixes). - net: cfg802154: fix kernel-doc notation warnings (git-fixes). - net: dsa: microchip: fix register write order in ksz8_ind_write8() (git-fixes). - net: dsa: mt7530: fix handling of all link-local frames (git-fixes). - net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports (git-fixes). - net: dsa: mt7530: prevent possible incorrect XTAL frequency selection (git-fixes). - net: dsa: mt7530: trap link-local frames regardless of ST Port State (git-fixes). - net: dsa: sja1105: Fix parameters order in sja1110_pcs_mdio_write_c45() (git-fixes). - net: ena: Fix incorrect descriptor free behavior (git-fixes). - net: ena: Fix potential sign extension issue (git-fixes). - net: ena: Move XDP code to its new files (git-fixes). - net: ena: Pass ena_adapter instead of net_device to ena_xmit_common() (git-fixes). - net: ena: Remove ena_select_queue (git-fixes). - net: ena: Set tx_info->xdpf value to NULL (git-fixes). - net: ena: Use tx_ring instead of xdp_ring for XDP channel TX (git-fixes). - net: ena: Wrong missing IO completions check order (git-fixes). - net: ethernet: mtk_eth_soc: fix PPE hanging issue (git-fixes). - net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio (git-fixes). - net: fec: Set mac_managed_pm during probe (git-fixes). - netfilter: nf_tables: disable toggling dormant table state more than once (git-fixes). - netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID (git-fixes). - netfilter: nft_ct: fix l3num expectations with inet pseudo family (git-fixes). - netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention (git-fixes). - net: hns3: fix index limit to support all queue stats (git-fixes). - net: hns3: fix kernel crash when 1588 is received on HIP08 devices (git-fixes). - net: hns3: fix kernel crash when devlink reload during pf initialization (git-fixes). 
- net: hns3: fix port duplex configure error in IMP reset (git-fixes). - net: hns3: fix wrong judgment condition issue (git-fixes). - net: hns3: mark unexcuted loopback test result as UNEXECUTED (git-fixes). - net: hns3: tracing: fix hclgevf trace event strings (git-fixes). - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (git-fixes). - net: ks8851: Handle softirqs at the end of IRQ thread to fix hang (git-fixes). - net: ks8851: Inline ks8851_rx_skb() (git-fixes). - net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs (git-fixes). - net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips (git-fixes). - net: libwx: fix memory leak on free page (git-fixes). - net: llc: fix kernel-doc notation warnings (git-fixes). - net: ll_temac: platform_get_resource replaced by wrong function (git-fixes). - net: mana: Fix Rx DMA datasize and skb_over_panic (git-fixes). - net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up (git-fixes). - net/mlx5: Correctly compare pkt reformat ids (git-fixes). - net/mlx5e: Change the warning when ignore_flow_level is not supported (git-fixes). - net/mlx5e: Do not produce metadata freelist entries in Tx port ts WQE xmit (git-fixes). - net/mlx5e: Fix MACsec state loss upon state update in offload path (git-fixes). - net/mlx5e: Fix mlx5e_priv_init() cleanup flow (git-fixes). - net/mlx5e: HTB, Fix inconsistencies with QoS SQs number (git-fixes). - net/mlx5e: RSS, Block changing channels number when RXFH is configured (git-fixes). - net/mlx5e: RSS, Block XOR hash with over 128 channels (git-fixes). - net/mlx5: E-switch, Change flow rule destination checking (git-fixes). - net/mlx5: E-switch, store eswitch pointer before registering devlink_param (git-fixes). - net/mlx5e: Switch to using _bh variant of of spinlock API in port timestamping NAPI poll context (git-fixes). 
- net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map (git-fixes). - net/mlx5: Fix fw reporter diagnose output (git-fixes). - net/mlx5: Fix peer devlink set for SF representor devlink port (git-fixes). - net/mlx5: Lag, restore buckets number to default after hash LAG deactivation (git-fixes). - net/mlx5: offset comp irq index in name by one (git-fixes). - net/mlx5: Properly link new fs rules into the tree (git-fixes). - net/mlx5: Register devlink first under devlink lock (git-fixes). - net/mlx5: Restore mistakenly dropped parts in register devlink flow (git-fixes). - net/mlx5: SF, Stop waiting for FW as teardown was called (git-fixes). - net: nfc: remove inappropriate attrs check (stable-fixes). - net: NSH: fix kernel-doc notation warning (git-fixes). - net: pcs: xpcs: Return EINVAL in the internal methods (git-fixes). - net: phy: fix phy_read_poll_timeout argument type in genphy_loopback (git-fixes). - net: phy: micrel: Fix potential null pointer dereference (git-fixes). - net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping (git-fixes). - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061 (git-fixes). - net: phy: phy_device: Prevent nullptr exceptions on ISR (git-fixes). - net: phy: phy_device: Prevent nullptr exceptions on ISR (stable-fixes). - net: ravb: Always process TX descriptor ring (git-fixes). - net: ravb: Let IP-specific receive function to interrogate descriptors (git-fixes). - net/smc: bugfix for smcr v2 server connect success statistic (git-fixes). - net/smc: fix documentation of buffer sizes (git-fixes). - net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add (git-fixes). - net: smsc95xx: add support for SYS TEC USB-SPEmodule1 (git-fixes). - net: sparx5: Fix use after free inside sparx5_del_mact_entry (git-fixes). - net: sparx5: fix wrong config being used when reconfiguring PCS (git-fixes). 
- net: sparx5: flower: fix fragment flags handling (git-fixes). - net: stmmac: dwmac-starfive: Add support for JH7100 SoC (git-fixes). - net: stmmac: Fix incorrect dereference in interrupt handlers (git-fixes). - net: stmmac: fix rx queue priority assignment (git-fixes). - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() (git-fixes). - net: tcp: fix unexcepted socket die when snd_wnd is 0 (git-fixes). - net: tls: fix returned read length with async decrypt (bsc#1221858). - net: tls: fix use-after-free with partial reads and async (bsc#1221858). - net: tls, fix WARNIING in __sk_msg_free (bsc#1221858). - net: usb: ax88179_178a: avoid the interface always configured as random address (git-fixes). - net: usb: ax88179_178a: avoid writing the mac address before first reading (git-fixes). - net: usb: ax88179_178a: fix link status when link is set to down/up (git-fixes). - net: usb: ax88179_178a: stop lying about skb->truesize (git-fixes). - net:usb:qmi_wwan: support Rolling modules (stable-fixes). - net: usb: smsc95xx: stop lying about skb->truesize (git-fixes). - net: usb: sr9700: stop lying about skb->truesize (git-fixes). - net: Use sockaddr_storage for getsockopt(SO_PEERNAME) (git-fixes). - net: veth: do not manipulate GRO when using XDP (git-fixes). - net: wwan: t7xx: Split 64bit accesses to fix alignment issues (git-fixes). - net/x25: fix incorrect parameter validation in the x25_getsockopt() function (git-fixes). - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() (git-fixes). - nfc: nci: Fix kcov check in nci_rx_work() (git-fixes). - nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (git-fixes). - nfc: nci: Fix uninit-value in nci_rx_work (git-fixes). - nf_conntrack: fix -Wunused-const-variable= (git-fixes). - NFC: trf7970a: disable all regulators on removal (git-fixes). - nfp: flower: handle acti_netdevs allocation failure (git-fixes). - NFSD: change LISTXATTRS cookie encoding to big-endian (git-fixes). 
- NFSD: Convert the callback workqueue to use delayed_work (git-fixes). - nfsd: do not call locks_release_private() twice concurrently (git-fixes). - nfsd: Fix a regression in nfsd_setattr() (git-fixes). - NFSD: fix LISTXATTRS returning a short list with eof=TRUE (git-fixes). - NFSD: fix LISTXATTRS returning more bytes than maxcount (git-fixes). - NFSD: fix nfsd4_listxattr_validate_cookie (git-fixes). - NFSD: Fix nfsd_clid_class use of __string_len() macro (git-fixes). - NFSD: Reschedule CB operations when backchannel rpc_clnt is shut down (git-fixes). - NFSD: Reset cb_seq_status after NFS4ERR_DELAY (git-fixes). - NFSD: Retransmit callbacks after client reconnects (git-fixes). - nfsd: use __fput_sync() to avoid delayed closing of files (bsc#1223380 bsc#1217408). - NFS: Fix an off by one in root_nfs_cat() (git-fixes). - NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt (git-fixes). - nfs: fix panic when nfs4_ff_layout_prepare_ds() fails (git-fixes). - NFS: Read unlock folio on nfs_page_create_from_folio() error (git-fixes). - NFSv4.1/pnfs: fix NFS with TLS in pnfs (git-fixes). - NFSv4.2: fix listxattr maximum XDR buffer size (git-fixes). - NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 (git-fixes). - nilfs2: fix OOB in nilfs_set_de_type (git-fixes). - nilfs2: fix out-of-range warning (git-fixes). - nilfs2: fix potential bug in end_buffer_async_write (git-fixes). - nilfs2: fix unexpected freezing of nilfs_segctor_sync() (git-fixes). - nilfs2: fix use-after-free of timer for log writer thread (git-fixes). - nilfs2: make superblock data array index computation sparse friendly (git-fixes). - nouveau/dmem: handle kcalloc() allocation failure (git-fixes). - nouveau: fix devinit paths to only handle display on GSP (git-fixes). - nouveau: fix function cast warning (git-fixes). - nouveau: fix instmem race condition around ptr stores (git-fixes). - nouveau/gsp: do not check devinit disable on GSP (git-fixes). 
- nouveau: lock the client object tree (stable-fixes). - nouveau: reset the bo resource bus info after an eviction (git-fixes). - nouveau/uvmm: fix addr/range calcs for remap operations (git-fixes). - nvdimm: make nvdimm_bus_type const (jsc#PED-5853). - nvdimm/pmem: fix leak on dax_add_host() failure (jsc#PED-5853). - nvdimm/pmem: Treat alloc_dax() -EOPNOTSUPP failure as non-fatal (jsc#PED-5853). - nvme-fc: do not wait in vain when unloading module (git-fixes). - nvme: fix multipath batched completion accounting (git-fixes). - nvme: fix reconnection fail due to reserved tag allocation (git-fixes). - nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH (git-fixes). - nvme-multipath: fix io accounting on failover (git-fixes). - nvme-pci: Add quirk for broken MSIs (git-fixes). - nvme-tcp: strict pdu pacing to avoid send stalls on TLS (bsc#1221858). - nvmet-fc: abort command when there is no binding (git-fixes). - nvmet-fc: avoid deadlock on delete association path (git-fixes). - nvmet-fc: defer cleanup using RCU properly (git-fixes). - nvmet-fc: hold reference on hostport match (git-fixes). - nvmet-fcloop: swap the list_add_tail arguments (git-fixes). - nvmet-fc: release reference on target port (git-fixes). - nvmet-fc: take ref count on tgtport before delete assoc (git-fixes). - nvmet: fix ns enable/disable possible hang (git-fixes). - nvmet-tcp: fix nvme tcp ida memory leak (git-fixes). - octeontx2-af: Add array index check (git-fixes). - octeontx2-af: Fix devlink params (git-fixes). - octeontx2-af: Fix issue with loading coalesced KPU profiles (git-fixes). - octeontx2-af: Fix NIX SQ mode and BP config (git-fixes). - Octeontx2-af: fix pause frame configuration in GMP mode (git-fixes). - octeontx2-af: Use matching wake_up API variant in CGX command interface (git-fixes). - octeontx2-af: Use separate handlers for interrupts (git-fixes). - octeontx2: Detect the mbox up or down message via register (git-fixes). 
- octeontx2-pf: check negative error code in otx2_open() (git-fixes). - octeontx2-pf: fix FLOW_DIS_IS_FRAGMENT implementation (git-fixes). - octeontx2-pf: Fix transmit scheduler resource leak (git-fixes). - octeontx2-pf: Send UP messages to VF only when VF is up (git-fixes). - octeontx2-pf: Use default max_active works instead of one (git-fixes). - octeontx2-pf: Wait till detach_resources msg is complete (git-fixes). - of: dynamic: Synchronize of_changeset_destroy() with the devlink removals (git-fixes). - of: module: add buffer overflow check in of_modalias() (git-fixes). - of: module: prevent NULL pointer dereference in vsnprintf() (stable-fixes). - of: property: Add in-ports/out-ports support to of_graph_get_port_parent() (stable-fixes). - of: property: fix typo in io-channels (git-fixes). - of: property: fw_devlink: Fix stupid bug in remote-endpoint parsing (git-fixes). - of: property: Improve finding the consumer of a remote-endpoint property (git-fixes). - of: property: Improve finding the supplier of a remote-endpoint property (git-fixes). - of: unittest: Fix compile in the non-dynamic case (git-fixes). - overflow: Allow non-type arg to type_max() and type_min() (stable-fixes). - PCI/AER: Block runtime suspend when handling errors (stable-fixes). - PCI/ASPM: Use RMW accessors for changing LNKCTL (git-fixes). - PCI: Delay after FLR of Solidigm P44 Pro NVMe (stable-fixes). - PCI: Disable D3cold on Asus B1400 PCI-NVMe bridge (stable-fixes). - PCI/DPC: Quirk PIO log size for Intel Raptor Lake Root Ports (stable-fixes). - PCI/DPC: Use FIELD_GET() (stable-fixes). - PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host (git-fixes). - PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3 (git-fixes). - PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3 (git-fixes). - PCI: Execute quirk_enable_clear_retrain_link() earlier (stable-fixes). - PCI: Fix typos in docs and comments (stable-fixes). 
- PCI: hv: Fix ring buffer size calculation (git-fixes). - PCI: Make link retraining use RMW accessors for changing LNKCTL (git-fixes). - PCI/PM: Drain runtime-idle callbacks before driver removal (stable-fixes). - PCI: qcom: Add support for sa8775p SoC (git-fixes). - PCI: qcom: Disable ASPM L0s for sc8280xp, sa8540p and sa8295p (git-fixes). - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id (git-fixes). - PCI: rpaphp: Error out on busy status from get-sensor-state (bsc#1223369 ltc#205888). - PCI: Simplify pcie_capability_clear_and_set_word() to ..._clear_word() (stable-fixes). - PCI: switchtec: Add support for PCIe Gen5 devices (stable-fixes). - PCI: switchtec: Use normal comment style (stable-fixes). - PCI: tegra194: Fix probe path for Endpoint mode (git-fixes). - peci: linux/peci.h: fix Excess kernel-doc description warning (git-fixes). - perf annotate: Fix annotation_calc_lines() to pass correct address to get_srcline() (git-fixes). - perf annotate: Get rid of duplicate --group option item (git-fixes). - perf auxtrace: Fix multiple use of --itrace option (git-fixes). - perf bench internals inject-build-id: Fix trap divide when collecting just one DSO (git-fixes). - perf bench uprobe: Remove lib64 from libc.so.6 binary path (git-fixes). - perf bpf: Clean up the generated/copied vmlinux.h (git-fixes). - perf daemon: Fix file leak in daemon_session__control (git-fixes). - perf docs: Document bpf event modifier (git-fixes). - perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample() (git-fixes). - perf expr: Fix 'has_event' function for metric style events (git-fixes). - perf intel-pt: Fix unassigned instruction op (discovered by MemorySanitizer) (git-fixes). - perf jevents: Drop or simplify small integer values (git-fixes). - perf list: fix short description for some cache events (git-fixes). - perf lock contention: Add a missing NULL check (git-fixes). - perf metric: Do not remove scale from counts (git-fixes). 
- perf pmu: Count sys and cpuid JSON events separately (git fixes). - perf pmu: Fix a potential memory leak in perf_pmu__lookup() (git-fixes). - perf pmu: Treat the msr pmu as software (git-fixes). - perf print-events: make is_event_supported() more robust (git-fixes). - perf probe: Add missing libgen.h header needed for using basename() (git-fixes). - perf record: Check conflict between '--timestamp-filename' option and pipe mode before recording (git-fixes). - perf record: Fix debug message placement for test consumption (git-fixes). - perf record: Fix possible incorrect free in record__switch_output() (git-fixes). - perf report: Avoid SEGV in report__setup_sample_type() (git-fixes). - perf sched timehist: Fix -g/--call-graph option failure (git-fixes). - perf script: Show also errors for --insn-trace option (git-fixes). - perf srcline: Add missed addr2line closes (git-fixes). - perf stat: Avoid metric-only segv (git-fixes). - perf stat: Do not display metric header for non-leader uncore events (git-fixes). - perf stat: Do not fail on metrics on s390 z/VM systems (git-fixes). - perf symbols: Fix ownership of string in dso__load_vmlinux() (git-fixes). - perf tests: Apply attributes to all events in object code reading test (git-fixes). - perf test shell arm_coresight: Increase buffer size for Coresight basic tests (git-fixes). - perf tests: Make data symbol test wait for perf to start (bsc#1220045). - perf tests: Make 'test data symbol' more robust on Neoverse N1 (git-fixes). - perf tests: Skip data symbol test if buf1 symbol is missing (bsc#1220045). - perf thread: Fixes to thread__new() related to initializing comm (git-fixes). - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() (git-fixes). - perf top: Uniform the event name for the hybrid machine (git-fixes). - perf top: Use evsel's cpus to replace user_requested_cpus (git-fixes). - perf ui browser: Avoid SEGV on title (git fixes). 
- perf ui browser: Do not save pointer to stack memory (git-fixes). - perf vendor events amd: Add Zen 4 memory controller events (git-fixes). - perf vendor events amd: Fix Zen 4 cache latency events (git-fixes). - perf/x86/amd/core: Avoid register reset when CPU is dead (git-fixes). - perf/x86/amd/lbr: Discard erroneous branch entries (git-fixes). - perf/x86/amd/lbr: Use freeze based on availability (git-fixes). - perf/x86: Fix out of range data (git-fixes). - perf/x86/intel/ds: Do not clear ->pebs_data_cfg for the last PEBS event (git-fixes). - perf/x86/intel: Expose existence of callback support to KVM (git-fixes). - phy: freescale: imx8m-pcie: fix pcie link-up instability (git-fixes). - phy: marvell: a3700-comphy: Fix hardcoded array size (git-fixes). - phy: marvell: a3700-comphy: Fix out of bounds read (git-fixes). - phy: rockchip: naneng-combphy: Fix mux on rk3588 (git-fixes). - phy: rockchip-snps-pcie3: fix bifurcation on rk3588 (git-fixes). - phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits (git-fixes). - phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered (git-fixes). - pinctrl: armada-37xx: remove an unused variable (git-fixes). - pinctrl: baytrail: Fix selecting gpio pinctrl state (git-fixes). - pinctrl: core: delete incorrect free in pinctrl_enable() (git-fixes). - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() (git-fixes). - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback (git-fixes). - pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE (git-fixes). - pinctrl/meson: fix typo in PDM's pin name (git-fixes). - pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T (git-fixes). - pinctrl: qcom: pinctrl-sm7150: Fix sdc1 and ufs special pins regs (git-fixes). - pinctrl: renesas: checker: Limit cfg reg enum checks to provided IDs (stable-fixes). - platform/chrome: cros_ec_uart: properly fix race condition (git-fixes). 
- platform/x86/amd/pmc: Extend Framework 13 quirk to more BIOSes (stable-fixes). - platform/x86/intel-uncore-freq: Do not present root domain on error (git-fixes). - platform/x86: intel-vbtn: Update tablet mode switch at end of probe (git-fixes). - platform/x86: ISST: Add Granite Rapids-D to HPM CPU list (stable-fixes). - platform/x86: touchscreen_dmi: Add an extra entry for a variant of the Chuwi Vi8 tablet (stable-fixes). - platform/x86: x86-android-tablets: Fix acer_b1_750_goodix_gpios name (stable-fixes). - platform/x86: xiaomi-wmi: Fix race condition when reporting key events (git-fixes). - PM / devfreq: Synchronize devfreq_monitor_[start/stop] (stable-fixes). - PM: s2idle: Make sure CPUs will wakeup directly on resume (git-fixes). - Port 'certs: Add ECDSA signature verification self-test'. - Port 'certs: Move RSA self-test data to separate file'. - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt (bsc#1221645 ltc#205739 bsc#1223191). - powerpc/crypto/chacha-p10: Fix failure on non Power10 (bsc#1218205). - powerpc/eeh: Permanently disable the removed device (bsc#1223991 ltc#205740). - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks (git-fixes). - powerpc/pseries/lparcfg: drop error message from guest name lookup (bsc#1187716 ltc#193451 git-fixes). - powerpc/pseries: make max polling consistent for longer H_CALLs (bsc#1215199). - powerpc/pseries/vio: Do not return ENODEV if node or compatible missing (bsc#1220783). - powerpc/uaccess: Fix build errors seen with GCC 13/14 (bsc#1194869). - powerpc/uaccess: Use YZ asm constraint for ld (bsc#1194869). - power: rt9455: hide unused rt9455_boost_voltage_values (git-fixes). - power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator (git-fixes). - ppdev: Add an error check in register_device (git-fixes). - prctl: generalize PR_SET_MDWE support check to be per-arch (bsc#1225610). - printk: Add this_cpu_in_panic() (bsc#1225607). 
- printk: Adjust mapping for 32bit seq macros (bsc#1225607). - printk: Avoid non-panic CPUs writing to ringbuffer (bsc#1225607). - printk: Consolidate console deferred printing (bsc#1225607). - printk: Disable passing console lock owner completely during panic() (bsc#1225607). - printk: Do not take console lock for console_flush_on_panic() (bsc#1225607). - printk: For @suppress_panic_printk check for other CPU in panic (bsc#1225607). - printk: Keep non-panic-CPUs out of console lock (bsc#1225607). - printk: Let no_printk() use _printk() (bsc#1225618). - printk: nbcon: Relocate 32bit seq macros (bsc#1225607). - printk: Reduce console_unblank() usage in unsafe scenarios (bsc#1225607). - printk: Rename abandon_console_lock_in_panic() to other_cpu_in_panic() (bsc#1225607). - printk: ringbuffer: Clarify special lpos values (bsc#1225607). - printk: ringbuffer: Cleanup reader terminology (bsc#1225607). - printk: ringbuffer: Do not skip non-finalized records with prb_next_seq() (bsc#1225607). - printk: ringbuffer: Skip non-finalized records in panic (bsc#1225607). - printk: Update @console_may_schedule in console_trylock_spinning() (bsc#1225616). - printk: Use prb_first_seq() as base for 32bit seq macros (bsc#1225607). - printk: Wait for all reserved records with pr_flush() (bsc#1225607). - proc/kcore: do not try to access unaccepted memory (git-fixes). - pstore: inode: Convert mutex usage to guard(mutex) (stable-fixes). - pstore: inode: Only d_invalidate() is needed (git-fixes). - pstore/zone: Add a null pointer check to the psz_kmsg_read (stable-fixes). - pwm: img: fix pwm clock lookup (git-fixes). - qibfs: fix dentry leak (git-fixes) - r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d (git-fixes). - r8169: skip DASH fw status checks when DASH is disabled (git-fixes). - random: handle creditable entropy from atomic process context (git-fixes). - RAS/AMD/FMPM: Avoid NULL ptr deref in get_saved_records() (jsc#PED-7619). 
- RAS/AMD/FMPM: Fix build when debugfs is not enabled (jsc#PED-7619). - RAS/AMD/FMPM: Safely handle saved records of various sizes (jsc#PED-7619). - RDMA/cm: add timeout to cm_destroy_id wait (git-fixes) - RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw (git-fixes) - RDMA/cm: Print the old state when cm_destroy_id gets timeout (git-fixes) - RDMA/hns: Add max_ah and cq moderation capacities in query_device() (git-fixes) - RDMA/hns: Fix deadlock on SRQ async events. (git-fixes) - RDMA/hns: Fix GMV table pagesize (git-fixes) - RDMA/hns: Fix return value in hns_roce_map_mr_sg (git-fixes) - RDMA/hns: Fix UAF for cq async event (git-fixes) - RDMA/hns: Modify the print level of CQE error (git-fixes) - RDMA/hns: Use complete parentheses in macros (git-fixes) - RDMA/IPoIB: Fix format truncation compilation errors (git-fixes) - RDMA/mana_ib: Fix bug in creation of dma regions (git-fixes). - RDMA/mlx5: Adding remote atomic access flag to updatable flags (git-fixes) - RDMA/mlx5: Change check for cacheable mkeys (git-fixes) - RDMA/mlx5: Fix port number for counter query in multi-port configuration (git-fixes) - RDMA/mlx5: Uncacheable mkey has neither rb_key or cache_ent (git-fixes) - RDMA/rxe: Allow good work requests to be executed (git-fixes) - RDMA/rxe: Fix incorrect rxe_put in error path (git-fixes) - RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (git-fixes) - RDMA/rxe: Fix the problem 'mutex_destroy missing' (git-fixes) - README.BRANCH: Remove copy of branch name - Reapply 'drm/qxl: simplify qxl_fence_wait' (stable-fixes). - regmap: Add regmap_read_bypassed() (git-fixes). - regmap: kunit: Ensure that changed bytes are actually different (stable-fixes). - regmap: maple: Fix cache corruption in regcache_maple_drop() (git-fixes). - regmap: maple: Fix uninitialized symbol 'ret' warnings (git-fixes). - regulator: bd71828: Do not overwrite runtime voltages (git-fixes). 
- regulator: change devm_regulator_get_enable_optional() stub to return Ok (git-fixes). - regulator: change stubbed devm_regulator_get_enable to return Ok (git-fixes). - regulator: core: fix debugfs creation regression (git-fixes). - regulator: mt6360: De-capitalize devicetree regulator subnodes (git-fixes). - regulator: tps65132: Add of_match table (stable-fixes). - remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs (git-fixes). - remoteproc: k3-r5: Jump to error handling labels in start/stop errors (git-fixes). - remoteproc: k3-r5: Wait for core0 power-up before powering up core1 (git-fixes). - remoteproc: mediatek: Make sure IPI buffer fits in L2TCM (git-fixes). - remoteproc: stm32: Fix incorrect type assignment returned by stm32_rproc_get_loaded_rsc_tablef (git-fixes). - remoteproc: virtio: Fix wdg cannot recovery remote processor (git-fixes). - Remove NTFSv3 from configs (bsc#1224429; see comment#3 on that bug). Only the FUSE version of the NTFS-3G driver is supported, so NTFSv3 is disabled in all configs. It had been enabled in d016c04d731 ('Bump to 6.4 kernel (jsc#PED-4593)'). - Revert 'ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default' (stable-fixes). - Revert 'ASoC: SOF: Intel: hda-dai-ops: only allocate/release streams for first CPU DAI' (stable-fixes). - Revert 'ASoC: SOF: Intel: hda-dai-ops: reset device count for SoundWire DAIs' (stable-fixes). - Revert 'cifs: reconnect work should have reference on server struct' (git-fixes, bsc#1225172). - Revert 'drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()' (stable-fixes). - Revert 'drm/amd/display: Fix sending VSC (+ colorimetry) packets for DP/eDP displays without PSR' (stable-fixes). - Revert 'drm/amdkfd: fix gfx_target_version for certain 11.0.3 devices' (stable-fixes). - Revert 'drm/bridge: ti-sn65dsi83: Fix enable error path' (git-fixes). - Revert 'drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()' (stable-fixes). 
- Revert 'drm/qxl: simplify qxl_fence_wait' (git-fixes). - Revert 'iommu/amd: Enable PCI/IMS' (git-fixes). - Revert 'iommu/vt-d: Enable PCI/IMS' (git-fixes). - Revert 'net/mlx5: Block entering switchdev mode with ns inconsistency' (git-fixes). - Revert 'net/mlx5e: Check the number of elements before walk TC rhashtable' (git-fixes). - Revert 'PCI/MSI: Provide IMS (Interrupt Message Store) support' (git-fixes). - Revert 'PCI/MSI: Provide pci_ims_alloc/free_irq()' (git-fixes). - Revert 'PCI/MSI: Provide stubs for IMS functions' (git-fixes). - Revert 'selinux: introduce an initial SID for early boot processes' (bsc#1208593). It caused a regression on the ALP-current branch: the kernel-obs-qa build failed. - Revert 'usb: cdc-wdm: close race between read and workqueue' (git-fixes). - Revert 'usb: phy: generic: Get the vbus supply' (git-fixes). - ring-buffer: Do not set shortest_full when full target is hit (git-fixes). - ring-buffer: Fix a race between readers and resize checks (git-fixes). - ring-buffer: Fix full_waiters_pending in poll (git-fixes). - ring-buffer: Fix resetting of shortest_full (git-fixes). - ring-buffer: Fix waking up ring buffer readers (git-fixes). - ring-buffer: Make wake once of ring_buffer_wait() more robust (git-fixes). - ring-buffer: use READ_ONCE() to read cpu_buffer->commit_page in concurrent environment (git-fixes). - ring-buffer: Use wait_event_interruptible() in ring_buffer_wait() (git-fixes). - rtc: mt6397: select IRQ_DOMAIN instead of depending on it (git-fixes). - s390/bpf: Emit a barrier for BPF_FETCH instructions (git-fixes bsc#1224792). - s390/cio: Ensure the copied buf is NUL terminated (git-fixes bsc#1223869). - s390/cio: fix tracepoint subchannel type field (git-fixes bsc#1224793). - s390/cpacf: Split and rework cpacf query functions (git-fixes bsc#1225133). - s390/ipl: Fix incorrect initialization of len fields in nvme reipl block (git-fixes bsc#1225136). - s390/ipl: Fix incorrect initialization of nvme dump block (git-fixes bsc#1225134). 
- s390/ism: Properly fix receive message buffer allocation (git-fixes bsc#1223590). - s390/mm: Fix clearing storage keys for huge pages (git-fixes bsc#1223871). - s390/mm: Fix storage key clearing for guest huge pages (git-fixes bsc#1223872). - s390/qeth: Fix kernel panic after setting hsuid (git-fixes bsc#1223874). - s390/vdso: Add CFI for RA register to asm macro vdso_func (git-fixes bsc#1223870). - s390/vdso: drop '-fPIC' from LDFLAGS (git-fixes bsc#1223593). - s390/vtime: fix average steal time calculation (git-fixes bsc#1221783). - s390/zcrypt: fix reference counting on zcrypt card objects (git-fixes bsc#1223592). - sched/balancing: Rename newidle_balance() => sched_balance_newidle() (bsc#1222173). - sched/fair: Check root_domain::overload value before update (bsc#1222173). - sched/fair: Use helper functions to access root_domain::overload (bsc#1222173). - sched/psi: Select KERNFS as needed (git-fixes). - sched/topology: Optimize topology_span_sane() (bsc#1225053). - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn (git-fixes). - scsi: core: Consult supported VPD page list prior to fetching page (git-fixes). - scsi: core: Fix unremoved procfs host directory regression (git-fixes). - scsi: csiostor: Avoid function pointer casts (git-fixes). - scsi: hisi_sas: Modify the deadline for ata_wait_after_reset() (git-fixes). - scsi: libsas: Add a helper sas_get_sas_addr_and_dev_type() (git-fixes). - scsi: libsas: Fix disk not being scanned in after being removed (git-fixes). - scsi: lpfc: Add support for 32 byte CDBs (bsc#1225842). - scsi: lpfc: Change default logging level for unsolicited CT MIB commands (bsc#1225842). - scsi: lpfc: Change lpfc_hba hba_flag member into a bitmask (bsc#1225842). Refresh: - patches.suse/lpfc-reintroduce-old-irq-probe-logic.patch - scsi: lpfc: Clear deferred RSCN processing flag when driver is unloading (bsc#1225842). - scsi: lpfc: Copyright updates for 14.4.0.1 patches (bsc#1221777). 
- scsi: lpfc: Copyright updates for 14.4.0.2 patches (bsc#1225842). - scsi: lpfc: Correct size for cmdwqe/rspwqe for memset() (bsc#1221777). - scsi: lpfc: Correct size for wqe for memset() (bsc#1221777). - scsi: lpfc: Define lpfc_dmabuf type for ctx_buf ptr (bsc#1221777). - scsi: lpfc: Define lpfc_nodelist type for ctx_ndlp ptr (bsc#1221777). - scsi: lpfc: Define types in a union for generic void *context3 ptr (bsc#1221777). - scsi: lpfc: Introduce rrq_list_lock to protect active_rrq_list (bsc#1225842). - scsi: lpfc: Move NPIV's transport unregistration to after resource clean up (bsc#1221777). - scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() (bsc#1221777). - scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling (bsc#1221777 bsc#1217959). - scsi: lpfc: Remove unnecessary log message in queuecommand path (bsc#1221777). - scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port() (bsc#1221777). - scsi: lpfc: Update logging of protection type for T10 DIF I/O (bsc#1225842). - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic (bsc#1221777). - scsi: lpfc: Update lpfc version to 14.4.0.1 (bsc#1221777). - scsi: lpfc: Update lpfc version to 14.4.0.2 (bsc#1225842). - scsi: lpfc: Use a dedicated lock for ras_fwlog state (bsc#1221777). - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready (git-fixes). - scsi: mylex: Fix sysfs buffer lengths (git-fixes). - scsi: qla2xxx: Change debug message during driver unload (bsc1221816). - scsi: qla2xxx: Delay I/O Abort on PCI error (bsc1221816). - scsi: qla2xxx: Fix command flush on cable pull (bsc1221816). - scsi: qla2xxx: Fix double free of fcport (bsc1221816). - scsi: qla2xxx: Fix double free of the ha->vp_map pointer (bsc1221816). - scsi: qla2xxx: Fix N2N stuck connection (bsc1221816). - scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (git-fixes). - scsi: qla2xxx: NVME|FCP prefer flag not being honored (bsc1221816). 
- scsi: qla2xxx: Prevent command send on chip reset (bsc1221816). - scsi: qla2xxx: Split FCE|EFT trace control (bsc1221816). - scsi: qla2xxx: Update manufacturer detail (bsc1221816). - scsi: qla2xxx: Update version to 10.02.09.200-k (bsc1221816). - scsi: sd: Unregister device if device_add_disk() failed in sd_probe() (git-fixes). - scsi: sg: Avoid race in error handling & drop bogus warn (git-fixes). - scsi: sg: Avoid sg device teardown race (git-fixes). - scsi: smartpqi: Fix disable_managed_interrupts (git-fixes). - sctp: annotate data-races around sk->sk_wmem_queued (git-fixes). - sdhci-of-dwcmshc: disable PM runtime in dwcmshc_remove() (git-fixes). - selftests/binderfs: use the Makefile's rules, not Make's implicit rules (git-fixes). - selftests/bpf: add edge case backtracking logic test (bsc#1225756). - selftests/bpf: precision tracking test for BPF_NEG and BPF_END (bsc#1225756). - selftests: default to host arch for LLVM builds (git-fixes). - selftests: forwarding: Fix ping failure due to short timeout (git-fixes). - selftests/ftrace: Fix event filter target_func selection (stable-fixes). - selftests/ftrace: Limit length in subsystem-enable tests (git-fixes). - selftests/kcmp: remove unused open mode (git-fixes). - selftests: kselftest: Fix build failure with NOLIBC (git-fixes). - selftests: kselftest: Mark functions that unconditionally call exit() as __noreturn (git-fixes). - selftests: net: bridge: increase IGMP/MLD exclude timeout membership interval (git-fixes). - selftests/net: convert test_bridge_neigh_suppress.sh to run it in unique namespace (stable-fixes). - selftests: net: kill smcrouted in the cleanup logic in amt.sh (git-fixes). - selftests: net: move amt to socat for better compatibility (git-fixes). - selftests/pidfd: Fix config for pidfd_setns_test (git-fixes). - selftests/powerpc/dexcr: Add -no-pie to hashchk tests (git-fixes). - selftests/powerpc/papr-vpd: Fix missing variable initialization (jsc#PED-4486 git-fixes). 
- selftests/resctrl: fix clang build failure: use LOCAL_HDRS (git-fixes). - selftests: test_bridge_neigh_suppress.sh: Fix failures due to duplicate MAC (git-fixes). - selftests: timers: Convert posix_timers test to generate KTAP output (stable-fixes). - selftests: timers: Fix abs() warning in posix_timers test (git-fixes). - selftests: timers: Fix posix_timers ksft_print_msg() warning (git-fixes). - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior (stable-fixes). - selftests/timers/posix_timers: Reimplement check_timer_distribution() (git-fixes). - selftests: vxlan_mdb: Fix failures with old libnet (git-fixes). - selinux: avoid dereference of garbage after mount failure (git-fixes). - selinux: introduce an initial SID for early boot processes (bsc#1208593). - serial: 8250_bcm7271: use default_mux_rate if possible (git-fixes). - serial: 8250_dw: Revert: Do not reclock if already at correct rate (git-fixes). - serial: 8250_exar: Do not remove GPIO device on suspend (git-fixes). - serial: 8520_mtk: Set RTS on shutdown for Rx in-band wakeup (git-fixes). - serial: core: Fix atomicity violation in uart_tiocmget (git-fixes). - serial: core: only stop transmit when HW fifo is empty (git-fixes). - serial: kgdboc: Fix NMI-safety problems from keyboard reset code (stable-fixes). - serial: Lock console when calling into driver before registration (git-fixes). - serial: max3100: Fix bitwise types (git-fixes). - serial: max3100: Lock port->lock when calling uart_handle_cts_change() (git-fixes). - serial: max310x: fix NULL pointer dereference in I2C instantiation (git-fixes). - serial: max310x: fix syntax error in IRQ error message (git-fixes). - serial: mxs-auart: add spinlock around changing cts state (git-fixes). - serial/pmac_zilog: Remove flawed mitigation for rx irq flood (git-fixes). - serial: sc16is7xx: add proper sched.h include for sched_set_fifo() (git-fixes). 
- serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler (git-fixes). - serial: sh-sci: protect invalidating RXDMA on shutdown (git-fixes). - serial: stm32: Reset .throttled state in .startup() (git-fixes). - series.conf: cleanup Fix subsection header to silence series_insert error. - SEV: disable SEV-ES DebugSwap by default (git-fixes). - slimbus: core: Remove usage of the deprecated ida_simple_xx() API (git-fixes). - slimbus: qcom-ngd-ctrl: Add timeout for wait operation (git-fixes). - smb3: show beginning time for per share stats (bsc#1225172). - smb: client: ensure to try all targets when finding nested links (bsc#1225172). - smb: client: fix mount when dns_resolver key is not available (git-fixes, bsc#1225172). - smb: client: fix parsing of SMB3.1.1 POSIX create context (git-fixes, bsc#1225172). - smb: client: get rid of dfs code dep in namespace.c (bsc#1225172). - smb: client: get rid of dfs naming in automount code (bsc#1225172). - smb: client: introduce DFS_CACHE_TGT_LIST() (bsc#1225172). - smb: client: reduce stack usage in cifs_try_adding_channels() (bsc#1225172). - smb: client: remove extra @chan_count check in __cifs_put_smb_ses() (bsc#1225172). - smb: client: rename cifs_dfs_ref.c to namespace.c (bsc#1225172). - soc: fsl: qbman: Always disable interrupts when taking cgr_lock (git-fixes). - soc: fsl: qbman: Use raw spinlock for cgr_lock (git-fixes). - sock_diag: annotate data-races around sock_diag_handlers[family] (git-fixes). - soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE (git-fixes). - soc: microchip: Fix POLARFIRE_SOC_SYS_CTRL input prompt (stable-fixes). - soc: qcom: pmic_glink: do not traverse clients list without a lock (git-fixes). - soc: qcom: pmic_glink: Make client-lock non-sleeping (git-fixes). - soc: qcom: pmic_glink: notify clients about the current state (git-fixes). - soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request (git-fixes). 
- soundwire: amd: fix for wake interrupt handling for clockstop mode (git-fixes). - speakup: Avoid crash on very long word (git-fixes). - speakup: Fix 8bit characters from direct synth (git-fixes). - speakup: Fix sizeof() vs ARRAY_SIZE() bug (git-fixes). - spi: Do not mark message DMA mapped when no transfer in it is (git-fixes). - spi: fix null pointer dereference within spi_sync (git-fixes). - spi: intel-pci: Add support for Lunar Lake-M SPI serial flash (stable-fixes). - spi: lm70llp: fix links in doc and comments (git-fixes). - spi: lpspi: Avoid potential use-after-free in probe() (git-fixes). - spi: mchp-pci1xxx: Fix a possible null pointer dereference in pci1xxx_spi_probe (git-fixes). - spi: microchip-core-qspi: fix setting spi bus clock rate (git-fixes). - spi: spi-fsl-lpspi: remove redundant spi_controller_put call (git-fixes). - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler (git-fixes). - spi: stm32: Do not warn about spurious interrupts (git-fixes). - spi: xilinx: Fix kernel documentation in the xilinx_spi.h (git-fixes). - spmi: hisi-spmi-controller: Do not override device identifier (git-fixes). - staging: vc04_services: changen strncpy() to strscpy_pad() (stable-fixes). - staging: vc04_services: fix information leak in create_component() (git-fixes). - staging: vt6655: Remove unused declaration of RFbAL7230SelectChannelPostProcess() (git-fixes). - stmmac: Clear variable when destroying workqueue (git-fixes). - SUNRPC: fix a memleak in gss_import_v2_context (git-fixes). - SUNRPC: fix some memleaks in gssx_dec_option_array (git-fixes). 
- supported.conf: support tcp_dctcp module (jsc#PED-8111) - swiotlb: extend buffer pre-padding to alloc_align_mask if necessary (bsc#1224331) - swiotlb: Fix alignment checks when both allocation and DMA masks are (bsc#1224331) - swiotlb: Fix double-allocation of slots due to broken alignment (bsc#1224331) - swiotlb: Honour dma_alloc_coherent() alignment in swiotlb_alloc() (bsc#1224331) - swiotlb: use the calculated number of areas (git-fixes). - Temporarily drop KVM patch that caused a regression (bsc#1226158). - thermal: devfreq_cooling: Fix perf state when calculate dfc res_util (git-fixes). - thermal/drivers/qcom/lmh: Check for SCM availability at probe (git-fixes). - thermal/drivers/tsens: Fix null pointer dereference (git-fixes). - thermal/of: Assume polling-delay(-passive) 0 when absent (stable-fixes). - thunderbolt: Avoid notify PM core about runtime PM resume (stable-fixes). - thunderbolt: Do not create DisplayPort tunnels on adapters of the same router (git-fixes). - thunderbolt: Fix wake configurations after device unplug (stable-fixes). - thunderbolt: Introduce tb_path_deactivate_hop() (stable-fixes). - thunderbolt: Introduce tb_port_reset() (stable-fixes). - thunderbolt: Make tb_switch_reset() support Thunderbolt 2, 3 and USB4 routers (stable-fixes). - thunderbolt: Reset only non-USB4 host routers in resume (git-fixes). - tls: break out of main loop when PEEK gets a non-data record (bsc#1221858). - tls: do not skip over different type records from the rx_list (bsc#1221858). - tls: fix peeking with sync+async decryption (bsc#1221858). - tls: stop recv() if initial process_rx_list gave us non-DATA (bsc#1221858). - tools/arch/x86/intel_sdsi: Fix maximum meter bundle length (git-fixes). - tools/arch/x86/intel_sdsi: Fix meter_certificate decoding (git-fixes). - tools/arch/x86/intel_sdsi: Fix meter_show display (git-fixes). - tools/latency-collector: Fix -Wformat-security compile warns (git-fixes). 
- tools/power turbostat: Expand probe_intel_uncore_frequency() (bsc#1221765). - tools/power/turbostat: Fix uncore frequency file string (bsc#1221765). - tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer (git-fixes). - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test (git-fixes). - tracing: Have saved_cmdlines arrays all in one allocation (git-fixes). - tracing: hide unused ftrace_event_id_fops (git-fixes). - tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string (git-fixes). - tracing: Remove precision vsnprintf() check from print event (git-fixes). - tracing/ring-buffer: Fix wait_on_pipe() race (git-fixes). - tracing: Use .flush() call to wake up readers (git-fixes). - tty: n_gsm: fix missing receive state reset after mode switch (git-fixes). - tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (git-fixes). - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT (git-fixes). - tty: vt: fix 20 vs 0x20 typo in EScsiignore (git-fixes). - ubifs: dbg_check_idx_size: Fix kmemleak if loading znode failed (git-fixes). - ubifs: fix sort function prototype (git-fixes). - ubifs: Queue up space reservation tasks if retrying many times (git-fixes). - ubifs: Remove unreachable code in dbg_check_ltab_lnum (git-fixes). - ubifs: Set page uptodate in the correct place (git-fixes). - Update config files. Disable N_GSM (jsc#PED-8240). - Update patches.suse/nvme-ensure-disabling-pairs-with-unquiesce.patch (jsc#PED-6252 jsc#PED-5728 jsc#PED-5062 jsc#PED-3535 bsc#1224534). - usb: aqc111: stop lying about skb->truesize (git-fixes). - usb: audio-v2: Correct comments for struct uac_clock_selector_descriptor (git-fixes). - usb: cdc-wdm: close race between read and workqueue (git-fixes). - USB: core: Add hub_get() and hub_put() routines (stable-fixes). - USB: core: Fix access violation during port device removal (git-fixes). - USB: core: Fix deadlock in port 'disable' sysfs attribute (stable-fixes). 
- USB: core: Fix deadlock in usb_deauthorize_interface() (git-fixes). - usb: Disable USB3 LPM at shutdown (stable-fixes). - usb: dwc2: gadget: Fix exiting from clock gating (git-fixes). - usb: dwc2: gadget: LPM flow fix (git-fixes). - usb: dwc2: host: Fix dereference issue in DDMA completion flow (git-fixes). - usb: dwc2: host: Fix hibernation flow (git-fixes). - usb: dwc2: host: Fix ISOC flow in DDMA mode (git-fixes). - usb: dwc2: host: Fix remote wakeup from hibernation (git-fixes). - usb: dwc3-am62: Disable wakeup at remove (git-fixes). - usb: dwc3-am62: fix module unload/reload behavior (git-fixes). - usb: dwc3-am62: Rename private data (git-fixes). - usb: dwc3: core: Prevent phy suspend during init (Git-fixes). - usb: dwc3: pci: Drop duplicate ID (git-fixes). - usb: dwc3: Properly set system wakeup (git-fixes). - usb: dwc3: Wait unconditionally after issuing EndXfer command (git-fixes). - usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed device (bsc#1220569). - usb: fotg210: Add missing kernel doc description (git-fixes). - usb: gadget: composite: fix OS descriptors w_value logic (git-fixes). - usb: gadget: f_fs: Fix a race condition when processing setup packets (git-fixes). - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete (git-fixes). - usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error (stable-fixes). - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin (git-fixes). - usb: gadget: u_audio: Clear uac pointer when freed (git-fixes). - usb: gadget: u_audio: Fix race condition use of controls after free during gadget unbind (git-fixes). - usb: gadget: uvc: mark incomplete frames with UVC_STREAM_ERR (stable-fixes). - usb: gadget: uvc: use correct buffer size when parsing configfs lists (git-fixes). - usb: ohci: Prevent missed ohci interrupts (git-fixes). - usb: phy: generic: Get the vbus supply (git-fixes). 
- USB: serial: add device ID for VeriFone adapter (stable-fixes). - USB: serial: cp210x: add ID for MGP Instruments PDS100 (stable-fixes). - USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M (stable-fixes). - USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB (stable-fixes). - USB: serial: option: add Fibocom FM135-GL variants (stable-fixes). - USB: serial: option: add Lonsung U8300/U9300 product (stable-fixes). - USB: serial: option: add MeiG Smart SLM320 product (stable-fixes). - USB: serial: option: add Rolling RW101-GL and RW135-GL support (stable-fixes). - USB: serial: option: add support for Fibocom FM650/FG650 (stable-fixes). - USB: serial: option: add Telit FN920C04 rmnet compositions (stable-fixes). - USB: serial: option: support Quectel EM060K sub-models (stable-fixes). - usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined (stable-fixes). - usb: typec: Return size of buffer if pd_set operation succeeds (git-fixes). - usb: typec: tcpci: add generic tcpci fallback compatible (stable-fixes). - usb: typec: tcpm: Check for port partner validity before consuming it (git-fixes). - usb: typec: tcpm: clear pd_event queue in PORT_RESET (git-fixes). - usb: typec: tcpm: Correct port source pdo array in pd_set callback (git-fixes). - usb: typec: tcpm: Correct the PDO counting in pd_set (git-fixes). - usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd() (git-fixes). - usb: typec: tcpm: unregister existing source caps before re-registration (git-fixes). - usb: typec: tipd: fix event checking for tps6598x (git-fixes). - usb: typec: ucsi: Ack unsupported commands (stable-fixes). - usb: typec: ucsi_acpi: Refactor and fix DELL quirk (git-fixes). - usb: typec: ucsi: always register a link to USB PD device (git-fixes). - usb: typec: ucsi: Check for notifications after init (git-fixes). - usb: typec: ucsi: Clean up UCSI_CABLE_PROP macros (git-fixes). 
- usb: typec: ucsi: Clear EVENT_PENDING under PPM lock (git-fixes). - usb: typec: ucsi: Clear UCSI_CCI_RESET_COMPLETE before reset (stable-fixes). - usb: typec: ucsi: displayport: Fix potential deadlock (git-fixes). - usb: typec: ucsi: Fix connector check on init (git-fixes). - usb: typec: ucsi: Fix race between typec_switch and role_switch (git-fixes). - usb: typec: ucsi: Limit read size on v1.2 (stable-fixes). - usb: typec: ucsi: simplify partner's PD caps registration (git-fixes). - USB: UAS: return ENODEV when submit urbs fail with device not attached (stable-fixes). - usb: udc: remove warning when queue disabled ep (stable-fixes). - usb: xhci: Add error handling in xhci_map_urb_for_dma (git-fixes). - usb: xhci: correct return value in case of STS_HCE (git-fixes). - usb: xhci: Implement xhci_handshake_check_state() helper. - usb: xhci-plat: Do not include xhci.h (stable-fixes). - vboxsf: Avoid an spurious warning if load_nls_xxx() fails (git-fixes). - vboxsf: explicitly deny setlease attempts (stable-fixes). - vdpa/mlx5: Allow CVQ size changes (git-fixes). - vdpa_sim: reset must not run (git-fixes). - veth: try harder when allocating queue memory (git-fixes). - vhost: Add smp_rmb() in vhost_enable_notify() (git-fixes). - vhost: Add smp_rmb() in vhost_vq_avail_empty() (git-fixes). - virtio-blk: Ensure no requests in virtqueues before deleting vqs (git-fixes). - virtio_net: Do not send RSS key if it is not supported (git-fixes). - virtio: treat alloc_dax() -EOPNOTSUPP failure as non-fatal (bsc#1223944). - VMCI: Fix an error handling path in vmci_guest_probe_device() (git-fixes). - VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() (stable-fixes). - vmci: prevent speculation leaks by sanitizing event in event_deliver() (git-fixes). - vsock/virtio: fix packet delivery to tap device (git-fixes). - watchdog: bd9576: Drop 'always-running' property (git-fixes). 
- watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger (git-fixes). - watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin (git-fixes). - watchdog: sa1100: Fix PTR_ERR_OR_ZERO() vs NULL check in sa1100dog_probe() (git-fixes). - wifi: ar5523: enable proper endpoint verification (git-fixes). - wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() (git-fixes). - wifi: ath10k: poll service ready message before failing (git-fixes). - wifi: ath10k: populate board data for WCN3990 (git-fixes). - wifi: ath11k: decrease MHI channel buffer length to 8KB (bsc#1207948). - wifi: ath11k: do not force enable power save on non-running vdevs (git-fixes). - wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() (git-fixes). - wifi: ath9k: fix LNA selection in ath_ant_try_scan() (stable-fixes). - wifi: brcmfmac: Add DMI nvram filename quirk for ACEPC W5 Pro (stable-fixes). - wifi: brcmfmac: add per-vendor feature detection callback (stable-fixes). - wifi: brcmfmac: cfg80211: Use WSEC to set SAE password (stable-fixes). - wifi: brcmfmac: Demote vendor-specific attach/detach messages to info (git-fixes). - wifi: brcmfmac: pcie: handle randbuf allocation failure (git-fixes). - wifi: carl9170: add a proper sanity check for endpoints (git-fixes). - wifi: carl9170: re-fix fortified-memset warning (git-fixes). - wifi: cfg80211: check A-MSDU format more carefully (stable-fixes). - wifi: cfg80211: fix rdev_dump_mpp() arguments order (stable-fixes). - wifi: ieee80211: fix ieee80211_mle_basic_sta_prof_size_ok() (git-fixes). - wifi: iwlwifi: fw: do not always use FW dump trig (git-fixes). - wifi: iwlwifi: fw: fix compile w/o CONFIG_ACPI (git-fixes). - wifi: iwlwifi: mvm: allocate STA links only for active links (git-fixes). - wifi: iwlwifi: mvm: fix active link counting during recovery (git-fixes). - wifi: iwlwifi: mvm: fix check in iwl_mvm_sta_fw_id_mask (git-fixes). 
- wifi: iwlwifi: mvm: guard against invalid STA ID on removal (stable-fixes). - wifi: iwlwifi: mvm: include link ID when releasing frames (git-fixes). - wifi: iwlwifi: mvm: init vif works only once (git-fixes). - wifi: iwlwifi: mvm: remove old PASN station when adding a new one (git-fixes). - wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd (git-fixes). - wifi: iwlwifi: mvm: rfi: fix potential response leaks (git-fixes). - wifi: iwlwifi: mvm: select STA mask only for active links (git-fixes). - wifi: iwlwifi: mvm: use correct address 3 in A-MSDU (stable-fixes). - wifi: iwlwifi: pcie: Add the PCI device id for new hardware (stable-fixes). - wifi: iwlwifi: pcie: fix RB status reading (stable-fixes). - wifi: iwlwifi: read txq->read_ptr under lock (stable-fixes). - wifi: iwlwifi: reconfigure TLC during HW restart (git-fixes). - wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (stable-fixes). - wifi: mac80211: clean up assignments to pointer cache (stable-fixes). - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc (stable-fixes). - wifi: mac80211: fix prep_connection error path (stable-fixes). - wifi: mac80211: fix unaligned le16 access (git-fixes). - wifi: mac80211_hwsim: init peer measurement result (git-fixes). - wifi: mac80211: only call drv_sta_rc_update for uploaded stations (stable-fixes). - wifi: mac80211: remove link before AP (git-fixes). - wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset (git-fixes). - wifi: mt76: mt7603: fix tx queue of loopback packets (git-fixes). - wifi: mt76: mt7915: workaround too long expansion sparse warnings (git-fixes). - wifi: mt76: mt7996: add locking for accessing mapped registers (stable-fixes). - wifi: mt76: mt7996: disable AMSDU for non-data frames (stable-fixes). - wifi: mwl8k: initialize cmd->addr[] properly (git-fixes). - wifi: nl80211: do not free NULL coalescing rule (git-fixes). - wifi: rtw88: 8821cu: Fix connection failure (stable-fixes). 
- wifi: rtw88: Add missing VID/PIDs for 8811CU and 8821CU (stable-fixes). - wifi: rtw89: fix null pointer access when abort scan (stable-fixes). - wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of firmware command (git-fixes). - wifi: rtw89: pci: enlarge RX DMA buffer to consider size of RX descriptor (stable-fixes). - wireguard: netlink: access device through ctx instead of peer (git-fixes). - wireguard: netlink: check for dangling peer via is_dead instead of empty list (git-fixes). - wireguard: receive: annotate data-race around receiving_counter.counter (git-fixes). - Workaround broken chacha crypto fallback (bsc#1218205). - x86/bugs: Fix BHI retpoline check (git-fixes). - x86/bugs: Fix the SRSO mitigation on Zen3/4 (git-fixes). - x86/bugs: Remove default case for fully switched enums (git-fixes). - x86/calldepth: Rename __x86_return_skl() to call_depth_return_thunk() (git-fixes). - x86/coco: Require seeding RNG with RDRAND on CoCo systems (git-fixes). - x86/cpu: Add model number for Intel Arrow Lake mobile processor (git-fixes). - x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (git-fixes). - x86/CPU/AMD: Update the Zenbleed microcode revisions (git-fixes). - x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ (git-fixes). - x86/efistub: Add missing boot_params for mixed mode compat entry (git-fixes). - x86/efistub: Call mixed mode boot services on the firmware's stack (git-fixes). - x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD (git-fixes). - x86/hyperv: Allow 15-bit APIC IDs for VTL platforms (git-fixes). - x86/hyperv: Use per cpu initial stack for vtl context (git-fixes). - x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT (git-fixes). - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y (git-fixes). - x86/kvm/Kconfig: Have KVM_AMD_SEV select ARCH_HAS_CC_PLATFORM (git-fixes). - x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() (git-fixes). 
- x86/nmi: Fix the inverse 'in NMI handler' check (git-fixes). - x86/nospec: Refactor UNTRAIN_RET[_*] (git-fixes). - x86/pm: Work around false positive kmemleak report in msr_build_context() (git-fixes). - x86/purgatory: Switch to the position-independent small code model (git-fixes). - x86/rethunk: Use SYM_CODE_START[_LOCAL]_NOALIGN macros (git-fixes). - x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk (git-fixes). - x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO (git-fixes). - x86/srso: Disentangle rethunk-dependent options (git-fixes). - x86/srso: Fix unret validation dependencies (git-fixes). - x86/srso: Improve i-cache locality for alias mitigation (git-fixes). - x86/srso: Print actual mitigation if requested mitigation isn't possible (git-fixes). - x86/srso: Remove 'pred_cmd' label (git-fixes). - x86/srso: Unexport untraining functions (git-fixes). - x86/xen: Add some null pointer checking to smp.c (git-fixes). - x86/xen: attempt to inflate the memory balloon on PVH (git-fixes). - xdp, bonding: Fix feature flags when there are no slave devs anymore (git-fixes). - xen/events: drop xen_allocate_irqs_dynamic() (git-fixes). - xen/events: fix error code in xen_bind_pirq_msi_to_irq() (git-fixes). - xen/events: increment refcnt only if event channel is refcounted (git-fixes). - xen/events: modify internal [un]bind interfaces (git-fixes). - xen/events: reduce externally visible helper functions (git-fixes). - xen/events: remove some simple helpers from events_base.c (git-fixes). - xen: evtchn: Allow shared registration of IRQ handers (git-fixes). - xen/evtchn: avoid WARN() when unbinding an event channel (git-fixes). - xen-netfront: Add missing skb_mark_for_recycle (git-fixes). - xfs: add lock protection when remove perag from radix tree (git-fixes). - xfs: allow extent free intents to be retried (git-fixes). - xfs: fix perag leak when growfs fails (git-fixes). 
- xfs: force all buffers to be written during btree bulk load (git-fixes). - xfs: make xchk_iget safer in the presence of corrupt inode btrees (git-fixes). - xfs: pass the xfs_defer_pending object to iop_recover (git-fixes). - xfs: recompute growfsrtfree transaction reservation while growing rt volume (git-fixes). - xfs: transfer recovered intent item ownership in ->iop_recover (git-fixes). - xfs: use xfs_defer_pending objects to recover intent items (git-fixes). - xhci: add helper that checks for unhandled events on a event ring (git-fixes). - xhci: remove unnecessary event_ring_deq parameter from xhci_handle_event() (git-fixes). - xhci: Simplify event ring dequeue pointer update for port change events (git-fixes). - xhci: simplify event ring dequeue tracking for transfer events (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2214-1 Released: Tue Jun 25 17:11:26 2024 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1225598 This update for util-linux fixes the following issue: - Fix hang of lscpu -e (bsc#1225598) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2234-1 Released: Wed Jun 26 12:54:27 2024 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1224400 This update for suse-module-tools fixes the following issue: - Version update, udevrules: activate CPUs on hotplug for s390, too (bsc#1224400) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2239-1 Released: Wed Jun 26 13:09:10 2024 Summary: Recommended update for systemd Type: recommended Severity: critical References: 1226415 This update for systemd contains the following fixes: - testsuite: move a misplaced %endif - Do not remove existing configuration files in /etc. If these files were modified on the system, that may cause unwanted side effects (bsc#1226415).
- Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This reverts the backport of the broken commit until a fix is released in the v254-stable tree. - Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2241-1 Released: Wed Jun 26 15:37:28 2024 Summary: Recommended update for wicked Type: recommended Severity: important References: 1218668 This update for wicked fixes the following issues: - Fix VLANs/bonds randomly not coming up after reboot or wicked restart. [bsc#1218668] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2275-1 Released: Tue Jul 2 16:33:30 2024 Summary: Security update for openssh Type: security Severity: important References: 1226642,CVE-2024-6387 This update for openssh fixes the following issues: - CVE-2024-6387: Fixed race condition in a signal handler (bsc#1226642) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2024:2282-1 Released: Tue Jul 2 22:41:28 2024 Summary: Optional update for openscap, scap-security-guide Type: optional Severity: moderate References: This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5. This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2283-1 Released: Tue Jul 2 23:12:19 2024 Summary: Security update for libndp Type: security Severity: important References: 1225771,CVE-2024-5564 This update for libndp fixes the following issues: - CVE-2024-5564: Add a check on the route information option length field.
(bsc#1225771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2290-1 Released: Wed Jul 3 11:35:00 2024 Summary: Security update for libxml2 Type: security Severity: low References: 1224282,CVE-2024-34459 This update for libxml2 fixes the following issues: - CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2307-1 Released: Fri Jul 5 12:04:34 2024 Summary: Security update for krb5 Type: security Severity: important References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371 This update for krb5 fixes the following issues: - CVE-2024-37370: Fixed an issue where confidential GSS krb5 wrap tokens with invalid fields were erroneously accepted (bsc#1227186). - CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187). ----------------------------------------------------------------- Advisory ID: SUSE-OU-2024:2316-1 Released: Mon Jul 8 11:18:56 2024 Summary: Optional update for NetworkManager Type: optional Severity: low References: 1227333 This optional update for NetworkManager fixes the following issue: - No-change rebuild to include NetworkManager-wwan in the SLE-Module-Desktop-Applications_15-SP6 product (bsc#1227333) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2393-1 Released: Wed Jul 10 17:33:47 2024 Summary: Security update for openssh Type: security Severity: moderate References: 1218215,1224392,1225904,1227318,1227350,CVE-2023-51385,CVE-2024-39894 This update for openssh fixes the following issues: Security fixes: - CVE-2024-39894: Fixed timing attacks against echo-off password entry (bsc#1227318). Other fixes: - Add obsoletes for openssh-server-config-rootlogin (bsc#1227350). - Add #include in some files added by the ldap patch to fix build with gcc14 (bsc#1225904).
- Remove the recommendation for openssh-server-config-rootlogin from openssh-server (bsc#1224392). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2401-1 Released: Thu Jul 11 06:36:43 2024 Summary: Security update for oniguruma Type: security Severity: moderate References: 1141157,CVE-2019-13225 This update for oniguruma fixes the following issues: - CVE-2019-13225: Fixed null-pointer dereference in match_at() in regexec.c (bsc#1141157). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2404-1 Released: Thu Jul 11 09:31:42 2024 Summary: Recommended update for mdadm Type: recommended Severity: moderate References: 1225307 This update for mdadm fixes the following issues: - util.c: change devnm to const in mdmon functions (bsc#1225307) - Wait for mdmon when it is started via systemd (bsc#1225307) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2406-1 Released: Thu Jul 11 11:27:05 2024 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1227429 This update for suse-build-key fixes the following issue: - Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import them (bsc#1227429) - gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key - gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key The following package changes have been done: - NetworkManager-branding-SLE-42.1-150600.17.2 added - NetworkManager-1.44.2-150600.3.2.1 added - aaa_base-84.87+git20180409.04c9dae-150300.10.20.1 added - bash-completion-2.7-150400.13.3.1 added - bash-sh-4.4-150400.25.22 added - bash-4.4-150400.25.22 added - boost-license1_66_0-1.66.0-12.3.1 added - ca-certificates-mozilla-2.62-150200.30.1 added - ca-certificates-2+git20240416.98ae794-150300.4.3.3 added - container-suseconnect-2.5.0-150000.4.53.2 added - coreutils-8.32-150400.9.6.1 added - cpio-2.13-150400.3.6.1 added -
cracklib-dict-small-2.9.11-150600.1.90 added - cracklib-2.9.11-150600.1.90 added - crypto-policies-20230920.570ea89-150600.1.9 added - curl-8.6.0-150600.2.2 added - dbus-1-1.12.2-150400.18.8.1 added - device-mapper-2.03.22_1.02.196-150600.1.3 added - diffutils-3.6-4.3.1 added - dmidecode-3.4-150400.16.8.1 added - dracut-059+suse.521.g8412a1c0-150600.1.3 added - efibootmgr-17-150400.3.2.2 added - elfutils-0.185-150400.5.3.1 added - ethtool-6.4-150600.7.3.2 added - file-magic-5.32-7.14.1 added - filesystem-15.0-11.8.1 added - file-5.32-7.14.1 added - findutils-4.8.0-1.20 added - gawk-4.2.1-150000.3.3.1 added - gettext-runtime-0.21.1-150600.1.7 added - gio-branding-SLE-15-150600.35.2.1 added - glib2-tools-2.78.6-150600.4.3.1 added - glibc-locale-base-2.38-150600.14.5.1 added - glibc-2.38-150600.14.5.1 added - gpg2-2.4.4-150600.1.4 added - grep-3.1-150000.4.6.1 added - grub2-i386-pc-2.12-150600.6.13 added - grub2-x86_64-efi-2.12-150600.6.13 added - grub2-2.12-150600.6.13 added - gzip-1.10-150200.10.1 added - info-6.5-4.17 added - iproute2-6.4-150600.7.3.1 added - iptables-1.8.7-1.1 added - iputils-20221126-150500.3.8.2 added - issue-generator-1.13-150500.1.2 added - jq-1.6-3.3.1 added - kbd-legacy-2.4.0-150400.5.6.1 added - kbd-2.4.0-150400.5.6.1 added - kernel-default-6.4.0-150600.23.7.3 added - kernel-firmware-bnx2-20240201-150600.1.2 added - kernel-firmware-chelsio-20240201-150600.1.2 added - kernel-firmware-i915-20240201-150600.1.2 added - kernel-firmware-intel-20240201-150600.1.2 added - kernel-firmware-liquidio-20240201-150600.1.2 added - kernel-firmware-marvell-20240201-150600.1.2 added - kernel-firmware-mediatek-20240201-150600.1.2 added - kernel-firmware-mellanox-20240201-150600.1.2 added - kernel-firmware-network-20240201-150600.1.2 added - kernel-firmware-platform-20240201-150600.1.2 added - kernel-firmware-qlogic-20240201-150600.1.2 added - kernel-firmware-realtek-20240201-150600.1.2 added - kernel-firmware-usb-network-20240201-150600.1.2 added - 
keyutils-1.6.3-5.6.1 added - kmod-29-150600.11.4 added - kpartx-0.9.8+88+suse.d504d83-150600.1.2 added - krb5-1.20.1-150600.11.3.1 added - less-643-150600.3.3.1 added - libabsl2401_0_0-20240116.1-150600.17.7 added - libacl1-2.2.52-4.3.1 added - libaio1-0.3.109-1.25 added - libapparmor1-3.1.7-150600.3.1 added - libargon2-1-20190702-150600.1.4 added - libasm1-0.185-150400.5.3.1 added - libassuan0-2.5.5-150000.4.5.2 added - libattr1-2.4.47-2.19 added - libaudit1-3.0.6-150400.4.16.1 added - libaugeas0-1.14.1-150600.1.3 added - libblkid1-2.39.3-150600.4.6.2 added - libboost_system1_66_0-1.66.0-12.3.1 added - libboost_thread1_66_0-1.66.0-12.3.1 added - libbpf1-1.2.2-150600.3.3.1 added - libbrotlicommon1-1.0.7-3.3.1 added - libbrotlidec1-1.0.7-3.3.1 added - libbsd0-0.8.7-150600.16.2 added - libbz2-1-1.0.8-150400.1.122 added - libcap-ng0-0.7.9-4.37 added - libcap2-2.63-150400.3.3.1 added - libcbor0_10-0.10.1-150500.1.1 added - libcom_err2-1.47.0-150600.4.3.2 added - libcrack2-2.9.11-150600.1.90 added - libcrypt1-4.4.15-150300.4.7.1 added - libcryptsetup12-2.7.0-150600.1.4 added - libcurl4-8.6.0-150600.2.2 added - libdbus-1-3-1.12.2-150400.18.8.1 added - libdevmapper-event1_03-2.03.22_1.02.196-150600.1.3 added - libdevmapper1_03-2.03.22_1.02.196-150600.1.3 added - libdw1-0.185-150400.5.3.1 added - libeconf0-0.5.2-150400.3.6.1 added - libedit0-3.1.snap20150325-2.12 added - libefivar1-37-6.12.1 added - libelf1-0.185-150400.5.3.1 added - libevent-2_1-7-2.1.12-150600.1.2 added - libexpat1-2.4.4-150400.3.17.1 added - libfa1-1.14.1-150600.1.3 added - libfdisk1-2.39.3-150600.4.6.2 added - libffi7-3.2.1.git259-10.8 added - libfido2-1-1.13.0-150600.10.3 added - libfreebl3-3.90.2-150400.3.39.1 added - libfreetype6-2.10.4-150000.4.15.1 added - libfuse2-2.9.7-3.3.1 added - libgcc_s1-13.3.0+git8781-150000.1.12.1 added - libgcrypt20-1.10.3-150600.1.23 added - libgdbm4-1.12-1.418 added - libgio-2_0-0-2.78.6-150600.4.3.1 added - libglib-2_0-0-2.78.6-150600.4.3.1 added - 
libgmodule-2_0-0-2.78.6-150600.4.3.1 added - libgmp10-6.1.2-4.9.1 added - libgobject-2_0-0-2.78.6-150600.4.3.1 added - libgpg-error0-1.47-150600.1.3 added - libgpgme11-1.23.0-150600.1.41 added - libhidapi-hidraw0-0.10.1-150300.3.2.1 added - libidn2-0-2.2.0-3.6.1 added - libip4tc2-1.8.7-1.1 added - libip6tc2-1.8.7-1.1 added - libjitterentropy3-3.4.1-150000.1.12.1 added - libjq1-1.6-3.3.1 added - libjson-c5-0.16-150600.1.4 added - libkeyutils1-1.6.3-5.6.1 added - libkmod2-29-150600.11.4 added - libksba8-1.6.4-150600.1.2 added - libldap-2_4-2-2.4.46-150600.23.21 added - libldap-data-2.4.46-150600.23.21 added - liblua5_3-5-5.3.6-3.6.1 added - liblvm2cmd2_03-2.03.22-150600.1.6 added - liblz4-1-1.9.4-150600.1.4 added - liblzma5-5.4.1-150600.1.2 added - libmagic1-5.32-7.14.1 added - libmnl0-1.0.4-1.25 added - libmount1-2.39.3-150600.4.6.2 added - libmpath0-0.9.8+88+suse.d504d83-150600.1.2 added - libncurses6-6.1-150000.5.24.1 added - libndp0-1.6-150000.3.3.1 added - libnetfilter_conntrack3-1.0.7-1.38 added - libnfnetlink0-1.0.1-2.11 added - libnfsidmap1-1.0-150600.26.2 added - libnftnl11-1.2.0-150400.1.6 added - libnghttp2-14-1.40.0-150600.23.2 added - libnl-config-3.3.0-1.29 added - libnl3-200-3.3.0-1.29 added - libnm0-1.44.2-150600.3.2.1 added - libnpth0-1.5-2.11 added - libnsl2-1.2.0-2.44 added - libonig4-6.7.0-150000.3.6.1 added - libopeniscsiusr0-0.2.0-150600.49.8 added - libopenssl3-3.1.4-150600.5.7.1 added - libp11-kit0-0.23.22-150500.8.3.1 added - libpci3-3.5.6-150300.13.6.1 added - libpcre1-8.45-150000.20.13.1 added - libpcre2-8-0-10.42-150600.1.26 added - libpng16-16-1.6.40-150600.1.3 added - libpopt0-1.16-3.22 added - libprocps8-3.3.17-150000.7.39.1 added - libprotobuf-lite25_1_0-25.1-150600.16.4.2 added - libpsl5-0.20.1-150000.3.3.1 added - libreadline7-7.0-150400.25.22 added - libsasl2-3-2.1.28-150600.5.3 added - libseccomp2-2.5.3-150400.2.4 added - libselinux1-3.5-150600.1.46 added - libsemanage-conf-3.5-150600.1.48 added - libsemanage2-3.5-150600.1.48 added 
- libsensors4-3.5.0-4.6.1 added - libsepol2-3.5-150600.1.49 added - libsgutils2-1_48-2-1.48+11.56e7b2f-150600.3.3.11 added - libsigc-2_0-0-2.12.1-150600.1.2 added - libsmartcols1-2.39.3-150600.4.6.2 added - libsoftokn3-3.90.2-150400.3.39.1 added - libsolv-tools-base-0.7.29-150400.3.22.4 added - libsqlite3-0-3.44.0-150000.3.23.1 added - libssh-config-0.9.8-150600.9.1 added - libssh4-0.9.8-150600.9.1 added - libstdc++6-13.3.0+git8781-150000.1.12.1 added - libsystemd0-254.13-150600.4.5.1 added - libtasn1-6-4.13-150000.4.8.1 added - libtasn1-4.13-150000.4.8.1 added - libtextstyle0-0.21.1-150600.1.7 added - libtirpc-netconfig-1.3.4-150300.3.23.1 added - libtirpc3-1.3.4-150300.3.23.1 added - libudev1-254.13-150600.4.5.1 added - libunistring2-0.9.10-1.1 added - liburcu6-0.12.1-1.30 added - libusb-1_0-0-1.0.24-150400.3.3.1 added - libutempter0-1.1.6-3.42 added - libuuid1-2.39.3-150600.4.6.2 added - libverto1-0.2.6-3.20 added - libwrap0-7.6-1.433 added - libxml2-2-2.10.3-150500.5.17.1 added - libxtables12-1.8.7-1.1 added - libyaml-cpp0_6-0.6.3-150400.4.3.1 added - libz1-1.2.13-150500.4.3.1 added - libzck1-1.1.16-150600.9.3 added - libzio1-1.06-2.20 added - libzstd1-1.5.5-150600.1.3 added - libzypp-17.34.1-150600.3.4.6 added - login_defs-4.8.1-150600.15.45 added - logrotate-3.18.1-150400.3.7.1 added - lshw-B.02.19.2+git.20230320-150200.3.15.4 added - lsof-4.99.0-150600.1.15 added - lsscsi-0.28-1.24 added - lvm2-2.03.22-150600.1.6 added - mdadm-4.3-150600.3.3.2 added - mokutil-0.5.0-150600.8.3 added - mozilla-nspr-4.35-150000.3.29.1 added - mozilla-nss-certs-3.90.2-150400.3.39.1 added - mozilla-nss-3.90.2-150400.3.39.1 added - multipath-tools-0.9.8+88+suse.d504d83-150600.1.2 added - ncurses-utils-6.1-150000.5.24.1 added - netcat-openbsd-1.203-150400.1.5 added - netcfg-11.6-150000.3.6.1 added - nfs-client-2.6.4-150600.26.2 added - open-iscsi-2.1.9-150600.49.8 added - openslp-2.0.0-150600.19.5 added - openssh-clients-9.6p1-150600.6.6.1 added - openssh-common-9.6p1-150600.6.6.1 
added - openssh-server-9.6p1-150600.6.6.1 added - openssh-9.6p1-150600.6.6.1 added - openssl-3-3.1.4-150600.5.7.1 added - openssl-3.1.4-150600.2.1 added - p11-kit-tools-0.23.22-150500.8.3.1 added - p11-kit-0.23.22-150500.8.3.1 added - pam-config-1.1-150600.14.3 added - pam-1.3.0-150000.6.66.1 added - pciutils-ids-20200324-3.6.1 added - pciutils-3.5.6-150300.13.6.1 added - perl-Bootloader-1.8.1-150600.1.1 added - perl-base-5.26.1-150300.17.17.1 added - permissions-20201225-150400.5.16.1 added - pigz-2.3.3-1.28 added - pinentry-1.1.0-4.3.1 added - pkg-config-0.29.2-1.436 added - procmail-3.22-2.34 added - procps-3.3.17-150000.7.39.1 added - psmisc-23.0-150000.6.25.1 added - rpcbind-0.2.3-5.9.2 added - rpm-config-SUSE-1-150400.14.3.1 added - rpm-4.14.3-150400.59.16.1 added - rsync-3.2.7-150600.1.5 added - sed-4.9-150600.1.4 added - sg3_utils-1.48+11.56e7b2f-150600.3.3.11 added - shadow-4.8.1-150600.15.45 added - shared-mime-info-2.4-150600.1.3 added - shim-15.8-150300.4.20.2 added - sles-release-15.6-150600.37.2 added - strace-5.14-150400.1.7 added - suse-build-key-12.0-150000.8.46.2 added - suse-module-tools-15.6.10-150600.3.6.2 added - sysconfig-netconfig-0.85.9-150200.12.1 added - sysconfig-0.85.9-150200.12.1 added - sysstat-12.0.2-3.33.1 added - system-group-hardware-20170617-150400.24.2.1 added - system-group-kvm-20170617-150400.24.2.1 added - system-user-nobody-20170617-150400.24.2.1 added - system-user-root-20190513-3.3.1 added - systemd-default-settings-branding-SLE-0.10-150300.3.7.1 added - systemd-default-settings-0.10-150300.3.7.1 added - systemd-presets-branding-SLE-15.1-150600.33.1 added - systemd-presets-common-SUSE-15-150600.25.2 added - systemd-rpm-macros-15-150000.7.39.1 added - systemd-254.13-150600.4.5.1 added - sysuser-shadow-3.2-150400.3.5.3 added - tar-1.34-150000.3.34.1 added - terminfo-base-6.1-150000.5.24.1 added - thin-provisioning-tools-0.7.5-3.3.1 added - timezone-2024a-150600.89.2 added - traceroute-2.0.21-150000.3.3.1 added - 
udev-254.13-150600.4.5.1 added - update-alternatives-1.19.0.4-150000.4.4.1 added - util-linux-systemd-2.39.3-150600.4.6.2 added - util-linux-2.39.3-150600.4.6.2 added - vim-data-common-9.1.0330-150500.20.12.1 added - vim-small-9.1.0330-150500.20.12.1 added - which-2.21-2.20 added - wicked-service-0.6.75-150600.11.6.1 added - wicked-0.6.75-150600.11.6.1 added - wpa_supplicant-2.10-150600.5.4 added - xtables-plugins-1.8.7-1.1 added - xz-5.4.1-150600.1.2 added - zstd-1.5.5-150600.1.3 added - zypper-1.14.71-150600.10.2.7 added